Authentication & Security

Configure API keys, secrets management, TLS settings, RBAC, and pod security policies.

This page covers Helm values for authentication, secrets management, RBAC, and security configuration.

API Key

Variable: apiKey or secretApiKey

Description: The apiKey is a plaintext key used to access the Pipeline configuration in Edge Delta. The secretApiKey is used to alter the Kubernetes Secret name and key. To provide a Pipeline ID to the agents, use either apiKey or a Kubernetes Secret, but not both. By default, ed-api-key is both the secret’s name and its key.

Note: Passing in a secret in plain text using apiKey is not recommended for production due to security concerns. See an example of using a secrets management tool.

Example: This command creates a Kubernetes secret in the edgedelta namespace, with ed-api-key as the secret’s name and key, and 12345678987654321 as the secret’s value.

helm upgrade edgedelta edgedelta/edgedelta -i --version v1.17.0 --set secretApiKey.value=12345678987654321 -n edgedelta --create-namespace

You can run this command to retrieve the secret value:

kubectl get secret -n edgedelta ed-api-key -o jsonpath="{.data['ed-api-key']}" | base64 --decode

Secret API Key - Name

Variable: secretApiKey.name

Description: The name to use for the Kubernetes secret object when the secretApiKey.value is passed in.

Example: secretApiKey.name='ed-api-key'

Secret API Key - Key

Variable: secretApiKey.key

Description: The reference to use to create the key part of a key/value pair stored in a Kubernetes secret when the secretApiKey.value is passed in.

Example: secretApiKey.key='ed-api-key, username, password'

Secret API Key - Value

Variable: secretApiKey.value

Description: The value part of a key/value pair that is saved in a Kubernetes secret. Passing in this parameter saves it in the secret rather than the values file, and it uses the name and key specified by secretApiKey.name and secretApiKey.key. Use either apiKey or secretApiKey.value, not both, to provide an ID to the pipeline.

Example: secretApiKey.value='1a2b3c4d5e6f7g8h9i'
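The "either apiKey or secretApiKey.value, not both" rule and the name/key/value layout of the resulting Secret are easy to get wrong in a values file. The following is an added example (not part of the Edge Delta chart or its documentation) that checks a values dictionary against that rule, builds the Secret object the chart's defaults describe (name and key both ed-api-key, base64-encoded data), and decodes a value the way the kubectl command above does. The function names, the sample values, and the Opaque secret type are assumptions made for this illustration.

```python
import base64
import json

# Constructed sample values mirroring the chart's apiKey / secretApiKey.* keys.
PLAINTEXT_VALUES = {"apiKey": "12345678987654321"}
SECRET_VALUES = {
    "secretApiKey": {"name": "ed-api-key", "key": "ed-api-key", "value": "12345678987654321"},
}
BOTH_VALUES = {"apiKey": "x", "secretApiKey": {"value": "y"}}


def validate_api_key_values(values):
    """Return a list of findings; an empty list means the values obey the rule
    'use either apiKey or secretApiKey.value, not both'."""
    findings = []
    plain = values.get("apiKey")
    secret = (values.get("secretApiKey") or {}).get("value")
    if plain and secret:
        findings.append("apiKey and secretApiKey.value are both set; choose one")
    if not plain and not secret:
        findings.append("no Pipeline ID provided: set apiKey or secretApiKey.value")
    if plain and not secret:
        findings.append("apiKey is plaintext in values; prefer secretApiKey.value for production")
    return findings


def render_secret_manifest(values, namespace="edgedelta"):
    """Build a Secret object with the layout the page describes for
    --set secretApiKey.value=...: name and key default to ed-api-key and the
    value is stored base64-encoded under data[key]. The Opaque type is assumed."""
    cfg = values.get("secretApiKey") or {}
    name = cfg.get("name", "ed-api-key")
    key = cfg.get("key", "ed-api-key")
    value = cfg["value"]
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {key: base64.b64encode(value.encode()).decode()},
    }


def decode_secret_value(secret, key):
    """Equivalent of the kubectl jsonpath + base64 --decode command above,
    applied to a Secret given as a dict or as JSON text from `kubectl get secret -o json`."""
    obj = json.loads(secret) if isinstance(secret, str) else secret
    return base64.b64decode(obj["data"][key]).decode()


if __name__ == "__main__":
    for label, v in (("plaintext", PLAINTEXT_VALUES), ("secret", SECRET_VALUES), ("both", BOTH_VALUES)):
        print(label, validate_api_key_values(v))
    manifest = render_secret_manifest(SECRET_VALUES)
    print(json.dumps(manifest, indent=2))
    print(decode_secret_value(manifest, "ed-api-key"))
```

Run it before a helm upgrade to catch a values file that carries both keys, or to confirm which secret name and key the agents will read.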

Edge Delta Skip TLS Verify

Variable: edSkipTlsVerify

Description: Ignore SSL/TLS certificate errors when providing a client certificate and key directly. This can be useful in environments where self-signed certificates are used or where certificate verification may fail due to other reasons.

Example:

--set edSkipTlsVerify=true

ClusterRole Rules (RBAC)

Starting with agent version v2.12.0, the default ClusterRole RBAC rules are defined in values.yaml rather than being hardcoded in the Helm chart templates. This gives you full control over the RBAC permissions granted to the Edge Delta agent, coordinator, and gateway service accounts.

clusterRoleRules

Variable: clusterRoleRules

Description: Defines the complete set of ClusterRole rules for the Edge Delta service account. The default rules include permissions for core resources (namespaces, pods, events, nodes, services), workload resources (deployments, daemonsets, statefulsets, jobs, cronjobs), and supporting resources (leases, metrics, endpoints). You can modify this list to remove permissions your environment does not require or to tighten access in restricted clusters.

Default: See the full default rule set in the chart values.yaml.

Example — restrict to a minimal baseline:

clusterRoleRules:
  - apiGroups: [""]
    resources: ["namespaces", "pods", "pods/log", "events", "nodes", "nodes/metrics", "services", "endpoints"]
    verbs: ["get", "watch", "list"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
    verbs: ["watch", "list"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["watch", "list"]

Note: Replacing clusterRoleRules overrides the entire default rule set. If you only need to add permissions for custom resources, use additionalClusterRoleRules instead.

additionalClusterRoleRules

Variable: additionalClusterRoleRules

Description: Appends extra ClusterRole rules to the default clusterRoleRules. Use this to grant the agent permission to watch Custom Resource Definitions (CRDs) without modifying the base rules.

Default: [] (empty)

Example — grant access to ArgoCD and Prometheus Operator CRDs:

additionalClusterRoleRules:
  - apiGroups: ["argoproj.io"]
    resources: ["applications", "appprojects"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["monitoring.coreos.com"]
    resources: ["prometheusrules", "servicemonitors"]
    verbs: ["get", "list", "watch"]

Inline:

helm upgrade edgedelta edgedelta/edgedelta \
  --reuse-values \
  --set-json 'additionalClusterRoleRules=[{"apiGroups":["argoproj.io"],"resources":["applications"],"verbs":["get","list","watch"]}]' \
  -n edgedelta

Tip: For GitOps workflows, add additionalClusterRoleRules to your existing values.yaml file. See Kubernetes Event Source — Custom Resource Permissions for a full walkthrough.
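Because an explicit clusterRoleRules replaces the whole default set while additionalClusterRoleRules only appends, it helps to audit the effective rule list before applying it. The following is an added example, not code from the Edge Delta chart, that models that merge and runs a least-privilege review over the result: it flags wildcards, access to secrets, and write verbs outside the two places the baseline above legitimately writes (events and coordination leases), and it lists which baseline grants an override drops. The rule sets are Python literals constructed from the YAML examples above so the script runs without PyYAML; the function names and the over-broad sample are assumptions for this illustration.

```python
# Constructed rule sets mirroring the minimal baseline and the
# additionalClusterRoleRules example above.
BASELINE_RULES = [
    {"apiGroups": [""],
     "resources": ["namespaces", "pods", "pods/log", "events", "nodes",
                   "nodes/metrics", "services", "endpoints"],
     "verbs": ["get", "watch", "list"]},
    {"apiGroups": [""], "resources": ["events"], "verbs": ["create"]},
    {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    {"apiGroups": ["metrics.k8s.io"], "resources": ["pods", "nodes"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"],
     "resources": ["daemonsets", "deployments", "replicasets", "statefulsets"],
     "verbs": ["watch", "list"]},
    {"apiGroups": ["batch"], "resources": ["jobs", "cronjobs"], "verbs": ["watch", "list"]},
]
EXTRA_RULES = [
    {"apiGroups": ["argoproj.io"], "resources": ["applications", "appprojects"],
     "verbs": ["get", "list", "watch"]},
]
# A deliberately over-broad override, constructed to show what the audit flags.
OVERBROAD_RULES = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
]

READ_ONLY = {"get", "list", "watch"}
# (apiGroup, resource) pairs where the baseline needs writes: event emission and leader election.
EXPECTED_WRITES = {("", "events"), ("coordination.k8s.io", "leases")}


def effective_rules(cluster_role_rules, additional_rules=()):
    """Model the chart's merge: additionalClusterRoleRules are appended to
    clusterRoleRules; an explicit clusterRoleRules replaces the default set entirely."""
    return list(cluster_role_rules) + list(additional_rules)


def grants(rules):
    """Flatten rules into a set of (apiGroup, resource, verb) triples."""
    out = set()
    for rule in rules:
        for group in rule["apiGroups"]:
            for resource in rule["resources"]:
                for verb in rule["verbs"]:
                    out.add((group, resource, verb))
    return out


def audit_rules(rules):
    """Findings a reviewer would raise before applying a ClusterRole override."""
    findings = []
    for group, resource, verb in sorted(grants(rules)):
        if "*" in (group, resource, verb):
            findings.append(f"wildcard grant: apiGroup={group!r} resource={resource!r} verb={verb!r}")
        elif resource == "secrets":
            findings.append(f"{verb} on secrets; the agent baseline does not need secret access")
        elif verb not in READ_ONLY and (group, resource) not in EXPECTED_WRITES:
            findings.append(f"write verb {verb!r} on {group or 'core'}/{resource} beyond the baseline")
    return findings


def dropped_from(baseline, override):
    """Baseline grants the override no longer includes (what may stop working)."""
    return sorted(grants(baseline) - grants(override))


if __name__ == "__main__":
    merged = effective_rules(BASELINE_RULES, EXTRA_RULES)
    print("baseline + extra findings:", audit_rules(merged))
    print("over-broad findings:", audit_rules(OVERBROAD_RULES))
    print("dropped by a pods-only override:", dropped_from(BASELINE_RULES, BASELINE_RULES[:1]))
```

Run it against the rules you intend to pass with --set-json or in values.yaml; an empty findings list from audit_rules and an acceptable dropped_from list are the two checks worth gating a GitOps merge on.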

Pod-Security / SCC (OpenShift & hardened clusters)

Configure pod security policies, Security Context Constraints (SCC) for OpenShift, SELinux labels, and AppArmor profiles for hardened Kubernetes environments.

Variable: podSecurity.securityContextConstraints.create

Default: false

Description: When true, the chart creates an OpenShift SCC or equivalent PodSecurityPolicy so Edge Delta agents can run.

Variable: podSecurity.privileged

Default: false

Description: Grants privileged: true to containers. Required for the eBPF traffic-tracer or when host-network access is needed.

Variable: podSecurity.seLinuxContext.*

Default: (unset)

Description: Defines SELinux labels. OpenShift expects spc_t for privileged workloads.

Variable: podSecurity.apparmor.enabled / podSecurity.apparmor.profile

Default: false / unconfined

Description: Enable AppArmor and select a profile (Ubuntu, AWS Bottlerocket, etc.).

Typical values file:

podSecurity:
  securityContextConstraints:
    create: true           # generate SCC/PSP
  privileged: true         # container runs privileged (required by eBPF)
  seLinuxContext:
    type: MustRunAs
    seLinuxOptions:
      type: spc_t          # OpenShift privileged profile
  apparmor:
    enabled: true
    profile: runtime/default

Inline:

--set podSecurity.securityContextConstraints.create=true \
--set podSecurity.privileged=true
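The settings in this section interact: privileged is only justified by the eBPF traffic-tracer or host-network access, a privileged pod on OpenShift needs the SCC the chart can create and the spc_t SELinux type, and an AppArmor profile of unconfined gives no confinement at all. The following is an added example, not part of the Edge Delta chart, that lints a podSecurity values block for those combinations. The sample values are constructed (the hardened one follows the typical values file above), and the function name and the needs_ebpf / openshift flags are assumptions for this illustration.

```python
# Constructed podSecurity blocks: the typical values file above and a weaker variant.
HARDENED = {
    "securityContextConstraints": {"create": True},
    "privileged": True,
    "seLinuxContext": {"type": "MustRunAs", "seLinuxOptions": {"type": "spc_t"}},
    "apparmor": {"enabled": True, "profile": "runtime/default"},
}
WEAK = {
    "securityContextConstraints": {"create": False},
    "privileged": True,
    "apparmor": {"enabled": True, "profile": "unconfined"},
}


def lint_pod_security(pod_security, needs_ebpf=False, openshift=False):
    """Return findings for a podSecurity values block.

    needs_ebpf: the deployment uses the eBPF traffic-tracer or host networking,
                the only reasons the page gives for privileged=true.
    openshift:  the target is OpenShift, where privileged pods need an SCC and spc_t.
    """
    findings = []
    privileged = bool(pod_security.get("privileged", False))
    scc_create = bool((pod_security.get("securityContextConstraints") or {}).get("create", False))
    apparmor = pod_security.get("apparmor") or {}
    selinux_opts = (pod_security.get("seLinuxContext") or {}).get("seLinuxOptions") or {}
    selinux_type = selinux_opts.get("type")

    if privileged and not needs_ebpf:
        findings.append("privileged=true but no eBPF/host-network feature requested; drop it")
    if privileged and openshift and not scc_create:
        findings.append("privileged pods on OpenShift need an SCC: set securityContextConstraints.create=true")
    if privileged and openshift and selinux_type != "spc_t":
        findings.append("OpenShift expects seLinuxOptions.type=spc_t for privileged workloads")
    if apparmor.get("enabled") and apparmor.get("profile", "unconfined") == "unconfined":
        findings.append("AppArmor enabled with the unconfined profile; prefer runtime/default")
    return findings


if __name__ == "__main__":
    print("hardened:", lint_pod_security(HARDENED, needs_ebpf=True, openshift=True))
    print("weak on OpenShift:", lint_pod_security(WEAK, needs_ebpf=True, openshift=True))
    print("weak, no eBPF:", lint_pod_security(WEAK))
```

An empty list for the hardened block and three findings for the weak one on OpenShift is the expected outcome; when the eBPF tracer is not in use, the lint also tells you to drop privileged entirely.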