WebsiteGarden Core
Searchโ€ฆ
Main
welcome
๐ŸŒณ
Getting Started
Adding Your First Project
Running Triggered Workflows
๐ŸŒฟ
Guides
Authenticating to your Providers
Automatic Environment Cleanup
User Groups, Roles and Permissions
Authentication via SAML
StackStreams
Managing Secrets
One-click Preview Environments
๐ŸŒบ
VCS Providers
Setting Up a GitHub App
Setting Up a GitLab App
๐Ÿ’
Cloud
Requirements
๐ŸŒป
Enterprise (Self-Hosted)
Requirements
Installation
Updating Garden Enterprise
Vault
PostgreSQL Configuration
Creating KMS Keys
Creating an AWS Load Balancer
Monitoring Services
Environment Configuration
Updating the Admin Console
๐ŸŒน
Misc
Release Notes
FAQ
Troubleshooting
Powered By GitBook
Environment Configuration
This page contains a list of environment variables that you'll configure during the installation process. Some of these are required and must be at hand when you install Garden Enterprise.
These values are provided via the Replicated admin console. You can edit the configuration at any time. If you modify the configuration, Garden Enterprise will be re-deployed with the new values.
The values are grouped into categories for convenience.

General Settings

General Garden Enterprise settings.

Main Garden Enterprise Hostname

The fully qualified domain name for Garden Enterprise. This should point to the load balancer / ingress controller that exposes the Garden Enterprise cluster.
Type
Required
Default
Text
Yes
โ€‹

Kubernetes Version

The Kubernetes version of the cluster where Garden Enterprise is deployed.
Type
Required
Default
Options
Select One
No
<1.22
<1.22 >=1.22

TLS Secret

Optionally specify the name of the Kubernetes Secret to use as your TLS certificate. Only required if you're doing SSL termination at the ingress controller level. Note that the secret must be in the same namespace as the Garden Enterprise services (defaults to 'garden-enterprise') and that you must manage it yourself. If you use this field, we recommend creating the namespace and the secret prior to installing Garden Enterprise.
Type
Required
Default
Text
No
โ€‹

Log Level

The log level for the Garden Enterprise system loggers.
Type
Required
Default
Options
Select One
No
warn
Error Warn Info HTTP Verbose Debug Silly

API Replica Count

Number of replicas for the API service.
Type
Required
Default
Text
No
1

Automatically Install Ingress Controller

Check this box if you want Garden Enterprise to automatically install an Nginx ingress controller for the cluster. The ingress controller is installed either as a DaemonSet or a Deployment with a Load Balancer service in the main Garden Enterprise namespace. Leave this unchecked if you want to manage your own ingress controller(s).
Type
Required
Default
Boolean
No
0

Install Ingress Controller with a Load Balancer service or as a DaemonSet with HostPorts.

This field is only required if Automatically Install Ingress Controller is 1.
If you want to manage your own load balancer on your cloud provider choose the daemonset option. This option does not create a load balancer, but opens port 80 on each node. If you want a load balancer created and managed for you by the nginx ingress controller, choose the load balancer service option.
Type
Required
Default
Options
Select One
No
install_ingress_controller_daemonset
Install Ingress Controller with a Load Balancer Service Install Ingress Controller as a DaemonSet listening on HostPorts.

IngressClass Pod Annotation

This field is only required if Automatically Install Ingress Controller is 1.
The value for the 'kubernetes.io/ingress.class' Pod annotation. You only need to specify a different value than the default if you have multiple instances of the nginx ingress controller and the default value conflicts with existing annotations.
Type
Required
Default
Text
No
nginx

IngressClass Pod Annotation

This field is only required if Automatically Install Ingress Controller is 0.
The value for the 'kubernetes.io/ingress.class' Pod annotation.
Type
Required
Default
Text
No
โ€‹

Additional Ingress Annotations

Here you can add optional additional Ingress annotations for the Ingress resource. Add one annotation per line. For example: 'appgw.ingress.kubernetes.io/appgw-ssl-certificate: mysslcert'.
Type
Required
Default
โ€‹
No
โ€‹

Node Selectors

Optionally specify node selectors for the Garden Enterprise services. The value provided must be a string of key-value pairs where the pairs are separated by a ';' and the key and value by a '='. For example: 'app=garden-enterprise;disktype=ssd'.
Type
Required
Default
โ€‹
No
โ€‹

Container Runtime

Please select the container runtime in use in your cluster. If your Kubernetes cluster is managed by GCP, AWS, or Azure, and your Kubernete version is less than 1.19, this is typically docker (unless you've configured things otherwise). For versions 1.19 or greater, this will be containerd or another CRI compatible container runtime.
Type
Required
Default
Options
Select One
No
docker
Containerd Docker

Workflow Runner Config

Configuration for the workflows runner.

Workflow Namespace

The namespace in which workflow pods run on VCS events. Must be different from the namespace the other Garden Enterprise services run in.
Type
Required
Default
Text
No
garden-workflows

Workflow Runner Log Level

The CLI log level used when running triggered workflows.
Type
Required
Default
Options
Select One
No
debug
Error Warn Info Verbose Debug Silly

Vault Config

Configuration for the Hashicop Vault secrets backend.

KMS Provider

The name of your KMS provider. This and the values below are used for auto-unsealing Vault during the installation process.
Type
Required
Default
Options
Select One
No
gcp
Azure AWS GCP

Azure Application Client Id

This field is only required if KMS Provider is azure.
Type
Required
Default
Text
Yes
โ€‹

Azure Application Client Secret

This field is only required if KMS Provider is azure.
Type
Required
Default
Password
Yes
โ€‹

Azure Account Tenant Id

This field is only required if KMS Provider is azure.
Type
Required
Default
Text
Yes
โ€‹

Azure Vault Name

This field is only required if KMS Provider is azure.
Type
Required
Default
Text
Yes
โ€‹

Azure Key Name

This field is only required if KMS Provider is azure.
Type
Required
Default
Text
Yes
โ€‹

AWS Region

This field is only required if KMS Provider is aws.
The region where the KMS key was created.
Type
Required
Default
Text
Yes
โ€‹

AWS Access Key ID

This field is only required if KMS Provider is aws.
The Access Key ID of the principal attached to the KMS Key.
Type
Required
Default
Text
Yes
โ€‹

AWS Secret Access Key

This field is only required if KMS Provider is aws.
The Secret Access Key of the principal attached to the KMS Key.
Type
Required
Default
Password
Yes
โ€‹

AWS KMS ID

This field is only required if KMS Provider is aws.
The ID of KMS key.
Type
Required
Default
Text
Yes
โ€‹

GCP Region

This field is only required if KMS Provider is gcp.
Type
Required
Default
Text
Yes
โ€‹

GCP Project

This field is only required if KMS Provider is gcp.
Type
Required
Default
Text
Yes
โ€‹

GCP Key Ring

This field is only required if KMS Provider is gcp.
Type
Required
Default
Text
Yes
โ€‹

GCP Crypto Key

This field is only required if KMS Provider is gcp.
Type
Required
Default
Text
Yes
โ€‹

Vault AppRole RoleID

The ID of the Vault AppRole configured for the Vault server/cluster. If you're using the Vault instance that's bundled with Garden Enterprise, you will need to initialize Vault to retreive this.
Type
Required
Default
Password
No
โ€‹

Vault App Role Secret ID

The ID of the secret issued against the Vault AppRole. If you're using the Vault instance that's bundled with Garden Enterprise, you will need to initialize Vault to retreive this value.
Type
Required
Default
Password
No
โ€‹

SSO via SAML

Configuration for SSO using the SAML protocol.

Enable SSO

Check this box if you want to enable SSO.
Type
Required
Default
Boolean
No
0

SSO certificate.

This field is only required if Enable SSO is 1.
Your SSO certificate. Metadata must be stripped out and it must be in one line.
Type
Required
Default
Password
Yes
โ€‹

SSO Entry Point.

This field is only required if Enable SSO is 1.
The full URL to your identity provider's authentication endpoint.
Type
Required
Default
Text
Yes
โ€‹

VCS Config

Configuration for the VCS integration

VCS Provider

Your VCS provider. Used for authentication, importing projects, and optionally for running workflows on VCS events
Type
Required
Default
Options
Select One
No
github
GitHub Gitlab

GitHub Distribution

This field is only required if VCS Provider is github.
The GitHub Distribution currently in use
Type
Required
Default
Options
Select One
No
github-com
GitHub.com GitHub Enterprise Server GitHub Enterprise Cloud

GitHub Instance Hostname

This field is only required if VCS Provider is github.
The GitHub instance hostname: e.g. "github.your-domain.com". Defaults to "github.com".
Type
Required
Default
Text
Yes
github.com

GitHub App ID

This field is only required if VCS Provider is github.
The GitHub App's App ID. You'll find this on the GitHub App's settings page.
Type
Required
Default
Text
Yes
โ€‹

GitHub App Client ID

This field is only required if VCS Provider is github.
The GitHub App's client ID. You'll find this on the GitHub App's settings page.
Type
Required
Default
Text
Yes
โ€‹

GitHub App Client Secret

This field is only required if VCS Provider is github.
The GitHub App's client secret. You'll find this on the GitHub App's settings page.
Type
Required
Default
Text
No
โ€‹

GitHub App Webhook Secret

This field is only required if VCS Provider is github.
The webhook secret for the GitHub App. You can set this on the GitHub App's settings page.
Type
Required
Default
Password
Yes
โ€‹

Turn debugging on for GitHub Api client

This field is only required if VCS Provider is github.
Turn on debug logs for the GitHub Api client.
Type
Required
Default
Boolean
No
0

GitHub Private Key

This field is only required if VCS Provider is github.
The GitHub App's private key. You generate a private from the GitHub App's settings page.
Type
Required
Default
File
Yes
โ€‹

Gitlab Instance Hostname

This field is only required if VCS Provider is gitlab.
The hostname of your GitLab instance. If you're using hosted GitLab, this is simply gitlab.com.
Type
Required
Default
Text
Yes
โ€‹

Gitlab App ID

This field is only required if VCS Provider is gitlab.
The Application ID for the GitLab OAuth App that's used for authenticating users with Garden Enterprise.
Type
Required
Default
Text
Yes
โ€‹

Gitlab App Secret

This field is only required if VCS Provider is gitlab.
The Application Secret for the GitLab OAuth App that's used for authenticating users with Garden Enterprise.
Type
Required
Default
Text
Yes
โ€‹

Gitlab Access Token

This field is only required if VCS Provider is gitlab.
The access token for the GitLab user account that is used to interact with the GitLab API.
Type
Required
Default
Text
Yes
โ€‹

Gitlab Webhooks Secret

This field is only required if VCS Provider is gitlab.
A user generated secret value that is used when creating and validating webhooks from GitLab.
Type
Required
Default
Password
Yes
โ€‹

Database Config

Configuration for the PostgreSQL database.

Database Hostname

The hostname of the PostgreSQL database. This and the other database values below are used to connect to the PostgreSQL instance from the API service.
Type
Required
Default
Text
Yes
โ€‹

Database Port

The port the PostgreSQL database listens on.
Type
Required
Default
Text
Yes
5432

Database user name

The PostgreSQL user name.
Type
Required
Default
Text
Yes
โ€‹

Database name

The PostgreSQL database name.
Type
Required
Default
Text
Yes
โ€‹

Database Password

The PostgreSQL password.
Type
Required
Default
Password
Yes
โ€‹

SSL Mode

Select "Require" if your database connection is over SSL, otherwise "Disable".
Type
Required
Default
Options
Select One
No
disable
Disable Require

Seed data

Required database seed data

Username

The name of the first admin user that gets created on initialization
Type
Required
Default
Text
Yes
โ€‹

GitHub / GitLab username

The GitHub/GitLab username of the first admin user that gets created on initialization, depending on which VCS provider you're using. For GitHub, this is generally a username, not an email address, and is displayed when you click the profile image in the top right corner of the GitHb web UI. You can also find this one the admin users's GitHub profile page. For GitLab, this is the email address you use to log into GitLab.
Type
Required
Default
Text
Yes
โ€‹

Organization name

The name of the organization. Must be a valid RFC1035/RFC1123 (DNS) label (may contain lowercase letters, numbers and dashes, must start with a letter, and cannot end with a dash) and must not be longer than 63 characters.
Type
Required
Default
Text
Yes
โ€‹

Grafana Config

Configuration for the Grafana dashboard.

Install Grafana

Check this box if you want Garden Enterprise to automatically install a Grafana metrics dashboard. The Grafana dashboard will be installed in the main Garden Enterprise namespace. Note that Grafana requires a datasource such as Prometheus. You can choose to let Garden Entprise install Prometheus below or alternatively install your own Grafana datasource.
Type
Required
Default
Boolean
No
0

Enable Ingress for Grafana

This field is only required if Install Grafana is 1.
Check this box if you want to enable access to the Grafana metrics dashboard from outside the cluster. An ingress will be created with the public hostname you enter below.
Type
Required
Default
Boolean
No
0

Public Hostname for Grafana

This field is only required if Enable Ingress for Grafana is 1.
Public hostname for the Grafana metrics dashboard. If you don't want to publicly expose Grafana, uncheck the "Enable Ingress for Grafana" checkbox above.
Type
Required
Default
Text
No
โ€‹

Grafana Admin Password

This field is only required if Install Grafana is 1.
The admin password to the Grafana dashboard. You'll need this when first logging in.
Type
Required
Default
Password
No
โ€‹

Kibana Config

Configuration for the Kibana logs dashboard.

Install Kibana

Check this box if you want Garden Enterprise to automatically install a Kibana logs dashboard. The Kibana dashboard will be installed in the main Garden Enterprise namespace.
Type
Required
Default
Boolean
No
0

Enable Ingress for Kibana

This field is only required if Install Kibana is 1.
Check this box if you want to enable access to the Kibana logs dashboard from outside the cluster. An ingress will be created with the public hostname you enter below.
Type
Required
Default
Boolean
No
0

Public Hostname for Kibana

This field is only required if Enable Ingress for Kibana is 1.
Public URL for the Kibana logs dashboard. If you don't want to publicly expose Kibana, uncheck the "Enable Ingress for Kibana" checkbox above. | Type | Required | Default | | -------- | -------- | ----------- | | Text | No |

Prometheus Config

Configuration for Prometheus Server.

Install Prometheus

Check this box if you want Garden Enterprise to automatically install a Prometheus metrics server. The Prometheus server will be installed in the main Garden Enterprise namespace.
Type
Required
Default
Boolean
No
0

Fluentd Config

Configuration for Fluentd.

Install Fluentd

Check this box if you want Garden Enterprise to automatically install the Fluentd logs collector. Fluentd will be installed in the main Garden Enterprise namespace. Note that Fluentd expects to find an Elasticsearch host at 'elasticsearch-master.garden-enterprise'
Type
Required
Default
Boolean
No
0

Elasticsearch Config

Configuration for Elasticsearch.

Install Elasticsearch

Check this box if you want Garden Enterprise to automatically install an Elasticsearch search engine for logs. Elasticsearch will be installed in the main Garden Enterprise namespace.
Type
Required
Default
Boolean
No
0

JWT Certificates

Keys used to sign and verify JSON Web Tokens.

JWT Private Key

The private key used to sign JSON Web Tokens.
Type
Required
Default
File
Yes
โ€‹

JWT Public Key

The public key used to verify JSON Web Tokens.
Type
Required
Default
File
Yes
โ€‹

CRON Job Settings

Settings for maintenance and automatic environment cleanup CRON jobs.

In-Cluster Auth Token

A random, user-generated token that's used for authenticating maintenance and cleanup CronJobs against the API service.
Type
Required
Default
Password
Yes
โ€‹

Experimental Features

Use the checkboxes below to enable certain experimental features.
Enterprise (Self-Hosted) - Previous
Monitoring Services
Next - Enterprise (Self-Hosted)
Updating the Admin Console
Last modified 4mo ago
Copy link
Outline
General Settings
Main Garden Enterprise Hostname
Kubernetes Version
TLS Secret
Log Level
API Replica Count
Automatically Install Ingress Controller
Install Ingress Controller with a Load Balancer service or as a DaemonSet with HostPorts.
IngressClass Pod Annotation
IngressClass Pod Annotation
Additional Ingress Annotations
Node Selectors
Container Runtime
Workflow Runner Config
Workflow Namespace
Workflow Runner Log Level
Vault Config
KMS Provider
Azure Application Client Id
Azure Application Client Secret
Azure Account Tenant Id
Azure Vault Name
Azure Key Name
AWS Region
AWS Access Key ID
AWS Secret Access Key
AWS KMS ID
GCP Region
GCP Project
GCP Key Ring
GCP Crypto Key
Vault AppRole RoleID
Vault App Role Secret ID
SSO via SAML
Enable SSO
SSO certificate.
SSO Entry Point.
VCS Config
VCS Provider
GitHub Distribution
GitHub Instance Hostname
GitHub App ID
GitHub App Client ID
GitHub App Client Secret
GitHub App Webhook Secret
Turn debugging on for GitHub Api client
GitHub Private Key
Gitlab Instance Hostname
Gitlab App ID
Gitlab App Secret
Gitlab Access Token
Gitlab Webhooks Secret
Database Config
Database Hostname
Database Port
Database user name
Database name
Database Password
SSL Mode
Seed data
Username
GitHub / GitLab username
Organization name
Grafana Config
Install Grafana
Enable Ingress for Grafana
Public Hostname for Grafana
Grafana Admin Password
Kibana Config
Install Kibana
Enable Ingress for Kibana
Public Hostname for Kibana
Prometheus Config
Install Prometheus
Fluentd Config
Install Fluentd
Elasticsearch Config
Install Elasticsearch
JWT Certificates
JWT Private Key
JWT Public Key
CRON Job Settings
In-Cluster Auth Token
Experimental Features