
Sandboxing your cluster

Deploy an instance with no outbound network dependencies to Plural

Background

By default there are two ways your Plural Console will communicate with Plural:

  • An HTTP call to confirm feature entitlements against your current subscription
  • An OIDC handshake, if you have configured our OIDC provider

Both of these can be disabled individually or collectively. Other components might still make outbound network requests; in particular, we ship with two repos pre-configured:

  • https://github.com/pluralsh/deployment-operator
  • https://github.com/pluralsh/scaffolds

The former is much more important, as it hosts upgrades to our deployment agent (although nothing will break if it cannot be pulled because of proxy configuration).

Also, our deprecation and compatibility tracking ultimately sources its data from the https://github.com/pluralsh/console repo.

TLDR

You should read below to get a feel for what these configuration fields all mean, but a near-working setup of our chart for all these settings is given below (with the expectation that you plug in your install-specific values). These should be overlaid on the values that the plural CLI generates by default:

yaml
console:
  config:
    airgap: true # if you cannot allow egress
    agentHelmValues:
      image:
        repository: your.enterprise.registry/pluralsh/deployment-operator

      # configure agentk (if this isn't pullable kubernetes dashboarding functionality will break but deployments can still proceed)
      agentk:
        image:
          repository: your.enterprise.registry/pluralsh/agentk
  customOidc:
    enabled: true # if you want to bring your own OIDC provider
    clientId: some-client-id
    clientSecret: some-client-secret
    discoveryUrl: https://{your-idp-domain}/.well-known/openid-configuration

extraSecretEnv:
  CONSOLE_LICENSE_KEY: your-license-key # if you're using an airgapped license.
  CONSOLE_ADMIN_EMAILS: someone@example.com # if you want to auto-configure some emails as admins 

# If you need to disable built-in ingress tls
# main plural ingress
# ingress:
#   tls:
#     enabled: false

# # disable for KAS ingress too
# kas:
#   ingress:
#     tls:
#       enabled: false

global:
  registry: your.enterprise.registry

# configure kas image for the kubernetes proxy server setup
kas:
  agent:
    proxy:
      image:
        repository: your.enterprise.registry/some/nginx

  image:
    repository: your.enterprise.registry/pluralsh/kas

  redis:
    registry: your.enterprise.registry
    repository: redis

# if you need to enable the internal git server
gitServer:
  enabled: true # if you want to enable the built-in git server for our default repos, especially for sourcing the deployment operator
  repository: your.enterprise.registry/git-server
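
A pre-flight check for the overlay above, as an added example (not part of Plural's docs or tooling): it walks the parsed values and reports every image reference whose host is not your registry, plus a missing `airgap: true`. The function names, the `SAMPLE` dict and treating `airgap` as mandatory are assumptions of this example; loading a real file assumes PyYAML is installed.

```python
import sys

def image_refs(node, path=""):
    """Yield (path, ref) per image reference; a sibling registry: key is joined on."""
    if isinstance(node, dict):
        repo, reg = node.get("repository"), node.get("registry")
        if isinstance(repo, str):
            ref = f"{reg}/{repo}" if isinstance(reg, str) else repo
            yield f"{path}.repository".lstrip("."), ref
        elif isinstance(reg, str):
            yield f"{path}.registry".lstrip("."), reg
        for key, child in node.items():
            yield from image_refs(child, f"{path}.{key}".lstrip("."))
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from image_refs(child, f"{path}[{i}]")

def check_overlay(values, registry):
    """Return findings (empty list = clean); bare names like "redis" are flagged too."""
    findings, node = [], values
    for key in ("console", "config", "airgap"):
        node = node.get(key) if isinstance(node, dict) else None
    if node is not True:  # assumption: no egress is allowed at all
        findings.append("console.config.airgap is not true")
    for path, ref in image_refs(values):
        if ref.split("/", 1)[0] != registry:
            findings.append(f"{path}: {ref!r} is not under {registry}")
    return findings

REG = "your.enterprise.registry"
# Constructed sample shaped like the overlay above; one host is misspelled on purpose.
SAMPLE = {
    "console": {"config": {"airgap": True, "agentHelmValues": {
        "image": {"repository": f"{REG}/pluralsh/deployment-operator"},
        "agentk": {"image": {"repository": f"{REG}/pluralsh/agentk"}}}}},
    "global": {"registry": REG},
    "kas": {"agent": {"proxy": {"image": {"repository": "your.enteprise.registry/some/nginx"}}},
            "image": {"repository": f"{REG}/pluralsh/kas"},
            "redis": {"registry": REG, "repository": "redis"}},
    "gitServer": {"enabled": True, "repository": f"{REG}/git-server"},
}

if __name__ == "__main__":
    values = SAMPLE
    if len(sys.argv) > 1:  # usage: python check_overlay.py values.yaml
        import yaml  # PyYAML, assumed to be installed
        with open(sys.argv[1]) as fh:
            values = yaml.safe_load(fh) or {}
    problems = check_overlay(values, REG)
    sys.exit("\n".join(problems) if problems else 0)
```

Run it against the merged values before installing; a non-zero exit lists each reference that would be pulled from somewhere other than your registry.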