Skip to content

Client controller

Details of how to configure the client controller service.

Certificate renewals

The client controller is responsible for initializing certificates for mutual TLS between kdb Insights Enterprise and external clients, e.g. RT clients.

Variable Type Example Default
env.KXI_CERT_RENEW_BEFORE string 15m
env.KXI_CERT_DURATION string 1h

Certificates managed by cert-manager are automatically renewed before they expired.

Cert-manager will calculate when to renew a certificate based on its duration and a 'renew before' setting which specifies how long before expiry a certificate should be renewed. The default duration for certificates is 90 days and the default 'renew before' setting is 15 days. So, by default a 90 day certificate will be renewed 15 days before it is due to expire. The default values for duration and 'renew before' can be overridden using the KXI_CERT_DURATION and KXI_CERT_RENEW_BEFORE environment variables. These can be set in the base chart as follows


In this example, certificates will have a duration of 1 hour and will be renewed 15 minutes before they expire.

These values get mapped directly to the spec.duration and spec.renewBefore fields for certificate resources so they must be specified in Go time.duration format.

See the notes under for more information.

ReplicaCount and Resources

Client Controller can be tuned to allow the user to better align against available resources

  replicaCount: 1
      cpu: 100m
      memory: 128Mi
      cpu: 100m
      memory: 128Mi
variable type default description
replicaCount int 3 No. of Client Controller pods to run
resources.requests.cpu string 100m Requested CPU for the Client Controller
resources.requests.memory string 128Mi Requested memory for the Client Controller
resources.limits.cpu string 250m Max CPU given to Client Controller
resources.limits.memory string 128Mi Max Memory given to Client Controller