Custom K8s configuration
Note: For Helm chart installation, shared storage setup, and production architecture recommendations, see Helm Chart Configuration & Dependencies and Exivity Kubernetes best practices. This page covers advanced and custom configuration only.
On our GitHub page you can find some examples of custom configuration.
External PostgreSQL and RabbitMQ services are third-party middleware. Exivity documents the connection values required by the application, but you are responsible for provisioning, operating, securing, monitoring, backing up, and supporting those services.
External Database
Configuring Database
The application uses the embedded PostgreSQL chart dependency by default, based on the Bitnami PostgreSQL Helm chart. For production, use an external PostgreSQL service where possible and configure the connection through Helm values.
# SQL-config.yaml
postgresql:
  enabled: false
  host: exivity-db-host
  port: 5432
  global:
    postgresql:
      auth:
        database: exivity-db-name
        username: your-db-username-for-exivity
        password: set-this-from-the-command-line
Use randomly generated, secure passwords at install time: pass them with the --set or --set-string flag on the helm install command to override the default values.
Examples
# Example postgresql settings for use in your exivity values.yaml, when wanting to deploy a larger PostgreSQL instance
postgresql:
  # -- Install PostgreSQL
  enabled: true
  primary:
    # -- Size of the persistent volume
    persistence:
      size: 50Gi
    # -- Size of the buffers and memory used by PostgreSQL
    extendedConfiguration: |
      shared_buffers = 2GB
      work_mem = 32MB
      wal_buffers = 64MB
  global:
    postgresql:
      auth:
        # -- Database name
        database: exivity
        # -- Database username
        username: exivity
        # -- Database password
        password: Password12!
        # -- Database root password, not needed when you bring your own DB
        postgresPassword: Password13!
# Example postgresql settings for use in your exivity values.yaml, when using a separately hosted PostgreSQL instance
postgresql:
  # -- Don't deploy a PostgreSQL instance on the cluster
  enabled: false
  global:
    postgresql:
      auth:
        # -- Database name
        database: exivity
        # -- Database username
        username: exivity
        # -- Database password
        password: Password12!
        # -- Database root password, not needed when you bring your own DB
        postgresPassword: Password13!
  # -- Your own DB host
  host: "exivity.postgres.your.host"
  # -- Your own DB port
  port: 5432
  # -- Your own DB sslmode: disable, require, verify-ca, or verify-full
  sslmode: "require"
Database Initialization
By default, installing or upgrading the Exivity Helm deployment will also schedule a Job which will initialize the database. The script that is executed by the container running the tasks is idempotent. Running it on every chart deployment ensures that the state of the database is correct. The TTL for the job is set to 300 seconds.
Be mindful that spec.template.spec on a Job object is immutable; redeploying the application when the database-init Job object still exists may return an error for that reason.
External AMQP provider
The Exivity Helm chart embeds RabbitMQ by default through the Bitnami RabbitMQ Helm chart. Site-local in-cluster RabbitMQ is the recommended default for Exivity, but following the Bitnami container catalog changes on September 29, 2025, the embedded dependency now uses the unsupported bitnamilegacy/rabbitmq image. For production, keep RabbitMQ site-local but run it outside the Exivity chart, preferably with the RabbitMQ Cluster Operator, and connect Exivity through the values shown below. External or managed RabbitMQ is also valid when required by your platform standards. See the Best practices RabbitMQ section for the full recommendation.
# AMQP-config.yaml
rabbitmq:
  enabled: false
  host: your-ampq-host
  port: 5672
  vhost: /
  auth:
    username: your-AMPQ-username
    password: set-this-from-the-command-line
Details for all the available configuration options can be found on the chart page.
Use randomly generated, secure passwords at install time: pass them with the --set or --set-string flag on the helm install command to override the default values.
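One way to follow the password guidance given in the External Database and External AMQP provider sections, as an added example that is not part of the Exivity chart or documentation: it generates the two passwords once, keeps them in a 0600 file, and passes them with --set-string. The release name, chart reference, namespace, values.yaml and credentials file name are assumptions; the value paths come from the SQL-config.yaml and AMQP-config.yaml keys on this page.

```shell
#!/bin/sh
# Added example, not Exivity's own tooling. RELEASE, CHART, NAMESPACE,
# values.yaml and CRED_FILE are assumptions; adjust them to your install.
set -eu

RELEASE="${RELEASE:-exivity}"
CHART="${CHART:-exivity/exivity}"
NAMESPACE="${NAMESPACE:-exivity}"
CRED_FILE="${CRED_FILE:-./exivity-credentials.env}"

# Print N random alphanumeric characters drawn from /dev/urandom.
gen_password() {
  len="${1:-32}"; out=""
  while [ "${#out}" -lt "$len" ]; do
    out="${out}$(head -c 64 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')"
  done
  printf '%s' "$out" | cut -c "1-${len}"
}

# Create the credentials once (mode 0600) and reuse them on upgrades, so a
# later upgrade does not hand the chart a password the services never had.
load_credentials() {
  if [ ! -f "$CRED_FILE" ]; then
    ( umask 077
      printf 'DB_PASSWORD=%s\nMQ_PASSWORD=%s\n' \
        "$(gen_password 32)" "$(gen_password 32)" > "$CRED_FILE" )
  fi
  . "$CRED_FILE"
}

# Pass the secrets with --set-string so they are always treated as strings.
install_exivity() {
  load_credentials
  helm upgrade --install "$RELEASE" "$CHART" \
    --namespace "$NAMESPACE" --create-namespace \
    --values values.yaml \
    --set-string "postgresql.global.postgresql.auth.password=${DB_PASSWORD}" \
    --set-string "rabbitmq.auth.password=${MQ_PASSWORD}"
}

# Only touch the cluster when asked to: ./install.sh --apply
if [ "${1:-}" = "--apply" ]; then
  install_exivity
fi
```

Values passed with --set or --set-string appear in the process list while helm runs and are kept in the Helm release Secret, so restrict access to both the host and the namespace.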
Examples
# Example rabbitmq settings for use in your exivity values.yaml, when using a separately hosted RabbitMQ instance
rabbitmq:
  # -- Don't deploy a RabbitMQ instance on the cluster
  enabled: false
  clustering:
    enabled: false
  # -- The username and password to connect to your RabbitMQ instance
  auth:
    username: user
    password: pass
  # -- Your own RabbitMQ host
  host: "exivity.rabbitmq.your.host"
  # -- Your own RabbitMQ port
  port: 5672
  # -- Your own RabbitMQ vhost
  vhost: "/"
  # TLS connection: true/false
  secure: true
Random Key Generation
The Exivity application uses a number of randomly generated strings for cryptographic purposes. Two of these are generated when the Helm chart is installed for the first time. Both are deployed to the namespace as Kubernetes Secrets with a data entry containing a random 32-character alphanumeric string. These two secrets are:
- exivity-jwt-secret
- exivity-app-key
On subsequent upgrades the values are not edited.
When uninstalling the Helm chart, these objects will be removed, and the values deleted with them.
LDAP TLS Certificate
To trust a custom LDAP CA certificate for LDAP over TLS, set both ldap.tlsCacert and ldap.tlsCacertPath:
ldap:
  tlsCacert: |
    -----BEGIN CERTIFICATE-----
    [Your Root CA certificate here]
    -----END CERTIFICATE-----
  tlsCacertPath: "/etc/ssl/certs/ldap.pem"
The chart mounts the certificate into proximity-api and sets LDAPTLS_CACERT to the configured path.
USE CA Certificates
To add custom CA certificates for extractor traffic, set service.use.caCertificates:
service:
  use:
    caCertificates:
      rootCA.pem: |
        -----BEGIN CERTIFICATE-----
        [Your Root CA certificate here]
        -----END CERTIFICATE-----