Skip to main content
Cysmiq self-hosted deployments are configured through the Replicated Admin Console. This page documents the available configuration options.

Configuration

Basic settings for your deployment.
OptionDescription
Organization NameYour organization’s display name
Application Domain NameThe domain where Cysmiq will be accessible (required)

Expose Services

Choose how to make Cysmiq accessible from outside the cluster.
ModeDescription
DIYManual configuration for custom setups
IngressStandard Kubernetes Ingress (default)
Contour HTTPProxyFor clusters using Contour
NodePortDirect NodePort access

Ingress options

When using Ingress mode:
OptionDescription
Ingress Class NameThe IngressClass cluster resource name
Admin Console HostnameHostname for the Admin Console (leave blank to disable)
Cysmiq HostnameHostname for the main application
Use TLS with IngressEnable TLS termination (default: enabled)
AnnotationsCustom annotations for your ingress controller

HTTPProxy options

When using Contour HTTPProxy mode:
OptionDescription
HTTPProxy HostnameThe fully qualified domain name
Use TLS with HTTPProxyEnable TLS termination (default: enabled). Use BYO TLS to have Cysmiq create the TLS secret from your certificate and key, or leave BYO TLS disabled to provision the secret externally
AnnotationsCustom annotations (e.g., cert-manager settings)

NodePort options

When using NodePort mode:
OptionDescription
Admin Console NodePortPort for Admin Console (30000-32767)
Cysmiq HTTP NodePortPort for HTTP access (30000-32767)
Cysmiq HTTPS NodePortPort for HTTPS access (when BYO TLS enabled)
Caddy Service Custom LabelsCustom labels for the Caddy Service (YAML key value pairs)

Database

Choose between embedded or external MySQL.
TypeDescription
Embedded MySQLManaged MySQL instance within the cluster (default)
External DatabaseConnect to your own MySQL-compatible database

Embedded database options

Advanced MySQL fields appear after enabling Configure MySQL.
OptionDescriptionDefault
Configure MySQLShow advanced embedded MySQL configuration fieldsDisabled
InnoDB Buffer Pool SizeSize of the InnoDB buffer pool for embedded MySQL. For dedicated database nodes, set this to 50% to 70% of available RAM128M
Enable MySQL Slow Query LogLog queries that exceed the configured slow query thresholdEnabled
MySQL Slow Query Long Query Time (seconds)Slow query threshold in seconds. Fractional values are supported. Appears when Enable MySQL Slow Query Log is enabled5
InnoDB Flush Log at Transaction CommitControls InnoDB durability and write throughput. Options are 1, 2, or 01
Max ConnectionsMaximum simultaneous MySQL client connections151
Max Allowed PacketMaximum packet or generated string size. Accepts MySQL size notation such as 16M, 64M, or 1G16M
InnoDB Log File SizeSize of each InnoDB redo log file. Accepts MySQL size notation48M
InnoDB Flush MethodMethod used to flush InnoDB data and log files. Options are fsync, O_DIRECT, or O_DIRECT_NO_FSYNCfsync

External database options

OptionDescription
Database ConnectionConnection type (default: mysql)
Database HostHostname or IP of your database server
Database PortConnection port (default: 3306)
Database NameDatabase name (default: guardrails)
Database UsernameDatabase user
Database PasswordDatabase password

Storage

Customize persistent storage settings. Storage fields appear after enabling Configure Storage Settings.
OptionDescriptionDefault
Configure Storage SettingsShow storage configuration fieldsDisabled
Storage Class NameCustom storage class for all PVCs(cluster default)
MinIO Storage SizeStorage for object storage10Gi
RabbitMQ Storage SizeStorage for message queue8Gi
Redis KVDB Storage SizeStorage for key-value store8Gi
MySQL Storage SizeStorage for embedded database8Gi

Analysis service storage

Each analysis service can use either temporary (EmptyDir) or persistent storage. Choose the volume type first, then size.
ServiceVolume Type OptionsDefault Size
Source ManagerEmptyDir / PVC10Gi
Code AnalysisEmptyDir / PVC10Gi
SBOM AnalysisEmptyDir / PVC10Gi

RabbitMQ

Choose between embedded or external RabbitMQ.
TypeDescription
Embedded RabbitMQManaged RabbitMQ within the cluster (default)
External RabbitMQConnect to your own RabbitMQ instance

Embedded RabbitMQ options

OptionDescriptionDefault
Max Message Size (bytes)Maximum RabbitMQ message size in bytes for embedded RabbitMQ. RabbitMQ’s hard ceiling is 536870912 bytes16777216

External RabbitMQ options

OptionDescriptionDefault
RabbitMQ HostHostname or IP-
RabbitMQ PortConnection port5672
RabbitMQ UserUsername-
RabbitMQ PasswordPassword-
RabbitMQ Virtual HostVirtual host path-

Mail

Configure SMTP for email notifications. Mail fields appear after enabling Configure Mail.
OptionDescription
Configure MailShow SMTP configuration fields
MailerMail transport type (default: smtp)
Mail HostSMTP server hostname
Mail PortSMTP port (default: 1025)
Mail From AddressSender email address
Mail From NameSender display name
Mail UsernameSMTP authentication username
Mail PasswordSMTP authentication password
Mail EncryptionEncryption method (e.g., tls)

Resource Requests and Limits

Customize CPU and memory allocation for each service. CPU and memory request and limit fields appear after enabling Configure resource requests and limits.
ServiceCPU RequestCPU LimitMemory RequestMemory Limit
Cysmiq100m500m128Mi1Gi
Cysmiq Horizon500m2000m4Gi8Gi
Cysmiq WS50m200m64Mi512Mi
Cysmiq Scheduler50m200m32Mi256Mi
Code Analysis50m1000m32Mi1Gi
SBOM Analysis50m200m32Mi1Gi
Source Manager50m200m64Mi1Gi
Embedded Database200m1000m512Mi2Gi
RabbitMQ256m1000m1Gi2Gi
Redis KVDB50m200m64Mi1Gi
Redis Cache50m200m64Mi1500Mi
MinIO200m1000m512Mi1Gi
Additional options:
  • Redis Cache Max Memory
  • MinIO Ephemeral Storage Requests
  • MinIO Ephemeral Storage Limits
  • PHP Memory Limit: PHP memory_limit for the Cysmiq application. Default: 256M

Scaling

Configure replica counts for horizontal scaling. Fields appear after enabling Configure internal service scaling.
ServiceDefault Replicas
Cysmiq1
Cysmiq Horizon1
Cysmiq WS1
Cysmiq Scheduler1
Code Analysis1
SBOM Analysis1
Source Manager1
Cysmiq Caddy1

Networking

OptionDescriptionDefault
IP Stack ModeDual Stack (IPv4+IPv6) or IPv6 OnlyDual Stack

Proxy

Configure HTTP proxy for outbound connections. Fields appear after enabling Configure HTTP Proxy.
OptionDescription
HTTP_PROXYHTTP proxy URL
HTTPS_PROXYHTTPS proxy URL
NO_PROXYComma-separated hosts to exclude from proxying

Security

OptionDescriptionDefault
Enforce SSLRequire HTTPS connectionsEnabled
Enable Network PoliciesDeploy NetworkPolicy resourcesDisabled
Create Role and RoleBinding for CysmiqGrant the Cysmiq service account permission to get, list, and watch resources in the namespace. Disable this if RBAC is managed externallyEnabled
Use custom service account for CysmiqServiceAccount name for Cysmiq pods when you manage service accounts outside the default deployment-
Egress CIDRsAllowed egress CIDR blocks for analysis services10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fc00::/7

BYO TLS Certificate

For Contour HTTPProxy, DIY, or NodePort exposure modes:
OptionDescription
Use your own TLS certificate and keyCreate the TLS secret from a PEM-encoded certificate and private key. Ignored for Ingress mode
TLS CertificatePEM-encoded certificate (with chain)
TLS Private KeyPEM-encoded private key
For Contour HTTPProxy, the certificate creates the tls-<hostname> secret used by HTTPProxy. For DIY or NodePort, the certificate creates the guardrails-ai-tls secret used by Caddy and enables HTTPS on port 443.

Telemetry

OptionDescription
Telemetry ModeSend error telemetry to Cysmiq or disable collection

Scanning Configuration

OptionDescriptionDefault
Enable Code-Analysis Memory SamplingMemory profiling for analysisDisabled
Code Analysis Process Pool WorkersNumber of process workers1
Code Analysis Thread Pool WorkersNumber of thread workers1
Enable GitHub ChecksPost check results to GitHubEnabled
Enable GitHub PR CommentsPost PR commentsEnabled
Scan Concurrency LimitMaximum concurrent scans(unlimited)
Dependency TimeoutTimeout in seconds for source manager and object storage connections used by code analysis and SBOM analysis300
Queue TimeoutTimeout in seconds for queue jobs in code analysis and SBOM analysis600
App Custom Environment VariablesYAML key/value pairs appended to the Cysmiq application ConfigMap. Content must use KEY: "value" format-