Configuration
Basic settings for your deployment.| Option | Description |
|---|---|
| Organization Name | Your organization’s display name |
| Application Domain Name | The domain where Cysmiq will be accessible (required) |
Expose Services
Choose how to make Cysmiq accessible from outside the cluster.| Mode | Description |
|---|---|
| DIY | Manual configuration for custom setups |
| Ingress | Standard Kubernetes Ingress (default) |
| Contour HTTPProxy | For clusters using Contour |
| NodePort | Direct NodePort access |
Ingress options
When using Ingress mode:| Option | Description |
|---|---|
| Ingress Class Name | The IngressClass cluster resource name |
| Admin Console Hostname | Hostname for the Admin Console (leave blank to disable) |
| Cysmiq Hostname | Hostname for the main application |
| Use TLS with Ingress | Enable TLS termination (default: enabled) |
| Annotations | Custom annotations for your ingress controller |
HTTPProxy options
When using Contour HTTPProxy mode:| Option | Description |
|---|---|
| HTTPProxy Hostname | The fully qualified domain name |
| Use TLS with HTTPProxy | Enable TLS termination (default: enabled). Use BYO TLS to have Cysmiq create the TLS secret from your certificate and key, or leave BYO TLS disabled to provision the secret externally |
| Annotations | Custom annotations (e.g., cert-manager settings) |
NodePort options
When using NodePort mode:| Option | Description |
|---|---|
| Admin Console NodePort | Port for Admin Console (30000-32767) |
| Cysmiq HTTP NodePort | Port for HTTP access (30000-32767) |
| Cysmiq HTTPS NodePort | Port for HTTPS access (when BYO TLS enabled) |
| Caddy Service Custom Labels | Custom labels for the Caddy Service (YAML key value pairs) |
Database
Choose between embedded or external MySQL.| Type | Description |
|---|---|
| Embedded MySQL | Managed MySQL instance within the cluster (default) |
| External Database | Connect to your own MySQL-compatible database |
Embedded database options
Advanced MySQL fields appear after enabling Configure MySQL.| Option | Description | Default |
|---|---|---|
| Configure MySQL | Show advanced embedded MySQL configuration fields | Disabled |
| InnoDB Buffer Pool Size | Size of the InnoDB buffer pool for embedded MySQL. For dedicated database nodes, set this to 50% to 70% of available RAM | 128M |
| Enable MySQL Slow Query Log | Log queries that exceed the configured slow query threshold | Enabled |
| MySQL Slow Query Long Query Time (seconds) | Slow query threshold in seconds. Fractional values are supported. Appears when Enable MySQL Slow Query Log is enabled | 5 |
| InnoDB Flush Log at Transaction Commit | Controls InnoDB durability and write throughput. Options are 1, 2, or 0 | 1 |
| Max Connections | Maximum simultaneous MySQL client connections | 151 |
| Max Allowed Packet | Maximum packet or generated string size. Accepts MySQL size notation such as 16M, 64M, or 1G | 16M |
| InnoDB Log File Size | Size of each InnoDB redo log file. Accepts MySQL size notation | 48M |
| InnoDB Flush Method | Method used to flush InnoDB data and log files. Options are fsync, O_DIRECT, or O_DIRECT_NO_FSYNC | fsync |
External database options
| Option | Description |
|---|---|
| Database Connection | Connection type (default: mysql) |
| Database Host | Hostname or IP of your database server |
| Database Port | Connection port (default: 3306) |
| Database Name | Database name (default: guardrails) |
| Database Username | Database user |
| Database Password | Database password |
Storage
Customize persistent storage settings. Storage fields appear after enabling Configure Storage Settings.| Option | Description | Default |
|---|---|---|
| Configure Storage Settings | Show storage configuration fields | Disabled |
| Storage Class Name | Custom storage class for all PVCs | (cluster default) |
| MinIO Storage Size | Storage for object storage | 10Gi |
| RabbitMQ Storage Size | Storage for message queue | 8Gi |
| Redis KVDB Storage Size | Storage for key-value store | 8Gi |
| MySQL Storage Size | Storage for embedded database | 8Gi |
Analysis service storage
Each analysis service can use either temporary (EmptyDir) or persistent storage. Choose the volume type first, then size.| Service | Volume Type Options | Default Size |
|---|---|---|
| Source Manager | EmptyDir / PVC | 10Gi |
| Code Analysis | EmptyDir / PVC | 10Gi |
| SBOM Analysis | EmptyDir / PVC | 10Gi |
RabbitMQ
Choose between embedded or external RabbitMQ.| Type | Description |
|---|---|
| Embedded RabbitMQ | Managed RabbitMQ within the cluster (default) |
| External RabbitMQ | Connect to your own RabbitMQ instance |
Embedded RabbitMQ options
| Option | Description | Default |
|---|---|---|
| Max Message Size (bytes) | Maximum RabbitMQ message size in bytes for embedded RabbitMQ. RabbitMQ’s hard ceiling is 536870912 bytes | 16777216 |
External RabbitMQ options
| Option | Description | Default |
|---|---|---|
| RabbitMQ Host | Hostname or IP | - |
| RabbitMQ Port | Connection port | 5672 |
| RabbitMQ User | Username | - |
| RabbitMQ Password | Password | - |
| RabbitMQ Virtual Host | Virtual host path | - |
| Option | Description |
|---|---|
| Configure Mail | Show SMTP configuration fields |
| Mailer | Mail transport type (default: smtp) |
| Mail Host | SMTP server hostname |
| Mail Port | SMTP port (default: 1025) |
| Mail From Address | Sender email address |
| Mail From Name | Sender display name |
| Mail Username | SMTP authentication username |
| Mail Password | SMTP authentication password |
| Mail Encryption | Encryption method (e.g., tls) |
Resource Requests and Limits
Customize CPU and memory allocation for each service. CPU and memory request and limit fields appear after enabling Configure resource requests and limits.| Service | CPU Request | CPU Limit | Memory Request | Memory Limit |
|---|---|---|---|---|
| Cysmiq | 100m | 500m | 128Mi | 1Gi |
| Cysmiq Horizon | 500m | 2000m | 4Gi | 8Gi |
| Cysmiq WS | 50m | 200m | 64Mi | 512Mi |
| Cysmiq Scheduler | 50m | 200m | 32Mi | 256Mi |
| Code Analysis | 50m | 1000m | 32Mi | 1Gi |
| SBOM Analysis | 50m | 200m | 32Mi | 1Gi |
| Source Manager | 50m | 200m | 64Mi | 1Gi |
| Embedded Database | 200m | 1000m | 512Mi | 2Gi |
| RabbitMQ | 256m | 1000m | 1Gi | 2Gi |
| Redis KVDB | 50m | 200m | 64Mi | 1Gi |
| Redis Cache | 50m | 200m | 64Mi | 1500Mi |
| MinIO | 200m | 1000m | 512Mi | 1Gi |
- Redis Cache Max Memory
- MinIO Ephemeral Storage Requests
- MinIO Ephemeral Storage Limits
- PHP Memory Limit: PHP
memory_limitfor the Cysmiq application. Default:256M
Scaling
Configure replica counts for horizontal scaling. Fields appear after enabling Configure internal service scaling.| Service | Default Replicas |
|---|---|
| Cysmiq | 1 |
| Cysmiq Horizon | 1 |
| Cysmiq WS | 1 |
| Cysmiq Scheduler | 1 |
| Code Analysis | 1 |
| SBOM Analysis | 1 |
| Source Manager | 1 |
| Cysmiq Caddy | 1 |
Networking
| Option | Description | Default |
|---|---|---|
| IP Stack Mode | Dual Stack (IPv4+IPv6) or IPv6 Only | Dual Stack |
Proxy
Configure HTTP proxy for outbound connections. Fields appear after enabling Configure HTTP Proxy.| Option | Description |
|---|---|
| HTTP_PROXY | HTTP proxy URL |
| HTTPS_PROXY | HTTPS proxy URL |
| NO_PROXY | Comma-separated hosts to exclude from proxying |
Security
| Option | Description | Default |
|---|---|---|
| Enforce SSL | Require HTTPS connections | Enabled |
| Enable Network Policies | Deploy NetworkPolicy resources | Disabled |
| Create Role and RoleBinding for Cysmiq | Grant the Cysmiq service account permission to get, list, and watch resources in the namespace. Disable this if RBAC is managed externally | Enabled |
| Use custom service account for Cysmiq | ServiceAccount name for Cysmiq pods when you manage service accounts outside the default deployment | - |
| Egress CIDRs | Allowed egress CIDR blocks for analysis services | 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fc00::/7 |
BYO TLS Certificate
For Contour HTTPProxy, DIY, or NodePort exposure modes:| Option | Description |
|---|---|
| Use your own TLS certificate and key | Create the TLS secret from a PEM-encoded certificate and private key. Ignored for Ingress mode |
| TLS Certificate | PEM-encoded certificate (with chain) |
| TLS Private Key | PEM-encoded private key |
tls-<hostname> secret used by HTTPProxy. For DIY or NodePort, the certificate creates the guardrails-ai-tls secret used by Caddy and enables HTTPS on port 443.
Telemetry
| Option | Description |
|---|---|
| Telemetry Mode | Send error telemetry to Cysmiq or disable collection |
Scanning Configuration
| Option | Description | Default |
|---|---|---|
| Enable Code-Analysis Memory Sampling | Memory profiling for analysis | Disabled |
| Code Analysis Process Pool Workers | Number of process workers | 1 |
| Code Analysis Thread Pool Workers | Number of thread workers | 1 |
| Enable GitHub Checks | Post check results to GitHub | Enabled |
| Enable GitHub PR Comments | Post PR comments | Enabled |
| Scan Concurrency Limit | Maximum concurrent scans | (unlimited) |
| Dependency Timeout | Timeout in seconds for source manager and object storage connections used by code analysis and SBOM analysis | 300 |
| Queue Timeout | Timeout in seconds for queue jobs in code analysis and SBOM analysis | 600 |
| App Custom Environment Variables | YAML key/value pairs appended to the Cysmiq application ConfigMap. Content must use KEY: "value" format | - |