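---
# Default values for sebastian.helm.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
#
# NOTE(review): this file was reconstructed from a whitespace-collapsed copy, so
# the nesting below was inferred from key order and neighbouring comments. Confirm
# against the templates before relying on it, in particular: which keys sit under
# `config` (storage, runner), `setup` (applianceBootstrap, waitForBootstrap),
# `vaultAgent` (gcpServiceAccount, istio.sidecar) and `istio` (routes); the level
# of each component's `pullPolicy` / `entrypoint`; and the trailing
# `includeOutboundIPRanges` under `codeServer`.

namespace: msp
nameOverride: ""
fullnameOverride: ""
host: "localhost"

bootstrap:
  mode: recover

# Istio ingress configuration
istio:
  enabled: false
  gateway:
    selector:
      istio: ingress
    hosts:
      - sebastian.9minds.ai
      - green-sebastian.9minds.ai
      - blue-sebastian.9minds.ai
      - istio.9minds.ai
  routes:
    green:
      host: green-sebastian.9minds.ai
      service: sebastian-green
      port: 3000
    blue:
      host: blue-sebastian.9minds.ai
      service: sebastian-blue
      port: 3000
    default:
      host: sebastian.9minds.ai
      service: sebastian-green
      port: 3000
    istio:
      host: istio.9minds.ai
      service: sebastian-green
      port: 3000

# env: "development"

# FIXME: In image change nineminds to public when we make image public
setup:
  image:
    name: harbor.nineminds.com/nineminds/sebastian_setup
    is_private: true
    credentials: harbor-credentials
    tag: "latest"
  entrypoint: /opt/setup/entrypoint.sh
  pullPolicy: Always
  runMigrations: true
  runSeeds: true
  applianceBootstrap:
    enabled: false
    waitTimeoutSeconds: 300
    retryIntervalSeconds: 2
    lockTimeoutSeconds: 1800
    lockStaleSeconds: 120
    lockHeartbeatSeconds: 10
    waitForBootstrap:
      image:
        # Optional lightweight image with psql used by the app initContainer while
        # the bootstrap job owns migrations/seeds. Empty values fall back to setup.image.
        name: ""
        tag: ""
      pullPolicy: IfNotPresent

server:
  image:
    name: harbor.nineminds.com/nineminds/alga-psa
    is_private: true
    credentials: harbor-credentials
    tag: "4023e8f"
  hostNetwork: false
  verify_email: true
  # Maximum body size for Next.js server actions (e.g., extension uploads)
  serverActionsBodyLimit: "200mb"
  # App-wide search live indexing gate. Keep false during migration/backfill;
  # set true after search:backfill completes so event subscribers write updates.
  searchIndexLive: false
  pullPolicy: Always
  replicaCount: 2
  progressDeadlineSeconds: null
  service:
    type: "ClusterIP"
    port: 3000
  persistence:
    enabled: false
    size: 10Gi
    accessModes:
      - ReadWriteOnce
    storageClass: ""
    existingClaim: ""
    annotations: {}

hocuspocus:
  enabled: true
  image:
    name: harbor.nineminds.com/nineminds/sebastian_hocuspocus
    is_private: true
    credentials: harbor-credentials
    tag: "latest"
  pullPolicy: Always
  replicaCount: 1
  service:
    type: "ClusterIP"
    port: 1234

# OpenTelemetry app observability (traces). Off by default; opt-in per deployment.
# When enabled, the app exports OTLP traces to otlpEndpoint (the Alloy collector
# in production). See templates/deployment.yaml OBSERVABILITY block.
observability:
  enabled: false
  otlpEndpoint: ""
  # deploymentId: ""  # optional; sent as the X-Deployment-Id OTLP header

temporal:
  address: "temporal-frontend.temporal.svc.cluster.local:7233"
  namespace: "default"
  portalDomainTaskQueue: "portal-domain-workflows"

# Development Pod Configuration
devPod:
  enabled: false

podLabels: {}

podAnnotations:
  sidecar.istio.io/proxyMemory: "4Gi"

podSecurityContext: {}
  # fsGroup: 2000

securityContext: {}
  # capabilities:
  #   drop:
  #     - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000

resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

nodeSelector: {}

tolerations: []

affinity: {}

config:
  db:
    # Postgres configuration, only used if the top-level `db.enabled` is true
    type: postgres
    host: db
    port: 5432
    user: postgres
    # Placeholder default; override from a secret in any real deployment.
    password: password
    server_database: server
    hocuspocus_database: hocuspocus
    pgbouncer_user: ""
    pgbouncer_password: ""
    pgbouncer_password_secret:
      name: ""
      key: ""
  redis:
    # Redis configuration, only used if the top-level `redis.enabled` is true
    host: redis
    port: 6379
    # Prefer using a secret for the password.
    # If not provided, falls back to literal `password` below (legacy).
    passwordSecret:
      name: ""  # e.g., "redis-credentials"
      key: ""  # e.g., "REDIS_PASSWORD"
    password: password
    db: 0
  llm:
    # Placeholder values; supply real keys via the secrets provider, not here.
    openai: 'key-here'
    anthropic: 'key-here'
  extensions:
    # Root wildcard domain used for extension apps (e.g., ext.example.com)
    domainRoot: ""

  # Storage configuration
  storage:
    # Default storage provider configuration
    default_provider: 'local'  # Use 'local' for CE, 's3' for EE
    providers:
      # Local filesystem configuration (Community Edition)
      local:
        enabled: true
        base_path: '/data/files'  # Base path for file storage
        # Storage quotas and limits
        max_file_size: 104857600  # 100MB in bytes
        allowed_mime_types:
          - '*/*'  # Allow all file types
        retention_days: 30  # Number of days to retain files
      # S3 configuration (Enterprise Edition only)
      s3:
        enabled: false  # Set to true to enable S3 in enterprise edition
        region: 'us-west-2'
        bucket: 'company-files'
        # Separate bucket for extension bundles served by the runner. Required
        # for EE extensions; when unset, extension bundle uploads will fail
        # with a configuration error.
        bundle_bucket: 'alga-ext'
        access_key: ''  # AWS access key
        secret_key: ''  # AWS secret key
        endpoint: ''  # Optional custom endpoint for S3-compatible services
        # Storage quotas and limits
        max_file_size: 524288000  # 500MB in bytes
        allowed_mime_types:
          - '*/*'  # Allow all file types
        retention_days: 30  # Number of days to retain files
    # Storage locations configuration
    locations:
      documents:
        # Default location for document storage
        name: "Documents"
        path: "/documents"
        provider: "local"  # References the provider config above
        max_file_size: 104857600  # 100MB in bytes
        allowed_mime_types:
          - '*/*'  # Allow all file types
      avatars:
        # Location for user avatars
        name: "User Avatars"
        path: "/avatars"
        provider: "local"
        max_file_size: 5242880  # 5MB in bytes
        allowed_mime_types:
          - 'image/jpeg'
          - 'image/png'
          - 'image/gif'
    # File upload settings
    upload:
      temp_dir: '/tmp/uploads'
      max_concurrent: 3
      chunk_size: 5242880  # 5MB in bytes
    # Backup configuration
    backup:
      enabled: false
      schedule: '0 0 * * *'  # Daily at midnight
      retention:
        days: 30
        copies: 7

  # Runner/extension execution service configuration
  runner:
    # Internal URL for the Knative runner service (used for execute + debug stream)
    baseUrl: ""
    # Optional literal token for authenticating runner calls. Prefer using an existing
    # Kubernetes secret via serviceTokenSecret when running in production.
    serviceToken: ""
    serviceTokenSecret:
      name: ""  # e.g., alga-psa-shared
      key: ""  # e.g., ALGA_AUTH_KEY
    debugStream:
      redisUrl: ""
      redisUrlSecret:
        name: ""
        key: ""
      streamPrefix: "ext-debug:"
      maxLen: 2000

redis:
  enabled: true
  image:
    repository: redis
    tag: "latest"
  service:
    port: 6379
  persistence:
    enabled: true
    existingClaim: ""
    size: 20Gi
    storageClass: "local-path"

db:
  enabled: true
  image:
    repository: ankane/pgvector
    tag: "latest"
  service:
    port: 5432
  persistence:
    enabled: true
    existingClaim: ""
    size: 20Gi
    storageClass: "local-path"

pgbouncer:
  enabled: false
  service:
    name: pgbouncer
    port: 6432

persistence:
  enabled: true
  storageClass: "local-path"
  size: "50Gi"  # Size for local file storage
  keepPvcOnUninstall: false

email:
  enabled: false
  from: ""
  host: "smtp.example.com"
  port: 465
  user: ""
  password: ""
  # Optional: explicitly set provider ("smtp" or "resend"). If omitted, factory auto-detects based on RESEND_API_KEY
  provider: ""
  # For RESEND: prefer providing via secret
  resendApiKeySecret:
    name: ""  # e.g., resend-credentials
    key: ""  # e.g., RESEND_API_KEY
  # Or provide inline for dev/testing (DO NOT use in production)
  resendApiKey: ""
  # Optional custom base URL for self-hosted Resend or proxy
  resendBaseUrl: ""

crypto:
  salt_bytes: 12
  # NOTE(review): if these parameters feed a PBKDF2-style derivation, 1000
  # iterations is well below current guidance; confirm the consumer and
  # consider raising it per deployment (existing hashes would need migration).
  iteration: 1000
  key_length: 64
  algorithm: sha512

token:
  expires: 1h

auth:
  nextauth_session_expires: 86400

# API rate limiting
# Stage 3 of the rollout flips enforce to "true" so over-budget API
# requests return HTTP 429. With "false" (observation mode), denials
# only emit a structured WARN log + headers. See docs/api/api-rate-limiting-and-ticket-webhooks.md.
rateLimit:
  enforce: "false"

# Gmail Integration (Enterprise Edition)
gmail_integration:
  enabled: false
  client_id: ""
  client_secret: ""
  project_id: ""
  redirect_uri: ""

# Microsoft Graph (Microsoft 365) integration
microsoft_integration:
  enabled: false
  # Azure AD App Registration (delegated) credentials
  client_id: ""
  client_secret: ""
  # Use tenant GUID for single-tenant; use 'common' only for multi-tenant
  tenant_id: ""
  # OAuth redirect URI configured in the app registration
  redirect_uri: ""

# NinjaOne RMM Integration
ninjaone_integration:
  enabled: false
  client_id: ""
  client_secret: ""
  # Optional: specify default region (US, US2, EU, OC, CA)
  default_region: "US"

# Secret Provider Configuration
# Controls how secrets are read and written across different providers
# NOTE(review): `secrets_provider` further down declares the same settings;
# confirm which key the templates read and remove the other.
secrets:
  # Comma-separated list of providers to try for reading secrets, in order
  # Supported providers: env, filesystem, vault
  readChain: "env,filesystem"
  # Single provider used for writing/updating secrets
  # Supported providers: filesystem, vault
  writeProvider: "filesystem"
  # Optional environment variable prefix for EnvSecretProvider
  # If set, env provider will look for PREFIX_secretName in addition to secretName
  envPrefix: ""
  # Vault configuration (only used if vault is in readChain or writeProvider)
  vault:
    # Vault server address (e.g., https://vault.example.com)
    addr: ""
    # Vault authentication token (prefer injecting via secret)
    token: ""
    # Path for application secrets (default: kv/data/app/secrets)
    appSecretPath: "kv/data/app/secrets"
    # Path template for tenant secrets (default: kv/data/tenants/{tenantId}/secrets)
    tenantSecretPathTemplate: "kv/data/tenants/{tenantId}/secrets"

# Logging Configuration
#
# This configuration allows for a flexible logging system where you can customize various aspects
# of how logs are generated, formatted, stored, and transmitted. Below are the descriptions of
# each configuration variable:
#
# level: Sets the level of logging detail. Options include SYSTEM, TRACE, DEBUG, INFO, WARNING, ERROR, CRITICAL.
# Example: level: DEBUG
#
# is_format_json: Determines if the log format should be JSON (true) or text (false).
# JSON format is useful for machine parsing, while text format is more human-readable.
# Example: is_format_json: false
#
# is_full_details: If set to true, logs will include additional details such as the file name and line number
# where the log entry originated. This is useful for debugging but can be verbose.
# Example: is_full_details: false
#
# file.enable: Enables or disables logging to files. If set to true, logs will be saved to files
# in the specified directory. This is useful for persistent log storage and later analysis.
# Example: enable: true
#
# logging.path: Specifies the directory path where log files will be stored if file logging is enabled.
# Ensure that the specified path is writable by the application.
# Example: path: './logs'
#
# external.enable: Enables or disables sending logs to an external logging service via HTTP.
# If set to true, logs will be sent to the specified external service, which can be useful for centralized log management.
# Example: external.enable: false
#
# external.host: The hostname of the external logging service to which logs will be sent if external logging is enabled.
# Example: host: 'localhost'
#
# external.port: The port of the external logging service.
# Example: port: '8000'
#
# external.path: The path on the external logging service where logs should be sent.
# Example: path: '/print_info'
#
# external.level: The level of logs to be sent to the external logging service.
# Example: level: 'info'
#
# external.token: The authentication token used to authorize the log requests to the external logging service.
# Example: token: 'abcd1234'
#
logging:
  level: DEBUG  # Alternatives -> SYSTEM, TRACE, DEBUG, INFO, WARNING, ERROR, CRITICAL
  is_format_json: false
  is_full_details: false
  file:
    enabled: true
    path: './logs'
  external:
    enabled: false
    host: 'localhost'
    port: '8000'
    path: '/print_info'
    level: 'info'
    # Placeholder token; set a real value via the secrets provider when external logging is enabled.
    token: 'abcd1234'

# Secret Provider Configuration
# Controls how secrets are read and written across different providers
# NOTE(review): duplicates the `secrets` stanza above — see the note there.
secrets_provider:
  # Comma-separated list of providers to try for reading secrets, in order
  # Supported providers: env, filesystem, vault
  readChain: "env,filesystem"
  # Single provider used for writing/updating secrets
  # Supported providers: filesystem, vault
  writeProvider: "filesystem"
  # Optional environment variable prefix for EnvSecretProvider
  # If set, env provider will look for PREFIX_secretName in addition to secretName
  envPrefix: ""
  # Vault configuration (only used if vault is in readChain or writeProvider)
  vault:
    # Vault server address (e.g., https://vault.example.com)
    addr: ""
    # Vault authentication token (prefer injecting via secret)
    token: ""
    # Path for application secrets
    appSecretPath: "kv/data/app/secrets"
    # Path template for tenant secrets
    tenantSecretPathTemplate: "kv/data/tenants/{tenantId}/secrets"

# Development environment configuration
devEnv:
  enabled: false
  namespace: msp-dev

# Chat provider non-secret runtime settings (optional).
# Use this for provider selection/model/project/location, while secrets stay in Vault.
chatProvider:
  aiChatProvider: ""
  vertexProjectId: ""
  vertexLocation: ""
  vertexChatModel: ""
  vertexOpenapiBaseUrl: ""

# Vault Agent configuration for secret injection
vaultAgent:
  enabled: false
  role: alga-psa
  secretPath: secret/data/alga-psa/server
  sharedSecretPath: secret/data/alga-psa/shared
  gcpServiceAccount:
    # Optional Vault-injected Google service account JSON for ADC on non-GKE/on-prem.
    # When secretPath is set, the chart injects a file and sets GOOGLE_APPLICATION_CREDENTIALS.
    secretPath: ""
    secretKey: "google_application_credentials_json"
    fileName: "google-application-credentials.json"
  # Istio sidecar configuration (esp. for Vault agent compatibility)
  # By default, exclude Vault's port 8200 from Envoy interception so
  # init containers/sidecars can reach Vault before Envoy is ready.
  # NOTE(review): if this block is meant to be top-level it would duplicate the
  # `istio` key defined near the top of the file (most parsers silently keep the
  # last one); merge it into that mapping instead.
  istio:
    sidecar:
      # List of outbound ports to bypass Envoy (comma-joined in template)
      excludeOutboundPorts: ["8200"]
      # Optional CIDR ranges to bypass Envoy egress (string). Leave empty to disable.
      excludeOutboundIPRanges: ""
      # Optional CIDR ranges to allow via Envoy only (string). Leave empty to disable.
      includeOutboundIPRanges: ""

# Hosted Environment Configuration
# Used for cloud-hosted environments (different from dev environments)
hostedEnv:
  enabled: false
  namespace: ""

codeServer:
  enabled: false
  service:
    type: "ClusterIP"
    port: 8080
  includeOutboundIPRanges: ""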