# Default values for sebastian.helm.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
#
# NOTE(review): this copy was rendered with all indentation stripped; the nesting
# below was restored from key names and surrounding comments — confirm against
# the .Values paths used in templates/ before relying on it.

namespace: msp

nameOverride: ""
fullnameOverride: ""
host: "localhost"

bootstrap:
  mode: recover

# Istio ingress configuration
# NOTE(review): a second top-level `istio:` stanza (sidecar settings) appears near the
# end of this file; if both really are top-level, most YAML parsers keep only the last
# one and the gateway/routes below are silently dropped — verify the intended nesting.
istio:
  enabled: false
  gateway:
    selector:
      istio: ingress
    hosts:
      - sebastian.9minds.ai
      - green-sebastian.9minds.ai
      - blue-sebastian.9minds.ai
      - istio.9minds.ai
  # Restored as a sibling of `gateway` (indentation was lost in the rendering).
  routes:
    green:
      host: green-sebastian.9minds.ai
      service: sebastian-green
      port: 3000
    blue:
      host: blue-sebastian.9minds.ai
      service: sebastian-blue
      port: 3000
    default:
      host: sebastian.9minds.ai
      service: sebastian-green
      port: 3000
    istio:
      host: istio.9minds.ai
      service: sebastian-green
      port: 3000

# env: "development"

# FIXME: in image.name, change nineminds to public once the image is made public
setup:
  image:
    name: harbor.nineminds.com/nineminds/sebastian_setup
    is_private: true
    credentials: harbor-credentials
    # Floating tag: together with pullPolicy Always the migration/seed job runs whatever
    # "latest" points at on each run. Pin a release tag or digest for reproducible rollouts.
    tag: "latest"
  entrypoint: /opt/setup/entrypoint.sh
  pullPolicy: Always
  runMigrations: true
  runSeeds: true
  applianceBootstrap:
    enabled: false
    waitTimeoutSeconds: 300
    retryIntervalSeconds: 2
    lockTimeoutSeconds: 1800
    lockStaleSeconds: 120
    lockHeartbeatSeconds: 10
  waitForBootstrap:
    image:
      # Optional lightweight image with psql used by the app initContainer while
      # the bootstrap job owns migrations/seeds. Empty values fall back to setup.image.
      name: ""
      tag: ""
    # Placed beside `image` to match the other image stanzas in this file — confirm.
    pullPolicy: IfNotPresent

server:
  image:
    name: harbor.nineminds.com/nineminds/alga-psa
    is_private: true
    credentials: harbor-credentials
    # Pinned to a commit-ish tag (quoted so an all-digit tag can never parse as a number).
    tag: "4023e8f"
  hostNetwork: false
  verify_email: true
  # Maximum body size for Next.js server actions (e.g., extension uploads)
  serverActionsBodyLimit: "200mb"
  # App-wide search live indexing gate. Keep false during migration/backfill;
  # set true after search:backfill completes so event subscribers write updates.
  searchIndexLive: false
  pullPolicy: Always
  replicaCount: 2
  progressDeadlineSeconds: null
  service:
    type: "ClusterIP"
    port: 3000
  persistence:
    enabled: false
    size: 10Gi
    accessModes:
      - ReadWriteOnce
    storageClass: ""
    existingClaim: ""
    annotations: {}

hocuspocus:
  enabled: true
  image:
    name: harbor.nineminds.com/nineminds/sebastian_hocuspocus
    is_private: true
    credentials: harbor-credentials
    # Floating tag with pullPolicy Always — pin for production reproducibility.
    tag: "latest"
  pullPolicy: Always
  replicaCount: 1
  service:
    type: "ClusterIP"
    port: 1234

# OpenTelemetry app observability (traces). Off by default; opt-in per deployment.
# When enabled, the app exports OTLP traces to otlpEndpoint (the Alloy collector
# in production). See templates/deployment.yaml OBSERVABILITY block.
observability:
  enabled: false
  otlpEndpoint: ""
  # deploymentId: "" # optional; sent as the X-Deployment-Id OTLP header

# Temporal client settings for the app's workflow workers.
temporal:
  address: "temporal-frontend.temporal.svc.cluster.local:7233"
  namespace: "default"
  portalDomainTaskQueue: "portal-domain-workflows"

# Development Pod Configuration
devPod:
  enabled: false

podLabels: {}

podAnnotations:
  sidecar.istio.io/proxyMemory: "4Gi"

podSecurityContext: {}
  # fsGroup: 2000

# Empty by default, so the container runs with whatever user and filesystem mode the
# image provides. The commented settings below are the usual hardening set; note that
# readOnlyRootFilesystem presumably needs writable mounts for the local storage path
# and upload temp dir configured under config.storage — confirm before enabling.
securityContext: {}
  # capabilities:
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000

resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

nodeSelector: {}

tolerations: []

affinity: {}

# Application runtime configuration.
# NOTE(review): indentation was lost in the rendering; db, redis, llm, extensions,
# storage and runner are restored here as children of `config` — confirm against the
# .Values.config.* paths the templates read.
config:
  db: # PostgreSQL configuration; only used when the db subchart's enabled is true
    type: postgres
    host: db
    port: 5432
    user: postgres
    # Chart-wide default credential. Override it per environment (or reference a
    # secret); a release left on this value is trivially guessable.
    password: password
    server_database: server
    hocuspocus_database: hocuspocus
    pgbouncer_user: ""
    pgbouncer_password: ""
    pgbouncer_password_secret:
      name: ""
      key: ""
  redis: # Redis configuration; only used when the redis subchart's enabled is true
    host: redis
    port: 6379
    # Prefer using a secret for the password.
    # If not provided, falls back to literal `password` below (legacy).
    passwordSecret:
      name: "" # e.g., "redis-credentials"
      key: "" # e.g., "REDIS_PASSWORD"
    password: password
    db: 0
  llm:
    # Placeholders only; real API keys belong in the secret provider, not in a
    # committed values file.
    openai: "key-here"
    anthropic: "key-here"
  extensions:
    # Root wildcard domain used for extension apps (e.g., ext.example.com)
    domainRoot: ""
  # Storage configuration
  storage:
    # Default storage provider configuration
    default_provider: "local" # Use "local" for CE, "s3" for EE
    providers:
      # Local filesystem configuration (Community Edition)
      local:
        enabled: true
        base_path: "/data/files" # Base path for file storage
        # Storage quotas and limits
        max_file_size: 104857600 # 100MB in bytes
        allowed_mime_types:
          - "*/*" # Allow all file types
        retention_days: 30 # Number of days to retain files
      # S3 configuration (Enterprise Edition only)
      s3:
        enabled: false # Set to true to enable S3 in enterprise edition
        region: "us-west-2"
        bucket: "company-files"
        # Separate bucket for extension bundles served by the runner. Required
        # for EE extensions; when unset, extension bundle uploads will fail
        # with a configuration error.
        bundle_bucket: "alga-ext"
        # Static AWS credentials; leave empty and prefer an IAM role or the secret
        # provider so keys are not stored in the rendered release.
        access_key: "" # AWS access key
        secret_key: "" # AWS secret key
        endpoint: "" # Optional custom endpoint for S3-compatible services
        # Storage quotas and limits
        max_file_size: 524288000 # 500MB in bytes
        allowed_mime_types:
          - "*/*" # Allow all file types
        retention_days: 30 # Number of days to retain files
    # Storage locations configuration
    locations:
      documents: # Default location for document storage
        name: "Documents"
        path: "/documents"
        provider: "local" # References the provider config above
        max_file_size: 104857600 # 100MB in bytes
        allowed_mime_types:
          - "*/*" # Allow all file types
      avatars: # Location for user avatars
        name: "User Avatars"
        path: "/avatars"
        provider: "local"
        max_file_size: 5242880 # 5MB in bytes
        allowed_mime_types:
          - "image/jpeg"
          - "image/png"
          - "image/gif"
    # File upload settings
    upload:
      temp_dir: "/tmp/uploads"
      max_concurrent: 3
      chunk_size: 5242880 # 5MB in bytes
    # Backup configuration
    backup:
      enabled: false
      schedule: "0 0 * * *" # Daily at midnight
      retention:
        days: 30
        copies: 7

  # Runner/extension execution service configuration
  runner:
    # Internal URL for the Knative runner service (used for execute + debug stream)
    baseUrl: ""
    # Optional literal token for authenticating runner calls. Prefer using an existing
    # Kubernetes secret via serviceTokenSecret when running in production.
    serviceToken: ""
    serviceTokenSecret:
      name: "" # e.g., alga-psa-shared
      key: "" # e.g., ALGA_AUTH_KEY
    debugStream:
      redisUrl: ""
      redisUrlSecret:
        name: ""
        key: ""
      streamPrefix: "ext-debug:"
      maxLen: 2000

# In-cluster Redis subchart settings.
redis:
  enabled: true
  image:
    repository: redis
    # Quoted for consistency with db.image.tag. A floating tag means the Redis
    # version changes whenever the pod is re-pulled — pin a version for production.
    tag: "latest"
  service:
    port: 6379
  persistence:
    enabled: true
    existingClaim: ""
    size: 20Gi
    storageClass: "local-path"

# In-cluster PostgreSQL (pgvector) subchart settings.
db:
  enabled: true
  image:
    repository: ankane/pgvector
    # Floating tag; pin a specific version so the database image does not change under you.
    tag: "latest"
  service:
    port: 5432
  persistence:
    enabled: true
    existingClaim: ""
    size: 20Gi
    storageClass: "local-path"

# Restored as a top-level stanza (indentation was lost in the rendering) — confirm
# whether the templates read .Values.pgbouncer or .Values.db.pgbouncer.
pgbouncer:
  enabled: false
  service:
    name: pgbouncer
    port: 6432

# Shared volume for local file storage (see config.storage.providers.local.base_path).
persistence:
  enabled: true
  storageClass: "local-path"
  size: "50Gi" # Size for local file storage
  keepPvcOnUninstall: false

email:
  enabled: false
  from: ""
  host: "smtp.example.com"
  port: 465
  user: ""
  # SMTP password as a literal; empty by default. A value set here lands in the
  # rendered release, so prefer a secret-backed source where the chart offers one.
  password: ""
  # Optional: explicitly set provider ("smtp" or "resend"). If omitted, factory auto-detects based on RESEND_API_KEY
  provider: ""
  # For RESEND: prefer providing via secret
  resendApiKeySecret:
    name: "" # e.g., resend-credentials
    key: "" # e.g., RESEND_API_KEY
  # Or provide inline for dev/testing (DO NOT use in production)
  resendApiKey: ""
  # Optional custom base URL for self-hosted Resend or proxy
  resendBaseUrl: ""

# Password/key-derivation parameters.
# NOTE(review): if these feed an iterated KDF such as PBKDF2, 1000 iterations is far
# below current guidance. Raise it only if stored hashes record their own parameters;
# otherwise existing verifications would break — confirm in the consuming code.
crypto:
  salt_bytes: 12
  iteration: 1000
  key_length: 64
  algorithm: sha512

token:
  expires: 1h

auth:
  nextauth_session_expires: 86400

# API rate limiting
# Stage 3 of the rollout flips enforce to "true" so over-budget API
# requests return HTTP 429. With "false" (observation mode), denials
# only emit a structured WARN log + headers. See docs/api/api-rate-limiting-and-ticket-webhooks.md.
rateLimit:
  enforce: "false" # quoted on purpose: kept as the string "false"/"true", not a YAML boolean

# Gmail Integration (Enterprise Edition)
# client_secret is empty by default; a literal value placed here is stored in the
# rendered release, so populate it per deployment rather than in this file.
gmail_integration:
  enabled: false
  client_id: ""
  client_secret: ""
  project_id: ""
  redirect_uri: ""

# Microsoft Graph (Microsoft 365) integration
microsoft_integration:
  enabled: false
  # Azure AD App Registration (delegated) credentials
  client_id: ""
  client_secret: ""
  # Use tenant GUID for single-tenant; use 'common' only for multi-tenant
  tenant_id: ""
  # OAuth redirect URI configured in the app registration
  redirect_uri: ""

# NinjaOne RMM Integration
ninjaone_integration:
  enabled: false
  client_id: ""
  client_secret: ""
  # Optional: specify default region (US, US2, EU, OC, CA)
  default_region: "US"

# Secret Provider Configuration
# Controls how secrets are read and written across different providers
# NOTE(review): a parallel `secrets_provider:` stanza with the same keys appears later
# in this file; presumably only one is read by the templates — keep them in sync or
# drop the unused one so the two cannot drift.
secrets:
  # Comma-separated list of providers to try for reading secrets, in order
  # Supported providers: env, filesystem, vault
  readChain: "env,filesystem"

  # Single provider used for writing/updating secrets
  # Supported providers: filesystem, vault
  writeProvider: "filesystem"

  # Optional environment variable prefix for EnvSecretProvider
  # If set, env provider will look for PREFIX_secretName in addition to secretName
  envPrefix: ""

  # Vault configuration (only used if vault is in readChain or writeProvider)
  vault:
    # Vault server address (e.g., https://vault.example.com)
    addr: ""
    # Vault authentication token (prefer injecting via secret rather than a literal here)
    token: ""
    # Path for application secrets (default: kv/data/app/secrets)
    appSecretPath: "kv/data/app/secrets"
    # Path template for tenant secrets (default: kv/data/tenants/{tenantId}/secrets)
    tenantSecretPathTemplate: "kv/data/tenants/{tenantId}/secrets"

# Logging Configuration
#
# This configuration allows for a flexible logging system where you can customize various aspects
# of how logs are generated, formatted, stored, and transmitted. Below are the descriptions of
# each configuration variable:
#
# level: Sets the level of logging detail. Options include SYSTEM, TRACE, DEBUG, INFO, WARNING, ERROR, CRITICAL.
#   Example: level: DEBUG
#
# is_format_json: Determines if the log format should be JSON (true) or text (false).
#   JSON format is useful for machine parsing, while text format is more human-readable.
#   Example: is_format_json: false
#
# is_full_details: If set to true, logs will include additional details such as the file name and line number
#   where the log entry originated. This is useful for debugging but can be verbose.
#   Example: is_full_details: false
#
# file.enabled: Enables or disables logging to files. If set to true, logs will be saved to files
#   in the specified directory. This is useful for persistent log storage and later analysis.
#   Example: enabled: true
#
# file.path: Specifies the directory path where log files will be stored if file logging is enabled.
#   Ensure that the specified path is writable by the application.
#   Example: path: './logs'
#
# external.enabled: Enables or disables sending logs to an external logging service via HTTP.
#   If set to true, logs will be sent to the specified external service, which can be useful for centralized log management.
#   Example: enabled: false
#
# external.host: The hostname of the external logging service to which logs will be sent if external logging is enabled.
#   Example: host: 'localhost'
#
# external.port: The port of the external logging service.
#   Example: port: '8000'
#
# external.path: The path on the external logging service where logs should be sent.
#   Example: path: '/print_info'
#
# external.level: The level of logs to be sent to the external logging service.
#   Example: level: 'info'
#
# external.token: The authentication token used to authorize the log requests to the external logging service.
#   Example: token: 'abcd1234'
#
logging:
  # DEBUG is the shipped default; DEBUG output is verbose and can include request details,
  # so consider INFO or above for production releases.
  level: DEBUG # Alternatives -> SYSTEM, TRACE, DEBUG, INFO, WARNING, ERROR, CRITICAL
  is_format_json: false
  is_full_details: false
  file:
    enabled: true
    path: "./logs"
  external:
    enabled: false
    host: "localhost"
    port: "8000" # kept as a string, matching the documented example
    path: "/print_info"
    level: "info"
    # Sample value only; a real token belongs in the secret provider, not in this file.
    token: "abcd1234"

# Secret Provider Configuration
# Controls how secrets are read and written across different providers
# NOTE(review): this duplicates the earlier `secrets:` stanza key for key; presumably
# only one of the two is read by the templates — keep them in sync or remove the unused one.
secrets_provider:
  # Comma-separated list of providers to try for reading secrets, in order
  # Supported providers: env, filesystem, vault
  readChain: "env,filesystem"

  # Single provider used for writing/updating secrets
  # Supported providers: filesystem, vault
  writeProvider: "filesystem"

  # Optional environment variable prefix for EnvSecretProvider
  # If set, env provider will look for PREFIX_secretName in addition to secretName
  envPrefix: ""

  # Vault configuration (only used if vault is in readChain or writeProvider)
  vault:
    # Vault server address (e.g., https://vault.example.com)
    addr: ""
    # Vault authentication token (prefer injecting via secret)
    token: ""
    # Path for application secrets
    appSecretPath: "kv/data/app/secrets"
    # Path template for tenant secrets
    tenantSecretPathTemplate: "kv/data/tenants/{tenantId}/secrets"

# Development environment configuration
devEnv:
  enabled: false
  namespace: msp-dev

# Chat provider non-secret runtime settings (optional).
# Use this for provider selection/model/project/location, while secrets stay in Vault.
chatProvider:
  aiChatProvider: ""
  vertexProjectId: ""
  vertexLocation: ""
  vertexChatModel: ""
  vertexOpenapiBaseUrl: ""

# Vault Agent configuration for secret injection
vaultAgent:
  enabled: false
  role: alga-psa
  secretPath: secret/data/alga-psa/server
  sharedSecretPath: secret/data/alga-psa/shared
  gcpServiceAccount:
    # Optional Vault-injected Google service account JSON for ADC on non-GKE/on-prem.
    # When secretPath is set, the chart injects a file and sets GOOGLE_APPLICATION_CREDENTIALS.
    secretPath: ""
    secretKey: "google_application_credentials_json"
    fileName: "google-application-credentials.json"

# Istio sidecar configuration (esp. for Vault agent compatibility)
# By default, exclude Vault's port 8200 from Envoy interception so
# init containers/sidecars can reach Vault before Envoy is ready.
# NOTE(review): indentation was lost in the rendering. Written here as a top-level key,
# this stanza duplicates the earlier `istio:` (ingress) key and most YAML parsers keep
# only the last definition, silently dropping the gateway/routes. If it belongs under
# `vaultAgent`, indent it accordingly; otherwise merge the two stanzas.
istio:
  sidecar:
    # List of outbound ports to bypass Envoy (comma-joined in template).
    # Traffic on these ports leaves the pod unencrypted by the mesh — keep the list minimal.
    excludeOutboundPorts:
      - "8200"
    # Optional CIDR ranges to bypass Envoy egress (string). Leave empty to disable.
    excludeOutboundIPRanges: ""
    # Optional CIDR ranges to allow via Envoy only (string). Leave empty to disable.
    includeOutboundIPRanges: ""

# Hosted Environment Configuration
# Used for cloud-hosted environments (different from dev environments)
hostedEnv:
  enabled: false
  namespace: ""
  codeServer:
    enabled: false
    service:
      type: "ClusterIP"
      port: 8080
  # NOTE(review): this key trailed codeServer.service.port in the unindented rendering;
  # it is placed at the hostedEnv level here — confirm where the template reads it.
  includeOutboundIPRanges: ""