Helm Values
Below are the default and configurable values for an overrides file for the Tangram Pro™ Helm chart.
Chart Values
Maintainers
Name | Email | Url |
---|---|---|
Tangram Flex | ops@tangramflex.com | https://tangramflex.com |
Sub-Charts
Name | Repository | Version | Chart URL |
---|---|---|---|
argo-workflows | https://argoproj.github.io/argo-helm | 0.41.1 | https://artifacthub.io/packages/helm/argo/argo-workflows |
docker-registry | https://helm.twun.io | 2.2.3 | https://artifacthub.io/packages/helm/twuni/docker-registry |
gitea | Tangram-vendored & customized | 10.3.0 | https://artifacthub.io/packages/helm/gitea/gitea |
minio | oci://registry-1.docker.io/bitnamicharts | 13.2.1 | https://artifacthub.io/packages/helm/bitnami/minio |
ollama | https://otwld.github.io/ollama-helm | 0.64.0 | https://artifacthub.io/packages/helm/ollama-helm/ollama |
postgresql | oci://registry-1.docker.io/bitnamicharts | 15.5.16 | https://artifacthub.io/packages/helm/bitnami/postgresql |
redis | oci://registry-1.docker.io/bitnamicharts | 20.6.2 | https://artifacthub.io/packages/helm/bitnami/redis |
Values
Toolkits
Key | Type | Default | Description |
---|---|---|---|
tags | object | | Tags are what enable the various Tangram Pro toolkits |
tags.basic | bool | true | enable or disable TPRO Basic toolkit |
tags.designer | bool | true | enable or disable TPRO Designer toolkit |
tags.developer | bool | true | enable or disable TPRO Developer toolkit |
tags.verifier | bool | true | enable or disable TPRO Verifier toolkit |
tags.ai | bool | false | enable or disable TPRO AI Assistant toolkit |
Extra Labels
Key | Type | Default | Description |
---|---|---|---|
extraLabelsTemplates | object | | Extra labels to apply across all deployments, pods, or statefulsets. These are template strings. Each section has access to the values file along with section-specific variables detailed below. |
extraLabelsTemplates.pods | object | {} | Pod labels. The following variables are available for use: pods: |
extraLabelsTemplates.deployments | object | {} | Deployment labels. The following variables are available for use: deployments: |
extraLabelsTemplates.statefulsets | object | {} | Statefulset labels. The following variables are available for use: statefulsets: |
Global Config
Key | Type | Default | Description |
---|---|---|---|
global | object | | global config params for Tangram Pro |
global.imageRegistry | string | "registry-gitlab.tangramflex.tech/pro" | container image registry for image pull |
global.imagePullSecrets | list | ["gitlab-pro-registry"] | container image registry imagePullSecrets |
global.postgresql | object | | The postgres chart requires the secret be installed prior to a helm upgrade. The pre-upgrade hook does not run if the postgres chart fails to find an existing secret. It does run, however, if we provide a placeholder value for postgresPassword. This "postgresPassword" key-value pair can be removed once gitea and postgres have been deployed everywhere. |
global.postgresql.auth | object | | The postgresql auth config |
global.postgresql.auth.postgresPassword | string | "placeholder" | placeholder value |
global.postgresql.auth.password | string | "placeholder" | placeholder value |
global.security | object | | Section for Bitnami chart security config |
global.security.allowInsecureImages | bool | true | Controls the Bitnami charts' check for images not provided by Bitnami. Tangram vendors all of the images used in our chart and customizes most of them, so this is set to 'true' by default. |
global.storageClass | string | "" | Global storage class for PVCs |
Misc
Key | Type | Default | Description |
---|---|---|---|
metricsEnabled | bool | true | Global toggle for Prometheus metrics |
createClusterRoles | bool | true | Only set this to true if it is the first Tangram Pro install in your cluster and the installer has cluster-admin privileges |
subdomain | string | "" | sub-domain for TPRO instance. |
domain | string | "tangramflex.io" | root domain for TPRO instance. |
storagePath | string | "/storage" | Minio storage path |
logEnv | string | "production" | Tangram Pro log level |
ArgoCD
Key | Type | Default | Description |
---|---|---|---|
argocd | object | | Using ArgoCD to deploy TPro. For use when deploying the helm chart with Argo CD. ArgoCD and Helm differ in how they utilize hooks. |
argocd.upgrade | bool | false | Set argocd.upgrade = false if this is a clean/new deployment. Set it to "true" after you have successfully deployed TPro |
argocd.enabled | bool | false | Set argocd.enabled = true if you are using ArgoCD to deploy TPro |
Tolerations
Key | Type | Default | Description |
---|---|---|---|
tolerations | list | [] | Tolerations assigned to all pods tolerations: |
Affinity
Key | Type | Default | Description |
---|---|---|---|
affinity | object | {} | Affinity assigned to all pods |
Topology Spread Constraints
Key | Type | Default | Description |
---|---|---|---|
topologySpreadConstraints | list | [] | Topology spread constraints assigned to all pods. The chart determines the labelSelector automatically, so do not specify it. Example: topologySpreadConstraints: |
Registry
Key | Type | Default | Description |
---|---|---|---|
registry | object | | Tangram Flex GitLab container registry credentials (use a PAT for local, and deploy token for anything else) |
registry.username | string | "" | username to connect to the container registry |
registry.password | string | "" | password to connect to the container registry |
registry.existingSecret | string | "" | use existingSecret if you already created the image pull secret |
Licensing
Key | Type | Default | Description |
---|---|---|---|
license | object | | Tangram Pro license public and private keys and password |
license.publicKeyFile | string | "" | public key file name |
license.privateKeyFile | string | "" | private key file name |
license.privateKeyPass | string | "" | private key password |
license.existingSecret | string | "" | use existingSecret if using an existing license. The secret needs to be created like this: kubectl create secret generic license \ |
TLS
Key | Type | Default | Description |
---|---|---|---|
tls | object | | TLS certificate to be used for HTTPS. tls.certFile, tls.keyFile, tls.existingSecret, and tls.clusterIssuer are meant to be used with an Ingress like NGINX that is the TLS termination point. For Pod to Pod TLS, configure tls.ca.existingSecret and each service-specific TLS setting. |
tls.certFile | string | "" | certFile is only used if cert-manager is not used |
tls.keyFile | string | "" | keyFile is only used if cert-manager is not used |
tls.clusterIssuer | string | "letsencrypt-prod" | clusterIssuer is to be used with cert-manager |
tls.createCertificate | bool | true | Whether to create a cert-manager certificate if no certFile, keyFile, or existingSecret is provided |
tls.existingSecret | string | "" | use existingSecret if using existing TLS |
tls.ca | object | | Additional CA to trust, if different from tls.certFile |
tls.ca.enabled | bool | false | option to toggle certificate authority |
tls.ca.existingSecrets | list | [] | Names between the secrets and configmaps must be unique. existingSecrets: |
tls.ca.existingConfigMaps | list | [] | provide an existing configmap if available. existingConfigMaps: |
tls.pki | object | | PKI for TLS |
tls.pki.enabled | bool | false | toggle for pki |
NetworkPolicy
Key | Type | Default | Description |
---|---|---|---|
networkPolicy | object | | Enable NetworkPolicies to increase security |
networkPolicy.enabled | bool | true | toggle network policies on or off |
networkPolicy.ingressController | list | [] | rules for the ingressController. anything placed here will be rendered out following standard k8s network policy resource https://kubernetes.io/docs/concepts/services-networking/network-policies/ Example: ingressController: |
networkPolicy.monitoringAccess | list | [] | rules for allowing Prometheus access. anything placed here will be rendered out following standard k8s network policy resource https://kubernetes.io/docs/concepts/services-networking/network-policies/ Example: monitoringAccess: |
networkPolicy.kedaHTTPProxy | list | [] | rules for the kedaHTTPProxy. anything placed here will be rendered out following standard k8s network policy resource https://kubernetes.io/docs/concepts/services-networking/network-policies/ Example: kedaHTTPProxy: |
networkPolicy.nodeCIDR | string | "172.20.0.0/16" | the k8s service CIDR defaults to the CIDR block for the Tangram Flex Prod clusters |
Frontend
Key | Type | Default | Description |
---|---|---|---|
frontend | object | | Tangram Pro frontend configuration |
frontend.replicas | int | 2 | number of replicas for frontend deployment |
frontend.ingress | object | | frontend ingress config |
frontend.ingress.enabled | bool | true | toggles the ingress for frontend |
frontend.tls | object | | frontend TLS config |
frontend.tls.enabled | bool | false | toggle for configuring TLS for frontend |
frontend.tls.existingSecret | string | "cert-frontend" | provide an existing secret for TLS config |
frontend.tls.cipherSuites | string | "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_256_GCM_SHA384" | See: https://www.openssl.org/docs/man1.1.1/man1/ciphers.html for an available list of ciphers |
frontend.tls.tlsProtocols | string | "TLSv1.2" | List of allowed TLS versions, space separated. Ex. TLSv1.2 TLSv1.3 |
frontend.image | object | | image details for the deployment. See values.yaml |
frontend.image.repository | string | "/service/frontend" | frontend image repo |
frontend.image.tag | string | "2.4.14-578e87ae" | frontend image tag |
frontend.image.name | string | "Tangram Pro Frontend" | frontend image name |
frontend.image.license | string | "Proprietary" | frontend image license type |
frontend.image.url | string | "https://tangramflex.com/tangram-pro" | Tangram Pro product URL |
frontend.image.releasedate | string | "06/25/2025" | frontend image release date |
frontend.service | object | | service options for frontend |
frontend.service.annotations | object | {} | annotations to the service |
frontend.resourceConstraints | object | | configure resources for deployment |
frontend.resourceConstraints.enabled | bool | true | enable resourceConstraints for frontend deployment resources |
frontend.resourceConstraints.cpu | object | | CPU options for frontend deployment resources |
frontend.resourceConstraints.cpu.request | string | "10m" | CPU request options for frontend deployment resources |
frontend.resourceConstraints.cpu.limit | string | "100m" | CPU limit options for frontend deployment resources |
frontend.resourceConstraints.memory | object | | Memory options for frontend deployment resources |
frontend.resourceConstraints.memory.request | string | "25Mi" | Memory request options for frontend deployment resources |
frontend.resourceConstraints.memory.limit | string | "200Mi" | Memory limit options for frontend deployment resources |
frontend.hpa | object | | HPA config options for frontend deployment |
frontend.hpa.enabled | bool | true | toggle to enable or disable frontend HPA |
frontend.hpa.maxReplicas | int | 8 | maxReplicas for frontend HPA |
frontend.hpa.metrics | list | metrics: | frontend HPA metrics options |
frontend.hpa.behavior | object | | frontend HPA scaling behavior |
frontend.hpa.behavior.scaleDown | object | | HPA scale down behavior for frontend |
frontend.hpa.behavior.scaleDown.policies | list | policies: | HPA scaledown policy behavior |
frontend.hpa.behavior.scaleDown.selectPolicy | string | "Min" | min/max/disabled |
frontend.podSecurityContext | object | | podSecurityContext config options for deployment |
frontend.podSecurityContext.enabled | bool | true | toggle podSecurityContext for deployment |
frontend.podSecurityContext.fsGroup | int | 1000 | podSecurityContext fsGroup value |
frontend.containerSecurityContext | object | | containerSecurityContext config options for deployment |
frontend.containerSecurityContext.enabled | bool | true | toggle the containerSecurityContext for deployment |
frontend.containerSecurityContext.runAsNonRoot | bool | true | set runAsNonRoot for deployment |
frontend.containerSecurityContext.runAsUser | int | 1000 | set runAsUser for deployment |
frontend.containerSecurityContext.runAsGroup | int | 1000 | set runAsGroup for deployment |
frontend.containerSecurityContext.privileged | bool | false | Running as privileged or unprivileged |
frontend.containerSecurityContext.readOnlyRootFilesystem | bool | false | Mounts the container's root filesystem as read-only |
frontend.containerSecurityContext.allowPrivilegeEscalation | bool | false | Controls whether a process can gain more privileges than its parent process |
frontend.containerSecurityContext.capabilities | object | | With Linux capabilities, you can grant certain privileges to a process without granting all the privileges of the root user. To add or remove Linux capabilities for a Container, include the capabilities field in the securityContext section of the Container manifest. |
frontend.containerSecurityContext.capabilities.drop | list | ["ALL"] | set capability to drop |
frontend.containerSecurityContext.seccompProfile | object | | The seccompProfile field is a SeccompProfile object consisting of type and localhostProfile. |
frontend.containerSecurityContext.seccompProfile.type | string | "RuntimeDefault" | Valid options for type include RuntimeDefault, Unconfined, and Localhost. |
Docs
Key | Type | Default | Description |
---|---|---|---|
docs | object | | Tangram Pro Docs configuration |
docs.replicas | int | 2 | replica count for docs deployment |
docs.ingress | object | | ingress config for docs deployment |
docs.ingress.enabled | bool | true | ingress toggle for docs deployment |
docs.tls | object | | docs TLS config options |
docs.tls.enabled | bool | false | toggle for docs TLS |
docs.tls.existingSecret | string | "cert-docs" | provide an existing secret for TLS |
docs.tls.cipherSuites | string | "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_256_GCM_SHA384" | TLS cipher suites to use for docs deployment. See: https://www.openssl.org/docs/man1.1.1/man1/ciphers.html for an available list of ciphers |
docs.tls.tlsProtocols | string | "TLSv1.2" | List of allowed TLS versions, space separated. Ex. TLSv1.2 TLSv1.3 |
docs.image | object | | Docs image info |
docs.image.repository | string | "/docs" | Docs image repo |
docs.image.tag | string | "2.4.14-ae68ec9c" | Docs image tag |
docs.image.name | string | "Tangram Pro Docs" | Docs image name |
docs.image.license | string | "Proprietary" | Docs image license type |
docs.image.url | string | "https://tangramflex.com/tangram-pro" | Tangram Pro product URL |
docs.image.releasedate | string | "06/26/2025" | Tangram Pro docs image release date |
docs.service | object | | docs deployment service opts |
docs.service.annotations | object | {} | annotations to the docs service. these can be templated |
docs.resourceConstraints | object | | resource constraint options for docs service |
docs.resourceConstraints.enabled | bool | true | toggle for docs resource constraint options |
docs.resourceConstraints.cpu | object | | CPU config options for docs deployment |
docs.resourceConstraints.cpu.request | string | "10m" | CPU request value for docs deployment |
docs.resourceConstraints.cpu.limit | string | "100m" | CPU limit value for docs deployment |
docs.resourceConstraints.memory | object | | Memory config options for docs deployment |
docs.resourceConstraints.memory.request | string | "25Mi" | Memory request value for docs deployment |
docs.resourceConstraints.memory.limit | string | "200Mi" | Memory limit value for docs deployment |
docs.podSecurityContext | object | | podSecurityContext config options for deployment |
docs.podSecurityContext.enabled | bool | true | toggle podSecurityContext for deployment |
docs.podSecurityContext.fsGroup | int | 1000 | podSecurityContext fsGroup value |
docs.containerSecurityContext | object | | containerSecurityContext config options for deployment |
docs.containerSecurityContext.enabled | bool | true | toggle the containerSecurityContext for deployment |
docs.containerSecurityContext.runAsNonRoot | bool | true | set runAsNonRoot for deployment |
docs.containerSecurityContext.runAsUser | int | 1000 | set runAsUser for deployment |
docs.containerSecurityContext.runAsGroup | int | 1000 | set runAsGroup for deployment |
docs.containerSecurityContext.privileged | bool | false | Running as privileged or unprivileged |
docs.containerSecurityContext.readOnlyRootFilesystem | bool | false | Mounts the container's root filesystem as read-only |
docs.containerSecurityContext.allowPrivilegeEscalation | bool | false | Controls whether a process can gain more privileges than its parent process |
docs.containerSecurityContext.capabilities | object | | With Linux capabilities, you can grant certain privileges to a process without granting all the privileges of the root user. To add or remove Linux capabilities for a Container, include the capabilities field in the securityContext section of the Container manifest. |
docs.containerSecurityContext.capabilities.drop | list | ["ALL"] | set capability to drop |
docs.containerSecurityContext.seccompProfile | object | | The seccompProfile field is a SeccompProfile object consisting of type and localhostProfile. |
docs.containerSecurityContext.seccompProfile.type | string | "RuntimeDefault" | Valid options for type include RuntimeDefault, Unconfined, and Localhost. |
Preload Job
Key | Type | Default | Description |
---|---|---|---|
preload | object | | Preload image values |
preload.enabled | bool | true | toggle to enable or disable the preload image job |
preload.job | object | see preload.job within values.yaml for full defaults | Preload job options |
preload.job.image | object | | Preload job image info |
preload.job.image.repository | string | "/image/skopeo" | Preload Job image repo |
preload.job.image.tag | string | "v1.14.2" | Preload Job image tag |
preload.job.image.url | string | "https://github.com/containers/skopeo" | Skopeo project URL |
preload.job.image.releasedate | string | "02/01/2024" | Preload Job image release date |
preload.job.image.license | string | "Apache-2.0" | Preload Job image license type |
preload.job.image.name | string | "Skopeo" | Preload Job image name |
Ollama
Key | Type | Default | Description |
---|---|---|---|
ollama | object | | AI Assistant model configuration |
ollama.fullnameOverride | string | "ollama" | AI Assistant model configuration |
ollama.imagePullSecrets | list | imagePullSecrets: | AI Assistant model configuration |
ollama.oras | object | | Oras configuration for pulling model artifacts |
ollama.oras.image | object | | Oras image information |
ollama.oras.image.repository | string | "image/oras" | Oras image repository |
ollama.oras.image.tag | string | "1.2.2-40d9fc50" | Oras image tag |
ollama.oras.image.name | string | "Oras" | Oras image name |
ollama.oras.image.license | string | "Apache-2.0" | Oras image license type |
ollama.oras.image.url | string | "https://oras.land" | Oras product URL |
ollama.oras.image.releasedate | string | "03/17/2025" | Oras image release date |
ollama.models | list | models: | List of AI models to be pulled and loaded into Ollama |
ollama.image | object | | Ollama image info |
ollama.image.repository | string | "registry-gitlab.tangramflex.tech/pro/image/ollama" | Ollama image repo |
ollama.image.tag | string | "0.6.4" | Ollama image tag |
ollama.image.name | string | "Ollama" | Ollama image name |
ollama.image.license | string | "MIT" | Ollama image license type |
ollama.image.url | string | "https://ollama.com" | Ollama product URL |
ollama.image.releasedate | string | "04/03/2025" | Ollama image release date |
ollama.extraEnv | list | extraEnv: | AI Assistant model extra environment variables for Ollama |
ollama.initContainers | list | initContainers: | Init containers configuration for Ollama deployment |
ollama.volumeMounts | list | volumeMounts: | Volume mounts for the Ollama container |
ollama.volumes | list | volumes: | Volumes configuration for the Ollama pod |
ollama.keda | object | | AI Assistant model configuration |
ollama.keda.httpScaledObject | object | | corresponds directly to https://github.com/kedacore/http-add-on/blob/main/docs/ref/v0.2.0/http_scaled_object.md#the-httpscaledobject. this will be templated to a K8s httpScaledObject YAML |
ollama.keda.httpScaledObject.enabled | bool | false | toggle whether or not a httpScaledObject is created by K8s |
ollama.keda.httpScaledObject.replicas | object | | httpScaledObject replicacount |
ollama.keda.httpScaledObject.replicas.min | int | 0 | min number of httpScaledObject to create |
ollama.keda.httpScaledObject.replicas.max | int | 1 | max number of httpScaledObject to create |
ollama.keda.httpScaledObject.scaledownPeriod | int | 7200 | number of seconds that KEDA will wait to see if an event has occurred before scaling down |
ollama.keda.httpScaledObject.scalingMetric | object | | This is the second most important part of the spec because it describes how the workload has to scale. This section contains 2 nested sections (requestRate and concurrency) which are mutually exclusive between themselves. https://github.com/kedacore/http-add-on/blob/main/docs/ref/v0.8.0/http_scaled_object.md#scalingmetric |
ollama.keda.httpScaledObject.scalingMetric.concurrency | object | | This section enables scaling based on the request concurrency. https://github.com/kedacore/http-add-on/blob/main/docs/ref/v0.8.0/http_scaled_object.md#concurrency |
ollama.keda.httpScaledObject.scalingMetric.concurrency.targetValue | int | 100 | This is the target value for the scaling configuration. https://github.com/kedacore/http-add-on/blob/main/docs/ref/v0.8.0/http_scaled_object.md#targetvalue |
ollama.ollama | object | | These values map exactly to chart values located at https://otwld.github.io/ollama-helm |
ollama.ollama.gpu | object | | GPU options for Ollama |
ollama.ollama.gpu.enabled | bool | false | toggle GPU enabled or disabled based on hardware available |
ollama.ollama.mountPath | string | "/home/ollama/.oras" | directory where models are mounted |
ollama.persistentVolume | object | | persistentVolume options for storing models |
ollama.persistentVolume.enabled | bool | true | toggle option to enable or disable persistence using PVC |
ollama.persistentVolume.size | string | "50Gi" | disk size in gigabyte for PV to store models |
ollama.networkPolicy | object | | networkPolicy config options |
ollama.networkPolicy.enabled | bool | true | Whether to deploy Ollama network policy |
ollama.networkPolicy.egressCidrs | list | | List of allowed egress IPs |
ollama.podSecurityContext | object | | podSecurityContext config options for deployment |
ollama.podSecurityContext.fsGroup | int | 1000 | podSecurityContext fsGroup value |
ollama.containerSecurityContext | object | | containerSecurityContext config options for deployment |
ollama.containerSecurityContext.enabled | bool | true | toggle the containerSecurityContext for deployment |
ollama.containerSecurityContext.runAsNonRoot | bool | true | set runAsNonRoot for deployment |
ollama.containerSecurityContext.runAsUser | int | 1000 | set runAsUser for deployment |
ollama.containerSecurityContext.runAsGroup | int | 1000 | set runAsGroup for deployment |
ollama.containerSecurityContext.privileged | bool | false | Running as privileged or unprivileged |
ollama.containerSecurityContext.readOnlyRootFilesystem | bool | false | Mounts the container's root filesystem as read-only |
ollama.containerSecurityContext.allowPrivilegeEscalation | bool | false | Controls whether a process can gain more privileges than its parent process |
ollama.containerSecurityContext.capabilities | object | | With Linux capabilities, you can grant certain privileges to a process without granting all the privileges of the root user. To add or remove Linux capabilities for a Container, include the capabilities field in the securityContext section of the Container manifest. |
ollama.containerSecurityContext.capabilities.drop | list | ["ALL"] | set capability to drop |
ollama.containerSecurityContext.seccompProfile | object | | The seccompProfile field is a SeccompProfile object consisting of type and localhostProfile. |
ollama.containerSecurityContext.seccompProfile.type | string | "RuntimeDefault" | Valid options for type include RuntimeDefault, Unconfined, and Localhost. |
Chatbot
Key | Type | Default | Description |
---|---|---|---|
chatbot | object | | AI Assistant configuration options |
chatbot.modelProvider | string | "ollama" | model provider for the AI Assistant |
chatbot.chatModel | string | "gemma3:12b" | model used for chat completion |
chatbot.embeddingModel | string | "nomic-embed-text:v1.5" | model used for vector embeddings |
chatbot.embeddingModelChunkSize | int | 512 | chunk size for the vector embeddings. 512 relates to nomic-embed-text:v1.5. |
chatbot.embeddingModelChunkOverlap | int | 50 | amount of overlap between chunks for vector embeddings |
chatbot.chatTemperature | float | 0.1 | chat completion temperature level for the chat experience |
chatbot.minimumScoreThreshold | float | 0.4 | minimum score threshold for the chat experience |
chatbot.kDocumentChunks | int | 5 | number of document chunks to use for the chat experience |
chatbot.azureopenai | object | {"apiKey":{"existingSecret":"","keyName":""},"apiVersion":"2024-10-21","deploymentName":"chatgpt-4o","embeddingDeploymentName":"text-embedding-3-large","embeddingModel":"text-embedding-3-large","fallbackDeploymentName":"chatgpt-4o-mini","fallbackModel":"gpt-4o-mini","instanceName":"main","model":"gpt-4o"} | Azure OpenAI configuration options |
chatbot.azureopenai.apiKey | object | {"existingSecret":"","keyName":""} | Azure OpenAI API key configuration |
chatbot.azureopenai.apiKey.existingSecret | string | "" | existing secret for Azure OpenAI API key |
chatbot.azureopenai.apiKey.keyName | string | "" | existing secret key for Azure OpenAI API key |
chatbot.azureopenai.instanceName | string | "main" | Azure OpenAI instance name |
chatbot.azureopenai.model | string | "gpt-4o" | Azure OpenAI model name to use for chat completion |
chatbot.azureopenai.deploymentName | string | "chatgpt-4o" | Azure OpenAI deployment name for chat model |
chatbot.azureopenai.fallbackModel | string | "gpt-4o-mini" | Azure OpenAI fallback model name to use for chat completion |
chatbot.azureopenai.fallbackDeploymentName | string | "chatgpt-4o-mini" | Azure OpenAI fallback deployment name for chat model |
chatbot.azureopenai.embeddingModel | string | "text-embedding-3-large" | Azure OpenAI embedding model name |
chatbot.azureopenai.embeddingDeploymentName | string | "text-embedding-3-large" | Azure OpenAI deployment name for embedding model |
chatbot.azureopenai.apiVersion | string | "2024-10-21" | Azure OpenAI API version |
chatbot.numCtx | int | 32768 | context length for the chat completion model. 32768 relates to the chatModel. |
chatbot.metricsEnabled | bool | true | toggle metrics for ai assistant |
chatbot.podSecurityContext | object | | podSecurityContext config options for deployment |
chatbot.podSecurityContext.enabled | bool | true | toggle podSecurityContext for deployment |
chatbot.podSecurityContext.fsGroup | int | 1000 | podSecurityContext fsGroup value |
chatbot.containerSecurityContext | object | | containerSecurityContext config options for deployment |
chatbot.containerSecurityContext.enabled | bool | true | toggle the containerSecurityContext for deployment |
chatbot.containerSecurityContext.runAsNonRoot | bool | true | set runAsNonRoot for deployment |
chatbot.containerSecurityContext.runAsUser | int | 1000 | set runAsUser for deployment |
chatbot.containerSecurityContext.runAsGroup | int | 1000 | set runAsGroup for deployment |
chatbot.containerSecurityContext.privileged | bool | false | Running as privileged or unprivileged |
chatbot.containerSecurityContext.readOnlyRootFilesystem | bool | false | Mounts the container's root filesystem as read-only |
chatbot.containerSecurityContext.allowPrivilegeEscalation | bool | false | Controls whether a process can gain more privileges than its parent process |
chatbot.containerSecurityContext.capabilities | object | | With Linux capabilities, you can grant certain privileges to a process without granting all the privileges of the root user. To add or remove Linux capabilities for a Container, include the capabilities field in the securityContext section of the Container manifest. |
chatbot.containerSecurityContext.capabilities.drop | list | ["ALL"] | set capability to drop |
chatbot.containerSecurityContext.seccompProfile | object | | The seccompProfile field is a SeccompProfile object consisting of type and localhostProfile. |
chatbot.containerSecurityContext.seccompProfile.type | string | "RuntimeDefault" | Valid options for type include RuntimeDefault, Unconfined, and Localhost. |
chatbot.replicas | int | 1 | number of replica pods for the AI Assistant. |
chatbot.image | object | | Chatbot image info |
chatbot.image.repository | string | "/ai/chatbot" | Chatbot image repo |
chatbot.image.tag | string | "2.4.13-04ae28e0" | Chatbot image tag |
chatbot.image.name | string | "Tangram Pro Chatbot" | Chatbot image name |
chatbot.image.license | string | "Proprietary" | Chatbot image license type |
chatbot.image.url | string | "https://tangramflex.com/tangram-pro" | Tangram Pro product URL |
chatbot.image.releasedate | string | "06/13/2025" | Chatbot image release date |
chatbot.service | object | | Chatbot service opts |
chatbot.service.annotations | object | {} | Annotations to the chatbot service. |
chatbot.postgresql | object | | database config for chatbot |
chatbot.postgresql.auth | object | | database auth config for chatbot |
chatbot.postgresql.auth.existingSecret | string | "" | provide an existing secret containing postgresql connection information for chatbot deployment. |
chatbot.hpa | object | | HPA options for chatbot |
chatbot.hpa.enabled | bool | true | toggle to enable or disable HPA for chatbot |
chatbot.hpa.maxReplicas | int | 8 | chatbot max replicas for deployment |
chatbot.hpa.metrics | list | metrics: | chatbot metrics |
chatbot.hpa.behavior | object | | HPA behavior options |
chatbot.hpa.behavior.scaleDown | object | | scaledown behavior for deployment |
chatbot.hpa.behavior.scaleDown.policies | list | policies: | policy settings for HPA |
chatbot.hpa.behavior.scaleDown.selectPolicy | string | "Min" | min/max/disabled |
chatbot.keda | object | | specify options for using Keda with Chatbot |
chatbot.keda.useProxyHost | bool | false | toggle for using proxyHost with keda |
chatbot.keda.proxyHost | string | "http://keda-add-ons-http-interceptor-proxy.keda.svc.cluster.local:8080" | Proxy host URL to use with Keda/Chatbot. should point to the service of the interceptor proxy endpoint. |
chatbot.resourceConstraints | object | | resource constraint options for chatbot service |
chatbot.resourceConstraints.enabled | bool | true | toggle for chatbot resource constraint options |
chatbot.resourceConstraints.cpu | object | | CPU config options for chatbot deployment |
chatbot.resourceConstraints.cpu.request | string | "100m" | CPU request value for chatbot deployment |
chatbot.resourceConstraints.cpu.limit | string | "2000m" | CPU limit value for chatbot deployment |
chatbot.resourceConstraints.memory | object | | Memory config options for chatbot deployment |
chatbot.resourceConstraints.memory.request | string | "100Mi" | Memory request value for chatbot deployment |
chatbot.resourceConstraints.memory.limit | string | "750Mi" | Memory limit value for chatbot deployment |
chatbot.tls | object | TLS options for the chatbot | |
chatbot.tls.enabled | bool | false | toggle TLS for chatbot |
chatbot.tls.existingSecret | string | "cert-service-chatbot" | provide an existing Secret for use with chatbot TLS config |
chatbot.tls.cipherSuites | string | "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" | Only affects TLS 1.2 cipher suites, as golang doesn't allow you to change 1.3 cipher suites. This should be a comma separated list. |
chatbot.tls.minTlsVersion | string | "TLS1_2" | Min and max TLS version are in the format TLS_1_1, TLS1_2, TLS1_3, etc |
chatbot.tls.maxTlsVersion | string | "TLS1_2" | Maximum TLS version; the default of TLS1_2 disables TLS 1.3 |
Backend
Key | Type | Default | Description |
---|---|---|---|
backend | object | Tangram Pro backend configuration | |
backend.cleanupSchedule | string | "0 * * * *" | schedule for backend cleanup job |
backend.cleanupEnabled | bool | true | whether or not to enable the backend cleanup job |
backend.minio | object | Minio storage config for backend | |
backend.minio.enableAutoCleanup | bool | true | toggle enableAutoCleanup for minio bucket storage |
backend.minio.cleanupUpperThresholdPercent | int | 40 | start cleanup when storage consumed reaches this percentage of the PVC allocation |
backend.minio.cleanupLowerThresholdPercent | int | 30 | stop cleanup if storage consumed is at or below the cleanupLowerThresholdPercent |
backend.dockerRegistry | object | dockerRegistry storage config for backend | |
backend.dockerRegistry.enableAutoCleanup | bool | true | toggle enableAutoCleanup for dockerRegistry bucket storage |
backend.dockerRegistry.cleanupUpperThresholdPercent | int | 40 | start cleanup when storage consumed reaches this percentage of the PVC allocation |
backend.dockerRegistry.cleanupLowerThresholdPercent | int | 30 | stop cleanup if storage consumed is at or below the cleanupLowerThresholdPercent |
backend.audit | object | Audit config for backend | |
backend.audit.shutdownOnFailure | bool | true | toggle to shut down on backend pod failure |
backend.audit.existingSecret | string | "audit-checksum" | provide an existing secret for backend audit |
backend.auth | object | auth config for backend | |
backend.auth.tokenExpiration | int | 86400 | duration in seconds before a user's auth token for TPRO expires. |
backend.ingress | object | ingress config for backend | |
backend.ingress.enabled | bool | true | toggle ingress for backend |
backend.license | object | license options for backend | |
backend.license.enabled | bool | false | toggle for whether to mount an initial license to backend |
backend.license.content | string | "" | content of license note: content will not be used to create a secret if existingSecret is set |
backend.license.existingSecret | string | "" | name of secret [arbitrary secret name] the secret needs to be created like this: kubectl create secret generic "[arbitrary secret name]" \ |
backend.oauth | object | OAuth config options for backend | |
backend.oauth.config | object | OAuth config options for backend | |
backend.oauth.config.required | bool | false | boolean to force oauth only for all users |
backend.oauth.existingSecret | string | "" | this should be the name of the secret containing the OAuth config. Create the OAuth Config Secret: read -r -d "" oauth_providers |
backend.swagger | string | "false" | toggle swagger availability for backend |
backend.featureFlags | string | "" | comma separated list of feature flags |
backend.podSecurityContext | object | podSecurityContext config options for deployment | |
backend.podSecurityContext.enabled | bool | true | toggle podSecurityContext for deployment |
backend.podSecurityContext.fsGroup | int | 1000 | podSecurityContext fsGroup value |
backend.containerSecurityContext | object | containerSecurityContext config options for deployment | |
backend.containerSecurityContext.enabled | bool | true | toggle the containerSecurityContext for deployment |
backend.containerSecurityContext.runAsNonRoot | bool | true | set runAsNonRoot for deployment |
backend.containerSecurityContext.runAsUser | int | 1000 | set runAsUser for deployment |
backend.containerSecurityContext.runAsGroup | int | 1000 | set runAsGroup for deployment |
backend.containerSecurityContext.privileged | bool | false | Running as privileged or unprivileged |
backend.containerSecurityContext.readOnlyRootFilesystem | bool | false | Mounts the container's root filesystem as read-only |
backend.containerSecurityContext.allowPrivilegeEscalation | bool | false | Controls whether a process can gain more privileges than its parent process |
backend.containerSecurityContext.capabilities | object | With Linux capabilities, you can grant certain privileges to a process without granting all the privileges of the root user. To add or remove Linux capabilities for a Container, include the capabilities field in the securityContext section of the Container manifest. | |
backend.containerSecurityContext.capabilities.drop | list | ["ALL"] | set capability to drop |
backend.containerSecurityContext.seccompProfile | object | The seccompProfile field is a SeccompProfile object consisting of type and localhostProfile. | |
backend.containerSecurityContext.seccompProfile.type | string | "RuntimeDefault" | Valid options for type include RuntimeDefault, Unconfined, and Localhost. |
backend.replicas | int | 2 | number of backend pods to deploy |
backend.image | object | Backend image info | |
backend.image.repository | string | "/service/backend" | Backend image repo |
backend.image.tag | string | "2.4.13-b4abc123" | Backend image tag |
backend.image.name | string | "Tangram Pro Backend" | Backend image name |
backend.image.license | string | "Proprietary" | Backend image license type |
backend.image.url | string | "https://tangramflex.com/tangram-pro" | Tangram Pro product URL |
backend.image.releasedate | string | "06/17/2025" | Backend image release date |
backend.service | object | annotation opts for backend service | |
backend.service.annotations | object | {} | annotations for backend service |
backend.postgresql | object | postgresql auth config for backend | |
backend.postgresql.auth | object | postgresql auth config for backend | |
backend.postgresql.auth.existingSecret | string | "" | existing secret containing postgresql config information for backend to use for connection |
backend.metricsEnabled | bool | true | toggle for backend metricz |
backend.smokeTest | object | Smoke-test options for backend db | |
backend.smokeTest.enabled | bool | true | option to toggle the smokeTest for backend |
backend.smokeTest.postgresql | object | smokeTest db config | |
backend.smokeTest.postgresql.database | string | "tangram_test" | smokeTest db |
backend.smokeTest.postgresql.auth | object | smokeTest auth config | |
backend.smokeTest.postgresql.auth.existingSecret | string | "" | provide an existing secret containing auth information for smokeTest db connection |
backend.smokeTest.debug | bool | false | smokeTest log-level |
backend.smokeTest.image | object | Backend SmokeTest image info | |
backend.smokeTest.image.repository | string | "/k6-load-testing" | Backend SmokeTest image repo |
backend.smokeTest.image.tag | string | "1.2.0" | Backend SmokeTest image tag |
backend.smokeTest.image.name | string | "Tangram Pro Backend Smoke Testing" | Backend SmokeTest image name |
backend.smokeTest.image.license | string | "Proprietary" | Backend SmokeTest image license type |
backend.smokeTest.image.url | string | "https://tangramflex.com/tangram-pro" | Tangram Pro product URL |
backend.smokeTest.image.releasedate | string | "06/08/2023" | Backend SmokeTest image release date |
backend.smokeTest.resources | object | smokeTest resource constraint options | |
backend.smokeTest.resources.limits | object | smokeTest resource constraint limits | |
backend.smokeTest.resources.limits.memory | string | "128Mi" | smokeTest memory resource constraint limit |
backend.smokeTest.resources.limits.cpu | string | "125m" | smokeTest CPU resource constraint limit |
backend.smokeTest.podSecurityContext | object | podSecurityContext config options for smokeTest | |
backend.smokeTest.podSecurityContext.enabled | bool | true | toggle podSecurityContext for smokeTest |
backend.smokeTest.podSecurityContext.runAsNonRoot | bool | true | runAsNonRoot for smokeTest |
backend.smokeTest.podSecurityContext.runAsUser | int | 12345 | runAsUser for smokeTest |
backend.smokeTest.podSecurityContext.runAsGroup | int | 12345 | runAsGroup for smokeTest |
backend.smokeTest.podSecurityContext.fsGroup | int | 12345 | fsGroup for smokeTest |
backend.smokeTest.testUser | object | service account for use with the smokeTest | |
backend.smokeTest.testUser.existingSecret | string | "service-backend-smoke-test-auth" | existing secret for the smokeTest to connect to the smokeTest db |
backend.smokeTest.testUser.usernamePrefix | string | "testuser" | username prefix for the test user |
backend.smokeTest.testUser.emailDomain | string | "tangramflex.test" | mail domain for the smokeTest user |
backend.smokeTest.duration | string | "1m" | Keep this duration relatively short. Test user creation occurs once per run, so if the backend isn't up at the start of the test, the script needs to complete and start over again to create the user |
backend.smokeTest.virtualUsers | int | 1 | number of virtual users to use for smokeTest |
backend.smokeTest.prometheusReadWriteServerUrl | string | "http://monitoring-prometheus.monitoring.svc:9090/api/v1/write" | prometheus endpoint to write smokeTest data |
backend.smokeTest.insecureSkipTlsVerify | bool | false | toggle to skip TLS verification for smokeTest HTTPS connections |
backend.resourceConstraints | object | resource constraint options for backend service | |
backend.resourceConstraints.enabled | bool | true | toggle for backend resource constraint options |
backend.resourceConstraints.cpu | object | CPU config options for backend deployment | |
backend.resourceConstraints.cpu.request | string | "100m" | CPU request value for backend deployment |
backend.resourceConstraints.cpu.limit | string | "2000m" | CPU limit value for backend deployment |
backend.resourceConstraints.memory | object | Memory config options for backend deployment | |
backend.resourceConstraints.memory.request | string | "100Mi" | Memory request value for backend deployment |
backend.resourceConstraints.memory.limit | string | "750Mi" | Memory limit value for backend deployment |
backend.hpa | object | backend hpa config | |
backend.hpa.enabled | bool | true | toggle to enable or disable hpa for backend |
backend.hpa.maxReplicas | int | 8 | max replicas for backend HPA config |
backend.hpa.metrics | list | metrics: | backend HPA metrics config |
backend.hpa.behavior | object | backend HPA scaling behavior | |
backend.hpa.behavior.scaleDown | object | scaledown behavior for deployment | |
backend.hpa.behavior.scaleDown.policies | list | policies: | policy settings for HPA |
backend.hpa.behavior.scaleDown.selectPolicy | string | "Min" | min/max/disabled |
backend.installType | string | "PRO" | install type for backend. Placed in service-backend configmap |
backend.workflows | object | workflow options for backend | |
backend.workflows.nodeAffinity | object | nodeAffinity config for backend | |
backend.workflows.nodeAffinity.nodeSelectorKey | string | "" | nodeSelectorKey to use for node affinity |
backend.workflows.nodeAffinity.nodeSelectorValues | string | "" | nodeSelectorValues to use for node affinity |
backend.workflows.toleration | object | toleration rules for backend | |
backend.workflows.toleration.nodeTaintKey | string | "" | nodeTaintKey for backend pods |
backend.workflows.resources | object | resource config for backend workflow deployment | |
backend.workflows.resources.requests | object | resource request options for backend workflow deployment | |
backend.workflows.resources.requests.cpu | string | "1.5" | CPU request options for backend workflow deployment |
backend.workflows.resources.requests.memory | string | "1.5Gi" | Memory request options for backend workflow deployment |
backend.workflows.resources.limits | object | resource limit options for backend workflow deployment | |
backend.workflows.resources.limits.cpu | string | "4" | CPU limit options for backend workflow deployment |
backend.workflows.resources.limits.memory | string | "4Gi" | Memory limit options for backend workflow deployment |
backend.zoho | object | Zoho Configuration | |
backend.zoho.enabled | bool | false | toggle for enabling Zoho integration |
backend.zoho.secretName | string | "zoho-auth" | name of the secret generated for zoho secret |
backend.zoho.clientId | string | "" | clientID for the zoho app registration |
backend.zoho.clientSecret | string | "" | clientSecret for the zoho app registration |
backend.zoho.refreshToken | string | "" | refresh token value for zoho |
backend.zoho.layoutId | string | "6359469000000619222" | ID of the layout for zoho |
backend.zoho.contactLayoutId | string | "6359469000000091033" | id of the contact layout for zoho |
backend.tls | object | TLS config for backend | |
backend.tls.enabled | bool | false | toggle to enable or disable TLS for backend |
backend.tls.existingSecret | string | "cert-service-backend" | existing k8s secret for backend TLS configuration |
backend.tls.cipherSuites | string | "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" | Only affects TLS 1.2 cipher suites, as golang doesn't allow you to change 1.3 cipher suites. This should be a comma separated list. |
backend.tls.minTlsVersion | string | "TLS1_2" | Min and max TLS version are in the format TLS_1_1, TLS1_2, TLS1_3, etc |
backend.tls.maxTlsVersion | string | "TLS1_2" | Maximum TLS version; the default of TLS1_2 disables TLS 1.3 |
backend.flexInstance | object | flexInstance expiration option for backend | |
backend.flexInstance.expiration | int | 3600 | Idle timeout of flex instance in seconds |
Watcher
Key | Type | Default | Description |
---|---|---|---|
watcher | object | Tangram Pro watcher configuration | |
watcher.verifierDeletionDelaySeconds | int | 600 | seconds before deletions should occur |
watcher.replicas | int | 2 | Watcher # of replicas |
watcher.image | object | Watcher image info | |
watcher.image.repository | string | "/service/backend/watcher" | Watcher image repo |
watcher.image.tag | string | "2.4.13-b4abc123" | Watcher image tag |
watcher.image.name | string | "Tangram Pro Workflow Watcher" | Watcher image name |
watcher.image.license | string | "Proprietary" | Watcher image license type |
watcher.image.url | string | "https://tangramflex.com/tangram-pro" | Tangram Pro product URL |
watcher.image.releasedate | string | "06/17/2025" | Watcher image release date |
watcher.service | object | annotation opts to the watcher service. | |
watcher.service.annotations | object | {} | annotations to the watcher service. these can be templated. |
watcher.metricsEnabled | bool | true | toggle to disable or enable metricz for watcher |
watcher.resourceConstraints | object | watcher resource constraint config options | |
watcher.resourceConstraints.enabled | bool | true | toggle to disable or enable resourceConstraints for watcher |
watcher.resourceConstraints.limits | object | resourceConstraints limits for watcher | |
watcher.resourceConstraints.limits.cpu | string | "2000m" | CPU resourceConstraints limits for watcher |
watcher.resourceConstraints.limits.memory | string | "750Mi" | Memory resourceConstraints limits for watcher |
watcher.resourceConstraints.requests | object | resourceConstraints requests for watcher | |
watcher.resourceConstraints.requests.cpu | string | "100m" | CPU resourceConstraints requests for watcher |
watcher.resourceConstraints.requests.memory | string | "100Mi" | Memory resourceConstraints requests for watcher |
watcher.hpa | object | hpa options for watcher | |
watcher.hpa.enabled | bool | true | toggle to enable or disable hpa for watcher |
watcher.hpa.maxReplicas | int | 8 | maxReplicas for watcher HPA |
watcher.hpa.metrics | list | metrics: | metrics for watcher HPA |
watcher.hpa.behavior | object | scaling behavior for watcher HPA | |
watcher.hpa.behavior.scaleDown | object | scaledown behavior for deployment | |
watcher.hpa.behavior.scaleDown.policies | list | policies: | policy settings for HPA |
watcher.hpa.behavior.scaleDown.selectPolicy | string | "Min" | min/max/disabled |
watcher.podSecurityContext | object | podSecurityContext config options for deployment | |
watcher.podSecurityContext.enabled | bool | true | toggle podSecurityContext for deployment |
watcher.podSecurityContext.fsGroup | int | 1000 | podSecurityContext fsGroup value |
watcher.containerSecurityContext | object | containerSecurityContext config options for deployment | |
watcher.containerSecurityContext.enabled | bool | true | toggle the containerSecurityContext for deployment |
watcher.containerSecurityContext.runAsNonRoot | bool | true | set runAsNonRoot for deployment |
watcher.containerSecurityContext.runAsUser | int | 1000 | set runAsUser for deployment |
watcher.containerSecurityContext.runAsGroup | int | 1000 | set runAsGroup for deployment |
watcher.containerSecurityContext.privileged | bool | false | Running as privileged or unprivileged |
watcher.containerSecurityContext.readOnlyRootFilesystem | bool | false | Mounts the container's root filesystem as read-only |
watcher.containerSecurityContext.allowPrivilegeEscalation | bool | false | Controls whether a process can gain more privileges than its parent process |
watcher.containerSecurityContext.capabilities | object | With Linux capabilities, you can grant certain privileges to a process without granting all the privileges of the root user. To add or remove Linux capabilities for a Container, include the capabilities field in the securityContext section of the Container manifest. | |
watcher.containerSecurityContext.capabilities.drop | list | ["ALL"] | set capability to drop |
watcher.containerSecurityContext.seccompProfile | object | The seccompProfile field is a SeccompProfile object consisting of type and localhostProfile. | |
watcher.containerSecurityContext.seccompProfile.type | string | "RuntimeDefault" | Valid options for type include RuntimeDefault, Unconfined, and Localhost. |
watcher.postgresql | object | watcher postgresql config | |
watcher.postgresql.auth | object | watcher postgresql auth config | |
watcher.postgresql.auth.existingSecret | string | "" | provide an existing secret containing auth information for watcher's db connection |
watcher.tls | object | watcher TLS config | |
watcher.tls.enabled | bool | false | toggle for enabling or disabling TLS for watcher |
watcher.tls.existingSecret | string | "cert-service-watcher" | provide an existing k8s secret for TLS config for watcher |
watcher.tls.cipherSuites | string | "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" | Only affects TLS 1.2 cipher suites, as golang doesn't allow you to change 1.3 cipher suites. This should be a comma separated list. |
watcher.tls.minTlsVersion | string | "TLS1_2" | Min and max TLS version are in the format TLS_1_1, TLS1_2, TLS1_3, etc |
watcher.tls.maxTlsVersion | string | "TLS1_2" | Maximum TLS version; the default of TLS1_2 disables TLS 1.3 |
Lifecycle Hooks
Key | Type | Default | Description |
---|---|---|---|
hooks | object | Tangram Pro Helm chart hooks configuration. Hooks run during chart installs, upgrades, rollbacks, and deletions. | |
hooks.tools | object | The hook tools image contains commands needed to run hook scripts | |
hooks.tools.image | object | Hooks tools image info | |
hooks.tools.image.repository | string | "/image/helm-hook" | Hooks image repo |
hooks.tools.image.tag | string | "2.4.11-9e633eec" | Hooks image tag |
hooks.tools.image.name | string | "Tangram Pro Helm Hook" | Hooks image name |
hooks.tools.image.license | string | "Proprietary" | Hooks image license type |
hooks.tools.image.url | string | "https://tangramflex.com/tangram-pro" | Tangram Pro product URL |
hooks.tools.image.releasedate | string | "04/24/2025" | Hooks image release date |
hooks.debug | bool | false | log-level for helm hook events |
hooks.podSecurityContext | object | podSecurityContext config options for deployment | |
hooks.podSecurityContext.enabled | bool | true | toggle podSecurityContext for deployment |
hooks.podSecurityContext.fsGroup | int | 1000 | podSecurityContext fsGroup value |
hooks.containerSecurityContext | object | containerSecurityContext config options for deployment | |
hooks.containerSecurityContext.enabled | bool | true | toggle the containerSecurityContext for deployment |
hooks.containerSecurityContext.runAsNonRoot | bool | true | set runAsNonRoot for deployment |
hooks.containerSecurityContext.runAsUser | int | 1000 | set runAsUser for deployment |
hooks.containerSecurityContext.runAsGroup | int | 1000 | set runAsGroup for deployment |
hooks.containerSecurityContext.privileged | bool | false | Running as privileged or unprivileged |
hooks.containerSecurityContext.readOnlyRootFilesystem | bool | false | Mounts the container's root filesystem as read-only |
hooks.containerSecurityContext.allowPrivilegeEscalation | bool | false | Controls whether a process can gain more privileges than its parent process |
hooks.containerSecurityContext.capabilities | object | With Linux capabilities, you can grant certain privileges to a process without granting all the privileges of the root user. To add or remove Linux capabilities for a Container, include the capabilities field in the securityContext section of the Container manifest. | |
hooks.containerSecurityContext.capabilities.drop | list | ["ALL"] | set capability to drop |
hooks.containerSecurityContext.seccompProfile | object | The seccompProfile field is a SeccompProfile object consisting of type and localhostProfile. | |
hooks.containerSecurityContext.seccompProfile.type | string | "RuntimeDefault" | Valid options for type include RuntimeDefault, Unconfined, and Localhost. |
Minio
Key | Type | Default | Description |
---|---|---|---|
minio | sub-chart | https://artifacthub.io/packages/helm/bitnami/minio | See the official chart values for param values |
Argo Workflows
Key | Type | Default | Description |
---|---|---|---|
argo-workflows | sub-chart | https://artifacthub.io/packages/helm/argo/argo-workflows | See the official chart values for param values |
Docker Registry
Key | Type | Default | Description |
---|---|---|---|
docker-registry | sub-chart | https://artifacthub.io/packages/helm/twuni/docker-registry | See the official chart values for param values |
Gitea
Key | Type | Default | Description |
---|---|---|---|
gitea | sub-chart | https://artifacthub.io/packages/helm/gitea/gitea | See the official chart values for param values. Note: The chart uses a deployment and expects RWX PVC if the deployment has more than one replica. We are utilizing it more like a statefulset by setting the deployment strategy to recreate and only having 1 replica. |
Database Option
Key | Type | Default | Description |
---|---|---|---|
usePostgres | bool | true | chart toggle to use Postgresql as the application database. |
Postgresql
Key | Type | Default | Description |
---|---|---|---|
postgresql | sub-chart | https://artifacthub.io/packages/helm/bitnami/postgresql | See the official chart values for param values. |
Redis
Key | Type | Default | Description |
---|---|---|---|
redis | sub-chart | https://artifacthub.io/packages/helm/bitnami/redis | See the official chart values for param values. |
Redis Logger
Key | Type | Default | Description |
---|---|---|---|
redisLogger | object | RedisLogger allows us to capture Redis logs for STIGs | |
redisLogger.intervalSeconds | int | 10 | polling interval at which the redis pod logs are captured |
redisLogger.podSecurityContext | object | podSecurityContext config options for deployment | |
redisLogger.podSecurityContext.enabled | bool | true | toggle podSecurityContext for deployment |
redisLogger.podSecurityContext.fsGroup | int | 1000 | podSecurityContext fsGroup value |
redisLogger.containerSecurityContext | object | containerSecurityContext config options for deployment | |
redisLogger.containerSecurityContext.enabled | bool | true | toggle the containerSecurityContext for deployment |
redisLogger.containerSecurityContext.runAsNonRoot | bool | true | set runAsNonRoot for deployment |
redisLogger.containerSecurityContext.runAsUser | int | 1000 | set runAsUser for deployment |
redisLogger.containerSecurityContext.runAsGroup | int | 1000 | set runAsGroup for deployment |
redisLogger.containerSecurityContext.privileged | bool | false | Running as privileged or unprivileged |
redisLogger.containerSecurityContext.readOnlyRootFilesystem | bool | false | Mounts the container's root filesystem as read-only |
redisLogger.containerSecurityContext.allowPrivilegeEscalation | bool | false | Controls whether a process can gain more privileges than its parent process |
redisLogger.containerSecurityContext.capabilities | object | With Linux capabilities, you can grant certain privileges to a process without granting all the privileges of the root user. To add or remove Linux capabilities for a Container, include the capabilities field in the securityContext section of the Container manifest. | |
redisLogger.containerSecurityContext.capabilities.drop | list | ["ALL"] | set capability to drop |
redisLogger.containerSecurityContext.seccompProfile | object | The seccompProfile field is a SeccompProfile object consisting of type and localhostProfile. | |
redisLogger.containerSecurityContext.seccompProfile.type | string | "RuntimeDefault" | Valid options for type include RuntimeDefault, Unconfined, and Localhost. |
redisLogger.image | object | Redis Logger image details | |
redisLogger.image.repository | string | "/image/redis-logger" | Redis Logger image repo |
redisLogger.image.tag | string | "2.4.0-dc23cf4e" | Redis Logger image tag |
redisLogger.image.name | string | "Tangram Pro Redis Logger" | Redis Logger image name |
redisLogger.image.license | string | "Proprietary" | Redis Logger image license type |
redisLogger.image.url | string | "https://tangramflex.com/tangram-pro" | Tangram Pro product URL |
redisLogger.image.releasedate | string | "09/06/2024" | Redis Logger image release date |
redisLogger.resources | object | Resource constraint options for redis logger | |
redisLogger.resources.limits | object | Resource limit options for redis logger | |
redisLogger.resources.limits.memory | string | "128Mi" | Memory resource constraint options for redis logger |
redisLogger.resources.limits.cpu | string | "125m" | CPU resource constraint options for redis logger |
Plugins
Key | Type | Default | Description |
---|---|---|---|
plugins | list | ["cargo","code-gen-3","flex-transpiler","gplusplus","kaniko","document-render"] | Tangram Pro workflow plugins |
Storage
Key | Type | Default | Description |
---|---|---|---|
storage | object | Pro Storage configuration | |
storage.cloud | object | cloud storage config | |
storage.cloud.aws | object | aws-specific storage config for TPRO storage | |
storage.cloud.aws.s3Endpoint | string | "s3.us-gov-west-1.amazonaws.com" | Should be in the form of s3.[region].amazonaws.com or s3-fips.[region].amazonaws.com |
storage.cloud.aws.irsa | object | IRSA config options for aws-specific storage | |
storage.cloud.aws.irsa.enabled | bool | false | this toggle determines if the role_arn is set as an annotation on the service accounts for IRSA with EKS |
storage.cloud.aws.irsa.role_arn | string | "" | the arn of a role in aws, with access to the buckets, with the pattern: arn:[region]:iam::[account_id]:role/[role_name] |
storage.cloud.aws.extraEnvVars | string | see values.yaml storage.cloud.aws.extraEnvVars section | auth details for the endpoint |
storage.buckets | object | see values.yaml storage.buckets section | buckets to create within Minio |
storage.buckets.USER_PROFILE_PICTURE | object | USER_PROFILE_PICTURE: | minio bucket for user profile photos |
storage.buckets.API_RESOURCE | object | API_RESOURCE: | minio bucket for api-resources |
storage.buckets.BACKUP | object | BACKUP: | minio bucket for backup data |
storage.buckets.FILE_RESOURCE | object | FILE_RESOURCE: | minio bucket for user-uploaded files |
storage.buckets.COMPONENT_ARTIFACTS | object | COMPONENT_ARTIFACTS: | minio bucket for component artifacts |
storage.buckets.ORG_ARTIFACT | object | ORG_ARTIFACT: | minio bucket for org artifacts |
storage.buckets.ORG_LOGO | object | ORG_LOGO: | minio bucket for the org logo |
storage.buckets.USER_ARTIFACT | object | USER_ARTIFACT: | minio bucket for user artifacts |
storage.buckets.DOCKER_REGISTRY | object | DOCKER_REGISTRY: | minio bucket for docker container images |
storage.buckets.ARGO_ARTIFACT | object | ARGO_ARTIFACT: | minio bucket for argo workflow artifacts |
storage.buckets.RUN_LOGS | object | RUN_LOGS: | minio bucket for run logs |
storage.buckets.PROJECT_IAC | object | PROJECT_IAC: | minio bucket for project IAC resources |
storage.buckets.CSI_ADAPTERS | object | CSI_ADAPTERS: | minio bucket for CSI adapters |
storage.buckets.CSI | object | CSI: | minio bucket for CSIS resources |
storage.buckets.PROVIDER_CLASS | object | PROVIDER_CLASS: | minio bucket for provider classes resources |
storage.buckets.INTEGRATION_LOGS | object | INTEGRATION_LOGS: | minio bucket for integration logs |
Backup
Key | Type | Default | Description |
---|---|---|---|
backup | object | Backup config for Pro | |
backup.enabled | bool | false | toggle to disable or enable backups |
backup.schedule | string | "0 0 31 2 0" | schedule at which the backup occurs |
backup.storageSize | string | "60Gi" | storage size for backup PVC |
backup.skipDocker | string | "false" | toggle to include or exclude registry images in backup |
backup.destination | object | optional S3-compatible backup location | |
backup.destination.type | string | "internal" | "internal" for cluster minio (default), "external" for external S3-compatible storage |
backup.destination.external | object | s3 config | |
backup.destination.external.endpoint | string | "https://s3.us-gov-west-1.amazonaws.com" | s3 endpoint. only used if destination.type=external. e.g. https://s3.us-gov-west-1.amazonaws.com |
backup.destination.external.bucket | string | "" | external S3 bucket name |
backup.destination.external.accessKeySecretName | string | "external-s3-creds" | secret for external S3 access credentials |
backup.destination.external.accessKeyField | string | "access-key" | key inside the secret |
backup.destination.external.secretKeyField | string | "secret-key" | key inside the secret |
backup.podSecurityContext | object | podSecurityContext config options for deployment | |
backup.podSecurityContext.enabled | bool | true | toggle podSecurityContext for deployment |
backup.podSecurityContext.fsGroup | int | 1000 | podSecurityContext fsGroup value |
backup.containerSecurityContext | object | containerSecurityContext config options for deployment | |
backup.containerSecurityContext.enabled | bool | true | toggle the containerSecurityContext for deployment |
backup.containerSecurityContext.runAsNonRoot | bool | true | set runAsNonRoot for deployment |
backup.containerSecurityContext.runAsUser | int | 1000 | set runAsUser for deployment |
backup.containerSecurityContext.runAsGroup | int | 1000 | set runAsGroup for deployment |
backup.containerSecurityContext.privileged | bool | false | Running as privileged or unprivileged |
backup.containerSecurityContext.readOnlyRootFilesystem | bool | false | Mounts the container's root filesystem as read-only |
backup.containerSecurityContext.allowPrivilegeEscalation | bool | false | Controls whether a process can gain more privileges than its parent process |
backup.containerSecurityContext.capabilities | object | With Linux capabilities, you can grant certain privileges to a process without granting all the privileges of the root user. To add or remove Linux capabilities for a Container, include the capabilities field in the securityContext section of the Container manifest. | |
backup.containerSecurityContext.capabilities.drop | list | ["ALL"] | set capability to drop |
backup.containerSecurityContext.seccompProfile | object | The seccompProfile field is a SeccompProfile object consisting of type and localhostProfile. | |
backup.containerSecurityContext.seccompProfile.type | string | "RuntimeDefault" | Valid options for type include RuntimeDefault, Unconfined, and Localhost. |