Helm Values
Below are the default and configurable values for an overrides file for the Tangram Pro™ Helm chart.
Chart Values
Maintainers
| Name | Url | |
|---|---|---|
| Tangram Flex | ops@tangramflex.com | https://tangramflex.com |
Table of Contents
- Official Deployment Guide
- TPRO Sub-Charts
- Changing The Registry
- Development
- Releases
- Patching
- Upgrading
- More Information
- Chart Values
Sub-Charts
| Name | Repository | Version | Chart URL |
|---|---|---|---|
| argo-workflows | https://argoproj.github.io/argo-helm | 0.41.1 | https://artifacthub.io/packages/helm/argo/argo-workflows |
| docker-registry | https://helm.twun.io | 2.2.3 | https://artifacthub.io/packages/helm/twuni/docker-registry |
| gitea | Tangram-vendored & customized | 10.3.0 | https://artifacthub.io/packages/helm/gitea/gitea |
| minio | oci://registry-1.docker.io/bitnamicharts | 13.2.1 | https://artifacthub.io/packages/helm/bitnami/minio |
| ollama | https://otwld.github.io/ollama-helm | 0.64.0 | https://artifacthub.io/packages/helm/ollama-helm/ollama |
| postgresql | oci://registry-1.docker.io/bitnamicharts | 15.5.16 | https://artifacthub.io/packages/helm/bitnami/postgresql |
| redis | oci://registry-1.docker.io/bitnamicharts | 20.6.2 | https://artifacthub.io/packages/helm/bitnami/redis |
Values
Toolkits
| Key | Type | Default | Description |
|---|---|---|---|
| tags.basic | bool | true | enable or disable TPRO Basic toolkit |
| tags.designer | bool | true | enable or disable TPRO Designer toolkit |
| tags.developer | bool | true | enable or disable TPRO Developer toolkit |
| tags.verifier | bool | true | enable or disable TPRO Verifier toolkit |
| tags.ai | bool | false | enable or disable TPRO AI Assistant toolkit |
Global Config
| Key | Type | Default | Description |
|---|---|---|---|
| global.imageRegistry | string | "registry-gitlab.tangramflex.tech/pro" | container image registry for image pull |
| global.imagePullSecrets | list | ["gitlab-pro-registry"] | container image registry imagePullSecrets |
| global.postgresql.auth.postgresPassword | string | "placeholder" | placeholder value |
| global.postgresql.auth.password | string | "placeholder" | placeholder value |
Misc
| Key | Type | Default | Description |
|---|---|---|---|
| metricsEnabled | bool | true | Global toggle for Prometheus metrics |
| createClusterRoles | bool | true | Only set this to true if it is the first Tangram Pro install in your cluster and the installer has cluster-admin privileges |
| subdomain | string | "" | sub-domain for TPRO instance. |
| domain | string | "tangramflex.io" | root domain for TPRO instance. |
| storagePath | string | "/storage" | Minio storage path |
| logEnv | string | "production" | Tangram Pro log level |
ArgoCD
| Key | Type | Default | Description |
|---|---|---|---|
| argocd.upgrade | bool | false | Set argocd.upgrade = false if this is a clean/new deployment. Set it to "true" after you have successfully deploy TPro |
| argocd.enabled | bool | false | Set argocd.enabled = true if you are using ArgoCD to deploy TPro |
Tolerations
| Key | Type | Default | Description |
|---|---|---|---|
| tolerations | list | [] | Tolerations assigned to all pods {"tolerations":[{"key":"key1","operator":"Equal","value":"value1","effect":"NoSchedule"}]} |
Topology Constraints
| Key | Type | Default | Description |
|---|---|---|---|
| topologySpreadConstraints | list | [{"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"}] | Topology spread constraints assigned to all pods The chart determines the labelSelector automatically, so do not specify it |
Registry
| Key | Type | Default | Description |
|---|---|---|---|
| registry.username | string | "" | username to connect to the container registry |
| registry.password | string | "" | password to connect to the container registry |
| registry.existingSecret | string | "" | use existingSecret if you already created the image pull secret |
Licensing
| Key | Type | Default | Description |
|---|---|---|---|
| license.publicKeyFile | string | "" | public key file name |
| license.privateKeyFile | string | "" | private key file name |
| license.privateKeyPass | string | "" | private key password |
| license.existingSecret | string | "" | use existingSecret if using existing license the secret needs to be created like this: kubectl create secret generic license \ --from-file=tangram_id_rsa.pub="/path/to/tangram_id_rsa.pub" \ --from-file=id_rsa="/path/to/id_rsa" \ --from-literal=LICENSE_PRIVATE_KEY_PASS="TANGRAM_PROVIDED_KEY_PASS" |
TLS
| Key | Type | Default | Description |
|---|---|---|---|
| tls.certFile | string | "" | certFile is only used if cert-manager is not used |
| tls.keyFile | string | "" | keyFile is only used if cert-manager is not used |
| tls.clusterIssuer | string | "letsencrypt-prod" | clusterIssuer is to be used with cert-manager |
| tls.createCertificate | bool | true | If no certFile, keyFile, or existingSecret is provided, whether to create a Certmanager certificate |
| tls.existingSecret | string | "" | use existingSecret if using existing TLS |
| tls.ca.enabled | bool | false | option to toggle certificate authority |
| tls.ca.existingSecrets | list | [{"key":"ca.crt","name":"cert-service-backend"}] | Names between the secrets and configmaps must be unique. |
| tls.ca.existingConfigMaps | list | [] | provide an existing configmap if available. [{"name":"my-config-map","key":"ca.pem"}] |
| tls.pki.enabled | bool | false | toggle for pki |
NetworkPolicy
| Key | Type | Default | Description |
|---|---|---|---|
| networkPolicy.enabled | bool | true | toggle network policies on or off |
| networkPolicy.ingressController | list | [] | rules for the ingressController. anything placed here will be rendered out following standard k8s network policy resource https://kubernetes.io/docs/concepts/services-networking/network-policies/ Ex: {"from":[{"namespaceSelector":{"matchLabels":{"kubernetes.io/metadata.name":"nginx"}},"podSelector":{"matchLabels":{"app.kubernetes.io/name":"ingress-nginx"}}}]} |
| networkPolicy.kedaHTTPProxy | list | [] | rules for the kedaHTTPProxy. anything placed here will be rendered out following standard k8s network policy resource https://kubernetes.io/docs/concepts/services-networking/network-policies/ Ex: {"from":[{"namespaceSelector":{"matchLabels":{"kubernetes.io/metadata.name":"keda"}},"podSelector":{"matchLabels":{"app.kubernetes.io/component":"interceptor","app.kubernetes.io/instance":"keda-http-add-on"}}}]} |
| networkPolicy.nodeCIDR | string | "172.20.0.0/16" | the k8s service CIDR defaults to the CIDR block for the Tangram Flex Prod clusters |
Frontend
| Key | Type | Default | Description |
|---|---|---|---|
| frontend.replicas | int | 2 | number of replicas for frontend deployment |
| frontend.ingress.enabled | bool | true | toggles the ingress for frontend |
| frontend.tls.enabled | bool | false | toggle for configuring TLS for frontend |
| frontend.tls.existingSecret | string | "cert-frontend" | provide an existing secret for TLS config |
| frontend.tls.cipherSuites | string | "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_256_GCM_SHA384" | See: https://www.openssl.org/docs/man1.1.1/man1/ciphers.html for an available list of ciphers |
| frontend.tls.tlsProtocols | string | "TLSv1.2" | List of allowed TLS versions, space separated. Ex. TLSv1.2 TLSv1.3 |
| frontend.image.repository | string | "/service/frontend" | frontend image repo |
| frontend.image.tag | string | "2.4.7-346d5217" | frontend image tag |
| frontend.image.name | string | "Tangram Pro Frontend" | frontend image name |
| frontend.image.license | string | "Proprietary" | frontend image license type |
| frontend.image.url | string | "https://tangramflex.com/tangram-pro" | Tangram Pro product URL |
| frontend.image.releasedate | string | "01/31/2025" | frontend image release date |
| frontend.resourceConstraints.enabled | bool | true | enable resourceConstraints for frontend deployment resources |
| frontend.resourceConstraints.cpu.request | string | "10m" | CPU request options for frontend deployment resources |
| frontend.resourceConstraints.cpu.limit | string | "100m" | CPU limit options for frontend deployment resources |
| frontend.resourceConstraints.memory.request | string | "25Mi" | Memory request options for frontend deployment resources |
| frontend.resourceConstraints.memory.limit | string | "200Mi" | Memory limit options for frontend deployment resources |
| frontend.hpa.enabled | bool | true | toggle to enable or disable frontend HPA |
| frontend.hpa.maxReplicas | int | 8 | maxReplicas for frontend HPA |
| frontend.hpa.metrics | list | [{"resource":{"name":"cpu","target":{"averageUtilization":50,"type":"Utilization"}},"type":"Resource"}] | frontend HPA metrics options |
| frontend.hpa.behavior.scaleDown.policies | list | [{"periodSeconds":60,"type":"Percent","value":25}] | HPA scaledown policy behavior |
| frontend.hpa.behavior.scaleDown.selectPolicy | string | "Min" | min/max/disabled |
| frontend.podSecurityContext.enabled | bool | true | toggle podSecurityContext for deployment |
| frontend.podSecurityContext.fsGroup | int | 1000 | podSecurityContext fsGroup value |
| frontend.containerSecurityContext.enabled | bool | true | toggle the containerSecurityContext for deployment |
| frontend.containerSecurityContext.runAsNonRoot | bool | true | set runAsNonRoot for deployment |
| frontend.containerSecurityContext.runAsUser | int | 1000 | set runAsNonRoot for deployment |
| frontend.containerSecurityContext.runAsGroup | int | 1000 | set runAsGroup for deployment |
| frontend.containerSecurityContext.privileged | bool | false | Running as privileged or unprivileged |
| frontend.containerSecurityContext.readOnlyRootFilesystem | bool | false | Mounts the container's root filesystem as read-only |
| frontend.containerSecurityContext.allowPrivilegeEscalation | bool | false | Controls whether a process can gain more privileges than its parent process |
| frontend.containerSecurityContext.capabilities.drop | list | ["ALL"] | set capability to drop |
| frontend.containerSecurityContext.seccompProfile.type | string | "RuntimeDefault" | Valid options for type include RuntimeDefault, Unconfined, and Localhost. |
Docs
| Key | Type | Default | Description |
|---|---|---|---|
| docs.replicas | int | 2 | replica count for docs deployment |
| docs.ingress.enabled | bool | true | ingress toggle for docs deployment |
| docs.tls.enabled | bool | false | toggle for docs TLS |
| docs.tls.existingSecret | string | "cert-docs" | provide an existing secret for TLS |
| docs.tls.cipherSuites | string | "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_256_GCM_SHA384" | TLS cipher suites to use for docs deployment See: https://www.openssl.org/docs/man1.1.1/man1/ciphers.html for an available list of ciphers |
| docs.tls.tlsProtocols | string | "TLSv1.2" | List of allowed TLS versions, space separated. Ex. TLSv1.2 TLSv1.3 |
| docs.image.repository | string | "/docs" | Docs image repo |
| docs.image.tag | string | "2.4.6-8ecae168" | Docs image tag |
| docs.image.name | string | "Tangram Pro Docs" | Docs image name |
| docs.image.license | string | "Proprietary" | Docs image license type |
| docs.image.url | string | "https://tangramflex.com/tangram-pro" | Tangram Pro product URL |
| docs.image.releasedate | string | "01/27/2025" | Tangram Pro docs image release date |
| docs.resourceConstraints.enabled | bool | true | toggle for docs resource constraint options |
| docs.resourceConstraints.cpu.request | string | "10m" | CPU request value for docs deployment |
| docs.resourceConstraints.cpu.limit | string | "100m" | CPU request limits for docs deployment |
| docs.resourceConstraints.memory.request | string | "25Mi" | Memory request value for docs deployment |
| docs.resourceConstraints.memory.limit | string | "200Mi" | Memory request value for docs deployment |
| docs.podSecurityContext.enabled | bool | true | toggle podSecurityContext for deployment |
| docs.podSecurityContext.fsGroup | int | 1000 | podSecurityContext fsGroup value |
| docs.containerSecurityContext.enabled | bool | true | toggle the containerSecurityContext for deployment |
| docs.containerSecurityContext.runAsNonRoot | bool | true | set runAsNonRoot for deployment |
| docs.containerSecurityContext.runAsUser | int | 1000 | set runAsNonRoot for deployment |
| docs.containerSecurityContext.runAsGroup | int | 1000 | set runAsGroup for deployment |
| docs.containerSecurityContext.privileged | bool | false | Running as privileged or unprivileged |
| docs.containerSecurityContext.readOnlyRootFilesystem | bool | false | Mounts the container's root filesystem as read-only |
| docs.containerSecurityContext.allowPrivilegeEscalation | bool | false | Controls whether a process can gain more privileges than its parent process |
| docs.containerSecurityContext.capabilities.drop | list | ["ALL"] | set capability to drop |
| docs.containerSecurityContext.seccompProfile.type | string | "RuntimeDefault" | Valid options for type include RuntimeDefault, Unconfined, and Localhost. |
Preload Job
| Key | Type | Default | Description |
|---|---|---|---|
| preload.enabled | bool | true | toggle to enable or disable the preload image job |
| preload.job.image.repository | string | "/image/skopeo" | Preload Job image repo |
| preload.job.image.tag | string | "v1.14.2" | Preload Job image tag |
| preload.job.image.url | string | "https://github.com/containers/skopeo" | Tangram Pro product URL |
| preload.job.image.releasedate | string | "02/01/2024" | Preload Job image release date |
| preload.job.image.license | string | "Apache-2.0" | Preload Job image license type |
| preload.job.image.name | string | "Skopeo" | Preload Job image name |
Ollama
| Key | Type | Default | Description |
|---|---|---|---|
| ollama.fullnameOverride | string | "ollama" | AI Assistant model configuration |
| ollama.imagePullSecrets | list | [{"name":"gitlab-pro-registry"}] | AI Assistant model configuration |
| ollama.image.repository | string | "registry-gitlab.tangramflex.tech/pro/image/ollama" | Ollama image repo |
| ollama.image.tag | string | "0.5.1" | Ollama image tag |
| ollama.image.name | string | "Ollama" | Ollama image name |
| ollama.image.license | string | "MIT" | Ollama image license type |
| ollama.image.url | string | "https://ollama.com" | Tangram Pro product URL |
| ollama.image.releasedate | string | "12/09/2024" | Ollama image release date |
| ollama.keda.httpScaledObject.enabled | bool | false | toggle whether or not a httpScaledObject is created by K8s |
| ollama.keda.httpScaledObject.replicas.min | int | 0 | min number of httpScaledObject to create |
| ollama.keda.httpScaledObject.replicas.max | int | 1 | max number of httpScaledObject to create |
| ollama.keda.httpScaledObject.scaledownPeriod | int | 7200 | number of seconds that KEDA will wait to see if an event has occurred before scaling down |
| ollama.keda.httpScaledObject.scalingMetric.concurrency.targetValue | int | 100 | This is the target value for the scaling configuration. https://github.com/kedacore/http-add-on/blob/main/docs/ref/v0.8.0/http_scaled_object.md#targetvalue |
| ollama.ollama.gpu.enabled | bool | false | toggle GPU enabled or disabled based on hardware available |
| ollama.ollama.models | list | ["llama3.1:8b","mxbai-embed-large:335m"] | list of models available to Ollama |
| ollama.ollama.mountPath | string | "/home/ollama/.ollama" | directory where models are mounted |
| ollama.persistentVolume.enabled | bool | true | toggle option to enable or disable persistence using PVC |
| ollama.persistentVolume.size | string | "50Gi" | disk size in gigabyte for PV to store models |
| ollama.podSecurityContext.fsGroup | int | 1000 | podSecurityContext fsGroup value |
| ollama.containerSecurityContext.enabled | bool | true | toggle the containerSecurityContext for deployment |
| ollama.containerSecurityContext.runAsNonRoot | bool | true | set runAsNonRoot for deployment |
| ollama.containerSecurityContext.runAsUser | int | 1000 | set runAsNonRoot for deployment |
| ollama.containerSecurityContext.runAsGroup | int | 1000 | set runAsGroup for deployment |
| ollama.containerSecurityContext.privileged | bool | false | Running as privileged or unprivileged |
| ollama.containerSecurityContext.readOnlyRootFilesystem | bool | false | Mounts the container's root filesystem as read-only |
| ollama.containerSecurityContext.allowPrivilegeEscalation | bool | false | Controls whether a process can gain more privileges than its parent process |
| ollama.containerSecurityContext.capabilities.drop | list | ["ALL"] | set capability to drop |
| ollama.containerSecurityContext.seccompProfile.type | string | "RuntimeDefault" | Valid options for type include RuntimeDefault, Unconfined, and Localhost. |
Chatbot
| Key | Type | Default | Description |
|---|---|---|---|
| chatbot.chatModel | string | "llama3.1:8b" | model used for chat completion |
| chatbot.embeddingModel | string | "mxbai-embed-large:335m" | model used for vector embeddings |
| chatbot.embeddingModelChunkSize | int | 512 | chunk size for the vector embeddings 512 relates to mxbai-embed-large:335m. |
| chatbot.embeddingModelChunkOverlap | int | 50 | amount of overlap between chunks for vector embeddings |
| chatbot.chatTemperature | float | 0.1 | chat completion temperature level for the chat experience |
| chatbot.numCtx | int | 8192 | context length for the chat completion model. 8192 relates to llama3.1:8b. |
| chatbot.metricsEnabled | bool | true | toggle metrics for ai assistant |
| chatbot.podSecurityContext.enabled | bool | true | toggle podSecurityContext for deployment |
| chatbot.podSecurityContext.fsGroup | int | 1000 | podSecurityContext fsGroup value |
| chatbot.containerSecurityContext.enabled | bool | true | toggle the containerSecurityContext for deployment |
| chatbot.containerSecurityContext.runAsNonRoot | bool | true | set runAsNonRoot for deployment |
| chatbot.containerSecurityContext.runAsUser | int | 1000 | set runAsNonRoot for deployment |
| chatbot.containerSecurityContext.runAsGroup | int | 1000 | set runAsGroup for deployment |
| chatbot.containerSecurityContext.privileged | bool | false | Running as privileged or unprivileged |
| chatbot.containerSecurityContext.readOnlyRootFilesystem | bool | false | Mounts the container's root filesystem as read-only |
| chatbot.containerSecurityContext.allowPrivilegeEscalation | bool | false | Controls whether a process can gain more privileges than its parent process |
| chatbot.containerSecurityContext.capabilities.drop | list | ["ALL"] | set capability to drop |
| chatbot.containerSecurityContext.seccompProfile.type | string | "RuntimeDefault" | Valid options for type include RuntimeDefault, Unconfined, and Localhost. |
| chatbot.replicas | int | 1 | number of replica pods for the AI Assistant. |
| chatbot.image.repository | string | "/ai/chatbot" | Chatbot image repo |
| chatbot.image.tag | string | "2.4.7-fc6058dc" | Chatbot image tag |
| chatbot.image.name | string | "Tangram Pro Chatbot" | Chatbot image name |
| chatbot.image.license | string | "Proprietary" | Chatbot image license typ |
| chatbot.image.url | string | "https://tangramflex.com/tangram-pro" | Tangram Pro product URL |
| chatbot.image.releasedate | string | "01/30/2025" | Chatbot image releasedate |
| chatbot.postgresql.auth.existingSecret | string | "" | provide an existing secret containing postgresql connection information for chatbot deployment. |
| chatbot.hpa.enabled | bool | true | toggle to enable or disable HPA for chatbot |
| chatbot.hpa.maxReplicas | int | 8 | chatbot max replicas for deployment |
| chatbot.hpa.metrics | list | [{"resource":{"name":"cpu","target":{"averageUtilization":80,"type":"Utilization"}},"type":"Resource"}] | chatbot metrics |
| chatbot.hpa.behavior.scaleDown.policies | list | [{"periodSeconds":60,"type":"Percent","value":25}] | policy settings for HPA |
| chatbot.hpa.behavior.scaleDown.selectPolicy | string | "Min" | min/max/disabled |
| chatbot.keda.useProxyHost | bool | false | toggle for using proxyHost with keda |
| chatbot.keda.proxyHost | string | "http://keda-add-ons-http-interceptor-proxy.keda.svc.cluster.local:8080" | Proxy host URL to use with Keda/Chatbot. should point to the service of the interceptor proxy endpoint. |
| chatbot.resourceConstraints.enabled | bool | true | toggle for chatbot resource constraint options |
| chatbot.resourceConstraints.cpu.request | string | "100m" | CPU request value for chatbot deployment |
| chatbot.resourceConstraints.cpu.limit | string | "2000m" | CPU request limits for chatbot deployment |
| chatbot.resourceConstraints.memory.request | string | "100Mi" | Memory request value for chatbot deployment |
| chatbot.resourceConstraints.memory.limit | string | "750Mi" | Memory request value for chatbot deployment |
| chatbot.tls.enabled | bool | false | toggle TLS for chatbot |
| chatbot.tls.existingSecret | string | "cert-service-chatbot" | provide an existing Secret for use with chatbot TLS config |
| chatbot.tls.cipherSuites | string | "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" | 1.3 cipher suites. This should be a comma separated list. Only affects TLS 1.2 cipher suites, as golang doesn't allow you to change |
| chatbot.tls.minTlsVersion | string | "TLS1_2" | Min and max TLS version are in the format TLS_1_1, TLS1_2, TLS1_3, etc |
| chatbot.tls.maxTlsVersion | string | "TLS1_2" | Disable 1.3 |
Backend
| Key | Type | Default | Description |
|---|---|---|---|
| backend.minio.enableAutoCleanup | bool | true | toggle enableAutoCleanup for minio bucket storage |
| backend.minio.cleanupUpperThresholdPercent | int | 80 | stop cleanup if storage consumed is at or above the cleanupUpperThresholdPercent |
| backend.minio.cleanupLowerThresholdPercent | int | 50 | stop cleanup if storage consumed is at or below the cleanupLowerThresholdPercent |
| backend.audit.shutdownOnFailure | bool | true | toggle to shutdown on backend pod failure |
| backend.audit.existingSecret | string | "audit-checksum" | provide an existing secret for backend audit |
| backend.auth.tokenExpiration | int | 86400 | duration in seconds before a user's auth token for TPRO expires. |
| backend.ingress.enabled | bool | true | toggle ingress for backend |
| backend.license.enabled | bool | false | toggle for whether to mount an initial license to backend |
| backend.license.content | string | "" | content of license note: content will not be used to create a secret if existingSecret is set |
| backend.license.existingSecret | string | "" | name of secret [arbitrary secret name] the secret needs to be created like this: kubectl create secret generic [arbitrary secret name] --from-file=license.tflicense="[/path/to/license.tflicense]" |
| backend.oauth.config.required | bool | false | force oauth only for all users |
| backend.oauth.config.providers.okta.url | string | "" | URL of provider, i.e., https://company.okta.com |
| backend.oauth.config.providers.okta.client_id | string | "" | client_id of the oauth app registration |
| backend.oauth.config.providers.okta.client_secret | string | "" | client_secret of the oauth app registration |
| backend.oauth.config.providers.okta.admin_users | list | [] | list of users to grant admin access. i.e., ["username1", "username2"] or yaml list using '-' |
| backend.oauth.config.providers.okta.toolkits | list | [] | # list of toolkits ["DESIGNER", "DEVELOPER", "VERIFIER"] to grant or yaml list using '-' |
| backend.oauth.config.providers.okta.required_domains | list | [] | list of domains which require oauth login |
| backend.oauth.existingSecret | string | "" | this should the name of the secret containing the oauth config Create the Oauth Config Secret read -r -d "" oauth_providers <<-EOF required: false providers: okta: # name of provider, i.e., 'okta' url: "" # URL of provider, i,e., https://company.okta.com client_id: "" # client_id client_secret: "" # client_secret admin_users: [] # list of users to grant admin access, i.e., ["username1", "username2"] or yaml list using '-' toolkits: [] # list of toolkits ["DESIGNER", "DEVELOPER", "VERIFIER"] to grant, or yaml list using '-' EOF kubectl -n [namespace] \ create secret generic [oauth-secret-name] \ `--from-literal=oauth-config.yml="$oauth_providers" -o yaml --dry-run=client |
| backend.swagger | string | "false" | toggle swagger availability for backend |
| backend.featureFlags | string | "" | comma separated list of feature flags |
| backend.podSecurityContext.enabled | bool | true | toggle podSecurityContext for deployment |
| backend.podSecurityContext.fsGroup | int | 1000 | podSecurityContext fsGroup value |
| backend.containerSecurityContext.enabled | bool | true | toggle the containerSecurityContext for deployment |
| backend.containerSecurityContext.runAsNonRoot | bool | true | set runAsNonRoot for deployment |
| backend.containerSecurityContext.runAsUser | int | 1000 | set runAsNonRoot for deployment |
| backend.containerSecurityContext.runAsGroup | int | 1000 | set runAsGroup for deployment |
| backend.containerSecurityContext.privileged | bool | false | Running as privileged or unprivileged |
| backend.containerSecurityContext.readOnlyRootFilesystem | bool | false | Mounts the container's root filesystem as read-only |
| backend.containerSecurityContext.allowPrivilegeEscalation | bool | false | Controls whether a process can gain more privileges than its parent process |
| backend.containerSecurityContext.capabilities.drop | list | ["ALL"] | set capability to drop |
| backend.containerSecurityContext.seccompProfile.type | string | "RuntimeDefault" | Valid options for type include RuntimeDefault, Unconfined, and Localhost. |
| backend.replicas | int | 2 | number of backend pods to deploy |
| backend.image.repository | string | "/service/backend" | Backend image repo |
| backend.image.tag | string | "2.4.7-f1d51cbf" | Backend image tag |
| backend.image.name | string | "Tangram Pro Backend" | Backend image name |
| backend.image.license | string | "Proprietary" | Backend image license type |
| backend.image.url | string | "https://tangramflex.com/tangram-pro" | Tangram Pro product URL |
| backend.image.releasedate | string | "02/11/2025" | Backend image releasedate |
| backend.postgresql.auth.existingSecret | string | "" | exisitng secret containing postgresql config information for backend to use for connection |
| backend.metricsEnabled | bool | true | toggle for backend metricz |
| backend.smokeTest.enabled | bool | true | option to toggle the smokeTest for backend |
| backend.smokeTest.postgresql.database | string | "tangram_test" | smokeTest db |
| backend.smokeTest.postgresql.auth.existingSecret | string | "" | provide an existing secret containing auth information for smokeTest db connection |
| backend.smokeTest.debug | bool | false | smokeTest log-level |
| backend.smokeTest.image.repository | string | "/k6-load-testing" | Backend SmokeTest image repo |
| backend.smokeTest.image.tag | string | "1.1.0" | Backend SmokeTest image tag |
| backend.smokeTest.image.name | string | "Tangram Pro Backend Smoke Testing" | Backend SmokeTest image name |
| backend.smokeTest.image.license | string | "Proprietary" | Backend SmokeTest image license type |
| backend.smokeTest.image.url | string | "https://tangramflex.com/tangram-pro" | Tangram Pro product URL |
| backend.smokeTest.image.releasedate | string | "06/08/2023" | Backend SmokeTest image release date |
| backend.smokeTest.resources.limits.memory | string | "128Mi" | smokeTest memory resource constraint limit |
| backend.smokeTest.resources.limits.cpu | string | "125m" | smokeTest CPU resource constraint limit |
| backend.smokeTest.podSecurityContext.enabled | bool | true | toggle podSecurityContext for smokeTest |
| backend.smokeTest.podSecurityContext.runAsNonRoot | bool | true | runAsNonRoot for smokeTest |
| backend.smokeTest.podSecurityContext.runAsUser | int | 12345 | runAsUser for smokeTest |
| backend.smokeTest.podSecurityContext.runAsGroup | int | 12345 | runAsGroup for smokeTest |
| backend.smokeTest.podSecurityContext.fsGroup | int | 12345 | fsGroup for smokeTest |
| backend.smokeTest.testUser.existingSecret | string | "service-backend-smoke-test-auth" | existing secret to for the smokeTest to connect to the smokeTest db |
| backend.smokeTest.testUser.usernamePrefix | string | "testuser" | username prefix for the test user |
| backend.smokeTest.testUser.emailDomain | string | "tangramflex.test" | mail domain for the smokeTest user |
| backend.smokeTest.duration | string | "1m" | Keep this duration relatively short. Test user creation occurs once per run, so if the backend isn't up at the start of the test, the script needs to complete and start over again to create the user |
| backend.smokeTest.virtualUsers | int | 1 | number of virtual users to use for smokeTest |
| backend.smokeTest.prometheusReadWriteServerUrl | string | "http://monitoring-prometheus.monitoring.svc:9090/api/v1/write" | prometheus endpoint to write smokeTest data |
| backend.smokeTest.insecureSkipTlsVerify | bool | false | toggle for checking HTTPS for smokeTest |
| backend.resourceConstraints.enabled | bool | true | toggle for backend resource constraint options |
| backend.resourceConstraints.cpu.request | string | "100m" | CPU request value for backend deployment |
| backend.resourceConstraints.cpu.limit | string | "2000m" | CPU request limits for backend deployment |
| backend.resourceConstraints.memory.request | string | "100Mi" | Memory request value for backend deployment |
| backend.resourceConstraints.memory.limit | string | "750Mi" | Memory request value for backend deployment |
| backend.hpa.enabled | bool | true | toggle to enable or disable hpa for backend |
| backend.hpa.maxReplicas | int | 8 | max replicas for backend HPA config |
| backend.hpa.metrics | list | [{"resource":{"name":"cpu","target":{"averageUtilization":50,"type":"Utilization"}},"type":"Resource"}] | backend HPA metrics config |
| backend.hpa.behavior.scaleDown.policies | list | [{"periodSeconds":60,"type":"Percent","value":25}] | policy settings for HPA |
| backend.hpa.behavior.scaleDown.selectPolicy | string | "Min" | min/max/disabled |
| backend.installType | string | "PRO" | install type for backend. Placed in service-backend configmap |
| backend.workflows.nodeAffinity.nodeSelectorKey | string | "tangramflex.tech/node-role" | nodeSelectorKey to use for node affinity |
| backend.workflows.nodeAffinity.nodeSelectorValues | string | "workflows" | nodeSelectorValues to use for node affinity |
| backend.workflows.toleration.nodeTaintKey | string | "tangramflex.tech/workflows" | nodeTaintKey for backend pods |
| backend.workflows.resources.requests.cpu | string | "1.5" | CPU request options for backend workflow deployment |
| backend.workflows.resources.requests.memory | string | "1.5Gi" | Memory request options for backend workflow deployment |
| backend.workflows.resources.limits.cpu | string | "4" | CPU limit options for backend workflow deployment |
| backend.workflows.resources.limits.memory | string | "4Gi" | Memory limit options for backend workflow deployment |
| backend.zoho.enabled | bool | false | toggle for enabling Zoho integration |
| backend.zoho.secretName | string | "zoho-auth" | name of the secret generated for zoho secret |
| backend.zoho.clientId | string | "" | clientID for the zoho app registration |
| backend.zoho.clientSecret | string | "" | clientSecret for the zoho app registration |
| backend.zoho.refreshToken | string | "" | refresh token value for zoho |
| backend.zoho.layoutId | string | "6359469000000619222" | ID of the layout for zoho |
| backend.zoho.contactLayoutId | string | "6359469000000091033" | id of the contact layout for zoho |
| backend.tls.enabled | bool | false | toggle to enable or disable TLS for backend |
| backend.tls.existingSecret | string | "cert-service-backend" | existing k8s secret for backend TLS configuration |
| backend.tls.cipherSuites | string | "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" | Only affects TLS 1.2 cipher suites, as golang doesn't allow you to change 1.3 cipher suites. This should be a comma separated list. |
| backend.tls.minTlsVersion | string | "TLS1_2" | Min and max TLS version are in the format TLS_1_1, TLS1_2, TLS1_3, etc |
| backend.tls.maxTlsVersion | string | "TLS1_2" | Disable 1.3 |
| backend.flexInstance.expiration | int | 3600 | Idle timeout of flex instance in seconds |
Watcher
| Key | Type | Default | Description |
|---|---|---|---|
| watcher.verifierDeletionDelaySeconds | int | 600 | seconds before deletions should occur |
| watcher.replicas | int | 2 | Watcher # of replicas |
| watcher.image.repository | string | "/service/backend/watcher" | Watcher image repo |
| watcher.image.tag | string | "2.4.7-f1d51cbf" | Watcher image tag |
| watcher.image.name | string | "Tangram Pro Workflow Watcher" | Watcher image name |
| watcher.image.license | string | "Proprietary" | Watcher image license type |
| watcher.image.url | string | "https://tangramflex.com/tangram-pro" | Tangram Pro product URL |
| watcher.image.releasedate | string | "02/11/2025" | Watcher image releasedate |
| watcher.metricsEnabled | bool | true | toggle to disable or enable metricz for watcher |
| watcher.resourceConstraints.enabled | bool | true | toggle to disable or enable resourceConstraints for watcher |
| watcher.resourceConstraints.limits.cpu | string | "2000m" | CPU resourceConstraints limits for watcher |
| watcher.resourceConstraints.limits.memory | string | "750Mi" | Memory resourceConstraints limits for watcher |
| watcher.resourceConstraints.requests.cpu | string | "100m" | CPU resourceConstraints requests for watcher |
| watcher.resourceConstraints.requests.memory | string | "100Mi" | Memory resourceConstraints requests for watcher |
| watcher.hpa.enabled | bool | true | toggle to enable or disable hpa for watcher |
| watcher.hpa.maxReplicas | int | 8 | maxReplicas for watcher HPA |
| watcher.hpa.metrics | list | [{"resource":{"name":"cpu","target":{"averageUtilization":50,"type":"Utilization"}},"type":"Resource"}] | metrics for watcher HPA |
| watcher.hpa.behavior.scaleDown.policies | list | [{"periodSeconds":60,"type":"Percent","value":25}] | policy settings for HPA |
| watcher.hpa.behavior.scaleDown.selectPolicy | string | "Min" | min/max/disabled |
| watcher.podSecurityContext.enabled | bool | true | toggle podSecurityContext for deployment |
| watcher.podSecurityContext.fsGroup | int | 1000 | podSecurityContext fsGroup value |
| watcher.containerSecurityContext.enabled | bool | true | toggle the containerSecurityContext for deployment |
| watcher.containerSecurityContext.runAsNonRoot | bool | true | set runAsNonRoot for deployment |
| watcher.containerSecurityContext.runAsUser | int | 1000 | set runAsNonRoot for deployment |
| watcher.containerSecurityContext.runAsGroup | int | 1000 | set runAsGroup for deployment |
| watcher.containerSecurityContext.privileged | bool | false | Running as privileged or unprivileged |
| watcher.containerSecurityContext.readOnlyRootFilesystem | bool | false | Mounts the container's root filesystem as read-only |
| watcher.containerSecurityContext.allowPrivilegeEscalation | bool | false | Controls whether a process can gain more privileges than its parent process |
| watcher.containerSecurityContext.capabilities.drop | list | ["ALL"] | set capability to drop |
| watcher.containerSecurityContext.seccompProfile.type | string | "RuntimeDefault" | Valid options for type include RuntimeDefault, Unconfined, and Localhost. |
| watcher.postgresql.auth.existingSecret | string | "" | provide an existing secret containing auth information for watcher's db connection |
| watcher.tls.enabled | bool | false | toggle for enabling or disabling TLS for watcher |
| watcher.tls.existingSecret | string | "cert-service-watcher" | provide an existing k8s secret for TLS config for watcher |
| watcher.tls.cipherSuites | string | "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" | Only affects TLS 1.2 cipher suites, as golang doesn't allow you to change 1.3 cipher suites. This should be a comma separated list. |
| watcher.tls.minTlsVersion | string | "TLS1_2" | Min and max TLS version are in the format TLS_1_1, TLS1_2, TLS1_3, etc |
| watcher.tls.maxTlsVersion | string | "TLS1_2" | Disable 1.3 |
Lifecycle Hooks
| Key | Type | Default | Description |
|---|---|---|---|
| hooks.tools.image.repository | string | "/image/helm-hook" | Hooks image repo |
| hooks.tools.image.tag | string | "2.4.3-a1144df4" | Hooks image tag |
| hooks.tools.image.name | string | "Tangram Pro Helm Hook" | Hooks image name |
| hooks.tools.image.license | string | "Proprietary" | Hooks image license type |
| hooks.tools.image.url | string | "https://tangramflex.com/tangram-pro" | Tangram Pro product URL |
| hooks.tools.image.releasedate | string | "10/23/2024" | Hooks image release date |
| hooks.debug | bool | false | log-level for helm hook events |
| hooks.podSecurityContext.enabled | bool | true | toggle podSecurityContext for deployment |
| hooks.podSecurityContext.fsGroup | int | 1000 | podSecurityContext fsGroup value |
| hooks.containerSecurityContext.enabled | bool | true | toggle the containerSecurityContext for deployment |
| hooks.containerSecurityContext.runAsNonRoot | bool | true | set runAsNonRoot for deployment |
| hooks.containerSecurityContext.runAsUser | int | 1000 | set runAsNonRoot for deployment |
| hooks.containerSecurityContext.runAsGroup | int | 1000 | set runAsGroup for deployment |
| hooks.containerSecurityContext.privileged | bool | false | Running as privileged or unprivileged |
| hooks.containerSecurityContext.readOnlyRootFilesystem | bool | false | Mounts the container's root filesystem as read-only |
| hooks.containerSecurityContext.allowPrivilegeEscalation | bool | false | Controls whether a process can gain more privileges than its parent process |
| hooks.containerSecurityContext.capabilities.drop | list | ["ALL"] | set capability to drop |
| hooks.containerSecurityContext.seccompProfile.type | string | "RuntimeDefault" | Valid options for type include RuntimeDefault, Unconfined, and Localhost. |
Minio
| Key | Type | Default | Description |
|---|---|---|---|
| minio | sub-chart | https://artifacthub.io/packages/helm/bitnami/minio | See the official chart values for param values |
Argo Workflows
| Key | Type | Default | Description |
|---|---|---|---|
| argo-workflows | sub-chart | https://artifacthub.io/packages/helm/argo/argo-workflows | See the official chart values for param values |
Docker Registry
| Key | Type | Default | Description |
|---|---|---|---|
| docker-registry | sub-chart | https://artifacthub.io/packages/helm/twuni/docker-registry | See the official chart values for param values |
Gitea
| Key | Type | Default | Description |
|---|---|---|---|
| gitea | sub-chart | https://artifacthub.io/packages/helm/gitea/gitea | See the official chart values for param values. Note: The chart uses a deployment and expects RWX PVC if the deployment has more than one replica. We are utilizing it more like a statefulset by setting the deployment strategy to recreate and only having 1 replica. |
Database Option
| Key | Type | Default | Description |
|---|---|---|---|
| usePostgres | bool | true | chart toggle to use Postgresql as the application database. |
Postgresql
| Key | Type | Default | Description |
|---|---|---|---|
| postgresql | sub-chart | https://artifacthub.io/packages/helm/bitnami/postgresql | See the official chart values for param values. |
Redis
| Key | Type | Default | Description |
|---|---|---|---|
| redis | sub-chart | https://artifacthub.io/packages/helm/bitnami/redis | See the official chart values for param values. |
Redis Logger
| Key | Type | Default | Description |
|---|---|---|---|
| redisLogger.intervalSeconds | int | 10 | polling interval at which the redis pod logs are captured |
| redisLogger.podSecurityContext.enabled | bool | true | toggle podSecurityContext for deployment |
| redisLogger.podSecurityContext.fsGroup | int | 1000 | podSecurityContext fsGroup value |
| redisLogger.containerSecurityContext.enabled | bool | true | toggle the containerSecurityContext for deployment |
| redisLogger.containerSecurityContext.runAsNonRoot | bool | true | set runAsNonRoot for deployment |
| redisLogger.containerSecurityContext.runAsUser | int | 1000 | set runAsNonRoot for deployment |
| redisLogger.containerSecurityContext.runAsGroup | int | 1000 | set runAsGroup for deployment |
| redisLogger.containerSecurityContext.privileged | bool | false | Running as privileged or unprivileged |
| redisLogger.containerSecurityContext.readOnlyRootFilesystem | bool | false | Mounts the container's root filesystem as read-only |
| redisLogger.containerSecurityContext.allowPrivilegeEscalation | bool | false | Controls whether a process can gain more privileges than its parent process |
| redisLogger.containerSecurityContext.capabilities.drop | list | ["ALL"] | set capability to drop |
| redisLogger.containerSecurityContext.seccompProfile.type | string | "RuntimeDefault" | Valid options for type include RuntimeDefault, Unconfined, and Localhost. |
| redisLogger.image.repository | string | "/image/redis-logger" | Redis Logger image repo |
| redisLogger.image.tag | string | "2.4.0-dc23cf4e" | Redis Logger image tag |
| redisLogger.image.name | string | "Tangram Pro Redis Logger" | Redis Logger image name |
| redisLogger.image.license | string | "Proprietary" | Redis Logger image license type |
| redisLogger.image.url | string | "https://tangramflex.com/tangram-pro" | Tangram Pro product URL |
| redisLogger.image.releasedate | string | "09/06/2024" | Redis Logger image release date |
| redisLogger.resources.limits.memory | string | "128Mi" | Memory resource constraint options for redis logger |
| redisLogger.resources.limits.cpu | string | "125m" | CPU resource constraint options for redis logger |
Plugins
| Key | Type | Default | Description |
|---|---|---|---|
| plugins | list | ["cargo","code-gen-3","flex-transpiler","gplusplus","kaniko","document-render"] | Tangram Pro workflow plugins |
Storage
| Key | Type | Default | Description |
|---|---|---|---|
| storage.cloud.aws.s3Endpoint | string | "s3.us-gov-west-1.amazonaws.com" | Should be in the form of s3.[region].amazonaws.com or s3-fips.[region].amazonaws.com |
| storage.cloud.aws.irsa.enabled | bool | false | this toggle determines if the role_arn is set as an annotation on the service accounts for IRSA with EKS |
| storage.cloud.aws.irsa.role_arn | string | "" | the arn of a role in aws, with access to the buckets, with the pattern: arn:[region]:iam::[account_id]:role/[role_name] |
| storage.cloud.aws.extraEnvVars | string | see values.yaml storage.cloud.aws.extraEnvVars section | auth details for the endpoint |
Backup
| Key | Type | Default | Description |
|---|---|---|---|
| backup.enabled | bool | true | toggle to disable or enable backups |
| backup.schedule | string | "0 0 31 2 0" | schedule at which the backup occurs |
| backup.storageSize | string | "40Gi" | storage size for backup PVC |
| backup.skipDocker | string | "false" | toggle to include or exlude registry images in backup |
| backup.podSecurityContext.enabled | bool | true | toggle podSecurityContext for deployment |
| backup.podSecurityContext.fsGroup | int | 1000 | podSecurityContext fsGroup value |
| backup.containerSecurityContext.enabled | bool | true | toggle the containerSecurityContext for deployment |
| backup.containerSecurityContext.runAsNonRoot | bool | true | set runAsNonRoot for deployment |
| backup.containerSecurityContext.runAsUser | int | 1000 | set runAsNonRoot for deployment |
| backup.containerSecurityContext.runAsGroup | int | 1000 | set runAsGroup for deployment |
| backup.containerSecurityContext.privileged | bool | false | Running as privileged or unprivileged |
| backup.containerSecurityContext.readOnlyRootFilesystem | bool | false | Mounts the container's root filesystem as read-only |
| backup.containerSecurityContext.allowPrivilegeEscalation | bool | false | Controls whether a process can gain more privileges than its parent process |
| backup.containerSecurityContext.capabilities.drop | list | ["ALL"] | set capability to drop |
| backup.containerSecurityContext.seccompProfile.type | string | "RuntimeDefault" | Valid options for type include RuntimeDefault, Unconfined, and Localhost. |