Title here
Summary here
Helm Values
ENBUILD Helm Chart Values
The following key value pairs are used to configure ENBUILD.
Parameters
Global parameters
| Name | Description | Value |
|---|---|---|
global.AppVersion | [default: “”] Provide custom appVersion, to override the default one. All the ENBUILD images will be of the same version. To use indidual tag for each service set the tag on per service basis. | "" |
global.domain | What domain to use to expose the ENBUILD using istio or Ingress | ijuned.com |
global.disable_tls_gitlab | Set to true if you are using self-signed certificates | false |
global.ingress.enabled | Should we create the Ingress Resources ? | false |
global.ingress.tls | Is Ingress TLS enabled ? | false |
global.ingress.tls_secret | If Ingress is TLS enabled, Provide the Secret for the TLS Certificate. | "" |
global.ingress.classname | Ingress classname if enabled. | "" |
global.ingress.annotations | Ingress annotations if enabled. | [] |
global.istio.enabled | Should we create the Istio Resources ? | false |
global.istio.gateway | Istio gateway to use for creating Virtual Service. | istio-system/main |
global.image.registry | Container registry to pull images from | registry.gitlab.com |
global.image.pullPolicy | Container imagePullPolicy | Always |
global.storageClass | Explicit StorageClass to use for stateful dependencies when the cluster has no default StorageClass | "" |
global.image.registry_credentials | if the image.registry is private container registry, provide the credentials | {} |
global.image.registry_credentials.username | Container registry Username | "" |
global.image.registry_credentials.password | Container registry password | "" |
global.gitlabRegistryCredentials | Optional GitLab Container Registry credentials. Leave unset on normal deploys; supply via –set at install time when an environment needs to pull images from registry.gitlab.com in addition to the primary global.image.registry. | {} |
global.gitlabRegistryCredentials.username | Optional GitLab Container Registry username (or “oauth2” when password is a PAT). Leave unset on normal deploys; supply via –set at install time when an environment needs to pull images from registry.gitlab.com in addition to the primary global.image.registry. Pairs with password below. | "" |
global.gitlabRegistryCredentials.password | GitLab Container Registry password / PAT (with read_registry scope). NEVER commit a real value; provide via –set or an untracked secrets values file at install time. | "" |
global.gitlabRegistryCredentials.registry | GitLab Container Registry host. Overridable for self-hosted GitLab instances (rare). | "registry.gitlab.com" |
ENBUILD Lightning Features to be enabled
| Name | Description | Value |
|---|---|---|
lightning_features.develop_lightning.application | Enable Bolt deployment | false |
lightning_features.develop_lightning.models | Enable JupyterHub deployment | false |
lightning_features.secure_lightning.ctf | Enable CTF deployment | false |
lightning_features.deploy_lightning.infra_lightning | Enable Data Lightning deployment | false |
lightning_features.deploy_lightning.data_lightning | Enable Data Lightning deployment | false |
lightning_features.deploy_lightning.ai_lightning | Enable AI Lightning deployment | false |
lightning_features.operations_lightning.headlamp | Enable Headlamp deployment | false |
lightning_features.operations_lightning.monitoring | Enable Loki Stack deployment | false |
ENBUILD RabbitMQ parameters
| Name | Description | Value |
|---|---|---|
rabbitmq.enabled | Set to false to use existing RabbitMQ | true |
rabbitmq.replicaCount | RabbitMQ replicaCount | 1 |
rabbitmq.auth.username | RabbitMQ username | admin |
rabbitmq.auth.password | RabbitMQ password | SuperSecret |
rabbitmq.auth.erlangCookie | RabbitMQ erlangCookie | lamba |
rabbitmq.auth.securePassword | Set to false to make Bitnami RabbitMQ chart honour auth.password instead of generating a random password. Must be false to prevent a PVC-wipe from creating a new random admin password that mismatches the backend connection string. | false |
rabbitmq.host | If rabbitmq.enabled is false , provide the right rabbitmq endpoint | "" |
rabbitmq.queue_prefix | Queue Prefix for all RabbitMQ Queues | enbuild |
rabbitmq.image.registry | RabbitMQ image registry | registry.gitlab.com |
rabbitmq.image.repository | RabbitMQ image repository | enbuild-staging/vivsoft-platform-ui/rabbitmq |
rabbitmq.image.tag | RabbitMQ image tag | 3.12.14 |
ENBUILD Database parameters
| Name | Description | Value |
|---|---|---|
mongodb.enabled | Set to true to Deploy the MongoDB. | false |
mongodb.mongo_root_username | DB username. If mongodb.enabled this is used to to set the username. Else this is username for existing Cosmos or DocumentDB | "" |
mongodb.mongo_root_password | DB Password. If mongodb.enabled this is used to to set the password. Else this is password for existing Cosmos or DocumentDB | "" |
mongodb.mongo_server | If mongodb.enabled is false , provide the right cosmosDB/DocumentDB endpoint | "" |
mongodb.mongo_endpoint_override | Verbatim MONGODB_ENDPOINT for bk/mq/ai/user. Set this for HA topologies (3-node replicaSet, cosmosDB with auth params) where the assembled mongodb://USER:PW@MONGO_SERVER URI lacks the necessary query string (?replicaSet=...&authSource=admin). When set, MONGO_INITDB_ROOT_USERNAME / PASSWORD / MONGO_SERVER vars are still rendered into the secret (the mongo StatefulSet itself still consumes them) but the BE pods use this URI directly instead of assembling from parts. Leave empty for single-node defaults. | "" |
mongodb.image.repository | Container repository for mongodb Container | enbuild-staging/vivsoft-platform-ui/mongodb |
mongodb.image.tag | Container tag for mongodb Container | 4.4.5 |
mongodb.storageClassName | Explicit StorageClass for MongoDB PVCs. If empty, uses global.storageClass | "" |
ENBUILD UI Services parameters
| Name | Description | Value |
|---|---|---|
enbuildUi.image.repository | Container repository for enbuildUi | enbuild-staging/vivsoft-platform-ui/enbuild-frontend |
enbuildUi.image.tag | Container image tag. Skip to use the HelmChart appVersion as Image Tag | undefined |
enbuildUi.replicas | Container enbuildUI Replicas | 1 |
enbuildUi.service_type | enbuildUI service_type | ClusterIP |
enbuildUi.node_port | enbuildUI node_port | 30080 |
enbuildUi.hostname | enbuild service hostname. enbuildUi.hostname.global.domain becomes your FQDN | enbuild |
enbuildUi.kiali_url | kiali_url | /kiali/ |
enbuildUi.grafana_url | grafana_url | /grafana/d/os6Bh8Omk/kubernetes-cluster?orgId=1&refresh=30s |
enbuildUi.loki_url | loki_url | /grafana/d/liz0yRCZz/logs-app?orgId=1 |
enbuildUi.kubecost_url | kubecost_url | kubecost/overview.html |
ENBUILD Backend Services parameters
| Name | Description | Value |
|---|---|---|
enbuildBk.image.repository | Container repository for enbuildBk | enbuild-staging/vivsoft-platform-ui/enbuild-backend |
enbuildBk.image.tag | Container image tag. Skip to use the HelmChart appVersion as Image Tag | undefined |
enbuildBk.replicas | Container enbuildBk Replicas | 1 |
enbuildBk.service_type | enbuildBk service_type | ClusterIP |
enbuildBk.encryption_key | encryption_key to be used by Backend | encryption_key |
enbuildBk.gitlabPat.existingSecret | Name of an operator-managed Secret carrying GITLAB_TOKEN (and optionally GITLAB_HOST). When set, the deployment adds an envFrom for that secret; the inline GITLAB_TOKEN from enbuildConsumer.gitlab.token is omitted to avoid duplicate envvars. Use this in P1 environments where the PAT is provisioned out-of-band and rotated separately. Backwards-compatible default: empty (uses inline values). | "" |
enbuildBk.exportSigning.existingSecret | Name of an operator-managed Secret carrying SIEM_SIGNING_KEY (PEM-encoded ECDSA P-256 private key) for the CCM-32 audit export bundle (EN-1237). Strongly preferred over privateKeyPem for production. Backwards-compatible default: empty. | "" |
enbuildBk.exportSigning.privateKeyPem | Inline PEM private key used to sign /audit/export-bundle responses. Dev/test only; production should use existingSecret. Multiline string. Backwards-compatible default: empty (signing disabled; bundle returns signed=false). | "" |
enbuildBk.kubeProxyFallbackActor | Headlamp K8sApiProxy fallback actor email. When Headlamp requests carry no X-Actor-Email/JWT, the KubeProxyController falls back to this value. Empty = hardcoded controller default (alice@example.com). | "" |
enbuildBk.clusterRpcTimeoutMs | ClusterRpcService timeout (ms) for hub-to-agent RPCs. Raise from the 10000 source default to avoid “Lost connection to the cluster” under serial-dispatch agents with concurrent Headlamp requests. | "30000" |
enbuildBk.healthProbe.enabled | Enable liveness/readiness probes on enbuild-bk. Set to false on environments where the Terminus RSS threshold causes a death loop from K8sApiProxy /openapi/v2 buffering. | true |
enbuildBk.healthProbe.livenessPath | HTTP path for the bk liveness probe. Default is the combined endpoint on the standard released backend; P1-CCM overrides to /api/health/live (heap-only) to keep the RSS dimension out of the liveness check. | "/api/health" |
enbuildBk.healthProbe.readinessPath | HTTP path for the bk readiness probe. Default is the combined endpoint; P1-CCM overrides to /api/health/ready (heap + mongo + disk). | "/api/health" |
enbuildBk.kubeProxyCache.schemaTtlSeconds | TTL (seconds) for the /openapi/v2 and API-discovery schema cache tier. Empty = source default 300 s. | "300" |
enbuildBk.kubeProxyCache.listTtlSeconds | TTL (seconds) for resource-list cache tier. Empty = source default 10 s. | "10" |
enbuildBk.kubeProxyCache.maxEntries | LRU entry cap per cache tier. Empty = source default 50. | "50" |
enbuildBk.securityTooling.existingSecret | Name of an operator-managed Secret carrying hub-self CCM-13d security-tooling env (TWISTLOCK_API_URL/USERNAME/PASSWORD, ANCHORE_API_URL/USERNAME/PASSWORD, FALCO_CLUSTER_ID, FALCO_WEBHOOK_SECRET, OPA_GATEKEEPER_ENABLED, FALCO_AUDIT_LANE). Added as an envFrom on the bk container. Keeps Big Bang tool creds out of Helm values + rotatable out-of-band; bridges them cross-namespace into the bk pod. Backwards-compatible default: empty (hub-self reports those sources unavailable until set). | "" |
enbuildBk.installAgent.existingSecret | Name of an operator-managed Secret carrying the 3 sensitive install-agent env vars: GITLAB_TOKEN (gitlab.com PAT for cloning the agent chart repo), ENBUILD_REPO1_USER (registry1.dso.mil pull username), ENBUILD_REPO1_TOKEN (registry1.dso.mil pull token). When set, the deployment adds an envFrom for that secret. When empty (default), the install-agent endpoint 503s on use with a clear error AND NOTES.txt prints a warning at install time. Operator pre-creates via kubectl -n enbuild create secret generic enbuild-install-agent-creds --from-literal=GITLAB_TOKEN=... --from-literal=ENBUILD_REPO1_USER=... --from-literal=ENBUILD_REPO1_TOKEN=.... Rotation = kubectl recreate Secret + rollout restart BE. | "" |
enbuildBk.installAgent.hubUrl | Hub gRPC endpoint (host:port) the spoke agent dials outbound. Default is the legacy vendor13-ib NLB DNS; override per environment via examples/enbuild/values- | enbuild-ib-vendor13.staging.dso.mil:443 |
enbuildBk.installAgent.tlsServerName | HA-path TLS SAN/SNI override (optional). Set to the hub cert SAN when HUB_URL points at an AWS NLB DNS name (Route53 round-robins per-AZ IPs); spokes dial the DNS + use this for verification. Leave empty for the legacy hostAliases path. | "" |
enbuildBk.installAgent.hubInternalIps | Legacy CSV of per-AZ NLB IPs for spoke /etc/hosts hostAliases (air-gapped clusters that can’t use AWS DNS). Empty by default; the HA path (tlsServerName + DNS) supersedes it. | "" |
enbuildBk.installAgent.agentImageTag | SHA of the enbuild-agent container image install-agent helm-installs on the spoke. Bump per agent release. Defaults baked in here so a fresh helm install gets a known-good tag without operator action; override via –set on rolls. | ac99ae1830c427a65db31a6874e5d4414d90133f |
enbuildBk.installAgent.chartRepo | Git URL of the chart repo install-agent’s Job clones to obtain enbuild-core / enbuild-stack / enbuild-agent charts. Default = platform-one-eks; override for forks or alt mirrors. | https://gitlab.com/enbuild-staging/iac-templates/platform-one-eks.git |
enbuildBk.installAgent.chartRef | Branch/tag of the chart repo install-agent’s Job clones. Default tracks the long-lived integration branch where chart edits land before merge to main. | feat/p1ccm-agent-chart-skeleton |
enbuildBk.serviceAccount | Override the BE pod’s ServiceAccount. When empty (default), the pod binds to {{ .Release.Name }}-enbuild-bk-installer (minted by enbuild-bk-rbac.yaml; carries the perms install-agent needs). Override only if a deployment mode needs a different SA. | "" |
ENBUILD USER Services parameters
| Name | Description | Value |
|---|---|---|
enbuildUser.image.repository | Container repository for enbuildUser | enbuild-staging/vivsoft-platform-ui/enbuild-user |
enbuildUser.image.tag | Container image tag. Skip to use the HelmChart appVersion as Image Tag | undefined |
enbuildUser.replicas | Container enbuildUser Replicas | 1 |
enbuildUser.service_type | enbuildUser service_type | ClusterIP |
ENBUILD Consumer Services parameters
| Name | Description | Value |
|---|---|---|
enbuildConsumer.image.registry | Per-service registry override. Unset → falls back to global.image.registry. Use to consume an mq-consumer image from a non-default registry (e.g. GitLab staging while waiting for an Iron Bank rebuild). Leave unset for normal deployments. | "" |
enbuildConsumer.image.repository | Container repository for enbuildConsumer | enbuild-staging/vivsoft-platform-ui/enbuild-mq-consumer |
enbuildConsumer.image.tag | Container image tag. Skip to use the HelmChart appVersion as Image Tag | undefined |
enbuildConsumer.replicas | Container enbuildConsumer Replicas | 1 |
enbuildConsumer.command | Command override for the MQ consumer container | ["npm"] |
enbuildConsumer.args | Args override for the MQ consumer container | ["run","run:mq:all"] |
ENBUILD AI Services parameters
| Name | Description | Value |
|---|---|---|
enbuildAI.image.repository | Container repository for enbuildAI | enbuild-staging/vivsoft-platform-ui/enbuild-ai |
enbuildAI.image.tag | Container image tag. Skip to use the HelmChart appVersion as Image Tag | undefined |
enbuildAI.replicas | Container enbuilAI Replicas | 1 |
enbuildAI.service_type | enbuildAI service_type | ClusterIP |
enbuildAI.api_key | api_key [default: “dummy”] for OpenAI service if you planning to use OpenAI service | dummy |
enbuildAI.ollama.enabled | model_name for OpenAI service. | "ollama/llama3.2" |
enbuildAI.model_name | model_name for OpenAI service. | "ollama/llama3.2" |
enbuildAI.ollama_endpoint | ollama_endpoint for OpenAI service. | "http://open-webui-ollama:11434" |
enbuildAI.serviceAccount.create | Create a dedicated service account for AI pod | false |
enbuildAI.serviceAccount.name | Name of service account. If empty, uses release name pattern | "" |
enbuildAI.serviceAccount.annotations | Annotations for AI service account (e.g., for IRSA) | {} |
enbuildBolt Services parameters
| Name | Description | Value |
|---|---|---|
enbuildBolt.image.repository | Container repository for enbuildBolt | ghcr.io/vivsoftorg/dev-lightning |
enbuildBolt.image.tag | Container image tag. Skip to use the HelmChart appVersion as Image Tag | v1.0.0 |
enbuildBolt.replicas | Container enbuildBolt Replicas | 1 |
enbuildBolt.service_type | enbuildBolt service_type | ClusterIP |
enbuildCTF Services parameters
| Name | Description | Value |
|---|---|---|
enbuildCTF.image.repository | Container repository for enbuildCTF | enbuild-staging/vivsoft-platform-ui/enbuild-ctf |
enbuildCTF.image.tag | Container image tag. Skip to use the HelmChart appVersion as Image Tag | undefined |
enbuildCTF.replicas | Container enbuildCTF Replicas | 1 |
enbuildCTF.service_type | enbuildCTF service_type | ClusterIP |
enbuildCTF.debug | Set to true to enable debug mode in CTF backend | true |
enbuildCTF.cors_origins | Allowed CORS origins for CTF backend | ['http://localhost:5173','http://localhost:5000','http://localhost:3000'] |
enbuildCTF.log_level | Log level for CTF backend | DEBUG |
enbuildCTF.aws_region | AWS region for CTF backend to use AWS services like S3 | us-east-1 |
enbuildCTF.resources.requests.memory | Memory resource request for CTF backend | 1Gi |
enbuildCTF.resources.requests.cpu | CPU resource request for CTF backend | 500m |
enbuildCTF.resources.limits.memory | Memory resource limit for CTF backend | 1Gi |
enbuildCTF.resources.limits.cpu | CPU resource limit for CTF backend | 1 |
enbuildCTF.serviceAccount.create | Create a dedicated service account for CTF pod | false |
enbuildCTF.serviceAccount.name | Name of service account. If empty, uses release name pattern | "" |
enbuildCTF.serviceAccount.annotations | Annotations for CTF service account (e.g., for IRSA) | {} |