Skip to main content

Helm Chart

Pulling the Helm Chart

Obtain a Registry Key

To pull the Helm chart and required images, you will need a key to access the Akuity Platform container registry. This key will be provided to you by Akuity.

Pull the Chart

export DOCKER_PASSWORD=<registry_key>
helm registry login us-docker.pkg.dev -u _json_key_base64 -p $DOCKER_PASSWORD
helm pull oci://us-docker.pkg.dev/akuity/akp-sh/charts/akuity-platform --untar

Parameters

License Key

NameDescriptionValue
licenseKey""

Image Parameters

NameDescriptionValue
image.repositoryImage repository of the Akuity Platformus-docker.pkg.dev/akuity/akp-sh/akuity-platform
image.tagOverrides the image tag (default is the chart version)""
image.secret.createCreates the 'akuity-pullsecrets' secrettrue
image.usernameUsername to the Akuity Platform container registry_json_key_base64
image.passwordPassword to the Akuity Platform container registry""
image.argocd.hostOverrides the Argo CD image host""
image.argocd.repoOverrides the Argo CD image repository""

Portal Parameters

NameDescriptionValue
portal.urlPublic URL to portal (e.g. https://akuity.example.com)""
portal.imagePullPolicyPortal server image pull policyAlways
portal.maxEmailInvitationsPerBatchMaximum number of invitation emails which can be sent in one go5
portal.autoscaling.enabledEnables horizontal pod autoscaling for the portal servertrue
portal.autoscaling.minReplicasSets the minimum number of replicas3
portal.autoscaling.maxReplicasSets the maximum number of replicas10
portal.autoscaling.targetCPUUtilizationPercentageSets the target CPU utilization percentage80
portal.autoscaling.targetMemoryUtilizationPercentageSets the target memory utilization percentage80
portal.seed.organization.nameCreates an organization with a given nameundefined
portal.seed.organization.ownerCreates an owner for the given organization with the given e-mail address.undefined
portal.resourcesResources limits and requests for the portal server containers{}
portal.envAdditional environment variables added to the portal server{}
portal.env.MIN_ORGANIZATION_NAME_LENGTHThe minimum length of an organization name that is allowed on the platform, minimum value is 2, defaults to 4 if undefinedundefined
portal.env.MIN_CLUSTER_NAME_LENGTHThe minimum length of a cluster name that is allowed on the platform, minimum value is 2, defaults to 3 if undefinedundefined
portal.env.MIN_INSTANCE_NAME_LENGTHThe minimum length of an Argo CD instance name that is allowed on the platform, minimum value is 2, defaults to 3 if undefinedundefined
portal.topologySpreadConstraintsSets topology spread constraints for the portal server deploymentundefined

Platform controller Parameters

NameDescriptionValue
platformController.imagePullPolicyPlatform controller image pull policyAlways
platformController.domainSuffixPlatform controller domain suffix to use (defaults to hostname of .portal.url)""

Resources limits and requests for the platform controller containers

NameDescriptionValue
platformController.envAdds additional environment variables to the platform controller configmap{}
platformController.env.ARGOCD_APP_RESYNC_INTERVAL_SECONDSArgo CD Application resync interval in seconds (if 0 or undefined then Argo CD built-in default is used)undefined
platformController.env.AGENT_STATUS_UPDATE_INTERVAL_SECONDSAgent status update interval in seconds (if 0 or undefined then Agent built-in default is used)undefined
platformController.env.SHARED_K3S_DB_CONNECTION_AUTHSet to true for all tenants to use database.user and database.password credentials rather than a personal credentials for each tenant. This might be needed when connecting to the database through RDS Proxy which has a limit of 200 usersundefined
platformController.commonAgentCertcommon agent cert provides the shared certificate for both *.cdsvcs.akuity.example.com as well as *.kargosvcs.akuity.example.com domains used by agents""
platformController.argocdAgentCertargocd agent cert provides the certificate for only *.cdsvcs.akuity.example.com used by argocd agents""
platformController.kargoAgentCertkargo agent cert provides the certificate for only *.kargosvcs.akuity.example.com domains used by kargo agents""

Notification controller Parameters

NameDescriptionValue
notificationController.enabledEnabled the notification controllerfalse
notificationController.imagePullPolicyNotification controller image pull policyAlways
notificationController.resourcesResources limits and requests for the notification controller containers{}
notificationController.envAdds additional environment variables to the notification controller configmap{}
addonController.enabledEnabled the addon controllerfalse
addonController.imagePullPolicyNotification controller image pull policyAlways
addonController.resourcesResources limits and requests for the addon controller containers{}
addonController.envAdds additional environment variables to the addon controller configmap{}

Secret Parameters

NameDescriptionValue
secret.createCreates the 'akuity-platform' Secrettrue
tls.secret.createCreates the 'akuity-platform-tls' Secret used as the Traefik default certificate. Set to false if creating the secret in another way (e.g. cert-manager)true
tls.crtTLS certificate. Can be valid for multiple domains (e.g. https://akuity.example.com, https://*.cd.akuity.example.com, https://*.cdsvcs.akuity.example.com)""
tls.keyTLS private key""
tls.additionalCertificatesList of additional TLS certificates to serve in the form of Kubernetes Secrets. This may be necessary if different certificates are used for different domains (e.g. https://akuity.example.com, https://*.cd.akuity.example.com, https://*.cdsvcs.akuity.example.com)[]

Database Parameters

NameDescriptionValue
database.hostDatabase hostname""
database.portDatabase port5432
database.userDatabase username""
database.passwordDatabase password""
database.dbnameDatabase namepostgres
database.schemanameSchema namepublic
database.createSchemacreate schema automaticallyfalse
database.dataKey256-bit base64 encoded encryption key used for envelope encryption of sensitive data columns. A random key can be generated with the following command: openssl rand -base64 32. NOTE: loss of this key will result in permanent and irrevocable data loss!""
database.readOnlyHostDatabase read-only hostname. Used for connection load balancing of read requests to read-only database replicas. If omitted, will default to the write hostname.""
database.sslmodeDatabase SSL moderequire

SSO Parameters

Single Sign-On configuration. Either OIDC or auth0 must be configured.

NameDescriptionValue
sso.oidc.enabledEnable OIDC authenticationtrue
sso.oidc.issuerOIDC issuer URL. This value is ignored if dex is enabled and served as a subpath""
sso.oidc.clientIDOIDC client ID. If dex is enabled, value will be used as Dex's client ID""
sso.oidc.clientSecretOIDC client secret. If dex is enabled, value will be used as Dex's client secret""
sso.oidc.scopesOIDC scopes to request (default: openid,profile,email,offline_access)openid,profile,email,offline_access
sso.oidc.logoutURLOIDC logout url""
sso.oidc.insecureSkipTLSVerifySkip TLS verification of the OIDC provider. This will be needed if dex is served as a subpath, and TLS is not yet configured.false
sso.auth0.enabledEnable Auth0 configurationfalse
sso.auth0.domainAuth0 domain (e.g. example.us.auth0.com)""
sso.auth0.audienceAuth0 Audience of the token""
sso.auth0.clientIDAuth0 client id for portal servicenil
sso.auth0.cliClientIDAuth0 client id for CLInil
sso.dex.enabledInstall dexfalse
sso.dex.image.repositoryImage repository for Dexghcr.io/dexidp/dex
sso.dex.image.tagOverrides the Dex image tagv2.35.3
sso.dex.image.secret.createCreates the 'dex-pullsecrets' secretfalse
sso.dex.image.usernameUsername for the Dex container registry""
sso.dex.image.passwordPassword for the Dex container registry""
sso.dex.secret.createCreates the 'dex' Secret whose data values will be mounted as environment variables to the Dex Deploymenttrue
sso.dex.secret.dataSecret data keys and plain-text values to set in the 'dex' Secret. These will be environment variables to dex so they can be referenced in the dex/config.yaml{}
sso.dex.resourcesResources limits and requests for the Dex containers{}
sso.dex.issuerSubPathServe dex as a subpath of the portal URL (e.g. https://akuity.example.com/dex)true
sso.dex.ingress.enabledEnable ingress to dexfalse
sso.dex.ingress.hostHost value to dex ingress""
sso.dex.configAdditional dex/config.yaml configuration. See https://dexidp.io/docs/ for dex documentation. Configuration can reference environment variables in the 'dex' Secret (e.g. $MICROSOFT_CLIENT_SECRET){}
sso.roleFromGroupsContains the SSO groups that will be automatically assigned rolesundefined
sso.roleFromGroups.memberComma separated list of SSO groups that will be assigned the 'member' role""
sso.roleFromGroups.adminComma separated list of SSO groups that will be assigned the 'admin' role""
sso.roleFromGroups.ownerComma separated list of SSO groups that will be assigned the 'owner' role""

Traefik Parameters

Traefik is a required component of the Akuity Platform.

The Akuity Platform expects a traefik-external ingress class to be present and is installed with Traefik in this section.

NameDescriptionValue
traefik.enabledInstall Traefiktrue
traefik.image.repositoryImage repository for Traefikpublic.ecr.aws/docker/library/traefik
traefik.image.tagOverrides the Traefik image tagv3.1.2
traefik.image.secret.createCreates the 'traefik-pullsecrets' secretfalse
traefik.image.usernameUsername for the Traefik container registry""
traefik.image.passwordPassword for the Traefik container registry""
traefik.crd.enabledInstall Traefik CRDstrue
traefik.websecureRedirectRedirect 80 to 443. Only set this to false for testing purposestrue
traefik.autoscaling.enabledEnables horizontal pod autoscaling for Traefiktrue
traefik.autoscaling.minReplicasSets the minimum number of replicas3
traefik.autoscaling.maxReplicasSets the maximum number of replicas20
traefik.autoscaling.targetCPUUtilizationPercentageSets the target CPU utilization percentage80
traefik.autoscaling.targetMemoryUtilizationPercentageSets the target memory utilization percentage80
traefik.replicasIf autoscaling is not enabled, the number of replicas for the Traefik deployment1
traefik.resourcesResources limits and requests for the Traefik containers{}
traefik.topologySpreadConstraintsSets topology spread constraints for the Traefik deploymentundefined

Other Parameters

NameDescriptionValue
agent.insecureSkipTLSVerifySkip TLS verification from agents to Akuity Platformfalse
aws.enabledAdd AWS specific annotations to resourcestrue
kargoInstanceValuesKargo instance parametersnil
instanceValuesArgo CD instance parametersnil
instanceValues.k3sk3s parametersundefined
instanceValues.kustomizationKustomizations to be applied to Argo CD instancesundefined
instanceValues.k3s_proxyk3s proxy parametersundefined
instanceValues.pgpoolpgpool parametersundefined
smtp.hostSMTP host""
smtp.portSMTP port587
smtp.userSMTP username""
smtp.passwordSMTP password""
liquibase.image.repositoryImage repository for Liquibasequay.io/akuity/liquibase
liquibase.image.tagOverrides the Liquibase image tag4.29
liquibase.image.secret.createCreates the 'liquibase-pullsecrets' secretfalse
liquibase.image.usernameUsername for the Liquibase container registry""
liquibase.image.passwordPassword for the Liquibase container registry""

Instance Upgrader Parameters

Instance Upgrader is a job that upgrades managed instances during Akuity Platform upgrade.

NameDescriptionValue
instanceUpgrader.enabledEnables the instance upgrader jobtrue