Version: 0.1.0

Helm Values Reference

Complete reference for all Helm chart values. Charts are published to the DecisionBox Helm repository:

helm repo add decisionbox https://decisionbox-io.github.io/decisionbox-platform
helm repo update

Source code for the charts is in helm-charts/.

decisionbox-api

Image

| Key | Type | Default | Description |
|---|---|---|---|
| replicaCount | int | 1 | Number of API replicas |
| image.repository | string | ghcr.io/decisionbox-io/decisionbox-api | Container image |
| image.tag | string | main | Image tag (defaults to appVersion if not set) |
| image.pullPolicy | string | Always | Pull policy |
| imagePullSecrets | list | [] | Image pull secrets (set for private registries) |

Deployment

| Key | Type | Default | Description |
|---|---|---|---|
| namespace | string | decisionbox | Kubernetes namespace |
| containerPort | int | 8080 | Container port |
| serviceAccountName | string | decisionbox-api | API service account name |
| serviceAccountAnnotations | map | {} | API SA annotations (e.g., Workload Identity) |
| agentServiceAccount.name | string | decisionbox-agent | Agent service account name (for K8s Jobs) |
| agentServiceAccount.annotations | map | {} | Agent SA annotations (e.g., Workload Identity for read-only access) |

Environment Variables

| Key | Type | Default | Description |
|---|---|---|---|
| env.ENV | string | prod | Environment name |
| env.LOG_LEVEL | string | warn | Log level (debug, info, warn, error) |
| env.MONGODB_URI | string | | MongoDB connection string (required if mongodb.enabled=false) |
| env.MONGODB_DB | string | decisionbox | MongoDB database name |
| env.SECRET_PROVIDER | string | mongodb | Secret provider: mongodb, gcp, or aws |
| env.SECRET_NAMESPACE | string | decisionbox | Secret name prefix |
| env.SECRET_GCP_PROJECT_ID | string | | GCP project (when SECRET_PROVIDER=gcp) |
| env.SECRET_AWS_REGION | string | | AWS region (when SECRET_PROVIDER=aws) |
| env.RUNNER_MODE | string | kubernetes | Agent runner: kubernetes or subprocess |
| env.AGENT_IMAGE | string | ghcr.io/decisionbox-io/decisionbox-agent:latest | Agent container image |
| env.AGENT_NAMESPACE | string | decisionbox | Namespace for agent Jobs |
| env.AGENT_SERVICE_ACCOUNT | string | decisionbox-agent | K8s service account for agent Jobs (Workload Identity) |
| env.AGENT_JOB_TIMEOUT_HOURS | string | 6 | Max time to watch agent Jobs |
| extraEnv | list | [] | Additional env vars as {name, value} pairs |
| extraEnvFrom | list | [] | Additional env sources (e.g., secretRef) |

Resources

| Key | Type | Default | Description |
|---|---|---|---|
| resources.requests.cpu | string | 100m | CPU request |
| resources.requests.memory | string | 512Mi | Memory request |
| resources.limits.cpu | string | 1000m | CPU limit |
| resources.limits.memory | string | 2Gi | Memory limit |

Service

| Key | Type | Default | Description |
|---|---|---|---|
| service.type | string | ClusterIP | Service type |
| service.port | int | 8080 | Service port |

Ingress

| Key | Type | Default | Description |
|---|---|---|---|
| ingress.enabled | bool | false | Enable ingress (keep disabled — API is internal) |
| ingress.ingressClassName | string | "" | Ingress class (e.g., alb for AWS, nginx for NGINX) |
| ingress.annotations | map | {} | Ingress annotations (e.g., ALB scheme, target type) |
| ingress.host | string | "" | Hostname for host-based routing |
| ingress.tlsSecretName | string | "" | TLS secret name |
| ingress.pathType | string | Prefix | Ingress path type |
| ingress.path | string | / | Ingress path |

RBAC

| Key | Type | Default | Description |
|---|---|---|---|
| rbac.enabled | bool | true | Create Role + RoleBinding for agent Jobs |
| rbac.roleName | string | agent-job-manager | Role name |

Probes

| Key | Type | Default | Description |
|---|---|---|---|
| livenessProbe.path | string | /health | Liveness endpoint |
| livenessProbe.initialDelaySeconds | int | 15 | Initial delay |
| livenessProbe.periodSeconds | int | 30 | Check interval |
| readinessProbe.path | string | /health | Readiness endpoint |
| readinessProbe.initialDelaySeconds | int | 5 | Initial delay |
| readinessProbe.periodSeconds | int | 10 | Check interval |

Security Context

| Key | Type | Default | Description |
|---|---|---|---|
| securityContext.runAsNonRoot | bool | true | Require non-root |
| securityContext.runAsUser | int | 1000 | User ID |
| securityContext.fsGroup | int | 1000 | Filesystem group |
| containerSecurityContext.readOnlyRootFilesystem | bool | true | Read-only root FS |
| containerSecurityContext.allowPrivilegeEscalation | bool | false | No privilege escalation |
| containerSecurityContext.capabilities.drop | list | [ALL] | Drop all capabilities |

MongoDB Subchart

| Key | Type | Default | Description |
|---|---|---|---|
| mongodb.enabled | bool | true | Deploy bundled MongoDB |
| mongodb.architecture | string | standalone | MongoDB architecture |
| mongodb.auth.enabled | bool | false | Enable MongoDB authentication |
| mongodb.persistence.size | string | 1Gi | Persistent volume size |

When mongodb.enabled=true, the deployment includes an init container that waits for MongoDB to be ready. The MongoDB URI is auto-computed from the chart values.

For production, set mongodb.enabled=false and provide env.MONGODB_URI pointing to your MongoDB instance (Atlas or self-hosted).


decisionbox-dashboard

Image

| Key | Type | Default | Description |
|---|---|---|---|
| replicaCount | int | 1 | Number of dashboard replicas |
| image.repository | string | ghcr.io/decisionbox-io/decisionbox-dashboard | Container image |
| image.tag | string | main | Image tag |
| image.pullPolicy | string | Always | Pull policy |
| imagePullSecrets | list | [] | Image pull secrets (set for private registries) |

Deployment

| Key | Type | Default | Description |
|---|---|---|---|
| namespace | string | decisionbox | Kubernetes namespace |
| containerPort | int | 3000 | Container port |
| automountServiceAccountToken | bool | false | Dashboard does not need K8s API access |

Environment Variables

| Key | Type | Default | Description |
|---|---|---|---|
| env.API_URL | string | http://decisionbox-api-service:8080 | API service URL (internal) |

The dashboard proxies /api/* requests to the API URL. This must point to the API's ClusterIP service.

Resources

| Key | Type | Default | Description |
|---|---|---|---|
| resources.requests.cpu | string | 100m | CPU request |
| resources.requests.memory | string | 128Mi | Memory request |
| resources.limits.cpu | string | 500m | CPU limit |
| resources.limits.memory | string | 512Mi | Memory limit |

Service

| Key | Type | Default | Description |
|---|---|---|---|
| service.type | string | ClusterIP | Service type |
| service.port | int | 3000 | Service port |

Ingress

| Key | Type | Default | Description |
|---|---|---|---|
| ingress.enabled | bool | true | Enable ingress (dashboard is user-facing) |
| ingress.ingressClassName | string | "" | Ingress class (e.g., alb for AWS, nginx for NGINX) |
| ingress.annotations | map | {} | Ingress annotations (e.g., ALB scheme, target type) |
| ingress.host | string | "" | Hostname |
| ingress.tlsSecretName | string | "" | TLS secret |
| ingress.pathType | string | Prefix | Path type |
| ingress.path | string | / | Path |

Probes

| Key | Type | Default | Description |
|---|---|---|---|
| livenessProbe.path | string | /health | Liveness endpoint |
| livenessProbe.initialDelaySeconds | int | 15 | Initial delay |
| livenessProbe.periodSeconds | int | 15 | Check interval |
| readinessProbe.path | string | /health | Readiness endpoint |
| readinessProbe.initialDelaySeconds | int | 5 | Initial delay |
| readinessProbe.periodSeconds | int | 10 | Check interval |

Security Context

Same as the API chart — non-root (UID 1000), read-only filesystem, no capabilities, seccomp RuntimeDefault. The dashboard mounts /tmp and /app/.next/cache as emptyDir volumes.


Example: Production Values File

Sensitive values (MONGODB_URI, SECRET_ENCRYPTION_KEY) are stored in a K8s Secret and injected via extraEnvFrom — never in the values file.

# values-prod.yaml (API)

mongodb:
  enabled: false

env:
  LOG_LEVEL: "warn"
  MONGODB_DB: "decisionbox_prod"
  SECRET_PROVIDER: "gcp"
  SECRET_GCP_PROJECT_ID: "my-project"
  SECRET_NAMESPACE: "decisionbox"

extraEnvFrom:
  - secretRef:
      name: decisionbox-api-secrets

serviceAccountAnnotations:
  iam.gke.io/gcp-service-account: "decisionbox-prod-api@my-project.iam.gserviceaccount.com"

resources:
  requests:
    cpu: "250m"
    memory: "1Gi"
  limits:
    cpu: "2000m"
    memory: "4Gi"

Create the K8s Secret separately:

kubectl create secret generic decisionbox-api-secrets \
  --from-literal=SECRET_ENCRYPTION_KEY="$(openssl rand -base64 32)" \
  --from-literal=MONGODB_URI="mongodb+srv://user:pass@cluster.mongodb.net/decisionbox_prod" \
  -n decisionbox
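
The rule above (MONGODB_URI and SECRET_ENCRYPTION_KEY live in a K8s Secret, never in the values file) can be enforced before `helm upgrade` runs. The following pre-deploy check is an added example, not part of the DecisionBox charts or docs; the function name, the file names, the UPSTREAM_URL variable and every sample value are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of the DecisionBox charts: reject a values file that
# carries material the page says belongs in a K8s Secret.
lint_values() {
  # $1 = path to a Helm values file. Prints one finding per offending line;
  # returns 0 when the file is clean, 1 otherwise.
  awk '
    /^[ \t]*#/ { next }   # ignore YAML comments
    # env-style key with a non-empty value, e.g.  MONGODB_URI: "..."
    /^[ \t]*(MONGODB_URI|SECRET_ENCRYPTION_KEY):[ \t]*[^ \t]/ {
      if ($0 !~ /:[ \t]*""[ \t]*$/) {
        printf "line %d: sensitive key set inline\n", NR; bad = 1; next
      }
    }
    # extraEnv-style entry, e.g.  - name: SECRET_ENCRYPTION_KEY
    /name:[ \t]*"?(MONGODB_URI|SECRET_ENCRYPTION_KEY)"?[ \t]*$/ {
      printf "line %d: sensitive name in extraEnv\n", NR; bad = 1; next
    }
    # any URI carrying user:password@ (dynamic regex avoids escaping "/")
    $0 ~ "://[^/@: \t]+:[^/@ \t]+@" {
      printf "line %d: credentials embedded in URI\n", NR; bad = 1
    }
    END { exit bad + 0 }
  ' "$1"
}

# Constructed sample inputs; every value below is made up.
tmp=$(mktemp -d)
cat > "$tmp/bad.yaml" <<'EOF'
env:
  MONGODB_DB: "decisionbox_prod"
  MONGODB_URI: "mongodb+srv://user:pass@cluster.mongodb.net/decisionbox_prod"
extraEnv:
  - name: SECRET_ENCRYPTION_KEY
    value: "constructed-not-a-real-key"
  - name: UPSTREAM_URL
    value: "https://svc:constructed-pass@example.internal/"
EOF
cat > "$tmp/good.yaml" <<'EOF'
env:
  SECRET_PROVIDER: "gcp"
extraEnvFrom:
  - secretRef:
      name: decisionbox-api-secrets
EOF

lint_values "$tmp/bad.yaml"  || echo "bad.yaml: rejected"
lint_values "$tmp/good.yaml" && echo "good.yaml: clean"
```

The check is line-based rather than a YAML parser, so it catches the common block-style layouts shown on this page; values passed with `--set` on the command line need a separate review.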

AWS (EKS + Secrets Manager + Bedrock)

# values-prod.yaml (API)

mongodb:
  enabled: false

env:
  LOG_LEVEL: "warn"
  MONGODB_DB: "decisionbox_prod"
  SECRET_PROVIDER: "aws"
  SECRET_NAMESPACE: "decisionbox"

extraEnvFrom:
  - secretRef:
      name: decisionbox-api-secrets

serviceAccountAnnotations:
  eks.amazonaws.com/role-arn: "arn:aws:iam::123456789012:role/decisionbox-prod-api"

agentServiceAccount:
  annotations:
    eks.amazonaws.com/role-arn: "arn:aws:iam::123456789012:role/decisionbox-prod-agent"

resources:
  requests:
    cpu: "250m"
    memory: "1Gi"
  limits:
    cpu: "2000m"
    memory: "4Gi"

Next Steps