Values Reference
This page documents all configurable values in the em-runtime Helm chart. Values are organized by scope: global, per-service, infrastructure subcharts, and testing.
Global Values
| Key | Type | Default | Description |
|---|---|---|---|
hostname | string | "localhost" | External hostname for the platform. Used in HTTPRoute hostnames, CORS origins, and Keycloak redirect URIs. |
scheme | string | "http" | URL scheme (http or https). Combined with hostname to form BASE_URL. |
existingSecret | string | "" | Name of a pre-existing Secret containing external database credentials. Required when postgres.enabled or redis.enabled is false. |
gatewayName | string | "em-runtime-gateway" | Name of the Kubernetes Gateway resource that HTTPRoutes reference. |
gatewayNamespace | string | "gateway" | Namespace where the Gateway resource is deployed. |
pullPolicy | string | "IfNotPresent" | Default image pull policy for all containers. |
imagePullSecrets | list | [{name: "em-registry-secret"}] | Default image pull secrets for private registry access. |
Bootstrap
| Key | Type | Default | Description |
|---|---|---|---|
bootstrap.organizationId | string | "emergence" | Default organization identifier (also used as Keycloak realm name). Must be alphanumeric with hyphens or underscores. |
bootstrap.organizationName | string | "Emergence" | Display name of the default organization. |
bootstrap.organizationDescription | string | "Emergence organization" | Description of the default organization. |
bootstrap.adminEmail | string | "admin@emergence.local" | Admin email for platform services bootstrap. |
CORS
| Key | Type | Default | Description |
|---|---|---|---|
cors.enabled | bool | true | Enables CORS middleware on all runtime services. |
HTTPRoute
| Key | Type | Default | Description |
|---|---|---|---|
httpRoute.enabled | bool | true | Creates an HTTPRoute resource. |
httpRoute.rules | list | See below | Routing rules mapping external path prefixes to internal services. |
Default HTTPRoute Rules
| Path Prefix | Service | Port | Rewrite |
|---|---|---|---|
/keycloak | keycloak | 8080 | None |
/api/governance | em-runtime-governance | 8000 | /governance |
/api/assets | em-runtime-assets | 8000 | /assets |
/api/utils | em-runtime-utils | 8000 | /utils |
Service Accounts (Bootstrap)
| Key | Type | Default | Description |
|---|---|---|---|
serviceAccounts.enabled | bool | true | Enables service account creation during bootstrap. |
serviceAccounts.services | list | 5 services | List of service accounts to create in Keycloak master realm. |
The five default service accounts are svc-data-readiness, svc-readiness, svc-scheduler, svc-cleanup, and svc-indexer.
Runtime Service Values
The following values apply to each of em-runtime-governance, em-runtime-assets, and em-runtime-utils. Replace <service> with the service name.
Deployment
| Key | Type | Default | Description |
|---|---|---|---|
<service>.replicaCount | int | 1 | Number of replicas. |
<service>.image.repository | string | "ghcr.io/emergenceai/em-runtime-<name>" | Container image repository. |
<service>.image.tag | string | Chart version | Container image tag. |
<service>.image.pullPolicy | string | "IfNotPresent" | Image pull policy. |
<service>.deploymentStrategy | object | {type: "Recreate"} | Update strategy (Assets only, for PVC compatibility). |
Autoscaling
| Key | Type | Default | Description |
|---|---|---|---|
<service>.autoscaling.enabled | bool | false | Enable Horizontal Pod Autoscaler. |
<service>.autoscaling.minReplicas | int | 1 | Minimum replicas. |
<service>.autoscaling.maxReplicas | int | 10 | Maximum replicas. |
<service>.autoscaling.targetCPUUtilizationPercentage | int | 80 | CPU utilization target for scaling. |
Resources
| Key | Type | Default (Governance/Assets) | Default (Utils) |
|---|---|---|---|
<service>.resources.requests.cpu | string | "250m" | "100m" |
<service>.resources.requests.memory | string | "512Mi" | "256Mi" |
<service>.resources.limits.cpu | string | "1000m" | "500m" |
<service>.resources.limits.memory | string | "1Gi" | "512Mi" |
Security Context
| Key | Type | Default | Description |
|---|---|---|---|
<service>.podSecurityContext.runAsNonRoot | bool | true | Enforce non-root execution. |
<service>.podSecurityContext.runAsUser | int | 1000 | User ID for the container. |
<service>.podSecurityContext.fsGroup | int | 1000 | Filesystem group. |
<service>.securityContext.readOnlyRootFilesystem | bool | true | Read-only root filesystem. |
<service>.securityContext.allowPrivilegeEscalation | bool | false | Prevent privilege escalation. |
<service>.securityContext.capabilities.drop | list | ["ALL"] | Drop all Linux capabilities. |
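
A pre-install lint for a values override, checking the constraints stated in the Global Values, Bootstrap, and Security Context tables above. This is an added example, not part of the chart: `lint_values`, `HARDENED` and the sample override are hypothetical names, and the override is assumed to be already parsed from YAML into a dict.

```python
import re

# Runtime services and hardened defaults, both as documented on this page.
SERVICES = ("em-runtime-governance", "em-runtime-assets", "em-runtime-utils")
HARDENED = {
    ("podSecurityContext", "runAsNonRoot"): True,
    ("securityContext", "readOnlyRootFilesystem"): True,
    ("securityContext", "allowPrivilegeEscalation"): False,
}
ORG_ID = re.compile(r"[A-Za-z0-9_-]+")


def lint_values(values):
    """Return a list of findings for a parsed values override (a dict)."""
    findings = []
    if values.get("scheme", "http") not in ("http", "https"):
        findings.append("scheme: must be http or https")
    # existingSecret is required once either in-cluster datastore is disabled.
    external = [name for name in ("postgres", "redis")
                if values.get(name, {}).get("enabled", True) is False]
    if external and not values.get("existingSecret", ""):
        names = "/".join(external)
        findings.append(f"existingSecret: required when {names}.enabled is false")
    org = values.get("bootstrap", {}).get("organizationId", "emergence")
    if not ORG_ID.fullmatch(str(org)):
        findings.append("bootstrap.organizationId: invalid characters")
    for svc in SERVICES:
        block = values.get(svc, {})
        for (section, key), default in HARDENED.items():
            # An absent key keeps the chart default; only explicit overrides count.
            if block.get(section, {}).get(key, default) != default:
                findings.append(f"{svc}.{section}.{key}: overrides hardened default")
        caps = block.get("securityContext", {}).get("capabilities", {})
        if "ALL" not in caps.get("drop", ["ALL"]):
            findings.append(f"{svc}.securityContext.capabilities.drop: ALL removed")
    return findings


# Constructed sample override, not taken from the chart.
SAMPLE = {
    "scheme": "https",
    "postgres": {"enabled": False},
    "bootstrap": {"organizationId": "acme corp"},
    "em-runtime-assets": {"securityContext": {"readOnlyRootFilesystem": False}},
}
```

Calling `lint_values(SAMPLE)` reports the missing `existingSecret`, the invalid organization identifier, and the weakened root filesystem setting on the assets service.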
Health Probes
| Key | Type | Default | Description |
|---|---|---|---|
<service>.livenessProbe.httpGet.path | string | "/health" | Liveness check path. |
<service>.livenessProbe.httpGet.port | int | 8000 | Liveness check port. |
<service>.readinessProbe.httpGet.path | string | "/health" | Readiness check path. |
<service>.startupProbe.failureThreshold | int | 30 | Startup probe attempts before failure. |
<service>.startupProbe.periodSeconds | int | 10 | Seconds between startup probe checks. |
Scheduling
| Key | Type | Default | Description |
|---|---|---|---|
<service>.nodeSelector | object | {} | Node label constraints. |
<service>.tolerations | list | [] | Toleration rules for tainted nodes. |
<service>.affinity | object | {} | Pod scheduling affinity rules. |
Service
| Key | Type | Default | Description |
|---|---|---|---|
<service>.service.type | string | "ClusterIP" | Service type. |
<service>.service.port | int | 8000 | Service port. |
<service>.service.annotations | object | {} | Service annotations. |
Default Environment Variables
All Services
| Key | Default | Description |
|---|---|---|
ENVIRONMENT | "production" | Runtime environment identifier. |
LOG_LEVEL | "INFO" | Log verbosity (DEBUG, INFO, WARNING, ERROR). |
LOG_FORMAT | "JSON" | Log output format. |
ROOT_PATH | "/api" | API root path prefix. |
DOCS_ENABLED | "true" | Enable OpenAPI documentation endpoints. |
OTEL_ENABLED | "true" | Master switch for OpenTelemetry. |
OTEL_EXPORTER_OTLP_ENDPOINT | "http://otel-collector:4317" | OTLP collector gRPC endpoint. |
OTEL_TRACES_ENABLED | "true" | Enable distributed tracing. |
OTEL_METRICS_ENABLED | "true" | Enable metrics export. |
OTEL_LOGS_ENABLED | "true" | Enable log record export. |
OTEL_TRACE_SAMPLE_RATE | "0.1" | Trace sampling ratio (0.0-1.0). |
Assets and Utils Only
| Key | Default | Description |
|---|---|---|
GOVERNANCE_API_URL | "http://em-runtime-governance:8000" | Internal governance service URL. |
AUTH_CHECK_URL | "http://keycloak:8080/keycloak" | Keycloak URL for token validation. |
Secret-Backed Variables (via envVars)
These are sourced from em-runtime-secrets and can be overridden by setting the same key in env:
| Key | Services | Description |
|---|---|---|
BASE_URL | All | Platform base URL (from hostname + scheme). |
CORS_ENABLED | All | CORS middleware toggle. |
POSTGRES_HOST | All | PostgreSQL hostname. |
POSTGRES_PORT | All | PostgreSQL port. |
POSTGRES_USER | All | PostgreSQL username. |
POSTGRES_PASSWORD | All | PostgreSQL password. |
POSTGRES_DB | All | Per-service database name. |
REDIS_HOST | All | Redis hostname. |
REDIS_PORT | All | Redis port. |
REDIS_SCHEME | All | Redis connection scheme. |
REDIS_PASSWORD | All | Redis password. |
S3 Storage Variables
| Variable | Default | Description |
|---|---|---|
STORAGE_TYPE | local | Storage backend: local or s3. |
S3_ENDPOINT_URL | None | Custom S3 endpoint (required for GCS, MinIO). |
S3_ACCESS_KEY_ID | None | Access key ID. |
S3_SECRET_ACCESS_KEY | None | Secret access key. |
S3_REGION | us-east-1 | Bucket region. |
S3_BUCKET_NAME | em-runtime | Bucket name. |
S3_PREFIX_UPLOADED | uploaded | Prefix for user-uploaded artifacts. |
S3_PREFIX_GENERATED | generated | Prefix for system-generated artifacts. |
Assets Storage (PVC)
| Key | Type | Default | Description |
|---|---|---|---|
em-runtime-assets.storage.enabled | bool | true | Enable PVC storage. Set false for S3. |
em-runtime-assets.storage.size | string | "10Gi" | PVC size. |
em-runtime-assets.storage.accessModes | list | ["ReadWriteMany"] | PVC access modes. |
em-runtime-assets.storage.mountPath | string | "/var/lib/em-runtime/storage" | Mount path in container. |
em-runtime-assets.storage.storageClass | string | "" | StorageClass name (empty uses default). |
Infrastructure Subcharts
Keycloak
| Key | Type | Default | Description |
|---|---|---|---|
keycloak.replicaCount | int | 1 | Number of Keycloak replicas. |
keycloak.resources.requests.cpu | string | "1000m" | CPU request. |
keycloak.resources.requests.memory | string | "1280Mi" | Memory request. |
keycloak.resources.limits.cpu | string | "2000m" | CPU limit. |
keycloak.resources.limits.memory | string | "2Gi" | Memory limit. |
OpenFGA
| Key | Type | Default | Description |
|---|---|---|---|
openfga.replicaCount | int | 1 | Number of OpenFGA replicas. |
openfga.autoscaling.enabled | bool | false | Enable HPA. |
openfga.autoscaling.targetCPUUtilizationPercentage | int | 80 | CPU scaling target. |
openfga.autoscaling.targetMemoryUtilizationPercentage | int | 80 | Memory scaling target. |
openfga.resources.requests.cpu | string | "100m" | CPU request. |
openfga.resources.requests.memory | string | "256Mi" | Memory request. |
Infisical (On-Premises / Cloud-Agnostic)
Infisical is one of two supported secrets backends. For cloud deployments on GCP, ESO + GCP Secret Manager can be used instead. See Secrets Management for a comparison.
| Key | Type | Default | Description |
|---|---|---|---|
infisical.enabled | bool | true | Enable the Infisical subchart. Set false when using ESO + GCP Secret Manager. |
infisical-standalone.infisical.replicaCount | int | 1 | Number of Infisical replicas. |
infisical-standalone.infisical.resources.requests.cpu | string | "350m" | CPU request. |
infisical-standalone.infisical.resources.requests.memory | string | "512Mi" | Memory request. |
PostgreSQL (In-Cluster)
| Key | Type | Default | Description |
|---|---|---|---|
postgres.enabled | bool | true | Enable in-cluster PostgreSQL. Set false for external. |
postgres.replicaCount | int | 1 | Number of PostgreSQL replicas. |
postgres.persistence.enabled | bool | true | Enable data persistence. |
postgres.persistence.size | string | "8Gi" | Persistent volume size. |
Redis (In-Cluster)
| Key | Type | Default | Description |
|---|---|---|---|
redis.enabled | bool | true | Enable in-cluster Redis. Set false for external. |
redis.replicaCount | int | 1 | Number of Redis replicas. |
redis.persistence.enabled | bool | true | Enable data persistence. |
redis.persistence.size | string | "8Gi" | Persistent volume size. |
Next Steps
Helm Configuration
Deployment modes, secrets, and production setup guide.
Upgrades
Version upgrades, migration steps, and rollback.

