chore: import upstream snapshot with attribution
Publish CLI Package / publish-npm (push) Waiting to run
Publish Python SDK / publish-pypi (push) Waiting to run
Publish TypeScript SDK / publish-npm (push) Waiting to run
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled

This commit is contained in:
wehub-resource-sync
2026-07-13 13:20:55 +08:00
commit d25d482dc2
13754 changed files with 4996608 additions and 0 deletions
+334
View File
@@ -0,0 +1,334 @@
# values-aws.yaml
#
# When to use: Amazon EKS. Configures EBS GP3 storage, ALB ingress with
# AWS Certificate Manager, IRSA-style ServiceAccount annotations, and
# GPU-instance node selectors for Ollama.
#
# Prerequisites:
# - EKS cluster (Kubernetes 1.25+)
# - EBS CSI driver add-on (aws eks create-addon --addon-name aws-ebs-csi-driver)
# - AWS Load Balancer Controller (for ALB ingress)
# - (recommended) cert-manager OR an ACM certificate ARN for the ingress
#
# Install:
# helm install sim ./helm/sim \
# --namespace sim --create-namespace \
# --values ./helm/sim/examples/values-aws.yaml \
# --set app.env.BETTER_AUTH_SECRET="$BETTER_AUTH_SECRET" \
# --set app.env.ENCRYPTION_KEY="$ENCRYPTION_KEY" \
# --set app.env.INTERNAL_API_SECRET="$INTERNAL_API_SECRET" \
# --set app.env.CRON_SECRET="$CRON_SECRET" \
# --set postgresql.auth.password="$POSTGRES_PASSWORD"
#
# Choosing a secret strategy
# --------------------------
# Pick one of three modes — see helm/sim/README.md for details.
#
# 1. Inline (default below): set values directly in app.env. The chart
# writes every key into a chart-managed Secret. Simplest, but stores
# plaintext in your values file.
#
# 2. existingSecret: pre-create a Kubernetes Secret out-of-band and
# reference it via app.secrets.existingSecret.name. You are
# responsible for ensuring the Secret contains every key your app
# needs (BETTER_AUTH_SECRET, ENCRYPTION_KEY, INTERNAL_API_SECRET,
# AWS_SECRET_ACCESS_KEY, OPENAI_API_KEY, ...). The chart-managed
# Secret is not rendered in this mode, so anything missing from your
# Secret will be empty at runtime.
#
# 3. External Secrets Operator (ESO): sync from AWS Secrets Manager /
# Parameter Store via the External Secrets Operator. Map every key
# via externalSecrets.remoteRefs.app.<KEY>. The chart fails template
# rendering if a key is set in app.env but not mapped — see the
# commented ESO block at the bottom of this file.
# Global configuration
global:
imageRegistry: "ghcr.io"
storageClass: "gp3" # gp3 is the recommended EBS type (cheaper + faster than gp2). Requires a gp3 StorageClass — create one if your cluster only ships gp2.
# Main application
app:
enabled: true
replicaCount: 2
# Node selector for application pods
# Uncomment and customize based on your EKS node labels:
# nodeSelector:
# node.kubernetes.io/instance-type: "t3.large"
resources:
limits:
memory: "4Gi"
cpu: "2000m"
requests:
memory: "2Gi"
cpu: "1000m"
# Production URLs (REQUIRED - update with your actual domain names)
env:
NEXT_PUBLIC_APP_URL: "https://simstudio.acme.com"
BETTER_AUTH_URL: "https://simstudio.acme.com"
# SOCKET_SERVER_URL is auto-detected (uses internal service http://sim-realtime:3002)
NEXT_PUBLIC_SOCKET_URL: "https://simstudio-ws.acme.com" # Public WebSocket URL for browsers
# Security settings (REQUIRED - replace with your own secure secrets)
# Generate using: openssl rand -hex 32
BETTER_AUTH_SECRET: "your-secure-production-auth-secret-here"
ENCRYPTION_KEY: "your-secure-production-encryption-key-here"
INTERNAL_API_SECRET: "your-secure-production-internal-api-secret-here"
CRON_SECRET: "your-secure-production-cron-secret-here"
# Optional: API Key Encryption (RECOMMENDED for production)
# Generate 64-character hex string using: openssl rand -hex 32
API_ENCRYPTION_KEY: "your-64-char-hex-api-encryption-key-here" # Optional but recommended
NODE_ENV: "production"
NEXT_TELEMETRY_DISABLED: "1"
# AWS Bedrock - when using IRSA (see serviceAccount below), the default credential chain
# resolves automatically. Setting this hides the credential fields in the Agent block UI.
NEXT_PUBLIC_BEDROCK_DEFAULT_CREDENTIALS: "true" # Uncomment if using Bedrock with IRSA
# AWS S3 Cloud Storage Configuration (RECOMMENDED for production)
# Create S3 buckets in your AWS account and configure IAM permissions
AWS_REGION: "us-west-2"
AWS_ACCESS_KEY_ID: "" # AWS access key (or use IRSA for EKS)
AWS_SECRET_ACCESS_KEY: "" # AWS secret key (or use IRSA for EKS)
S3_BUCKET_NAME: "workspace-files" # Workspace files
S3_KB_BUCKET_NAME: "knowledge-base" # Knowledge base documents
S3_EXECUTION_FILES_BUCKET_NAME: "execution-files" # Workflow execution outputs
S3_CHAT_BUCKET_NAME: "chat-files" # Deployed chat assets
S3_COPILOT_BUCKET_NAME: "copilot-files" # Copilot attachments
S3_PROFILE_PICTURES_BUCKET_NAME: "profile-pictures" # User avatars
S3_OG_IMAGES_BUCKET_NAME: "og-images" # OpenGraph preview images
S3_WORKSPACE_LOGOS_BUCKET_NAME: "workspace-logos" # Workspace logos
# For S3-compatible storage (Cloudflare R2, MinIO, Backblaze B2) instead of AWS S3:
# S3_ENDPOINT: "https://<account>.r2.cloudflarestorage.com" # custom endpoint; set AWS_REGION: "auto" for R2
# S3_FORCE_PATH_STYLE: "true" # required for MinIO/Ceph; omit for AWS S3 and R2
# Realtime service
realtime:
enabled: true
replicaCount: 2
# Node selector for realtime pods
# Uncomment and customize based on your EKS node labels:
# nodeSelector:
# node.kubernetes.io/instance-type: "t3.medium"
resources:
limits:
memory: "4Gi"
cpu: "1000m"
requests:
memory: "2Gi"
cpu: "500m"
env:
NEXT_PUBLIC_APP_URL: "https://simstudio.acme.com"
BETTER_AUTH_URL: "https://simstudio.acme.com"
BETTER_AUTH_SECRET: "your-secure-production-auth-secret-here"
ALLOWED_ORIGINS: "https://simstudio.acme.com"
NODE_ENV: "production"
# Database migrations
migrations:
enabled: true
resources:
limits:
memory: "2Gi"
cpu: "1000m"
requests:
memory: "1Gi"
cpu: "500m"
# PostgreSQL database
postgresql:
enabled: true
# Node selector for database pods
# Uncomment and customize (recommended: memory-optimized EC2 instances like r5.large):
# nodeSelector:
# node.kubernetes.io/instance-type: "r5.large"
# Database authentication (REQUIRED - set secure credentials)
auth:
username: postgres
password: "your-secure-postgres-password"
database: simstudio
# Resource allocation optimized for AWS EKS
resources:
limits:
memory: "4Gi"
cpu: "2000m"
requests:
memory: "2Gi"
cpu: "1000m"
# Persistent storage using AWS EBS volumes
persistence:
enabled: true
storageClass: "gp2" # Use gp2 (default) or create gp3 StorageClass
size: 50Gi
accessModes:
- ReadWriteOnce
# SSL/TLS configuration (requires cert-manager to be installed)
tls:
enabled: false # Set to true if cert-manager is installed
certificatesSecret: postgres-tls-secret
# PostgreSQL performance tuning for AWS infrastructure
config:
maxConnections: 1000
sharedBuffers: "2GB"
maxWalSize: "8GB"
minWalSize: "160MB"
# Ollama AI models with GPU acceleration (AWS EC2 GPU instances)
# Set ollama.enabled: false if you don't need local AI models
ollama:
enabled: false
replicaCount: 1
# GPU node targeting - uncomment and customize for GPU instances
# Recommended: g4dn.xlarge or p3.2xlarge instances
# nodeSelector:
# node.kubernetes.io/instance-type: "g4dn.xlarge"
tolerations:
- key: "nvidia.com/gpu"
operator: "Equal"
value: "true"
effect: "NoSchedule"
# GPU resource allocation for AI model serving
gpu:
enabled: true
count: 1
resources:
limits:
memory: "16Gi"
cpu: "4000m"
nvidia.com/gpu: "1"
requests:
memory: "8Gi"
cpu: "2000m"
# High-performance storage for AI models
persistence:
enabled: true
storageClass: "gp2" # Use gp2 (default) or create gp3 StorageClass
size: 100Gi
accessModes:
- ReadWriteOnce
env:
NVIDIA_DRIVER_CAPABILITIES: "all"
OLLAMA_LOAD_TIMEOUT: "-1"
OLLAMA_KEEP_ALIVE: "-1"
OLLAMA_DEBUG: "1"
# Ingress using AWS Application Load Balancer (ALB)
ingress:
enabled: true
className: alb
annotations:
kubernetes.io/ingress.class: alb
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/target-type: ip
alb.ingress.kubernetes.io/ssl-redirect: "443"
alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:us-west-2:123456789012:certificate/your-cert-arn"
# Main application
app:
host: simstudio.acme.com
paths:
- path: /
pathType: Prefix
# Realtime service
realtime:
host: simstudio-ws.acme.com
paths:
- path: /
pathType: Prefix
# TLS configuration
tls:
enabled: true
secretName: simstudio-tls-secret
# Pod disruption budget for high availability
podDisruptionBudget:
enabled: true
minAvailable: null
maxUnavailable: 1
unhealthyPodEvictionPolicy: AlwaysAllow
# Network policies
networkPolicy:
enabled: true
# Pod anti-affinity for high availability across AWS Availability Zones
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values: ["simstudio"]
topologyKey: kubernetes.io/hostname
- weight: 50
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values: ["simstudio"]
topologyKey: topology.kubernetes.io/zone
# Service Account with IAM roles for service account (IRSA) integration
serviceAccount:
create: true
annotations:
eks.amazonaws.com/role-arn: "arn:aws:iam::123456789012:role/SimStudioServiceRole"
# -----------------------------------------------------------------------------
# External Secrets Operator (ESO) — recommended for production on AWS
# -----------------------------------------------------------------------------
# To switch from inline secrets to ESO:
# 1. Install external-secrets in the cluster (https://external-secrets.io).
# 2. Create a ClusterSecretStore backed by AWS Secrets Manager or
# SSM Parameter Store and grant IRSA access from this namespace.
# 3. Remove entries from app.env above (or leave them and the chart will
# fail-fast naming each unmapped key).
# 4. Uncomment the block below and replace the paths with the names of the
# secrets in your store.
#
# externalSecrets:
# enabled: true
# secretStoreRef:
# name: "aws-secret-store" # name of your ClusterSecretStore
# kind: "ClusterSecretStore"
# remoteRefs:
# app:
# BETTER_AUTH_SECRET: "sim/app/better-auth-secret"
# ENCRYPTION_KEY: "sim/app/encryption-key"
# INTERNAL_API_SECRET: "sim/app/internal-api-secret"
# CRON_SECRET: "sim/app/cron-secret"
# API_ENCRYPTION_KEY: "sim/app/api-encryption-key"
# # AWS provider keys — required when not using IRSA for S3/Bedrock.
# AWS_ACCESS_KEY_ID: "sim/aws/access-key-id"
# AWS_SECRET_ACCESS_KEY: "sim/aws/secret-access-key"
# # Add any other keys your deployment needs:
# OPENAI_API_KEY: "sim/providers/openai-api-key"
# # ANTHROPIC_API_KEY: "sim/providers/anthropic-api-key"
# postgresql:
# password: "sim/postgresql/password"
+330
View File
@@ -0,0 +1,330 @@
# values-azure.yaml
#
# When to use: Azure Kubernetes Service (AKS). Configures managed-csi /
# managed-csi-premium storage, NGINX ingress, role-based node targeting,
# and NVIDIA GPU node pool tolerations for Ollama.
#
# Prerequisites:
# - AKS cluster (Kubernetes 1.25+)
# - NGINX ingress controller installed
# - (optional) cert-manager for TLS
# - (optional) GPU node pool labeled with role: datalake / accelerator: nvidia
#
# Install:
# helm install sim ./helm/sim \
# --namespace sim --create-namespace \
# --values ./helm/sim/examples/values-azure.yaml \
# --set app.env.BETTER_AUTH_SECRET="$BETTER_AUTH_SECRET" \
# --set app.env.ENCRYPTION_KEY="$ENCRYPTION_KEY" \
# --set app.env.INTERNAL_API_SECRET="$INTERNAL_API_SECRET" \
# --set app.env.CRON_SECRET="$CRON_SECRET" \
# --set postgresql.auth.password="$POSTGRES_PASSWORD"
#
# Choosing a secret strategy
# --------------------------
# Pick one of three modes — see helm/sim/README.md for details.
#
# 1. Inline (default below): set values directly in app.env. The chart
# writes every key into a chart-managed Secret. Simplest, but stores
# plaintext in your values file.
#
# 2. existingSecret: pre-create a Kubernetes Secret out-of-band and
# reference it via app.secrets.existingSecret.name. You are
# responsible for ensuring the Secret contains every key your app
# needs (BETTER_AUTH_SECRET, ENCRYPTION_KEY, INTERNAL_API_SECRET,
# AZURE_OPENAI_API_KEY, AZURE_ACCOUNT_KEY, ...). The chart-managed
# Secret is not rendered in this mode, so anything missing from your
# Secret will be empty at runtime.
#
# 3. External Secrets Operator (ESO): sync from Azure Key Vault via the
# External Secrets Operator. Map every key via
# externalSecrets.remoteRefs.app.<KEY>. The chart fails template
# rendering if a key is set in app.env but not mapped — see the
# commented ESO block at the bottom of this file.
# Global configuration
global:
imageRegistry: "ghcr.io"
# Use "managed-csi-premium" for Premium SSD, "managed-csi" for Standard SSD
# IMPORTANT: For production, use a StorageClass with reclaimPolicy: Retain
# to protect database volumes from accidental deletion.
storageClass: "managed-csi"
# Main application
app:
enabled: true
replicaCount: 2
# Node selector for application pods
# Uncomment and customize based on your AKS node labels:
# nodeSelector:
# agentpool: "application"
resources:
limits:
memory: "4Gi"
requests:
memory: "2Gi"
cpu: "500m"
# Production URLs (REQUIRED - update with your actual domain names)
env:
NEXT_PUBLIC_APP_URL: "https://simstudio.acme.com"
BETTER_AUTH_URL: "https://simstudio.acme.com"
# SOCKET_SERVER_URL is auto-detected (uses internal service http://sim-realtime:3002)
NEXT_PUBLIC_SOCKET_URL: "https://simstudio-ws.acme.com" # Public WebSocket URL for browsers
# Security settings (REQUIRED - replace with your own secure secrets)
# Generate using: openssl rand -hex 32
BETTER_AUTH_SECRET: "your-secure-production-auth-secret-here"
ENCRYPTION_KEY: "your-secure-production-encryption-key-here"
INTERNAL_API_SECRET: "your-secure-production-internal-api-secret-here"
CRON_SECRET: "your-secure-production-cron-secret-here"
# Optional: API Key Encryption (RECOMMENDED for production)
# Generate 64-character hex string using: openssl rand -hex 32
API_ENCRYPTION_KEY: "your-64-char-hex-api-encryption-key-here" # Optional but recommended
NODE_ENV: "production"
NEXT_TELEMETRY_DISABLED: "1"
# Azure OpenAI / Azure Anthropic (Azure AI Foundry) — set to use server-side credentials.
# When NEXT_PUBLIC_AZURE_CONFIGURED is true, the endpoint/key/version fields are hidden in
# the Agent block UI so users just pick a model and run.
AZURE_OPENAI_ENDPOINT: "" # e.g. https://your-resource.openai.azure.com
AZURE_OPENAI_API_KEY: "" # Azure OpenAI API key
AZURE_OPENAI_API_VERSION: "" # e.g. 2024-07-01-preview
AZURE_ANTHROPIC_ENDPOINT: "" # Azure AI Foundry endpoint for Anthropic models
AZURE_ANTHROPIC_API_KEY: "" # Azure Anthropic API key
AZURE_ANTHROPIC_API_VERSION: "" # Azure Anthropic API version (e.g., 2023-06-01)
NEXT_PUBLIC_AZURE_CONFIGURED: "true" # Set to "true" once credentials are configured above
KB_OPENAI_MODEL_NAME: "" # Azure deployment name serving the KB embedding model (used only when AZURE_OPENAI_* is set)
WAND_OPENAI_MODEL_NAME: "" # Wand generation model deployment name
# Azure Mistral OCR (optional — Azure-hosted document OCR for knowledge base processing)
OCR_AZURE_ENDPOINT: "" # Azure Mistral OCR service endpoint
OCR_AZURE_MODEL_NAME: "" # Azure Mistral OCR model name
OCR_AZURE_API_KEY: "" # Azure Mistral OCR API key
# Email — Azure Communication Services (recommended on Azure; alternative to Resend/SES/SMTP)
AZURE_ACS_CONNECTION_STRING: "" # Azure Communication Services connection string
# Azure Blob Storage Configuration (RECOMMENDED for production)
# Create a storage account and containers in your Azure subscription
AZURE_ACCOUNT_NAME: "simstudiostorageacct" # Azure storage account name
AZURE_ACCOUNT_KEY: "" # Storage account access key
# Or use connection string instead of account name/key:
# AZURE_CONNECTION_STRING: "DefaultEndpointsProtocol=https;AccountName=...;AccountKey=...;EndpointSuffix=core.windows.net"
AZURE_STORAGE_CONTAINER_NAME: "workspace-files" # Workspace files container
AZURE_STORAGE_KB_CONTAINER_NAME: "knowledge-base" # Knowledge base documents container
AZURE_STORAGE_EXECUTION_FILES_CONTAINER_NAME: "execution-files" # Workflow execution outputs
AZURE_STORAGE_CHAT_CONTAINER_NAME: "chat-files" # Deployed chat assets container
AZURE_STORAGE_COPILOT_CONTAINER_NAME: "copilot-files" # Copilot attachments container
AZURE_STORAGE_PROFILE_PICTURES_CONTAINER_NAME: "profile-pictures" # User avatars container
AZURE_STORAGE_OG_IMAGES_CONTAINER_NAME: "og-images" # OpenGraph preview images container
AZURE_STORAGE_WORKSPACE_LOGOS_CONTAINER_NAME: "workspace-logos" # Workspace logos container
# Realtime service
realtime:
enabled: true
replicaCount: 2
# Node selector for realtime pods
# Uncomment and customize based on your AKS node labels:
# nodeSelector:
# agentpool: "application"
resources:
limits:
memory: "4Gi"
requests:
memory: "1Gi"
cpu: "250m"
env:
NEXT_PUBLIC_APP_URL: "https://simstudio.acme.com"
BETTER_AUTH_URL: "https://simstudio.acme.com"
BETTER_AUTH_SECRET: "your-secure-production-auth-secret-here"
ALLOWED_ORIGINS: "https://simstudio.acme.com"
NODE_ENV: "production"
# Database migrations
migrations:
enabled: true
# PostgreSQL database
postgresql:
enabled: true
# Node selector for database pods
# Uncomment and customize (recommended: memory-optimized VM sizes):
# nodeSelector:
# agentpool: "database"
# Database authentication (REQUIRED - set secure credentials)
auth:
username: postgres
password: "your-secure-postgres-password"
database: simstudio
# Resource allocation for production workloads
resources:
limits:
memory: "2Gi"
requests:
memory: "1Gi"
cpu: "500m"
# Persistent storage using Azure Managed Disk
persistence:
enabled: true
storageClass: "managed-csi"
size: 10Gi
# SSL/TLS configuration (requires cert-manager to be installed)
tls:
enabled: false # Set to true if cert-manager is installed
certificatesSecret: postgres-tls-secret
# PostgreSQL performance tuning for Azure infrastructure
config:
maxConnections: 1000
sharedBuffers: "1280MB"
maxWalSize: "4GB"
minWalSize: "80MB"
# Ollama AI models with GPU acceleration (Azure NC-series VMs)
# Set ollama.enabled: false if you don't need local AI models
ollama:
enabled: false
replicaCount: 1
# GPU node targeting - uncomment and customize for GPU node pools
# Recommended: NC6s_v3 or NC12s_v3 VMs
# nodeSelector:
# agentpool: "gpu"
tolerations:
- key: "sku"
operator: "Equal"
value: "gpu"
effect: "NoSchedule"
# GPU resource allocation for AI model serving
gpu:
enabled: true
count: 1
resources:
limits:
memory: "8Gi"
nvidia.com/gpu: "1"
requests:
memory: "4Gi"
cpu: "1000m"
# High-performance storage for AI models (use managed-csi-premium for GPU workloads)
persistence:
enabled: true
storageClass: "managed-csi-premium"
size: 100Gi
env:
NVIDIA_DRIVER_CAPABILITIES: "all"
OLLAMA_LOAD_TIMEOUT: "-1"
OLLAMA_KEEP_ALIVE: "-1"
OLLAMA_DEBUG: "1"
# Ingress configuration
ingress:
enabled: true
className: nginx
annotations:
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
# Main application
app:
host: simstudio.acme.com
paths:
- path: /
pathType: Prefix
# Realtime service
realtime:
host: simstudio-ws.acme.com
paths:
- path: /
pathType: Prefix
# TLS configuration
tls:
enabled: true
secretName: simstudio-tls-secret
# Internal Ingress configuration
ingressInternal:
enabled: false
className: azure-application-gateway
annotations:
appgw.ingress.kubernetes.io/use-private-ip: "true"
# Main application
app:
host: simstudio-internal.acme.local
paths:
- path: /
pathType: Prefix
# Realtime service
realtime:
host: simstudio-internal.acme.local
paths:
- path: /socket.io
pathType: Prefix
# TLS configuration
tls:
enabled: true
secretName: simstudio-internal-tls-secret
# -----------------------------------------------------------------------------
# External Secrets Operator (ESO) — recommended for production on Azure
# -----------------------------------------------------------------------------
# To switch from inline secrets to ESO:
# 1. Install external-secrets in the cluster (https://external-secrets.io).
# 2. Create a ClusterSecretStore backed by Azure Key Vault and grant
# Workload Identity / managed-identity access from this namespace.
# 3. Remove entries from app.env above (or leave them and the chart will
# fail-fast naming each unmapped key).
# 4. Uncomment the block below and replace the paths with the names of the
# secrets in your Key Vault.
#
# externalSecrets:
# enabled: true
# secretStoreRef:
# name: "azure-keyvault-store" # name of your ClusterSecretStore
# kind: "ClusterSecretStore"
# remoteRefs:
# app:
# BETTER_AUTH_SECRET: "sim-better-auth-secret"
# ENCRYPTION_KEY: "sim-encryption-key"
# INTERNAL_API_SECRET: "sim-internal-api-secret"
# CRON_SECRET: "sim-cron-secret"
# API_ENCRYPTION_KEY: "sim-api-encryption-key"
# # Azure provider keys
# AZURE_OPENAI_API_KEY: "sim-azure-openai-api-key"
# AZURE_ANTHROPIC_API_KEY: "sim-azure-anthropic-api-key"
# AZURE_ACCOUNT_KEY: "sim-azure-storage-account-key"
# # Use AZURE_CONNECTION_STRING instead if you prefer a single connection string:
# # AZURE_CONNECTION_STRING: "sim-azure-storage-connection-string"
# OCR_AZURE_API_KEY: "sim-azure-ocr-api-key"
# AZURE_ACS_CONNECTION_STRING: "sim-azure-acs-connection-string"
# # Non-secret config (deployment names, endpoints) — still required here: ESO mode requires
# # every non-empty app.env key to be mapped, even ones that aren't sensitive.
# KB_OPENAI_MODEL_NAME: "sim-kb-openai-model-name"
# WAND_OPENAI_MODEL_NAME: "sim-wand-openai-model-name"
# OCR_AZURE_ENDPOINT: "sim-azure-ocr-endpoint"
# OCR_AZURE_MODEL_NAME: "sim-azure-ocr-model-name"
# postgresql:
# password: "sim-postgresql-password"
+166
View File
@@ -0,0 +1,166 @@
# values-copilot.yaml
#
# When to use: enable the Sim Copilot service (the chat / Mothership backend)
# alongside the main app. Provisions a dedicated Copilot Deployment, its own
# Postgres StatefulSet, and a migration Job for the Copilot schema.
#
# Prerequisites: same as the base install. Merge this file with your main
# values file (e.g. values-production.yaml) using multiple --values flags.
#
# Install:
# helm install sim ./helm/sim \
# --namespace sim --create-namespace \
# --values ./helm/sim/examples/values-production.yaml \
# --values ./helm/sim/examples/values-copilot.yaml \
# --set app.env.BETTER_AUTH_SECRET="$BETTER_AUTH_SECRET" \
# --set app.env.ENCRYPTION_KEY="$ENCRYPTION_KEY" \
# --set app.env.INTERNAL_API_SECRET="$INTERNAL_API_SECRET" \
# --set app.env.CRON_SECRET="$CRON_SECRET" \
# --set postgresql.auth.password="$POSTGRES_PASSWORD" \
# --set copilot.postgresql.auth.password="$COPILOT_POSTGRES_PASSWORD" \
# --set copilot.server.env.AGENT_API_DB_ENCRYPTION_KEY="$AGENT_API_DB_ENCRYPTION_KEY" \
# --set copilot.server.env.INTERNAL_API_SECRET="$INTERNAL_API_SECRET" \
# --set copilot.server.env.LICENSE_KEY="$COPILOT_LICENSE_KEY" \
# --set copilot.server.env.SIM_BASE_URL="https://sim.example.com" \
# --set copilot.server.env.SIM_AGENT_API_KEY="$SIM_AGENT_API_KEY" \
# --set copilot.server.env.REDIS_URL="redis://default:password@redis:6379" \
# --set copilot.server.env.OPENAI_API_KEY_1="$OPENAI_API_KEY"
#
# All copilot.server.env.* keys above are required when copilot.enabled=true,
# plus at least one model provider key (OPENAI_API_KEY_1 or ANTHROPIC_API_KEY_1).
# LICENSE_KEY is issued by the Sim team. SIM_AGENT_API_KEY must equal the
# COPILOT_API_KEY value on the main app side. SIM_BASE_URL is the public app URL.
# Enable the copilot service
copilot:
enabled: true
# Server configuration
server:
image:
repository: simstudioai/copilot
tag: "" # defaults to Chart.AppVersion; override to pin a specific release
pullPolicy: IfNotPresent
replicaCount: 2
# Node scheduling (OPTIONAL)
# By default, copilot runs on the same nodes as the main Sim platform
nodeSelector: {}
# nodeSelector:
# workload-type: copilot
resources:
limits:
memory: "2Gi"
cpu: "1000m"
requests:
memory: "1Gi"
cpu: "500m"
# Required secrets (set via values or provide your own secret)
env:
AGENT_API_DB_ENCRYPTION_KEY: "" # openssl rand -hex 32
INTERNAL_API_SECRET: "" # reuse Sim INTERNAL_API_SECRET
LICENSE_KEY: "" # Provided by Sim team
OPENAI_API_KEY_1: "" # At least one provider key required
ANTHROPIC_API_KEY_1: "" # Optional secondary provider
SIM_BASE_URL: "https://sim.example.com" # Base URL for Sim deployment
SIM_AGENT_API_KEY: "" # Must match SIM-side COPILOT_API_KEY
REDIS_URL: "redis://default:password@redis:6379"
# Optional configuration
CORS_ALLOWED_ORIGINS: "https://sim.example.com"
OTEL_EXPORTER_OTLP_ENDPOINT: ""
# Non-secret operational tunables — inlined as plain container env, never go through
# the Secret/ExternalSecret, so they don't need externalSecrets.remoteRefs.copilot entries
envDefaults:
PORT: "8080"
SERVICE_NAME: "copilot"
ENVIRONMENT: "production"
LOG_LEVEL: "info"
# Create a Secret from the values above. Set create=false to reference an existing secret instead.
secret:
create: true
name: ""
annotations: {}
extraEnv: []
extraEnvFrom: []
service:
type: ClusterIP
port: 8080
targetPort: 8080
# Internal PostgreSQL database (disable to use an external database)
postgresql:
enabled: true
image:
repository: postgres
tag: 17-alpine
pullPolicy: IfNotPresent
auth:
username: copilot
password: "" # REQUIRED - set via --set copilot.postgresql.auth.password
database: copilot
nodeSelector: {}
# nodeSelector:
# workload-type: copilot
resources:
limits:
memory: "1Gi"
cpu: "500m"
requests:
memory: "512Mi"
cpu: "250m"
persistence:
enabled: true
size: 10Gi
# External database configuration (only used when postgresql.enabled=false)
database:
existingSecretName: ""
secretKey: DATABASE_URL
url: ""
# Migration job
migrations:
enabled: true
resources:
limits:
memory: "512Mi"
cpu: "500m"
requests:
memory: "256Mi"
cpu: "100m"
# Optional: Configure ingress to expose copilot service
# Uncomment if you need external access to copilot
# ingress:
# enabled: true
# className: nginx
# annotations:
# cert-manager.io/cluster-issuer: letsencrypt-prod
# nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
# copilot:
# host: copilot.yourdomain.com
# paths:
# - path: /
# pathType: Prefix
# tls:
# enabled: true
# secretName: copilot-tls-secret
# If using private Docker Hub repository
# global:
# imagePullSecrets:
# - name: dockerhub-secret
+132
View File
@@ -0,0 +1,132 @@
# values-development.yaml
#
# When to use: local development on kind / minikube / Docker Desktop, or any
# throwaway cluster where you don't need HA, TLS, or persistence guarantees.
# Minimal resource requests, single replica, no ingress.
#
# Prerequisites: a working kubectl context.
#
# Install:
# helm install sim-dev ./helm/sim \
# --namespace sim-dev --create-namespace \
# --values ./helm/sim/examples/values-development.yaml \
# --set app.env.BETTER_AUTH_SECRET=$(openssl rand -hex 32) \
# --set app.env.ENCRYPTION_KEY=$(openssl rand -hex 32) \
# --set app.env.INTERNAL_API_SECRET=$(openssl rand -hex 32) \
# --set app.env.CRON_SECRET=$(openssl rand -hex 32) \
# --set postgresql.auth.password=$(openssl rand -base64 24 | tr -d '/+=')
# Global configuration
global:
imageRegistry: "ghcr.io"
# Main application
app:
enabled: true
replicaCount: 1
# Resource allocation for development environment
resources:
limits:
memory: "4Gi"
cpu: "2000m"
requests:
memory: "2Gi"
cpu: "1000m"
# Development URLs
env:
NEXT_PUBLIC_APP_URL: "http://localhost:3000"
BETTER_AUTH_URL: "http://localhost:3000"
NEXT_PUBLIC_SOCKET_URL: "http://localhost:3002"
# Example secrets for development (replace with secure values for production)
# For production, generate using: openssl rand -hex 32
BETTER_AUTH_SECRET: "dev-32-char-auth-secret-not-secure-dev"
ENCRYPTION_KEY: "dev-32-char-encryption-key-not-secure"
INTERNAL_API_SECRET: "dev-32-char-internal-secret-not-secure"
CRON_SECRET: "dev-32-char-cron-secret-not-for-prod"
# Optional: API Key Encryption (leave empty for dev, encrypts API keys at rest)
# For production, generate 64-char hex using: openssl rand -hex 32
API_ENCRYPTION_KEY: "" # Optional - if not set, API keys stored in plain text
# Realtime service
realtime:
enabled: true
replicaCount: 1
# Resource allocation for realtime WebSocket service in development
resources:
limits:
memory: "2Gi"
cpu: "1000m"
requests:
memory: "1Gi"
cpu: "500m"
env:
NEXT_PUBLIC_APP_URL: "http://localhost:3000"
BETTER_AUTH_URL: "http://localhost:3000"
BETTER_AUTH_SECRET: "dev-32-char-auth-secret-not-secure-dev"
ALLOWED_ORIGINS: "http://localhost:3000"
# Database migrations
migrations:
enabled: true
# PostgreSQL database
postgresql:
enabled: true
# Simple authentication for development
auth:
username: postgres
password: "postgres"
database: simstudio
# PostgreSQL with pgvector extension for vector operations
image:
repository: pgvector/pgvector
tag: pg17
pullPolicy: IfNotPresent
# Minimal resource allocation for development PostgreSQL
resources:
limits:
memory: "1Gi"
cpu: "500m"
requests:
memory: "512Mi"
cpu: "250m"
# Persistence disabled for easier development (data will be lost on restart)
persistence:
enabled: false
# SSL/TLS disabled for local development
tls:
enabled: false
# Minimal PostgreSQL configuration for development
config:
maxConnections: 100
sharedBuffers: "256MB"
maxWalSize: "1GB"
minWalSize: "80MB"
# Ollama AI models (disabled by default for development)
ollama:
enabled: false
# Ingress (disabled for development - use port-forward for local access)
ingress:
enabled: false
# Pod disruption budget (disabled for development)
podDisruptionBudget:
enabled: false
# Network policies (disabled for development)
networkPolicy:
enabled: false
@@ -0,0 +1,68 @@
# values-existing-secret.yaml
#
# When to use: GitOps workflows where secrets are managed outside Helm via
# Sealed Secrets, SOPS, kubeseal, or manual `kubectl create secret`. The
# chart references your pre-created Kubernetes Secret objects by name
# instead of templating values into a chart-managed Secret.
#
# Prerequisites:
# Create the Secret objects before `helm install`. Example:
# kubectl create secret generic my-app-secrets --namespace sim \
# --from-literal=BETTER_AUTH_SECRET=$(openssl rand -hex 32) \
# --from-literal=ENCRYPTION_KEY=$(openssl rand -hex 32) \
# --from-literal=INTERNAL_API_SECRET=$(openssl rand -hex 32) \
# --from-literal=CRON_SECRET=$(openssl rand -hex 32)
# Full Secret manifests are at the bottom of this file.
#
# Install:
# helm install sim ./helm/sim \
# --namespace sim --create-namespace \
# --values ./helm/sim/examples/values-existing-secret.yaml
app:
enabled: true
replicaCount: 2
secrets:
existingSecret:
enabled: true
name: "sim-app-secrets"
env:
NEXT_PUBLIC_APP_URL: "https://sim.example.com"
BETTER_AUTH_URL: "https://sim.example.com"
NEXT_PUBLIC_SOCKET_URL: "wss://sim-ws.example.com"
NODE_ENV: "production"
realtime:
enabled: true
replicaCount: 2
env:
NEXT_PUBLIC_APP_URL: "https://sim.example.com"
BETTER_AUTH_URL: "https://sim.example.com"
ALLOWED_ORIGINS: "https://sim.example.com"
NODE_ENV: "production"
postgresql:
enabled: true
auth:
username: postgres
database: sim
existingSecret:
enabled: true
name: "sim-postgresql-secret"
passwordKey: "POSTGRES_PASSWORD"
# ---
# Create secrets before installing:
# ---
# kubectl create secret generic sim-app-secrets \
# --namespace sim \
# --from-literal=BETTER_AUTH_SECRET="$(openssl rand -hex 32)" \
# --from-literal=ENCRYPTION_KEY="$(openssl rand -hex 32)" \
# --from-literal=INTERNAL_API_SECRET="$(openssl rand -hex 32)" \
# --from-literal=CRON_SECRET="$(openssl rand -hex 32)" \
# --from-literal=API_ENCRYPTION_KEY="$(openssl rand -hex 32)"
# kubectl create secret generic sim-postgresql-secret \
# --namespace sim \
# --from-literal=POSTGRES_PASSWORD="$(openssl rand -base64 16 | tr -d '/+=')"
+187
View File
@@ -0,0 +1,187 @@
# values-external-db.yaml
#
# When to use: production deployments that use a managed Postgres service
# (AWS RDS, Azure Database for PostgreSQL, Google Cloud SQL, Neon, Supabase)
# instead of the chart's in-cluster Postgres StatefulSet. The in-cluster
# Postgres is disabled (postgresql.enabled=false).
#
# Prerequisites:
# - A reachable managed Postgres instance with pgvector extension available
# - DB credentials provisioned (user, password, database)
# - Network reachability from the cluster (peering, private link, or public
# endpoint with TLS)
#
# Install:
# helm install sim ./helm/sim \
# --namespace sim --create-namespace \
# --values ./helm/sim/examples/values-external-db.yaml \
# --set externalDatabase.host=your-db.example.com \
# --set externalDatabase.username=simstudio_user \
# --set externalDatabase.password="$DB_PASSWORD" \
# --set externalDatabase.database=simstudio_prod \
# --set app.env.BETTER_AUTH_SECRET="$BETTER_AUTH_SECRET" \
# --set app.env.ENCRYPTION_KEY="$ENCRYPTION_KEY" \
# --set app.env.INTERNAL_API_SECRET="$INTERNAL_API_SECRET"
# Global configuration
global:
imageRegistry: "ghcr.io"
# Main application
app:
enabled: true
replicaCount: 2
resources:
limits:
memory: "4Gi"
cpu: "2000m"
requests:
memory: "2Gi"
cpu: "1000m"
env:
NEXT_PUBLIC_APP_URL: "https://simstudio.acme.com"
BETTER_AUTH_URL: "https://simstudio.acme.com"
SOCKET_SERVER_URL: "https://simstudio-ws.acme.com"
NEXT_PUBLIC_SOCKET_URL: "https://simstudio-ws.acme.com"
# Security settings (REQUIRED - replace with your own secure secrets)
# Generate using: openssl rand -hex 32
BETTER_AUTH_SECRET: "" # Set via --set flag or external secret manager
ENCRYPTION_KEY: "" # Set via --set flag or external secret manager
INTERNAL_API_SECRET: "" # Set via --set flag or external secret manager
CRON_SECRET: "" # Set via --set flag or external secret manager
# Optional: API Key Encryption (RECOMMENDED for production)
# Generate 64-character hex string using: openssl rand -hex 32
API_ENCRYPTION_KEY: "" # Optional but recommended - encrypts API keys at rest
NODE_ENV: "production"
NEXT_TELEMETRY_DISABLED: "1"
# Realtime service
realtime:
enabled: true
replicaCount: 2
resources:
limits:
memory: "4Gi"
cpu: "1000m"
requests:
memory: "2Gi"
cpu: "500m"
env:
NEXT_PUBLIC_APP_URL: "https://simstudio.acme.com"
BETTER_AUTH_URL: "https://simstudio.acme.com"
BETTER_AUTH_SECRET: "" # Must match main app secret - set via --set flag
ALLOWED_ORIGINS: "https://simstudio.acme.com"
NODE_ENV: "production"
# Database migrations
migrations:
enabled: true
resources:
limits:
memory: "2Gi"
cpu: "1000m"
requests:
memory: "1Gi"
cpu: "500m"
# Disable internal PostgreSQL
postgresql:
enabled: false
# Configure external database connection
externalDatabase:
enabled: true
# Database connection details (REQUIRED - configure for your external database)
host: "" # Database hostname (e.g., "postgres.acme.com" or RDS endpoint)
port: 5432
username: "" # Database username (e.g., "simstudio_user")
password: "" # Database password - set via --set flag or external secret
database: "" # Database name (e.g., "simstudio_production")
# SSL mode for database connections (recommended: 'require' for production)
sslMode: "require" # Options: disable, allow, prefer, require, verify-ca, verify-full
# Ollama (optional for AI models)
ollama:
enabled: false
# Ingress configuration
ingress:
enabled: true
className: nginx
annotations:
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
cert-manager.io/cluster-issuer: "letsencrypt-prod"
app:
host: simstudio.acme.com
paths:
- path: /
pathType: Prefix
realtime:
host: simstudio-ws.acme.com
paths:
- path: /
pathType: Prefix
tls:
enabled: true
secretName: simstudio-tls-secret
# Production-ready features (autoscaling, monitoring, etc.)
autoscaling:
enabled: true
minReplicas: 2
maxReplicas: 20
targetCPUUtilizationPercentage: 70
targetMemoryUtilizationPercentage: 80
podDisruptionBudget:
enabled: true
minAvailable: null
maxUnavailable: 1
unhealthyPodEvictionPolicy: AlwaysAllow
monitoring:
serviceMonitor:
enabled: true
labels:
monitoring: "prometheus"
interval: 15s
networkPolicy:
enabled: true
# Custom egress rules to allow database connectivity to an external DB.
# The chart's app/realtime NetworkPolicies already permit egress to
# `postgresql.service.targetPort` when `postgresql.enabled=true`. For an
# external DB on a different port (or off-cluster), append to extraRules.
egress:
extraRules:
- to: []
ports:
- protocol: TCP
port: 5432
# Example deployment command with secure secret generation:
# helm install sim ./helm/sim \
# --values ./helm/sim/examples/values-external-db.yaml \
# --set externalDatabase.host="your-db-host.com" \
# --set externalDatabase.username="your-db-user" \
# --set externalDatabase.password="your-db-password" \
# --set externalDatabase.database="your-db-name" \
# --set app.env.BETTER_AUTH_SECRET="$(openssl rand -hex 32)" \
# --set app.env.ENCRYPTION_KEY="$(openssl rand -hex 32)" \
# --set app.env.INTERNAL_API_SECRET="$(openssl rand -hex 32)" \
# --set app.env.CRON_SECRET="$(openssl rand -hex 32)" \
# --set app.env.API_ENCRYPTION_KEY="$(openssl rand -hex 32)" \
# --set realtime.env.BETTER_AUTH_SECRET="$(openssl rand -hex 32)"
@@ -0,0 +1,123 @@
# values-external-secrets.yaml
#
# When to use: production deployments where secrets live in an external store
# (Azure Key Vault, AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager)
# and you want External Secrets Operator (ESO) to sync them into Kubernetes
# Secrets that the chart consumes.
#
# Prerequisites:
# 1. Install ESO once per cluster:
# helm repo add external-secrets https://charts.external-secrets.io
# helm install external-secrets external-secrets/external-secrets \
# -n external-secrets --create-namespace
# 2. Create a SecretStore or ClusterSecretStore for your provider — see
# example manifests at the bottom of this file.
# 3. Pre-populate your remote store with the secret keys referenced in
# externalSecrets.remoteRefs below.
#
# Install:
# helm install sim ./helm/sim \
# --namespace sim --create-namespace \
# --values ./helm/sim/examples/values-external-secrets.yaml
externalSecrets:
enabled: true
apiVersion: "v1"
refreshInterval: "1h"
secretStoreRef:
name: "sim-secret-store"
kind: "ClusterSecretStore"
remoteRefs:
app:
BETTER_AUTH_SECRET: "sim/app/better-auth-secret"
ENCRYPTION_KEY: "sim/app/encryption-key"
INTERNAL_API_SECRET: "sim/app/internal-api-secret"
CRON_SECRET: "sim/app/cron-secret"
API_ENCRYPTION_KEY: "sim/app/api-encryption-key"
postgresql:
password: "sim/postgresql/password"
# Only needed when copilot.enabled=true and copilot.server.secret.create=true
# (uncomment and pre-populate the referenced paths in your secret store):
# copilot:
# AGENT_API_DB_ENCRYPTION_KEY: "sim/copilot/agent-api-db-encryption-key"
# INTERNAL_API_SECRET: "sim/copilot/internal-api-secret"
# LICENSE_KEY: "sim/copilot/license-key"
# SIM_BASE_URL: "sim/copilot/sim-base-url"
# SIM_AGENT_API_KEY: "sim/copilot/sim-agent-api-key"
# REDIS_URL: "sim/copilot/redis-url"
# OPENAI_API_KEY_1: "sim/copilot/openai-api-key"
app:
enabled: true
replicaCount: 2
# In ESO mode, app.env may only contain keys that are also mapped under
# externalSecrets.remoteRefs.app (the chart-managed Secret is not rendered,
# so any unmapped value would silently go nowhere). Non-secret URL/config
# belongs in envDefaults — those are inlined on the container as `env:`
# and don't flow through the Secret.
envDefaults:
NEXT_PUBLIC_APP_URL: "https://sim.example.com"
BETTER_AUTH_URL: "https://sim.example.com"
NEXT_PUBLIC_SOCKET_URL: "wss://sim-ws.example.com"
NODE_ENV: "production"
realtime:
enabled: true
replicaCount: 2
envDefaults:
NEXT_PUBLIC_APP_URL: "https://sim.example.com"
BETTER_AUTH_URL: "https://sim.example.com"
ALLOWED_ORIGINS: "https://sim.example.com"
NODE_ENV: "production"
postgresql:
enabled: true
auth:
username: postgres
database: sim
# ---
# SecretStore Examples (apply one of these to your cluster before installing)
# ---
# Azure Key Vault (Workload Identity):
# apiVersion: external-secrets.io/v1beta1
# kind: ClusterSecretStore
# metadata:
# name: sim-secret-store
# spec:
# provider:
# azurekv:
# authType: WorkloadIdentity
# vaultUrl: "https://your-keyvault.vault.azure.net"
# serviceAccountRef:
# name: external-secrets-sa
# namespace: external-secrets
# AWS Secrets Manager (IRSA):
# apiVersion: external-secrets.io/v1beta1
# kind: ClusterSecretStore
# metadata:
# name: sim-secret-store
# spec:
# provider:
# aws:
# service: SecretsManager
# region: us-east-1
# role: arn:aws:iam::123456789012:role/external-secrets-role
# HashiCorp Vault (Kubernetes Auth):
# apiVersion: external-secrets.io/v1beta1
# kind: ClusterSecretStore
# metadata:
# name: sim-secret-store
# spec:
# provider:
# vault:
# server: "https://vault.example.com"
# path: "secret"
# version: "v2"
# auth:
# kubernetes:
# mountPath: "kubernetes"
# role: "external-secrets"
+333
View File
@@ -0,0 +1,333 @@
# values-gcp.yaml
#
# When to use: Google Kubernetes Engine (GKE). Configures Persistent Disk
# storage, Google Cloud Load Balancer with managed certs, Workload Identity
# annotations, and Tesla T4/V100 GPU node selectors for Ollama.
#
# Prerequisites:
# - GKE cluster (Kubernetes 1.25+)
# - Workload Identity enabled (for IAM-bound ServiceAccount)
# - (optional) Managed certificate or cert-manager for TLS
# - (optional) GPU node pool with accelerator labels for Ollama
#
# Install:
# helm install sim ./helm/sim \
# --namespace sim --create-namespace \
# --values ./helm/sim/examples/values-gcp.yaml \
# --set app.env.BETTER_AUTH_SECRET="$BETTER_AUTH_SECRET" \
# --set app.env.ENCRYPTION_KEY="$ENCRYPTION_KEY" \
# --set app.env.INTERNAL_API_SECRET="$INTERNAL_API_SECRET" \
# --set app.env.CRON_SECRET="$CRON_SECRET" \
# --set postgresql.auth.password="$POSTGRES_PASSWORD"
#
# Choosing a secret strategy
# --------------------------
# Pick one of three modes — see helm/sim/README.md for details.
#
# 1. Inline (default below): set values directly in app.env. The chart
# writes every key into a chart-managed Secret. Simplest, but stores
# plaintext in your values file.
#
# 2. existingSecret: pre-create a Kubernetes Secret out-of-band and
# reference it via app.secrets.existingSecret.name. You are
# responsible for ensuring the Secret contains every key your app
# needs (BETTER_AUTH_SECRET, ENCRYPTION_KEY, INTERNAL_API_SECRET,
# OPENAI_API_KEY, ...). The chart-managed Secret is not rendered in
# this mode, so anything missing from your Secret will be empty at
# runtime.
#
# 3. External Secrets Operator (ESO): sync from Google Secret Manager
# via the External Secrets Operator. Map every key via
# externalSecrets.remoteRefs.app.<KEY>. The chart fails template
# rendering if a key is set in app.env but not mapped — see the
# commented ESO block at the bottom of this file.
# Global configuration
global:
imageRegistry: "ghcr.io"
storageClass: "standard-rwo"
# Main application
app:
enabled: true
replicaCount: 2
# Node selector for application pods
# Uncomment and customize based on your GKE node labels:
# nodeSelector:
# cloud.google.com/gke-nodepool: "default-pool"
resources:
limits:
memory: "4Gi"
cpu: "2000m"
requests:
memory: "2Gi"
cpu: "1000m"
# Production URLs (REQUIRED - update with your actual domain names)
env:
NEXT_PUBLIC_APP_URL: "https://simstudio.acme.com"
BETTER_AUTH_URL: "https://simstudio.acme.com"
# SOCKET_SERVER_URL is auto-detected (uses internal service http://sim-realtime:3002)
NEXT_PUBLIC_SOCKET_URL: "https://simstudio-ws.acme.com" # Public WebSocket URL for browsers
# Security settings (REQUIRED - replace with your own secure secrets)
# Generate using: openssl rand -hex 32
BETTER_AUTH_SECRET: "your-secure-production-auth-secret-here"
ENCRYPTION_KEY: "your-secure-production-encryption-key-here"
INTERNAL_API_SECRET: "your-secure-production-internal-api-secret-here"
CRON_SECRET: "your-secure-production-cron-secret-here"
# Optional: API Key Encryption (RECOMMENDED for production)
# Generate 64-character hex string using: openssl rand -hex 32
API_ENCRYPTION_KEY: "your-64-char-hex-api-encryption-key-here" # Optional but recommended
NODE_ENV: "production"
NEXT_TELEMETRY_DISABLED: "1"
# GCP-specific environment variables
GOOGLE_CLOUD_PROJECT: "your-project-id"
GOOGLE_CLOUD_REGION: "us-central1"
# Realtime service
realtime:
enabled: true
replicaCount: 2
# Node selector for realtime pods
# Uncomment and customize based on your GKE node labels:
# nodeSelector:
# cloud.google.com/gke-nodepool: "default-pool"
resources:
limits:
memory: "4Gi"
cpu: "1000m"
requests:
memory: "2Gi"
cpu: "500m"
env:
NEXT_PUBLIC_APP_URL: "https://simstudio.acme.com"
BETTER_AUTH_URL: "https://simstudio.acme.com"
BETTER_AUTH_SECRET: "your-secure-production-auth-secret-here"
ALLOWED_ORIGINS: "https://simstudio.acme.com"
NODE_ENV: "production"
# Database migrations
migrations:
enabled: true
resources:
limits:
memory: "2Gi"
cpu: "1000m"
requests:
memory: "1Gi"
cpu: "500m"
# PostgreSQL database
postgresql:
enabled: true
# Node selector for database pods
# Uncomment and customize (recommended: memory-optimized machine types):
# nodeSelector:
# cloud.google.com/gke-nodepool: "database-pool"
# Database authentication (REQUIRED - set secure credentials)
auth:
username: postgres
password: "your-secure-postgres-password"
database: simstudio
# Resource allocation optimized for GKE
resources:
limits:
memory: "4Gi"
cpu: "2000m"
requests:
memory: "2Gi"
cpu: "1000m"
# Persistent storage using Google Cloud Persistent Disk
persistence:
enabled: true
storageClass: "standard-rwo"
size: 50Gi
accessModes:
- ReadWriteOnce
# SSL/TLS configuration (requires cert-manager to be installed)
tls:
enabled: false # Set to true if cert-manager is installed
certificatesSecret: postgres-tls-secret
# PostgreSQL performance tuning for GCP infrastructure
config:
maxConnections: 1000
sharedBuffers: "2GB"
maxWalSize: "8GB"
minWalSize: "160MB"
# Ollama AI models with GPU acceleration (GCP GPU instances)
# Set ollama.enabled: false if you don't need local AI models
ollama:
enabled: false
replicaCount: 1
# GPU node targeting - uncomment and customize for GPU node pools
# Recommended: T4 or V100 GPU instances
# nodeSelector:
# cloud.google.com/gke-nodepool: "gpu-pool"
# cloud.google.com/gke-accelerator: "nvidia-tesla-t4"
tolerations:
- key: "nvidia.com/gpu"
operator: "Equal"
value: "present"
effect: "NoSchedule"
# GPU resource allocation for AI model serving
gpu:
enabled: true
count: 1
resources:
limits:
memory: "16Gi"
cpu: "4000m"
nvidia.com/gpu: "1"
requests:
memory: "8Gi"
cpu: "2000m"
# High-performance SSD storage for AI models
persistence:
enabled: true
storageClass: "premium-rwo"
size: 100Gi
accessModes:
- ReadWriteOnce
env:
NVIDIA_DRIVER_CAPABILITIES: "all"
OLLAMA_LOAD_TIMEOUT: "-1"
OLLAMA_KEEP_ALIVE: "-1"
OLLAMA_DEBUG: "1"
# Ingress using Google Cloud Load Balancer
ingress:
enabled: true
className: gce
annotations:
kubernetes.io/ingress.class: gce
kubernetes.io/ingress.global-static-ip-name: "simstudio-ip"
networking.gke.io/managed-certificates: "simstudio-ssl-cert"
kubernetes.io/ingress.allow-http: "false"
# Main application
app:
host: simstudio.acme.com
paths:
- path: /
pathType: Prefix
# Realtime service
realtime:
host: simstudio-ws.acme.com
paths:
- path: /
pathType: Prefix
# TLS configuration
tls:
enabled: true
secretName: simstudio-tls-secret
# Pod disruption budget for high availability
podDisruptionBudget:
enabled: true
minAvailable: null
maxUnavailable: 1
unhealthyPodEvictionPolicy: AlwaysAllow
# Network policies
networkPolicy:
enabled: true
# Pod anti-affinity for high availability across GCP zones
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values: ["simstudio"]
topologyKey: kubernetes.io/hostname
- weight: 50
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values: ["simstudio"]
topologyKey: topology.gke.io/zone
# Service Account with Workload Identity integration
serviceAccount:
create: true
annotations:
iam.gke.io/gcp-service-account: "simstudio@your-project-id.iam.gserviceaccount.com"
# Additional environment variables for GCP service integration
extraEnvVars:
- name: GOOGLE_APPLICATION_CREDENTIALS
value: "/var/secrets/google/key.json"
# Additional volumes for service account credentials
extraVolumes:
- name: google-cloud-key
secret:
secretName: google-service-account-key
extraVolumeMounts:
- name: google-cloud-key
mountPath: /var/secrets/google
readOnly: true
# -----------------------------------------------------------------------------
# External Secrets Operator (ESO) — recommended for production on GCP
# -----------------------------------------------------------------------------
# To switch from inline secrets to ESO:
# 1. Install external-secrets in the cluster (https://external-secrets.io).
# 2. Create a ClusterSecretStore backed by Google Secret Manager and bind
# Workload Identity from this namespace's ServiceAccount.
# 3. Remove entries from app.env above (or leave them and the chart will
# fail-fast naming each unmapped key).
# 4. Uncomment the block below and replace the paths with the names of the
# secrets in your project.
#
# externalSecrets:
# enabled: true
# secretStoreRef:
# name: "gcp-secret-store" # name of your ClusterSecretStore
# kind: "ClusterSecretStore"
# remoteRefs:
# app:
# BETTER_AUTH_SECRET: "sim-better-auth-secret"
# ENCRYPTION_KEY: "sim-encryption-key"
# INTERNAL_API_SECRET: "sim-internal-api-secret"
# CRON_SECRET: "sim-cron-secret"
# API_ENCRYPTION_KEY: "sim-api-encryption-key"
# # Provider keys typical for a GCP deployment. Vertex AI auth is
# # usually handled by Workload Identity, so VERTEX_CREDENTIALS is
# # only needed when running outside the GCP credential chain.
# OPENAI_API_KEY: "sim-openai-api-key"
# # ANTHROPIC_API_KEY: "sim-anthropic-api-key"
# # VERTEX_CREDENTIALS: "sim-vertex-credentials-json"
# postgresql:
# password: "sim-postgresql-password"
+245
View File
@@ -0,0 +1,245 @@
# values-production.yaml
#
# When to use: generic production deployment on any cluster. Enables HA
# (replicaCount > 1, PDB), NetworkPolicy, HPA, ServiceMonitor, and
# PSS-restricted security defaults.
#
# Prerequisites:
# - A premium StorageClass with reclaimPolicy: Retain
# - cert-manager (for TLS) or pre-provisioned certs
# - ingress-nginx (or equivalent) for ingress
# - metrics-server in the cluster (HPA)
# - (recommended) Prometheus Operator for ServiceMonitor
# - (recommended) External Secrets Operator — see values-external-secrets.yaml
#
# Install:
# helm install sim ./helm/sim \
# --namespace sim --create-namespace \
# --values ./helm/sim/examples/values-production.yaml \
# --set app.env.BETTER_AUTH_SECRET="$BETTER_AUTH_SECRET" \
# --set app.env.ENCRYPTION_KEY="$ENCRYPTION_KEY" \
# --set app.env.INTERNAL_API_SECRET="$INTERNAL_API_SECRET" \
# --set app.env.CRON_SECRET="$CRON_SECRET" \
# --set postgresql.auth.password="$POSTGRES_PASSWORD"
# Global configuration
global:
imageRegistry: "ghcr.io"
# For production, use a StorageClass with reclaimPolicy: Retain
storageClass: "managed-csi-premium"
# Main application
app:
enabled: true
replicaCount: 2
resources:
limits:
memory: "8Gi"
cpu: "2000m"
requests:
memory: "6Gi"
cpu: "1000m"
# Production URLs (REQUIRED - update with your actual domain names)
env:
NEXT_PUBLIC_APP_URL: "https://sim.acme.ai"
BETTER_AUTH_URL: "https://sim.acme.ai"
SOCKET_SERVER_URL: "https://sim-ws.acme.ai"
NEXT_PUBLIC_SOCKET_URL: "https://sim-ws.acme.ai"
# Security settings (REQUIRED - replace with your own secure secrets)
# Generate using: openssl rand -hex 32
BETTER_AUTH_SECRET: "your-production-auth-secret-here"
ENCRYPTION_KEY: "your-production-encryption-key-here"
INTERNAL_API_SECRET: "your-production-internal-api-secret-here"
CRON_SECRET: "your-production-cron-secret-here"
# Optional: API Key Encryption (RECOMMENDED for production)
# Generate 64-character hex string using: openssl rand -hex 32
API_ENCRYPTION_KEY: "your-64-char-hex-api-encryption-key-here" # Optional but recommended
# Email verification (set to true if you want to require email verification)
EMAIL_VERIFICATION_ENABLED: "false"
# Optional third-party service integrations (configure as needed)
RESEND_API_KEY: "your-resend-api-key"
GOOGLE_CLIENT_ID: "your-google-client-id"
GOOGLE_CLIENT_SECRET: "your-google-client-secret"
# DISABLE_GOOGLE_AUTH: "true" # Uncomment to hide Google OAuth login
# DISABLE_GITHUB_AUTH: "true" # Uncomment to hide GitHub OAuth login
# Realtime service
realtime:
enabled: true
replicaCount: 2
resources:
limits:
memory: "1Gi"
cpu: "500m"
requests:
memory: "512Mi"
cpu: "250m"
env:
NEXT_PUBLIC_APP_URL: "https://sim.acme.ai"
BETTER_AUTH_URL: "https://sim.acme.ai"
BETTER_AUTH_SECRET: "your-production-auth-secret-here"
ALLOWED_ORIGINS: "https://sim.acme.ai"
# Database migrations
migrations:
enabled: true
resources:
limits:
memory: "2Gi"
cpu: "1000m"
requests:
memory: "1Gi"
cpu: "500m"
# PostgreSQL database
postgresql:
enabled: true
# Database authentication (REQUIRED - set secure credentials)
auth:
username: postgres
password: "your-secure-postgres-password"
database: simstudio
# Resource allocation for production workloads
resources:
limits:
memory: "4Gi"
cpu: "2000m"
requests:
memory: "2Gi"
cpu: "1000m"
# Persistent storage configuration
persistence:
enabled: true
storageClass: "managed-csi-premium"
size: 50Gi
# SSL/TLS configuration (recommended for production)
tls:
enabled: true
certificatesSecret: postgres-tls-secret
# PostgreSQL performance configuration for production
config:
maxConnections: 1000
sharedBuffers: "2GB"
maxWalSize: "8GB"
minWalSize: "160MB"
# Ollama AI models (optional - enable if you need local AI model serving)
ollama:
enabled: false
# Ingress configuration
ingress:
enabled: true
className: nginx
annotations:
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
cert-manager.io/cluster-issuer: "letsencrypt-prod"
# Main application
app:
host: sim.acme.ai
paths:
- path: /
pathType: Prefix
# Realtime service
realtime:
host: sim-ws.acme.ai
paths:
- path: /
pathType: Prefix
# TLS configuration
tls:
enabled: true
secretName: sim-tls-secret
# Horizontal Pod Autoscaler (automatically scales pods based on CPU/memory usage)
autoscaling:
enabled: true
minReplicas: 2
maxReplicas: 20
targetCPUUtilizationPercentage: 70
targetMemoryUtilizationPercentage: 80
behavior:
scaleDown:
stabilizationWindowSeconds: 300
policies:
- type: Percent
value: 50
periodSeconds: 60
scaleUp:
stabilizationWindowSeconds: 60
policies:
- type: Percent
value: 100
periodSeconds: 15
- type: Pods
value: 2
periodSeconds: 60
# Pod disruption budget (ensures minimum availability during cluster maintenance)
podDisruptionBudget:
enabled: true
minAvailable: null
maxUnavailable: 1
unhealthyPodEvictionPolicy: AlwaysAllow
# Monitoring integration with Prometheus
monitoring:
serviceMonitor:
enabled: true
labels:
monitoring: "prometheus"
interval: 15s
scrapeTimeout: 10s
# Network policies (restricts pod-to-pod communication for security)
networkPolicy:
enabled: true
# Shared storage for data sharing between pods (enterprise feature)
sharedStorage:
enabled: true
storageClass: "managed-csi-premium"
volumes:
- name: output-share
size: 100Gi
accessModes:
- ReadWriteMany
- name: model-share
size: 200Gi
accessModes:
- ReadWriteMany
# Telemetry and observability (comprehensive monitoring and tracing)
telemetry:
enabled: true
resources:
limits:
memory: "1Gi"
cpu: "500m"
requests:
memory: "512Mi"
cpu: "200m"
# Configure endpoints based on your observability infrastructure
prometheus:
enabled: true
endpoint: "http://prometheus-server/api/v1/write"
jaeger:
enabled: true
endpoint: "http://jaeger-collector:14250"
+106
View File
@@ -0,0 +1,106 @@
# values-whitelabeled.yaml
#
# When to use: whitelabeled / branded deployment. Replaces the default Sim
# branding (logo, product name, support URLs) with your own. The example
# below uses "Acme Corp" placeholders — replace with your brand.
#
# Prerequisites: a hosted logo URL and brand assets.
#
# Install:
# helm install acme ./helm/sim \
# --namespace acme --create-namespace \
# --values ./helm/sim/examples/values-whitelabeled.yaml \
# --set app.env.BETTER_AUTH_SECRET="$BETTER_AUTH_SECRET" \
# --set app.env.ENCRYPTION_KEY="$ENCRYPTION_KEY" \
# --set app.env.INTERNAL_API_SECRET="$INTERNAL_API_SECRET" \
# --set app.env.CRON_SECRET="$CRON_SECRET" \
# --set postgresql.auth.password="$POSTGRES_PASSWORD"
# Global configuration
global:
imageRegistry: "ghcr.io"
storageClass: "managed-csi-premium"
# Main application with custom branding
app:
enabled: true
replicaCount: 1
# Custom branding configuration
env:
# Application URLs (update with your domain)
NEXT_PUBLIC_APP_URL: "https://sim.acme.ai"
BETTER_AUTH_URL: "https://sim.acme.ai"
SOCKET_SERVER_URL: "https://sim-ws.acme.ai"
NEXT_PUBLIC_SOCKET_URL: "https://sim-ws.acme.ai"
# Security settings (REQUIRED)
# Generate using: openssl rand -hex 32
BETTER_AUTH_SECRET: "your-production-auth-secret-here"
ENCRYPTION_KEY: "your-production-encryption-key-here"
INTERNAL_API_SECRET: "your-production-internal-api-secret-here"
CRON_SECRET: "your-production-cron-secret-here"
# Optional: API Key Encryption (RECOMMENDED for production)
# Generate 64-character hex string using: openssl rand -hex 32
API_ENCRYPTION_KEY: "your-64-char-hex-api-encryption-key-here" # Optional but recommended
# UI Branding & Whitelabeling Configuration
NEXT_PUBLIC_BRAND_NAME: "Acme AI Studio"
NEXT_PUBLIC_BRAND_LOGO_URL: "https://acme.com/assets/logo.png"
NEXT_PUBLIC_BRAND_FAVICON_URL: "https://acme.com/assets/favicon.ico"
NEXT_PUBLIC_CUSTOM_CSS_URL: "https://acme.com/assets/theme.css"
NEXT_PUBLIC_SUPPORT_EMAIL: "ai-support@acme.com"
NEXT_PUBLIC_DOCUMENTATION_URL: "https://docs.acme.com/ai-studio"
NEXT_PUBLIC_TERMS_URL: "https://acme.com/terms"
NEXT_PUBLIC_PRIVACY_URL: "https://acme.com/privacy"
# Realtime service
realtime:
enabled: true
replicaCount: 1
env:
NEXT_PUBLIC_APP_URL: "https://sim.acme.ai"
BETTER_AUTH_URL: "https://sim.acme.ai"
BETTER_AUTH_SECRET: "your-production-auth-secret-here"
ALLOWED_ORIGINS: "https://sim.acme.ai"
# PostgreSQL database
postgresql:
enabled: true
auth:
password: "your-secure-db-password-here"
persistence:
enabled: true
size: 20Gi
# Ingress configuration
ingress:
enabled: true
className: "nginx"
annotations:
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
cert-manager.io/cluster-issuer: "letsencrypt-prod"
app:
host: "sim.acme.ai"
paths:
- path: /
pathType: Prefix
realtime:
host: "sim-ws.acme.ai"
paths:
- path: /
pathType: Prefix
tls:
enabled: true
secretName: "sim-acme-tls"
# Auto-scaling
autoscaling:
enabled: true
minReplicas: 2
maxReplicas: 10
targetCPUUtilizationPercentage: 70