chore: import upstream snapshot with attribution
Publish CLI Package / publish-npm (push) Waiting to run
Publish Python SDK / publish-pypi (push) Waiting to run
Publish TypeScript SDK / publish-npm (push) Waiting to run
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
Publish CLI Package / publish-npm (push) Waiting to run
Publish Python SDK / publish-pypi (push) Waiting to run
Publish TypeScript SDK / publish-npm (push) Waiting to run
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
This commit is contained in:
@@ -0,0 +1,334 @@
|
||||
# values-aws.yaml
|
||||
#
|
||||
# When to use: Amazon EKS. Configures EBS GP3 storage, ALB ingress with
|
||||
# AWS Certificate Manager, IRSA-style ServiceAccount annotations, and
|
||||
# GPU-instance node selectors for Ollama.
|
||||
#
|
||||
# Prerequisites:
|
||||
# - EKS cluster (Kubernetes 1.25+)
|
||||
# - EBS CSI driver add-on (aws eks create-addon --addon-name aws-ebs-csi-driver)
|
||||
# - AWS Load Balancer Controller (for ALB ingress)
|
||||
# - (recommended) cert-manager OR an ACM certificate ARN for the ingress
|
||||
#
|
||||
# Install:
|
||||
# helm install sim ./helm/sim \
|
||||
# --namespace sim --create-namespace \
|
||||
# --values ./helm/sim/examples/values-aws.yaml \
|
||||
# --set app.env.BETTER_AUTH_SECRET="$BETTER_AUTH_SECRET" \
|
||||
# --set app.env.ENCRYPTION_KEY="$ENCRYPTION_KEY" \
|
||||
# --set app.env.INTERNAL_API_SECRET="$INTERNAL_API_SECRET" \
|
||||
# --set app.env.CRON_SECRET="$CRON_SECRET" \
|
||||
# --set postgresql.auth.password="$POSTGRES_PASSWORD"
|
||||
#
|
||||
# Choosing a secret strategy
|
||||
# --------------------------
|
||||
# Pick one of three modes — see helm/sim/README.md for details.
|
||||
#
|
||||
# 1. Inline (default below): set values directly in app.env. The chart
|
||||
# writes every key into a chart-managed Secret. Simplest, but stores
|
||||
# plaintext in your values file.
|
||||
#
|
||||
# 2. existingSecret: pre-create a Kubernetes Secret out-of-band and
|
||||
# reference it via app.secrets.existingSecret.name. You are
|
||||
# responsible for ensuring the Secret contains every key your app
|
||||
# needs (BETTER_AUTH_SECRET, ENCRYPTION_KEY, INTERNAL_API_SECRET,
|
||||
# AWS_SECRET_ACCESS_KEY, OPENAI_API_KEY, ...). The chart-managed
|
||||
# Secret is not rendered in this mode, so anything missing from your
|
||||
# Secret will be empty at runtime.
|
||||
#
|
||||
# 3. External Secrets Operator (ESO): sync from AWS Secrets Manager /
|
||||
# Parameter Store via the External Secrets Operator. Map every key
|
||||
# via externalSecrets.remoteRefs.app.<KEY>. The chart fails template
|
||||
# rendering if a key is set in app.env but not mapped — see the
|
||||
# commented ESO block at the bottom of this file.
|
||||
|
||||
# Global configuration
|
||||
global:
|
||||
imageRegistry: "ghcr.io"
|
||||
storageClass: "gp3" # gp3 is the recommended EBS type (cheaper + faster than gp2). Requires a gp3 StorageClass — create one if your cluster only ships gp2.
|
||||
|
||||
# Main application
|
||||
app:
|
||||
enabled: true
|
||||
replicaCount: 2
|
||||
|
||||
# Node selector for application pods
|
||||
# Uncomment and customize based on your EKS node labels:
|
||||
# nodeSelector:
|
||||
# node.kubernetes.io/instance-type: "t3.large"
|
||||
|
||||
resources:
|
||||
limits:
|
||||
memory: "4Gi"
|
||||
cpu: "2000m"
|
||||
requests:
|
||||
memory: "2Gi"
|
||||
cpu: "1000m"
|
||||
|
||||
# Production URLs (REQUIRED - update with your actual domain names)
|
||||
env:
|
||||
NEXT_PUBLIC_APP_URL: "https://simstudio.acme.com"
|
||||
BETTER_AUTH_URL: "https://simstudio.acme.com"
|
||||
# SOCKET_SERVER_URL is auto-detected (uses internal service http://sim-realtime:3002)
|
||||
NEXT_PUBLIC_SOCKET_URL: "https://simstudio-ws.acme.com" # Public WebSocket URL for browsers
|
||||
|
||||
# Security settings (REQUIRED - replace with your own secure secrets)
|
||||
# Generate using: openssl rand -hex 32
|
||||
BETTER_AUTH_SECRET: "your-secure-production-auth-secret-here"
|
||||
ENCRYPTION_KEY: "your-secure-production-encryption-key-here"
|
||||
INTERNAL_API_SECRET: "your-secure-production-internal-api-secret-here"
|
||||
CRON_SECRET: "your-secure-production-cron-secret-here"
|
||||
|
||||
# Optional: API Key Encryption (RECOMMENDED for production)
|
||||
# Generate 64-character hex string using: openssl rand -hex 32
|
||||
API_ENCRYPTION_KEY: "your-64-char-hex-api-encryption-key-here" # Optional but recommended
|
||||
|
||||
NODE_ENV: "production"
|
||||
NEXT_TELEMETRY_DISABLED: "1"
|
||||
|
||||
# AWS Bedrock - when using IRSA (see serviceAccount below), the default credential chain
|
||||
# resolves automatically. Setting this hides the credential fields in the Agent block UI.
|
||||
NEXT_PUBLIC_BEDROCK_DEFAULT_CREDENTIALS: "true" # Uncomment if using Bedrock with IRSA
|
||||
|
||||
# AWS S3 Cloud Storage Configuration (RECOMMENDED for production)
|
||||
# Create S3 buckets in your AWS account and configure IAM permissions
|
||||
AWS_REGION: "us-west-2"
|
||||
AWS_ACCESS_KEY_ID: "" # AWS access key (or use IRSA for EKS)
|
||||
AWS_SECRET_ACCESS_KEY: "" # AWS secret key (or use IRSA for EKS)
|
||||
S3_BUCKET_NAME: "workspace-files" # Workspace files
|
||||
S3_KB_BUCKET_NAME: "knowledge-base" # Knowledge base documents
|
||||
S3_EXECUTION_FILES_BUCKET_NAME: "execution-files" # Workflow execution outputs
|
||||
S3_CHAT_BUCKET_NAME: "chat-files" # Deployed chat assets
|
||||
S3_COPILOT_BUCKET_NAME: "copilot-files" # Copilot attachments
|
||||
S3_PROFILE_PICTURES_BUCKET_NAME: "profile-pictures" # User avatars
|
||||
S3_OG_IMAGES_BUCKET_NAME: "og-images" # OpenGraph preview images
|
||||
S3_WORKSPACE_LOGOS_BUCKET_NAME: "workspace-logos" # Workspace logos
|
||||
# For S3-compatible storage (Cloudflare R2, MinIO, Backblaze B2) instead of AWS S3:
|
||||
# S3_ENDPOINT: "https://<account>.r2.cloudflarestorage.com" # custom endpoint; set AWS_REGION: "auto" for R2
|
||||
# S3_FORCE_PATH_STYLE: "true" # required for MinIO/Ceph; omit for AWS S3 and R2
|
||||
|
||||
# Realtime service
|
||||
realtime:
|
||||
enabled: true
|
||||
replicaCount: 2
|
||||
|
||||
# Node selector for realtime pods
|
||||
# Uncomment and customize based on your EKS node labels:
|
||||
# nodeSelector:
|
||||
# node.kubernetes.io/instance-type: "t3.medium"
|
||||
|
||||
resources:
|
||||
limits:
|
||||
memory: "4Gi"
|
||||
cpu: "1000m"
|
||||
requests:
|
||||
memory: "2Gi"
|
||||
cpu: "500m"
|
||||
|
||||
env:
|
||||
NEXT_PUBLIC_APP_URL: "https://simstudio.acme.com"
|
||||
BETTER_AUTH_URL: "https://simstudio.acme.com"
|
||||
BETTER_AUTH_SECRET: "your-secure-production-auth-secret-here"
|
||||
ALLOWED_ORIGINS: "https://simstudio.acme.com"
|
||||
NODE_ENV: "production"
|
||||
|
||||
# Database migrations
|
||||
migrations:
|
||||
enabled: true
|
||||
|
||||
resources:
|
||||
limits:
|
||||
memory: "2Gi"
|
||||
cpu: "1000m"
|
||||
requests:
|
||||
memory: "1Gi"
|
||||
cpu: "500m"
|
||||
|
||||
# PostgreSQL database
|
||||
postgresql:
|
||||
enabled: true
|
||||
|
||||
# Node selector for database pods
|
||||
# Uncomment and customize (recommended: memory-optimized EC2 instances like r5.large):
|
||||
# nodeSelector:
|
||||
# node.kubernetes.io/instance-type: "r5.large"
|
||||
|
||||
# Database authentication (REQUIRED - set secure credentials)
|
||||
auth:
|
||||
username: postgres
|
||||
password: "your-secure-postgres-password"
|
||||
database: simstudio
|
||||
|
||||
# Resource allocation optimized for AWS EKS
|
||||
resources:
|
||||
limits:
|
||||
memory: "4Gi"
|
||||
cpu: "2000m"
|
||||
requests:
|
||||
memory: "2Gi"
|
||||
cpu: "1000m"
|
||||
|
||||
# Persistent storage using AWS EBS volumes
|
||||
persistence:
|
||||
enabled: true
|
||||
storageClass: "gp2" # Use gp2 (default) or create gp3 StorageClass
|
||||
size: 50Gi
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
|
||||
# SSL/TLS configuration (requires cert-manager to be installed)
|
||||
tls:
|
||||
enabled: false # Set to true if cert-manager is installed
|
||||
certificatesSecret: postgres-tls-secret
|
||||
|
||||
# PostgreSQL performance tuning for AWS infrastructure
|
||||
config:
|
||||
maxConnections: 1000
|
||||
sharedBuffers: "2GB"
|
||||
maxWalSize: "8GB"
|
||||
minWalSize: "160MB"
|
||||
|
||||
# Ollama AI models with GPU acceleration (AWS EC2 GPU instances)
|
||||
# Set ollama.enabled: false if you don't need local AI models
|
||||
ollama:
|
||||
enabled: false
|
||||
replicaCount: 1
|
||||
|
||||
# GPU node targeting - uncomment and customize for GPU instances
|
||||
# Recommended: g4dn.xlarge or p3.2xlarge instances
|
||||
# nodeSelector:
|
||||
# node.kubernetes.io/instance-type: "g4dn.xlarge"
|
||||
|
||||
tolerations:
|
||||
- key: "nvidia.com/gpu"
|
||||
operator: "Equal"
|
||||
value: "true"
|
||||
effect: "NoSchedule"
|
||||
|
||||
# GPU resource allocation for AI model serving
|
||||
gpu:
|
||||
enabled: true
|
||||
count: 1
|
||||
|
||||
resources:
|
||||
limits:
|
||||
memory: "16Gi"
|
||||
cpu: "4000m"
|
||||
nvidia.com/gpu: "1"
|
||||
requests:
|
||||
memory: "8Gi"
|
||||
cpu: "2000m"
|
||||
|
||||
# High-performance storage for AI models
|
||||
persistence:
|
||||
enabled: true
|
||||
storageClass: "gp2" # Use gp2 (default) or create gp3 StorageClass
|
||||
size: 100Gi
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
|
||||
env:
|
||||
NVIDIA_DRIVER_CAPABILITIES: "all"
|
||||
OLLAMA_LOAD_TIMEOUT: "-1"
|
||||
OLLAMA_KEEP_ALIVE: "-1"
|
||||
OLLAMA_DEBUG: "1"
|
||||
|
||||
# Ingress using AWS Application Load Balancer (ALB)
|
||||
ingress:
|
||||
enabled: true
|
||||
className: alb
|
||||
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: alb
|
||||
alb.ingress.kubernetes.io/scheme: internet-facing
|
||||
alb.ingress.kubernetes.io/target-type: ip
|
||||
alb.ingress.kubernetes.io/ssl-redirect: "443"
|
||||
alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:us-west-2:123456789012:certificate/your-cert-arn"
|
||||
|
||||
# Main application
|
||||
app:
|
||||
host: simstudio.acme.com
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
|
||||
# Realtime service
|
||||
realtime:
|
||||
host: simstudio-ws.acme.com
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
|
||||
# TLS configuration
|
||||
tls:
|
||||
enabled: true
|
||||
secretName: simstudio-tls-secret
|
||||
|
||||
# Pod disruption budget for high availability
|
||||
podDisruptionBudget:
|
||||
enabled: true
|
||||
minAvailable: null
|
||||
maxUnavailable: 1
|
||||
unhealthyPodEvictionPolicy: AlwaysAllow
|
||||
# Network policies
|
||||
networkPolicy:
|
||||
enabled: true
|
||||
|
||||
# Pod anti-affinity for high availability across AWS Availability Zones
|
||||
affinity:
|
||||
podAntiAffinity:
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
- weight: 100
|
||||
podAffinityTerm:
|
||||
labelSelector:
|
||||
matchExpressions:
|
||||
- key: app.kubernetes.io/name
|
||||
operator: In
|
||||
values: ["simstudio"]
|
||||
topologyKey: kubernetes.io/hostname
|
||||
- weight: 50
|
||||
podAffinityTerm:
|
||||
labelSelector:
|
||||
matchExpressions:
|
||||
- key: app.kubernetes.io/name
|
||||
operator: In
|
||||
values: ["simstudio"]
|
||||
topologyKey: topology.kubernetes.io/zone
|
||||
|
||||
# Service Account with IAM roles for service account (IRSA) integration
|
||||
serviceAccount:
|
||||
create: true
|
||||
annotations:
|
||||
eks.amazonaws.com/role-arn: "arn:aws:iam::123456789012:role/SimStudioServiceRole"
|
||||
# -----------------------------------------------------------------------------
|
||||
# External Secrets Operator (ESO) — recommended for production on AWS
|
||||
# -----------------------------------------------------------------------------
|
||||
# To switch from inline secrets to ESO:
|
||||
# 1. Install external-secrets in the cluster (https://external-secrets.io).
|
||||
# 2. Create a ClusterSecretStore backed by AWS Secrets Manager or
|
||||
# SSM Parameter Store and grant IRSA access from this namespace.
|
||||
# 3. Remove entries from app.env above (or leave them and the chart will
|
||||
# fail-fast naming each unmapped key).
|
||||
# 4. Uncomment the block below and replace the paths with the names of the
|
||||
# secrets in your store.
|
||||
#
|
||||
# externalSecrets:
|
||||
# enabled: true
|
||||
# secretStoreRef:
|
||||
# name: "aws-secret-store" # name of your ClusterSecretStore
|
||||
# kind: "ClusterSecretStore"
|
||||
# remoteRefs:
|
||||
# app:
|
||||
# BETTER_AUTH_SECRET: "sim/app/better-auth-secret"
|
||||
# ENCRYPTION_KEY: "sim/app/encryption-key"
|
||||
# INTERNAL_API_SECRET: "sim/app/internal-api-secret"
|
||||
# CRON_SECRET: "sim/app/cron-secret"
|
||||
# API_ENCRYPTION_KEY: "sim/app/api-encryption-key"
|
||||
# # AWS provider keys — required when not using IRSA for S3/Bedrock.
|
||||
# AWS_ACCESS_KEY_ID: "sim/aws/access-key-id"
|
||||
# AWS_SECRET_ACCESS_KEY: "sim/aws/secret-access-key"
|
||||
# # Add any other keys your deployment needs:
|
||||
# OPENAI_API_KEY: "sim/providers/openai-api-key"
|
||||
# # ANTHROPIC_API_KEY: "sim/providers/anthropic-api-key"
|
||||
# postgresql:
|
||||
# password: "sim/postgresql/password"
|
||||
@@ -0,0 +1,330 @@
|
||||
# values-azure.yaml
|
||||
#
|
||||
# When to use: Azure Kubernetes Service (AKS). Configures managed-csi /
|
||||
# managed-csi-premium storage, NGINX ingress, role-based node targeting,
|
||||
# and NVIDIA GPU node pool tolerations for Ollama.
|
||||
#
|
||||
# Prerequisites:
|
||||
# - AKS cluster (Kubernetes 1.25+)
|
||||
# - NGINX ingress controller installed
|
||||
# - (optional) cert-manager for TLS
|
||||
# - (optional) GPU node pool labeled with role: datalake / accelerator: nvidia
|
||||
#
|
||||
# Install:
|
||||
# helm install sim ./helm/sim \
|
||||
# --namespace sim --create-namespace \
|
||||
# --values ./helm/sim/examples/values-azure.yaml \
|
||||
# --set app.env.BETTER_AUTH_SECRET="$BETTER_AUTH_SECRET" \
|
||||
# --set app.env.ENCRYPTION_KEY="$ENCRYPTION_KEY" \
|
||||
# --set app.env.INTERNAL_API_SECRET="$INTERNAL_API_SECRET" \
|
||||
# --set app.env.CRON_SECRET="$CRON_SECRET" \
|
||||
# --set postgresql.auth.password="$POSTGRES_PASSWORD"
|
||||
#
|
||||
# Choosing a secret strategy
|
||||
# --------------------------
|
||||
# Pick one of three modes — see helm/sim/README.md for details.
|
||||
#
|
||||
# 1. Inline (default below): set values directly in app.env. The chart
|
||||
# writes every key into a chart-managed Secret. Simplest, but stores
|
||||
# plaintext in your values file.
|
||||
#
|
||||
# 2. existingSecret: pre-create a Kubernetes Secret out-of-band and
|
||||
# reference it via app.secrets.existingSecret.name. You are
|
||||
# responsible for ensuring the Secret contains every key your app
|
||||
# needs (BETTER_AUTH_SECRET, ENCRYPTION_KEY, INTERNAL_API_SECRET,
|
||||
# AZURE_OPENAI_API_KEY, AZURE_ACCOUNT_KEY, ...). The chart-managed
|
||||
# Secret is not rendered in this mode, so anything missing from your
|
||||
# Secret will be empty at runtime.
|
||||
#
|
||||
# 3. External Secrets Operator (ESO): sync from Azure Key Vault via the
|
||||
# External Secrets Operator. Map every key via
|
||||
# externalSecrets.remoteRefs.app.<KEY>. The chart fails template
|
||||
# rendering if a key is set in app.env but not mapped — see the
|
||||
# commented ESO block at the bottom of this file.
|
||||
|
||||
# Global configuration
|
||||
global:
|
||||
imageRegistry: "ghcr.io"
|
||||
# Use "managed-csi-premium" for Premium SSD, "managed-csi" for Standard SSD
|
||||
# IMPORTANT: For production, use a StorageClass with reclaimPolicy: Retain
|
||||
# to protect database volumes from accidental deletion.
|
||||
storageClass: "managed-csi"
|
||||
|
||||
# Main application
|
||||
app:
|
||||
enabled: true
|
||||
replicaCount: 2
|
||||
|
||||
# Node selector for application pods
|
||||
# Uncomment and customize based on your AKS node labels:
|
||||
# nodeSelector:
|
||||
# agentpool: "application"
|
||||
|
||||
resources:
|
||||
limits:
|
||||
memory: "4Gi"
|
||||
requests:
|
||||
memory: "2Gi"
|
||||
cpu: "500m"
|
||||
|
||||
# Production URLs (REQUIRED - update with your actual domain names)
|
||||
env:
|
||||
NEXT_PUBLIC_APP_URL: "https://simstudio.acme.com"
|
||||
BETTER_AUTH_URL: "https://simstudio.acme.com"
|
||||
# SOCKET_SERVER_URL is auto-detected (uses internal service http://sim-realtime:3002)
|
||||
NEXT_PUBLIC_SOCKET_URL: "https://simstudio-ws.acme.com" # Public WebSocket URL for browsers
|
||||
|
||||
# Security settings (REQUIRED - replace with your own secure secrets)
|
||||
# Generate using: openssl rand -hex 32
|
||||
BETTER_AUTH_SECRET: "your-secure-production-auth-secret-here"
|
||||
ENCRYPTION_KEY: "your-secure-production-encryption-key-here"
|
||||
INTERNAL_API_SECRET: "your-secure-production-internal-api-secret-here"
|
||||
CRON_SECRET: "your-secure-production-cron-secret-here"
|
||||
|
||||
# Optional: API Key Encryption (RECOMMENDED for production)
|
||||
# Generate 64-character hex string using: openssl rand -hex 32
|
||||
API_ENCRYPTION_KEY: "your-64-char-hex-api-encryption-key-here" # Optional but recommended
|
||||
|
||||
NODE_ENV: "production"
|
||||
NEXT_TELEMETRY_DISABLED: "1"
|
||||
|
||||
# Azure OpenAI / Azure Anthropic (Azure AI Foundry) — set to use server-side credentials.
|
||||
# When NEXT_PUBLIC_AZURE_CONFIGURED is true, the endpoint/key/version fields are hidden in
|
||||
# the Agent block UI so users just pick a model and run.
|
||||
AZURE_OPENAI_ENDPOINT: "" # e.g. https://your-resource.openai.azure.com
|
||||
AZURE_OPENAI_API_KEY: "" # Azure OpenAI API key
|
||||
AZURE_OPENAI_API_VERSION: "" # e.g. 2024-07-01-preview
|
||||
AZURE_ANTHROPIC_ENDPOINT: "" # Azure AI Foundry endpoint for Anthropic models
|
||||
AZURE_ANTHROPIC_API_KEY: "" # Azure Anthropic API key
|
||||
AZURE_ANTHROPIC_API_VERSION: "" # Azure Anthropic API version (e.g., 2023-06-01)
|
||||
NEXT_PUBLIC_AZURE_CONFIGURED: "true" # Set to "true" once credentials are configured above
|
||||
KB_OPENAI_MODEL_NAME: "" # Azure deployment name serving the KB embedding model (used only when AZURE_OPENAI_* is set)
|
||||
WAND_OPENAI_MODEL_NAME: "" # Wand generation model deployment name
|
||||
|
||||
# Azure Mistral OCR (optional — Azure-hosted document OCR for knowledge base processing)
|
||||
OCR_AZURE_ENDPOINT: "" # Azure Mistral OCR service endpoint
|
||||
OCR_AZURE_MODEL_NAME: "" # Azure Mistral OCR model name
|
||||
OCR_AZURE_API_KEY: "" # Azure Mistral OCR API key
|
||||
|
||||
# Email — Azure Communication Services (recommended on Azure; alternative to Resend/SES/SMTP)
|
||||
AZURE_ACS_CONNECTION_STRING: "" # Azure Communication Services connection string
|
||||
|
||||
# Azure Blob Storage Configuration (RECOMMENDED for production)
|
||||
# Create a storage account and containers in your Azure subscription
|
||||
AZURE_ACCOUNT_NAME: "simstudiostorageacct" # Azure storage account name
|
||||
AZURE_ACCOUNT_KEY: "" # Storage account access key
|
||||
# Or use connection string instead of account name/key:
|
||||
# AZURE_CONNECTION_STRING: "DefaultEndpointsProtocol=https;AccountName=...;AccountKey=...;EndpointSuffix=core.windows.net"
|
||||
AZURE_STORAGE_CONTAINER_NAME: "workspace-files" # Workspace files container
|
||||
AZURE_STORAGE_KB_CONTAINER_NAME: "knowledge-base" # Knowledge base documents container
|
||||
AZURE_STORAGE_EXECUTION_FILES_CONTAINER_NAME: "execution-files" # Workflow execution outputs
|
||||
AZURE_STORAGE_CHAT_CONTAINER_NAME: "chat-files" # Deployed chat assets container
|
||||
AZURE_STORAGE_COPILOT_CONTAINER_NAME: "copilot-files" # Copilot attachments container
|
||||
AZURE_STORAGE_PROFILE_PICTURES_CONTAINER_NAME: "profile-pictures" # User avatars container
|
||||
AZURE_STORAGE_OG_IMAGES_CONTAINER_NAME: "og-images" # OpenGraph preview images container
|
||||
AZURE_STORAGE_WORKSPACE_LOGOS_CONTAINER_NAME: "workspace-logos" # Workspace logos container
|
||||
|
||||
# Realtime service
|
||||
realtime:
|
||||
enabled: true
|
||||
replicaCount: 2
|
||||
|
||||
# Node selector for realtime pods
|
||||
# Uncomment and customize based on your AKS node labels:
|
||||
# nodeSelector:
|
||||
# agentpool: "application"
|
||||
|
||||
resources:
|
||||
limits:
|
||||
memory: "4Gi"
|
||||
requests:
|
||||
memory: "1Gi"
|
||||
cpu: "250m"
|
||||
|
||||
env:
|
||||
NEXT_PUBLIC_APP_URL: "https://simstudio.acme.com"
|
||||
BETTER_AUTH_URL: "https://simstudio.acme.com"
|
||||
BETTER_AUTH_SECRET: "your-secure-production-auth-secret-here"
|
||||
ALLOWED_ORIGINS: "https://simstudio.acme.com"
|
||||
NODE_ENV: "production"
|
||||
|
||||
# Database migrations
|
||||
migrations:
|
||||
enabled: true
|
||||
|
||||
# PostgreSQL database
|
||||
postgresql:
|
||||
enabled: true
|
||||
|
||||
# Node selector for database pods
|
||||
# Uncomment and customize (recommended: memory-optimized VM sizes):
|
||||
# nodeSelector:
|
||||
# agentpool: "database"
|
||||
|
||||
# Database authentication (REQUIRED - set secure credentials)
|
||||
auth:
|
||||
username: postgres
|
||||
password: "your-secure-postgres-password"
|
||||
database: simstudio
|
||||
|
||||
# Resource allocation for production workloads
|
||||
resources:
|
||||
limits:
|
||||
memory: "2Gi"
|
||||
requests:
|
||||
memory: "1Gi"
|
||||
cpu: "500m"
|
||||
|
||||
# Persistent storage using Azure Managed Disk
|
||||
persistence:
|
||||
enabled: true
|
||||
storageClass: "managed-csi"
|
||||
size: 10Gi
|
||||
|
||||
# SSL/TLS configuration (requires cert-manager to be installed)
|
||||
tls:
|
||||
enabled: false # Set to true if cert-manager is installed
|
||||
certificatesSecret: postgres-tls-secret
|
||||
|
||||
# PostgreSQL performance tuning for Azure infrastructure
|
||||
config:
|
||||
maxConnections: 1000
|
||||
sharedBuffers: "1280MB"
|
||||
maxWalSize: "4GB"
|
||||
minWalSize: "80MB"
|
||||
|
||||
# Ollama AI models with GPU acceleration (Azure NC-series VMs)
|
||||
# Set ollama.enabled: false if you don't need local AI models
|
||||
ollama:
|
||||
enabled: false
|
||||
replicaCount: 1
|
||||
|
||||
# GPU node targeting - uncomment and customize for GPU node pools
|
||||
# Recommended: NC6s_v3 or NC12s_v3 VMs
|
||||
# nodeSelector:
|
||||
# agentpool: "gpu"
|
||||
|
||||
tolerations:
|
||||
- key: "sku"
|
||||
operator: "Equal"
|
||||
value: "gpu"
|
||||
effect: "NoSchedule"
|
||||
|
||||
# GPU resource allocation for AI model serving
|
||||
gpu:
|
||||
enabled: true
|
||||
count: 1
|
||||
|
||||
resources:
|
||||
limits:
|
||||
memory: "8Gi"
|
||||
nvidia.com/gpu: "1"
|
||||
requests:
|
||||
memory: "4Gi"
|
||||
cpu: "1000m"
|
||||
|
||||
# High-performance storage for AI models (use managed-csi-premium for GPU workloads)
|
||||
persistence:
|
||||
enabled: true
|
||||
storageClass: "managed-csi-premium"
|
||||
size: 100Gi
|
||||
|
||||
env:
|
||||
NVIDIA_DRIVER_CAPABILITIES: "all"
|
||||
OLLAMA_LOAD_TIMEOUT: "-1"
|
||||
OLLAMA_KEEP_ALIVE: "-1"
|
||||
OLLAMA_DEBUG: "1"
|
||||
|
||||
# Ingress configuration
|
||||
ingress:
|
||||
enabled: true
|
||||
className: nginx
|
||||
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
|
||||
|
||||
# Main application
|
||||
app:
|
||||
host: simstudio.acme.com
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
|
||||
# Realtime service
|
||||
realtime:
|
||||
host: simstudio-ws.acme.com
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
|
||||
# TLS configuration
|
||||
tls:
|
||||
enabled: true
|
||||
secretName: simstudio-tls-secret
|
||||
|
||||
# Internal Ingress configuration
|
||||
ingressInternal:
|
||||
enabled: false
|
||||
className: azure-application-gateway
|
||||
|
||||
annotations:
|
||||
appgw.ingress.kubernetes.io/use-private-ip: "true"
|
||||
|
||||
# Main application
|
||||
app:
|
||||
host: simstudio-internal.acme.local
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
|
||||
# Realtime service
|
||||
realtime:
|
||||
host: simstudio-internal.acme.local
|
||||
paths:
|
||||
- path: /socket.io
|
||||
pathType: Prefix
|
||||
|
||||
# TLS configuration
|
||||
tls:
|
||||
enabled: true
|
||||
secretName: simstudio-internal-tls-secret
|
||||
# -----------------------------------------------------------------------------
|
||||
# External Secrets Operator (ESO) — recommended for production on Azure
|
||||
# -----------------------------------------------------------------------------
|
||||
# To switch from inline secrets to ESO:
|
||||
# 1. Install external-secrets in the cluster (https://external-secrets.io).
|
||||
# 2. Create a ClusterSecretStore backed by Azure Key Vault and grant
|
||||
# Workload Identity / managed-identity access from this namespace.
|
||||
# 3. Remove entries from app.env above (or leave them and the chart will
|
||||
# fail-fast naming each unmapped key).
|
||||
# 4. Uncomment the block below and replace the paths with the names of the
|
||||
# secrets in your Key Vault.
|
||||
#
|
||||
# externalSecrets:
|
||||
# enabled: true
|
||||
# secretStoreRef:
|
||||
# name: "azure-keyvault-store" # name of your ClusterSecretStore
|
||||
# kind: "ClusterSecretStore"
|
||||
# remoteRefs:
|
||||
# app:
|
||||
# BETTER_AUTH_SECRET: "sim-better-auth-secret"
|
||||
# ENCRYPTION_KEY: "sim-encryption-key"
|
||||
# INTERNAL_API_SECRET: "sim-internal-api-secret"
|
||||
# CRON_SECRET: "sim-cron-secret"
|
||||
# API_ENCRYPTION_KEY: "sim-api-encryption-key"
|
||||
# # Azure provider keys
|
||||
# AZURE_OPENAI_API_KEY: "sim-azure-openai-api-key"
|
||||
# AZURE_ANTHROPIC_API_KEY: "sim-azure-anthropic-api-key"
|
||||
# AZURE_ACCOUNT_KEY: "sim-azure-storage-account-key"
|
||||
# # Use AZURE_CONNECTION_STRING instead if you prefer a single connection string:
|
||||
# # AZURE_CONNECTION_STRING: "sim-azure-storage-connection-string"
|
||||
# OCR_AZURE_API_KEY: "sim-azure-ocr-api-key"
|
||||
# AZURE_ACS_CONNECTION_STRING: "sim-azure-acs-connection-string"
|
||||
# # Non-secret config (deployment names, endpoints) — still required here: ESO mode requires
|
||||
# # every non-empty app.env key to be mapped, even ones that aren't sensitive.
|
||||
# KB_OPENAI_MODEL_NAME: "sim-kb-openai-model-name"
|
||||
# WAND_OPENAI_MODEL_NAME: "sim-wand-openai-model-name"
|
||||
# OCR_AZURE_ENDPOINT: "sim-azure-ocr-endpoint"
|
||||
# OCR_AZURE_MODEL_NAME: "sim-azure-ocr-model-name"
|
||||
# postgresql:
|
||||
# password: "sim-postgresql-password"
|
||||
@@ -0,0 +1,166 @@
|
||||
# values-copilot.yaml
|
||||
#
|
||||
# When to use: enable the Sim Copilot service (the chat / Mothership backend)
|
||||
# alongside the main app. Provisions a dedicated Copilot Deployment, its own
|
||||
# Postgres StatefulSet, and a migration Job for the Copilot schema.
|
||||
#
|
||||
# Prerequisites: same as the base install. Merge this file with your main
|
||||
# values file (e.g. values-production.yaml) using multiple --values flags.
|
||||
#
|
||||
# Install:
|
||||
# helm install sim ./helm/sim \
|
||||
# --namespace sim --create-namespace \
|
||||
# --values ./helm/sim/examples/values-production.yaml \
|
||||
# --values ./helm/sim/examples/values-copilot.yaml \
|
||||
# --set app.env.BETTER_AUTH_SECRET="$BETTER_AUTH_SECRET" \
|
||||
# --set app.env.ENCRYPTION_KEY="$ENCRYPTION_KEY" \
|
||||
# --set app.env.INTERNAL_API_SECRET="$INTERNAL_API_SECRET" \
|
||||
# --set app.env.CRON_SECRET="$CRON_SECRET" \
|
||||
# --set postgresql.auth.password="$POSTGRES_PASSWORD" \
|
||||
# --set copilot.postgresql.auth.password="$COPILOT_POSTGRES_PASSWORD" \
|
||||
# --set copilot.server.env.AGENT_API_DB_ENCRYPTION_KEY="$AGENT_API_DB_ENCRYPTION_KEY" \
|
||||
# --set copilot.server.env.INTERNAL_API_SECRET="$INTERNAL_API_SECRET" \
|
||||
# --set copilot.server.env.LICENSE_KEY="$COPILOT_LICENSE_KEY" \
|
||||
# --set copilot.server.env.SIM_BASE_URL="https://sim.example.com" \
|
||||
# --set copilot.server.env.SIM_AGENT_API_KEY="$SIM_AGENT_API_KEY" \
|
||||
# --set copilot.server.env.REDIS_URL="redis://default:password@redis:6379" \
|
||||
# --set copilot.server.env.OPENAI_API_KEY_1="$OPENAI_API_KEY"
|
||||
#
|
||||
# All copilot.server.env.* keys above are required when copilot.enabled=true,
|
||||
# plus at least one model provider key (OPENAI_API_KEY_1 or ANTHROPIC_API_KEY_1).
|
||||
# LICENSE_KEY is issued by the Sim team. SIM_AGENT_API_KEY must equal the
|
||||
# COPILOT_API_KEY value on the main app side. SIM_BASE_URL is the public app URL.
|
||||
|
||||
# Enable the copilot service
|
||||
copilot:
|
||||
enabled: true
|
||||
|
||||
# Server configuration
|
||||
server:
|
||||
image:
|
||||
repository: simstudioai/copilot
|
||||
tag: "" # defaults to Chart.AppVersion; override to pin a specific release
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
replicaCount: 2
|
||||
|
||||
# Node scheduling (OPTIONAL)
|
||||
# By default, copilot runs on the same nodes as the main Sim platform
|
||||
nodeSelector: {}
|
||||
# nodeSelector:
|
||||
# workload-type: copilot
|
||||
|
||||
resources:
|
||||
limits:
|
||||
memory: "2Gi"
|
||||
cpu: "1000m"
|
||||
requests:
|
||||
memory: "1Gi"
|
||||
cpu: "500m"
|
||||
|
||||
# Required secrets (set via values or provide your own secret)
|
||||
env:
|
||||
AGENT_API_DB_ENCRYPTION_KEY: "" # openssl rand -hex 32
|
||||
INTERNAL_API_SECRET: "" # reuse Sim INTERNAL_API_SECRET
|
||||
LICENSE_KEY: "" # Provided by Sim team
|
||||
OPENAI_API_KEY_1: "" # At least one provider key required
|
||||
ANTHROPIC_API_KEY_1: "" # Optional secondary provider
|
||||
SIM_BASE_URL: "https://sim.example.com" # Base URL for Sim deployment
|
||||
SIM_AGENT_API_KEY: "" # Must match SIM-side COPILOT_API_KEY
|
||||
REDIS_URL: "redis://default:password@redis:6379"
|
||||
# Optional configuration
|
||||
CORS_ALLOWED_ORIGINS: "https://sim.example.com"
|
||||
OTEL_EXPORTER_OTLP_ENDPOINT: ""
|
||||
|
||||
# Non-secret operational tunables — inlined as plain container env, never go through
|
||||
# the Secret/ExternalSecret, so they don't need externalSecrets.remoteRefs.copilot entries
|
||||
envDefaults:
|
||||
PORT: "8080"
|
||||
SERVICE_NAME: "copilot"
|
||||
ENVIRONMENT: "production"
|
||||
LOG_LEVEL: "info"
|
||||
|
||||
# Create a Secret from the values above. Set create=false to reference an existing secret instead.
|
||||
secret:
|
||||
create: true
|
||||
name: ""
|
||||
annotations: {}
|
||||
|
||||
extraEnv: []
|
||||
extraEnvFrom: []
|
||||
|
||||
service:
|
||||
type: ClusterIP
|
||||
port: 8080
|
||||
targetPort: 8080
|
||||
|
||||
# Internal PostgreSQL database (disable to use an external database)
|
||||
postgresql:
|
||||
enabled: true
|
||||
|
||||
image:
|
||||
repository: postgres
|
||||
tag: 17-alpine
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
auth:
|
||||
username: copilot
|
||||
password: "" # REQUIRED - set via --set copilot.postgresql.auth.password
|
||||
database: copilot
|
||||
|
||||
nodeSelector: {}
|
||||
# nodeSelector:
|
||||
# workload-type: copilot
|
||||
|
||||
resources:
|
||||
limits:
|
||||
memory: "1Gi"
|
||||
cpu: "500m"
|
||||
requests:
|
||||
memory: "512Mi"
|
||||
cpu: "250m"
|
||||
|
||||
persistence:
|
||||
enabled: true
|
||||
size: 10Gi
|
||||
|
||||
# External database configuration (only used when postgresql.enabled=false)
|
||||
database:
|
||||
existingSecretName: ""
|
||||
secretKey: DATABASE_URL
|
||||
url: ""
|
||||
|
||||
# Migration job
|
||||
migrations:
|
||||
enabled: true
|
||||
|
||||
resources:
|
||||
limits:
|
||||
memory: "512Mi"
|
||||
cpu: "500m"
|
||||
requests:
|
||||
memory: "256Mi"
|
||||
cpu: "100m"
|
||||
|
||||
# Optional: Configure ingress to expose copilot service
|
||||
# Uncomment if you need external access to copilot
|
||||
# ingress:
|
||||
# enabled: true
|
||||
# className: nginx
|
||||
# annotations:
|
||||
# cert-manager.io/cluster-issuer: letsencrypt-prod
|
||||
# nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
|
||||
# copilot:
|
||||
# host: copilot.yourdomain.com
|
||||
# paths:
|
||||
# - path: /
|
||||
# pathType: Prefix
|
||||
# tls:
|
||||
# enabled: true
|
||||
# secretName: copilot-tls-secret
|
||||
|
||||
# If using private Docker Hub repository
|
||||
# global:
|
||||
# imagePullSecrets:
|
||||
# - name: dockerhub-secret
|
||||
|
||||
@@ -0,0 +1,132 @@
|
||||
# values-development.yaml
|
||||
#
|
||||
# When to use: local development on kind / minikube / Docker Desktop, or any
|
||||
# throwaway cluster where you don't need HA, TLS, or persistence guarantees.
|
||||
# Minimal resource requests, single replica, no ingress.
|
||||
#
|
||||
# Prerequisites: a working kubectl context.
|
||||
#
|
||||
# Install:
|
||||
# helm install sim-dev ./helm/sim \
|
||||
# --namespace sim-dev --create-namespace \
|
||||
# --values ./helm/sim/examples/values-development.yaml \
|
||||
# --set app.env.BETTER_AUTH_SECRET=$(openssl rand -hex 32) \
|
||||
# --set app.env.ENCRYPTION_KEY=$(openssl rand -hex 32) \
|
||||
# --set app.env.INTERNAL_API_SECRET=$(openssl rand -hex 32) \
|
||||
# --set app.env.CRON_SECRET=$(openssl rand -hex 32) \
|
||||
# --set postgresql.auth.password=$(openssl rand -base64 24 | tr -d '/+=')
|
||||
|
||||
# Global configuration
|
||||
global:
|
||||
imageRegistry: "ghcr.io"
|
||||
|
||||
# Main application
|
||||
app:
|
||||
enabled: true
|
||||
replicaCount: 1
|
||||
|
||||
# Resource allocation for development environment
|
||||
resources:
|
||||
limits:
|
||||
memory: "4Gi"
|
||||
cpu: "2000m"
|
||||
requests:
|
||||
memory: "2Gi"
|
||||
cpu: "1000m"
|
||||
|
||||
# Development URLs
|
||||
env:
|
||||
NEXT_PUBLIC_APP_URL: "http://localhost:3000"
|
||||
BETTER_AUTH_URL: "http://localhost:3000"
|
||||
NEXT_PUBLIC_SOCKET_URL: "http://localhost:3002"
|
||||
|
||||
# Example secrets for development (replace with secure values for production)
|
||||
# For production, generate using: openssl rand -hex 32
|
||||
BETTER_AUTH_SECRET: "dev-32-char-auth-secret-not-secure-dev"
|
||||
ENCRYPTION_KEY: "dev-32-char-encryption-key-not-secure"
|
||||
INTERNAL_API_SECRET: "dev-32-char-internal-secret-not-secure"
|
||||
CRON_SECRET: "dev-32-char-cron-secret-not-for-prod"
|
||||
|
||||
# Optional: API Key Encryption (leave empty for dev, encrypts API keys at rest)
|
||||
# For production, generate 64-char hex using: openssl rand -hex 32
|
||||
API_ENCRYPTION_KEY: "" # Optional - if not set, API keys stored in plain text
|
||||
|
||||
# Realtime service
|
||||
realtime:
|
||||
enabled: true
|
||||
replicaCount: 1
|
||||
|
||||
# Resource allocation for realtime WebSocket service in development
|
||||
resources:
|
||||
limits:
|
||||
memory: "2Gi"
|
||||
cpu: "1000m"
|
||||
requests:
|
||||
memory: "1Gi"
|
||||
cpu: "500m"
|
||||
|
||||
env:
|
||||
NEXT_PUBLIC_APP_URL: "http://localhost:3000"
|
||||
BETTER_AUTH_URL: "http://localhost:3000"
|
||||
BETTER_AUTH_SECRET: "dev-32-char-auth-secret-not-secure-dev"
|
||||
ALLOWED_ORIGINS: "http://localhost:3000"
|
||||
|
||||
# Database migrations
|
||||
migrations:
|
||||
enabled: true
|
||||
|
||||
# PostgreSQL database
|
||||
postgresql:
|
||||
enabled: true
|
||||
|
||||
# Simple authentication for development
|
||||
auth:
|
||||
username: postgres
|
||||
password: "postgres"
|
||||
database: simstudio
|
||||
|
||||
# PostgreSQL with pgvector extension for vector operations
|
||||
image:
|
||||
repository: pgvector/pgvector
|
||||
tag: pg17
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
# Minimal resource allocation for development PostgreSQL
|
||||
resources:
|
||||
limits:
|
||||
memory: "1Gi"
|
||||
cpu: "500m"
|
||||
requests:
|
||||
memory: "512Mi"
|
||||
cpu: "250m"
|
||||
|
||||
# Persistence disabled for easier development (data will be lost on restart)
|
||||
persistence:
|
||||
enabled: false
|
||||
|
||||
# SSL/TLS disabled for local development
|
||||
tls:
|
||||
enabled: false
|
||||
|
||||
# Minimal PostgreSQL configuration for development
|
||||
config:
|
||||
maxConnections: 100
|
||||
sharedBuffers: "256MB"
|
||||
maxWalSize: "1GB"
|
||||
minWalSize: "80MB"
|
||||
|
||||
# Ollama AI models (disabled by default for development)
|
||||
ollama:
|
||||
enabled: false
|
||||
|
||||
# Ingress (disabled for development - use port-forward for local access)
|
||||
ingress:
|
||||
enabled: false
|
||||
|
||||
# Pod disruption budget (disabled for development)
|
||||
podDisruptionBudget:
|
||||
enabled: false
|
||||
|
||||
# Network policies (disabled for development)
|
||||
networkPolicy:
|
||||
enabled: false
|
||||
@@ -0,0 +1,68 @@
|
||||
# values-existing-secret.yaml
|
||||
#
|
||||
# When to use: GitOps workflows where secrets are managed outside Helm via
|
||||
# Sealed Secrets, SOPS, kubeseal, or manual `kubectl create secret`. The
|
||||
# chart references your pre-created Kubernetes Secret objects by name
|
||||
# instead of templating values into a chart-managed Secret.
|
||||
#
|
||||
# Prerequisites:
|
||||
# Create the Secret objects before `helm install`. Example:
|
||||
# kubectl create secret generic my-app-secrets --namespace sim \
|
||||
# --from-literal=BETTER_AUTH_SECRET=$(openssl rand -hex 32) \
|
||||
# --from-literal=ENCRYPTION_KEY=$(openssl rand -hex 32) \
|
||||
# --from-literal=INTERNAL_API_SECRET=$(openssl rand -hex 32) \
|
||||
# --from-literal=CRON_SECRET=$(openssl rand -hex 32)
|
||||
# Full Secret manifests are at the bottom of this file.
|
||||
#
|
||||
# Install:
|
||||
# helm install sim ./helm/sim \
|
||||
# --namespace sim --create-namespace \
|
||||
# --values ./helm/sim/examples/values-existing-secret.yaml
|
||||
|
||||
app:
|
||||
enabled: true
|
||||
replicaCount: 2
|
||||
secrets:
|
||||
existingSecret:
|
||||
enabled: true
|
||||
name: "sim-app-secrets"
|
||||
env:
|
||||
NEXT_PUBLIC_APP_URL: "https://sim.example.com"
|
||||
BETTER_AUTH_URL: "https://sim.example.com"
|
||||
NEXT_PUBLIC_SOCKET_URL: "wss://sim-ws.example.com"
|
||||
NODE_ENV: "production"
|
||||
|
||||
realtime:
|
||||
enabled: true
|
||||
replicaCount: 2
|
||||
env:
|
||||
NEXT_PUBLIC_APP_URL: "https://sim.example.com"
|
||||
BETTER_AUTH_URL: "https://sim.example.com"
|
||||
ALLOWED_ORIGINS: "https://sim.example.com"
|
||||
NODE_ENV: "production"
|
||||
|
||||
postgresql:
|
||||
enabled: true
|
||||
auth:
|
||||
username: postgres
|
||||
database: sim
|
||||
existingSecret:
|
||||
enabled: true
|
||||
name: "sim-postgresql-secret"
|
||||
passwordKey: "POSTGRES_PASSWORD"
|
||||
|
||||
# ---
|
||||
# Create secrets before installing:
|
||||
# ---
|
||||
|
||||
# kubectl create secret generic sim-app-secrets \
|
||||
# --namespace sim \
|
||||
# --from-literal=BETTER_AUTH_SECRET="$(openssl rand -hex 32)" \
|
||||
# --from-literal=ENCRYPTION_KEY="$(openssl rand -hex 32)" \
|
||||
# --from-literal=INTERNAL_API_SECRET="$(openssl rand -hex 32)" \
|
||||
# --from-literal=CRON_SECRET="$(openssl rand -hex 32)" \
|
||||
# --from-literal=API_ENCRYPTION_KEY="$(openssl rand -hex 32)"
|
||||
|
||||
# kubectl create secret generic sim-postgresql-secret \
|
||||
# --namespace sim \
|
||||
# --from-literal=POSTGRES_PASSWORD="$(openssl rand -base64 16 | tr -d '/+=')"
|
||||
@@ -0,0 +1,187 @@
|
||||
# values-external-db.yaml
|
||||
#
|
||||
# When to use: production deployments that use a managed Postgres service
|
||||
# (AWS RDS, Azure Database for PostgreSQL, Google Cloud SQL, Neon, Supabase)
|
||||
# instead of the chart's in-cluster Postgres StatefulSet. The in-cluster
|
||||
# Postgres is disabled (postgresql.enabled=false).
|
||||
#
|
||||
# Prerequisites:
|
||||
# - A reachable managed Postgres instance with pgvector extension available
|
||||
# - DB credentials provisioned (user, password, database)
|
||||
# - Network reachability from the cluster (peering, private link, or public
|
||||
# endpoint with TLS)
|
||||
#
|
||||
# Install:
|
||||
# helm install sim ./helm/sim \
|
||||
# --namespace sim --create-namespace \
|
||||
# --values ./helm/sim/examples/values-external-db.yaml \
|
||||
# --set externalDatabase.host=your-db.example.com \
|
||||
# --set externalDatabase.username=simstudio_user \
|
||||
# --set externalDatabase.password="$DB_PASSWORD" \
|
||||
# --set externalDatabase.database=simstudio_prod \
|
||||
# --set app.env.BETTER_AUTH_SECRET="$BETTER_AUTH_SECRET" \
|
||||
# --set app.env.ENCRYPTION_KEY="$ENCRYPTION_KEY" \
|
||||
# --set app.env.INTERNAL_API_SECRET="$INTERNAL_API_SECRET"
|
||||
|
||||
# Global configuration
|
||||
global:
|
||||
imageRegistry: "ghcr.io"
|
||||
|
||||
# Main application
|
||||
app:
|
||||
enabled: true
|
||||
replicaCount: 2
|
||||
|
||||
resources:
|
||||
limits:
|
||||
memory: "4Gi"
|
||||
cpu: "2000m"
|
||||
requests:
|
||||
memory: "2Gi"
|
||||
cpu: "1000m"
|
||||
|
||||
env:
|
||||
NEXT_PUBLIC_APP_URL: "https://simstudio.acme.com"
|
||||
BETTER_AUTH_URL: "https://simstudio.acme.com"
|
||||
SOCKET_SERVER_URL: "https://simstudio-ws.acme.com"
|
||||
NEXT_PUBLIC_SOCKET_URL: "https://simstudio-ws.acme.com"
|
||||
|
||||
# Security settings (REQUIRED - replace with your own secure secrets)
|
||||
# Generate using: openssl rand -hex 32
|
||||
BETTER_AUTH_SECRET: "" # Set via --set flag or external secret manager
|
||||
ENCRYPTION_KEY: "" # Set via --set flag or external secret manager
|
||||
INTERNAL_API_SECRET: "" # Set via --set flag or external secret manager
|
||||
CRON_SECRET: "" # Set via --set flag or external secret manager
|
||||
|
||||
# Optional: API Key Encryption (RECOMMENDED for production)
|
||||
# Generate 64-character hex string using: openssl rand -hex 32
|
||||
API_ENCRYPTION_KEY: "" # Optional but recommended - encrypts API keys at rest
|
||||
|
||||
NODE_ENV: "production"
|
||||
NEXT_TELEMETRY_DISABLED: "1"
|
||||
|
||||
# Realtime service
|
||||
realtime:
|
||||
enabled: true
|
||||
replicaCount: 2
|
||||
|
||||
resources:
|
||||
limits:
|
||||
memory: "4Gi"
|
||||
cpu: "1000m"
|
||||
requests:
|
||||
memory: "2Gi"
|
||||
cpu: "500m"
|
||||
|
||||
env:
|
||||
NEXT_PUBLIC_APP_URL: "https://simstudio.acme.com"
|
||||
BETTER_AUTH_URL: "https://simstudio.acme.com"
|
||||
BETTER_AUTH_SECRET: "" # Must match main app secret - set via --set flag
|
||||
ALLOWED_ORIGINS: "https://simstudio.acme.com"
|
||||
NODE_ENV: "production"
|
||||
|
||||
# Database migrations
|
||||
migrations:
|
||||
enabled: true
|
||||
|
||||
resources:
|
||||
limits:
|
||||
memory: "2Gi"
|
||||
cpu: "1000m"
|
||||
requests:
|
||||
memory: "1Gi"
|
||||
cpu: "500m"
|
||||
|
||||
# Disable internal PostgreSQL
|
||||
postgresql:
|
||||
enabled: false
|
||||
|
||||
# Configure external database connection
|
||||
externalDatabase:
|
||||
enabled: true
|
||||
|
||||
# Database connection details (REQUIRED - configure for your external database)
|
||||
host: "" # Database hostname (e.g., "postgres.acme.com" or RDS endpoint)
|
||||
port: 5432
|
||||
username: "" # Database username (e.g., "simstudio_user")
|
||||
password: "" # Database password - set via --set flag or external secret
|
||||
database: "" # Database name (e.g., "simstudio_production")
|
||||
|
||||
# SSL mode for database connections (recommended: 'require' for production)
|
||||
sslMode: "require" # Options: disable, allow, prefer, require, verify-ca, verify-full
|
||||
|
||||
# Ollama (optional for AI models)
|
||||
ollama:
|
||||
enabled: false
|
||||
|
||||
# Ingress configuration
|
||||
ingress:
|
||||
enabled: true
|
||||
className: nginx
|
||||
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
|
||||
cert-manager.io/cluster-issuer: "letsencrypt-prod"
|
||||
|
||||
app:
|
||||
host: simstudio.acme.com
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
|
||||
realtime:
|
||||
host: simstudio-ws.acme.com
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
|
||||
tls:
|
||||
enabled: true
|
||||
secretName: simstudio-tls-secret
|
||||
|
||||
# Production-ready features (autoscaling, monitoring, etc.)
|
||||
autoscaling:
|
||||
enabled: true
|
||||
minReplicas: 2
|
||||
maxReplicas: 20
|
||||
targetCPUUtilizationPercentage: 70
|
||||
targetMemoryUtilizationPercentage: 80
|
||||
|
||||
podDisruptionBudget:
|
||||
enabled: true
|
||||
minAvailable: null
|
||||
maxUnavailable: 1
|
||||
unhealthyPodEvictionPolicy: AlwaysAllow
|
||||
monitoring:
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
labels:
|
||||
monitoring: "prometheus"
|
||||
interval: 15s
|
||||
|
||||
networkPolicy:
|
||||
enabled: true
|
||||
# Custom egress rules to allow database connectivity to an external DB.
|
||||
# The chart's app/realtime NetworkPolicies already permit egress to
|
||||
# `postgresql.service.targetPort` when `postgresql.enabled=true`. For an
|
||||
# external DB on a different port (or off-cluster), append to extraRules.
|
||||
egress:
|
||||
extraRules:
|
||||
- to: []
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 5432
|
||||
|
||||
# Example deployment command with secure secret generation:
|
||||
# helm install sim ./helm/sim \
|
||||
# --values ./helm/sim/examples/values-external-db.yaml \
|
||||
# --set externalDatabase.host="your-db-host.com" \
|
||||
# --set externalDatabase.username="your-db-user" \
|
||||
# --set externalDatabase.password="your-db-password" \
|
||||
# --set externalDatabase.database="your-db-name" \
|
||||
# --set app.env.BETTER_AUTH_SECRET="$(openssl rand -hex 32)" \
|
||||
# --set app.env.ENCRYPTION_KEY="$(openssl rand -hex 32)" \
|
||||
# --set app.env.INTERNAL_API_SECRET="$(openssl rand -hex 32)" \
|
||||
# --set app.env.CRON_SECRET="$(openssl rand -hex 32)" \
|
||||
# --set app.env.API_ENCRYPTION_KEY="$(openssl rand -hex 32)" \
|
||||
# --set realtime.env.BETTER_AUTH_SECRET="$(openssl rand -hex 32)"
|
||||
@@ -0,0 +1,123 @@
|
||||
# values-external-secrets.yaml
|
||||
#
|
||||
# When to use: production deployments where secrets live in an external store
|
||||
# (Azure Key Vault, AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager)
|
||||
# and you want External Secrets Operator (ESO) to sync them into Kubernetes
|
||||
# Secrets that the chart consumes.
|
||||
#
|
||||
# Prerequisites:
|
||||
# 1. Install ESO once per cluster:
|
||||
# helm repo add external-secrets https://charts.external-secrets.io
|
||||
# helm install external-secrets external-secrets/external-secrets \
|
||||
# -n external-secrets --create-namespace
|
||||
# 2. Create a SecretStore or ClusterSecretStore for your provider — see
|
||||
# example manifests at the bottom of this file.
|
||||
# 3. Pre-populate your remote store with the secret keys referenced in
|
||||
# externalSecrets.remoteRefs below.
|
||||
#
|
||||
# Install:
|
||||
# helm install sim ./helm/sim \
|
||||
# --namespace sim --create-namespace \
|
||||
# --values ./helm/sim/examples/values-external-secrets.yaml
|
||||
|
||||
externalSecrets:
|
||||
enabled: true
|
||||
apiVersion: "v1"
|
||||
refreshInterval: "1h"
|
||||
secretStoreRef:
|
||||
name: "sim-secret-store"
|
||||
kind: "ClusterSecretStore"
|
||||
remoteRefs:
|
||||
app:
|
||||
BETTER_AUTH_SECRET: "sim/app/better-auth-secret"
|
||||
ENCRYPTION_KEY: "sim/app/encryption-key"
|
||||
INTERNAL_API_SECRET: "sim/app/internal-api-secret"
|
||||
CRON_SECRET: "sim/app/cron-secret"
|
||||
API_ENCRYPTION_KEY: "sim/app/api-encryption-key"
|
||||
postgresql:
|
||||
password: "sim/postgresql/password"
|
||||
# Only needed when copilot.enabled=true and copilot.server.secret.create=true
|
||||
# (uncomment and pre-populate the referenced paths in your secret store):
|
||||
# copilot:
|
||||
# AGENT_API_DB_ENCRYPTION_KEY: "sim/copilot/agent-api-db-encryption-key"
|
||||
# INTERNAL_API_SECRET: "sim/copilot/internal-api-secret"
|
||||
# LICENSE_KEY: "sim/copilot/license-key"
|
||||
# SIM_BASE_URL: "sim/copilot/sim-base-url"
|
||||
# SIM_AGENT_API_KEY: "sim/copilot/sim-agent-api-key"
|
||||
# REDIS_URL: "sim/copilot/redis-url"
|
||||
# OPENAI_API_KEY_1: "sim/copilot/openai-api-key"
|
||||
|
||||
app:
|
||||
enabled: true
|
||||
replicaCount: 2
|
||||
# In ESO mode, app.env may only contain keys that are also mapped under
|
||||
# externalSecrets.remoteRefs.app (the chart-managed Secret is not rendered,
|
||||
# so any unmapped value would silently go nowhere). Non-secret URL/config
|
||||
# belongs in envDefaults — those are inlined on the container as `env:`
|
||||
# and don't flow through the Secret.
|
||||
envDefaults:
|
||||
NEXT_PUBLIC_APP_URL: "https://sim.example.com"
|
||||
BETTER_AUTH_URL: "https://sim.example.com"
|
||||
NEXT_PUBLIC_SOCKET_URL: "wss://sim-ws.example.com"
|
||||
NODE_ENV: "production"
|
||||
|
||||
realtime:
|
||||
enabled: true
|
||||
replicaCount: 2
|
||||
envDefaults:
|
||||
NEXT_PUBLIC_APP_URL: "https://sim.example.com"
|
||||
BETTER_AUTH_URL: "https://sim.example.com"
|
||||
ALLOWED_ORIGINS: "https://sim.example.com"
|
||||
NODE_ENV: "production"
|
||||
|
||||
postgresql:
|
||||
enabled: true
|
||||
auth:
|
||||
username: postgres
|
||||
database: sim
|
||||
|
||||
# ---
|
||||
# SecretStore Examples (apply one of these to your cluster before installing)
|
||||
# ---
|
||||
|
||||
# Azure Key Vault (Workload Identity):
|
||||
# apiVersion: external-secrets.io/v1beta1
|
||||
# kind: ClusterSecretStore
|
||||
# metadata:
|
||||
# name: sim-secret-store
|
||||
# spec:
|
||||
# provider:
|
||||
# azurekv:
|
||||
# authType: WorkloadIdentity
|
||||
# vaultUrl: "https://your-keyvault.vault.azure.net"
|
||||
# serviceAccountRef:
|
||||
# name: external-secrets-sa
|
||||
# namespace: external-secrets
|
||||
|
||||
# AWS Secrets Manager (IRSA):
|
||||
# apiVersion: external-secrets.io/v1beta1
|
||||
# kind: ClusterSecretStore
|
||||
# metadata:
|
||||
# name: sim-secret-store
|
||||
# spec:
|
||||
# provider:
|
||||
# aws:
|
||||
# service: SecretsManager
|
||||
# region: us-east-1
|
||||
# role: arn:aws:iam::123456789012:role/external-secrets-role
|
||||
|
||||
# HashiCorp Vault (Kubernetes Auth):
|
||||
# apiVersion: external-secrets.io/v1beta1
|
||||
# kind: ClusterSecretStore
|
||||
# metadata:
|
||||
# name: sim-secret-store
|
||||
# spec:
|
||||
# provider:
|
||||
# vault:
|
||||
# server: "https://vault.example.com"
|
||||
# path: "secret"
|
||||
# version: "v2"
|
||||
# auth:
|
||||
# kubernetes:
|
||||
# mountPath: "kubernetes"
|
||||
# role: "external-secrets"
|
||||
@@ -0,0 +1,333 @@
|
||||
# values-gcp.yaml
|
||||
#
|
||||
# When to use: Google Kubernetes Engine (GKE). Configures Persistent Disk
|
||||
# storage, Google Cloud Load Balancer with managed certs, Workload Identity
|
||||
# annotations, and Tesla T4/V100 GPU node selectors for Ollama.
|
||||
#
|
||||
# Prerequisites:
|
||||
# - GKE cluster (Kubernetes 1.25+)
|
||||
# - Workload Identity enabled (for IAM-bound ServiceAccount)
|
||||
# - (optional) Managed certificate or cert-manager for TLS
|
||||
# - (optional) GPU node pool with accelerator labels for Ollama
|
||||
#
|
||||
# Install:
|
||||
# helm install sim ./helm/sim \
|
||||
# --namespace sim --create-namespace \
|
||||
# --values ./helm/sim/examples/values-gcp.yaml \
|
||||
# --set app.env.BETTER_AUTH_SECRET="$BETTER_AUTH_SECRET" \
|
||||
# --set app.env.ENCRYPTION_KEY="$ENCRYPTION_KEY" \
|
||||
# --set app.env.INTERNAL_API_SECRET="$INTERNAL_API_SECRET" \
|
||||
# --set app.env.CRON_SECRET="$CRON_SECRET" \
|
||||
# --set postgresql.auth.password="$POSTGRES_PASSWORD"
|
||||
#
|
||||
# Choosing a secret strategy
|
||||
# --------------------------
|
||||
# Pick one of three modes — see helm/sim/README.md for details.
|
||||
#
|
||||
# 1. Inline (default below): set values directly in app.env. The chart
|
||||
# writes every key into a chart-managed Secret. Simplest, but stores
|
||||
# plaintext in your values file.
|
||||
#
|
||||
# 2. existingSecret: pre-create a Kubernetes Secret out-of-band and
|
||||
# reference it via app.secrets.existingSecret.name. You are
|
||||
# responsible for ensuring the Secret contains every key your app
|
||||
# needs (BETTER_AUTH_SECRET, ENCRYPTION_KEY, INTERNAL_API_SECRET,
|
||||
# OPENAI_API_KEY, ...). The chart-managed Secret is not rendered in
|
||||
# this mode, so anything missing from your Secret will be empty at
|
||||
# runtime.
|
||||
#
|
||||
# 3. External Secrets Operator (ESO): sync from Google Secret Manager
|
||||
# via the External Secrets Operator. Map every key via
|
||||
# externalSecrets.remoteRefs.app.<KEY>. The chart fails template
|
||||
# rendering if a key is set in app.env but not mapped — see the
|
||||
# commented ESO block at the bottom of this file.
|
||||
|
||||
# Global configuration
|
||||
global:
|
||||
imageRegistry: "ghcr.io"
|
||||
storageClass: "standard-rwo"
|
||||
|
||||
# Main application
|
||||
app:
|
||||
enabled: true
|
||||
replicaCount: 2
|
||||
|
||||
# Node selector for application pods
|
||||
# Uncomment and customize based on your GKE node labels:
|
||||
# nodeSelector:
|
||||
# cloud.google.com/gke-nodepool: "default-pool"
|
||||
|
||||
resources:
|
||||
limits:
|
||||
memory: "4Gi"
|
||||
cpu: "2000m"
|
||||
requests:
|
||||
memory: "2Gi"
|
||||
cpu: "1000m"
|
||||
|
||||
# Production URLs (REQUIRED - update with your actual domain names)
|
||||
env:
|
||||
NEXT_PUBLIC_APP_URL: "https://simstudio.acme.com"
|
||||
BETTER_AUTH_URL: "https://simstudio.acme.com"
|
||||
# SOCKET_SERVER_URL is auto-detected (uses internal service http://sim-realtime:3002)
|
||||
NEXT_PUBLIC_SOCKET_URL: "https://simstudio-ws.acme.com" # Public WebSocket URL for browsers
|
||||
|
||||
# Security settings (REQUIRED - replace with your own secure secrets)
|
||||
# Generate using: openssl rand -hex 32
|
||||
BETTER_AUTH_SECRET: "your-secure-production-auth-secret-here"
|
||||
ENCRYPTION_KEY: "your-secure-production-encryption-key-here"
|
||||
INTERNAL_API_SECRET: "your-secure-production-internal-api-secret-here"
|
||||
CRON_SECRET: "your-secure-production-cron-secret-here"
|
||||
|
||||
# Optional: API Key Encryption (RECOMMENDED for production)
|
||||
# Generate 64-character hex string using: openssl rand -hex 32
|
||||
API_ENCRYPTION_KEY: "your-64-char-hex-api-encryption-key-here" # Optional but recommended
|
||||
|
||||
NODE_ENV: "production"
|
||||
NEXT_TELEMETRY_DISABLED: "1"
|
||||
|
||||
# GCP-specific environment variables
|
||||
GOOGLE_CLOUD_PROJECT: "your-project-id"
|
||||
GOOGLE_CLOUD_REGION: "us-central1"
|
||||
|
||||
# Realtime service
|
||||
realtime:
|
||||
enabled: true
|
||||
replicaCount: 2
|
||||
|
||||
# Node selector for realtime pods
|
||||
# Uncomment and customize based on your GKE node labels:
|
||||
# nodeSelector:
|
||||
# cloud.google.com/gke-nodepool: "default-pool"
|
||||
|
||||
resources:
|
||||
limits:
|
||||
memory: "4Gi"
|
||||
cpu: "1000m"
|
||||
requests:
|
||||
memory: "2Gi"
|
||||
cpu: "500m"
|
||||
|
||||
env:
|
||||
NEXT_PUBLIC_APP_URL: "https://simstudio.acme.com"
|
||||
BETTER_AUTH_URL: "https://simstudio.acme.com"
|
||||
BETTER_AUTH_SECRET: "your-secure-production-auth-secret-here"
|
||||
ALLOWED_ORIGINS: "https://simstudio.acme.com"
|
||||
NODE_ENV: "production"
|
||||
|
||||
# Database migrations
|
||||
migrations:
|
||||
enabled: true
|
||||
|
||||
resources:
|
||||
limits:
|
||||
memory: "2Gi"
|
||||
cpu: "1000m"
|
||||
requests:
|
||||
memory: "1Gi"
|
||||
cpu: "500m"
|
||||
|
||||
# PostgreSQL database
|
||||
postgresql:
|
||||
enabled: true
|
||||
|
||||
# Node selector for database pods
|
||||
# Uncomment and customize (recommended: memory-optimized machine types):
|
||||
# nodeSelector:
|
||||
# cloud.google.com/gke-nodepool: "database-pool"
|
||||
|
||||
# Database authentication (REQUIRED - set secure credentials)
|
||||
auth:
|
||||
username: postgres
|
||||
password: "your-secure-postgres-password"
|
||||
database: simstudio
|
||||
|
||||
# Resource allocation optimized for GKE
|
||||
resources:
|
||||
limits:
|
||||
memory: "4Gi"
|
||||
cpu: "2000m"
|
||||
requests:
|
||||
memory: "2Gi"
|
||||
cpu: "1000m"
|
||||
|
||||
# Persistent storage using Google Cloud Persistent Disk
|
||||
persistence:
|
||||
enabled: true
|
||||
storageClass: "standard-rwo"
|
||||
size: 50Gi
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
|
||||
# SSL/TLS configuration (requires cert-manager to be installed)
|
||||
tls:
|
||||
enabled: false # Set to true if cert-manager is installed
|
||||
certificatesSecret: postgres-tls-secret
|
||||
|
||||
# PostgreSQL performance tuning for GCP infrastructure
|
||||
config:
|
||||
maxConnections: 1000
|
||||
sharedBuffers: "2GB"
|
||||
maxWalSize: "8GB"
|
||||
minWalSize: "160MB"
|
||||
|
||||
# Ollama AI models with GPU acceleration (GCP GPU instances)
|
||||
# Set ollama.enabled: false if you don't need local AI models
|
||||
ollama:
|
||||
enabled: false
|
||||
replicaCount: 1
|
||||
|
||||
# GPU node targeting - uncomment and customize for GPU node pools
|
||||
# Recommended: T4 or V100 GPU instances
|
||||
# nodeSelector:
|
||||
# cloud.google.com/gke-nodepool: "gpu-pool"
|
||||
# cloud.google.com/gke-accelerator: "nvidia-tesla-t4"
|
||||
|
||||
tolerations:
|
||||
- key: "nvidia.com/gpu"
|
||||
operator: "Equal"
|
||||
value: "present"
|
||||
effect: "NoSchedule"
|
||||
|
||||
# GPU resource allocation for AI model serving
|
||||
gpu:
|
||||
enabled: true
|
||||
count: 1
|
||||
|
||||
resources:
|
||||
limits:
|
||||
memory: "16Gi"
|
||||
cpu: "4000m"
|
||||
nvidia.com/gpu: "1"
|
||||
requests:
|
||||
memory: "8Gi"
|
||||
cpu: "2000m"
|
||||
|
||||
# High-performance SSD storage for AI models
|
||||
persistence:
|
||||
enabled: true
|
||||
storageClass: "premium-rwo"
|
||||
size: 100Gi
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
|
||||
env:
|
||||
NVIDIA_DRIVER_CAPABILITIES: "all"
|
||||
OLLAMA_LOAD_TIMEOUT: "-1"
|
||||
OLLAMA_KEEP_ALIVE: "-1"
|
||||
OLLAMA_DEBUG: "1"
|
||||
|
||||
# Ingress using Google Cloud Load Balancer
|
||||
ingress:
|
||||
enabled: true
|
||||
className: gce
|
||||
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: gce
|
||||
kubernetes.io/ingress.global-static-ip-name: "simstudio-ip"
|
||||
networking.gke.io/managed-certificates: "simstudio-ssl-cert"
|
||||
kubernetes.io/ingress.allow-http: "false"
|
||||
|
||||
# Main application
|
||||
app:
|
||||
host: simstudio.acme.com
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
|
||||
# Realtime service
|
||||
realtime:
|
||||
host: simstudio-ws.acme.com
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
|
||||
# TLS configuration
|
||||
tls:
|
||||
enabled: true
|
||||
secretName: simstudio-tls-secret
|
||||
|
||||
# Pod disruption budget for high availability
|
||||
podDisruptionBudget:
|
||||
enabled: true
|
||||
minAvailable: null
|
||||
maxUnavailable: 1
|
||||
unhealthyPodEvictionPolicy: AlwaysAllow
|
||||
# Network policies
|
||||
networkPolicy:
|
||||
enabled: true
|
||||
|
||||
# Pod anti-affinity for high availability across GCP zones
|
||||
affinity:
|
||||
podAntiAffinity:
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
- weight: 100
|
||||
podAffinityTerm:
|
||||
labelSelector:
|
||||
matchExpressions:
|
||||
- key: app.kubernetes.io/name
|
||||
operator: In
|
||||
values: ["simstudio"]
|
||||
topologyKey: kubernetes.io/hostname
|
||||
- weight: 50
|
||||
podAffinityTerm:
|
||||
labelSelector:
|
||||
matchExpressions:
|
||||
- key: app.kubernetes.io/name
|
||||
operator: In
|
||||
values: ["simstudio"]
|
||||
topologyKey: topology.gke.io/zone
|
||||
|
||||
# Service Account with Workload Identity integration
|
||||
serviceAccount:
|
||||
create: true
|
||||
annotations:
|
||||
iam.gke.io/gcp-service-account: "simstudio@your-project-id.iam.gserviceaccount.com"
|
||||
|
||||
# Additional environment variables for GCP service integration
|
||||
extraEnvVars:
|
||||
- name: GOOGLE_APPLICATION_CREDENTIALS
|
||||
value: "/var/secrets/google/key.json"
|
||||
|
||||
# Additional volumes for service account credentials
|
||||
extraVolumes:
|
||||
- name: google-cloud-key
|
||||
secret:
|
||||
secretName: google-service-account-key
|
||||
|
||||
extraVolumeMounts:
|
||||
- name: google-cloud-key
|
||||
mountPath: /var/secrets/google
|
||||
readOnly: true
|
||||
# -----------------------------------------------------------------------------
|
||||
# External Secrets Operator (ESO) — recommended for production on GCP
|
||||
# -----------------------------------------------------------------------------
|
||||
# To switch from inline secrets to ESO:
|
||||
# 1. Install external-secrets in the cluster (https://external-secrets.io).
|
||||
# 2. Create a ClusterSecretStore backed by Google Secret Manager and bind
|
||||
# Workload Identity from this namespace's ServiceAccount.
|
||||
# 3. Remove entries from app.env above (or leave them and the chart will
|
||||
# fail-fast naming each unmapped key).
|
||||
# 4. Uncomment the block below and replace the paths with the names of the
|
||||
# secrets in your project.
|
||||
#
|
||||
# externalSecrets:
|
||||
# enabled: true
|
||||
# secretStoreRef:
|
||||
# name: "gcp-secret-store" # name of your ClusterSecretStore
|
||||
# kind: "ClusterSecretStore"
|
||||
# remoteRefs:
|
||||
# app:
|
||||
# BETTER_AUTH_SECRET: "sim-better-auth-secret"
|
||||
# ENCRYPTION_KEY: "sim-encryption-key"
|
||||
# INTERNAL_API_SECRET: "sim-internal-api-secret"
|
||||
# CRON_SECRET: "sim-cron-secret"
|
||||
# API_ENCRYPTION_KEY: "sim-api-encryption-key"
|
||||
# # Provider keys typical for a GCP deployment. Vertex AI auth is
|
||||
# # usually handled by Workload Identity, so VERTEX_CREDENTIALS is
|
||||
# # only needed when running outside the GCP credential chain.
|
||||
# OPENAI_API_KEY: "sim-openai-api-key"
|
||||
# # ANTHROPIC_API_KEY: "sim-anthropic-api-key"
|
||||
# # VERTEX_CREDENTIALS: "sim-vertex-credentials-json"
|
||||
# postgresql:
|
||||
# password: "sim-postgresql-password"
|
||||
@@ -0,0 +1,245 @@
|
||||
# values-production.yaml
|
||||
#
|
||||
# When to use: generic production deployment on any cluster. Enables HA
|
||||
# (replicaCount > 1, PDB), NetworkPolicy, HPA, ServiceMonitor, and
|
||||
# PSS-restricted security defaults.
|
||||
#
|
||||
# Prerequisites:
|
||||
# - A premium StorageClass with reclaimPolicy: Retain
|
||||
# - cert-manager (for TLS) or pre-provisioned certs
|
||||
# - ingress-nginx (or equivalent) for ingress
|
||||
# - metrics-server in the cluster (HPA)
|
||||
# - (recommended) Prometheus Operator for ServiceMonitor
|
||||
# - (recommended) External Secrets Operator — see values-external-secrets.yaml
|
||||
#
|
||||
# Install:
|
||||
# helm install sim ./helm/sim \
|
||||
# --namespace sim --create-namespace \
|
||||
# --values ./helm/sim/examples/values-production.yaml \
|
||||
# --set app.env.BETTER_AUTH_SECRET="$BETTER_AUTH_SECRET" \
|
||||
# --set app.env.ENCRYPTION_KEY="$ENCRYPTION_KEY" \
|
||||
# --set app.env.INTERNAL_API_SECRET="$INTERNAL_API_SECRET" \
|
||||
# --set app.env.CRON_SECRET="$CRON_SECRET" \
|
||||
# --set postgresql.auth.password="$POSTGRES_PASSWORD"
|
||||
|
||||
# Global configuration
|
||||
global:
|
||||
imageRegistry: "ghcr.io"
|
||||
# For production, use a StorageClass with reclaimPolicy: Retain
|
||||
storageClass: "managed-csi-premium"
|
||||
|
||||
# Main application
|
||||
app:
|
||||
enabled: true
|
||||
replicaCount: 2
|
||||
|
||||
resources:
|
||||
limits:
|
||||
memory: "8Gi"
|
||||
cpu: "2000m"
|
||||
requests:
|
||||
memory: "6Gi"
|
||||
cpu: "1000m"
|
||||
|
||||
# Production URLs (REQUIRED - update with your actual domain names)
|
||||
env:
|
||||
NEXT_PUBLIC_APP_URL: "https://sim.acme.ai"
|
||||
BETTER_AUTH_URL: "https://sim.acme.ai"
|
||||
SOCKET_SERVER_URL: "https://sim-ws.acme.ai"
|
||||
NEXT_PUBLIC_SOCKET_URL: "https://sim-ws.acme.ai"
|
||||
|
||||
# Security settings (REQUIRED - replace with your own secure secrets)
|
||||
# Generate using: openssl rand -hex 32
|
||||
BETTER_AUTH_SECRET: "your-production-auth-secret-here"
|
||||
ENCRYPTION_KEY: "your-production-encryption-key-here"
|
||||
INTERNAL_API_SECRET: "your-production-internal-api-secret-here"
|
||||
CRON_SECRET: "your-production-cron-secret-here"
|
||||
|
||||
# Optional: API Key Encryption (RECOMMENDED for production)
|
||||
# Generate 64-character hex string using: openssl rand -hex 32
|
||||
API_ENCRYPTION_KEY: "your-64-char-hex-api-encryption-key-here" # Optional but recommended
|
||||
|
||||
# Email verification (set to true if you want to require email verification)
|
||||
EMAIL_VERIFICATION_ENABLED: "false"
|
||||
|
||||
# Optional third-party service integrations (configure as needed)
|
||||
RESEND_API_KEY: "your-resend-api-key"
|
||||
GOOGLE_CLIENT_ID: "your-google-client-id"
|
||||
GOOGLE_CLIENT_SECRET: "your-google-client-secret"
|
||||
# DISABLE_GOOGLE_AUTH: "true" # Uncomment to hide Google OAuth login
|
||||
# DISABLE_GITHUB_AUTH: "true" # Uncomment to hide GitHub OAuth login
|
||||
|
||||
# Realtime service
|
||||
realtime:
|
||||
enabled: true
|
||||
replicaCount: 2
|
||||
|
||||
resources:
|
||||
limits:
|
||||
memory: "1Gi"
|
||||
cpu: "500m"
|
||||
requests:
|
||||
memory: "512Mi"
|
||||
cpu: "250m"
|
||||
|
||||
env:
|
||||
NEXT_PUBLIC_APP_URL: "https://sim.acme.ai"
|
||||
BETTER_AUTH_URL: "https://sim.acme.ai"
|
||||
BETTER_AUTH_SECRET: "your-production-auth-secret-here"
|
||||
ALLOWED_ORIGINS: "https://sim.acme.ai"
|
||||
|
||||
# Database migrations
|
||||
migrations:
|
||||
enabled: true
|
||||
resources:
|
||||
limits:
|
||||
memory: "2Gi"
|
||||
cpu: "1000m"
|
||||
requests:
|
||||
memory: "1Gi"
|
||||
cpu: "500m"
|
||||
|
||||
# PostgreSQL database
|
||||
postgresql:
|
||||
enabled: true
|
||||
|
||||
# Database authentication (REQUIRED - set secure credentials)
|
||||
auth:
|
||||
username: postgres
|
||||
password: "your-secure-postgres-password"
|
||||
database: simstudio
|
||||
|
||||
# Resource allocation for production workloads
|
||||
resources:
|
||||
limits:
|
||||
memory: "4Gi"
|
||||
cpu: "2000m"
|
||||
requests:
|
||||
memory: "2Gi"
|
||||
cpu: "1000m"
|
||||
|
||||
# Persistent storage configuration
|
||||
persistence:
|
||||
enabled: true
|
||||
storageClass: "managed-csi-premium"
|
||||
size: 50Gi
|
||||
|
||||
# SSL/TLS configuration (recommended for production)
|
||||
tls:
|
||||
enabled: true
|
||||
certificatesSecret: postgres-tls-secret
|
||||
|
||||
# PostgreSQL performance configuration for production
|
||||
config:
|
||||
maxConnections: 1000
|
||||
sharedBuffers: "2GB"
|
||||
maxWalSize: "8GB"
|
||||
minWalSize: "160MB"
|
||||
|
||||
# Ollama AI models (optional - enable if you need local AI model serving)
|
||||
ollama:
|
||||
enabled: false
|
||||
|
||||
# Ingress configuration
|
||||
ingress:
|
||||
enabled: true
|
||||
className: nginx
|
||||
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
|
||||
cert-manager.io/cluster-issuer: "letsencrypt-prod"
|
||||
|
||||
# Main application
|
||||
app:
|
||||
host: sim.acme.ai
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
|
||||
# Realtime service
|
||||
realtime:
|
||||
host: sim-ws.acme.ai
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
|
||||
# TLS configuration
|
||||
tls:
|
||||
enabled: true
|
||||
secretName: sim-tls-secret
|
||||
|
||||
# Horizontal Pod Autoscaler (automatically scales pods based on CPU/memory usage)
|
||||
autoscaling:
|
||||
enabled: true
|
||||
minReplicas: 2
|
||||
maxReplicas: 20
|
||||
targetCPUUtilizationPercentage: 70
|
||||
targetMemoryUtilizationPercentage: 80
|
||||
behavior:
|
||||
scaleDown:
|
||||
stabilizationWindowSeconds: 300
|
||||
policies:
|
||||
- type: Percent
|
||||
value: 50
|
||||
periodSeconds: 60
|
||||
scaleUp:
|
||||
stabilizationWindowSeconds: 60
|
||||
policies:
|
||||
- type: Percent
|
||||
value: 100
|
||||
periodSeconds: 15
|
||||
- type: Pods
|
||||
value: 2
|
||||
periodSeconds: 60
|
||||
|
||||
# Pod disruption budget (ensures minimum availability during cluster maintenance)
|
||||
podDisruptionBudget:
|
||||
enabled: true
|
||||
minAvailable: null
|
||||
maxUnavailable: 1
|
||||
unhealthyPodEvictionPolicy: AlwaysAllow
|
||||
|
||||
# Monitoring integration with Prometheus
|
||||
monitoring:
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
labels:
|
||||
monitoring: "prometheus"
|
||||
interval: 15s
|
||||
scrapeTimeout: 10s
|
||||
|
||||
# Network policies (restricts pod-to-pod communication for security)
|
||||
networkPolicy:
|
||||
enabled: true
|
||||
|
||||
# Shared storage for data sharing between pods (enterprise feature)
|
||||
sharedStorage:
|
||||
enabled: true
|
||||
storageClass: "managed-csi-premium"
|
||||
volumes:
|
||||
- name: output-share
|
||||
size: 100Gi
|
||||
accessModes:
|
||||
- ReadWriteMany
|
||||
- name: model-share
|
||||
size: 200Gi
|
||||
accessModes:
|
||||
- ReadWriteMany
|
||||
|
||||
# Telemetry and observability (comprehensive monitoring and tracing)
|
||||
telemetry:
|
||||
enabled: true
|
||||
resources:
|
||||
limits:
|
||||
memory: "1Gi"
|
||||
cpu: "500m"
|
||||
requests:
|
||||
memory: "512Mi"
|
||||
cpu: "200m"
|
||||
# Configure endpoints based on your observability infrastructure
|
||||
prometheus:
|
||||
enabled: true
|
||||
endpoint: "http://prometheus-server/api/v1/write"
|
||||
jaeger:
|
||||
enabled: true
|
||||
endpoint: "http://jaeger-collector:14250"
|
||||
@@ -0,0 +1,106 @@
|
||||
# values-whitelabeled.yaml
|
||||
#
|
||||
# When to use: whitelabeled / branded deployment. Replaces the default Sim
|
||||
# branding (logo, product name, support URLs) with your own. The example
|
||||
# below uses "Acme Corp" placeholders — replace with your brand.
|
||||
#
|
||||
# Prerequisites: a hosted logo URL and brand assets.
|
||||
#
|
||||
# Install:
|
||||
# helm install acme ./helm/sim \
|
||||
# --namespace acme --create-namespace \
|
||||
# --values ./helm/sim/examples/values-whitelabeled.yaml \
|
||||
# --set app.env.BETTER_AUTH_SECRET="$BETTER_AUTH_SECRET" \
|
||||
# --set app.env.ENCRYPTION_KEY="$ENCRYPTION_KEY" \
|
||||
# --set app.env.INTERNAL_API_SECRET="$INTERNAL_API_SECRET" \
|
||||
# --set app.env.CRON_SECRET="$CRON_SECRET" \
|
||||
# --set postgresql.auth.password="$POSTGRES_PASSWORD"
|
||||
|
||||
# Global configuration
|
||||
global:
|
||||
imageRegistry: "ghcr.io"
|
||||
storageClass: "managed-csi-premium"
|
||||
|
||||
# Main application with custom branding
|
||||
app:
|
||||
enabled: true
|
||||
replicaCount: 1
|
||||
|
||||
# Custom branding configuration
|
||||
env:
|
||||
# Application URLs (update with your domain)
|
||||
NEXT_PUBLIC_APP_URL: "https://sim.acme.ai"
|
||||
BETTER_AUTH_URL: "https://sim.acme.ai"
|
||||
SOCKET_SERVER_URL: "https://sim-ws.acme.ai"
|
||||
NEXT_PUBLIC_SOCKET_URL: "https://sim-ws.acme.ai"
|
||||
|
||||
# Security settings (REQUIRED)
|
||||
# Generate using: openssl rand -hex 32
|
||||
BETTER_AUTH_SECRET: "your-production-auth-secret-here"
|
||||
ENCRYPTION_KEY: "your-production-encryption-key-here"
|
||||
INTERNAL_API_SECRET: "your-production-internal-api-secret-here"
|
||||
CRON_SECRET: "your-production-cron-secret-here"
|
||||
|
||||
# Optional: API Key Encryption (RECOMMENDED for production)
|
||||
# Generate 64-character hex string using: openssl rand -hex 32
|
||||
API_ENCRYPTION_KEY: "your-64-char-hex-api-encryption-key-here" # Optional but recommended
|
||||
|
||||
# UI Branding & Whitelabeling Configuration
|
||||
NEXT_PUBLIC_BRAND_NAME: "Acme AI Studio"
|
||||
NEXT_PUBLIC_BRAND_LOGO_URL: "https://acme.com/assets/logo.png"
|
||||
NEXT_PUBLIC_BRAND_FAVICON_URL: "https://acme.com/assets/favicon.ico"
|
||||
NEXT_PUBLIC_CUSTOM_CSS_URL: "https://acme.com/assets/theme.css"
|
||||
NEXT_PUBLIC_SUPPORT_EMAIL: "ai-support@acme.com"
|
||||
NEXT_PUBLIC_DOCUMENTATION_URL: "https://docs.acme.com/ai-studio"
|
||||
NEXT_PUBLIC_TERMS_URL: "https://acme.com/terms"
|
||||
NEXT_PUBLIC_PRIVACY_URL: "https://acme.com/privacy"
|
||||
|
||||
# Realtime service
|
||||
realtime:
|
||||
enabled: true
|
||||
replicaCount: 1
|
||||
env:
|
||||
NEXT_PUBLIC_APP_URL: "https://sim.acme.ai"
|
||||
BETTER_AUTH_URL: "https://sim.acme.ai"
|
||||
BETTER_AUTH_SECRET: "your-production-auth-secret-here"
|
||||
ALLOWED_ORIGINS: "https://sim.acme.ai"
|
||||
|
||||
# PostgreSQL database
|
||||
postgresql:
|
||||
enabled: true
|
||||
auth:
|
||||
password: "your-secure-db-password-here"
|
||||
persistence:
|
||||
enabled: true
|
||||
size: 20Gi
|
||||
|
||||
# Ingress configuration
|
||||
ingress:
|
||||
enabled: true
|
||||
className: "nginx"
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
|
||||
cert-manager.io/cluster-issuer: "letsencrypt-prod"
|
||||
|
||||
app:
|
||||
host: "sim.acme.ai"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
|
||||
realtime:
|
||||
host: "sim-ws.acme.ai"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
|
||||
tls:
|
||||
enabled: true
|
||||
secretName: "sim-acme-tls"
|
||||
|
||||
# Auto-scaling
|
||||
autoscaling:
|
||||
enabled: true
|
||||
minReplicas: 2
|
||||
maxReplicas: 10
|
||||
targetCPUUtilizationPercentage: 70
|
||||
Reference in New Issue
Block a user