# values-external-db.yaml # # When to use: production deployments that use a managed Postgres service # (AWS RDS, Azure Database for PostgreSQL, Google Cloud SQL, Neon, Supabase) # instead of the chart's in-cluster Postgres StatefulSet. The in-cluster # Postgres is disabled (postgresql.enabled=false). # # Prerequisites: # - A reachable managed Postgres instance with pgvector extension available # - DB credentials provisioned (user, password, database) # - Network reachability from the cluster (peering, private link, or public # endpoint with TLS) # # Install: # helm install sim ./helm/sim \ # --namespace sim --create-namespace \ # --values ./helm/sim/examples/values-external-db.yaml \ # --set externalDatabase.host=your-db.example.com \ # --set externalDatabase.username=simstudio_user \ # --set externalDatabase.password="$DB_PASSWORD" \ # --set externalDatabase.database=simstudio_prod \ # --set app.env.BETTER_AUTH_SECRET="$BETTER_AUTH_SECRET" \ # --set app.env.ENCRYPTION_KEY="$ENCRYPTION_KEY" \ # --set app.env.INTERNAL_API_SECRET="$INTERNAL_API_SECRET" # Global configuration global: imageRegistry: "ghcr.io" # Main application app: enabled: true replicaCount: 2 resources: limits: memory: "4Gi" cpu: "2000m" requests: memory: "2Gi" cpu: "1000m" env: NEXT_PUBLIC_APP_URL: "https://simstudio.acme.com" BETTER_AUTH_URL: "https://simstudio.acme.com" SOCKET_SERVER_URL: "https://simstudio-ws.acme.com" NEXT_PUBLIC_SOCKET_URL: "https://simstudio-ws.acme.com" # Security settings (REQUIRED - replace with your own secure secrets) # Generate using: openssl rand -hex 32 BETTER_AUTH_SECRET: "" # Set via --set flag or external secret manager ENCRYPTION_KEY: "" # Set via --set flag or external secret manager INTERNAL_API_SECRET: "" # Set via --set flag or external secret manager CRON_SECRET: "" # Set via --set flag or external secret manager # Optional: API Key Encryption (RECOMMENDED for production) # Generate 64-character hex string using: openssl rand -hex 32 API_ENCRYPTION_KEY: "" # Optional but recommended - encrypts API keys at rest NODE_ENV: "production" NEXT_TELEMETRY_DISABLED: "1" # Realtime service realtime: enabled: true replicaCount: 2 resources: limits: memory: "4Gi" cpu: "1000m" requests: memory: "2Gi" cpu: "500m" env: NEXT_PUBLIC_APP_URL: "https://simstudio.acme.com" BETTER_AUTH_URL: "https://simstudio.acme.com" BETTER_AUTH_SECRET: "" # Must match main app secret - set via --set flag ALLOWED_ORIGINS: "https://simstudio.acme.com" NODE_ENV: "production" # Database migrations migrations: enabled: true resources: limits: memory: "2Gi" cpu: "1000m" requests: memory: "1Gi" cpu: "500m" # Disable internal PostgreSQL postgresql: enabled: false # Configure external database connection externalDatabase: enabled: true # Database connection details (REQUIRED - configure for your external database) host: "" # Database hostname (e.g., "postgres.acme.com" or RDS endpoint) port: 5432 username: "" # Database username (e.g., "simstudio_user") password: "" # Database password - set via --set flag or external secret database: "" # Database name (e.g., "simstudio_production") # SSL mode for database connections (recommended: 'require' for production) sslMode: "require" # Options: disable, allow, prefer, require, verify-ca, verify-full # Ollama (optional for AI models) ollama: enabled: false # Ingress configuration ingress: enabled: true className: nginx annotations: nginx.ingress.kubernetes.io/force-ssl-redirect: "true" cert-manager.io/cluster-issuer: "letsencrypt-prod" app: host: simstudio.acme.com paths: - path: / pathType: Prefix realtime: host: simstudio-ws.acme.com paths: - path: / pathType: Prefix tls: enabled: true secretName: simstudio-tls-secret # Production-ready features (autoscaling, monitoring, etc.) autoscaling: enabled: true minReplicas: 2 maxReplicas: 20 targetCPUUtilizationPercentage: 70 targetMemoryUtilizationPercentage: 80 podDisruptionBudget: enabled: true minAvailable: null maxUnavailable: 1 unhealthyPodEvictionPolicy: AlwaysAllow monitoring: serviceMonitor: enabled: true labels: monitoring: "prometheus" interval: 15s networkPolicy: enabled: true # Custom egress rules to allow database connectivity to an external DB. # The chart's app/realtime NetworkPolicies already permit egress to # `postgresql.service.targetPort` when `postgresql.enabled=true`. For an # external DB on a different port (or off-cluster), append to extraRules. egress: extraRules: - to: [] ports: - protocol: TCP port: 5432 # Example deployment command with secure secret generation: # helm install sim ./helm/sim \ # --values ./helm/sim/examples/values-external-db.yaml \ # --set externalDatabase.host="your-db-host.com" \ # --set externalDatabase.username="your-db-user" \ # --set externalDatabase.password="your-db-password" \ # --set externalDatabase.database="your-db-name" \ # --set app.env.BETTER_AUTH_SECRET="$(openssl rand -hex 32)" \ # --set app.env.ENCRYPTION_KEY="$(openssl rand -hex 32)" \ # --set app.env.INTERNAL_API_SECRET="$(openssl rand -hex 32)" \ # --set app.env.CRON_SECRET="$(openssl rand -hex 32)" \ # --set app.env.API_ENCRYPTION_KEY="$(openssl rand -hex 32)" \ # --set realtime.env.BETTER_AUTH_SECRET="$(openssl rand -hex 32)"