# values-external-secrets.yaml # # When to use: production deployments where secrets live in an external store # (Azure Key Vault, AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager) # and you want External Secrets Operator (ESO) to sync them into Kubernetes # Secrets that the chart consumes. # # Prerequisites: # 1. Install ESO once per cluster: # helm repo add external-secrets https://charts.external-secrets.io # helm install external-secrets external-secrets/external-secrets \ # -n external-secrets --create-namespace # 2. Create a SecretStore or ClusterSecretStore for your provider — see # example manifests at the bottom of this file. # 3. Pre-populate your remote store with the secret keys referenced in # externalSecrets.remoteRefs below. # # Install: # helm install sim ./helm/sim \ # --namespace sim --create-namespace \ # --values ./helm/sim/examples/values-external-secrets.yaml externalSecrets: enabled: true apiVersion: "v1" refreshInterval: "1h" secretStoreRef: name: "sim-secret-store" kind: "ClusterSecretStore" remoteRefs: app: BETTER_AUTH_SECRET: "sim/app/better-auth-secret" ENCRYPTION_KEY: "sim/app/encryption-key" INTERNAL_API_SECRET: "sim/app/internal-api-secret" CRON_SECRET: "sim/app/cron-secret" API_ENCRYPTION_KEY: "sim/app/api-encryption-key" postgresql: password: "sim/postgresql/password" # Only needed when copilot.enabled=true and copilot.server.secret.create=true # (uncomment and pre-populate the referenced paths in your secret store): # copilot: # AGENT_API_DB_ENCRYPTION_KEY: "sim/copilot/agent-api-db-encryption-key" # INTERNAL_API_SECRET: "sim/copilot/internal-api-secret" # LICENSE_KEY: "sim/copilot/license-key" # SIM_BASE_URL: "sim/copilot/sim-base-url" # SIM_AGENT_API_KEY: "sim/copilot/sim-agent-api-key" # REDIS_URL: "sim/copilot/redis-url" # OPENAI_API_KEY_1: "sim/copilot/openai-api-key" app: enabled: true replicaCount: 2 # In ESO mode, app.env may only contain keys that are also mapped under # externalSecrets.remoteRefs.app (the chart-managed Secret is not rendered, # so any unmapped value would silently go nowhere). Non-secret URL/config # belongs in envDefaults — those are inlined on the container as `env:` # and don't flow through the Secret. envDefaults: NEXT_PUBLIC_APP_URL: "https://sim.example.com" BETTER_AUTH_URL: "https://sim.example.com" NEXT_PUBLIC_SOCKET_URL: "wss://sim-ws.example.com" NODE_ENV: "production" realtime: enabled: true replicaCount: 2 envDefaults: NEXT_PUBLIC_APP_URL: "https://sim.example.com" BETTER_AUTH_URL: "https://sim.example.com" ALLOWED_ORIGINS: "https://sim.example.com" NODE_ENV: "production" postgresql: enabled: true auth: username: postgres database: sim # --- # SecretStore Examples (apply one of these to your cluster before installing) # --- # Azure Key Vault (Workload Identity): # apiVersion: external-secrets.io/v1beta1 # kind: ClusterSecretStore # metadata: # name: sim-secret-store # spec: # provider: # azurekv: # authType: WorkloadIdentity # vaultUrl: "https://your-keyvault.vault.azure.net" # serviceAccountRef: # name: external-secrets-sa # namespace: external-secrets # AWS Secrets Manager (IRSA): # apiVersion: external-secrets.io/v1beta1 # kind: ClusterSecretStore # metadata: # name: sim-secret-store # spec: # provider: # aws: # service: SecretsManager # region: us-east-1 # role: arn:aws:iam::123456789012:role/external-secrets-role # HashiCorp Vault (Kubernetes Auth): # apiVersion: external-secrets.io/v1beta1 # kind: ClusterSecretStore # metadata: # name: sim-secret-store # spec: # provider: # vault: # server: "https://vault.example.com" # path: "secret" # version: "v2" # auth: # kubernetes: # mountPath: "kubernetes" # role: "external-secrets"