global: imageRegistry: "" imagePullSecrets: [] storageClass: "" security: # Required when using bitnami legacy images allowInsecureImages: true nameOverride: "" fullnameOverride: "" # Secrets configuration # IMPORTANT: The default values below are for TESTING ONLY and should NOT be used in production # For production deployments: # 1. Generate new secrets using: openssl rand -hex 16 # 2. Override these values in your values.yaml or use external secret management # 3. Each secret must be exactly 32 hex characters (16 bytes) secrets: # Enable/disable creation of secrets # Set to false to use external secret management (Vault, Infisical, External Secrets, etc.) # When disabled, you can also use extraEnvVars and podAnnotations for secret injection enabled: true # Name of existing secret to use instead of creating one # If empty, a secret will be created with the values below # The secret must contain the following keys: # - SESSION_SECRET # - MAGIC_LINK_SECRET # - ENCRYPTION_KEY # - MANAGED_WORKER_SECRET existingSecret: "" # Session secret for user authentication (32 hex chars) sessionSecret: "2818143646516f6fffd707b36f334bbb" # Magic link secret for passwordless login (32 hex chars) magicLinkSecret: "44da78b7bbb0dfe709cf38931d25dcdd" # Encryption key for sensitive data (32 hex chars) encryptionKey: "f686147ab967943ebbe9ed3b496e465a" # Worker secret for managed worker authentication (32 hex chars) managedWorkerSecret: "447c29678f9eaf289e9c4b70d3dd8a7f" # Object store credentials moved to s3.auth and s3.external section # Webapp configuration webapp: image: registry: ghcr.io repository: triggerdotdev/trigger.dev tag: "" # Defaults to Chart.appVersion when empty pullPolicy: IfNotPresent # Init container for shared directory setup volumePermissions: image: registry: docker.io repository: busybox tag: "1.35" pullPolicy: IfNotPresent # Sidecar for token syncing tokenSyncer: image: registry: docker.io repository: bitnamilegacy/kubectl tag: "1.28" pullPolicy: IfNotPresent # Origin configuration appOrigin: "http://localhost:3040" loginOrigin: "http://localhost:3040" apiOrigin: "http://localhost:3040" replicaCount: 1 service: type: ClusterIP port: 3030 targetPort: 3000 podAnnotations: {} # podSecurityContext: # fsGroup: 1000 # securityContext: # runAsNonRoot: true # runAsUser: 1000 nodeSelector: {} tolerations: [] affinity: {} # Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template topologySpreadConstraints: [] logLevel: "info" gracefulShutdownTimeout: 1000 # Bootstrap configuration bootstrap: enabled: true workerGroupName: "bootstrap" workerTokenPath: "/home/node/shared/worker_token" # Limits limits: taskPayloadOffloadThreshold: 524288 # 512KB taskPayloadMaximumSize: 3145728 # 3MB batchTaskPayloadMaximumSize: 1000000 # 1MB taskRunMetadataMaximumSize: 262144 # 256KB defaultEnvExecutionConcurrencyLimit: 100 defaultOrgExecutionConcurrencyLimit: 300 # Resources resources: {} # Example resource configuration: # limits: # cpu: 1000m # memory: 2Gi # requests: # cpu: 500m # memory: 1Gi # Connectivity check configuration connectivityCheck: postgres: true # Set to false to disable DATABASE_HOST env var (overrides postgres.external.connectivityCheck) # Extra environment variables for webapp extraEnvVars: [] # - name: CUSTOM_VAR # value: "custom-value" # - name: SECRET_VAR # valueFrom: # secretKeyRef: # name: my-secret # key: secret-key # # Example: PostgreSQL SSL with custom CA certificate # - name: NODE_EXTRA_CA_CERTS # value: "/etc/ssl/certs/postgres-ca.crt" # Extra volumes for the webapp pod extraVolumes: [] # - name: config-volume # configMap: # name: my-config # - name: secret-volume # secret: # secretName: my-secret # # Example: PostgreSQL SSL CA certificate volume # - name: postgres-ca-cert # secret: # secretName: postgres-ca-secret # items: # - key: ca.crt # path: postgres-ca.crt # Extra volume mounts for the webapp container extraVolumeMounts: [] # - name: config-volume # mountPath: /etc/config # readOnly: true # - name: secret-volume # mountPath: /etc/secrets # readOnly: true # # Example: PostgreSQL SSL CA certificate mount # - name: postgres-ca-cert # mountPath: /etc/ssl/certs # readOnly: true # ServiceMonitor for Prometheus monitoring serviceMonitor: enabled: false interval: "30s" path: "/metrics" labels: {} basicAuth: {} # Health probe configuration livenessProbe: enabled: true initialDelaySeconds: 10 periodSeconds: 30 timeoutSeconds: 10 failureThreshold: 5 successThreshold: 1 readinessProbe: enabled: true initialDelaySeconds: 10 periodSeconds: 30 timeoutSeconds: 10 failureThreshold: 5 successThreshold: 1 startupProbe: enabled: false initialDelaySeconds: 0 periodSeconds: 10 timeoutSeconds: 5 failureThreshold: 60 successThreshold: 1 clickhouse: logLevel: "info" # one of: log, error, warn, info, debug runReplication: logLevel: "info" # one of: log, error, warn, info, debug # ServiceAccount configuration serviceAccount: create: true # Name of the ServiceAccount to use. Required when create is false - otherwise # the token-syncer RoleBinding would bind to the namespace's "default" SA. name: "" # Annotations to add to the ServiceAccount (e.g. eks.amazonaws.com/role-arn for IRSA) annotations: {} # Observability configuration (OTel) observability: tracing: exporterUrl: "" exporterAuthHeaders: "" loggingEnabled: "0" samplingRate: "20" instrumentPrismaEnabled: "0" disabled: "0" logging: exporterUrl: "" # Log auth headers are currently set to tracing.exporterAuthHeaders metrics: exporterUrl: "" exporterAuthHeaders: "" exporterEnabled: "0" exporterIntervalMs: 30000 # Webapp ingress configuration ingress: enabled: false className: "traefik" # Custom annotations for the ingress resource # Note: The following annotation keys are reserved and will be automatically set: # - cert-manager.io/cluster-issuer (when certManager.enabled is true) # - external-dns.alpha.kubernetes.io/hostname (when externalDns.enabled is true) # - external-dns.alpha.kubernetes.io/ttl (when externalDns.enabled is true) annotations: {} certManager: enabled: false clusterIssuer: "letsencrypt-prod" externalDns: enabled: false hostname: "" ttl: "300" hosts: - host: trigger.local paths: - path: / pathType: Prefix tls: [] # - secretName: trigger-tls # hosts: # - trigger.local # Supervisor configuration supervisor: image: registry: ghcr.io repository: triggerdotdev/supervisor tag: "" # Defaults to Chart.appVersion when empty pullPolicy: IfNotPresent podAnnotations: {} # podSecurityContext: # fsGroup: 1000 # securityContext: # runAsNonRoot: true # runAsUser: 1000 service: type: ClusterIP ports: workload: 3000 metrics: 9088 resources: {} config: kubernetes: forceEnabled: true namespace: "" # Default: uses release namespace workerNodetypeLabel: "" # When set, runs will only be scheduled on nodes with "nodetype=