
Helm chart values

This page is the externally-rendered reference for the OrbitalReg Helm chart at charts/orbitalreg/values.yaml. Each section maps to a top-level key.

image

yaml
# Image reference for the deployed workload.
# NOTE(review): a tag is a mutable reference, and with pullPolicy
# IfNotPresent a node that already holds an image under that tag keeps using
# its cached copy. Whether the chart also accepts a digest reference is not
# shown on this page — confirm in the chart itself.
image:
  repository: ghcr.io/orbitalreg/orbital-api
  tag: ""                            # defaults to chart appVersion
  pullPolicy: IfNotPresent
  # Empty list: no registry pull secrets are referenced by default.
  pullSecrets: []

replicaCount + autoscaling

yaml
# Static replica count.
# NOTE(review): autoscaling is enabled below; in many charts the autoscaler
# then owns the replica count and this value only applies when autoscaling is
# off — confirm against the chart templates.
replicaCount: 3

# Autoscaling bounds and CPU utilisation target (percent).
# maxReplicas is the ceiling on scale-out, so it also bounds how much cluster
# capacity a traffic spike can consume.
autoscaling:
  enabled: true
  minReplicas: 3
  maxReplicas: 10
  targetCPUUtilizationPercentage: 70

resources

yaml
# CPU and memory sizing for the api and frontend components.
# Requests are what the scheduler reserves; limits cap what a container may
# use, which bounds the effect of a runaway or overloaded pod on its node.
resources:
  api:
    requests:
      cpu: 500m
      memory: 512Mi
    limits:
      cpu: 2
      memory: 2Gi
  frontend:
    requests:
      cpu: 50m
      memory: 64Mi
    limits:
      cpu: 200m
      memory: 256Mi

ingress

yaml
# External HTTP(S) entry point, served through the nginx ingress class.
ingress:
  enabled: true
  className: nginx
  annotations:
    # cert-manager requests the certificate for the tls entry below from this
    # ClusterIssuer.
    # NOTE(review): the issuer name suggests a public ACME CA; this page also
    # lists airGapped.enabled: true as the default for new installs, where
    # such an issuer may not be reachable — use an internal issuer there.
    cert-manager.io/cluster-issuer: 'letsencrypt-prod'
    # Request-body ceiling of 5g at the ingress (presumably sized for large
    # artifact uploads — confirm). Keep it no higher than the largest upload
    # you expect, since every client reaching the ingress may send bodies up
    # to this size.
    nginx.ingress.kubernetes.io/proxy-body-size: '5g'
  hosts:
    - host: registry.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    # Certificate and key are read from this Secret; the host list must cover
    # every host routed above.
    - secretName: registry-tls
      hosts:
        - registry.example.com

postgres (CNPG)

yaml
# Chart-managed PostgreSQL (the CNPG variant named in the section heading).
postgres:
  cnpg:
    enabled: true
    instances: 3
    storage:
      size: 100Gi
      storageClass: fast
    backup:
      enabled: true
      s3:
        # NOTE(review): no scheme on the endpoint, so whether backup traffic
        # uses TLS is not visible here — confirm in the chart templates.
        endpoint: s3.example.com
        # A different bucket from s3.bucket in the s3 section of this page,
        # so database backups can carry their own access policy.
        bucket: orbitalreg-postgres-backup
        # Object-store credentials are referenced by Secret name rather than
        # written into the values file. The required keys are not listed on
        # this page.
        existingSecret: orbitalreg-cnpg-s3
      # presumably backups older than this are pruned — confirm
      retentionPolicy: "30d"
      # Five-field cron form (02:00 daily if read as standard cron).
      # NOTE(review): confirm the chart maps this onto the schedule format
      # the operator expects.
      schedule: "0 2 * * *"

For non-CNPG deployments (managed Postgres, RDS, Cloud SQL):

yaml
# Externally managed PostgreSQL: the in-chart cluster is switched off and the
# connection string is read from an existing Secret.
postgres:
  cnpg:
    enabled: false
  external:
    existingSecret: orbitalreg-postgres
    # Secret must contain DATABASE_URL key
    # NOTE(review): a database URL normally embeds the password, which is why
    # it lives in a Secret. Whether TLS to the database is required depends
    # on that URL's parameters — not shown on this page.

s3

yaml
# S3-compatible object storage settings.
s3:
  # NOTE(review): host:port with no scheme, so whether this connection uses
  # TLS is not visible here — confirm how the chart derives it.
  endpoint: s3.example.com:9000
  bucket: orbitalreg
  existingSecret: orbitalreg-s3
  # Secret must contain ACCESS_KEY + SECRET_KEY
  # NOTE(review): scope that key pair to the bucket above only, so a leaked
  # credential does not expose other buckets on the same endpoint.
  region: us-east-1
  forcePathStyle: true              # MinIO / Ceph: true; AWS: false

redis

yaml
# Redis: either the bundled sub-chart or an external instance.
# NOTE(review): both enabled: true and external.existingSecret appear here;
# presumably external.* is only read when enabled is false — confirm which
# takes precedence. Whether the in-cluster Redis requires authentication is
# not shown on this page.
redis:
  enabled: true                      # in-cluster Redis sub-chart
  external:
    existingSecret: orbitalreg-redis
    # Secret must contain REDIS_URL key
    # (a Redis URL can embed a password, hence the Secret reference)

saml

yaml
# SAML single sign-on; identity-provider settings are read from a Secret.
saml:
  enabled: true
  existingSecret: orbitalreg-saml
  # Secret must contain SAML_METADATA_URL, SAML_ENTITY_ID,
  # SAML_CALLBACK_URL keys (or SAML_METADATA_XML for offline metadata)
  # NOTE(review): IdP metadata normally carries the certificate used to
  # verify assertions, so the metadata source is a trust anchor: use an
  # https URL on a host you trust, or the offline XML form. With
  # airGapped.enabled (the default for new installs per this page) a remote
  # metadata URL may not be reachable.

monitoring

yaml
# Optional monitoring objects: ServiceMonitor, Grafana dashboards and
# PrometheusRule, each with its own enabled switch and labels.
# NOTE(review): whether the scraped metrics endpoint requires authentication
# is not shown on this page.
monitoring:
  serviceMonitor:
    enabled: true
    interval: 30s
    # presumably has to match the selector of the Prometheus instance that
    # should scrape this target — confirm
    labels:
      release: kube-prometheus-stack
  grafanaDashboards:
    enabled: true
    labels:
      # Quoted so the label value stays a string rather than an integer.
      grafana_dashboard: "1"
  prometheusRule:
    enabled: true
    labels:
      release: kube-prometheus-stack
    # Per-alert overrides, keyed by alert name.
    alertOverrides:
      OrbitalRegHighDiskUsage:
        # presumably a percentage — confirm the unit in the rule definition
        threshold: 80

tracing

yaml
# Trace export settings; off by default.
# NOTE(review): traces leave the cluster boundary if the endpoint is external.
# This page also lists airGapped.initialAllowlist.otelExport: false, so
# enabling tracing presumably needs that category allowed as well — confirm.
tracing:
  enabled: false
  exporter:
    endpoint: ""                     # OTEL_EXPORTER_OTLP_ENDPOINT
    protocol: http/protobuf
  sampler:
    # Ratio-based sampling that honours the parent span's decision; with
    # arg 0.1 roughly 10% of new traces are sampled.
    type: parentbased_traceidratio
    arg: 0.1

airGapped

yaml
# Air-gapped mode and the allowlist it starts with.
# The key names suggest each flag covers one category of outbound traffic;
# all of them start as false, i.e. not allowlisted.
# NOTE(review): "at first boot only" suggests later changes are made
# somewhere other than this values file — confirm where, and who is allowed
# to change them, since that setting decides what the service may contact.
airGapped:
  enabled: true                      # default for new installs
  initialAllowlist:                  # at first boot only
    outboundWebhooks: false
    osvLookups: false
    sigstoreRekor: false
    otelExport: false
    servicePings: false

scanners

yaml
# Scanner worker count, queue depth and vulnerability-database source.
scanners:
  workers: 4
  queueDepth: 100
  dbRefresh: mirrored               # automatic | mirrored | manual
  # Database locations for the trivy and grype scanners (presumably only read
  # when dbRefresh is mirrored — confirm).
  # NOTE(review): scan results are only as current as the mirror, so monitor
  # its age. Whether downloaded databases are integrity-checked beyond HTTPS
  # is not shown on this page.
  dbMirror:
    trivy: https://artifacts.internal/trivy-db
    grype: https://artifacts.internal/grype-db

backupVerification

yaml
# Scheduled verification of backups.
backupVerification:
  enabled: true
  # 04:00 every Monday if read as a standard five-field cron expression.
  schedule: '0 4 * * 1'
  resources:
    # Only requests are set; this section defines no limits.
    requests:
      cpu: 500m
      memory: 512Mi
  # presumably sizing for a scratch cluster that a backup is restored into
  # during verification — confirm against the chart templates
  cluster:
    storage:
      size: 50Gi
      storageClass: fast

license

yaml
# Licence material is referenced by Secret name, not embedded in values.
license:
  existingSecret: orbitalreg-license
  # Secret must contain LICENSE_ENVELOPE key (PEM-armoured)

Full values reference

The chart's authoritative values.yaml ships every default. Render the full set with:

bash
# Write the chart's built-in default values to a file, e.g. to diff against
# your own overrides before an install or upgrade.
helm show values ./charts/orbitalreg > orbitalreg-defaults.yaml

Released under the Apache-2.0 License.