Helm Values Reference¶
Complete reference for the Verity Helm chart (infra/helm/verity). All configurable values are documented below with their defaults and descriptions.
Global Image Settings¶
| Key | Type | Default | Description |
|---|---|---|---|
global.image.registry |
string | verityacr.azurecr.io |
Container registry for all Verity images. |
global.image.tag |
string | latest |
Image tag applied to all services. Use a specific SHA or semver tag in production. |
global.image.pullPolicy |
string | IfNotPresent |
Kubernetes image pull policy. Set to Always when using latest tag. |
Azure Integration¶
| Key | Type | Default | Description |
|---|---|---|---|
global.azure.workloadIdentityClientId |
string | "" |
Client ID of the Azure AD managed identity for workload identity federation. |
global.azure.keyVaultName |
string | verity-kv |
Name of the Azure Key Vault instance storing secrets. |
global.azure.tenantId |
string | "" |
Azure AD tenant ID for authentication and identity. |
Required in production
You must set workloadIdentityClientId and tenantId for production deployments. These values enable Azure AD authentication and Key Vault secret access.
PostgreSQL¶
Primary relational database for principals, grants, reviews, and system state.
| Key | Type | Default | Description |
|---|---|---|---|
global.postgresql.host |
string | verity-postgres |
PostgreSQL server hostname. |
global.postgresql.port |
int | 5432 |
PostgreSQL server port. |
global.postgresql.database |
string | verity |
Database name. |
global.postgresql.username |
string | verity |
Database username. |
global.postgresql.existingSecret |
string | verity-db-credentials |
Name of the Kubernetes Secret containing the password. |
global.postgresql.existingSecretPasswordKey |
string | password |
Key within the Secret that holds the password value. |
global:
postgresql:
host: verity-postgres
port: 5432
database: verity
username: verity
existingSecret: verity-db-credentials
existingSecretPasswordKey: password
ClickHouse¶
Analytics database for decay score history, metrics aggregation, and reporting.
| Key | Type | Default | Description |
|---|---|---|---|
global.clickhouse.host |
string | verity-clickhouse |
ClickHouse server hostname. |
global.clickhouse.httpPort |
int | 8123 |
HTTP interface port for queries. |
global.clickhouse.nativePort |
int | 9000 |
Native TCP protocol port. |
global.clickhouse.database |
string | verity_analytics |
Database name for analytics data. |
global.clickhouse.username |
string | verity |
ClickHouse username. |
global.clickhouse.existingSecret |
string | verity-clickhouse-credentials |
Kubernetes Secret containing ClickHouse credentials. |
global:
clickhouse:
host: verity-clickhouse
httpPort: 8123
nativePort: 9000
database: verity_analytics
username: verity
existingSecret: verity-clickhouse-credentials
Kafka¶
Event streaming backbone for inter-service communication.
| Key | Type | Default | Description |
|---|---|---|---|
global.kafka.bootstrapServers |
string | verity-kafka:9092 |
Comma-separated list of Kafka broker addresses. |
global.kafka.securityProtocol |
string | PLAINTEXT |
Kafka security protocol. Use SASL_SSL for production. |
Redis¶
In-memory cache for session state, rate limiting, and ephemeral data.
| Key | Type | Default | Description |
|---|---|---|---|
global.redis.url |
string | redis://verity-redis:6379/0 |
Full Redis connection URL. Supports redis:// and rediss:// (TLS). |
Temporal¶
Workflow orchestration engine for long-running processes (reviews, remediations).
| Key | Type | Default | Description |
|---|---|---|---|
global.temporal.host |
string | verity-temporal:7233 |
Temporal server gRPC endpoint. |
global.temporal.namespace |
string | verity |
Temporal namespace for Verity workflows. |
Services¶
Each of Verity's 11 microservices is configured under global.services.<name>. All services share the same configuration schema.
Service Configuration Schema¶
| Key | Type | Description |
|---|---|---|
replicas |
int | Number of pod replicas. |
maxReplicas |
int | Maximum replicas for HPA (only on services with autoscaling). |
resources.requests.cpu |
string | CPU request per pod. |
resources.requests.memory |
string | Memory request per pod. |
resources.limits.cpu |
string | CPU limit per pod. |
resources.limits.memory |
string | Memory limit per pod. |
Connectors¶
Pulls identity and access data from external systems (Azure AD, AWS IAM, GitHub, etc.).
| Key | Default |
|---|---|
global.services.connectors.replicas |
2 |
global.services.connectors.resources.requests.cpu |
250m |
global.services.connectors.resources.requests.memory |
512Mi |
global.services.connectors.resources.limits.cpu |
1 |
global.services.connectors.resources.limits.memory |
1Gi |
Ingestion¶
Normalizes and loads connector output into the data layer.
| Key | Default |
|---|---|
global.services.ingestion.replicas |
2 |
global.services.ingestion.resources.requests.cpu |
500m |
global.services.ingestion.resources.requests.memory |
1Gi |
global.services.ingestion.resources.limits.cpu |
2 |
global.services.ingestion.resources.limits.memory |
2Gi |
Decay Engine¶
Computes and updates decay scores for all principals on a continuous schedule.
| Key | Default |
|---|---|
global.services.decayEngine.replicas |
2 |
global.services.decayEngine.maxReplicas |
5 |
global.services.decayEngine.resources.requests.cpu |
2 |
global.services.decayEngine.resources.requests.memory |
4Gi |
global.services.decayEngine.resources.limits.cpu |
2 |
global.services.decayEngine.resources.limits.memory |
4Gi |
Autoscaling
The Decay Engine supports HPA. Set maxReplicas to control scale-out limits.
Decision¶
Evaluates policy rules against scores and triggers review or remediation workflows.
| Key | Default |
|---|---|
global.services.decision.replicas |
2 |
global.services.decision.resources.requests.cpu |
500m |
global.services.decision.resources.requests.memory |
1Gi |
global.services.decision.resources.limits.cpu |
1 |
global.services.decision.resources.limits.memory |
1Gi |
Workflow Engine¶
Orchestrates Temporal workflows for reviews, remediations, and scheduled tasks.
| Key | Default |
|---|---|
global.services.workflowEngine.replicas |
4 |
global.services.workflowEngine.resources.requests.cpu |
500m |
global.services.workflowEngine.resources.requests.memory |
1Gi |
global.services.workflowEngine.resources.limits.cpu |
1 |
global.services.workflowEngine.resources.limits.memory |
2Gi |
Review Generator¶
Creates access review campaigns based on policy triggers and schedules.
| Key | Default |
|---|---|
global.services.reviewGenerator.replicas |
2 |
global.services.reviewGenerator.resources.requests.cpu |
250m |
global.services.reviewGenerator.resources.requests.memory |
512Mi |
global.services.reviewGenerator.resources.limits.cpu |
1 |
global.services.reviewGenerator.resources.limits.memory |
1Gi |
Remediation¶
Executes approved remediation actions (e.g., removing group memberships, disabling accounts).
| Key | Default |
|---|---|
global.services.remediation.replicas |
2 |
global.services.remediation.resources.requests.cpu |
250m |
global.services.remediation.resources.requests.memory |
512Mi |
global.services.remediation.resources.limits.cpu |
1 |
global.services.remediation.resources.limits.memory |
1Gi |
API Gateway¶
FastAPI-based REST API serving all external requests on port 8000.
| Key | Default |
|---|---|
global.services.apiGateway.replicas |
2 |
global.services.apiGateway.maxReplicas |
10 |
global.services.apiGateway.resources.requests.cpu |
500m |
global.services.apiGateway.resources.requests.memory |
1Gi |
global.services.apiGateway.resources.limits.cpu |
1 |
global.services.apiGateway.resources.limits.memory |
1Gi |
Autoscaling
The API Gateway supports HPA. Set maxReplicas to control scale-out limits under load.
Analytics¶
Runs aggregation queries and materializes dashboards and report data in ClickHouse.
| Key | Default |
|---|---|
global.services.analytics.replicas |
1 |
global.services.analytics.resources.requests.cpu |
500m |
global.services.analytics.resources.requests.memory |
1Gi |
global.services.analytics.resources.limits.cpu |
2 |
global.services.analytics.resources.limits.memory |
2Gi |
Audit¶
Captures and stores immutable audit trail events for compliance.
| Key | Default |
|---|---|
global.services.audit.replicas |
2 |
global.services.audit.resources.requests.cpu |
250m |
global.services.audit.resources.requests.memory |
512Mi |
global.services.audit.resources.limits.cpu |
1 |
global.services.audit.resources.limits.memory |
1Gi |
Frontend¶
Next.js web dashboard for administrators and reviewers.
| Key | Default |
|---|---|
global.services.frontend.replicas |
2 |
global.services.frontend.resources.requests.cpu |
200m |
global.services.frontend.resources.requests.memory |
256Mi |
global.services.frontend.resources.limits.cpu |
500m |
global.services.frontend.resources.limits.memory |
256Mi |
Sub-chart Toggles¶
Enable built-in sub-charts for dependencies, or disable them when using external managed services.
| Key | Type | Default | Description |
|---|---|---|---|
postgresql.enabled |
bool | false |
Deploy PostgreSQL as a sub-chart. Disable when using Azure Database for PostgreSQL or similar. |
redis.enabled |
bool | false |
Deploy Redis as a sub-chart. Disable when using Azure Cache for Redis or similar. |
kafka.enabled |
bool | false |
Deploy Kafka as a sub-chart. Disable when using Azure Event Hubs or Confluent Cloud. |
Tip
In development, set these to true to run all dependencies inside the cluster. In production, use managed services for better reliability and operational overhead.
Network Policies¶
| Key | Type | Default | Description |
|---|---|---|---|
networkPolicy.enabled |
bool | true |
Enable Kubernetes NetworkPolicies to restrict inter-service traffic. |
When enabled, NetworkPolicies are created for each service, allowing only the expected communication paths (e.g., API Gateway → Decision, Decision → Temporal).
Ingress¶
| Key | Type | Default | Description |
|---|---|---|---|
ingress.enabled |
bool | true |
Create an Ingress resource for external access. |
ingress.className |
string | nginx |
Ingress class name (e.g., nginx, traefik, azure-application-gateway). |
ingress.annotations |
map | see below | Annotations for the Ingress resource. |
ingress.host |
string | verity.example.com |
Hostname for the Ingress rule. |
ingress.tls.secretName |
string | verity-tls |
Kubernetes Secret containing the TLS certificate. |
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/ssl-redirect: "true"
host: verity.example.com
tls:
secretName: verity-tls
Example Configurations¶
Minimal — Quick Start¶
A minimal values.yaml for local development with all dependencies in-cluster:
global:
image:
registry: verityacr.azurecr.io
tag: latest
pullPolicy: Always
azure:
tenantId: "your-tenant-id"
workloadIdentityClientId: "your-client-id"
keyVaultName: verity-kv-dev
postgresql:
host: verity-postgres
port: 5432
database: verity
username: verity
existingSecret: verity-db-credentials
existingSecretPasswordKey: password
redis:
url: redis://verity-redis:6379/0
postgresql:
enabled: true
redis:
enabled: true
kafka:
enabled: true
ingress:
enabled: false
networkPolicy:
enabled: false
Development¶
Optimized for a single-node development cluster with reduced resources:
global:
image:
tag: dev
pullPolicy: Always
services:
connectors:
replicas: 1
resources:
requests: { cpu: 100m, memory: 256Mi }
limits: { cpu: 500m, memory: 512Mi }
ingestion:
replicas: 1
resources:
requests: { cpu: 100m, memory: 256Mi }
limits: { cpu: 500m, memory: 512Mi }
decayEngine:
replicas: 1
maxReplicas: 1
resources:
requests: { cpu: 500m, memory: 1Gi }
limits: { cpu: "1", memory: 2Gi }
decision:
replicas: 1
resources:
requests: { cpu: 100m, memory: 256Mi }
limits: { cpu: 500m, memory: 512Mi }
workflowEngine:
replicas: 1
resources:
requests: { cpu: 100m, memory: 256Mi }
limits: { cpu: 500m, memory: 512Mi }
reviewGenerator:
replicas: 1
resources:
requests: { cpu: 100m, memory: 256Mi }
limits: { cpu: 500m, memory: 512Mi }
remediation:
replicas: 1
resources:
requests: { cpu: 100m, memory: 256Mi }
limits: { cpu: 500m, memory: 512Mi }
apiGateway:
replicas: 1
maxReplicas: 1
resources:
requests: { cpu: 100m, memory: 256Mi }
limits: { cpu: 500m, memory: 512Mi }
analytics:
replicas: 1
resources:
requests: { cpu: 100m, memory: 256Mi }
limits: { cpu: 500m, memory: 512Mi }
audit:
replicas: 1
resources:
requests: { cpu: 100m, memory: 256Mi }
limits: { cpu: 500m, memory: 512Mi }
frontend:
replicas: 1
resources:
requests: { cpu: 100m, memory: 128Mi }
limits: { cpu: 250m, memory: 256Mi }
postgresql:
enabled: true
redis:
enabled: true
kafka:
enabled: true
networkPolicy:
enabled: false
ingress:
enabled: false
Staging¶
Mirrors production topology with smaller resource allocations:
global:
image:
tag: "v1.2.0-rc1"
pullPolicy: IfNotPresent
azure:
tenantId: "your-staging-tenant-id"
workloadIdentityClientId: "your-staging-client-id"
keyVaultName: verity-kv-staging
postgresql:
host: verity-staging-postgres.postgres.database.azure.com
port: 5432
database: verity
username: verity
existingSecret: verity-staging-db-credentials
existingSecretPasswordKey: password
clickhouse:
host: verity-staging-clickhouse
database: verity_analytics
username: verity
existingSecret: verity-staging-ch-credentials
kafka:
bootstrapServers: verity-staging-kafka:9092
securityProtocol: SASL_SSL
redis:
url: rediss://verity-staging-redis.redis.cache.windows.net:6380/0
services:
apiGateway:
replicas: 2
maxReplicas: 5
decayEngine:
replicas: 1
maxReplicas: 3
workflowEngine:
replicas: 2
postgresql:
enabled: false
redis:
enabled: false
kafka:
enabled: false
networkPolicy:
enabled: true
ingress:
enabled: true
className: nginx
host: verity-staging.example.com
tls:
secretName: verity-staging-tls
Production¶
Full production configuration with high availability and explicit resource limits:
global:
image:
registry: verityacr.azurecr.io
tag: "v1.2.0"
pullPolicy: IfNotPresent
azure:
tenantId: "your-production-tenant-id"
workloadIdentityClientId: "your-production-client-id"
keyVaultName: verity-kv-prod
postgresql:
host: verity-prod-postgres.postgres.database.azure.com
port: 5432
database: verity
username: verity
existingSecret: verity-prod-db-credentials
existingSecretPasswordKey: password
clickhouse:
host: verity-prod-clickhouse.clickhouse.azure.com
httpPort: 8123
nativePort: 9000
database: verity_analytics
username: verity
existingSecret: verity-prod-ch-credentials
kafka:
bootstrapServers: verity-prod-kafka.servicebus.windows.net:9093
securityProtocol: SASL_SSL
redis:
url: rediss://verity-prod-redis.redis.cache.windows.net:6380/0
temporal:
host: verity-prod-temporal:7233
namespace: verity-prod
services:
connectors:
replicas: 3
resources:
requests: { cpu: 500m, memory: 1Gi }
limits: { cpu: "1", memory: 2Gi }
ingestion:
replicas: 3
resources:
requests: { cpu: "1", memory: 2Gi }
limits: { cpu: "2", memory: 4Gi }
decayEngine:
replicas: 3
maxReplicas: 8
resources:
requests: { cpu: "2", memory: 4Gi }
limits: { cpu: "4", memory: 8Gi }
decision:
replicas: 3
resources:
requests: { cpu: "1", memory: 2Gi }
limits: { cpu: "2", memory: 2Gi }
workflowEngine:
replicas: 6
resources:
requests: { cpu: "1", memory: 2Gi }
limits: { cpu: "2", memory: 4Gi }
reviewGenerator:
replicas: 3
resources:
requests: { cpu: 500m, memory: 1Gi }
limits: { cpu: "1", memory: 2Gi }
remediation:
replicas: 3
resources:
requests: { cpu: 500m, memory: 1Gi }
limits: { cpu: "1", memory: 2Gi }
apiGateway:
replicas: 4
maxReplicas: 20
resources:
requests: { cpu: "1", memory: 2Gi }
limits: { cpu: "2", memory: 2Gi }
analytics:
replicas: 2
resources:
requests: { cpu: "1", memory: 2Gi }
limits: { cpu: "4", memory: 4Gi }
audit:
replicas: 3
resources:
requests: { cpu: 500m, memory: 1Gi }
limits: { cpu: "1", memory: 2Gi }
frontend:
replicas: 3
resources:
requests: { cpu: 500m, memory: 512Mi }
limits: { cpu: "1", memory: 512Mi }
postgresql:
enabled: false
redis:
enabled: false
kafka:
enabled: false
networkPolicy:
enabled: true
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: "10m"
nginx.ingress.kubernetes.io/rate-limit-connections: "50"
host: verity.example.com
tls:
secretName: verity-prod-tls
Overriding Values with --set¶
Override individual values at install or upgrade time without editing values.yaml:
# Set image tag
helm upgrade verity ./infra/helm/verity --set global.image.tag=v1.3.0
# Scale API Gateway replicas
helm upgrade verity ./infra/helm/verity --set global.services.apiGateway.replicas=6
# Change ingress hostname
helm upgrade verity ./infra/helm/verity --set ingress.host=verity.mycompany.com
# Enable sub-chart PostgreSQL
helm upgrade verity ./infra/helm/verity --set postgresql.enabled=true
# Multiple overrides
helm upgrade verity ./infra/helm/verity \
--set global.image.tag=v1.3.0 \
--set global.services.apiGateway.replicas=6 \
--set ingress.host=verity.mycompany.com
For complex values (maps, lists), use a separate values file:
Override precedence
Values provided via --set take precedence over values files. Multiple -f flags are merged left to right, with later files taking precedence.