sim/helm/sim/values.yaml
Waleed 09cccd5487 feat(helm): added cert-postgresql template to helm (#1620)
* feat(helm): added cert-postgresql template to helm

* use js-tiktoken (pure js) in favor of tiktoken (wasm)
2025-10-13 12:41:43 -07:00


# Global configuration
global:
  # Image registry and pull policy
  imageRegistry: "ghcr.io"
  # Use registry for all images, not just simstudioai/* images
  useRegistryForAllImages: false
  # Image pull secrets for private registries (leave empty when none are needed)
  imagePullSecrets: []
  # Common labels applied to all resources
  commonLabels: {}
  # Storage class for persistent volumes
  storageClass: ""
# Main Sim application configuration
app:
  # Enable/disable the main application
  enabled: true
  # Image configuration
  image:
    repository: simstudioai/simstudio
    # "latest" together with pullPolicy Always is a floating tag: each pod start may pull a
    # different build. Pin a version tag or digest for reproducible, auditable rollouts.
    tag: latest
    pullPolicy: Always
  # Number of replicas
  replicaCount: 1
  # Resource limits and requests
  resources:
    limits:
      memory: "4Gi"
      cpu: "2000m"
    requests:
      memory: "2Gi"
      cpu: "1000m"
  # Node selector for pod scheduling (leave empty to allow scheduling on any node)
  nodeSelector: {}
  # Pod security context
  podSecurityContext:
    fsGroup: 1001
  # Container security context
  # Only the user and non-root check are set; allowPrivilegeEscalation, capabilities and
  # seccompProfile are left at the cluster defaults (a cluster-level policy may require them).
  securityContext:
    runAsNonRoot: true
    runAsUser: 1001
  # Environment variables
  # NEXT_PUBLIC_* values are exposed to the browser; never place secrets in them.
  env:
    # Application URLs (defaults suit a local install; set them to the public ingress URLs
    # for a real deployment, and keep realtime.env in sync)
    NEXT_PUBLIC_APP_URL: "http://localhost:3000"
    BETTER_AUTH_URL: "http://localhost:3000"
    SOCKET_SERVER_URL: "http://localhost:3002"
    NEXT_PUBLIC_SOCKET_URL: "http://localhost:3002"
    # Node environment
    NODE_ENV: "production"
    NEXT_TELEMETRY_DISABLED: "1"
    # Authentication and encryption secrets (REQUIRED for production)
    # Generate secure 32-byte (64 hex character) secrets using: openssl rand -hex 32
    # Values passed with --set are stored in the Helm release Secret and may remain in shell
    # history; prefer --set-file or a values file that is kept out of version control.
    BETTER_AUTH_SECRET: "" # REQUIRED - set via --set flag or external secret manager
    ENCRYPTION_KEY: "" # REQUIRED - set via --set flag or external secret manager
    # Email & Communication
    EMAIL_VERIFICATION_ENABLED: "false" # Enable email verification for user registration and login (defaults to false)
    RESEND_API_KEY: "" # Resend API key for transactional emails
    FROM_EMAIL_ADDRESS: "" # Complete from address (e.g., "Sim <noreply@domain.com>" or "DoNotReply@domain.com")
    EMAIL_DOMAIN: "" # Domain for sending emails (fallback when FROM_EMAIL_ADDRESS not set)
    # OAuth Integration Credentials (leave empty if not using)
    GOOGLE_CLIENT_ID: "" # Google OAuth client ID
    GOOGLE_CLIENT_SECRET: "" # Google OAuth client secret
    GITHUB_CLIENT_ID: "" # GitHub OAuth client ID
    GITHUB_CLIENT_SECRET: "" # GitHub OAuth client secret
    # AI Provider API Keys (leave empty if not using)
    OPENAI_API_KEY: "" # Primary OpenAI API key
    OPENAI_API_KEY_1: "" # Additional OpenAI API key for load balancing
    OPENAI_API_KEY_2: "" # Additional OpenAI API key for load balancing
    OPENAI_API_KEY_3: "" # Additional OpenAI API key for load balancing
    MISTRAL_API_KEY: "" # Mistral AI API key
    ANTHROPIC_API_KEY_1: "" # Primary Anthropic Claude API key
    ANTHROPIC_API_KEY_2: "" # Additional Anthropic API key for load balancing
    ANTHROPIC_API_KEY_3: "" # Additional Anthropic API key for load balancing
    OLLAMA_URL: "" # Ollama local LLM server URL
    ELEVENLABS_API_KEY: "" # ElevenLabs API key for text-to-speech in deployed chat
    # Rate Limiting Configuration (per minute)
    RATE_LIMIT_WINDOW_MS: "60000" # Rate limit window duration (1 minute)
    RATE_LIMIT_FREE_SYNC: "10" # Free tier sync API executions
    RATE_LIMIT_PRO_SYNC: "25" # Pro tier sync API executions
    RATE_LIMIT_TEAM_SYNC: "75" # Team tier sync API executions
    RATE_LIMIT_ENTERPRISE_SYNC: "150" # Enterprise tier sync API executions
    RATE_LIMIT_FREE_ASYNC: "50" # Free tier async API executions
    RATE_LIMIT_PRO_ASYNC: "200" # Pro tier async API executions
    RATE_LIMIT_TEAM_ASYNC: "500" # Team tier async API executions
    RATE_LIMIT_ENTERPRISE_ASYNC: "1000" # Enterprise tier async API executions
    MANUAL_EXECUTION_LIMIT: "999999" # Manual execution bypass value
    # UI Branding & Whitelabeling Configuration
    NEXT_PUBLIC_BRAND_NAME: "Sim" # Custom brand name
    NEXT_PUBLIC_BRAND_LOGO_URL: "" # Custom logo URL (leave empty for default)
    NEXT_PUBLIC_BRAND_FAVICON_URL: "" # Custom favicon URL (leave empty for default)
    NEXT_PUBLIC_CUSTOM_CSS_URL: "" # Custom stylesheet URL (leave empty for none)
    NEXT_PUBLIC_SUPPORT_EMAIL: "help@sim.ai" # Support email address
    NEXT_PUBLIC_DOCUMENTATION_URL: "" # Documentation URL (leave empty for none)
    NEXT_PUBLIC_TERMS_URL: "" # Terms of service URL (leave empty for none)
    NEXT_PUBLIC_PRIVACY_URL: "" # Privacy policy URL (leave empty for none)
    # Access Control (leave empty if not restricting login)
    # With both lists empty and EMAIL_VERIFICATION_ENABLED "false", sign-up appears to be
    # open to anyone who can reach the app URL - confirm against the app before exposing it.
    ALLOWED_LOGIN_EMAILS: "" # Comma-separated list of allowed email addresses for login
    ALLOWED_LOGIN_DOMAINS: "" # Comma-separated list of allowed email domains for login
  # Service configuration
  service:
    type: ClusterIP
    port: 3000
    targetPort: 3000
  # Health checks
  livenessProbe:
    httpGet:
      path: /
      port: 3000
    initialDelaySeconds: 10
    periodSeconds: 90
    timeoutSeconds: 5
    failureThreshold: 3
  readinessProbe:
    httpGet:
      path: /
      port: 3000
    initialDelaySeconds: 10
    periodSeconds: 90
    timeoutSeconds: 5
    failureThreshold: 3
# Realtime socket server configuration
realtime:
  # Enable/disable the realtime service
  enabled: true
  # Image configuration
  image:
    repository: simstudioai/realtime
    # Floating tag; pin a version or digest for reproducible rollouts
    tag: latest
    pullPolicy: Always
  # Number of replicas
  replicaCount: 1
  # Resource limits and requests
  resources:
    limits:
      memory: "2Gi"
      cpu: "1000m"
    requests:
      memory: "1Gi"
      cpu: "500m"
  # Node selector for pod scheduling (leave empty to allow scheduling on any node)
  nodeSelector: {}
  # Pod security context
  podSecurityContext:
    fsGroup: 1001
  # Container security context
  securityContext:
    runAsNonRoot: true
    runAsUser: 1001
  # Environment variables
  env:
    # Application URLs (must match the values under app.env)
    NEXT_PUBLIC_APP_URL: "http://localhost:3000"
    BETTER_AUTH_URL: "http://localhost:3000"
    NEXT_PUBLIC_SOCKET_URL: "http://localhost:3002"
    # Authentication secret (REQUIRED for production)
    # Must match the BETTER_AUTH_SECRET value from the main app configuration
    BETTER_AUTH_SECRET: "" # REQUIRED - set via --set flag or external secret manager
    # Cross-Origin Resource Sharing (CORS) allowed origins
    # Set this to the browser-facing app origin (scheme, host and port); in an ingress
    # deployment that is the ingress.app.host URL, not localhost.
    ALLOWED_ORIGINS: "http://localhost:3000"
    # Node environment
    NODE_ENV: "production"
  # Service configuration
  service:
    type: ClusterIP
    port: 3002
    targetPort: 3002
  # Health checks
  livenessProbe:
    httpGet:
      path: /health
      port: 3002
    initialDelaySeconds: 10
    periodSeconds: 90
    timeoutSeconds: 5
    failureThreshold: 3
  readinessProbe:
    httpGet:
      path: /health
      port: 3002
    initialDelaySeconds: 10
    periodSeconds: 90
    timeoutSeconds: 5
    failureThreshold: 3
# Database migrations job configuration
migrations:
  # Enable/disable migrations job
  enabled: true
  # Image configuration
  image:
    repository: simstudioai/migrations
    # Floating tag; pin it to the same release as app.image.tag so schema and code match
    tag: latest
    pullPolicy: Always
  # Resource limits and requests (no CPU limit is set; only memory is capped)
  resources:
    limits:
      memory: "1Gi"
    requests:
      memory: "512Mi"
      cpu: "100m"
  # Pod security context
  podSecurityContext:
    fsGroup: 1001
  # Container security context
  securityContext:
    runAsNonRoot: true
    runAsUser: 1001
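# PostgreSQL database configuration
postgresql:
  # Enable/disable internal PostgreSQL deployment
  enabled: true
  # Image configuration
  image:
    repository: pgvector/pgvector
    tag: pg17
    pullPolicy: IfNotPresent
  # Authentication configuration
  auth:
    username: postgres
    # Values passed with --set are stored in the Helm release Secret and may remain in shell
    # history; prefer --set-file or a values file that is kept out of version control.
    password: "" # REQUIRED - set via --set flag or external secret manager
    database: sim
  # Node selector for database pod scheduling (leave empty to allow scheduling on any node)
  nodeSelector: {}
  # Resource limits and requests
  resources:
    limits:
      memory: "2Gi"
    requests:
      memory: "1Gi"
      cpu: "500m"
  # Pod security context
  podSecurityContext:
    fsGroup: 999
  # Container security context
  # runAsNonRoot is set for consistency with the app, realtime, migrations and cronjobs
  # containers, so the kubelet rejects the container if it ever resolves to UID 0.
  securityContext:
    runAsNonRoot: true
    runAsUser: 999
  # Persistence configuration
  persistence:
    enabled: true
    storageClass: ""
    size: 10Gi
    accessModes:
      - ReadWriteOnce
  # SSL/TLS configuration (enable for production deployments with certificates)
  # Requires cert-manager to be installed in the cluster
  tls:
    enabled: false
    certificatesSecret: postgres-tls-secret
    # Certificate configuration (only used if enabled)
    duration: "87600h" # 10 years (default)
    renewBefore: "2160h" # Renew 90 days before expiry (default)
    rotationPolicy: "" # Set to "Always" to rotate private key on renewal (recommended for security)
    privateKey:
      algorithm: RSA # RSA or ECDSA
      size: 4096 # Key size in bits
    # Issuer reference (REQUIRED if tls.enabled is true)
    # The default self-signed issuer encrypts the connection, but clients can only verify the
    # server if they are given that issuer's CA; use a trusted issuer where verification matters.
    issuerRef:
      name: selfsigned-cluster-issuer # Name of your cert-manager Issuer/ClusterIssuer
      kind: ClusterIssuer # ClusterIssuer or Issuer
      group: "" # Optional: cert-manager.io (leave empty for default)
    # Additional DNS names (optional)
    additionalDnsNames: []
    # Example:
    # additionalDnsNames:
    #   - postgres.example.com
    #   - db.example.com
  # PostgreSQL configuration
  config:
    maxConnections: 1000
    sharedBuffers: "1280MB"
    maxWalSize: "4GB"
    minWalSize: "80MB"
  # Service configuration
  service:
    type: ClusterIP
    port: 5432
    targetPort: 5432
  # Health checks
  # The probe commands hard-code the user and database name; keep them in sync with
  # auth.username and auth.database, otherwise the probes fail after either is changed.
  livenessProbe:
    exec:
      command: ["pg_isready", "-U", "postgres", "-d", "sim"]
    initialDelaySeconds: 10
    periodSeconds: 5
  readinessProbe:
    exec:
      command: ["pg_isready", "-U", "postgres", "-d", "sim"]
    initialDelaySeconds: 5
    periodSeconds: 3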
# External database configuration (use when connecting to managed database services)
externalDatabase:
  # Enable to use an external database instead of the internal PostgreSQL instance
  enabled: false
  # Database connection details
  host: "external-db.example.com"
  port: 5432
  username: postgres
  # REQUIRED when enabled - set via --set flag or external secret manager, as for postgresql.auth.password
  password: ""
  database: sim
  # SSL configuration
  # In libpq terms "require" encrypts the connection but does not verify the server certificate;
  # use "verify-ca" or "verify-full" together with a trusted CA when the server presents a
  # verifiable certificate, so a spoofed database endpoint is rejected.
  sslMode: require
# Ollama local AI models configuration
ollama:
  # Enable/disable Ollama deployment
  enabled: false
  # Image configuration
  image:
    repository: ollama/ollama
    # Floating tag; pin a version or digest for reproducible rollouts
    tag: latest
    pullPolicy: Always
  # Number of replicas
  replicaCount: 1
  # GPU configuration
  gpu:
    enabled: false
    count: 1
    # Node selector for GPU workloads (adjust labels based on your cluster configuration)
    nodeSelector:
      accelerator: nvidia
    # Tolerations for GPU nodes (adjust based on your cluster's GPU node taints)
    tolerations:
      - key: "sku"
        operator: "Equal"
        value: "gpu"
        effect: "NoSchedule"
  # Resource limits and requests
  resources:
    limits:
      memory: "8Gi"
      nvidia.com/gpu: "1"
    requests:
      memory: "4Gi"
      cpu: "1000m"
  # Environment variables
  env:
    NVIDIA_DRIVER_CAPABILITIES: "all"
    OLLAMA_LOAD_TIMEOUT: "-1"
    OLLAMA_KEEP_ALIVE: "-1"
    # Debug logging is on by default here; it is verbose, so turn it off once the deployment is stable
    OLLAMA_DEBUG: "1"
  # Persistence configuration
  persistence:
    enabled: true
    storageClass: ""
    size: 100Gi
    accessModes:
      - ReadWriteOnce
  # Service configuration (ClusterIP only; the Ollama API is not exposed outside the cluster by this chart)
  service:
    type: ClusterIP
    port: 11434
    targetPort: 11434
  # Health checks
  startupProbe:
    httpGet:
      path: /
      port: 11434
    initialDelaySeconds: 10
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 10
  livenessProbe:
    httpGet:
      path: /
      port: 11434
    initialDelaySeconds: 60
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
  readinessProbe:
    httpGet:
      path: /
      port: 11434
    initialDelaySeconds: 30
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 3
# Ingress configuration
ingress:
  # Enable/disable ingress
  enabled: false
  # Ingress class name
  className: nginx
  # Annotations
  annotations:
    # ingress-nginx redirects HTTP to HTTPS. Pair it with tls.enabled: true and a valid
    # secretName, otherwise the redirect target is presumably served with the controller's
    # default certificate - verify on the cluster.
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
  # Main application host configuration
  # app.env and realtime.env URL/origin values must be updated to match these hosts
  app:
    host: sim.local
    paths:
      - path: /
        pathType: Prefix
  # Realtime service host configuration
  realtime:
    host: sim-ws.local
    paths:
      - path: /
        pathType: Prefix
  # TLS configuration
  tls:
    enabled: false
    secretName: sim-tls-secret
# Service Account configuration
serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use (leave empty to use the chart-generated name)
  name: ""
# Horizontal Pod Autoscaler
autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 10
  targetCPUUtilizationPercentage: 80
  targetMemoryUtilizationPercentage: 80
  # Custom metrics for scaling (advanced users can add custom metrics here)
  customMetrics: []
  # Scaling behavior configuration (customize scale-up/down policies)
  # Example configuration:
  # behavior:
  #   scaleDown:
  #     stabilizationWindowSeconds: 300
  #     policies:
  #       - type: Percent
  #         value: 50
  #         periodSeconds: 60
  #   scaleUp:
  #     stabilizationWindowSeconds: 60
  #     policies:
  #       - type: Percent
  #         value: 100
  #         periodSeconds: 15
  #       - type: Pods
  #         value: 2
  #         periodSeconds: 60
  behavior: {}
# Pod disruption budget
# Note: PDBs only protect against voluntary disruptions (node drains, autoscaler)
# They do NOT affect rolling updates - use deployment.strategy.rollingUpdate for that
podDisruptionBudget:
  enabled: false
  # Use either minAvailable or maxUnavailable (not both)
  # Recommendation: Use maxUnavailable as it scales better with HPA
  # - minAvailable: minimum pods that must remain available (e.g., 1, "50%")
  # - maxUnavailable: maximum pods that can be unavailable (e.g., 1, "25%")
  minAvailable: null
  maxUnavailable: 1
  # unhealthyPodEvictionPolicy: allows eviction of unhealthy pods during node drains
  # Options: IfHealthyBudget (default) | AlwaysAllow (recommended for production)
  # Set to null to use K8s default (IfHealthyBudget)
  unhealthyPodEvictionPolicy: null
# Monitoring configuration
monitoring:
  # ServiceMonitor for Prometheus
  serviceMonitor:
    enabled: false
    # Additional labels for ServiceMonitor
    labels: {}
    # Additional annotations for ServiceMonitor
    annotations: {}
    # Metrics path
    path: /metrics
    # Scrape interval
    interval: 30s
    # Scrape timeout
    scrapeTimeout: 10s
    # Target labels to be added to scraped metrics
    targetLabels: []
    # Metric relabeling configurations
    metricRelabelings: []
    # Relabeling configurations
    relabelings: []
# Network policies
# Disabled by default, so pod-to-pod traffic in the namespace is unrestricted unless the
# cluster applies its own policies; enable and supply rules to limit access to the database
# and realtime services to the pods that need them.
networkPolicy:
  enabled: false
  # Custom ingress rules
  ingress: []
  # Custom egress rules
  egress: []
# Shared storage for enterprise workflows requiring data sharing between pods
sharedStorage:
  enabled: false
  # Storage class for shared volumes (must support ReadWriteMany access)
  storageClass: ""
  # Default access modes for shared volumes (ReadWriteMany required for multi-pod access)
  defaultAccessModes:
    - ReadWriteMany
  # Define shared volumes for your workflows (uncomment and customize as needed)
  # Example volume configurations:
  # volumes:
  #   - name: output-share
  #     size: 100Gi
  #     accessModes:
  #       - ReadWriteMany
  #     annotations: {}
  #   - name: rawdata-share
  #     size: 500Gi
  #     accessModes:
  #       - ReadWriteMany
  #   - name: model-share
  #     size: 200Gi
  #     accessModes:
  #       - ReadWriteMany
  #   - name: logs-share
  #     size: 50Gi
  #     accessModes:
  #       - ReadWriteMany
  volumes: []
# Additional volumes for custom configurations (advanced users)
extraVolumes: []
extraVolumeMounts: []
# Additional environment variables for custom integrations
# (a list of env entries; for secret values prefer valueFrom.secretKeyRef over literal values)
extraEnvVars: []
# Pod annotations for custom metadata
podAnnotations: {}
# Pod labels for custom labeling
podLabels: {}
# Affinity settings for advanced pod scheduling
affinity: {}
# Tolerations for scheduling on tainted nodes
tolerations: []
# CronJob configuration for scheduled tasks
# Each job is a curl container (see image below) that calls the app at the configured path.
cronjobs:
  # Enable/disable all cron jobs
  enabled: true
  # Individual job configurations
  jobs:
    scheduleExecution:
      enabled: true
      name: schedule-execution
      schedule: "*/1 * * * *"
      path: "/api/schedules/execute"
      # Forbid skips a run while the previous one is still active
      concurrencyPolicy: Forbid
      successfulJobsHistoryLimit: 3
      failedJobsHistoryLimit: 1
    gmailWebhookPoll:
      enabled: true
      name: gmail-webhook-poll
      schedule: "*/1 * * * *"
      path: "/api/webhooks/poll/gmail"
      concurrencyPolicy: Forbid
      successfulJobsHistoryLimit: 3
      failedJobsHistoryLimit: 1
    outlookWebhookPoll:
      enabled: true
      name: outlook-webhook-poll
      schedule: "*/1 * * * *"
      path: "/api/webhooks/poll/outlook"
      concurrencyPolicy: Forbid
      successfulJobsHistoryLimit: 3
      failedJobsHistoryLimit: 1
  # Global CronJob settings
  image:
    repository: curlimages/curl
    tag: 8.5.0
    pullPolicy: IfNotPresent
  resources:
    limits:
      memory: "128Mi"
      cpu: "100m"
    requests:
      memory: "64Mi"
      cpu: "50m"
  restartPolicy: OnFailure
  # A run is terminated after 300s; a missed run is skipped if it cannot start within 60s
  activeDeadlineSeconds: 300
  startingDeadlineSeconds: 60
  # Pod security context
  podSecurityContext:
    fsGroup: 1001
  # Container security context
  securityContext:
    runAsNonRoot: true
    runAsUser: 1001
# Observability and telemetry configuration
telemetry:
  # Enable/disable telemetry collection
  enabled: false
  # OpenTelemetry Collector image
  image:
    repository: otel/opentelemetry-collector-contrib
    tag: 0.91.0
    pullPolicy: IfNotPresent
  # Number of collector replicas
  replicaCount: 1
  # Resource limits and requests
  resources:
    limits:
      memory: "512Mi"
      cpu: "500m"
    requests:
      memory: "256Mi"
      cpu: "100m"
  # Node selector for telemetry pod scheduling (leave empty to allow scheduling on any node)
  nodeSelector: {}
  # Tolerations for telemetry workloads
  tolerations: []
  # Affinity for telemetry workloads
  affinity: {}
  # Service configuration
  service:
    type: ClusterIP
  # Jaeger tracing backend
  jaeger:
    enabled: false
    # Plain-text endpoint unless tls.enabled is set to true
    endpoint: "http://jaeger-collector:14250"
    tls:
      enabled: false
  # Prometheus metrics backend
  prometheus:
    enabled: false
    endpoint: "http://prometheus-server/api/v1/write"
    # Credential for the remote-write endpoint; treat it like the other secrets in this file
    # (set via --set-file or an external secret manager, not committed here)
    auth: ""
  # Generic OTLP backend
  otlp:
    enabled: false
    # Plain-text endpoint unless tls.enabled is set to true
    endpoint: "http://otlp-collector:4317"
    tls:
      enabled: false