# Helm

gestaltd publishes an OCI Helm chart for Kubernetes deployments.

## Install the chart
```shell
helm upgrade --install gestaltd \
  oci://ghcr.io/valon-technologies/charts/gestaltd \
  --namespace gestalt \
  --set image.tag=<version> \
  -f values.yaml
```

The default chart profile is for local or disposable testing only:
- platform authentication is omitted
- SQLite uses a PVC mounted at `/data`
- `server.encryptionKey` is a static dev-only value
- one replica
- no ingress

Before any shared or production deployment, set a real encryption key,
configure authentication, use a networked datastore, and set server.baseUrl
to the public HTTPS URL.
## Production values
This example uses OIDC authentication, a networked RelationalDB datastore, and
an internal management listener for /admin and /metrics:

```yaml
service:
  type: ClusterIP
  port: 8080
managementService:
  enabled: true
  type: ClusterIP
  port: 9090
config:
  server:
    public:
      port: 8080
    management:
      host: 0.0.0.0
      port: 9090
    baseUrl: "${GESTALT_BASE_URL}"
    encryptionKey: "${GESTALT_ENCRYPTION_KEY}"
    providers:
      authentication: oidc
      indexeddb: main
  providers:
    authentication:
      oidc:
        source:
          package: github.com/valon-technologies/gestalt-providers/auth/oidc
          version: 0.0.1-alpha.1
        config:
          issuerUrl: "${OIDC_ISSUER_URL}"
          clientId: "${OIDC_CLIENT_ID}"
          clientSecret: "${OIDC_CLIENT_SECRET}"
    indexeddb:
      main:
        source:
          package: github.com/valon-technologies/gestalt-providers/indexeddb/relationaldb
          version: 0.0.1-alpha.1
        config:
          dsn: "${DATABASE_URL}"
extraEnv:
  - name: GESTALT_BASE_URL
    value: "https://gestalt.example.com"
  - name: GESTALT_ENCRYPTION_KEY
    valueFrom:
      secretKeyRef:
        name: gestaltd-secrets
        key: encryption-key
  - name: OIDC_ISSUER_URL
    value: "https://login.example.com"
  - name: OIDC_CLIENT_ID
    valueFrom:
      secretKeyRef:
        name: gestaltd-secrets
        key: oidc-client-id
  - name: OIDC_CLIENT_SECRET
    valueFrom:
      secretKeyRef:
        name: gestaltd-secrets
        key: oidc-client-secret
  - name: DATABASE_URL
    valueFrom:
      secretKeyRef:
        name: gestaltd-secrets
        key: database-url
preparation:
  enabled: true
```

Apply the values file with:
```shell
helm upgrade --install gestaltd \
  oci://ghcr.io/valon-technologies/charts/gestaltd \
  --namespace gestalt \
  --set image.tag=<version> \
  -f values-production.yaml
```

Keep the management Service internal. If operators need browser access to
/admin, put an internal-only ingress, VPN, or identity-aware proxy in front
of the management Service.
If you protect /admin with server.admin.authorizationPolicy on a split
public/management deployment, also set config.server.management.baseUrl.
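A values-file check covering the test-only defaults listed above and the production layout shown here, as an added example that is not part of the chart: it takes an already-parsed values dict (for example from `yaml.safe_load`), confirms that `encryptionKey`, `clientSecret` and `dsn` resolve through `extraEnv` to a `secretKeyRef` rather than a literal, that an authentication provider is selected and each selected provider is defined, that `server.baseUrl` is an HTTPS URL, and that an enabled management Service stays `ClusterIP`. The `SENSITIVE_KEYS` list and the `DEV_VALUES` sample are this example's own constructions.

```python
import re
PLACEHOLDER = re.compile(r"^\$\{([A-Za-z0-9_]+)\}$")
SENSITIVE_KEYS = {"encryptionKey", "clientSecret", "dsn"}  # this example's own list
SECRET = object()  # sentinel: value lives in a Kubernetes Secret, not in values.yaml

def get(node, *path):
    for key in path:  # safe nested lookup, None if any step is missing
        node = node.get(key) if isinstance(node, dict) else None
    return node

def resolve(values, raw):
    """Expand ${VAR} via extraEnv: SECRET for secretKeyRef, inline string for a literal, None if absent."""
    match = PLACEHOLDER.match(str(raw))
    if not match:
        return raw
    for env in values.get("extraEnv") or []:
        if env.get("name") == match.group(1):
            return SECRET if "valueFrom" in env else env.get("value")
    return None

def sensitive_leaves(node, path=("config",)):
    """Yield (dotted path, value) for each SENSITIVE_KEYS entry under config."""
    for key, child in (node or {}).items():
        if isinstance(child, dict):
            yield from sensitive_leaves(child, path + (key,))
        elif key in SENSITIVE_KEYS:
            yield ".".join(path + (key,)), child

def lint(values):
    """Return findings against the production checklist; [] means it passes."""
    findings = []
    for path, leaf in sensitive_leaves(values.get("config")):
        if resolve(values, leaf) is not SECRET:
            findings.append(f"{path} is not sourced from a Secret")
    for kind in ("authentication", "indexeddb"):
        name = get(values, "config", "server", "providers", kind)
        if not name:
            findings.append(f"config.server.providers.{kind} is unset")
        elif get(values, "config", "providers", kind, name) is None:
            findings.append(f"config.server.providers.{kind} names undefined provider {name!r}")
    base = resolve(values, get(values, "config", "server", "baseUrl") or "")
    if base is not SECRET and not str(base).startswith("https://"):
        findings.append("config.server.baseUrl is not a public HTTPS URL")
    if get(values, "managementService", "enabled") and get(values, "managementService", "type") != "ClusterIP":
        findings.append("managementService.type should stay ClusterIP")
    return findings

# Constructed sample in the shape of the chart's test-only default profile; expect 4 findings.
DEV_VALUES = {"config": {
    "server": {"encryptionKey": "dev-only-key", "baseUrl": "http://localhost:8080", "providers": {"indexeddb": "main"}},
    "providers": {"indexeddb": {"main": {"config": {"dsn": "file:/data/gestalt.db"}}}}}}
```

Run `lint(yaml.safe_load(open("values-production.yaml")))` in CI and fail the deploy on a non-empty result.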
## Important values

| Value | Purpose |
|---|---|
| `config` | Rendered as /etc/gestaltd/config.yaml. |
| `extraEnv` | Environment variables used by `${VAR}` placeholders in config. |
| `persistence` | PVC settings for SQLite or other local state. |
| `preparation.enabled` | Runs `gestaltd lock` and `gestaltd sync --locked` in init containers before the main server starts. |
| `lockedServe.enabled` | Adds `--locked` to the main container without running the chart preparation containers. |
| `ingress` | Public ingress settings. |
| `managementService` | Optional internal Service for the management listener. |
## Lock state
Enable `preparation.enabled` when the chart should prepare locked state from
published provider packages or packaged UI bundles. The chart runs:

```shell
/gestaltd lock \
  --config /etc/gestaltd-config/config.yaml \
  --lockfile /etc/gestaltd-state/gestalt.lock.json
/gestaltd sync --locked \
  --config /etc/gestaltd-config/config.yaml \
  --lockfile /etc/gestaltd-state/gestalt.lock.json \
  --artifacts-dir /etc/gestaltd-state/artifacts
```

For strict reproducibility, prepare lock state outside the chart, set
`preparation.enabled: false`, set `lockedServe.enabled: true`, and bake or
mount gestalt.lock.json and the prepared artifacts before startup.
See Configuration for the lockfile and prepared artifact model.