# Example values.yaml

The following snippet shows an example `values.yaml` file for a Helm installation of CircleCI Server in an air-gapped environment.

## Resources

The chart assumes an environment with the following resources:

*   A K3s cluster for the installation of the Helm chart
    
*   MetalLB pre-configured on the K3s cluster for ingress
    
*   A private Docker registry at `docker.internal.example.com` running on port 5000 with no TLS encryption
    
*   A Nomad instance with mTLS disabled
    
*   An S3 compatible storage instance running at `s3.internal.example.com`, with its API listening on port 9000, and no TLS
    
*   A TLS certificate issued for both domains `server.internal.example.com` and `*.server.internal.example.com`.
    

For more information about specific values, see the standard installation documentation, starting with the following:

*   [Phase 2 AWS - Core Services](https://circleci.com/docs/server-admin/latest/installation/phase-2-aws-core-services/)
    
*   [Phase 2 GCP - Core Services](https://circleci.com/docs/server-admin/latest/installation/phase-2-gcp-core-services/)
    

## `values.yaml`

`````````

# Private docker registry at docker.internal.example.com:5000
global:
  domainName: "server.internal.example.com"
  license: '<<your-server-license-here>>'
  container:
    registry: "docker.internal.example.com:5000"
    org: "<image-registry-org>"

# GitHub Enterprise
github:
  hostname: "github.internal.example.com"
  unsafeDisableWebhookSSLVerification: true # If using self-signed certificates
  enterprise: true
  selfSignedCert: true # If using self-signed certificates
  # These must be generated and added manually from GitHub Enterprise
  clientId: "<<github-enterprise-oauth-app-client-id>>"
  clientSecret: "<<github-enterprise-oauth-app-client-secret>>"
  defaultToken: "<<github-enterprise-personal-application-token>>"

# TLS with your provider
tls:
  certificate: "<<your-generated-tls-certificate>>"
  privateKey: "<<your-generated-tls-private-key>>"

# Object storage
object_storage:
  bucketName: "circleci-data" # Update to the name of the bucket created in Object Store
  expireAfter: 0
  s3:
    enabled: true
    endpoint: "http://s3.internal.example.com:<port>"
    accessKey: "<<s3-username>>"
    secretKey: "<<s3-password>>"

# Distributor using CircleCI Agent Stored in Object Store
distributor:
  agent_base_url: http://s3.internal.example.com:<port>/circleci-data
  launch_agent_base_url: http://s3.internal.example.com:<port>/circleci-data

# Nomad
nomad:
  buildAgentImage: "docker.internal.example.com:<port>/circleci/picard" # Do not provide image version, only image name and registry
  server:
    gossip:
      encryption:
        key: "<<nomad-gossip-encryption-key>>"
    rpc:
      mTLS:
        enabled: false # mTLS is disabled - it is recommended that this be enabled

# Machine provisioner disabled - Requires cloud connectivity
machine_provisioner:
  enabled: false

docker_provisioner:
  enabled: false

# Additional nginx annotations
nginx:
  annotations:
    # This example uses MetalLB as a k3s load balancer
    metallb.universe.tf/allow-shared-ip: default

# The below values require no special modifications for an air-gapped environment

keyset:
  signing: '<<circleci-signing-key>>'
  encryption: '<<circleci-encryption-key>>'

mongodb:
  auth:
    rootPassword: "<<mongodb-root-password>>"
    password: "<<mongodb-password>>"

pusher:
  secret: "<<pusher-secret>>"

postgresql:
  auth:
    postgresPassword: "<<postgres-password>>"

rabbitmq:
  auth:
    password: "<<rabbitmq-password>>"
    erlangCookie: "<<rabbitmq-erlang-cookie>>"
`````````
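
The example above relaxes several transport protections (plaintext `http://` object storage URLs, `unsafeDisableWebhookSSLVerification: true`, Nomad RPC mTLS off) and is full of placeholders. The following pre-install check is an added example, not part of the CircleCI chart or tooling: it flags those settings and any placeholder left unreplaced. The `flatten` and `audit` helpers are hypothetical names, the sample input is constructed from keys shown above, and the parser only handles the plain nested mappings used on this page.

```python
import re

# Constructed sample: a few keys copied from the values.yaml above.
SAMPLE = """\
github:
  unsafeDisableWebhookSSLVerification: true # If using self-signed certificates
  clientSecret: "<<github-enterprise-oauth-app-client-secret>>"
object_storage:
  s3:
    endpoint: "http://s3.internal.example.com:<port>"
nomad:
  server:
    rpc:
      mTLS:
        enabled: false
"""

def flatten(text):
    """Flatten the nested-mapping YAML subset used on this page to {dotted.path: value}."""
    out, stack = {}, []  # stack: (indent, key) of the currently open parent mappings
    for raw in text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw)  # drop trailing and indented comments
        m = re.match(r"^(\s*)([\w.\-/]+):\s*(.*)$", line)
        if not m:
            continue  # blank lines and column-0 comments
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip("\"' ")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings that ended at this indent level
        if value:
            out[".".join([k for _, k in stack] + [key])] = value
        else:
            stack.append((indent, key))
    return out

def audit(text):
    """Return sorted (path, finding) pairs for weakened or unfinished settings."""
    findings = []
    for path, value in flatten(text).items():
        if re.search(r"<[^<>]+>", value):
            findings.append((path, "unreplaced placeholder"))
        if value.startswith("http://"):
            findings.append((path, "plaintext HTTP endpoint"))
        if path == "github.unsafeDisableWebhookSSLVerification" and value == "true":
            findings.append((path, "webhook TLS verification disabled"))
        if path == "nomad.server.rpc.mTLS.enabled" and value == "false":
            findings.append((path, "Nomad RPC mTLS disabled"))
    return sorted(findings)

if __name__ == "__main__":
    for path, finding in audit(SAMPLE):
        print(f"{path}: {finding}")
```

Pass the contents of your own `values.yaml` to `audit()` before running `helm install`, and treat each finding as something to either fix or explicitly accept for the air-gapped network.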