# Installation reference

## Example manifests

The following are example manifests that contain the basic required parameters necessary to spin up the `circleci-server` Helm installation.

### AWS

The snippet below is an example manifest of the necessary parameters for an installation of CircleCI server in an AWS environment. Note that this installation uses IAM roles for service accounts (IRSA), which is recommended. Fields with base64 encoding are marked as such.

`````````yaml
global:
  domainName: "<full-domain-name-of-your-install>"
  license: '<license>'
  container:
    registry: cciserver.azurecr.io
    org:

apiToken: "<circleci-api-token>"
sessionCookieKey: "<session-cookie-key>"

keyset:
  signing: '<generated-signing-key>'
  encryption: '<generated-encryption-key>'

nomad:
  server:
    gossip:
      encryption:
        key: "<nomad-gossip-encryption-key>"
    rpc:
      mTLS:
        enabled: true
        CACertificate: "<nomad-mtls-base64-ca>"
        certificate: "<nomad-mtls-base64-cert>"
        privateKey: "<nomad-mtls-base64-key>"

object_storage:
  bucketName: '<s3-bucket-name>'
  s3:
    enabled: true
    endpoint: "<aws-region-url>" # ex: https://s3.us-east-1.amazonaws.com
    region: "<aws-region>" # defaults to us-east-1, Update this value if you are using a different region
    irsaRole: "<arn-of-irsa-role>"

github:
  clientId: "<generated-github-client-id>"
  clientSecret: "<generated-github-client-secret>"

machine_provisioner:
  providers:
    ec2:
      enabled: true
      region: "<aws-region>"
      subnets:
        - "<subnet-id>"
      securityGroupId: "<security-group-id>"
      irsaRole: "<arn-of-irsa-role>"
      tags:
        name1: "value1"
        name2: "value2"

mongodb:
  auth:
    rootPassword: "<mongodb-root-password>"
    password: "<mongodb-password>"

postgresql:
  auth:
    postgresPassword: "<postgres-password>"

pusher:
  secret: "<pusher-secret>"

rabbitmq:
  auth:
    password: "<rabbitmq-password>"
    erlangCookie: "<rabbitmq-erlang-cookie>"
`````````

### GCP

The snippet below is an example manifest of the necessary parameters for an installation of CircleCI server in a GCP environment. Note that this installation uses Workload Identity, which is recommended. Fields with base64 encoding are marked as such.

`````````yaml
global:
  domainName: "<full-domain-name-of-your-install>"
  license: '<license-for-circleci-server>'
  container:
    registry: cciserver.azurecr.io
    org:

apiToken: "<circleci-api-token>"
sessionCookieKey: "<session-cookie-key>"

keyset:
  signing: '<generated-signing-key>'
  encryption: '<generated-encryption-key>'

github:
  clientId: "<generated-github-client-id>"
  clientSecret: "<generated-github-client-secret>"

object_storage:
  bucketName: "<gcs-bucket-name>"
  gcs:
    enabled: true
    workloadIdentity: "<service-account-email-with-gcs-access>"

mongodb:
  auth:
    rootPassword: "<mongodb-root-password>"
    password: "<mongodb-password>"

machine_provisioner:
  providers:
    gcp:
      enabled: true
      project_id: <gcp-project-id>
      network_tags:
        - <network-tag>
      zones:
        - <gcp-zone1>
        - <gcp-zone2>
      network: "<gcp-network>"
      subnetwork: "" # leave blank for auto-subnetting
      workloadIdentity: "<service-account-email-with-compute-access>"

pusher:
  secret: "<pusher-secret>"

postgresql:
  auth:
    postgresPassword: "<postgres-password>"

rabbitmq:
  auth:
    password: "<rabbitmq-password>"
    erlangCookie: "<rabbitmq-erlang-cookie>"

nomad:
  server:
    gossip:
      encryption:
        key: "<nomad-gossip-encryption-key>"
    rpc:
      mTLS:
        enabled: true
        CACertificate: "<nomad-mtls-base64-ca>"
        certificate: "<nomad-mtls-base64-cert>"
        privateKey: "<nomad-mtls-base64-key>"
`````````
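A values file like the two manifests above is the last thing a reviewer sees before `helm install`. As an added example (not part of the CircleCI documentation or chart), the script below audits a parsed values file for the switches the options reference in the next section marks as unsafe, for `<...>` placeholders that were never replaced, and for static cloud credentials where the reference recommends IRSA or Workload Identity instead. The sample values, the `audit_values` function and the assumed chart default for `nomad.server.rpc.mTLS.enabled` are all constructed here.

```python
"""Pre-deploy audit for a circleci-server Helm values file.

Added example, not part of the CircleCI documentation or chart. It walks a
parsed values.yaml (a plain dict, as yaml.safe_load returns) and reports
settings the options reference marks as unsafe, leftover template
placeholders, and static cloud credentials where IRSA / Workload Identity
is recommended. Findings are returned so a CI job can fail on them.
"""
import re
from typing import Any, Iterator

PLACEHOLDER = re.compile(r"^<[^<>]+>$")  # e.g. "<circleci-api-token>"

# (dotted key, chart default when absent, value that is a finding, message).
# Defaults come from the options table; the mTLS 'enabled' default is an
# assumption, because the table lists no default for that key.
FLAG_CHECKS = [
    ("github.unsafeDisableWebhookSSLVerification", False, True, "webhook TLS verification disabled"),
    ("nomad.server.service.unsafe_expose_api", False, True, "Nomad server API exposed"),
    ("mongodb.tlsInsecure", False, True, "MongoDB certificate verification disabled"),
    ("nomad.server.gossip.encryption.enabled", True, False, "Nomad gossip encryption disabled"),
    ("nomad.server.rpc.mTLS.enabled", False, False, "Nomad RPC mTLS not enabled"),
    ("global.scheme", "https", "http", "install served over plain HTTP"),
]

# Static AWS keys and the IRSA alternative the reference recommends instead.
STATIC_AWS_KEYS = [
    ("object_storage.s3.accessKey", "object_storage.s3.irsaRole"),
    ("machine_provisioner.providers.ec2.accessKey", "machine_provisioner.providers.ec2.irsaRole"),
    ("nomad.auto_scaler.aws.accessKey", "nomad.auto_scaler.aws.irsaRole"),
]
# GCP service-account JSON blocks and their Workload Identity alternative.
GCP_SA_KEYS = [
    ("object_storage.gcs.service_account", "object_storage.gcs.workloadIdentity"),
    ("machine_provisioner.providers.gcp.service_account", "machine_provisioner.providers.gcp.workloadIdentity"),
    ("nomad.auto_scaler.gcp.service_account", "nomad.auto_scaler.gcp.workloadIdentity"),
]


def get_path(values: dict, dotted: str, default: Any = None) -> Any:
    """Return the value at a dotted key path, or default if any segment is missing."""
    node: Any = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def find_placeholders(node: Any, prefix: str = "") -> Iterator[str]:
    """Yield dotted keys whose value is still a '<...>' template placeholder."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from find_placeholders(child, f"{prefix}{key}.")
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from find_placeholders(child, f"{prefix}{index}.")
    elif isinstance(node, str) and PLACEHOLDER.match(node):
        yield prefix.rstrip(".")


def audit_values(values: dict) -> list[str]:
    """Return one finding string per problem, in a stable order."""
    findings = [f"{key}: placeholder value not replaced" for key in find_placeholders(values)]
    for key, chart_default, bad_value, message in FLAG_CHECKS:
        if get_path(values, key, chart_default) == bad_value:
            findings.append(f"{key}: {message}")
    for key_path, irsa_path in STATIC_AWS_KEYS:
        if get_path(values, key_path, "") and not get_path(values, irsa_path, ""):
            findings.append(f"{key_path}: static AWS credentials set; prefer IRSA via {irsa_path}")
    for sa_path, wi_path in GCP_SA_KEYS:
        service_account = get_path(values, sa_path, {})
        if isinstance(service_account, dict) and "private_key" in service_account \
                and not get_path(values, wi_path, ""):
            findings.append(f"{sa_path}: service-account key embedded; prefer Workload Identity via {wi_path}")
    if not get_path(values, "nginx.loadBalancerSourceRanges", []):
        findings.append("nginx.loadBalancerSourceRanges: no source IP restriction on the load balancer")
    return findings


# Constructed sample shaped like the AWS manifest above, with deliberate weak spots.
SAMPLE_VALUES = {
    "global": {"domainName": "ci.example.com", "license": "license-body-redacted", "scheme": "https"},
    "apiToken": "<circleci-api-token>",  # placeholder left in
    "github": {"clientId": "id", "clientSecret": "secret",
               "unsafeDisableWebhookSSLVerification": True},  # unsafe switch
    "nomad": {"server": {"gossip": {"encryption": {"key": "gossip-key"}},
                         "rpc": {"mTLS": {"enabled": True, "CACertificate": "ca",
                                          "certificate": "crt", "privateKey": "key"}}}},
    "object_storage": {"bucketName": "ci-artifacts",
                       "s3": {"enabled": True, "region": "us-east-1",
                              "accessKey": "static-key-id", "secretKey": "static-secret"}},  # no IRSA
    "nginx": {"loadBalancerSourceRanges": []},
}


def load_values(path: str) -> dict:
    """Load a real values.yaml; needs PyYAML, which the embedded sample does not."""
    import yaml
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}


if __name__ == "__main__":
    import sys
    problems = audit_values(load_values(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_VALUES)
    print("\n".join(problems) or "no findings")
    sys.exit(1 if problems else 0)
```

Run it with a values file path to audit a real manifest; without arguments it audits the embedded sample and exits non-zero because of the four findings.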

## All Helm `values.yaml` options

| Key | Type | Default | Description |
| --- | --- | --- | --- |
| `api_service.replicas` | int | `1` | Number of replicas to deploy for the api-service deployment. |
| `api_service.resources.limits.cpu` | string | `"2000m"` | CPU limit for the api-service deployment. |
| `api_service.resources.limits.memory` | string | `"8Gi"` | Memory limit for the api-service deployment. |
| `audit_log_service.replicas` | int | `1` | Number of replicas to deploy for the audit-log-service deployment. |
| `audit_log_service.resources.limits.cpu` | string | `"2000m"` | CPU limit for the audit-log-service deployment. |
| `audit_log_service.resources.limits.memory` | string | `"3584Mi"` | Memory limit for the audit-log-service deployment. |
| `branch_service.replicas` | int | `1` | Number of replicas to deploy for the branch-service deployment. |
| `branch_service.resources.limits.cpu` | string | `"1000m"` | CPU limit for the branch-service deployment. |
| `branch_service.resources.limits.memory` | string | `"1Gi"` | Memory limit for the branch-service deployment. |
| `builds_service.replicas` | int | `1` | Number of replicas to deploy for the builds-service deployment. |
| `builds_service.resources.limits.cpu` | string | `"1500m"` | CPU limit for the builds-service deployment. |
| `builds_service.resources.limits.memory` | string | `"6Gi"` | Memory limit for the builds-service deployment. |
| `contexts_service.replicas` | int | `1` | Number of replicas to deploy for the contexts-service deployment. |
| `contexts_service.resources.limits.cpu` | string | `"500m"` | CPU limit for the contexts-service deployment. |
| `contexts_service.resources.limits.memory` | string | `"1Gi"` | Memory limit for the contexts-service deployment. |
| `cron_service.replicas` | int | `1` | Number of replicas to deploy for the cron-service deployment. |
| `cron_service.resources.limits.cpu` | string | `"2000m"` | CPU limit for the cron-service deployment. |
| `cron_service.resources.limits.memory` | string | `"4Gi"` | Memory limit for the cron-service deployment. |
| `distributor.agent_base_url` | string | `"https://circleci-binary-releases.s3.amazonaws.com/circleci-agent"` | Location of the task-agent. When air-gapped, the task-agent must be hosted within the air gap and this value updated. |
| `distributor_cleaner.replicas` | int | `1` | Number of replicas to deploy for the distributor-cleaner deployment. |
| `distributor_cleaner.resources.limits.cpu` | string | `"500m"` | CPU limit for the distributor-cleaner deployment. |
| `distributor_cleaner.resources.limits.memory` | string | `"512Mi"` | Memory limit for the distributor-cleaner deployment. |
| `distributor_dispatcher.replicas` | int | `1` | Number of replicas to deploy for the distributor-dispatcher deployment. |
| `distributor_dispatcher.resources.limits.cpu` | string | `"500m"` | CPU limit for the distributor-dispatcher deployment. |
| `distributor_dispatcher.resources.limits.memory` | string | `"512Mi"` | Memory limit for the distributor-dispatcher deployment. |
| `distributor_external.replicas` | int | `1` | Number of replicas to deploy for the distributor-external deployment. |
| `distributor_external.resources.limits.cpu` | string | `"500m"` | CPU limit for the distributor-external deployment. |
| `distributor_external.resources.limits.memory` | string | `"512Mi"` | Memory limit for the distributor-external deployment. |
| `distributor_internal.replicas` | int | `1` | Number of replicas to deploy for the distributor-internal deployment. |
| `distributor_internal.resources.limits.cpu` | string | `"500m"` | CPU limit for the distributor-internal deployment. |
| `distributor_internal.resources.limits.memory` | string | `"512Mi"` | Memory limit for the distributor-internal deployment. |
| `docker_provisioner.agent_base_url` | string | `"https://circleci-binary-releases.s3.amazonaws.com/docker-provisioner"` | Location of the docker-provisioner agent. When air-gapped, the docker-provisioner agent must be hosted within the air gap and this value updated. |
| `docker_provisioner.config_path` | string | `""` | Path to config with information about Docker resource classes. |
| `docker_provisioner.enabled` | bool | `true` | |
| `docker_provisioner.external.replicas` | int | `1` | Number of replicas to deploy for the docker-provisioner-externalapi deployment. |
| `docker_provisioner.external.resources.limits.memory` | string | `"512Mi"` | Memory limit for the docker-provisioner-externalapi deployment. |
| `docker_provisioner.internal.replicas` | int | `1` | Number of replicas to deploy for the docker-provisioner-internalapi deployment. |
| `docker_provisioner.internal.resources.limits.memory` | string | `"512Mi"` | Memory limit for the docker-provisioner-internalapi deployment. |
| `docker_provisioner.plugin_repository_url` | string | `"https://circleci-binary-releases.s3.amazonaws.com"` | Location of the agent plugin binaries. When air-gapped, the plugin binaries must be hosted within the air gap and this value updated. |
| `docker_provisioner.provisioner.replicas` | int | `1` | Number of replicas to deploy for the docker-provisioner-provisioner deployment. |
| `docker_provisioner.provisioner.resources.limits.memory` | string | `"512Mi"` | Memory limit for the docker-provisioner-provisioner deployment. |
| `domain_service.replicas` | int | `1` | Number of replicas to deploy for the domain-service deployment. |
| `domain_service.resources.limits.cpu` | string | `"2000m"` | CPU limit for the domain-service deployment. |
| `domain_service.resources.limits.memory` | string | `"1536Mi"` | Memory limit for the domain-service deployment. |
| `execution_gateway.api.replicas` | int | `1` | Number of replicas to deploy for the execution-gateway-api deployment. |
| `execution_gateway.api.resources.limits.memory` | string | `"512Mi"` | Memory limit for the execution-gateway-api deployment. |
| `execution_gateway.force_legacy_ui` | string | `"false"` | |
| `execution_gateway.plan_concurrency` | int | `2500` | Maximum concurrency you wish to permit per org in your environment. |
| `execution_gateway.public_api.replicas` | int | `1` | Number of replicas to deploy for the execution-gateway-public-api deployment. |
| `execution_gateway.public_api.resources.limits.memory` | string | `"1536Mi"` | Memory limit for the execution-gateway-public-api deployment. |
| `feature_flags_api.replicas` | int | `1` | Number of replicas to deploy for the feature-flags-api deployment. |
| `feature_flags_api.resources.limits.memory` | string | `"512Mi"` | Memory limit for the feature-flags-api deployment. |
| `frontend.replicas` | int | `1` | Number of replicas to deploy for the frontend deployment. |
| `frontend.resources.limits.cpu` | string | `"2000m"` | CPU limit for the frontend deployment. |
| `frontend.resources.limits.memory` | string | `"2Gi"` | Memory limit for the frontend deployment. |
| `github` | object | `{"clientId":"","clientSecret":"","enterprise":false,"fingerprint":null,"hostname":"ghe.example.com","scheme":"https","unsafeDisableWebhookSSLVerification":false}` | VCS configuration details (currently limited to GitHub Enterprise and GitHub.com). |
| `github.clientId` | string | `""` | Client ID for OAuth login via GitHub (2 options).<br>**Option 1:** Set the value here and CircleCI will create the secret automatically.<br>**Option 2:** Leave this blank and create the secret yourself. CircleCI will assume it exists.<br>Create one by navigating to Settings > Developer Settings > OAuth Apps. Your homepage should be set to `{{ .Values.global.scheme }}://{{ .Values.global.domainName }}` and the callback should be `{{ .Values.global.scheme }}://{{ .Values.global.domainName }}/auth/github`. |
| `github.clientSecret` | string | `""` | Client secret for OAuth login via GitHub (2 options).<br>**Option 1:** Set the value here and CircleCI will create the secret automatically.<br>**Option 2:** Leave this blank and create the secret yourself. CircleCI will assume it exists.<br>Retrieved from the same location as specified in `github.clientId`. |
| `github.enterprise` | bool | `false` | Set to `true` for GitHub Enterprise and `false` for GitHub.com. |
| `github.fingerprint` | string | `nil` | Required when it is not possible to directly `ssh-keyscan` a GitHub Enterprise instance. It is not possible to proxy `ssh-keyscan`. |
| `github.hostname` | string | `"ghe.example.com"` | GitHub hostname. Ignored on GitHub.com. This is the hostname of your GitHub Enterprise installation. |
| `github.scheme` | string | `"https"` | One of `http` or `https`. Ignored on GitHub.com. Set to `http` if your GitHub Enterprise installation is not using TLS. |
| `github.unsafeDisableWebhookSSLVerification` | bool | `false` | Disable SSL verification in webhooks. This is not safe and should not be done in a production scenario. It is required if your GitHub installation does not trust the certificate authority that signed your CircleCI server certificates (e.g. they were self-signed). |
| `global.container.org` | string | `""` | The registry organization to pull all images from (if in use); defaults to none. |
| `global.container.registry` | string | `"cciserver.azurecr.io"` | The registry to pull all images from; defaults to `cciserver.azurecr.io`. |
| `global.domainName` | string | `""` | Domain name of your CircleCI install. |
| `global.imagePullSecrets[0].name` | string | `"regcred"` | |
| `global.license` | string | `""` | License for your CircleCI installation (2 options).<br>**Option 1:** Set the value `global.license` and CircleCI will create the secret automatically.<br>**Option 2:** Leave this blank and create the secret yourself. CircleCI will assume it exists.<br>The secret must be named `license` and have the key `license` (where the value equals the base64-encoded string of your license). It must be in the same namespace as your installation. |
| `global.loginPageBanner` | string | `""` | Login page banner. Accepts HTML tags. |
| `global.nodeAffinity` | object | `{}` | NodeAffinity template to apply to all CircleCI pods. |
| `global.nodeSelector` | object | `{}` | NodeSelector template to apply to all CircleCI pods. |
| `global.scheme` | string | `"https"` | Scheme for your CircleCI install. |
| `global.tolerations` | object | `{}` | Tolerations to apply to all CircleCI pods. |
| `global.tracing.collector_host` | string | `""` | |
| `global.tracing.enabled` | bool | `false` | |
| `global.tracing.sample_rate` | float | `1` | |
| `insights_service.dailyCronHour` | int | `3` | Defaults to 3 AM local server time. |
| `insights_service.hourlyCronMinute` | int | `35` | Defaults to 35 minutes past the hour. |
| `insights_service.isEnabled` | bool | `true` | Whether or not to enable the insights-service deployment. |
| `insights_service.replicas` | int | `1` | Number of replicas to deploy for the insights-service deployment. |
| `insights_service.skipPermissionsCheck` | bool | `false` | Enable to skip the permissions check on the org page and show all projects. |
| `keyset` | object | `{"encryption":"","signing":""}` | Keysets used to encrypt and sign artifacts generated by CircleCI (2 options). You need these values to configure server.<br>**Option 1:** Set the values `keyset.signing` and `keyset.encryption` here and CircleCI will create the secret automatically.<br>**Option 2:** Leave these blank and create the secret yourself. CircleCI will assume it exists.<br>The secret must be named `signing-keys` and have the keys `signing-key` and `encryption-key`. |
| `keyset.encryption` | string | `""` | Encryption key. To generate an artifact encryption key, run: `docker run circleci/server-keysets:latest generate encryption -a stdout` |
| `keyset.signing` | string | `""` | Signing key. To generate an artifact signing key, run: `docker run circleci/server-keysets:latest generate signing -a stdout` |
| `kong.acme.email` | string | `"your-email@example.com"` | |
| `kong.acme.enabled` | bool | `false` | This setting will fetch and renew Let's Encrypt certs for you. It defaults to false because it only works when there is a valid DNS entry for your domain (and the `app.` subdomain), so you will need to deploy with this turned off and set the DNS records first. You can then set this to true and run `helm upgrade` with the updated setting if you want. |
| `kong.debug_level` | string | `"notice"` | Debug level for Kong. Available levels: `debug`, `info`, `warn`, `error`, `crit`, `notice`. |
| `kong.image.repository` | string | `"kong"` | The Docker image repository for Kong. Note this repository is not managed by CircleCI. |
| `kong.image.tag` | string | `"2.8.1"` | The Kong image tag. Kong has been tested against this specific version tag; edit this value at your own risk. |
| `kong.nginx_worker_processes` | int | `10` | Determines the number of worker processes spawned by Nginx. |
| `kong.replicas` | int | `1` | |
| `kong.resources.limits.cpu` | string | `"3072m"` | CPU limit for the kong deployment. |
| `kong.resources.limits.memory` | string | `"3072Mi"` | Memory limit for the kong deployment. |
| `kong.resources.requests.cpu` | string | `"512m"` | CPU request for the kong deployment. |
| `kong.resources.requests.memory` | string | `"512Mi"` | Memory request for the kong deployment. |
| `kong.status_page` | bool | `false` | Set to true for a public health check page (kong) for load balancers to hit. |
| `legacy_notifier.replicas` | int | `1` | Number of replicas to deploy for the legacy-notifier deployment. |
| `legacy_notifier.resources.limits.cpu` | string | `"2000m"` | CPU limit for the legacy-notifier deployment. |
| `legacy_notifier.resources.limits.memory` | string | `"2Gi"` | Memory limit for the legacy-notifier deployment. |
| `machine_provisioner.agent_download_timeout_seconds` | int | `10` | Timeout when attempting to download task-agent or docker-agent (remote Docker) in machine-agent. |
| `machine_provisioner.config_path` | string | `""` | Path to config with information about images/providers/resource classes. |
| `machine_provisioner.demandFudgeFactor` | int | `2` | Multiplies the demand from distributor by an additional factor. |
| `machine_provisioner.dlcDockerDiskSizeGB` | int | `100` | Size of the Docker disk in GB. Used as the ratio to prune on. |
| `machine_provisioner.dlcMaxDiskThresholdGB` | int | `15` | DLC maximum disk threshold in GB. |
| `machine_provisioner.dlcUnusedLifespanDays` | int | `3` | How long (in days) to keep DLC images and build cache. |
| `machine_provisioner.enabled` | bool | `true` | |
| `machine_provisioner.external.replicas` | int | `1` | Number of replicas to deploy for the machine-provisioner-externalapi deployment. |
| `machine_provisioner.external.resources.limits.memory` | string | `"512Mi"` | Memory limit for the machine-provisioner-externalapi deployment. |
| `machine_provisioner.fudgeConstantTerm` | int | `0` | Added to the results of the forecast rules. |
| `machine_provisioner.fudgeScaleFactor` | float | `1.4` | Multiplies the results of the forecast rules. |
| `machine_provisioner.installID` | string | `"production"` | Unique tag machine provisioner applies to machines it manages. |
| `machine_provisioner.internal.replicas` | int | `1` | Number of replicas to deploy for the machine-provisioner-internalapi deployment. |
| `machine_provisioner.internal.resources.limits.memory` | string | `"512Mi"` | Memory limit for the machine-provisioner-internalapi deployment. |
| `machine_provisioner.leader.replicas` | int | `1` | Number of replicas to deploy for the machine-provisioner-leader deployment. |
| `machine_provisioner.leader.resources.limits.memory` | string | `"512Mi"` | Memory limit for the machine-provisioner-leader deployment. |
| `machine_provisioner.machine_agent_base_url` | string | `"https://circleci-binary-releases.s3.amazonaws.com/machine-provisioner"` | Location of the machine-provisioner agent. When air-gapped, the machine-provisioner agent must be hosted within the air gap and this value updated. |
| `machine_provisioner.machine_agent_download_timeout_seconds` | int | `10` | Timeout when attempting to download machine-agent onto a VM. |
| `machine_provisioner.plugin_repository_url` | string | `"https://circleci-binary-releases.s3.amazonaws.com"` | Location of the agent plugin binaries. When air-gapped, the plugin binaries must be hosted within the air gap and this value updated. |
| `machine_provisioner.providers` | object | `{"ec2":{"accessKey":"","assignPublicIP":false,"enabled":false,"irsaRole":"","linuxAMI":"","region":"us-west-1","secretKey":"","securityGroupId":"sg-123","subnets":["subnet-abc","subnet-def"],"tags":{"key1":"value1","key2":"value2"},"windowsAMI":""},"gcp":{"assignPublicIP":true,"enabled":false,"linuxImage":"","network":"default","network_tags":["circleci-vm"],"project_id":"my-server-project","region":"us-central1","service_account":{"project_id":"... ...","type":"service_account"},"subnetwork":"my-server-vm-subnet","windowsImage":"","workloadIdentity":"","zones":["us-central1-a","us-central1-b","us-central1-c","us-central1-f"]}}` | Provider configuration for Machine Provisioner. |
| `machine_provisioner.providers.ec2.accessKey` | string | `""` | EC2 authentication config (3 options).<br>**Option 1:** Set `accessKey` and `secretKey` here, and CircleCI will create the secret for you.<br>**Option 2:** Leave `accessKey` and `secretKey` blank, and create the secret yourself. CircleCI will assume it exists.<br>**Option 3:** Leave `accessKey` and `secretKey` blank, and set the `irsaRole` field (IAM roles for service accounts). |
| `machine_provisioner.providers.ec2.enabled` | bool | `false` | Set to enable EC2 as a virtual machine provider. |
| `machine_provisioner.providers.gcp.enabled` | bool | `false` | Set to enable GCP Compute as a VM provider. |
| `machine_provisioner.providers.gcp.service_account` | object | `{"project_id":"... ...","type":"service_account"}` | GCP Compute authentication config (3 options).<br>**Option 1:** Set `service_account` with the service account JSON (raw JSON, not a string), and CircleCI will create the secret for you.<br>**Option 2:** Leave the `service_account` field at its default, and create the secret yourself. CircleCI will assume it exists.<br>**Option 3:** Leave the `service_account` field at its default, and set the `workloadIdentity` field with a service account email to use workload identities. |
| `machine_provisioner.provisioner.replicas` | int | `1` | Number of replicas to deploy for the machine-provisioner-provisioner deployment. |
| `machine_provisioner.provisioner.resources.limits.memory` | string | `"512Mi"` | Memory limit for the machine-provisioner-provisioner deployment. |
| `mongodb.architecture` | string | `"standalone"` | |
| `mongodb.auth.database` | string | `"admin"` | |
| `mongodb.auth.existingSecret` | string | `""` | |
| `mongodb.auth.mechanism` | string | `"SCRAM-SHA-1"` | |
| `mongodb.auth.password` | string | `""` | |
| `mongodb.auth.rootPassword` | string | `""` | |
| `mongodb.auth.username` | string | `"root"` | |
| `mongodb.fullnameOverride` | string | `"mongodb"` | |
| `mongodb.hosts` | string | `"mongodb:27017"` | MongoDB host. This can be a comma-separated list of multiple hosts for sharded instances. |
| `mongodb.image.tag` | string | `"3.6.22-debian-9-r38"` | |
| `mongodb.injectBotToken.image.repository` | string | `"mongo"` | The Docker image repository for MongoDB used by the `inject-bottoken` Job. Note this repository is not managed by CircleCI. |
| `mongodb.injectBotToken.image.tag` | float | `3.6` | The `inject-bottoken` Job has been tested against this specific version tag of MongoDB; edit this value at your own risk. |
| `mongodb.internal` | bool | `true` | Set to false if you want to use an externalized MongoDB instance. |
| `mongodb.labels.app` | string | `"mongodb"` | |
| `mongodb.labels.layer` | string | `"data"` | |
| `mongodb.options` | string | `""` | |
| `mongodb.persistence.size` | string | `"8Gi"` | |
| `mongodb.podAnnotations."backup.velero.io/backup-volumes"` | string | `"datadir"` | |
| `mongodb.podLabels.app` | string | `"mongodb"` | |
| `mongodb.podLabels.layer` | string | `"data"` | |
| `mongodb.ssl` | bool | `false` | |
| `mongodb.tlsInsecure` | bool | `false` | If using an SSL connection with a custom CA or self-signed certs, set this to true. |
| `mongodb.useStatefulSet` | bool | `true` | |
| `nginx.annotations."service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled"` | string | `"true"` | |
| `nginx.annotations."service.beta.kubernetes.io/aws-load-balancer-type"` | string | `"nlb"` | Use `nlb` for Network Load Balancer and `clb` for Classic Load Balancer; see [https://aws.amazon.com/elasticloadbalancing/features/](https://aws.amazon.com/elasticloadbalancing/features/) for a feature comparison. |
| `nginx.aws_acm.enabled` | bool | `false` | ⚠️ WARNING: Enabling this will recreate the frontend's service, which will recreate the load balancer. If you are updating your deployed settings, you will need to route your frontend domain to the new load balancer. You will also need to add `service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <acm-arn>` to the `nginx.annotations` block. |
| `nginx.image.repository` | string | `"nginx"` | The Docker image repository for NGINX. Note this repository is not managed by CircleCI. |
| `nginx.image.tag` | string | `"1.21.6"` | Nginx has been tested against this specific version tag; edit this value at your own risk. |
| `nginx.loadBalancerIp` | string | `""` | Load balancer IP. To use a static IP for the provisioned load balancer with GCP, set to a reserved static IPv4 address. |
| `nginx.loadBalancerSourceRanges` | list | `[]` | List of IP CIDRs allowed to access the load balancer. |
| `nginx.private_load_balancers` | bool | `false` | |
| `nginx.replicas` | int | `1` | |
| `nginx.resources.limits.cpu` | string | `"3000m"` | CPU limit for the nginx deployment. |
| `nginx.resources.limits.memory` | string | `"3072Mi"` | Memory limit for the nginx deployment. |
| `nginx.resources.requests.cpu` | string | `"500m"` | CPU request for the nginx deployment. |
| `nginx.resources.requests.memory` | string | `"512Mi"` | Memory request for the nginx deployment. |
| `nomad.auto_scaler.aws.accessKey` | string | `""` | AWS authentication config (3 options).<br>**Option 1:** Set `accessKey` and `secretKey` here, and CircleCI will create the secret for you.<br>**Option 2:** Leave `accessKey` and `secretKey` blank, and create the secret yourself. CircleCI will assume it exists.<br>**Option 3:** Leave `accessKey` and `secretKey` blank, and set the `irsaRole` field (IAM roles for service accounts). |
| `nomad.auto_scaler.aws.autoScalingGroup` | string | `"asg-name"` | |
| `nomad.auto_scaler.aws.enabled` | bool | `false` | |
| `nomad.auto_scaler.aws.irsaRole` | string | `""` | |
| `nomad.auto_scaler.aws.region` | string | `"some-region"` | |
| `nomad.auto_scaler.aws.secretKey` | string | `""` | |
| `nomad.auto_scaler.enabled` | bool | `false` | |
| `nomad.auto_scaler.gcp.enabled` | bool | `false` | |
| `nomad.auto_scaler.gcp.mig_name` | string | `"some-managed-instance-group-name"` | |
| `nomad.auto_scaler.gcp.project_id` | string | `"some-project"` | |
| `nomad.auto_scaler.gcp.region` | string | `""` | |
| `nomad.auto_scaler.gcp.service_account` | object | `{"project_id":"... ...","type":"service_account"}` | GCP authentication config (3 options).<br>**Option 1:** Set `service_account` with the service account JSON (raw JSON, not a string), and CircleCI will create the secret for you.<br>**Option 2:** Leave the `service_account` field at its default, and create the secret yourself. CircleCI will assume it exists.<br>**Option 3:** Leave the `service_account` field at its default, and set the `workloadIdentity` field with a service account email to use workload identities. |
| `nomad.auto_scaler.gcp.workloadIdentity` | string | `""` | |
| `nomad.auto_scaler.gcp.zone` | string | `""` | |
| `nomad.auto_scaler.image.repository` | string | `"hashicorp/nomad-autoscaler"` | The Docker image repository for the Nomad Autoscaler. Note this repository is not managed by CircleCI. |
| `nomad.auto_scaler.image.tag` | string | `"0.3.7"` | Nomad Autoscaler has been tested against this specific version tag; edit this value at your own risk. |
| `nomad.auto_scaler.scaling.max` | int | `5` | |
| `nomad.auto_scaler.scaling.min` | int | `1` | |
| `nomad.auto_scaler.scaling.node_drain_deadline` | string | `"5m"` | |
| `nomad.buildAgentImage` | string | `"circleci/picard"` | By default, Docker Hub is assumed to be the image registry unless otherwise specified, e.g. `registry.example.com/organization/repository`. |
| `nomad.clients` | object | `{}` | |
| `nomad.clusterDomain` | string | `"cluster.local"` | |
| `nomad.server.gossip.encryption.enabled` | bool | `true` | |
| `nomad.server.pdb.enabled` | bool | `true` | |
| `nomad.server.pdb.minAvailable` | int | `2` | |
| `nomad.server.replicas` | int | `3` | |
| `nomad.server.rpc.mTLS` | object | `{"CACertificate":"","certificate":"","privateKey":""}` | Nomad mTLS (3 options), strongly suggested for RPC communication. Encrypts traffic and authenticates clients to ensure no unauthenticated clients can join the cluster.<br>**Option 1:** Leave the values blank and do not use mTLS (not recommended).<br>**Option 2:** Provide the `CACertificate`, `certificate`, and `privateKey` values; CircleCI will create the secret for you.<br>**Option 3:** Leave the values blank (default) and create the secret yourself. If the values are populated, CircleCI will use them.<br>The secret must be named `nomad-mtls`, be in the same namespace, and have the keys `ca.pem` (base64-encoded certificate authority), `key.pem` (base64-encoded private key) and `cert.pem` (base64-encoded certificate). |
| `nomad.server.service.unsafe_expose_api` | bool | `false` | |
| `object_storage` | object | `{"bucketName":"","expireAfter":0,"gcs":{"enabled":false,"service_account":{"project_id":"... ...","type":"service_account"},"workloadIdentity":""},"s3":{"accessKey":"","enabled":false,"endpoint":"https://s3.us-east-1.amazonaws.com","irsaRole":"","presigned":true,"region":"us-east-1","secretKey":"","storageRole":""}}` | Object storage for build artifacts, audit logs, test results and more. One of `object_storage.s3.enabled` or `object_storage.gcs.enabled` must be true for the chart to function. |
| `object_storage.expireAfter` | int | `0` | Number of days after which artifacts will expire from the UI. |
| `object_storage.gcs.service_account` | object | `{"project_id":"... ...","type":"service_account"}` | GCP Storage (GCS) authentication config (3 options).<br>**Option 1:** Set `service_account` with the service account JSON (raw JSON, not a string), and CircleCI will create the secret for you.<br>**Option 2:** Leave the `service_account` field at its default, and create the secret yourself. CircleCI will assume it exists.<br>**Option 3:** Leave the `service_account` field at its default, and set the `workloadIdentity` field with a service account email to use workload identities. |
| `object_storage.s3` | object | `{"accessKey":"","enabled":false,"endpoint":"https://s3.us-east-1.amazonaws.com","irsaRole":"","presigned":true,"region":"us-east-1","secretKey":"","storageRole":""}` | S3 configuration for object storage. Authentication methods: AWS access/secret key, and IRSA role. |
| `object_storage.s3.accessKey` | string | `""` | AWS authentication config (3 options).<br>**Option 1:** Set `accessKey` and `secretKey` here, and CircleCI will create the secret for you.<br>**Option 2:** Leave `accessKey` and `secretKey` blank, and create the secret yourself. CircleCI will assume it exists.<br>**Option 3:** Leave `accessKey` and `secretKey` blank, and set the `irsaRole` field (IAM roles for service accounts); also set `region: "your-aws-region"`. |
| `object_storage.s3.endpoint` | string | `"https://s3.us-east-1.amazonaws.com"` | API endpoint for S3. If in AWS us-west-2, for example, this would be the regional endpoint [https://s3.us-west-2.amazonaws.com](https://s3.us-west-2.amazonaws.com). If using S3-compatible storage, specify the API endpoint of your object storage server. |
| `object_storage.s3.presigned` | bool | `true` | When true, object storage is accessed with presigned URLs. When false, direct bucket access is used instead. Direct access requires `storageRole` to be non-empty. |
| `object_storage.s3.storageRole` | string | `""` | A role that can be assumed to provide direct bucket access credentials. Required if `presigned` is false. |
| `oidc_service.isEnabled` | bool | `false` | Whether or not to enable OIDC support. |
| `oidc_service.json_web_keys` | string | `""` | The JSON web key (JWK) or key set (JWKS) used for signing ID tokens. Value should be base64 encoded. |
| `oidc_service.replicas` | int | `1` | Number of replicas to deploy for the oidc-service deployment. |
| `oidc_service.resources` | object | `{"limits":{"cpu":"200m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Resource configuration for the oidc-service deployment. |
| `oidc_service.token_max_ttl` | string | `"5h"` | Maximum time-to-live for newly minted ID tokens. |
| `oidc_tasks_service.replicas` | int | `1` | Number of replicas to deploy for the oidc-tasks-service deployment. |
| `oidc_tasks_service.resources` | object | `{"limits":{"cpu":"200m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Resource configuration for the oidc-tasks-service deployment. |
| `orb_service.replicas` | int | `1` | Number of replicas to deploy for the orb-service deployment. |
| `orb_service.resources.limits.cpu` | string | `"4000m"` | CPU limit for the orb-service deployment. |
| `orb_service.resources.limits.memory` | string | `"8Gi"` | Memory limit for the orb-service deployment. |
| `output.internal.replicas` | string | `nil` | Number of replicas to deploy for the output-internal deployment. |
| `output.internal.resources.limits.memory` | string | `"1Gi"` | Memory limit for the output-internal deployment. |
| `output.public` | object | `{"replicas":1,"resources":{"limits":{"memory":"512Mi"}}}` | Number of replicas to deploy for the output-public deployment. |
| `output.public.resources.limits.memory` | string | `"512Mi"` | Memory limit for the output-public deployment. |
| `output.receiver` | object | `{"replicas":1,"resources":{"limits":{"memory":"1Gi"}}}` | Number of replicas to deploy for the output-receiver deployment. |
| `output.receiver.resources.limits.memory` | string | `"1Gi"` | Memory limit for the output-receiver deployment. |
| `permissions_service.replicas` | int | `1` | Number of replicas to deploy for the permissions-service deployment. |
| `permissions_service.resources.limits.cpu` | string | `"1000m"` | CPU limit for the permissions-service deployment. |
| `permissions_service.resources.limits.memory` | string | `"1Gi"` | Memory limit for the permissions-service deployment. |
| `policy_service.replicas` | int | `1` | Number of replicas to deploy for the policy-service deployment. |
| `policy_service.resources.limits.cpu` | string | `"200m"` | CPU limit for the policy-service deployment. |
| `policy_service.resources.limits.memory` | string | `"128Mi"` | Memory limit for the policy-service deployment. |
| `policy_service_internal.replicas` | int | `1` | Number of replicas to deploy for the policy-service-internal deployment. |
| `policy_service_internal.resources.limits.cpu` | string | `"200m"` | CPU limit for the policy-service-internal deployment. |
| `policy_service_internal.resources.limits.memory` | string | `"128Mi"` | Memory limit for the policy-service-internal deployment. |
| `postgresql.auth.existingSecret` | string | `""` | |
| `postgresql.auth.password` | | | |

string

`""`

Use only when postgresql.internal is false; this is the password of your externalized Postgres user. Ignored if `auth.existingSecret` with key `password` is provided.

postgresql.auth.postgresPassword

string

`""`

Password for the `postgres` admin user on the internal Postgres instance. Use only when postgresql.internal is true. Ignored if `auth.existingSecret` with key `postgres-password` is provided.

postgresql.auth.username

string

`""`

Use only when postgresql.internal is false; this is the username used to connect to your externalized Postgres instance.

postgresql.fullnameOverride

string

`"postgresql"`

postgresql.image.pullSecrets\[0\]

string

`"regcred"`

postgresql.image.registry

string

`"cciserver.azurecr.io"`

postgresql.image.repository

string

`"server-postgres"`

postgresql.image.tag

string

`"12.16.37-7629bfd"`

postgresql.internal

bool

`true`

postgresql.postgresqlHost

string

`"postgresql"`

postgresql.postgresqlPort

int

`5432`

postgresql.primary.extendedConfiguration

string

`"max_connections = 500\nshared_buffers = 300MB\n"`

postgresql.primary.persistence.existingClaim

string

`""`

postgresql.primary.persistence.size

string

`"8Gi"`

postgresql.primary.podAnnotations."backup.velero.io/backup-volumes"

string

`"data"`

proxy.enabled

bool

`false`

If false, all proxy settings are ignored

proxy.http

object

`{"auth":{"enabled":false,"password":null,"username":null},"host":"proxy.example.com","port":3128}`

Proxy for HTTP requests

proxy.https

object

`{"auth":{"enabled":false,"password":null,"username":null},"host":"proxy.example.com","port":3128}`

Proxy for HTTPS requests

proxy.no\_proxy

list

`[]`

List of hostnames and IP CIDR blocks exempt from proxying. Loopback and intra-service traffic is never proxied.

pusher.key

string

`"circle"`

rabbitmq.auth.erlangCookie

string

`""`

rabbitmq.auth.existingErlangSecret

string

`""`

rabbitmq.auth.existingPasswordSecret

string

`""`

rabbitmq.auth.password

string

`""`

rabbitmq.auth.username

string

`"circle"`

rabbitmq.fullnameOverride

string

`"rabbitmq"`

rabbitmq.host

string

`"rabbitmq"`

When `internal: true`, this value is `rabbitmq`; otherwise it is the host of the external RabbitMQ instance.

rabbitmq.image.tag

string

`"3.11.16-debian-11-r0"`

rabbitmq.internal

bool

`true`

Set to false to disable this chart's internal RabbitMQ instance and use an external one.

rabbitmq.management\_gui\_port

int

`15672`

When `internal: true`, this value is `15672`; otherwise it is the management port of the external RabbitMQ instance.

rabbitmq.podAnnotations."backup.velero.io/backup-volumes"

string

`"data"`

rabbitmq.podLabels.app

string

`"rabbitmq"`

rabbitmq.podLabels.layer

string

`"data"`

rabbitmq.port

int

`5672`

When `internal: true`, this value is `5672`; otherwise it is the port of the external RabbitMQ instance.

rabbitmq.replicaCount

int

`1`

rabbitmq.statefulsetLabels.app

string

`"rabbitmq"`

rabbitmq.statefulsetLabels.layer

string

`"data"`

redis.cluster.enabled

bool

`true`

redis.cluster.slaveCount

int

`1`

redis.fullnameOverride

string

`"redis"`

redis.image.tag

string

`"6.2.1-debian-10-r13"`

redis.master.extraEnvVars\[0\].name

string

`"REDIS_EXTRA_FLAGS"`

redis.master.extraEnvVars\[0\].value

string

`"--databases 30"`

redis.master.persistence.size

string

`"8Gi"`

To increase PVC size, follow this guide: [https://circleci.com/docs/server/v4.4/operator/expanding-internal-database-volumes](https://circleci.com/docs/server/v4.4/operator/expanding-internal-database-volumes)

redis.master.podAnnotations."backup.velero.io/backup-volumes"

string

`"redis-data"`

redis.podLabels.app

string

`"redis"`

redis.podLabels.layer

string

`"data"`

redis.slave.extraEnvVars\[0\].name

string

`"REDIS_EXTRA_FLAGS"`

redis.slave.extraEnvVars\[0\].value

string

`"--databases 30"`

redis.slave.persistence.size

string

`"8Gi"`

To increase PVC size, follow this guide: [https://circleci.com/docs/server/v4.4/operator/expanding-internal-database-volumes](https://circleci.com/docs/server/v4.4/operator/expanding-internal-database-volumes)

redis.slave.podAnnotations."backup.velero.io/backup-volumes"

string

`"redis-data"`

redis.statefulset.labels.app

string

`"redis"`

redis.statefulset.labels.layer

string

`"data"`

redis.usePassword

bool

`false`

runner\_admin.cleaner.replicas

int

`1`

Number of replicas to deploy for the radm-cleaner deployment.

runner\_admin.cleaner.resources.limits.cpu

string

`"1"`

CPU limit for the radm-cleaner deployment

runner\_admin.cleaner.resources.limits.memory

string

`"512M"`

Memory limit for the radm-cleaner deployment

runner\_admin.cleaner.resources.requests.cpu

string

`"1"`

CPU request for the radm-cleaner deployment

runner\_admin.cleaner.resources.requests.memory

string

`"512M"`

Memory request for the radm-cleaner deployment

runner\_admin.external.launch\_agent\_base\_url

string

`"https://circleci-binary-releases.s3.amazonaws.com/circleci-launch-agent"`

Location of the launch-agent binaries. When using an air-gapped environment, the launch-agent binaries will need to be hosted within the air gap and this value updated.

runner\_admin.external.replicas

int

`1`

Number of replicas to deploy for the radm-external deployment.

runner\_admin.external.resources.limits.cpu

string

`"1"`

CPU limit for the radm-external deployment

runner\_admin.external.resources.limits.memory

string

`"512M"`

Memory limit for the radm-external deployment

runner\_admin.external.resources.requests.cpu

string

`"1"`

CPU request for the radm-external deployment

runner\_admin.external.resources.requests.memory

string

`"512M"`

Memory request for the radm-external deployment

runner\_admin.internal.replicas

int

`1`

Number of replicas to deploy for the radm-internal deployment.

runner\_admin.internal.resources.limits.cpu

string

`"1"`

CPU limit for the radm-internal deployment

runner\_admin.internal.resources.limits.memory

string

`"512M"`

Memory limit for the radm-internal deployment

runner\_admin.internal.resources.requests.cpu

string

`"1"`

CPU request for the radm-internal deployment

runner\_admin.internal.resources.requests.memory

string

`"512M"`

Memory request for the radm-internal deployment

schedulerer.replicas

int

`1`

Number of replicas to deploy for the schedulerer deployment.

serveUnsafeArtifacts

bool

`false`

⚠️ WARNING: Changing this to true will serve HTML artifacts instead of downloading them. This can allow specially-crafted artifacts to gain control of users’ CircleCI accounts.

smtp

object

`{"host":"smtp.example.com","notificationUser":"builds@circleci.com","password":"secret-smtp-passphrase","port":25,"tls":true,"user":"notification@example.com"}`

Email notification settings

smtp.port

int

`25`

Outbound connections on port 25 are blocked on most cloud providers. Should you select this default port, be aware that your notifications may fail to send.

smtp.tls

bool

`true`

StartTLS is used to encrypt mail by default. Only disable this if you can otherwise guarantee the confidentiality of traffic.

soketi.image.repository

string

`"quay.io/soketi/soketi"`

The Soketi image repository for NGINX. Note this repository is not managed by CircleCI.

soketi.image.tag

string

`"0.19-16-distroless"`

Soketi has been tested against this specific version tag; edit this value at your own risk.

soketi.replicas

int

`1`

Number of replicas to deploy for the soketi deployment.

step.internal.replicas

int

`1`

Number of replicas to deploy for the step-internal deployment.

step.internal.resources.limits.cpu

int

`2`

CPU limit for the step-internal deployment

step.internal.resources.limits.memory

string

`"512Mi"`

Memory limit for the step-internal deployment

step.receiver.replicas

int

`1`

Number of replicas to deploy for the step-receiver deployment.

step.receiver.resources.limits.cpu

int

`2`

CPU limit for the step-receiver deployment

step.receiver.resources.limits.memory

string

`"512Mi"`

Memory limit for the step-receiver deployment

telegraf.args\[0\]

string

`"--config-directory"`

telegraf.args\[1\]

string

`"/etc/telegraf/telegraf.d"`

telegraf.args\[2\]

string

`"--watch-config"`

telegraf.args\[3\]

string

`"poll"`

telegraf.config.agent.flush\_interval

string

`"60s"`

telegraf.config.agent.interval

string

`"30s"`

telegraf.config.agent.omit\_hostname

bool

`true`

telegraf.config.custom\_config\_file

string

`""`

telegraf.config.inputs\[0\].statsd.datadog\_extensions

bool

`true`

telegraf.config.inputs\[0\].statsd.max\_ttl

string

`"12h"`

telegraf.config.inputs\[0\].statsd.metric\_separator

string

`"."`

telegraf.config.inputs\[0\].statsd.percentile\_limit

int

`1000`

telegraf.config.inputs\[0\].statsd.percentiles\[0\]

int

`50`

telegraf.config.inputs\[0\].statsd.percentiles\[1\]

int

`95`

telegraf.config.inputs\[0\].statsd.percentiles\[2\]

int

`99`

telegraf.config.inputs\[0\].statsd.service\_address

string

`":8125"`

telegraf.fullnameOverride

string

`"telegraf"`

telegraf.mountPoints\[0\].mountPath

string

`"/etc/telegraf/telegraf.d"`

telegraf.mountPoints\[0\].name

string

`"telegraf-config"`

telegraf.resources.limits.memory

string

`"512Mi"`

Memory limit for the telegraf deployment.

telegraf.resources.requests.cpu

string

`"200m"`

CPU request for the telegraf deployment.

telegraf.resources.requests.memory

string

`"256Mi"`

Memory request for the telegraf deployment.

telegraf.volumes\[0\].configMap.name

string

`"telegraf-config"`

telegraf.volumes\[0\].name

string

`"telegraf-config"`

tink

object

`{"enabled":false,"keyset":""}`

Tink configuration. Tink is given precedence over Vault: if tink.enabled is true, Vault will not be deployed. Tink keys can be rotated (see [Rotating Tink keys in CircleCI Server](https://support.circleci.com/hc/en-us/articles/39931197265691-Rotating-Tink-keys-in-CircleCI-Server)). To migrate from Vault to Tink, see [server-scripts vault-to-tink](https://github.com/CircleCI-Public/server-scripts/tree/main/vault-to-tink).  
**Option 1:** Leave this blank and create the secret yourself. CircleCI will assume it exists. The secret must be named `tink` and have the key `keyset`.  
**Option 2:** Set the value tink.keyset here and CircleCI will create the secret automatically.  
Generate a keyset via: `tinkey create-keyset --key-template XCHACHA20_POLY1305`

tink.enabled

bool

`false`

When enabled, Tink will be used instead of Vault for contexts encryption.

tink.keyset

string

`""`

The keyset generated by the Tink CLI, used for contexts encryption.

tls.certificate

string

`""`

Base64-encoded certificate. Must be provided if kong.acme.enabled is false.

tls.certificates

list

`[]`

List of base64-encoded certificates that will be imported into the system.

tls.import

list

`[]`

List of host:port pairs from which to import certificates.

tls.privateKey

string

`""`

Base64-encoded private key. Must be provided if kong.acme.enabled is false.

vault

object

`{"internal":true,"podAnnotations":{"backup.velero.io/backup-volumes":"data"},"token":"","transitPath":"transit","url":"http://vault:8200"}`

External Services configuration

vault.internal

bool

`true`

Set to false to disable this chart's internal Vault instance and use an external one.

vault.token

string

`""`

This token is required when `internal: false`.  
**Option 1:** Leave this blank and create the secret yourself. CircleCI will assume it exists. The secret must be named `vault` and have the key `token`.  
**Option 2:** Set the value vault.token here and CircleCI will create the secret automatically.
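The manifests below are an added illustration of "Option 1" for both the tink and vault settings described above (pre-creating the Secrets so that no key material sits in the values file); they are not part of the CircleCI chart. The namespace, the Vault URL and the secret values are placeholders, and the two scenarios are mutually exclusive because Tink takes precedence over Vault.

```yaml
# Scenario A: contexts encryption with Tink. The chart looks for a Secret named
# "tink" with the key "keyset"; create it out of band from your secrets pipeline.
apiVersion: v1
kind: Secret
metadata:
  name: tink
  namespace: <circleci-server-namespace>   # placeholder
type: Opaque
stringData:
  # Paste the keyset produced by:
  #   tinkey create-keyset --key-template XCHACHA20_POLY1305
  keyset: "<tink-keyset>"   # placeholder
---
# Matching values fragment: enabled, with keyset left blank so the chart uses
# the pre-created Secret instead of creating one from the values file.
# tink:
#   enabled: true
#   keyset: ""
---
# Scenario B: Tink disabled, external Vault. The chart looks for a Secret named
# "vault" with the key "token".
apiVersion: v1
kind: Secret
metadata:
  name: vault
  namespace: <circleci-server-namespace>   # placeholder
type: Opaque
stringData:
  token: "<token-for-external-vault>"   # placeholder; scope it to the transit path only
---
# Matching values fragment: internal Vault off, token blank, transit path as on the page.
# tink:
#   enabled: false
# vault:
#   internal: false
#   token: ""
#   url: "https://vault.example.internal:8200"   # assumed external address
#   transitPath: "transit"
```

With either scenario, rotating the key material means updating the Secret rather than re-running Helm with the secret value in a values file.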

vault.transitPath

string

`"transit"`

When `internal: true`, this value is used for the vault transit path.

web\_ui.replicas

int

`1`

Number of replicas to deploy for the web-ui deployment.

web\_ui.resources.limits.memory

string

`"256Mi"`

Memory limit configuration for the web-ui deployment

web\_ui\_404.replicas

int

`1`

Number of replicas to deploy for the web-ui-404 deployment.

web\_ui\_404.resources.limits.memory

string

`"256Mi"`

Memory limit configuration for the web-ui-404 deployment

web\_ui\_insights.replicas

int

`1`

Number of replicas to deploy for the web-ui-insights deployment.

web\_ui\_insights.resources.limits.memory

string

`"256Mi"`

Memory limit configuration for the web-ui-insights deployment

web\_ui\_onboarding.replicas

int

`1`

Number of replicas to deploy for the web-ui-onboarding deployment.

web\_ui\_onboarding.resources.limits.memory

string

`"512Mi"`

Memory limit configuration for the web-ui-onboarding deployment

web\_ui\_org\_settings.replicas

int

`1`

Number of replicas to deploy for the web-ui-org-settings deployment.

web\_ui\_org\_settings.resources.limits.memory

string

`"256Mi"`

Memory limit configuration for the web-ui-org-settings deployment.

web\_ui\_project\_settings.replicas

int

`1`

Number of replicas to deploy for the web-ui-project-settings deployment.

web\_ui\_project\_settings.resources.limits.memory

string

`"256Mi"`

Memory limit configuration for the web-ui-project-settings deployment.

web\_ui\_runners.replicas

int

`1`

Number of replicas to deploy for the web-ui-runners deployment.

web\_ui\_runners.resources.limits.memory

string

`"512Mi"`

Memory limit configuration for the web-ui-runners deployment.

web\_ui\_server\_admin.replicas

int

`1`

Number of replicas to deploy for the web-ui-server-admin deployment.

web\_ui\_server\_admin.resources.limits.memory

string

`"256Mi"`

Memory limit configuration for the web-ui-server-admin deployment.

web\_ui\_user\_settings.replicas

int

`1`

Number of replicas to deploy for the web-ui-user-settings deployment.

web\_ui\_user\_settings.resources.limits.memory

string

`"256Mi"`

Memory limit configuration for the web-ui-user-settings deployment.

webhook\_service.isEnabled

bool

`true`

webhook\_service.replicas

int

`1`

Number of replicas to deploy for the webhook-service deployment.

webhook\_service.resources.limits.cpu

int

`2`

CPU limit configuration for the webhook-service deployment.

webhook\_service.resources.limits.memory

string

`"3G"`

Memory limit configuration for the webhook-service deployment.

workflows\_conductor\_event\_consumer.replicas

int

`1`

Number of replicas to deploy for the workflows-conductor-event-consumer deployment.

workflows\_conductor\_event\_consumer.resources.limits.cpu

string

`"6000m"`

CPU limit configuration for the workflows-conductor-event-consumer deployment.

workflows\_conductor\_event\_consumer.resources.limits.memory

string

`"8Gi"`

Memory limit configuration for the workflows-conductor-event-consumer deployment.

workflows\_conductor\_grpc.replicas

int

`1`

Number of replicas to deploy for the workflows-conductor-grpc deployment.

workflows\_conductor\_grpc.resources.limits.cpu

string

`"4000m"`

CPU limit configuration for the workflows-conductor-grpc deployment.

workflows\_conductor\_grpc.resources.limits.memory

string

`"8Gi"`

Memory limit configuration for the workflows-conductor-grpc deployment.