Overview
AosCloud's Kubernetes deployment is configured through Helm chart values files. The main AOS application chart uses a values-aws.yaml file with environment-specific values (database endpoints, Redis addresses, S3 bucket names, IAM role ARNs). Supporting infrastructure charts (autoscaler, Istio, cert-manager, etc.) each have their own aws-values.yaml file with environment-specific configuration.
This page documents the key Helm values for the AOS chart grouped by functional area, and lists the configuration variables used by each infrastructure chart.
Prerequisites
How Values Override Works
The AOS chart has two values layers:
| File | Purpose |
|---|---|
| values.yaml | Default chart values with Helm template references (e.g., {{ .Values.global.aos.vaultAddrAppCfg }}) |
| values-aws.yaml | AWS-specific overrides with environment values (endpoints, ARNs, bucket names) populated at deploy time |
The values-aws.yaml file contains placeholder variables (e.g., ${DNS_HOST}, ${ENVIRONMENT}) that must be substituted with actual infrastructure values before installation.
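As an added illustration (not code from the AOS charts or the deployment tooling), the following Python renders a values-aws.yaml excerpt from the environment and refuses to continue if any placeholder is unset, so a half-substituted file never reaches helm install. The excerpt and the variable values are constructed; AWS_BASE_NAME is derived from project and environment as described below.

```python
import re
from typing import Mapping

# Matches ${VAR} placeholders as used in values-aws.yaml (e.g. ${DNS_HOST}).
# Helm template references such as {{ .Values.x }} in values.yaml are left alone.
PLACEHOLDER = re.compile(r"\$\{([A-Z][A-Z0-9_]*)\}")


def find_placeholders(text: str) -> list[str]:
    """Return the distinct placeholder names still present in text, in order."""
    seen: list[str] = []
    for name in PLACEHOLDER.findall(text):
        if name not in seen:
            seen.append(name)
    return seen


def render_values(template: str, env: Mapping[str, str]) -> str:
    """Substitute every ${VAR} from env; refuse to render if any VAR is unset.

    Unlike plain envsubst, an unset variable is an error rather than an empty
    string, so an unresolved endpoint or path can never be deployed silently.
    """
    missing = [n for n in find_placeholders(template) if n not in env]
    if missing:
        raise KeyError(f"unset template variables: {', '.join(missing)}")
    return PLACEHOLDER.sub(lambda m: env[m.group(1)], template)


def base_name(project: str, environment: str) -> str:
    """AWS_BASE_NAME as the page describes it: <project_name>-<environment>."""
    return f"{project}-{environment}"


# Constructed excerpt in the shape of values-aws.yaml; the real file has many more keys.
SAMPLE_TEMPLATE = """\
global:
  domainName: ${DNS_HOST}
  aws:
    region: ${AWS_DEFAULT_REGION}
    environment: ${ENVIRONMENT}
  aos:
    vaultAddrAppCfg: ${AWS_BASE_NAME}-appcfg
    vaultAddrIngress: ${AWS_BASE_NAME}-ingress
"""

# Constructed environment; AWS_BASE_NAME is derived rather than typed by hand.
SAMPLE_ENV = {
    "DNS_HOST": "aos.example.com",
    "AWS_DEFAULT_REGION": "eu-central-1",
    "ENVIRONMENT": "prod",
    "AWS_BASE_NAME": base_name("aos", "prod"),
}

if __name__ == "__main__":
    print(render_values(SAMPLE_TEMPLATE, SAMPLE_ENV))
```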
AOS Chart — Global Values
Domain and Identity
| Key Path | Type | Description | Template Variable | Required |
|---|---|---|---|---|
| global.domainName | string | Public domain name for the deployment | ${DNS_HOST} | Yes |
| global.aws.region | string | AWS region for the deployment | ${AWS_DEFAULT_REGION} | Yes |
| global.aws.environment | string | Environment/namespace name | ${ENVIRONMENT} | Yes |
| global.aos.projectVersion | string | AOS Cloud application version | ${AOS_CLOUD_VERSION} | Yes |
Secrets Manager Configuration
All microservices use AWS Secrets Manager for configuration and credentials. The vaultAddr* values define Secrets Manager path prefixes (named "vault" for historical reasons).
| Key Path | Type | Description | Template Variable | Required |
|---|---|---|---|---|
| global.aos.secretManagerType | string | Secret backend type | "AWSSecretManager" (hardcoded) | Yes |
| global.aos.vaultAddrAppCfg | string | App config secrets path | ${AWS_BASE_NAME}-appcfg | Yes |
| global.aos.vaultAddrAppSec | string | App secrets path | ${AWS_BASE_NAME}-appsec | Yes |
| global.aos.vaultAddrDbCfg | string | Database config path | ${AWS_BASE_NAME}-dbcfg | Yes |
| global.aos.vaultAddrDbSec | string | Database secrets path | ${AWS_BASE_NAME}-dbsec | Yes |
| global.aos.vaultAddrDataServices | string | Data services secrets path | ${AWS_BASE_NAME}-data-services | Yes |
| global.aos.vaultAddrIngress | string | Ingress certificates path | ${AWS_BASE_NAME}-ingress | Yes |
| global.aos.vaultAddrMHCfg | string | Message handler config path | ${AWS_BASE_NAME}-mhcfg | Yes |
| global.aos.vaultAddrMHSec | string | Message handler secrets path | ${AWS_BASE_NAME}-mhsec | Yes |
| global.aos.vaultAddrSdCfg | string | Service discovery config path | ${AWS_BASE_NAME}-sdcfg | Yes |
| global.aos.vaultAddrSdSec | string | Service discovery secrets path | ${AWS_BASE_NAME}-sdsec | Yes |
| global.aos.vaultAddrTaskCfg | string | Task/scheduler config path | ${AWS_BASE_NAME}-taskcfg | Yes |
| global.aos.vaultAddrTaskSec | string | Task/scheduler secrets path | ${AWS_BASE_NAME}-tasksec | Yes |
| global.aos.vaultAddrLanding | string | Landing page secrets path | ${AWS_BASE_NAME}-landing | Yes |
| global.aos.vaultAddrBase | string | Base infrastructure secrets path | ${AWS_BASE_NAME}-base | Yes |
${AWS_BASE_NAME} is constructed from the project name and environment (e.g., aos-prod). Each path corresponds to a secret in AWS Secrets Manager containing key-value pairs for the respective service.
Do not include actual secret values in Helm values files. The values above are path references — the application reads the actual secrets at runtime from AWS Secrets Manager using the CSI Secrets Store driver.
Storage
| Key Path | Type | Description | Template Variable | Required |
|---|---|---|---|---|
| global.aos.awsStorageBucket | string | S3 bucket for backend storage (deployable items, artifacts) | ${S3_BACKEND_BUCKET} | Yes |
AOS Chart — Database Connections
Aurora PostgreSQL
PostgreSQL credentials are sourced from Secrets Manager, not passed directly as Helm values. The Istio ServiceEntry allows pods to reach the database endpoint.
| Key Path | Type | Description | Template Variable | Required |
|---|---|---|---|---|
| aws.istio.externalHosts.postgresHostname | string | Aurora PostgreSQL cluster endpoint | ${PG_DB_HOST} | Yes |
| aws.aos.secrets.postgres.POSTGRES_ADMIN_USER | string | Secrets Manager path for DB username | ${AWS_BASE_NAME}-base/PostgresAdminLogin | Yes |
| aws.aos.secrets.postgres.POSTGRES_ADMIN_PASSWORD | string | Secrets Manager path for DB password | ${AWS_BASE_NAME}-base/PostgresAdminPassword | Yes |
DocumentDB (MongoDB-Compatible)
| Key Path | Type | Description | Template Variable | Required |
|---|---|---|---|---|
| aws.docdb.endpoints[0] | string | DocumentDB primary endpoint | ${AWS_DOCDB_PRIMARY} | Yes |
| aws.docdb.endpoints[1] | string | DocumentDB replica endpoint | ${AWS_DOCDB_REPLICA} | Yes |
| aws.docdb.cidr | string | DocumentDB subnet CIDR (for Istio ServiceEntry) | ${AWS_DOCDB_CIDR} | Yes |
| aws.docdb.port | number | DocumentDB connection port | 27017 (hardcoded) | Yes |
ElastiCache Redis
| Key Path | Type | Description | Template Variable | Required |
|---|---|---|---|---|
| aws.redis.primaryEndpoint | string | Redis primary endpoint address | ${AWS_REDIS_ENDPOINT} | Yes |
| aws.redis.cidr | string | Redis subnet CIDR (for Istio ServiceEntry) | ${AWS_REDIS_CIDR} | Yes |
| aws.redis.port | number | Redis connection port | 6379 (hardcoded) | Yes |
| aws.stunnelRedis.enabled | boolean | Whether to use stunnel for Redis TLS | false (default) | No |
InfluxDB (Time-Series)
| Key Path | Type | Description | Template Variable | Required |
|---|---|---|---|---|
| influxdb2.persistence.enabled | boolean | Enable persistent storage | true (hardcoded) | Yes |
| influxdb2.efs.volumeHandle | string | EFS volume handle for InfluxDB data | ${INFLUXDB_EFS_VOLUMEHANDLE} | Yes |
| influxdb2.adminUser.existingSecret | string | K8s secret name for InfluxDB admin creds | ${AWS_BASE_NAME}-influxdb | Yes |
| influxdb2.backup.s3.destination | string | S3 path for InfluxDB backups | s3://${S3_INFRA_BUCKET}/influxdb2/backup | Yes |
AOS Chart — Messaging
RabbitMQ
RabbitMQ is deployed via the rabbitmq-cluster-operator. Connection credentials are injected from a Kubernetes secret.
| Key Path | Type | Description | Template Variable | Required |
|---|---|---|---|---|
| global.aos.rabbitmqSecretName | string | K8s secret name with RabbitMQ credentials (host, port, username, password). If empty, a RabbitmqCluster CR is deployed. | ${RABBITMQ_SECRET_NAME} | Yes |
Services that consume RabbitMQ (WebSocket API, Unit Message Handler, Queue Management) receive connection parameters via envFromSecret referencing this secret:
```yaml
envFromSecret:
  secretName: '<rabbitmq-secret>'
  mappings:
    RMQ_HOSTNAME: host
    RMQ_PORT: port
    RMQ_USERNAME: username
    RMQ_PASSWORD: password
```
Background Task Queue (Redis-Based)
| Key Path | Type | Description | Template Variable | Required |
|---|---|---|---|---|
| global.aos.beat.redisPassword | string | Secrets Manager path for Redis password (task queue) | ${AWS_BASE_NAME}-tasksec/AppCacheRedisPassword | Yes |
| global.aos.beat.redisHostname | string | Secrets Manager path for Redis hostname (task queue) | ${AWS_BASE_NAME}-taskcfg/RedisHostname | Yes |
AOS Chart — Monitoring and Observability
Prometheus Metrics
| Key Path | Type | Description | Template Variable | Required |
|---|---|---|---|---|
| global.metricsServerAddress | string | Prometheus server address for autoscaling queries | http://${AWS_BASE_NAME}-prometheus-server.monitoring.svc.cluster.local:80 | Yes |
OpenTelemetry Tracing
| Key Path | Type | Description | Default | Required |
|---|---|---|---|---|
| global.otel.enabled | boolean | Enable distributed tracing | true | No |
| global.otel.exporterEndpoint | string | OTLP exporter gRPC endpoint | http://alloy.grafana.svc.cluster.local:4317 | No |
| global.otel.exporterProtocol | string | Export protocol | grpc | No |
| global.otel.serviceNamespace | string | Trace service namespace | aos | No |
AOS Chart — Security and Certificates
TLS/mTLS Ingress Certificates
Certificates for Istio gateways are sourced from Secrets Manager. The cert-fetch job reads these paths and creates Kubernetes TLS secrets.
| Key Path | Type | Description | Required |
|---|---|---|---|
| aws.istio.secrets.job.secretPath | string | Secrets Manager base path for ingress certs | Yes |
| aws.istio.secrets.job.tlscrt | string | Key name for main TLS certificate | Yes |
| aws.istio.secrets.job.tlskey | string | Key name for main TLS private key | Yes |
| aws.istio.secrets.job.tlssdcrt | string | Key name for Service Discovery mTLS cert | Yes |
| aws.istio.secrets.job.tlssdkey | string | Key name for Service Discovery mTLS key | Yes |
| aws.istio.secrets.job.tlswscrt | string | Key name for WebSocket mTLS cert | Yes |
| aws.istio.secrets.job.tlswskey | string | Key name for WebSocket mTLS key | Yes |
| aws.istio.secrets.job.cacrt | string | Key name for CA certificate | Yes |
All certificate values reference Secrets Manager key names under the path ${AWS_BASE_NAME}-ingress. The actual certificate content must be stored in Secrets Manager before deployment.
Let's Encrypt (Optional)
| Key Path | Type | Description | Template Variable | Required |
|---|---|---|---|---|
| letsencrypt.enable | boolean | Enable automatic cert provisioning via Let's Encrypt | ${LETSENCRYPT_ENABLE} | No |
| letsencrypt.email | string | Contact email for Let's Encrypt | ${LETSENCRYPT_EMAIL} | Conditional |
| letsencrypt.cloudflareApiKey | string | Cloudflare API key for DNS-01 challenge | ${LETSENCRYPT_CF_KEY} | Conditional |
CSI Secrets Store
| Key Path | Type | Description | Required |
|---|---|---|---|
| aws.aos.extraSecretMounts[0].csi.driver | string | CSI driver name | Yes |
| aws.aos.extraSecretMounts[0].csi.volumeAttributes.secretProviderClass | string | SecretProviderClass name (aos-secret-csi) | Yes |
AOS Chart — IRSA Service Accounts
Each microservice is assigned a Kubernetes ServiceAccount mapped to an IAM role via IRSA annotations.
| Key Path | IAM Role | Used By |
|---|---|---|
| global.serviceAccounts.base | ${AWS_BASE_NAME}-base | InfluxDB, CMS, Landing, RMQ Metrics |
| global.serviceAccounts.dataServices | ${AWS_BASE_NAME}-data-services | Alert Handler, Unit Monitoring |
| global.serviceAccounts.task | ${AWS_BASE_NAME}-task | Message Handler, Unit Message Handler |
| global.serviceAccounts.sd | ${AWS_BASE_NAME}-sd | Service Discovery |
| global.serviceAccounts.secretsUpdater | ${AWS_BASE_NAME}-secrets-manager | Secrets Updater Job |
| global.serviceAccounts.app | ${AWS_BASE_NAME}-app | API, Auth, WebSocket API, Background Tasks |
Each service account carries the annotation eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT>:role/<ROLE_NAME>, which lets pods running under that service account assume the corresponding IAM role.
AOS Chart — Feature Flags and Service Toggles
| Key Path | Type | Description | Default | Required |
|---|---|---|---|---|
| services.<name>.enabled | boolean | Enable/disable individual microservice | true | No |
| services.<name>.autoscaling.enabled | boolean | Enable HPA-based autoscaling | varies | No |
| services.<name>.autoscaling.minReplicas | number | Minimum pod count | varies | No |
| services.<name>.autoscaling.maxReplicas | number | Maximum pod count | varies | No |
| istio | boolean | Enable Istio integration | true | No |
| influxdb2.backup.enabled | boolean | Enable InfluxDB backup CronJob | true | No |
AOS Chart — Istio Network Policy
The chart configures Istio's outbound traffic policy as REGISTRY_ONLY, requiring explicit ServiceEntry definitions for all external endpoints.
| Key Path | Type | Description | Required |
|---|---|---|---|
| aws.istio.externalHosts.httpsHosts | list(string) | Allowed external HTTPS destinations | Yes |
| aws.istio.mqVpcCidr | string | CIDR for RabbitMQ traffic (legacy, kept for compatibility) | Yes |
| aws.istio.cors.enabled | boolean | Enable CORS policy on virtual services | No |
The httpsHosts list includes AWS service endpoints (Secrets Manager, EC2, CloudWatch Logs, S3, STS) and the deployment's own domain.
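Added example, not the chart's own templates: it derives the ServiceEntry objects that REGISTRY_ONLY requires from the aws.istio.externalHosts values and rejects wildcard hosts, which would silently widen the egress allow-list. The hostnames are constructed, and the PostgreSQL port 5432 is an assumption that the page does not state.

```python
import json

# Constructed values as they would look after template substitution; the
# hostnames are placeholders, not real endpoints.
SAMPLE_VALUES = {
    "aws": {"istio": {"externalHosts": {
        "postgresHostname": "aos-prod.cluster-xxxx.eu-central-1.rds.amazonaws.com",
        "httpsHosts": [
            "secretsmanager.eu-central-1.amazonaws.com",
            "sts.eu-central-1.amazonaws.com",
            "aos.example.com",
        ],
    }}}
}

POSTGRES_PORT = 5432  # assumption: the standard PostgreSQL port; not stated on the page


def service_entry(name: str, hosts: list[str], port: int, proto: str) -> dict:
    """One MESH_EXTERNAL, DNS-resolved ServiceEntry covering the given hosts."""
    for h in hosts:
        if "*" in h:  # a wildcard host would turn the explicit allow-list into a broad one
            raise ValueError(f"wildcard host not allowed under REGISTRY_ONLY: {h}")
    return {
        "apiVersion": "networking.istio.io/v1beta1",
        "kind": "ServiceEntry",
        "metadata": {"name": name},
        "spec": {
            "hosts": list(dict.fromkeys(hosts)),  # keep order, drop duplicates
            "location": "MESH_EXTERNAL",
            "resolution": "DNS",
            "ports": [{"number": port, "name": f"{proto.lower()}-{port}", "protocol": proto}],
        },
    }


def registry_only_entries(values: dict) -> list[dict]:
    """Derive the ServiceEntries REGISTRY_ONLY needs from aws.istio.externalHosts."""
    ext = values["aws"]["istio"]["externalHosts"]
    entries = [service_entry("aurora-postgres", [ext["postgresHostname"]], POSTGRES_PORT, "TCP")]
    if ext.get("httpsHosts"):
        entries.append(service_entry("external-https", ext["httpsHosts"], 443, "HTTPS"))
    return entries


def allowed_destinations(entries: list[dict]) -> set[tuple[str, int]]:
    """Flatten entries to (host, port) pairs: the effective egress allow-list to review."""
    return {(h, p["number"]) for e in entries
            for h in e["spec"]["hosts"] for p in e["spec"]["ports"]}


if __name__ == "__main__":
    print(json.dumps(registry_only_entries(SAMPLE_VALUES), indent=2))
```

The DocumentDB and Redis CIDR entries from the tables above are a separate, address-based ServiceEntry pattern and are not covered here.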
AOS Chart — SMTP Configuration
| Key Path | Type | Description | Template Variable | Required |
|---|---|---|---|---|
| aws.istio.mail.alertMailServer | string | SMTP server hostname | ${SMTP_SERVER} | Yes |
| aws.istio.mail.port | string | SMTP port | "2587" (hardcoded) | Yes |
AOS Chart — SaaS Marketplace Integration (Optional)
| Key Path | Type | Description | Template Variable | Required |
|---|---|---|---|---|
| global.aos.awsSaasRegion | string | AWS SaaS region | ${AWS_SAAS_REGION} | Optional |
| global.aos.awsSaasRoleArn | string | SaaS integration IAM role ARN | ${AWS_SAAS_ARN} | Optional |
| global.aos.awsSaasSqsMetering | string | SQS ARN for metering events | ${AWS_SAAS_METERING_ARN} | Optional |
| global.aos.awsSaasSqsEntilement | string | SQS ARN for entitlement events | ${AWS_SAAS_ENTITLEMENT_ARN} | Optional |
Infrastructure Charts — Configuration Variables
Each infrastructure Helm chart has its own aws-values.yaml override file. The following variables must be substituted with environment-specific values before installation.
Cluster Autoscaler (aws-autoscaler)
| Template Variable | Description |
|---|---|
| AUTO_SCALE_ROLE_ARN | IAM role ARN for autoscaling |
| AWS_REGION | AWS region |
| CLUSTER_NAME | EKS cluster name |
| IMAGE | Container image URI (ECR) |
| IMAGE_TAG | Container image tag |
CSI Secrets Store Driver (secrets-store-csi-driver-provider-aws)
| Template Variable | Description |
|---|---|
| CSI_DRIVER_IMAGE | CSI driver image |
| CSI_DRIVER_TAG | CSI driver version |
| CSI_REGISTRAR_IMAGE | Node registrar image |
| CSI_REGISTRAR_TAG | Node registrar version |
| CSI_LIVENESS_IMAGE | Liveness probe image |
| CSI_LIVENESS_TAG | Liveness probe version |
| AWS_CSI_DRIVER_IMAGE | AWS provider image |
| AWS_CSI_DRIVER_TAG | AWS provider version |
Fluent Bit (aws-for-fluent-bit)
| Template Variable | Description |
|---|---|
| IMAGE | Fluent Bit image URI |
| IMAGE_TAG | Fluent Bit version |
| LOG_GROUP_NAME | CloudWatch log group name |
| APP_NAMESPACE | Namespace to filter logs for |
cert-manager
| Template Variable | Description |
|---|---|
| IMAGE_CERT_MANAGER | cert-manager controller image |
| IMAGE_CERT_MANAGER_TAG | cert-manager version |
| IMAGE_CERT_MANAGER_WH | Webhook image |
| IMAGE_CERT_MANAGER_CAI | CA injector image |
| IMAGE_CERT_MANAGER_CTL | startupapicheck image |
Istio Discovery (istiod)
| Template Variable | Description |
|---|---|
| ISTIO_HUB | Istio container registry prefix (ECR path) |
| ISTIO_IMAGES_TAG | Istio version tag |
Key Istio configuration in the override:
- Profile: ambient (ambient mesh mode — no sidecar injection, uses ztunnel)
- Outbound traffic policy: REGISTRY_ONLY (explicit allow-list)
- Tracing: OpenTelemetry export to Grafana Alloy at port 4317, 10% sampling rate
Istio CNI
Deployed with profile: ambient and image references pointing to the private ECR mirror.
Istio ztunnel
Deployed with hub and tag pointing to the private ECR mirror of the Istio ztunnel image.
Prometheus
| Template Variable | Description |
|---|---|
| AWS_ECR | ECR registry base |
| IMAGE_KSM_REPO | kube-state-metrics repo path |
| IMAGE_KSM_TAG | kube-state-metrics version |
| IMAGE_NODE_EXPORTER | Node exporter image |
| IMAGE_NODE_EXPORTER_TAG | Node exporter version |
| IMAGE_PROMETHEUS | Prometheus server image |
| IMAGE_PROMETHEUS_TAG | Prometheus server version |
Key Prometheus configuration:
- Alertmanager: disabled (uses managed alerting)
- Persistent volume: disabled (stateful set with emptyDir)
- Scrape interval: 30s
- Exemplar storage: enabled for metrics-to-traces correlation
Infrastructure-to-Helm Variable Mapping Summary
The following table shows how key infrastructure outputs flow into Helm values for the AOS chart:
| Infrastructure Value | Template Variable | Values Key Path |
|---|---|---|
| Aurora PostgreSQL endpoint | PG_DB_HOST | aws.istio.externalHosts.postgresHostname |
| Redis primary endpoint | AWS_REDIS_ENDPOINT | aws.redis.primaryEndpoint |
| DocumentDB primary endpoint | AWS_DOCDB_PRIMARY | aws.docdb.endpoints[0] |
| DocumentDB replica endpoint | AWS_DOCDB_REPLICA | aws.docdb.endpoints[1] |
| S3 backend bucket name | S3_BACKEND_BUCKET | global.aos.awsStorageBucket |
| S3 infra bucket name | S3_INFRA_BUCKET | influxdb2.backup.s3.destination |
| EFS volume handle | INFLUXDB_EFS_VOLUMEHANDLE | influxdb2.efs.volumeHandle |
| AWS account ID | AWS_ACCOUNT | Service account role ARN annotations |
| Domain name | DNS_HOST | global.domainName |
| AWS region | AWS_DEFAULT_REGION | global.aws.region |
| Environment name | ENVIRONMENT | global.aws.environment |
| RabbitMQ secret name | RABBITMQ_SECRET_NAME | global.aos.rabbitmqSecretName |
| SMTP server hostname | SMTP_SERVER | aws.istio.mail.alertMailServer |
Secrets Required Before Deployment
The following AWS Secrets Manager paths must be populated before the AOS Helm chart is installed. The infrastructure provisioning creates the secret paths but does not populate values — these must be set manually or via a separate automation step.
| Secrets Manager Path | Keys | Purpose |
|---|---|---|
| <base-name>-base | PostgresAdminLogin, PostgresAdminPassword, InfluxdbAdminPassword, InfluxdbAdminToken, RmqMetricsRedisConnString | Core infrastructure credentials |
| <base-name>-appcfg | Application config (SMTP host, ports, feature flags) | App-level configuration |
| <base-name>-appsec | SMTPMailServerLogin, SMTPMailServerPassword | App-level secrets |
| <base-name>-dbcfg | Database connection config (hostnames, ports) | DB config for API/Auth services |
| <base-name>-dbsec | Database credentials | DB secrets for API/Auth services |
| <base-name>-data-services | Config for Alert Handler, Unit Monitoring | Data services config |
| <base-name>-mhcfg / <base-name>-mhsec | Message handler and DocumentDB config/secrets | Message handler credentials |
| <base-name>-sdcfg / <base-name>-sdsec | Service discovery config/secrets | Service discovery credentials |
| <base-name>-taskcfg | RedisHostname | Task queue config |
| <base-name>-tasksec | AppCacheRedisPassword | Task queue credentials |
| <base-name>-ingress | IngressCertificate, IngressKey, IngressSDCertificate, IngressSDKey, IngressWSCertificate, IngressWSKey, IngressCACertificate | TLS/mTLS certificates |
| <base-name>-landing | Landing page / SaaS integration config | Landing service credentials |
Where <base-name> follows the pattern <project_name>-<environment> (e.g., aos-prod).
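Added preflight check, not part of the AOS tooling: it verifies that every Secrets Manager path in the table exists and that the keys the table names are set, inspecting key names only and never printing secret values. The in-memory store is constructed to stand in for Secrets Manager; a real fetcher would wrap boto3's secretsmanager get_secret_value and JSON-decode SecretString.

```python
from typing import Callable, Optional

# Required keys per path, taken from the table above. Paths whose contents the
# page only describes loosely (appcfg, dbcfg, ...) must exist but have no fixed
# key list here.
REQUIRED_KEYS: dict[str, list[str]] = {
    "base": ["PostgresAdminLogin", "PostgresAdminPassword", "InfluxdbAdminPassword",
             "InfluxdbAdminToken", "RmqMetricsRedisConnString"],
    "appcfg": [],
    "appsec": ["SMTPMailServerLogin", "SMTPMailServerPassword"],
    "dbcfg": [], "dbsec": [], "data-services": [],
    "mhcfg": [], "mhsec": [], "sdcfg": [], "sdsec": [],
    "taskcfg": ["RedisHostname"],
    "tasksec": ["AppCacheRedisPassword"],
    "ingress": ["IngressCertificate", "IngressKey", "IngressSDCertificate", "IngressSDKey",
                "IngressWSCertificate", "IngressWSKey", "IngressCACertificate"],
    "landing": [],
}

# A fetcher returns the secret's key/value map, or None if the path does not exist.
# Only key names are examined below; values are never logged.
Fetcher = Callable[[str], Optional[dict[str, str]]]


def preflight(base_name: str, fetch: Fetcher) -> dict[str, list[str]]:
    """Return {path: problems}; an empty dict means every path and key is in place."""
    problems: dict[str, list[str]] = {}
    for suffix, keys in REQUIRED_KEYS.items():
        path = f"{base_name}-{suffix}"
        data = fetch(path)
        if data is None:
            problems[path] = ["secret path missing"]
            continue
        missing = [k for k in keys if not data.get(k)]  # unset or empty string
        if missing:
            problems[path] = [f"missing or empty key: {k}" for k in missing]
    return problems


# Constructed in-memory store: every path populated, then two faults injected.
SAMPLE_STORE: dict[str, dict[str, str]] = {
    f"aos-prod-{s}": {k: "set" for k in keys} for s, keys in REQUIRED_KEYS.items()
}
SAMPLE_STORE["aos-prod-tasksec"]["AppCacheRedisPassword"] = ""  # path exists, value empty
del SAMPLE_STORE["aos-prod-ingress"]                             # path never created

if __name__ == "__main__":
    for path, issues in preflight("aos-prod", SAMPLE_STORE.get).items():
        print(path, "->", "; ".join(issues))
```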