Version: v1.1

Helm Values Reference

Overview

AosCloud's Kubernetes deployment is configured through Helm chart values files. The main AOS application chart uses a values-aws.yaml file with environment-specific values (database endpoints, Redis addresses, S3 bucket names, IAM role ARNs). Supporting infrastructure charts (autoscaler, Istio, cert-manager, etc.) each have their own aws-values.yaml file with environment-specific configuration.

This page documents the key Helm values for the AOS chart grouped by functional area, and lists the configuration variables used by each infrastructure chart.

Prerequisites

How Values Override Works

The AOS chart has two values layers:

File | Purpose
--- | ---
values.yaml | Default chart values with Helm template references (e.g., {{ .Values.global.aos.vaultAddrAppCfg }})
values-aws.yaml | AWS-specific overrides with environment values (endpoints, ARNs, bucket names) populated at deploy time

The values-aws.yaml file contains placeholder variables (e.g., ${DNS_HOST}, ${ENVIRONMENT}) that must be substituted with actual infrastructure values before installation.
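A small pre-install check for the substitution step described above, written here as an added example rather than code from the AosCloud project: it renders the ${VAR} placeholders from an environment map and refuses to let an unresolved one through. The SAMPLE fragment is constructed to mirror the shape of values-aws.yaml, not copied from it.

```python
import re
from typing import Dict, List, Tuple

# Matches the ${NAME} placeholders used in values-aws.yaml (e.g. ${DNS_HOST}).
PLACEHOLDER = re.compile(r"\$\{([A-Z][A-Z0-9_]*)\}")

def list_placeholders(text: str) -> List[str]:
    """Distinct placeholder names in a values file, in order of first appearance."""
    seen: List[str] = []
    for name in PLACEHOLDER.findall(text):
        if name not in seen:
            seen.append(name)
    return seen

def substitute(text: str, env: Dict[str, str]) -> Tuple[str, List[str]]:
    """Replace every ${NAME} with env[NAME] and report names with no (or an empty) value.
    Unresolved placeholders are left in place so the caller can refuse to install
    instead of shipping a literal '${...}' string into the cluster."""
    unresolved: List[str] = []

    def repl(match):
        name = match.group(1)
        if not env.get(name):
            unresolved.append(name)
            return match.group(0)
        return env[name]

    rendered = PLACEHOLDER.sub(repl, text)
    return rendered, sorted(set(unresolved))

# Constructed fragment in the shape of values-aws.yaml; not the real file.
SAMPLE = """\
global:
  domainName: ${DNS_HOST}
  aws:
    region: ${AWS_DEFAULT_REGION}
    environment: ${ENVIRONMENT}
  aos:
    vaultAddrAppCfg: ${AWS_BASE_NAME}-appcfg
    vaultAddrDbSec: ${AWS_BASE_NAME}-dbsec
"""

if __name__ == "__main__":
    env = {"DNS_HOST": "aos.example.com", "AWS_DEFAULT_REGION": "eu-west-1",
           "ENVIRONMENT": "prod", "AWS_BASE_NAME": "aos-prod"}
    rendered, missing = substitute(SAMPLE, env)
    if missing:
        raise SystemExit(f"refusing to install, unresolved placeholders: {missing}")
    print(rendered)
```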


AOS Chart — Global Values

Domain and Identity

Key Path | Type | Description | Template Variable | Required
--- | --- | --- | --- | ---
global.domainName | string | Public domain name for the deployment | ${DNS_HOST} | Yes
global.aws.region | string | AWS region for the deployment | ${AWS_DEFAULT_REGION} | Yes
global.aws.environment | string | Environment/namespace name | ${ENVIRONMENT} | Yes
global.aos.projectVersion | string | AOS Cloud application version | ${AOS_CLOUD_VERSION} | Yes

Secrets Manager Configuration

All microservices use AWS Secrets Manager for configuration and credentials. The vaultAddr* values define Secrets Manager path prefixes (named "vault" for historical reasons).

Key Path | Type | Description | Template Variable | Required
--- | --- | --- | --- | ---
global.aos.secretManagerType | string | Secret backend type | "AWSSecretManager" (hardcoded) | Yes
global.aos.vaultAddrAppCfg | string | App config secrets path | ${AWS_BASE_NAME}-appcfg | Yes
global.aos.vaultAddrAppSec | string | App secrets path | ${AWS_BASE_NAME}-appsec | Yes
global.aos.vaultAddrDbCfg | string | Database config path | ${AWS_BASE_NAME}-dbcfg | Yes
global.aos.vaultAddrDbSec | string | Database secrets path | ${AWS_BASE_NAME}-dbsec | Yes
global.aos.vaultAddrDataServices | string | Data services secrets path | ${AWS_BASE_NAME}-data-services | Yes
global.aos.vaultAddrIngress | string | Ingress certificates path | ${AWS_BASE_NAME}-ingress | Yes
global.aos.vaultAddrMHCfg | string | Message handler config path | ${AWS_BASE_NAME}-mhcfg | Yes
global.aos.vaultAddrMHSec | string | Message handler secrets path | ${AWS_BASE_NAME}-mhsec | Yes
global.aos.vaultAddrSdCfg | string | Service discovery config path | ${AWS_BASE_NAME}-sdcfg | Yes
global.aos.vaultAddrSdSec | string | Service discovery secrets path | ${AWS_BASE_NAME}-sdsec | Yes
global.aos.vaultAddrTaskCfg | string | Task/scheduler config path | ${AWS_BASE_NAME}-taskcfg | Yes
global.aos.vaultAddrTaskSec | string | Task/scheduler secrets path | ${AWS_BASE_NAME}-tasksec | Yes
global.aos.vaultAddrLanding | string | Landing page secrets path | ${AWS_BASE_NAME}-landing | Yes
global.aos.vaultAddrBase | string | Base infrastructure secrets path | ${AWS_BASE_NAME}-base | Yes

${AWS_BASE_NAME} is constructed from the project name and environment (e.g., aos-prod). Each path corresponds to a secret in AWS Secrets Manager containing the key-value pairs for the respective service.

caution

Do not include actual secret values in Helm values files. The values above are path references — the application reads the actual secrets at runtime from AWS Secrets Manager using the CSI Secrets Store driver.

Storage

Key Path | Type | Description | Template Variable | Required
--- | --- | --- | --- | ---
global.aos.awsStorageBucket | string | S3 bucket for backend storage (deployable items, artifacts) | ${S3_BACKEND_BUCKET} | Yes

AOS Chart — Database Connections

Aurora PostgreSQL

PostgreSQL credentials are sourced from Secrets Manager, not passed directly as Helm values. The Istio ServiceEntry allows pods to reach the database endpoint.

Key Path | Type | Description | Template Variable | Required
--- | --- | --- | --- | ---
aws.istio.externalHosts.postgresHostname | string | Aurora PostgreSQL cluster endpoint | ${PG_DB_HOST} | Yes
aws.aos.secrets.postgres.POSTGRES_ADMIN_USER | string | Secrets Manager path for DB username | ${AWS_BASE_NAME}-base/PostgresAdminLogin | Yes
aws.aos.secrets.postgres.POSTGRES_ADMIN_PASSWORD | string | Secrets Manager path for DB password | ${AWS_BASE_NAME}-base/PostgresAdminPassword | Yes

DocumentDB (MongoDB-Compatible)

Key Path | Type | Description | Template Variable | Required
--- | --- | --- | --- | ---
aws.docdb.endpoints[0] | string | DocumentDB primary endpoint | ${AWS_DOCDB_PRIMARY} | Yes
aws.docdb.endpoints[1] | string | DocumentDB replica endpoint | ${AWS_DOCDB_REPLICA} | Yes
aws.docdb.cidr | string | DocumentDB subnet CIDR (for Istio ServiceEntry) | ${AWS_DOCDB_CIDR} | Yes
aws.docdb.port | number | DocumentDB connection port | 27017 (hardcoded) | Yes

ElastiCache Redis

Key Path | Type | Description | Template Variable | Required
--- | --- | --- | --- | ---
aws.redis.primaryEndpoint | string | Redis primary endpoint address | ${AWS_REDIS_ENDPOINT} | Yes
aws.redis.cidr | string | Redis subnet CIDR (for Istio ServiceEntry) | ${AWS_REDIS_CIDR} | Yes
aws.redis.port | number | Redis connection port | 6379 (hardcoded) | Yes
aws.stunnelRedis.enabled | boolean | Whether to use stunnel for Redis TLS | false (default) | No

InfluxDB (Time-Series)

Key Path | Type | Description | Template Variable | Required
--- | --- | --- | --- | ---
influxdb2.persistence.enabled | boolean | Enable persistent storage | true (hardcoded) | Yes
influxdb2.efs.volumeHandle | string | EFS volume handle for InfluxDB data | ${INFLUXDB_EFS_VOLUMEHANDLE} | Yes
influxdb2.adminUser.existingSecret | string | K8s secret name for InfluxDB admin creds | ${AWS_BASE_NAME}-influxdb | Yes
influxdb2.backup.s3.destination | string | S3 path for InfluxDB backups | s3://${S3_INFRA_BUCKET}/influxdb2/backup | Yes

AOS Chart — Messaging

RabbitMQ

RabbitMQ is deployed via the rabbitmq-cluster-operator. Connection credentials are injected from a Kubernetes secret.

Key Path | Type | Description | Template Variable | Required
--- | --- | --- | --- | ---
global.aos.rabbitmqSecretName | string | K8s secret name with RabbitMQ credentials (host, port, username, password). If empty, a RabbitmqCluster CR is deployed. | ${RABBITMQ_SECRET_NAME} | Yes

Services that consume RabbitMQ (WebSocket API, Unit Message Handler, Queue Management) receive connection parameters via envFromSecret referencing this secret:

envFromSecret:
  secretName: '<rabbitmq-secret>'
  mappings:
    RMQ_HOSTNAME: host
    RMQ_PORT: port
    RMQ_USERNAME: username
    RMQ_PASSWORD: password

Background Task Queue (Redis-Based)

Key Path | Type | Description | Template Variable | Required
--- | --- | --- | --- | ---
global.aos.beat.redisPassword | string | Secrets Manager path for Redis password (task queue) | ${AWS_BASE_NAME}-tasksec/AppCacheRedisPassword | Yes
global.aos.beat.redisHostname | string | Secrets Manager path for Redis hostname (task queue) | ${AWS_BASE_NAME}-taskcfg/RedisHostname | Yes

AOS Chart — Monitoring and Observability

Prometheus Metrics

Key Path | Type | Description | Template Variable | Required
--- | --- | --- | --- | ---
global.metricsServerAddress | string | Prometheus server address for autoscaling queries | http://${AWS_BASE_NAME}-prometheus-server.monitoring.svc.cluster.local:80 | Yes

OpenTelemetry Tracing

Key Path | Type | Description | Default | Required
--- | --- | --- | --- | ---
global.otel.enabled | boolean | Enable distributed tracing | true | No
global.otel.exporterEndpoint | string | OTLP exporter gRPC endpoint | http://alloy.grafana.svc.cluster.local:4317 | No
global.otel.exporterProtocol | string | Export protocol | grpc | No
global.otel.serviceNamespace | string | Trace service namespace | aos | No

AOS Chart — Security and Certificates

TLS/mTLS Ingress Certificates

Certificates for Istio gateways are sourced from Secrets Manager. The cert-fetch job reads these paths and creates Kubernetes TLS secrets.

Key Path | Type | Description | Required
--- | --- | --- | ---
aws.istio.secrets.job.secretPath | string | Secrets Manager base path for ingress certs | Yes
aws.istio.secrets.job.tlscrt | string | Key name for main TLS certificate | Yes
aws.istio.secrets.job.tlskey | string | Key name for main TLS private key | Yes
aws.istio.secrets.job.tlssdcrt | string | Key name for Service Discovery mTLS cert | Yes
aws.istio.secrets.job.tlssdkey | string | Key name for Service Discovery mTLS key | Yes
aws.istio.secrets.job.tlswscrt | string | Key name for WebSocket mTLS cert | Yes
aws.istio.secrets.job.tlswskey | string | Key name for WebSocket mTLS key | Yes
aws.istio.secrets.job.cacrt | string | Key name for CA certificate | Yes

All certificate values reference Secrets Manager key names under the path ${AWS_BASE_NAME}-ingress. The actual certificate content must be stored in Secrets Manager before deployment.

Let's Encrypt (Optional)

Key Path | Type | Description | Template Variable | Required
--- | --- | --- | --- | ---
letsencrypt.enable | boolean | Enable automatic cert provisioning via Let's Encrypt | ${LETSENCRYPT_ENABLE} | No
letsencrypt.email | string | Contact email for Let's Encrypt | ${LETSENCRYPT_EMAIL} | Conditional
letsencrypt.cloudflareApiKey | string | Cloudflare API key for DNS-01 challenge | ${LETSENCRYPT_CF_KEY} | Conditional

CSI Secrets Store

Key Path | Type | Description | Required
--- | --- | --- | ---
aws.aos.extraSecretMounts[0].csi.driver | string | CSI driver name | Yes
aws.aos.extraSecretMounts[0].csi.volumeAttributes.secretProviderClass | string | SecretProviderClass name (aos-secret-csi) | Yes

AOS Chart — IRSA Service Accounts

Each microservice is assigned a Kubernetes ServiceAccount mapped to an IAM role via IRSA annotations.

Key Path | IAM Role | Used By
--- | --- | ---
global.serviceAccounts.base | ${AWS_BASE_NAME}-base | InfluxDB, CMS, Landing, RMQ Metrics
global.serviceAccounts.dataServices | ${AWS_BASE_NAME}-data-services | Alert Handler, Unit Monitoring
global.serviceAccounts.task | ${AWS_BASE_NAME}-task | Message Handler, Unit Message Handler
global.serviceAccounts.sd | ${AWS_BASE_NAME}-sd | Service Discovery
global.serviceAccounts.secretsUpdater | ${AWS_BASE_NAME}-secrets-manager | Secrets Updater Job
global.serviceAccounts.app | ${AWS_BASE_NAME}-app | API, Auth, WebSocket API, Background Tasks

Each service account carries the annotation eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT>:role/<ROLE_NAME>, which lets the pods running under it assume the corresponding IAM role. Because the role decides what each pod may do in AWS, a service account annotated with the wrong role silently widens (or breaks) that service's permissions.
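An added check, not part of the chart, that the rendered role-arn annotations point at exactly the roles in the table above and at the expected account. The base name, account ID and the service-account-key to annotation-value map are assumed to be supplied by the caller from the rendered ServiceAccount manifests.

```python
import re
from typing import Dict, List

# IAM role name suffix for each service-account key, from the table above.
SA_ROLE_SUFFIX: Dict[str, str] = {
    "base": "base",
    "dataServices": "data-services",
    "task": "task",
    "sd": "sd",
    "secretsUpdater": "secrets-manager",
    "app": "app",
}

# arn:aws:iam::<ACCOUNT>:role/<ROLE_NAME>; IAM role names allow [A-Za-z0-9+=,.@_-].
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/([A-Za-z0-9+=,.@_-]+)$")

def check_irsa_annotations(base_name: str, account_id: str,
                           role_arns: Dict[str, str]) -> List[str]:
    """role_arns maps a service-account key (e.g. 'app') to the value of its
    eks.amazonaws.com/role-arn annotation as rendered by the chart.
    Returns findings; an empty list means every service account points at
    exactly the role the table prescribes, in the expected account."""
    findings: List[str] = []
    for sa, suffix in SA_ROLE_SUFFIX.items():
        expected_role = f"{base_name}-{suffix}"
        arn = role_arns.get(sa)
        if arn is None:
            findings.append(f"{sa}: role-arn annotation missing")
            continue
        match = ROLE_ARN.match(arn)
        if not match:
            findings.append(f"{sa}: malformed role ARN {arn!r}")
            continue
        account, role = match.groups()
        if account != account_id:
            findings.append(f"{sa}: role lives in account {account}, expected {account_id}")
        if role != expected_role:
            findings.append(f"{sa}: role {role}, expected {expected_role}")
    for sa in sorted(set(role_arns) - set(SA_ROLE_SUFFIX)):
        findings.append(f"{sa}: service account not in the IRSA table")
    return findings

def render_role_arn(account_id: str, base_name: str, sa: str) -> str:
    """Annotation value the chart is expected to produce for one service account."""
    return f"arn:aws:iam::{account_id}:role/{base_name}-{SA_ROLE_SUFFIX[sa]}"
```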


AOS Chart — Feature Flags and Service Toggles

Key Path | Type | Description | Default | Required
--- | --- | --- | --- | ---
services.<name>.enabled | boolean | Enable/disable individual microservice | true | No
services.<name>.autoscaling.enabled | boolean | Enable HPA-based autoscaling | varies | No
services.<name>.autoscaling.minReplicas | number | Minimum pod count | varies | No
services.<name>.autoscaling.maxReplicas | number | Maximum pod count | varies | No
istio | boolean | Enable Istio integration | true | No
influxdb2.backup.enabled | boolean | Enable InfluxDB backup CronJob | true | No

AOS Chart — Istio Network Policy

The chart configures Istio's outbound traffic policy as REGISTRY_ONLY, so pods can only reach external endpoints that have an explicit ServiceEntry; any destination missing from the allow-list is blocked at the mesh.

Key Path | Type | Description | Required
--- | --- | --- | ---
aws.istio.externalHosts.httpsHosts | list(string) | Allowed external HTTPS destinations | Yes
aws.istio.mqVpcCidr | string | CIDR for RabbitMQ traffic (legacy, kept for compatibility) | Yes
aws.istio.cors.enabled | boolean | Enable CORS policy on virtual services | No

The httpsHosts list includes AWS service endpoints (Secrets Manager, EC2, CloudWatch Logs, S3, STS) and the deployment's own domain.


AOS Chart — SMTP Configuration

Key Path | Type | Description | Template Variable | Required
--- | --- | --- | --- | ---
aws.istio.mail.alertMailServer | string | SMTP server hostname | ${SMTP_SERVER} | Yes
aws.istio.mail.port | string | SMTP port | "2587" (hardcoded) | Yes

AOS Chart — SaaS Marketplace Integration (Optional)

Key Path | Type | Description | Template Variable | Required
--- | --- | --- | --- | ---
global.aos.awsSaasRegion | string | AWS SaaS region | ${AWS_SAAS_REGION} | Optional
global.aos.awsSaasRoleArn | string | SaaS integration IAM role ARN | ${AWS_SAAS_ARN} | Optional
global.aos.awsSaasSqsMetering | string | SQS ARN for metering events | ${AWS_SAAS_METERING_ARN} | Optional
global.aos.awsSaasSqsEntilement | string | SQS ARN for entitlement events | ${AWS_SAAS_ENTITLEMENT_ARN} | Optional

Infrastructure Charts — Configuration Variables

Each infrastructure Helm chart has its own aws-values.yaml override file. The following variables must be substituted with environment-specific values before installation.

Cluster Autoscaler (aws-autoscaler)

Template Variable | Description
--- | ---
AUTO_SCALE_ROLE_ARN | IAM role ARN for autoscaling
AWS_REGION | AWS region
CLUSTER_NAME | EKS cluster name
IMAGE | Container image URI (ECR)
IMAGE_TAG | Container image tag

CSI Secrets Store Driver (secrets-store-csi-driver-provider-aws)

Template Variable | Description
--- | ---
CSI_DRIVER_IMAGE | CSI driver image
CSI_DRIVER_TAG | CSI driver version
CSI_REGISTRAR_IMAGE | Node registrar image
CSI_REGISTRAR_TAG | Node registrar version
CSI_LIVENESS_IMAGE | Liveness probe image
CSI_LIVENESS_TAG | Liveness probe version
AWS_CSI_DRIVER_IMAGE | AWS provider image
AWS_CSI_DRIVER_TAG | AWS provider version

Fluent Bit (aws-for-fluent-bit)

Template Variable | Description
--- | ---
IMAGE | Fluent Bit image URI
IMAGE_TAG | Fluent Bit version
LOG_GROUP_NAME | CloudWatch log group name
APP_NAMESPACE | Namespace to filter logs for

cert-manager

Template Variable | Description
--- | ---
IMAGE_CERT_MANAGER | cert-manager controller image
IMAGE_CERT_MANAGER_TAG | cert-manager version
IMAGE_CERT_MANAGER_WH | Webhook image
IMAGE_CERT_MANAGER_CA | CA injector image
IMAGE_CERT_MANAGER_CTL | startupapicheck image

Istio Discovery (istiod)

Template Variable | Description
--- | ---
ISTIO_HUB | Istio container registry prefix (ECR path)
ISTIO_IMAGES_TAG | Istio version tag

Key Istio configuration in the override:

  • Profile: ambient (ambient mesh mode — no sidecar injection, uses ztunnel)
  • Outbound traffic policy: REGISTRY_ONLY (explicit allow-list)
  • Tracing: OpenTelemetry export to Grafana Alloy at port 4317, 10% sampling rate

Istio CNI

Deployed with profile: ambient and image references pointing to the private ECR mirror.

Istio ztunnel

Deployed with hub and tag pointing to the private ECR mirror of the Istio ztunnel image.

Prometheus

Template Variable | Description
--- | ---
AWS_ECR | ECR registry base
IMAGE_KSM_REPO | kube-state-metrics repo path
IMAGE_KSM_TAG | kube-state-metrics version
IMAGE_NODE_EXPORTER | Node exporter image
IMAGE_NODE_EXPORTER_TAG | Node exporter version
IMAGE_PROMETHEUS | Prometheus server image
IMAGE_PROMETHEUS_TAG | Prometheus server version

Key Prometheus configuration:

  • Alertmanager: disabled (uses managed alerting)
  • Persistent volume: disabled (stateful set with emptyDir)
  • Scrape interval: 30s
  • Exemplar storage: enabled for metrics-to-traces correlation

Infrastructure-to-Helm Variable Mapping Summary

The following table shows how key infrastructure outputs flow into Helm values for the AOS chart:

Infrastructure Value | Template Variable | Values Key Path
--- | --- | ---
Aurora PostgreSQL endpoint | PG_DB_HOST | aws.istio.externalHosts.postgresHostname
Redis primary endpoint | AWS_REDIS_ENDPOINT | aws.redis.primaryEndpoint
DocumentDB primary endpoint | AWS_DOCDB_PRIMARY | aws.docdb.endpoints[0]
DocumentDB replica endpoint | AWS_DOCDB_REPLICA | aws.docdb.endpoints[1]
S3 backend bucket name | S3_BACKEND_BUCKET | global.aos.awsStorageBucket
S3 infra bucket name | S3_INFRA_BUCKET | influxdb2.backup.s3.destination
EFS volume handle | INFLUXDB_EFS_VOLUMEHANDLE | influxdb2.efs.volumeHandle
AWS account ID | AWS_ACCOUNT | Service account role ARN annotations
Domain name | DNS_HOST | global.domainName
AWS region | AWS_DEFAULT_REGION | global.aws.region
Environment name | ENVIRONMENT | global.aws.environment
RabbitMQ secret name | RABBITMQ_SECRET_NAME | global.aos.rabbitmqSecretName
SMTP server hostname | SMTP_SERVER | aws.istio.mail.alertMailServer

Secrets Required Before Deployment

The following AWS Secrets Manager paths must be populated before the AOS Helm chart is installed. The infrastructure provisioning creates the secret paths but does not populate their values; these must be set manually or via a separate automation step. A path that exists but is empty, or is missing one of the keys below, will only surface as a failure once the consuming service starts.

Secrets Manager Path | Keys | Purpose
--- | --- | ---
<base-name>-base | PostgresAdminLogin, PostgresAdminPassword, InfluxdbAdminPassword, InfluxdbAdminToken, RmqMetricsRedisConnString | Core infrastructure credentials
<base-name>-appcfg | Application config (SMTP host, ports, feature flags) | App-level configuration
<base-name>-appsec | SMTPMailServerLogin, SMTPMailServerPassword | App-level secrets
<base-name>-dbcfg | Database connection config (hostnames, ports) | DB config for API/Auth services
<base-name>-dbsec | Database credentials | DB secrets for API/Auth services
<base-name>-data-services | Config for Alert Handler, Unit Monitoring | Data services config
<base-name>-mhcfg / <base-name>-mhsec | Message handler and DocumentDB config/secrets | Message handler credentials
<base-name>-sdcfg / <base-name>-sdsec | Service discovery config/secrets | Service discovery credentials
<base-name>-taskcfg | RedisHostname | Task queue config
<base-name>-tasksec | AppCacheRedisPassword | Task queue credentials
<base-name>-ingress | IngressCertificate, IngressKey, IngressSDCertificate, IngressSDKey, IngressWSCertificate, IngressWSKey, IngressCACertificate | TLS/mTLS certificates
<base-name>-landing | Landing page / SaaS integration config | Landing service credentials

Here <base-name> follows the pattern <project_name>-<environment> (e.g., aos-prod), matching the ${AWS_BASE_NAME} template variable used throughout the values file.
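An added pre-deployment check, not the project's own tooling, that walks the table above and verifies each path exists and carries the keys listed, reporting only path and key names and never values. The offline part accepts any fetch callable; the boto3-backed fetcher assumes each secret is stored as a JSON object of key/value pairs.

```python
import json
from typing import Callable, Dict, List, Optional

# Keys the table above lists for each Secrets Manager path. Paths whose contents
# are described only loosely (appcfg, dbcfg, ...) must exist and be non-empty.
REQUIRED_KEYS: Dict[str, List[str]] = {
    "base": ["PostgresAdminLogin", "PostgresAdminPassword", "InfluxdbAdminPassword",
             "InfluxdbAdminToken", "RmqMetricsRedisConnString"],
    "appsec": ["SMTPMailServerLogin", "SMTPMailServerPassword"],
    "taskcfg": ["RedisHostname"],
    "tasksec": ["AppCacheRedisPassword"],
    "ingress": ["IngressCertificate", "IngressKey", "IngressSDCertificate", "IngressSDKey",
                "IngressWSCertificate", "IngressWSKey", "IngressCACertificate"],
    "appcfg": [], "dbcfg": [], "dbsec": [], "data-services": [],
    "mhcfg": [], "mhsec": [], "sdcfg": [], "sdsec": [], "landing": [],
}

Fetcher = Callable[[str], Optional[Dict[str, str]]]  # None means the path does not exist

def preflight_secrets(base_name: str, fetch: Fetcher) -> List[str]:
    """Check every <base-name>-<suffix> path before 'helm install'. Only path and
    key names are ever reported; secret values are never logged."""
    problems: List[str] = []
    for suffix, keys in REQUIRED_KEYS.items():
        path = f"{base_name}-{suffix}"
        secret = fetch(path)
        if secret is None:
            problems.append(f"{path}: secret not found")
            continue
        if not secret:
            problems.append(f"{path}: exists but holds no keys")
            continue
        for key in keys:
            if not secret.get(key):
                problems.append(f"{path}: missing or empty key {key}")
    return problems

def secrets_manager_fetcher(region: str) -> Fetcher:
    """Fetcher backed by AWS Secrets Manager (assumes each secret is a JSON object)."""
    import boto3  # imported lazily so the offline check above needs no AWS SDK
    client = boto3.client("secretsmanager", region_name=region)
    def fetch(path: str) -> Optional[Dict[str, str]]:
        try:
            response = client.get_secret_value(SecretId=path)
        except client.exceptions.ResourceNotFoundException:
            return None
        return json.loads(response["SecretString"])
    return fetch
```

Run it as `preflight_secrets("aos-prod", secrets_manager_fetcher("eu-west-1"))` and refuse to install while the returned list is non-empty.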