Handbook - Configuration

Deployed Configuration

Deployed mode is the shared-user and enterprise Kubernetes configuration for CloudGrid.


Deployed mode is the shared-user configuration for CloudGrid. Enterprise deployments use the versioned Helm chart, verified release artifacts, private NATS and SurrealDB endpoints, SSO, and digest-pinned service images.

CLOUDGRID_DEPLOYMENT_MODE=deployed
CLOUDGRID_AUTH_MODE=sso
CLOUDGRID_AUTH_COMPANY_ID=acme
CLOUDGRID_AUTH_PROVIDERS=github
CLOUDGRID_SESSION_SECRET='<32-plus-byte-secret>'

The repository includes a Helm chart and release workflow definition. Use this page to understand the required configuration and readiness boundaries before deploying shared environments; signed images, SBOMs, provenance, and the release manifest exist only once the release workflow has published them.

Required Decisions

Decision | Requirement
Public entrypoints | BFF and OTLP collector are the only public candidates.
Private infrastructure | NATS and SurrealDB stay private.
Auth | Browser users authenticate through BFF-owned SSO.
Distribution | Install from the versioned Helm chart and verified OCI images.
Image references | Production values pin image digests from release-values.yaml or release-manifest.json; do not use latest.
Company boundary | CLOUDGRID_AUTH_COMPANY_ID selects the deployed company until dynamic tenant provisioning exists.
Invitation delivery | Email delivery uses the control-plane SMTP outbox, or an explicit suppressed manual mode for private testing.
Ingest credentials | Machine ingest uses project API keys or trusted bearer JWTs, not browser SSO tokens.
Provider secrets | Managed AI provider API keys require a stable CLOUDGRID_PROVIDER_SECRET_ENCRYPTION_KEY mounted only into control-plane.
Self-observability | Disabled by default; enabling it requires an explicit company, project, endpoint, and bearer token.

Service Environment Shape

[Diagram: Public network: cloudgrid-bff, cloudgrid-otlp-collector. Private: NATS, storage-read, storage-write, control-plane, SurrealDB.]

Minimal Deployed SSO Example

CLOUDGRID_DEPLOYMENT_MODE=deployed
CLOUDGRID_AUTH_MODE=sso
CLOUDGRID_AUTH_PROVIDERS=github
CLOUDGRID_AUTH_COMPANY_ID=acme
CLOUDGRID_AUTH_GITHUB_CLIENT_ID='<client-id>'
CLOUDGRID_AUTH_GITHUB_CLIENT_SECRET='<client-secret>'
CLOUDGRID_AUTH_GITHUB_REDIRECT_URI=https://cloudgrid.example.com/auth/callback
CLOUDGRID_SESSION_SECRET='<random-session-secret>'
CLOUDGRID_PUBLIC_URL=https://cloudgrid.example.com
CLOUDGRID_PROVIDER_SECRET_ENCRYPTION_KEY='<long-random-secret>'
CLOUDGRID_INVITATION_EMAIL_MODE=smtp
CLOUDGRID_INVITATION_EMAIL_REQUIRE_DELIVERY=true
CLOUDGRID_INVITATION_EMAIL_FROM='CloudGrid <noreply@example.com>'
CLOUDGRID_INVITATION_EMAIL_SMTP_HOST=smtp.example.com
CLOUDGRID_INVITATION_EMAIL_SMTP_PORT=587
CLOUDGRID_INVITATION_EMAIL_SMTP_TLS=starttls
CLOUDGRID_NATS_URL=nats://nats.private:4222
CLOUDGRID_STORAGE_ADAPTER=surrealdb
CLOUDGRID_SURREALDB_URL=http://surrealdb.private:8000/rpc

SMTP invitation delivery is the normal deployed SSO onboarding path. The control-plane writes invitation and outbox state before returning from invite mutations, then sends and retries email asynchronously from the durable outbox.
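As an added example (not CloudGrid's own tooling), the check below parses an env file in the shape shown above and flags the constraints this page lists: SSO auth with a company ID, complete credentials for every configured provider, a session secret of at least 32 bytes, private NATS and SurrealDB hosts, and digest-pinned image references. The private DNS suffix list and the sample values are assumptions.

```python
# Added example (not CloudGrid's own tooling): preflight a deployed-mode env file against this page's constraints.
import shlex
from urllib.parse import urlparse

PRIVATE_SUFFIXES = (".private", ".svc", ".svc.cluster.local")  # assumption; the page's example uses ".private"

# Constructed sample based on the page's minimal SSO example; the session secret is a dummy value.
SAMPLE_ENV = """
CLOUDGRID_DEPLOYMENT_MODE=deployed
CLOUDGRID_AUTH_MODE=sso
CLOUDGRID_AUTH_PROVIDERS=github
CLOUDGRID_AUTH_COMPANY_ID=acme
CLOUDGRID_AUTH_GITHUB_CLIENT_ID='<client-id>'
CLOUDGRID_AUTH_GITHUB_CLIENT_SECRET='<client-secret>'
CLOUDGRID_AUTH_GITHUB_REDIRECT_URI=https://cloudgrid.example.com/auth/callback
CLOUDGRID_SESSION_SECRET='constructed-dummy-session-secret-not-for-production'
CLOUDGRID_PROVIDER_SECRET_ENCRYPTION_KEY='<long-random-secret>'
CLOUDGRID_NATS_URL=nats://nats.private:4222
CLOUDGRID_SURREALDB_URL=http://surrealdb.private:8000/rpc
"""

def parse_env(text):
    """Parse dotenv-style KEY=VALUE lines; quotes are stripped the way a shell would."""
    env = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = "".join(shlex.split(value))
    return env

def image_ref_is_pinned(ref):  # production values pin digests, never the mutable 'latest' tag
    return "@sha256:" in ref and not ref.split("@", 1)[0].endswith(":latest")

def preflight(env):
    """Return violations of this page's deployed-mode constraints; an empty list means pass."""
    required = ["CLOUDGRID_AUTH_COMPANY_ID", "CLOUDGRID_PROVIDER_SECRET_ENCRYPTION_KEY"]
    for provider in filter(None, env.get("CLOUDGRID_AUTH_PROVIDERS", "").split(",")):
        required += [f"CLOUDGRID_AUTH_{provider.strip().upper()}_{s}" for s in ("CLIENT_ID", "CLIENT_SECRET", "REDIRECT_URI")]
    problems = [f"{k} is required" for k in required if not env.get(k)]
    for key, want in (("CLOUDGRID_DEPLOYMENT_MODE", "deployed"), ("CLOUDGRID_AUTH_MODE", "sso")):
        if env.get(key) != want:
            problems.append(f"{key} must be {want}")
    if len(env.get("CLOUDGRID_SESSION_SECRET", "").encode()) < 32:
        problems.append("CLOUDGRID_SESSION_SECRET must be at least 32 bytes")
    for key in ("CLOUDGRID_NATS_URL", "CLOUDGRID_SURREALDB_URL"):  # these endpoints must never be public
        host = urlparse(env.get(key, "")).hostname or ""
        if not host.endswith(PRIVATE_SUFFIXES):
            problems.append(f"{key} host {host!r} is not private")
    return problems
```

Run `preflight(parse_env(open("deployed.env").read()))` as a CI gate before `helm install`; anything returned is a configuration that contradicts the table above.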

Production-Readiness Gaps

Before public or enterprise distribution, verify:

  • signed OCI images per service;
  • SBOMs, provenance, checksums, and image signatures from the release workflow artifacts;
  • Helm chart lint/template output for the selected profile;
  • storage-maintenance retention deletion execution is wired to the intended storage adapter and scheduler;
  • alert evaluator scheduling/execution is wired to storage-read and control-plane ports;
  • production operational dashboards and load/capacity envelopes.

Deployment Guides

Goal | Page
Install the enterprise chart | Enterprise Helm install
Store AI provider API keys safely | Provider secrets
Configure private NATS and SurrealDB | External NATS and SurrealDB
Customize service images and base images | Image customization
Mirror artifacts into a private registry | Private registry and air-gapped installs
Verify release artifacts before promotion | Release artifact verification
Upgrade or roll back a deployment | Upgrade and rollback
Select replicas and benchmark thresholds | Sizing and scaling

Next Step

Start with Enterprise Helm install, then configure SSO providers and invitation email delivery.
