Handbook - Configuration

Kubernetes And Deployment Status

CloudGrid includes a Helm chart and release workflow; enterprise installs use verified artifacts and digest-pinned image values.

CloudGrid now includes a Helm chart at charts/cloudgrid and a release workflow definition. Signed service images, pushed chart artifacts, SBOM/provenance output, and a release manifest are produced only when the release workflow runs.

Treat this page as a deployment-readiness map. For the actual install path, use Enterprise Helm install. Operators still need environment-specific values, secrets, ingress/TLS, external dependency configuration, and image digests from a completed release.

Target Service Set

| Service | Public | Scales horizontally | Needs SurrealDB credentials |
|---|---|---|---|
| cloudgrid-bff | Yes | Yes | No |
| cloudgrid-otlp-collector | Yes | Yes | No |
| cloudgrid-storage-read | No | Yes | Yes |
| cloudgrid-storage-write | No | Production target uses pull mode for multiple replicas | Yes |
| cloudgrid-control-plane | No | Low-volume replicas | Yes |
| cloudgrid-alert-evaluator | No | Scheduler-controlled replicas | No direct SurrealDB access |
| cloudgrid-storage-maintenance | No | Maintenance replicas | Yes |
| cloudgrid-ai-eval-runner | No | Optional | No SurrealDB access |
| NATS JetStream | No | Clustered dependency | No |
| SurrealDB | No | Deployment-specific | Owns its credentials |

Production Deployment Boundary

Diagram (production deployment boundary): the public network (browser users, OTLP emitters) reaches the Kubernetes cluster only through an ingress or gateway in front of cloudgrid-bff and cloudgrid-otlp-collector. Private in-cluster services: NATS JetStream, cloudgrid-storage-read, cloudgrid-storage-write, cloudgrid-control-plane, cloudgrid-alert-evaluator, cloudgrid-storage-maintenance. Private data services: Kubernetes Secrets, SurrealDB.

Kubernetes Boundary Rules

  • Only the BFF and OTLP collector should receive ingress.
  • NATS and SurrealDB must be private cluster services or external managed endpoints.
  • SurrealDB credentials are mounted only into storage-read, storage-write, control-plane, and storage-maintenance pods.
  • The BFF image may contain built frontend assets.
  • The collector, frontend, BFF responses, and generated assets must not expose SurrealDB credentials.
  • The chart must not add REST telemetry read endpoints, public NATS, or public SurrealDB.

Helm Values Shape

The implemented chart uses one CloudGrid Helm release with values for:

global:
  imageRegistry: ghcr.io/cloudgrid-dev

bff:
  replicas: 2
  image:
    repository: cloudgrid-bff
    digest: sha256:...
  env:
    CLOUDGRID_DEPLOYMENT_MODE: deployed
    CLOUDGRID_AUTH_MODE: sso

otlpCollector:
  replicas: 2
  service:
    otlpHttpPort: 4318
    otlpGrpcPort: 4317

storageRead:
  replicas: 2

storageWrite:
  replicas: 1

controlPlane:
  replicas: 1

alertEvaluator:
  enabled: false

storageMaintenance:
  enabled: false

nats:
  external:
    url: nats://nats.private:4222

surrealdb:
  external:
    url: http://surrealdb.private:8000/rpc
    existingSecret: cloudgrid-surrealdb

Use helm lint charts/cloudgrid and helm template with the intended profile before deployment. Profiles live under charts/cloudgrid/profiles.
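A boundary check to run over the output of helm template before install, added here as an example and not part of the chart or the CloudGrid project: it applies the Kubernetes boundary rules above (ingress only to the BFF and collector, the SurrealDB secret only in the four storage/control services, digest-pinned images) to parsed manifests. It assumes workload and Service names match the service names in the table, that the SurrealDB secret is named as in existingSecret, and uses a constructed sample in place of a real render.

```python
"""Check rendered CloudGrid manifests (parsed YAML docs) against the boundary rules."""

# Assumed: workload and Service names match the service names in the table above.
PUBLIC_OK = {"cloudgrid-bff", "cloudgrid-otlp-collector"}
SURREAL_OK = {"cloudgrid-storage-read", "cloudgrid-storage-write",
              "cloudgrid-control-plane", "cloudgrid-storage-maintenance"}

def secret_refs(pod_spec):
    """Yield every Secret name a pod spec can read: secret volumes, envFrom, env valueFrom."""
    for v in pod_spec.get("volumes", []):
        if "secret" in v:
            yield v["secret"].get("secretName")
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        yield from (e["secretRef"]["name"] for e in c.get("envFrom", []) if "secretRef" in e)
        yield from (e["valueFrom"]["secretKeyRef"]["name"] for e in c.get("env", [])
                    if "secretKeyRef" in e.get("valueFrom", {}))

def check_boundary(manifests, surreal_secret="cloudgrid-surrealdb"):
    """Return rule violations; an empty list means the rendered chart respects the boundary."""
    problems = []
    for m in manifests:
        kind, name, spec = m.get("kind"), m.get("metadata", {}).get("name"), m.get("spec", {})
        if kind == "Ingress":  # only the BFF and the OTLP collector may sit behind ingress
            for rule in spec.get("rules", []):
                for p in rule.get("http", {}).get("paths", []):
                    svc = p["backend"]["service"]["name"]
                    if svc not in PUBLIC_OK:
                        problems.append(f"Ingress {name} exposes {svc}")
        elif kind == "Service" and spec.get("type") in ("LoadBalancer", "NodePort"):
            if name not in PUBLIC_OK:  # NATS, SurrealDB and storage-* stay cluster-private
                problems.append(f"Service {name} is publicly typed ({spec['type']})")
        elif kind in ("Deployment", "StatefulSet"):
            pod = spec["template"]["spec"]
            if surreal_secret in set(secret_refs(pod)) and name not in SURREAL_OK:
                problems.append(f"{kind} {name} mounts {surreal_secret}")
            for c in pod.get("containers", []):  # enterprise installs pin images by digest
                if "@sha256:" not in c.get("image", ""):
                    problems.append(f"{kind} {name} image {c['image']} is not digest-pinned")
    return problems

# Constructed sample standing in for `helm template` output; not taken from the real chart.
SAMPLE = [
    {"kind": "Service", "metadata": {"name": "cloudgrid-storage-read"}, "spec": {"type": "NodePort"}},
    {"kind": "Deployment", "metadata": {"name": "cloudgrid-bff"}, "spec": {"template": {"spec": {
        "containers": [{"image": "ghcr.io/cloudgrid-dev/cloudgrid-bff:1.0",
                        "envFrom": [{"secretRef": {"name": "cloudgrid-surrealdb"}}]}]}}}},
    {"kind": "Deployment", "metadata": {"name": "cloudgrid-storage-read"}, "spec": {"template": {"spec": {
        "containers": [{"image": "ghcr.io/cloudgrid-dev/cloudgrid-storage-read@sha256:" + "0" * 64,
                        "envFrom": [{"secretRef": {"name": "cloudgrid-surrealdb"}}]}]}}}},
]
```

To check a real render, load the helm template output with yaml.safe_load_all (PyYAML) and pass the resulting list to check_boundary; the sample above yields three violations (a public storage-read Service, the BFF mounting the SurrealDB secret, and an untagged-by-digest BFF image).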

Secret Handling

Kubernetes Secrets should hold:

  • CLOUDGRID_SESSION_SECRET;
  • SSO provider client secrets;
  • SurrealDB username and password;
  • CLOUDGRID_PROVIDER_SECRET_ENCRYPTION_KEY for encrypted managed AI provider secrets;
  • deployed self-observability bearer token;
  • optional AI-eval harness credentials when the relevant specs and adapters define them.

ConfigMaps can hold non-secret values such as deployment mode, ports, provider IDs, issuer URLs, and public callback URLs.

Runtime Configuration Checklist

  • Set CLOUDGRID_DEPLOYMENT_MODE=deployed.
  • Set CLOUDGRID_AUTH_MODE=sso.
  • Configure one or more SSO providers and callback URLs.
  • Set CLOUDGRID_PUBLIC_URL to the browser URL used in invitation email links.
  • Configure SMTP invitation email variables for deployed SSO onboarding.
  • Mount SurrealDB credentials only into storage-read, storage-write, control-plane, and storage-maintenance.
  • Use external managed NATS and SurrealDB for production unless a chart profile explicitly documents bundled production dependencies.

Production Profiles

The release spec defines target profiles:

| Profile | Purpose |
|---|---|
| local | Single-node evaluation with bundled dependencies. |
| small | Team deployment with a few replicas and private dependencies. |
| enterprise | HPA-ready services, external NATS and SurrealDB recommended, SSO required. |

These profiles are implemented under charts/cloudgrid/profiles and are intended as starting points, not complete environment policy.

Next Step

Install with Enterprise Helm install, configure external NATS and SurrealDB, and verify artifacts with Release artifact verification.