Solo UI management
Review Helm values for the Solo UI management Helm chart.
Review Helm values for the Solo UI management Helm chart.
Overview
The management chart deploys the core Solo UI components for Solo Enterprise for Istio, including:
- UI frontend
- UI backend gRPC/REST API server
- Tunnel server for secure communication with workload clusters
- OpenTelemetry gateway for telemetry aggregation
- ClickHouse database for data storage
For more information, see the installation guide.
ClickHouse performance configuration
The following default values are set to optimize performance for systems with <16GB RAM. For more information, see the ClickHouse documentation.
clickhouse:
customConfig:
mark_cache_size: 524288000 # 500MB
concurrent_threads_soft_limit_num: 1
profiles:
default:
"@replace": "1"
max_block_size: 8192
max_download_threads: 1
input_format_parallel_parsing: 0
output_format_parallel_formatting: 0Values
| Key | Type | Description | Default |
|---|---|---|---|
| affinity | object | Affinity for the UI deployment pods | {} |
| agentevals.database.postgres.autoMigrate | bool | true | |
| agentevals.database.postgres.connectTimeoutSeconds | int | 600 | |
| agentevals.database.postgres.schema | string | "agentevals" | |
| agentevals.database.postgres.urlFile | string | "/usr/share/management/postgres/url" | |
| agentevals.enabled | bool | EXPERIMENTAL. Enable the agentevals service. Off by default while the integration is in development; expect breaking changes to values keys, Secret shapes, and resource names. Disable / re-enable contract: flipping this to false uninstalls the agentevals Deployment but leaves the agentevals ClickHouse database and Postgres schema in place. Re-enabling re-attaches to that data; drop it out of band first for a clean re-enable. Acceptable for experimental: an auto-drop hook is irreversible and not worth the blast radius for an opt-in feature. Cleanup tooling is on the v1 GA list. | false |
| agentevals.enterprise | object | Enterprise-only knobs (not consumed by the upstream subchart). The subchart ignores unknown keys, so this sub-namespace is safe. | {"clickhouse":{"database":"agentevals","generateConfig":true,"secretRef":"agentevals-clickhouse-config"}} |
| agentevals.enterprise.clickhouse | object | ClickHouse configuration for the agentevals ResultSink. Targets a dedicated agentevals database in the shared CH instance. address/port/username/password are inherited from ui.backend.clickhouse so the chart has one source of truth per CH instance; add username/password here later if you want a service-scoped CH user for agentevals. | {"database":"agentevals","generateConfig":true,"secretRef":"agentevals-clickhouse-config"} |
| agentevals.enterprise.clickhouse.database | string | ClickHouse database for the agentevals ResultSink. Separate from ui.backend.clickhouse.database so result rows do not collide with platformdb tables. | "agentevals" |
| agentevals.enterprise.clickhouse.generateConfig | bool | Trigger generation of the secret containing clickhouse configuration | true |
| agentevals.enterprise.clickhouse.secretRef | string | Secret reference for the agentevals clickhouse config secret | "agentevals-clickhouse-config" |
| agentevals.env[0].name | string | "AGENTEVALS_CLICKHOUSE_CONFIG_PATH" | |
| agentevals.env[0].value | string | "/usr/share/agentevals/clickhouse-config.json" | |
| agentevals.env[1].name | string | "INSECURE_MODE" | |
| agentevals.env[1].value | string | "true" | |
| agentevals.extraVolumeMounts[0].mountPath | string | "/usr/share/agentevals/clickhouse-config.json" | |
| agentevals.extraVolumeMounts[0].name | string | "agentevals-clickhouse-config" | |
| agentevals.extraVolumeMounts[0].readOnly | bool | true | |
| agentevals.extraVolumeMounts[0].subPath | string | "config.json" | |
| agentevals.extraVolumeMounts[1].mountPath | string | "/usr/share/management/postgres" | |
| agentevals.extraVolumeMounts[1].name | string | "management-postgres-dsn" | |
| agentevals.extraVolumeMounts[1].readOnly | bool | true | |
| agentevals.extraVolumes[0].name | string | "agentevals-clickhouse-config" | |
| agentevals.extraVolumes[0].secret.secretName | string | "agentevals-clickhouse-config" | |
| agentevals.extraVolumes[1].name | string | "management-postgres-dsn" | |
| agentevals.extraVolumes[1].secret.secretName | string | "management-postgres-dsn" | |
| agentevals.fullnameOverride | string | "solo-enterprise-agentevals" | |
| agentevals.image.pullPolicy | string | "" | |
| agentevals.image.registry | string | Container image registry. The agentevals subchart concatenates image.registry + image.repository + image.tag (it does NOT read .Values.global.image.*), so set these explicitly to point at the enterprise overlay image that carries the agentevals_kagent ClickHouse ResultSink wheel. | "" |
| agentevals.image.repository | string | Container image repository (org/name). Override to use upstream ghcr.io/agentevals-dev/agentevals when the sink ships via plugin discovery. | "solo-enterprise-agentevals-kagent" |
| agentevals.image.tag | string | Image tag. Required when agentevals.enabled=true and validated at install time; an empty value would otherwise resolve to the upstream subchart appVersion, which is not the enterprise overlay tag. Release pipelines should pass this explicitly to match the management chart version. | "" |
| agentevals.imagePullSecrets | list | imagePullSecrets for the agentevals subchart pod. Subchart-local; the parent chart’s global.imagePullSecrets does not flow through. | [] |
| agentevals.podLabels.“istio.io/dataplane-mode” | string | "ambient" | |
| agentevals.podSecurityContext.fsGroup | int | 1000 | |
| agentevals.resources.limits.cpu | string | "1000m" | |
| agentevals.resources.limits.memory | string | "2048Mi" | |
| agentevals.resources.requests.cpu | string | "250m" | |
| agentevals.resources.requests.memory | string | "512Mi" | |
| agentevals.securityContext.allowPrivilegeEscalation | bool | false | |
| agentevals.securityContext.capabilities.drop[0] | string | "ALL" | |
| agentevals.securityContext.readOnlyRootFilesystem | bool | true | |
| agentevals.securityContext.runAsGroup | int | 1000 | |
| agentevals.securityContext.runAsNonRoot | bool | true | |
| agentevals.securityContext.runAsUser | int | 1000 | |
| agentevals.serviceAccount.create | bool | true | |
| agentevals.serviceAccount.name | string | "solo-enterprise-agentevals" | |
| agentevals.storage.backend | string | "postgres" | |
| clickhouse.auth.enabled | bool | Enable ClickHouse authentication | true |
| clickhouse.auth.password | string | ClickHouse password | "password" |
| clickhouse.auth.skipUserSetup | bool | false | |
| clickhouse.auth.username | string | ClickHouse username | "default" |
| clickhouse.containerSecurityContext | object | Container-level security context for ClickHouse containers (passed through to the ClickHouse subchart). Subchart defaults: readOnlyRootFilesystem: true, allowPrivilegeEscalation: false, capabilities.drop: [ALL] | {} |
| clickhouse.customConfig | object | Custom ClickHouse server configuration | {"mark_cache_size":524288000,"part_log":{"ttl":"event_date + INTERVAL 7 DAY"},"query_log":{"ttl":"event_date + INTERVAL 7 DAY"},"trace_log":{"ttl":"event_date + INTERVAL 3 DAY"}} |
| clickhouse.database | object | database to create | {"name":"platformdb"} |
| clickhouse.enabled | bool | Enable ClickHouse deployment | true |
| clickhouse.image | object | ClickHouse image configuration | {"repository":"clickhouse/clickhouse-server","tag":"26.1.11.9-alpine"} |
| clickhouse.image.repository | string | ClickHouse image repository | "clickhouse/clickhouse-server" |
| clickhouse.image.tag | string | ClickHouse image tag - empty so it uses the tag used within the solo-owned clickhouse app version | "26.1.11.9-alpine" |
| clickhouse.keeper.enabled | bool | Disable ClickHouse Keeper / ZooKeeper | false |
| clickhouse.livenessProbe | object | Liveness probe for ClickHouse | {"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"tcpSocket":{"port":"http"},"timeoutSeconds":5} |
| clickhouse.livenessProbe.failureThreshold | int | Failure threshold for liveness probe | 3 |
| clickhouse.livenessProbe.initialDelaySeconds | int | Initial delay seconds for liveness probe | 10 |
| clickhouse.livenessProbe.periodSeconds | int | Period seconds for liveness probe | 10 |
| clickhouse.livenessProbe.successThreshold | int | Success threshold for liveness probe | 1 |
| clickhouse.livenessProbe.timeoutSeconds | int | Timeout seconds for liveness probe | 5 |
| clickhouse.metrics | object | Enable ClickHouse Prometheus metrics endpoint | {"enabled":true,"port":9363} |
| clickhouse.metrics.port | int | Port number for the ClickHouse Prometheus metrics endpoint | 9363 |
| clickhouse.persistentVolume.enabled | bool | Disable persistent storage | false |
| clickhouse.profiles | object | User performance profiles | {"default":{"@replace":"1","max_execution_time":60}} |
| clickhouse.readinessProbe | object | Readiness probe for ClickHouse | {"failureThreshold":3,"httpGet":{"path":"/ping","port":"http"},"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5} |
| clickhouse.readinessProbe.failureThreshold | int | Failure threshold for readiness probe | 3 |
| clickhouse.readinessProbe.initialDelaySeconds | int | Initial delay seconds for readiness probe | 10 |
| clickhouse.readinessProbe.periodSeconds | int | Period seconds for readiness probe | 10 |
| clickhouse.readinessProbe.successThreshold | int | Success threshold for readiness probe | 1 |
| clickhouse.readinessProbe.timeoutSeconds | int | Timeout seconds for readiness probe | 5 |
| clickhouse.replicasPerShard | int | Number of ClickHouse replicas | 1 |
| clickhouse.resources | object | Resource preset for ClickHouse | {"limits":{"cpu":6,"memory":"12288Mi"},"requests":{"cpu":2,"ephemeral-storage":"50Mi","memory":"3072Mi"}} |
| clickhouse.securityContext | object | Pod-level security context for ClickHouse pods (passed through to the ClickHouse subchart). Subchart defaults: runAsUser/runAsGroup/fsGroup: 101, runAsNonRoot: true, fsGroupChangePolicy: OnRootMismatch | {} |
| clickhouse.shards | int | Number of ClickHouse shards | 1 |
| cluster | string | Name of the cluster where this chart is deployed - must only contain letters, digits, hyphens (-) and dots (.), start and end with a letter or digit, and be between 1 and 253 characters | "mgmt-cluster" |
| database | object | Postgres connection used by services in this chart. Must point at the same database the kagent-enterprise chart uses; agentevals owns its own schema inside that database. | {"postgres":{"url":"","urlFile":""}} |
| database.postgres.url | string | External PostgreSQL connection string. Required when agentevals.enabled is true unless urlFile is set. | "" |
| database.postgres.urlFile | string | Path to a file containing the database URL. Takes precedence over url when set. | "" |
| global.image.registry | string | Fallback registry for all solo-owned images. Excludes third party images. Per-image registry takes precedence when set. | "us-docker.pkg.dev/solo-public" |
| global.image.repository | string | Fallback repository for all solo-owned images. Excludes third party images. Per-image repository takes precedence when set. | "solo-enterprise" |
| global.image.tag | string | Fallback tag for all solo-owned images. Excludes third party images. Per-image tag takes precedence when set; falls back to chart version if both are unset. | "" |
| global.imagePullPolicy | string | Configure image pull policy for all images in this chart | "IfNotPresent" |
| global.imagePullSecrets | list | Image pull secrets for private registries. Propagated to all subcharts. | [] |
| idp.name | string | Image name for the IDP | "solo-enterprise-autoauth" |
| idp.pullPolicy | string | Image pull policy for the IDP image | "" |
| idp.registry | string | Registry for the IDP image. | "us-docker.pkg.dev/solo-public" |
| idp.repository | string | Repository for the IDP image. | "solo-enterprise" |
| idp.securityContext | object | Container security context for idp | (uses global securityContext) |
| idp.tag | string | Image tag for the IDP image | "v0.2.1" |
| imagePullSecrets | list | Image pull secrets for private registries. @deprecated Use global.imagePullSecrets instead. This field will be removed in a future release. | [] |
| istio | object | Istio ambient mode integration. When enabled (the default), in-mesh pods are labeled with istio.io/dataplane-mode=ambient and cross-cluster Services with solo.io/service-scope=global, so ambient multi-cluster routing works without any post-install labeling. Disable when installing into a cluster that is not running ambient mode. | {"ambient":{"enabled":true}} |
| istio.ambient.enabled | bool | Apply ambient dataplane-mode and global service-scope labels automatically on install. | true |
| kubernetes.watchNamespaces | list | List of namespaces to watch for Kubernetes resources | [] |
| licensing.createSecret | bool | When true the chart creates a Secret from licenseKey. Requires secretName and licenseKey. If you use your own Secret, changing it only takes effect after a pod restart. | true |
| licensing.licenseFilePath | string | Absolute path to the license key file inside a mounted volume (e.g. CSI / Google Secret Manager). Sets LICENSE_KEY_PATH; the ui-backend reads the license key from this file at startup. You must also configure the volume source and mount via ui.backend.volumes and ui.backend.volumeMounts so the file actually exists at this path inside the container. When set, takes precedence over secretName and suppresses Secret creation (createSecret is ignored). Example: /etc/solo-enterprise/license-key | nil |
| licensing.licenseKey | string | Contact Sales if you do not have an Enterprise license key | nil |
| licensing.secretName | string | Name of the Secret containing the Solo Enterprise license key | "license-keys" |
| management-crds | object | When enabled CRDs are installed automatically | {"enabled":true} |
| nodeSelector | object | Node selector for the UI deployment pods | {} |
| oidc.additionalScopes | list | Additional client scopes to be requested during authentication | [] |
| oidc.issuer | string | OIDC identity provider issuer URL This is used to discover OIDC endpoints (authorization, token, logout, etc.) via the well-known discovery endpoint: {issuer}/.well-known/openid-configuration | "" |
| platform.multiCluster.enabled | bool | true | |
| podSecurityContext | object | Pod-level security context for the UI deployment (applies to all containers in the UI pod) | {"runAsNonRoot":true} |
| products.agentgateway | object | Agentgateway Enterprise integration configuration | {"enabled":false,"namespace":""} |
| products.agentgateway.enabled | bool | Enable the agentgateway product integration | false |
| products.agentgateway.namespace | string | Optional, default is installation namespace. If namespace is other than installation, set this to the namespace where agentgateway controller is installed. | "" |
| products.kagent | object | Kagent Enterprise integration configuration | {"enabled":false,"namespace":""} |
| products.kagent.enabled | bool | Enable the kagent product integration | false |
| products.kagent.namespace | string | Optional, default is installation namespace. If namespace is other than installation, set this to the namespace where kagent controller is installed. In multi-cluster installations, all instances of kagent controller must be in the same namespace. | "" |
| products.mesh | object | Service Mesh Enterprise integration configuration | {"enabled":false} |
| products.mesh.enabled | bool | Enable the service mesh product integration | false |
| rbac.roleMapping.roleMapper | string | CEL expression to map OIDC claims to roles. Variables: ‘claims’, ‘rolesMap’ | "claims.Groups.transformList(i, v, v in rolesMap, rolesMap[v])" |
| rbac.roleMapping.roleMappings | object | Map of IdP groups to internal roles (global.Admin, global.Writer, global.Reader) | {"admins":"global.Admin","readers":"global.Reader","writers":"global.Writer"} |
| securityContext | object | Default container-level security context applied to all containers (can be overridden per-container) | {"readOnlyRootFilesystem":true} |
| service.clusterIP | string | Cluster IP to assign to the service | "" |
| service.type | string | Type of service to create | "LoadBalancer" |
| telemetry.collector.affinity | object | Affinity for the telemetry collector pods | {} |
| telemetry.collector.livenessProbe | object | Liveness probe configuration | {"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5} |
| telemetry.collector.nodeSelector | object | Node selector for the telemetry collector pods | {} |
| telemetry.collector.podSecurityContext | object | Pod-level security context for the telemetry collector workload | {} |
| telemetry.collector.readinessProbe | object | Readiness probe configuration | {"failureThreshold":3,"initialDelaySeconds":5,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5} |
| telemetry.collector.replicaCount | int | Number of replicas. When telemetry.metrics.enabled=true and products.mesh.enabled=true, a single replica scrapes all Prometheus targets cluster-wide. Increase replicaCount and enable sharding to distribute scrape load across multiple replicas. | 1 |
| telemetry.collector.resources | object | Resources for the telemetry collector | {"limits":{"cpu":"1000m","memory":"2Gi"},"requests":{"cpu":"200m","memory":"512Mi"}} |
| telemetry.collector.securityContext | object | Container security context for telemetry collector | (uses global securityContext) |
| telemetry.collector.sharding | object | Sharding configuration for distributing Prometheus scrape targets across replicas. Sharding uses hashmod relabeling to ensure each target is scraped by exactly one collector. Requires metrics.enabled=true and replicaCount > 1. | {"enabled":false} |
| telemetry.collector.sharding.enabled | bool | Enable sharding of collector targets | false |
| telemetry.collector.tolerations | list | Tolerations for the telemetry collector pods | [] |
| telemetry.image | object | Shared image configuration for all telemetry collectors | {"name":"opentelemetry-collector-contrib","pullPolicy":"","registry":"docker.io","repository":"otel","tag":"0.150.1"} |
| telemetry.image.name | string | Image name | "opentelemetry-collector-contrib" |
| telemetry.image.pullPolicy | string | Image pull policy | "" |
| telemetry.image.registry | string | Image registry | "docker.io" |
| telemetry.image.repository | string | Image repository | "otel" |
| telemetry.image.tag | string | OpenTelemetry collector image tag | "0.150.1" |
| telemetry.k8sobjects.enabled | bool | Enable the k8sobjects collector | true |
| telemetry.k8sobjects.livenessProbe | object | Liveness probe configuration | {"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5} |
| telemetry.k8sobjects.readinessProbe | object | Readiness probe configuration | {"failureThreshold":3,"initialDelaySeconds":5,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5} |
| telemetry.k8sobjects.resources | object | Resources for the k8sobjects collector | {"limits":{"cpu":"300m","memory":"768Mi"},"requests":{"cpu":"100m","memory":"384Mi"}} |
| telemetry.k8sobjects.securityContext | object | Container security context for k8sobjects collector | (uses global securityContext) |
| telemetry.metrics.enabled | bool | Enable Prometheus metrics scraping | true |
| telemetry.selfMonitoring.enabled | bool | Enable platform self-monitoring metrics collection into ClickHouse | false |
| telemetry.selfMonitoring.verbose | bool | Enable verbose self-monitoring (disables metric filtering). When true, all scraped metrics are stored (not recommended for production). | false |
| telemetry.traces.enabled | bool | Enable OTLP trace ingestion | true |
| tolerations | list | Tolerations for the UI deployment pods | [] |
| traces.verbose | bool | Enable verbose traces (disables strict filtering) | false |
| tunnelserver.livenessProbe | object | Liveness probe for tunnel server | {"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5} |
| tunnelserver.livenessProbe.failureThreshold | int | Failure threshold for liveness probe | 3 |
| tunnelserver.livenessProbe.initialDelaySeconds | int | Initial delay seconds for liveness probe | 10 |
| tunnelserver.livenessProbe.periodSeconds | int | Period seconds for liveness probe | 10 |
| tunnelserver.livenessProbe.successThreshold | int | Success threshold for liveness probe | 1 |
| tunnelserver.livenessProbe.timeoutSeconds | int | Timeout seconds for liveness probe | 5 |
| tunnelserver.name | string | Image name for tunnel server | "solo-enterprise-tunnel-server" |
| tunnelserver.pullPolicy | string | Image pull policy for the tunnel server image | "" |
| tunnelserver.readinessProbe | object | Readiness probe for tunnel server | {"failureThreshold":3,"initialDelaySeconds":5,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5} |
| tunnelserver.readinessProbe.failureThreshold | int | Failure threshold for readiness probe | 3 |
| tunnelserver.readinessProbe.initialDelaySeconds | int | Initial delay seconds for readiness probe | 5 |
| tunnelserver.readinessProbe.periodSeconds | int | Period seconds for readiness probe | 10 |
| tunnelserver.readinessProbe.successThreshold | int | Success threshold for readiness probe | 1 |
| tunnelserver.readinessProbe.timeoutSeconds | int | Timeout seconds for readiness probe | 5 |
| tunnelserver.registry | string | Registry for the tunnel server image. Overrides global.registry when set. | "" |
| tunnelserver.repository | string | Repository for the tunnel server image. Overrides global.repository when set. | "" |
| tunnelserver.resources | object | Resources for tunnel server. If this is set by the user, it will override all defaults from values.yaml | {"limits":{"cpu":"500m","memory":"1024Mi"},"requests":{"cpu":"250m","memory":"512Mi"}} |
| tunnelserver.resources.limits | object | Resources for tunnel server. If this is set by the user, it will override all defaults from values.yaml. If this is set to null, it will not render the limits block. | {"cpu":"500m","memory":"1024Mi"} |
| tunnelserver.resources.limits.cpu | string | CPU limits for tunnel server | "500m" |
| tunnelserver.resources.limits.memory | string | Memory limits for tunnel server | "1024Mi" |
| tunnelserver.resources.requests | object | Resources for tunnel server. If this is set by the user, it will override all defaults from values.yaml. If this is set to null, it will not render the requests block. | {"cpu":"250m","memory":"512Mi"} |
| tunnelserver.resources.requests.cpu | string | CPU requests for tunnel server | "250m" |
| tunnelserver.resources.requests.memory | string | Memory requests for tunnel server | "512Mi" |
| tunnelserver.securityContext | object | Container security context for tunnel server | (uses global securityContext) |
| tunnelserver.tag | string | Tag for the tunnel server image. Overrides global.tag when set; falls back to chart version if both are unset. | "" |
| ui.backend.clickhouse | object | Clickhouse configuration for the UI backend | {"address":"","database":"platformdb","generateConfig":true,"maxIdleConns":16,"maxOpenConns":32,"password":"password","port":9000,"secretRef":"clickhouse-config","username":"default"} |
| ui.backend.clickhouse.address | string | clickhouse server address | "" |
| ui.backend.clickhouse.database | string | clickhouse database to connect to | "platformdb" |
| ui.backend.clickhouse.generateConfig | bool | Trigger generation of the secret containing clickhouse configuration | true |
| ui.backend.clickhouse.maxIdleConns | int | maximum number of idle connections in the ui-backend clickhouse pool | 16 |
| ui.backend.clickhouse.maxOpenConns | int | maximum number of open connections in the ui-backend clickhouse pool | 32 |
| ui.backend.clickhouse.password | string | password to use to connect to clickhouse server | "password" |
| ui.backend.clickhouse.port | int | clickhouse server port | 9000 |
| ui.backend.clickhouse.secretRef | string | Secret reference for the clickhouse config secret | "clickhouse-config" |
| ui.backend.clickhouse.username | string | username to use to connect to clickhouse server | "default" |
| ui.backend.eastWestGateway | object | Additional detection rules for self-managed east-west gateways whose Deployments do not carry the istio.io-eastwest-controller managed label. The built-in prefixes (“istio-eastwest”, “istio-remote-peer-”) are always applied; values below extend detection for custom naming. | {"namePrefixes":[],"names":[]} |
| ui.backend.eastWestGateway.namePrefixes | list | Deployment-name prefixes that mark a workload as an east-west gateway. | [] |
| ui.backend.eastWestGateway.names | list | Exact Deployment names that mark a workload as an east-west gateway. | [] |
| ui.backend.extraEnvs | object | Extra environment variables for the backend container | {} |
| ui.backend.livenessProbe | object | Liveness probe for the backend | {"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5} |
| ui.backend.livenessProbe.failureThreshold | int | Failure threshold for liveness probe | 3 |
| ui.backend.livenessProbe.initialDelaySeconds | int | Initial delay seconds for liveness probe | 10 |
| ui.backend.livenessProbe.periodSeconds | int | Period seconds for liveness probe | 10 |
| ui.backend.livenessProbe.successThreshold | int | Success threshold for liveness probe | 1 |
| ui.backend.livenessProbe.timeoutSeconds | int | Timeout seconds for liveness probe | 5 |
| ui.backend.metrics | object | Prometheus metrics endpoint configuration for ui-backend | {"port":9090} |
| ui.backend.metrics.port | int | Port for the Prometheus metrics endpoint served by the ui-backend | 9090 |
| ui.backend.metricsBackendHost | string | Metrics backend host URL | "http://localhost:8080" |
| ui.backend.name | string | Image name for the backend | "solo-enterprise-ui-backend" |
| ui.backend.oidc | object | OIDC configuration for the UI backend | {"clientId":"kagent-backend","secret":"","secretKey":"clientSecret","secretRef":"ui-backend-oidc-secret"} |
| ui.backend.oidc.clientId | string | Name of the OIDC client that you created for token validation in the UI backend | "kagent-backend" |
| ui.backend.oidc.secret | string | OIDC client secret (if secretRef is not used) | "" |
| ui.backend.oidc.secretKey | string | OIDC secret key that the secret is associated with | "clientSecret" |
| ui.backend.oidc.secretRef | string | Secret reference for the OIDC client secret | "ui-backend-oidc-secret" |
| ui.backend.pullPolicy | string | Image pull policy for the backend image | "" |
| ui.backend.readinessProbe | object | Readiness probe for the backend | {"failureThreshold":3,"initialDelaySeconds":5,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5} |
| ui.backend.readinessProbe.failureThreshold | int | Failure threshold for readiness probe | 3 |
| ui.backend.readinessProbe.initialDelaySeconds | int | Initial delay seconds for readiness probe | 5 |
| ui.backend.readinessProbe.periodSeconds | int | Period seconds for readiness probe | 10 |
| ui.backend.readinessProbe.successThreshold | int | Success threshold for readiness probe | 1 |
| ui.backend.readinessProbe.timeoutSeconds | int | Timeout seconds for readiness probe | 5 |
| ui.backend.registry | string | Registry for the backend image. Overrides global.registry when set. | "" |
| ui.backend.repository | string | Repository for the backend image. Overrides global.repository when set. | "" |
| ui.backend.resources | object | Resources for the backend. If this is set by the user, it will override all defaults from values.yaml | {"limits":{"cpu":"500m","memory":"1024Mi"},"requests":{"cpu":"250m","memory":"512Mi"}} |
| ui.backend.resources.limits | object | Resources for the backend. If this is set by the user, it will override all defaults from values.yaml. If this is set to null, it will not render the limits block. | {"cpu":"500m","memory":"1024Mi"} |
| ui.backend.resources.limits.cpu | string | CPU limits for the backend | "500m" |
| ui.backend.resources.limits.memory | string | Memory limits for the backend | "1024Mi" |
| ui.backend.resources.requests | object | Resources for the backend. If this is set by the user, it will override all defaults from values.yaml. If this is set to null, it will not render the requests block. | {"cpu":"250m","memory":"512Mi"} |
| ui.backend.resources.requests.cpu | string | CPU requests for the backend | "250m" |
| ui.backend.resources.requests.memory | string | Memory requests for the backend | "512Mi" |
| ui.backend.securityContext | object | Container security context for ui-backend | (uses global securityContext) |
| ui.backend.volumeMounts | list | Additional volumeMounts on the ui-backend container. Useful for mounting license keys from external secret stores (e.g. CSI / Google Secret Manager). Required when using licensing.licenseFilePath. | [] |
| ui.backend.volumes | list | Additional volumes on the Deployment. Useful for mounting license keys from external secret stores (e.g. CSI / Google Secret Manager). Required when using licensing.licenseFilePath. | [] |
| ui.frontend.enableMockUI | bool | Enable showing mock data on the frontend | false |
| ui.frontend.livenessProbe | object | Liveness probe for the frontend | {"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5} |
| ui.frontend.livenessProbe.failureThreshold | int | Failure threshold for liveness probe | 3 |
| ui.frontend.livenessProbe.initialDelaySeconds | int | Initial delay seconds for liveness probe | 10 |
| ui.frontend.livenessProbe.periodSeconds | int | Period seconds for liveness probe | 10 |
| ui.frontend.livenessProbe.successThreshold | int | Success threshold for liveness probe | 1 |
| ui.frontend.livenessProbe.timeoutSeconds | int | Timeout seconds for liveness probe | 5 |
| ui.frontend.name | string | Image name for the frontend | "solo-enterprise-ui-frontend" |
| ui.frontend.oidc | object | OIDC configuration for the frontend | {"clientId":"kagent-ui"} |
| ui.frontend.oidc.clientId | string | Name of the public-access OIDC client that you created for the frontend | "kagent-ui" |
| ui.frontend.pullPolicy | string | Image pull policy for the frontend image | "" |
| ui.frontend.readinessProbe | object | Readiness probe for the frontend | {"failureThreshold":3,"initialDelaySeconds":5,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5} |
| ui.frontend.readinessProbe.failureThreshold | int | Failure threshold for readiness probe | 3 |
| ui.frontend.readinessProbe.initialDelaySeconds | int | Initial delay seconds for readiness probe | 5 |
| ui.frontend.readinessProbe.periodSeconds | int | Period seconds for readiness probe | 10 |
| ui.frontend.readinessProbe.successThreshold | int | Success threshold for readiness probe | 1 |
| ui.frontend.readinessProbe.timeoutSeconds | int | Timeout seconds for readiness probe | 5 |
| ui.frontend.registry | string | Registry for the frontend image. Overrides global.registry when set. | "" |
| ui.frontend.repository | string | Repository for the frontend image. Overrides global.repository when set. | "" |
| ui.frontend.resources | object | Resources for the frontend. If this is set by the user, it will override all defaults from values.yaml | {"limits":{"cpu":"500m","memory":"1024Mi"},"requests":{"cpu":"250m","memory":"512Mi"}} |
| ui.frontend.resources.limits | object | Resources for the frontend. If this is set by the user, it will override all defaults from values.yaml. If this is set to null, it will not render the limits block. | {"cpu":"500m","memory":"1024Mi"} |
| ui.frontend.resources.limits.cpu | string | CPU limits for the frontend | "500m" |
| ui.frontend.resources.limits.memory | string | Memory limits for the frontend | "1024Mi" |
| ui.frontend.resources.requests | object | Resources for the frontend. If this is set by the user, it will override all defaults from values.yaml. If this is set to null, it will not render the requests block. | {"cpu":"250m","memory":"512Mi"} |
| ui.frontend.resources.requests.cpu | string | CPU requests for the frontend | "250m" |
| ui.frontend.resources.requests.memory | string | Memory requests for the frontend | "512Mi" |
| ui.frontend.securityContext | object | Container security context for ui-frontend | (uses global securityContext) |
| ui.frontend.uiBackendHost | string | Backend service URL (the frontend uses “{ui-frontend-url}” if the value here is “”) | "" |
| ui.frontend.volumes | object | EmptyDir volume sizes for the ui-frontend (required for readOnlyRootFilesystem) | {"uiHtml":"50Mi","uiTmp":"5Mi"} |
| ui.frontend.volumes.uiHtml | string | Size limit for the HTML content dir. dist/ is ~20Mi today (4.6Mi JS bundle + 2Mi PNGs + CSS/fonts); 50Mi gives ~2.5x headroom for growth. | "50Mi" |
| ui.frontend.volumes.uiTmp | string | Size limit for the temp directory. | "5Mi" |