Version: Next 🚧

Helm Chart Reference

Epinio is configured through Helm chart values. This page documents the values you are most likely to set, grouped by area. The chart's full annotated values.yaml is the complete, authoritative reference for every value and its default. The chart lives in the epinio/helm-charts repository; for the install walkthrough, see Install Epinio.

Key values

The only required value is global.domain. Everything else has a working default (the Quickstart installs Epinio by setting global.domain alone). The values below are the ones you are most likely to change.

| Value | Notes |
| --- | --- |
| global.domain | Required. The wildcard (*.) domain Epinio serves on (API, UI, registry). Point it at your ingress controller. |
| global.tlsIssuer | TLS issuer. Defaults to epinio-ca; other options are selfsigned-issuer, letsencrypt-staging, and letsencrypt-production. Use global.customTlsIssuer to name your own ClusterIssuer. |
| global.tlsIssuerEmail | Email for letsencrypt-production notifications. Only needed with that issuer. |
| api.adminPassword / api.users | The initial users and the admin password. Defaults to admin / password; change it for anything beyond a trial. |

Configuration Groups

Every top-level key in the chart and what it configures:

| Group | Configures |
| --- | --- |
| serviceAccount | The Epinio server service account (creation, name, annotations). |
| image | Container images and tags for Epinio components and build tools. |
| server | API server: timeouts, token expiry, tracing, replicas, autoscaling, and staging workloads. |
| ingress | API/UI ingress: class, hostnames, request body size, timeouts, annotations. |
| service | The Epinio Service (port, container port, annotations). |
| strategy | Deployment update strategy. Use RollingUpdate with maxSurge: 0 on RWO storage. |
| certManager | cert-manager integration, plus manual certificate overrides per component. |
| s3 | External S3 connection details (endpoint, bucket, credentials). |
| api | API authentication: RBAC roles, default users, and passwords. |
| dex | The bundled Dex OIDC provider (image, issuer, security context). |
| seaweedfs | The bundled SeaweedFS S3-compatible storage. |
| epinioUI | The web UI (theme, URLs, CORS origins, service). |
| reflector | The reflector addon that mirrors secrets and configmaps across namespaces. |
| s3gw | An alternative bundled S3 store (experimental). |
| containerregistry | The bundled container registry (image, storage, ingress class). |
| serviceCatalog | Service catalog development services. |
| helmController | Scheduling (resources, nodeSelector, affinity, tolerations) for the Helm controller. |
| global | Cross-cutting values: domain, TLS issuer, external registry, Dex enablement. |
| rancher | The Rancher instance URL, used by the UI extension. |

Server Configuration

  • server.defaultTokenExpiry: Controls the default expiry time for auth tokens (e.g. "30s", "60s", "2m"). Use this to mitigate clock drift in environments where short-lived tokens may expire before use, for example in staging workloads or when Kubernetes hosts have time synchronization issues. The value is capped at 5 minutes for security. Default is "30s".

    server:
      defaultTokenExpiry: "60s" # Example: increase to 1 minute for clock drift

Other notable server values: timeoutMultiplier, traceLevel, replicaCount, and the autoscaling block.

Staging Workloads

Epinio uses staging workloads to build container images from source code. Container builds can consume varying amounts of CPU, memory, and disk depending on the application, so these workloads can specify both resource amounts and scheduling constraints to protect your running applications from build-time resource consumption (for example, scheduling builds onto a dedicated node pool).

Configure them under server.stagingWorkloads:

  • Resource consumption
    • server.stagingWorkloads.ttlSecondsAfterFinished: time-to-live for completed staging job resources.
    • server.stagingWorkloads.resources: requests/limits on CPU and memory.
    • server.stagingWorkloads.storage.cache and .sourceBlobs: toggle emptyDir to bypass PVC creation, or set size, accessModes, volumeMode, and storageClassName.
  • Scheduling constraints
    • server.stagingWorkloads.nodeSelector: constrain scheduling to nodes with the given labels.
    • server.stagingWorkloads.affinity: affinity rules.
    • server.stagingWorkloads.tolerations: tolerate matching taints.

The annotated values.yaml contains commented examples under server.stagingWorkloads.

Ingress

The ingress section controls how the API server and UI are exposed:

  • ingress.ingressClassName: the IngressClass to use. Empty adds no class (relies on the cluster default).
  • ingress.proxyBodySize: maximum request body size (default 500m). Raise it if large application uploads fail with Entity Too Large.
  • ingress.proxyReadTimeout: maximum response read time (default 600s) for long-running deployments.
  • ingress.hostnameOverride / ingress.dexHostnameOverride: override the default epinio.<global.domain> / auth.<global.domain> hostnames.
  • ingress.annotations: extra annotations for the API ingress.

Authentication and Users

  • api.rbac.enabled (default true): installs the role ConfigMaps (application_manager, application_developer, view_only, system_manager) so users can be granted scoped roles. When false, only the default user and blank roles exist.
  • api.users: the initial users, each with a password (or passwordBcrypt), roles, and optional workspaces.
  • api.adminPassword / api.epinioPassword: passwords for the built-in admin and epinio users. Set these for non-trial installs.

TLS and Domain

The global section carries the cross-cutting settings:

  • global.domain (required): the wildcard domain.
  • global.tlsIssuer: epinio-ca, selfsigned-issuer, letsencrypt-staging, or letsencrypt-production; or set global.customTlsIssuer to your own ClusterIssuer.
  • global.registryURL / registryUsername / registryPassword / registryNamespace: point Epinio at an external container registry (skip when containerregistry.enabled is true).

S3 Storage

Epinio uses S3-compatible storage to store the application source code. This chart will install SeaweedFS when .Values.seaweedfs.enabled is true (default).

In addition to SeaweedFS, Epinio offers s3gw as another S3 compatible store. It is installed when .Values.seaweedfs.enabled is set to false and .Values.s3gw.enabled is set to true.

caution

The s3gw support is experimental. The s3gw chart is configured to use a host path volume for storage. This setup is risky, and not HA. If there is an outage of the node where s3gw's pod is currently deployed, k8s will fail trying to assign the volume on another node.

Use any external S3 compatible solution by setting .Values.seaweedfs.enabled to false (.Values.s3gw.enabled is false by default) and using the values under s3 (endpoint, bucket, region, credentials) to point to the required S3 server.
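A pre-deployment check for the settings this page calls out (the admin / password default, the 5 minute token expiry cap, and the experimental s3gw store), as an added example that is not part of the Epinio project. It assumes the values are available as JSON, that api.users is a list of mappings, and that an unset api.adminPassword falls back to the documented default; audit_values and duration_seconds are illustrative names.

```python
import json
import re

MAX_TOKEN_EXPIRY_S = 5 * 60          # page: the value is capped at 5 minutes
_UNITS = {"s": 1, "m": 60, "h": 3600}

def duration_seconds(text):
    """Parse durations such as "30s", "2m" or "1m30s" into seconds."""
    text = str(text)
    parts = re.findall(r"(\d+)([smh])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unrecognised duration: {text!r}")
    return sum(int(n) * _UNITS[u] for n, u in parts)

def audit_values(values):
    """Return a list of findings for an Epinio values mapping."""
    findings = []
    api = values.get("api") or {}
    # Page: credentials default to admin / password.
    # Assumption: an unset api.adminPassword falls back to that default.
    if (api.get("adminPassword") or "password") == "password":
        findings.append("api.adminPassword is the chart default")
    # Assumption: api.users is a list of mappings.
    for i, user in enumerate(api.get("users") or []):
        if "password" in user and "passwordBcrypt" not in user:
            findings.append(f"api.users[{i}] stores a plaintext password")
    expiry = (values.get("server") or {}).get("defaultTokenExpiry", "30s")
    try:
        if duration_seconds(expiry) > MAX_TOKEN_EXPIRY_S:
            findings.append("server.defaultTokenExpiry exceeds the 5 minute cap")
    except ValueError as err:
        findings.append(f"server.defaultTokenExpiry: {err}")
    if (values.get("s3gw") or {}).get("enabled"):
        findings.append("s3gw.enabled: experimental host path storage, not HA")
    return findings

# Constructed sample values, not taken from a real installation.
SAMPLE = json.loads("""
{"global": {"domain": "apps.example.test"},
 "api": {"users": [{"password": "changeme", "roles": ["view_only"]}]},
 "server": {"defaultTokenExpiry": "10m"},
 "s3gw": {"enabled": true}}
""")

if __name__ == "__main__":
    for finding in audit_values(SAMPLE):
        print("FINDING:", finding)
```

Run it against the values file you pass to Helm, converted to JSON, before installing or upgrading.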

Identity Provider (Dex)

Dex OpenID Connect Provider is installed as a subchart when .Values.global.dex.enabled is set to true (default).

If you don't need to use an identity provider, set the value to false and use only local Epinio users. OIDC Authentication has more information.

Container Registry

When Epinio builds a container image for an application from source, it needs to store that image in a container registry. Epinio installs a container registry on the cluster when .Values.containerregistry.enabled is true (default).

Any container registry that supports basic authentication (e.g. gcr, dockerhub) can be used instead, by setting this value to false and using the global.registry* values to point to the desired container registry.

Web UI

The bundled dashboard is configured under epinioUI: set the theme (light or dark), CORS allowedOrigins, the log level, and the API/UI/Dex URLs for proxied connections. Disable it with epinioUI.enabled: false.

Complete Reference

For every value and its default, see the chart's annotated values.yaml on the main branch.