Reference for configuring Bud-Stack via the bud Helm chart values
This page is a reference for configuring the bud Helm chart — the
platform application. It is the chart published at
oci://registry.bud.studio/charts/bud and sourced in this repo at
infra/charts/bud/.
The chart does NOT bundle the databases. Postgres, ClickHouse, Kafka,
MongoDB, Valkey and S3 (SeaweedFS/MinIO) are deployed separately — as
in-cluster addon charts (see the Installation Guide)
or as managed services you already run (see the
Deployment Guide). The bud chart only holds
connection settings for them, under externalServices (below). There are no
postgresql.* / minio.* / kafka.* / clickhouse.* subchart values.
Source of truth. Defaults drift between releases. For the authoritative,
version-exact list, dump the values from the chart you are installing:
helm show values oci://registry.bud.studio/charts/bud --version 0.14.2
The tables below describe the most commonly-set keys; they are not exhaustive.
Sensitive values — DB passwords, registry token, RSA keypair, Dapr crypto keys, OIDC client secrets, admin login. Keep out of version control (or SOPS-encrypt).
Under ArgoCD (Installation Guide) the same two files are delivered to the chart
via a $values config-repo source instead of -f flags.
The chart ships two reference secret files, secrets.bud.yaml and
secrets.demo.yaml (helm pull oci://registry.bud.studio/charts/bud --version 0.14.2 --untar to get them). Both are SOPS-encrypted — values show as
ENC[...] — so they are not drop-in templates. Use secrets.bud.yaml to
see the full set of required key paths, then author your own secrets.yaml
with plaintext values (see the Deployment Guide).
TLS mode: disabled (plain HTTP), internal (cert-manager issues + Traefik terminates in-cluster), external (terminated upstream by an LB/WAF; no certs issued in-cluster).
disabled
usecases.domain
Set to enable wildcard ingress for use-cases (e.g. usecases.bud.example.com). Empty = disabled.
""
Ingresses are pinned to ingressClassName: traefik. With https: internal the
chart annotates them kubernetes.io/tls-acme: "true", resolved by cert-manager’s
default ClusterIssuer (letsencrypt-http01, the HTTP-01 challenge — hosts
must be publicly reachable on :80).
StorageClass for the model-registry PVC. Empty = cluster default.
""
storage.budmodelRegistry.size
Model-registry PVC size. The small default is intentional — bumping it on upgrade triggers a PVC resize that fails on storage classes without allowVolumeExpansion. Set per-env (e.g. 300Gi for ~20B models).
60Gi
storage.budmodelAddDir.className / .size
Additional model directory.
"" / 20Gi
storage.budevalDataset.className / .size
Evaluation datasets (only used when microservices.budeval.enabled).
Connection settings for the databases and object storage the platform consumes.
The in-cluster defaults point at the addon charts deployed by the Installation
Guide; override the hosts (and put passwords in secrets.yaml) for managed
services.
budapp validates ID tokens via OIDC discovery and stores authorization in its own
Postgres PDP; the IdP only issues tokens.
| Parameter | Description | Default |
| --- | --- | --- |
| .url | Canonical OIDC issuer. For Keycloak this is https://<auth-host>/realms/bud-keycloak — must match the keycloak chart’s ingress.host. | http://auth.bud.lan/realms/bud-keycloak |
| .clients.mcpgateway.id / .secret | The mcpgateway OAuth client. | mcp-gateway / mcp-gateway |
The bundled Keycloak admin credentials live under the top-level keycloak.auth
block (adminUser / adminPassword), consulted only when you run the sibling
keycloak chart. They are not budapp’s issuer config — that is
externalServices.oidc.url.
Every backend/frontend service lives under microservices.<name> with at least
enabled, image, and (for backends) daprid. Images default to
registry.bud.studio/runtime/<service>:<appVersion>, where <appVersion> is the
chart’s appVersion (0.14.2 at the time of writing) — except where noted
(mcpgateway and budsentinel track different tags). Backend pods run a Dapr
sidecar (expect 2/2 READY).
| Service | Image tag | Enabled | Notes |
| --- | --- | --- | --- |
| budapp | <appVersion> | true | Main API: users, projects, models, endpoints, auth/redirect-flow. |
| budadmin | <appVersion> | true | Next.js dashboard. env.NEXT_PUBLIC_* for logo/favicon/dev-mode (build-time). |
| budcustomer | <appVersion> | true | Customer portal. |
| budplayground | <appVersion> | true | Model playground. |
| budgateway | <appVersion> | true | Rust inference gateway. |
| budcluster | <appVersion> | true | Cluster lifecycle. Holds registerDefaultCluster (auto-registers the in-cluster as default). |
| budmodel | <appVersion> | true | Model registry / leaderboard. |
| budmetrics | <appVersion> | true | Observability (ClickHouse). DB hardcoded to metrics. |
| budsim | <appVersion> | true | Performance simulation. |
| budnotify | <appVersion> | true | Notifications / pub-sub (Novu wrapper). |
| askbud | <appVersion> | true | Cluster/perf AI assistant. |
| buddoc | <appVersion> | true | Document processing. |
| budeval | <appVersion> | false | Model evaluation; disabled by default. Enabling it provisions a WaitForFirstConsumer dataset PVC (stays Pending until a workload binds it), so leave it off unless you run evals. |
| budprompt | <appVersion> | true | Prompt management. |
| budpipeline | <appVersion> | true | Pipeline orchestration. |
| budcodeinterpreter | <appVersion> | true | Code interpreter. |
| mcpgateway | latest | true | MCP gateway. |
| budsentinel | nightly | true | Sentinel. |
| semanticRouter | <appVersion> | true | Semantic router (embedding + intent classification for request routing). Image repo is semantic-router. |
Image tags above are the chart’s published defaults; per-environment overlays
(e.g. dev) pin services to :nightly and may toggle enabled. Always confirm
against helm show values for the exact release.
daprExtra.crypto.symmetricKey / .asymmetricKey hold the Dapr crypto-component
keys used for cluster-credential encryption — generate your own (see
the Deployment Guide).
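
A pre-deploy audit of the defaults documented above, as an added example that is not part of the chart or this repo: it walks the merged, decrypted values tree and flags ENC[...] ciphertext left in place as a literal value, a plain-HTTP OIDC issuer, the default mcpgateway client secret, disabled TLS, and the mutable latest / nightly image tags. The function names, the location of the https key, and the two image layouts (a "repo:tag" string or an image.tag map) are assumptions; confirm the real paths with helm show values.

```python
DEFAULT_MCP_SECRET = "mcp-gateway"    # page default for .clients.mcpgateway.secret
MUTABLE_TAGS = {"latest", "nightly"}  # page defaults for mcpgateway / budsentinel

def leaves(node, path=()):
    """Yield (dotted.path, scalar) for every leaf of a nested values tree."""
    if isinstance(node, (dict, list)):
        items = node.items() if isinstance(node, dict) else enumerate(node)
        for key, child in items:
            yield from leaves(child, path + (str(key),))
    else:
        yield ".".join(path), node

def image_tag(path, val):
    """Tag of a microservices.<name> image; both value layouts are assumptions."""
    parts = path.split(".")
    if parts[0] != "microservices" or "image" not in parts:
        return None
    if parts[-1] == "tag":                    # image: {tag: ...} map form
        return val
    name = val.rsplit("/", 1)[-1]             # "registry/repo/name:tag" string form
    return name.split(":", 1)[1] if parts[-1] == "image" and ":" in name else None

def audit(values):
    """Return sorted (path, finding) pairs for merged, decrypted values."""
    out = []
    for path, val in leaves(values):
        if not isinstance(val, str):
            continue
        if val.startswith("ENC["):
            out.append((path, "SOPS ciphertext used as a literal value"))
        if path == "externalServices.oidc.url" and val.startswith("http://"):
            out.append((path, "OIDC issuer over plain HTTP"))
        if path.endswith("clients.mcpgateway.secret") and val == DEFAULT_MCP_SECRET:
            out.append((path, "default OAuth client secret"))
        if path.rsplit(".", 1)[-1] == "https" and val == "disabled":
            out.append((path, "TLS disabled"))
        if image_tag(path, val) in MUTABLE_TAGS:
            out.append((path, "mutable image tag"))
    return sorted(out)

# Constructed sample, not the chart's real values file.
SAMPLE = {
    "https": "disabled",
    "externalServices": {"oidc": {
        "url": "http://auth.bud.lan/realms/bud-keycloak",
        "clients": {"mcpgateway": {"id": "mcp-gateway", "secret": "mcp-gateway"}}}},
    "microservices": {"mcpgateway": {"image": "registry.bud.studio/runtime/mcpgateway:latest"}},
    "daprExtra": {"crypto": {"symmetricKey": "ENC[constructed]"}},
}
```

Feed audit() the dict obtained by merging values.yaml with the decrypted secrets.yaml, and fail the pipeline when it returns any findings.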