This page is a reference for configuring the bud Helm chart — the platform application. It is the chart published at oci://registry.bud.studio/charts/bud and sourced in this repo at infra/charts/bud/.
The chart does NOT bundle the databases. Postgres, ClickHouse, Kafka, MongoDB, Valkey and S3 (SeaweedFS/MinIO) are deployed separately — as in-cluster addon charts (see the Installation Guide) or as managed services you already run (see the Deployment Guide). The bud chart only holds connection settings for them, under externalServices (below). There are no postgresql.* / minio.* / kafka.* / clickhouse.* subchart values.
Source of truth. Defaults drift between releases. For the authoritative, version-exact list, dump the values from the chart you are installing:
```bash
helm show values oci://registry.bud.studio/charts/bud --version 0.14.2
```
The tables below describe the most commonly-set keys; they are not exhaustive.

How values are supplied

The chart is installed from the OCI registry, with your configuration layered on top. Two files, merged in order (later overrides earlier):
| File | Purpose |
| --- | --- |
| values.yaml | Your non-secret cluster config — ingress root, storage class/size, externalServices.* hosts. |
| secrets.yaml | Sensitive values — DB passwords, registry token, RSA keypair, Dapr crypto keys, OIDC client secrets, admin login. Keep out of version control (or SOPS-encrypt). |
```bash
# direct helm install (Deployment Guide / managed-DB path)
helm install bud oci://registry.bud.studio/charts/bud --version 0.14.2 \
  -n bud --create-namespace \
  -f values.yaml -f secrets.yaml
```
Under ArgoCD (Installation Guide) the same two files are delivered to the chart via a $values config-repo source instead of -f flags.
The chart ships two reference secret files, secrets.bud.yaml and secrets.demo.yaml (helm pull oci://registry.bud.studio/charts/bud --version 0.14.2 --untar to get them). Both are SOPS-encrypted — values show as ENC[...] — so they are not drop-in templates. Use secrets.bud.yaml to see the full set of required key paths, then author your own secrets.yaml with plaintext values (see the Deployment Guide).

Global Configuration

| Parameter | Description | Default |
| --- | --- | --- |
| global.ingress.hosts.root | Base public hostname. All service sub-hosts (admin., app., gateway., s3., …) derive from it via _helpers.tpl. | bud.lan |
| global.ingress.hosts.<service> | Override an individual sub-host (e.g. budadmin, budapp, budgateway, s3, mcpgateway, onyx, novuapi, novuws). Empty = auto-derive from root. | "" |
| global.nodeSelector | Node selector applied to all microservices (override per-service under microservices.<svc>.nodeSelector). | {} |
| global.affinity | Affinity applied to all microservices. | {} |
| registries.registry.bud.studio.username / .password | Registry robot credentials; the chart creates the imagePullSecret every Deployment references. | getmefrombud |
| imagePullSecrets | Image pull secrets. | [{name: registry.bud.studio}] |
| imagePullPolicy | Pull policy for all containers. | IfNotPresent |
| deploymentAnnotations | Annotations applied to all deployments (e.g. Keel auto-update triggers). | {} |
| appApiToken | Dapr APP_API_TOKEN securing internal service-to-service endpoints. Empty = auto-generated. | "" |

Ingress Configuration

| Parameter | Description | Default |
| --- | --- | --- |
| ingress.enabled | Create Ingress resources. | true |
| ingress.https | TLS mode: disabled (plain HTTP), internal (cert-manager issues + Traefik terminates in-cluster), external (terminated upstream by an LB/WAF; no certs issued in-cluster). | disabled |
| usecases.domain | Set to enable wildcard ingress for use-cases (e.g. usecases.bud.example.com). Empty = disabled. | "" |
Ingresses are pinned to ingressClassName: traefik. With https: internal the chart annotates them kubernetes.io/tls-acme: "true", resolved by cert-manager’s default ClusterIssuer (letsencrypt-http01, the HTTP-01 challenge — hosts must be publicly reachable on :80).

Storage Configuration

| Parameter | Description | Default |
| --- | --- | --- |
| storage.budmodelRegistry.className | StorageClass for the model-registry PVC. Empty = cluster default. | "" |
| storage.budmodelRegistry.size | Model-registry PVC size. The small default is intentional — bumping it on upgrade triggers a PVC resize that fails on storage classes without allowVolumeExpansion. Set per-env (e.g. 300Gi for ~20B models). | 60Gi |
| storage.budmodelAddDir.className / .size | Additional model directory. | "" / 20Gi |
| storage.budevalDataset.className / .size | Evaluation datasets (only used when microservices.budeval.enabled). | "" / 32Gi |
| storage.budappStaticDir.className / .size | budapp static files. | "" / 20Gi |

External Services

Connection settings for the databases and object storage the platform consumes. The in-cluster defaults point at the addon charts deployed by the Installation Guide; override the hosts (and put passwords in secrets.yaml) for managed services.

PostgreSQL (externalServices.postgresql)

| Parameter | Description | Default |
| --- | --- | --- |
| .host | Postgres host (pooler/primary). | pooler-rw.postgres |
| .port | Port. | 5432 |
| .databases.<svc>.name / .username / .password | One block per service. | <svc> / bud / bud |
Databases (one per service): budapp, budcluster, budmetrics, budmodel, budsim, budeval, buddoc, budprompt, budask, budcodeinterpreter, mcpgateway, budpipeline, onyx.

ClickHouse (externalServices.clickhouse)

| Parameter | Description | Default |
| --- | --- | --- |
| .host | ClickHouse host. | clickhouse-clickhouse.clickhouse |
| .port | Native protocol port. | 9000 |
| .auth.username / .auth.password | Credentials. | bud / bud |
| .databases.budmetrics | Must stay metrics — hardcoded in budmetrics. | metrics |
| .databases.budeval / .databases.budgateway | Per-service DBs. | bud_eval / bud_gateway |

Valkey / Redis (externalServices.valkey)

| Parameter | Description | Default |
| --- | --- | --- |
| .host | Valkey host. | valkey-master.valkey |
| .port | Port. | 6379 |
| .password | Auth password. | valkey |
| .databases.<consumer> | Logical DB index per consumer (config_store, state_store, novu, budgateway, mcpgateway, budprompt, global, onyx, budcodeinterpreter). | 311 |

S3 / object storage (externalServices.s3)

Works with SeaweedFS (default), MinIO, AWS S3, or Azure Blob via an S3 gateway.
| Parameter | Description | Default |
| --- | --- | --- |
| .endpoint | S3 endpoint host:port. | seaweed-s3.seaweedfs:8333 |
| .secure | Use HTTPS to the endpoint (independent of ingress.https). | false |
| .auth.accessKey / .auth.secretKey | Credentials. | bud / bud |
| .buckets.modelRegistry / .modelInfo / .novu | Bucket names (pre-create them). | bud-models-registry / bud-model-info / bud-novu |

MongoDB (externalServices.mongodb)

| Parameter | Description | Default |
| --- | --- | --- |
| .endpoint | Mongo host host:port. | mongodb-rs0.mongodb:27017 |
| .auth.username / .auth.password | Credentials. | bud_novu / bud_novu |
| .databases.novu | Novu database name. | bud_novu |

Kafka (externalServices.kafka)

| Parameter | Description | Default |
| --- | --- | --- |
| .endpoint | Bootstrap brokers host:port. | kafka-kafka-brokers.kafka:9092 |
| .auth.username / .auth.password | SASL credentials. | bud / bud |
| .topics.pubsub / .topics.budgateway | Topic names. | bud_pubsub / bud_gateway |

OIDC (externalServices.oidc)

budapp validates ID tokens via OIDC discovery and stores authorization in its own Postgres PDP; the IdP only issues tokens.
| Parameter | Description | Default |
| --- | --- | --- |
| .url | Canonical OIDC issuer. For Keycloak this is https://<auth-host>/realms/bud-keycloak — must match the keycloak chart’s ingress.host. | http://auth.bud.lan/realms/bud-keycloak |
| .clients.mcpgateway.id / .secret | The mcpgateway OAuth client. | mcp-gateway / mcp-gateway |
The bundled Keycloak admin credentials live under the top-level keycloak.auth block (adminUser / adminPassword), consulted only when you run the sibling keycloak chart. They are not budapp’s issuer config — that is externalServices.oidc.url.
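A pre-deploy check for the External Services and ingress defaults listed above, as an added example (not part of the chart or its repo): it reads the computed values as JSON, for example the output of `helm get values bud -n bud --all -o json`, and reports credentials and transport settings still at the documented defaults. The `audit` and `get` functions and the sample input are constructed for illustration.

```python
import json

ES = ("externalServices",)
# (key path, default) pairs copied from the tables on this page.
KNOWN_DEFAULTS = [
    (ES + ("clickhouse", "auth", "password"), "bud"),
    (ES + ("valkey", "password"), "valkey"),
    (ES + ("s3", "auth", "secretKey"), "bud"),
    (ES + ("mongodb", "auth", "password"), "bud_novu"),
    (ES + ("kafka", "auth", "password"), "bud"),
    (ES + ("oidc", "clients", "mcpgateway", "secret"), "mcp-gateway"),
]

def get(values, path, default=None):
    """Walk a nested dict; return default if any key on the path is missing."""
    for key in path:
        if not isinstance(values, dict) or key not in values:
            return default
        values = values[key]
    return values

def audit(values):
    """Return (key path, reason) for every setting still at a documented default."""
    found = [(".".join(p), "credential is the chart default")
             for p, d in KNOWN_DEFAULTS if get(values, p) == d]
    # Postgres has one credential block per service database.
    dbs = get(values, ES + ("postgresql", "databases"), {})
    for svc in sorted(dbs):
        if get(dbs, (svc, "password")) == "bud":
            found.append((f"externalServices.postgresql.databases.{svc}.password",
                          "credential is the chart default"))
    if get(values, ("ingress", "https")) == "disabled":
        found.append(("ingress.https", "ingress serves plain HTTP"))
    if get(values, ES + ("s3", "secure")) is False:
        found.append(("externalServices.s3.secure", "S3 endpoint reached without HTTPS"))
    if str(get(values, ES + ("oidc", "url"), "")).startswith("http://"):
        found.append(("externalServices.oidc.url", "OIDC issuer is plain HTTP"))
    return found

# Constructed sample (not from a real cluster): computed values as JSON.
SAMPLE = json.loads("""
{"ingress": {"https": "internal"},
 "externalServices": {
   "postgresql": {"databases": {"budapp": {"password": "bud"},
                                "budmodel": {"password": "example-rotated-1"}}},
   "valkey": {"password": "valkey"},
   "s3": {"secure": false, "auth": {"secretKey": "example-rotated-2"}},
   "oidc": {"url": "https://auth.example.com/realms/bud-keycloak",
            "clients": {"mcpgateway": {"secret": "mcp-gateway"}}}}}
""")

if __name__ == "__main__":
    for path, reason in audit(SAMPLE):
        print(f"{path}: {reason}")
```

Run it against the computed values rather than your own values.yaml alone, because a key you never set still resolves to the chart default.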

Microservices

Every backend/frontend service lives under microservices.<name> with at least enabled, image, and (for backends) daprid. Images default to registry.bud.studio/runtime/<service>:<appVersion>, where <appVersion> is the chart’s appVersion (0.14.2 at the time of writing) — except where noted (mcpgateway and budsentinel track different tags). Backend pods run a Dapr sidecar (expect 2/2 READY).
| Service | Image tag | Enabled | Notes |
| --- | --- | --- | --- |
| budapp | <appVersion> | true | Main API: users, projects, models, endpoints, auth/redirect-flow. |
| budadmin | <appVersion> | true | Next.js dashboard. env.NEXT_PUBLIC_* for logo/favicon/dev-mode (build-time). |
| budcustomer | <appVersion> | true | Customer portal. |
| budplayground | <appVersion> | true | Model playground. |
| budgateway | <appVersion> | true | Rust inference gateway. |
| budcluster | <appVersion> | true | Cluster lifecycle. Holds registerDefaultCluster (auto-registers the in-cluster as default). |
| budmodel | <appVersion> | true | Model registry / leaderboard. |
| budmetrics | <appVersion> | true | Observability (ClickHouse). DB hardcoded to metrics. |
| budsim | <appVersion> | true | Performance simulation. |
| budnotify | <appVersion> | true | Notifications / pub-sub (Novu wrapper). |
| askbud | <appVersion> | true | Cluster/perf AI assistant. |
| buddoc | <appVersion> | true | Document processing. |
| budeval | <appVersion> | false | Model evaluation; disabled by default. Enabling it provisions a WaitForFirstConsumer dataset PVC (stays Pending until a workload binds it), so leave it off unless you run evals. |
| budprompt | <appVersion> | true | Prompt management. |
| budpipeline | <appVersion> | true | Pipeline orchestration. |
| budcodeinterpreter | <appVersion> | true | Code interpreter. |
| mcpgateway | latest | true | MCP gateway. |
| budsentinel | nightly | true | Sentinel. |
| semanticRouter | <appVersion> | true | Semantic router (embedding + intent classification for request routing). Image repo is semantic-router. |
Image tags above are the chart’s published defaults; per-environment overlays (e.g. dev) pin services to :nightly and may toggle enabled. Always confirm against helm show values for the exact release.

OpenTelemetry Collector

| Parameter | Description | Default |
| --- | --- | --- |
| otelCollector.enabled | Deploy the collector. | true |
| otelCollector.image.repository / .tag | Collector image. | otel/opentelemetry-collector-contrib / 0.151.0 |
| otelCollector.replicas | Replicas. | 1 |
| otelCollector.batchSize / .batchTimeout | Export batching. | 10000 / 10s |
| otelCollector.resources.limits.memory | Memory limit. | 1Gi |
| otelCollector.clickhouse.database | Target ClickHouse DB. | metrics |
| otelCollector.clickhouse.ttl | Raw OTel metric retention. | 720h (30 days) |

Onyx (optional)

AI knowledge assistant; disabled by default.
| Parameter | Description | Default |
| --- | --- | --- |
| onyx.enabled | Deploy Onyx. | false |
| onyx.configMap.AUTH_TYPE | Auth type. | oidc |
| onyx.configMap.KEYCLOAK_REALM | Keycloak realm. | bud-keycloak |
| onyx.vespa.enabled / .replicaCount | Vespa search backend. | true / 1 |
| onyx.webserver.replicaCount / onyx.api.replicaCount | Onyx web/API replicas. | 1 / 1 |
Onyx reuses the platform’s Postgres/Valkey/S3 via externalServices — its own bundled postgresql/valkey/minio/nginx stay disabled.

Dapr

Dapr is not bundled; install it cluster-wide before deploying Bud-Stack.
```bash
dapr init -k
# or:
helm repo add dapr https://dapr.github.io/helm-charts/
helm install dapr dapr/dapr -n dapr-system --create-namespace
```
daprExtra.crypto.symmetricKey / .asymmetricKey hold the Dapr crypto-component keys used for cluster-credential encryption — generate your own (see the Deployment Guide).

Secrets Management (SOPS)

For GitOps, keep secrets.yaml encrypted with SOPS + age.
```bash
# generate a key
age-keygen -o ~/.config/sops/age/keys.txt
grep -Eom1 "age1.*$" ~/.config/sops/age/keys.txt   # public key

# encrypt / edit
sops --encrypt --age <public-key> secrets.yaml > secrets.enc.yaml
sops secrets.enc.yaml

# decrypt at deploy time
sops -d secrets.enc.yaml | \
  helm upgrade --install bud oci://registry.bud.studio/charts/bud --version 0.14.2 \
    -f values.yaml -f - -n bud
```

Installation Guide

Full in-cluster install with bundled dependency charts (ArgoCD).

Deployment Guide

Install against managed/external databases; per-service secret reference.