# =============================================================================
# 4minds Platform — Customer Values (helm-native install template)
#
# helm install 4minds . -n 4minds -f my-values.yaml (run from the chart dir)
#
# Fill in the fields below for YOUR deployment. Everything not listed here has a
# sensible default in the chart — you only override what is specific to you.
#
# LEGEND: [REQUIRED] must set · [OPTIONAL] set only if you use that feature
#
# Cluster prerequisites (create BEFORE helm install — the chart does not).
# See INSTALL-GUIDE.md "Prerequisites checklist" (steps 1-7) for the commands:
# • EKS cluster with OIDC (needed for IRSA)
# • A default StorageClass + EBS CSI driver (EKS gp2/gp3, etc.)
# • ingress-nginx controller installed
# • Namespace 4minds (kubectl create namespace 4minds)
# • Secret frontend-tls (kubernetes.io/tls) for your hostname
# • Image pull: on AWS Marketplace the EKS node IAM role pulls from the
# Marketplace ECR — no pull secret needed. Only create one if you mirror
# images into your own private registry (see global.imagePullSecrets).
# • (kms seal only) A KMS key + IRSA role — see INSTALL-GUIDE.md prereq 7.
# =============================================================================
global:
# [REQUIRED] The public DNS name your users reach the platform on.
# EVERYTHING derives from this: backend API URL, frontend, websocket (wss),
# symi, CORS origins, cookie domain, and ALL OAuth redirect URIs.
# Set this correctly and you rarely need to touch any other URL below.
hostname: "4minds.your-company.com"
namespace: 4minds
# Image pull auth:
# On AWS Marketplace the images live in the Marketplace ECR and your EKS
# NODES pull them via their IAM role (AmazonEC2ContainerRegistryReadOnly) —
# NO imagePullSecrets needed. Leave this empty (the chart omits the field).
#
# ONLY set this if you mirror the images into your OWN private registry that
# needs a docker-registry pull secret; then create the secret first and list
# its name here:
# kubectl -n 4minds create secret docker-registry my-pull-secret ...
imagePullSecrets: []
# imagePullSecrets:
# - name: my-pull-secret
security:
allowInsecureImages: true
# -----------------------------------------------------------------------------
# Ingress + TLS (nginx). The host and the TLS block are derived automatically
# from global.hostname above — you do NOT repeat the hostname here. You only
# provide the TLS secret: create `frontend-tls` (kubernetes.io/tls) for your
# hostname before installing (see INSTALL-GUIDE.md, prereq 5).
#
# Advanced: to serve extra hosts or use a different secret per host, set an
# explicit `tls:` list here — it overrides the auto-derived single-host block.
# -----------------------------------------------------------------------------
frontend-backend:
ingress:
enabled: true
className: nginx
tlsSecretName: frontend-tls # host + TLS auto-derive from global.hostname
# -----------------------------------------------------------------------------
# OpenBao seal mode — configure it HERE, under `openbao.seal`.
# (The install/bootstrap reads ONLY `openbao.seal.mode`; there is no separate
# top-level `seal:` to keep in sync.)
# lab = Shamir keys, auto-generated & stored in-cluster (simplest)
# kms = cloud KMS auto-unseal (recommended on AWS/GCP/Azure via IRSA/WI)
# -----------------------------------------------------------------------------
openbao:
seal:
mode: lab # lab | kms
# [OPTIONAL] Fill only when mode: kms. Set the block for YOUR cloud; the
# chart renders the matching seal stanza and (AWS) wires IRSA for you.
# kms:
# provider: aws # aws | azure | gcp
# # --- AWS: KMS key + IRSA role (recommended on EKS) ---
# region: us-east-1
# keyId: alias/4minds-openbao
# roleArn: arn:aws:iam::<acct>:role/4minds-openbao-irsa # chart annotates
# # the OpenBao SA
# # --- Azure Key Vault: tenantId + vaultName + keyName ---
# # --- GCP KMS: projectId + locationId + keyRing + cryptoKey ---
# OpenBao data is persisted to a 2Gi PVC by default (needs a default
# StorageClass — INSTALL-GUIDE prereq 2). Override only if needed:
# storage:
# size: 5Gi
# storageClass: gp3
# -----------------------------------------------------------------------------
# [REQUIRED] Email — transactional email (signup verification, invites, reset).
#
# Choose the provider that fits YOUR company — all three are first-class:
# provider: smtp → any standard SMTP server (Gmail, O365, SES-SMTP, ...)
# provider: sendgrid → SendGrid API
# provider: azure → Azure Communication Services
#
# 1) set `provider` to your choice
# 2) fill the SAME-named block below (leave the others empty/removed)
# 3) set senderEmail / senderName
#
# If you do NOT want email verification at all (e.g. internal PoC), set
# disableVerification: "true" and you can leave the provider blocks empty.
# -----------------------------------------------------------------------------
email:
provider: "smtp" # smtp | sendgrid | azure
senderEmail: "noreply@your-company.com"
senderName: "Your Company"
disableVerification: "false" # "true" to skip signup email verification
# --- Option A: SMTP (standard mail server) ---
smtp:
host: "smtp.your-company.com"
port: "587"
user: "noreply@your-company.com"
password: ""
useTls: "true"
# --- Option B: SendGrid ---
sendgrid:
apiKey: ""
# --- Option C: Azure Communication Services ---
azure:
connectionString: ""
# -----------------------------------------------------------------------------
# [REQUIRED] Embedding endpoint (your BGE-M3 / embedding server). mlai uses it.
# -----------------------------------------------------------------------------
mlai:
sslVerifyCertificates: "true" # set "false" only for self-signed inference endpoints
embedding:
endpointUrl: "https://embeddings.your-company.com"
modelName: "BAAI/bge-m3"
dimension: "1024"
# [OPTIONAL] Vision OCR / Vision-Language / image-gen endpoints
visionOcr:
enabled: "true"
endpoint: "https://vlm.your-company.com/v1/chat/completions"
vlm:
enabled: "true"
endpoint: "https://vlm.your-company.com/v1/chat/completions"
flux:
apiUrl: "" # leave empty to disable image generation
# -----------------------------------------------------------------------------
# [REQUIRED] LLM endpoints (your inference stack — vLLM / any OpenAI-compatible)
# -----------------------------------------------------------------------------
llm:
historyEndpoint: "https://llm.your-company.com/v1/chat/completions"
crossEncoderEndpoint: "https://reranker.your-company.com/rerank"
summarizationEndpoint: "https://llm.your-company.com/v1/completions"
models:
# Map model keys to your served endpoints. gpt_oss_120b is used broadly
# (mlai watchdog, finetuning registry, wren-ai text-to-SQL) — set it.
# Unused ones can be left "".
gpt_oss_120b: "https://llm.your-company.com/v1"
gpt_oss_20b: ""
qwen25_72b: ""
qwen3_30b: ""
qwen3_14b: ""
gemma3_12b: ""
nemotron_3_nano: ""
llama4_scout: ""
minimax_m2: ""
# -----------------------------------------------------------------------------
# [REQUIRED] Symi gateway LLM (the assistant). Works with ANY OpenAI-compatible
# endpoint (vLLM, your own gateway, etc.).
# baseUrl — your OpenAI-compatible chat endpoint (REQUIRED for Symi)
# llmModel — the model id served there
# llmProvider — a free-form internal label (used as "<provider>/<model>");
# leave it or set to anything, e.g. "openai", "vllm". Not a vendor.
# apiKey: leave empty → Symi shares the backend's auto-generated SYMI_API_KEY.
# -----------------------------------------------------------------------------
symi-gateway:
config:
apiKey: ""
llm:
baseUrl: "https://llm.your-company.com/v1"
llmModel: "your-model"
llmProvider: "internal"
# -----------------------------------------------------------------------------
# [REQUIRED] Wren-AI (natural-language → SQL for structured/analytics queries).
# It calls an OpenAI-compatible chat endpoint to generate SQL. Point llmEndpoint
# at your LLM (the OpenAI-compatible BASE url — code appends /chat/completions;
# same endpoint as llm.models.gpt_oss_120b). Empty → text-to-SQL returns 503.
# -----------------------------------------------------------------------------
wren-ai:
config:
llmEndpoint: "https://llm.your-company.com/v1"
# -----------------------------------------------------------------------------
# [OPTIONAL] SSO + connector integrations. ALL optional — enable ONLY the ones
# you use. None is required: users can always sign up / sign in with
# email + password.
#
# To enable a provider, UNCOMMENT the `oauth:` block below AND the specific
# provider line(s) you need. Put clientId here; the clientSecret goes in the
# `secrets:` block. redirectUri auto-derives from global.hostname (leave it
# out unless you need a custom one). Register the derived URI in each provider:
# sign-in: https://<hostname>/auth/<provider>/callback
# integrations: https://<hostname>/api/v1/integrations/<provider>/oauth/callback
#
# IMPORTANT: if you uncomment `oauth:`, you MUST uncomment at least one child
# line under it (a bare `oauth:` with no children is invalid YAML/null). If you
# use NO SSO/integrations, leave this whole block commented — the chart's
# defaults apply and everything works.
# -----------------------------------------------------------------------------
# oauth:
# # --- Sign-in / SSO providers ---
# microsoft: { clientId: "" }
# google: { clientId: "" }
# github: { clientId: "" }
# okta: { clientId: "" }
# # --- Data / connector integrations ---
# sharepoint: { clientId: "", scopes: "", tenant: "" }
# office365: { clientId: "", scopes: "", tenant: "" }
# googleDrive: { clientId: "" }
# gsuite: { clientId: "" }
# bigquery: { clientId: "" }
# vertexai: { clientId: "" }
# hubspot: { clientId: "" }
# slack: { clientId: "" }
# box: { clientId: "" }
# dropbox: { clientId: "" }
# dropboxWrite: { clientId: "" }
# salesforce: { clientId: "" }
# supabase: { clientId: "" }
# servicenow: {} # client_id/secret entered per-user in UI
# gong: { clientId: "", apiBaseUrl: "" }
# databricks: { clientId: "", accountId: "", m2mClientId: "" }
# fabric: { clientId: "" }
# azureBlob: { clientId: "" }
# huggingface: { clientId: "" }
# foundry: { clientId: "", scopes: "", tenant: "" }
# -----------------------------------------------------------------------------
# Bundled datastores. Keep enabled unless you point at external services.
# -----------------------------------------------------------------------------
qdrant:
enabled: true
# -----------------------------------------------------------------------------
# [OPTIONAL] Object storage. By DEFAULT the platform uses the bundled MinIO and
# you set NOTHING here. To use EXTERNAL S3 (AWS S3 or any S3-compatible store),
# uncomment `storage:` below and add s3AccessKey/s3SecretKey to the single
# `secrets:` block further down.
# -----------------------------------------------------------------------------
# storage:
# endpoint: "https://s3.us-east-1.amazonaws.com" # empty = bundled MinIO
# region: us-east-1
# bucketName: 4minds-uploads
# useAzure: "false" # "true" for Azure Blob (set secrets.azureStorageAccountKey)
# -----------------------------------------------------------------------------
# [OPTIONAL] Secrets — ONE block for ALL of them: OAuth client secrets for the
# integrations you enabled, plus external-S3 / Azure storage keys. The
# PG/Redis/MinIO/encryption keys are AUTO-GENERATED by the chart — do NOT set
# them here. For production prefer external-secrets / sealed-secrets over
# plaintext.
#
# IMPORTANT: keep this a SINGLE `secrets:` block. YAML has no key merging — a
# second `secrets:` anywhere in the file silently overrides the first. Uncomment
# `secrets:` + at least one child (a bare `secrets:` is invalid/null YAML).
# -----------------------------------------------------------------------------
# secrets:
# # --- External object storage (only if storage.endpoint / useAzure set above) ---
# s3AccessKey: "" # external S3 access key (empty = bundled MinIO)
# s3SecretKey: "" # external S3 secret key
# azureStorageAccountKey: "" # when storage.useAzure: "true"
# # --- OAuth client secrets (only for the providers you enabled above) ---
# microsoftAuthClientSecret: ""
# googleOauthClientSecret: ""
# githubOauthClientSecret: ""
# oktaOauthClientSecret: ""
# sharepointOauthClientSecret: ""
# office365OauthClientSecret: ""
# hubspotAuthClientSecret: ""
# slackClientSecret: ""
# boxOauthClientSecret: ""
# dropboxClientSecret: ""
# dropboxWriteClientSecret: ""
# bigqueryOauthClientSecret: ""
# vertexaiOauthClientSecret: ""
# salesforceAuthClientSecret: ""
# supabaseAuthClientSecret: ""
# gongOauthClientSecret: ""
# databricksAuthClientSecret: ""
# databricksM2mClientSecret: ""
# fabricAuthClientSecret: ""
# azureBlobOauthClientSecret: ""
# hfOauthClientSecret: ""
# hfApiToken: "" # HuggingFace API token (private datasets)
# -----------------------------------------------------------------------------
# [OPTIONAL] Images — DEFAULT to the official 4minds registry (do NOT override
# for a real install). Only set this if you mirror images into your own
# registry. NOTE: this belongs under the SAME top-level `global:` block at the
# top of this file — move it there rather than adding a second `global:` key.
# -----------------------------------------------------------------------------
# global:
# imageRegistry: "your-registry.example.com/4minds"