Skip to content
Scalekit Docs
Talk to an Engineer Dashboard

Configure Scalekit

Complete values.yaml examples and field reference for a self-hosted Scalekit deployment.

You will review example values.yaml files and the complete field reference to configure your self-hosted Scalekit deployment. This helps you understand exactly what values the setup script will generate and how to customize them for external databases or production settings.

Example values.yaml files

Section titled “Example values.yaml files”

These examples show the full structure of a generated values.yaml. The setup script produces this file automatically. Refer here when reviewing or modifying values after initial setup.

Use this configuration to get Scalekit running quickly without provisioning external PostgreSQL or Redis. Setting secrets.create: true lets the chart create all required Kubernetes secrets from values in this file. No kubectl secret commands are needed.

Do not use this in production. The bundled databases have no backups, no replication, and no persistent storage guarantees. See the quick start guide for a step-by-step walkthrough.

values.yaml (quick start)
scalekit:
  config:
    app:
      domain: "<your-domain>"
    seedData:
      adminUser:
        firstName: "<firstname>"
        lastName: "<lastname>"
        email: "<admin-email>"
      emailServer:
        settings:
          fromEmail: "hi@<your-domain>"
          fromName: "Team <Your Company>"
          host: "<smtp-host>"
          port: <smtp-port>
          username: "<smtp-username>"


postgresql:
  enabled: true


redis:
  enabled: true


secrets:
  create: true
  svix:
    jwtSecret: "<jwt secret that signs your api token>"
    apiToken: "<JWT signed with the above secret>"
  registry:
    password: "<registry access token>"


gateway:
  enabled: true
  provider: "<provider>"           # gcp for GKE; other for all other clusters
  className: "<gateway-class-name>"
  annotations:
    <annotation-key>: "<annotation-value>"
  redirectToHttps: true
  healthCheckPolicy:
    enabled: true                  # GKE only

Field reference

Section titled “Field reference”

App

Section titled “App”
scalekit:
  config:
    app:
      domain: "auth.example.com"
      protocol: "https"
      region: "us"
FieldDescription
domainBase domain for your Scalekit instance. Must match your gateway hostname.
protocolUse https in production. For local HTTP dev, set to http and add oidc.allow_insecure: true.
regionData residency context. Set once. Do not change after the initial install.

Database

Section titled “Database”
scalekit:
  config:
    database:
      host: "your-db-host"
      name: "scalekit"
      user: "scalekit"
      port: 5432

When using external PostgreSQL (postgresql.enabled: false), the database password is injected via Kubernetes secret:

  • secrets.create: true: provide it under secrets.database.password in values.yaml; the chart creates the secret automatically
  • secrets.create: false: pre-create the authentication-secret with a database_password key using the setup script

Omit this section entirely when using the bundled PostgreSQL subchart (postgresql.enabled: true).

Redis

Section titled “Redis”
scalekit:
  config:
    redis:
      host: "your-redis-host"
      port: 6379
      db: 0

When using external Redis (redis.enabled: false), the Redis password and DSN are injected via Kubernetes secret:

  • secrets.create: true: provide the DSN under secrets.svix.redisDsn in values.yaml; the chart creates the secret automatically
  • secrets.create: false: pre-create the svix-secrets with a redis-dsn key using the setup script

Omit this section entirely when using the bundled Redis subchart (redis.enabled: true).

Seed data

Section titled “Seed data”

Seed data is applied once on first install. It creates the initial admin user and configures the email server.

scalekit:
  config:
    seedData:
      adminUser:
        firstName: "Admin"
        lastName: "User"
        email: "admin@example.com"
      emailServer:
        serverType: "SMTP"
        provider: "POSTMARK"      # POSTMARK, SENDGRID, or OTHER
        enabled: true
        settings:
          fromEmail: "noreply@example.com"
          fromName: "Your Company"
          host: "smtp.postmarkapp.com"
          port: 587
          username: "your-smtp-api-key-or-username"

Gateway

Section titled “Gateway”

Scalekit uses the Kubernetes Gateway API for ingress.

gateway:
  enabled: true
  className: "gke-l7-global-external-managed"
  provider: "gcp"
  redirectToHttps: true
  healthCheckPolicy:
    enabled: true   # GKE only

Set gateway.className to the GatewayClass for your cluster:

ProviderGatewayClass
GKE (external)gke-l7-global-external-managed
GKE (internal)gke-l7-regional-internal-managed
Istioistio
Envoy Gatewayeg

Set provider: "gcp" for GKE. It enables GKE-specific resources like HealthCheckPolicy. Set provider: "other" for all other clusters.

Gateway annotations

Section titled “Gateway annotations”

Annotations on the Gateway resource are how you attach TLS certificates and configure provider-specific behavior. Add them under gateway.annotations in your values.yaml:

gateway:
  annotations:
    <annotation-key>: "<annotation-value>"

Common annotations by provider:

ProviderAnnotationPurpose
GKEnetworking.gke.io/certmapAttach a GCP Certificate Manager cert map for TLS
cert-manager (any cluster)cert-manager.io/cluster-issuerProvision TLS via cert-manager
AWS (ALB)kubernetes.io/ingress.classRoute through an ALB

Example: GCP Certificate Manager

Section titled “Example: GCP Certificate Manager”
gateway:
  enabled: true
  className: "gke-l7-global-external-managed"
  provider: "gcp"
  annotations:
    networking.gke.io/certmap: "scalekit-cert-map"
  redirectToHttps: true
  healthCheckPolicy:
    enabled: true

Optional components

Section titled “Optional components”

OpenFGA (fine-grained authorization)

Section titled “OpenFGA (fine-grained authorization)”

OpenFGA is disabled by default. Enable it when you need fine-grained authorization at scale:

sidecars:
  openfga:
    enabled: true

OpenFGA requires its own PostgreSQL database (openfga). Credentials are stored in the openfga-secrets Kubernetes secret.

Directory server (SCIM)

Section titled “Directory server (SCIM)”

SCIM provisioning is disabled by default:

scalekit:
  config:
    directoryServer:
      enabled: true

Secrets reference

Section titled “Secrets reference”

Scalekit uses Kubernetes secrets to inject all sensitive values into pods. There are two ways these secrets are created:

  • secrets.create: true (quick start): the chart auto-creates all secrets from values you provide in values.yaml under the secrets.* block
  • secrets.create: false (full deployment): you pre-create the secrets using the setup script
Secret nameKey fieldsCreated by
authentication-service-tokenTOKEN: dashboard auth tokenChart or setup script
db-migrationsDATABASE_URL, DB_ADAPTERChart or setup script
authentication-secretDB password, Redis password, OIDC keys, cookie keys, email keys, webhook API keyChart or setup script
svix-secretsdb-dsn, jwt-secret, main-secret, redis-dsn, api-tokenChart or setup script
artifact-registry-secretDocker registry credentials for the Scalekit container registryChart or setup script
openfga-secretskeys, uriChart or setup script. Only when sidecars.openfga.enabled: true.

Next, Setup script will generate the values.yaml and all required Kubernetes secrets for you.