Configure Scalekit

Complete values.yaml examples and field reference for a self-hosted Scalekit deployment.

You will review example values.yaml files and the complete field reference to configure your self-hosted Scalekit deployment. This helps you understand exactly what values the setup script will generate and how to customize them for external databases or production settings.

Example values.yaml files

These examples show the full structure of a generated values.yaml. The setup script produces this file automatically. Refer here when reviewing or modifying values after initial setup.

Quick start (subcharts)
Production (external services)

Use this configuration to get Scalekit running quickly without provisioning external PostgreSQL or Redis. Setting secrets.create: true lets the chart create all required Kubernetes secrets from values in this file. No kubectl secret commands are needed.

Do not use this in production. The bundled databases have no backups, no replication, and no persistent storage guarantees. See the quick start guide for a step-by-step walkthrough.

1
scalekit:
2
  config:
3
    app:
4
      domain: "<your-domain>"
5
    seedData:
6
      adminUser:
7
        firstName: "<firstname>"
8
        lastName: "<lastname>"
9
        email: "<admin-email>"
10
      emailServer:
11
        settings:
12
          fromEmail: "hi@<your-domain>"
13
          fromName: "Team <Your Company>"
14
          host: "<smtp-host>"
15
          port: <smtp-port>
16
          username: "<smtp-username>"
17

18
postgresql:
19
  enabled: true
20

21
redis:
22
  enabled: true
23

24
secrets:
25
  create: true
26
  svix:
27
    jwtSecret: "<jwt secret that signs your api token>"
28
    apiToken: "<JWT signed with the above secret>"
29
  registry:
30
    password: "<registry access token>"
31

32
gateway:
33
  enabled: true
34
  provider: "<provider>"           # gcp for GKE; other for all other clusters
35
  className: "<gateway-class-name>"
36
  annotations:
37
    <annotation-key>: "<annotation-value>"
38
  redirectToHttps: true
39
  healthCheckPolicy:
40
    enabled: true                  # GKE only

Use this configuration for production deployments with external PostgreSQL and Redis that you manage.

1
scalekit:
2
  config:
3
    app:
4
      domain: "auth.example.com"    # your domain, without scheme or trailing slash
5
      protocol: "https"
6
      region: "us"                  # us or eu — set once, do not change after first install
7

8
    database:
9
      host: "pg.internal.example.com"
10
      name: "scalekit"
11
      user: "scalekit"
12
      port: 5432
13
      # Password is stored in the authentication-secret Kubernetes secret
14

15
    redis:
16
      host: "redis.internal.example.com"
17
      port: 6379
18
      db: 0
19
      # Password is stored in the authentication-secret Kubernetes secret
20

21
    seedData:
22
      adminUser:
23
        firstName: "Admin"
24
        lastName: "User"
25
        email: "admin@example.com"
26
      emailServer:
27
        serverType: "SMTP"
28
        provider: "POSTMARK"        # POSTMARK, SENDGRID, or OTHER
29
        enabled: true
30
        settings:
31
          fromEmail: "noreply@example.com"
32
          fromName: "Your Company"
33
          host: "smtp.postmarkapp.com"
34
          port: 587
35
          username: "your-smtp-api-key"
36

37
# External services — disable subcharts
38
postgresql:
39
  enabled: false
40

41
redis:
42
  enabled: false
43

44
gateway:
45
  enabled: true
46
  className: "gke-l7-global-external-managed"  # your GatewayClass
47
  provider: "gcp"                              # "gcp" for GKE Gateway; "other" (or omit) for most other clusters / ingress controllers
48
  redirectToHttps: true
49
  healthCheckPolicy:
50
    enabled: true                              # GKE only

Field reference

App

1
scalekit:
2
  config:
3
    app:
4
      domain: "auth.example.com"
5
      protocol: "https"
6
      region: "us"

Field	Description
`domain`	Base domain for your Scalekit instance. Must match your gateway hostname.
`protocol`	Use `https` in production. For local HTTP dev, set to `http` and add `oidc.allow_insecure: true`.
`region`	Data residency context. Set once. Do not change after the initial install.

Database

1
scalekit:
2
  config:
3
    database:
4
      host: "your-db-host"
5
      name: "scalekit"
6
      user: "scalekit"
7
      port: 5432

When using external PostgreSQL (postgresql.enabled: false), the database password is injected via Kubernetes secret:

secrets.create: true: provide it under secrets.database.password in values.yaml; the chart creates the secret automatically
secrets.create: false: pre-create the authentication-secret with a database_password key using the setup script

Omit this section entirely when using the bundled PostgreSQL subchart (postgresql.enabled: true).

Redis

1
scalekit:
2
  config:
3
    redis:
4
      host: "your-redis-host"
5
      port: 6379
6
      db: 0

When using external Redis (redis.enabled: false), the Redis password and DSN are injected via Kubernetes secret:

secrets.create: true: provide the DSN under secrets.svix.redisDsn in values.yaml; the chart creates the secret automatically
secrets.create: false: pre-create the svix-secrets with a redis-dsn key using the setup script

Omit this section entirely when using the bundled Redis subchart (redis.enabled: true).

Seed data

Seed data is applied once on first install. It creates the initial admin user and configures the email server.

1
scalekit:
2
  config:
3
    seedData:
4
      adminUser:
5
        firstName: "Admin"
6
        lastName: "User"
7
        email: "admin@example.com"
8
      emailServer:
9
        serverType: "SMTP"
10
        provider: "POSTMARK"      # POSTMARK, SENDGRID, or OTHER
11
        enabled: true
12
        settings:
13
          fromEmail: "noreply@example.com"
14
          fromName: "Your Company"
15
          host: "smtp.postmarkapp.com"
16
          port: 587
17
          username: "your-smtp-api-key-or-username"

Gateway

Scalekit uses the Kubernetes Gateway API for ingress.

1
gateway:
2
  enabled: true
3
  className: "gke-l7-global-external-managed"
4
  provider: "gcp"
5
  redirectToHttps: true
6
  healthCheckPolicy:
7
    enabled: true   # GKE only

Set gateway.className to the GatewayClass for your cluster:

Provider	GatewayClass
GKE (external)	`gke-l7-global-external-managed`
GKE (internal)	`gke-l7-regional-internal-managed`
Istio	`istio`
Envoy Gateway	`eg`

Set provider: "gcp" for GKE. It enables GKE-specific resources like HealthCheckPolicy. Set provider: "other" for all other clusters.

Gateway annotations

Annotations on the Gateway resource are how you attach TLS certificates and configure provider-specific behavior. Add them under gateway.annotations in your values.yaml:

1
gateway:
2
  annotations:
3
    <annotation-key>: "<annotation-value>"

Common annotations by provider:

Provider	Annotation	Purpose
GKE	`networking.gke.io/certmap`	Attach a GCP Certificate Manager cert map for TLS
cert-manager (any cluster)	`cert-manager.io/cluster-issuer`	Provision TLS via cert-manager
AWS (ALB)	`kubernetes.io/ingress.class`	Route through an ALB

Example: GCP Certificate Manager

1
gateway:
2
  enabled: true
3
  className: "gke-l7-global-external-managed"
4
  provider: "gcp"
5
  annotations:
6
    networking.gke.io/certmap: "scalekit-cert-map"
7
  redirectToHttps: true
8
  healthCheckPolicy:
9
    enabled: true

Optional components

OpenFGA (fine-grained authorization)

OpenFGA is disabled by default. Enable it when you need fine-grained authorization at scale:

1
sidecars:
2
  openfga:
3
    enabled: true

OpenFGA requires its own PostgreSQL database (openfga). Credentials are stored in the openfga-secrets Kubernetes secret.

Directory server (SCIM)

SCIM provisioning is disabled by default:

1
scalekit:
2
  config:
3
    directoryServer:
4
      enabled: true

Secrets reference

Scalekit uses Kubernetes secrets to inject all sensitive values into pods. There are two ways these secrets are created:

secrets.create: true (quick start): the chart auto-creates all secrets from values you provide in values.yaml under the secrets.* block
secrets.create: false (full deployment): you pre-create the secrets using the setup script

Secret name	Key fields	Created by
`authentication-service-token`	`TOKEN`: dashboard auth token	Chart or setup script
`db-migrations`	`DATABASE_URL`, `DB_ADAPTER`	Chart or setup script
`authentication-secret`	DB password, Redis password, OIDC keys, cookie keys, email keys, webhook API key	Chart or setup script
`svix-secrets`	`db-dsn`, `jwt-secret`, `main-secret`, `redis-dsn`, `api-token`	Chart or setup script
`artifact-registry-secret`	Docker registry credentials for the Scalekit container registry	Chart or setup script
`openfga-secrets`	`keys`, `uri`	Chart or setup script. Only when `sidecars.openfga.enabled: true`.

Next, Setup script will generate the values.yaml and all required Kubernetes secrets for you.