Helm Charts
MazeVault Helm Chart Configuration Reference
Document Version: 1.0.45
Last Updated: 2026-05-31
License Tier: Enterprise
1. Overview
MazeVault provides a public customer Helm chart as source in the maze-release repository under helm/mazevault-customer. The public chart exists; what does not currently exist is a separate hosted MazeVault Helm repository endpoint for helm repo add.
git clone https://github.com/MazeVault/maze-release.git
cd maze-release
helm lint ./helm/mazevault-customer
helm install mazevault ./helm/mazevault-customer -n mazevault --create-namespace -f values.yaml
Start from helm/mazevault-customer/values.yaml and place customer-specific overrides in your own values file or GitOps repository.
Image Tag Strategy and Pull Preflight
- Prefer explicit release tags (for example v1.0.44) instead of latest for production rollouts.
- Run a pull preflight before Helm upgrades so image availability is validated before deployment starts.
# Isolated Docker auth context to avoid local credential side effects
TMP_DOCKER_CFG=$(mktemp -d)
# Verify release tags resolve in GHCR
DOCKER_CONFIG="$TMP_DOCKER_CFG" docker manifest inspect ghcr.io/mazevault/mazevault-backend:v1.0.44 >/dev/null
DOCKER_CONFIG="$TMP_DOCKER_CFG" docker manifest inspect ghcr.io/mazevault/mazevault-frontend:v1.0.44 >/dev/null
DOCKER_CONFIG="$TMP_DOCKER_CFG" docker manifest inspect ghcr.io/mazevault/mazevault-docs:v1.0.44 >/dev/null
DOCKER_CONFIG="$TMP_DOCKER_CFG" docker manifest inspect ghcr.io/mazevault/mazevault-ocsp:v1.0.44 >/dev/null
rm -rf "$TMP_DOCKER_CFG"
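The pinned-tag rule above can also be checked against the rendered chart before the pull preflight runs. The following is an added example, not part of the MazeVault chart or its documentation: the function names, the sample manifest and the registry.internal:5000 host are constructed for illustration. It goes slightly beyond the text by also accepting digest-pinned references.

```shell
# Added example (not MazeVault code). Input on stdin: rendered manifests, e.g.
#   helm template mazevault ./helm/mazevault-customer -f values.yaml

# Print each distinct container image reference found on stdin.
list_images() {
  awk -v q="'" '
    /^[ \t-]*image:[ \t]/ {
      ref = $0
      sub(/^[ \t-]*image:[ \t]*/, "", ref)
      sub(/[ \t]+#.*$/, "", ref)             # drop a trailing YAML comment
      sub(/[ \t]+$/, "", ref)
      gsub(/"/, "", ref); gsub(q, "", ref)   # drop surrounding quotes
      if (ref != "" && !seen[ref]++) print ref
    }'
}

# Print "REASON image" for each reference that is not pinned; return 1 if any.
check_image_pins() {
  list_images | awk '
    {
      if ($0 ~ /@sha256:/) next              # digest-pinned: accepted
      name = $0; sub(/^.*\//, "", name)      # last path component only, so a
      tag = ""                               # registry port is not read as a tag
      if (name ~ /:/) { tag = name; sub(/^.*:/, "", tag) }
      if (tag == "")            { print "NO_TAG " $0; bad = 1 }
      else if (tag == "latest") { print "LATEST " $0; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }'
}

# Constructed sample standing in for `helm template` output.
sample_manifest() {
  cat <<'EOF'
      containers:
        - name: backend
          image: "ghcr.io/mazevault/mazevault-backend:v1.0.44"
        - name: frontend
          image: ghcr.io/mazevault/mazevault-frontend:latest
        - name: docs
          image: registry.internal:5000/mazevault-docs   # constructed mirror host
        - name: ocsp
          image: ghcr.io/mazevault/mazevault-ocsp:v1.0.44
EOF
}

sample_manifest | check_image_pins || echo "unpinned image references found"
```

In a pipeline, a non-zero return from check_image_pins is the signal to stop before helm upgrade; the output of list_images can drive the docker manifest inspect loop instead of a hand-maintained image list.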
2. Values Reference
Global Settings
global:
  environment: "customer"
  rolloutNonce: ""
workloadIdentity:
  enabled: true
  clientId: ""
keyVault:
  enabled: true
  secretStore:
    vaultUrl: https://__SET_KEYVAULT_NAME__.vault.azure.net
    tenantId: ""
ingress:
  enabled: true
  appHost: mazevault.example.com
  docsHost: docs.mazevault.example.com
Backend (API Server)
backend:
  replicaCount: 1 # Keep single-writer backend semantics
  image:
    repository: "ghcr.io/mazevault/mazevault-backend"
    tag: "v1.0.44" # Prefer pinned release tags in customer environments
  resources:
    requests:
      cpu: "500m"
      memory: "1Gi"
    limits:
      cpu: "2000m"
      memory: "4Gi"
  config:
    MAZEVAULT_CUSTOMER_NAME: __SET_CUSTOMER_NAME__
    MAZEVAULT_CUSTOMER_EMAIL: __SET_CUSTOMER_EMAIL__
    MAZEVAULT_COMPANY_ID: __SET_COMPANY_ID__
    MAZEVAULT_ENV: production
    LOG_LEVEL: info
    # Database and Redis runtime credentials are projected through the generated runtime secret.
  # Health probes
  livenessProbe:
    httpGet:
      path: /api/v1/health
      port: 8080
    initialDelaySeconds: 30
    periodSeconds: 30
  readinessProbe:
    httpGet:
      path: /api/v1/health
      port: 8080
    initialDelaySeconds: 10
    periodSeconds: 10
Frontend (Web Interface)
frontend:
  replicaCount: 1
  image:
    repository: "ghcr.io/mazevault/mazevault-frontend"
    tag: "v1.0.44"
  resources:
    requests:
      cpu: "100m"
      memory: "128Mi"
    limits:
      cpu: "500m"
      memory: "512Mi"
  urls:
    docs: "https://docs.mazevault.example.com"
    domain: "mazevault.example.com"
OCSP Responder
ocsp:
  enabled: true
  replicas: 1
  image:
    repository: "mazevault-ocsp"
    tag: "1.8.0"
  resources:
    requests:
      cpu: "200m"
      memory: "256Mi"
    limits:
      cpu: "1000m"
      memory: "1Gi"
  autoscaling:
    enabled: true
    minReplicas: 1
    maxReplicas: 5
    targetCPUUtilizationPercentage: 70
Ingress
ingress:
  enabled: true
  className: "nginx"
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
  hosts:
    - host: vault.example.com
      paths:
        - path: /api
          pathType: Prefix
          service: backend
        - path: /ocsp
          pathType: Prefix
          service: ocsp
        - path: /
          pathType: Prefix
          service: frontend
  tls:
    - secretName: mazevault-tls
      hosts:
        - vault.example.com
Monitoring
monitoring:
  serviceMonitor:
    enabled: true # Requires Prometheus Operator
    interval: 30s
    labels:
      release: prometheus
  prometheusRules:
    enabled: true
    rules:
      - alert: MazeVaultBackendDown
        expr: up{job="mazevault-backend"} == 0
        for: 5m
        labels:
          severity: critical
      - alert: MazeVaultHighErrorRate
        expr: rate(http_requests_total{status=~"5.."}[5m]) > 0.1
        for: 10m
        labels:
          severity: warning
3. Environment-Specific Examples
Production
# values-production.yaml
global:
  domain: "vault.company.com"
  tls:
    enabled: true
backend:
  replicas: 1
  resources:
    requests:
      cpu: "1000m"
      memory: "2Gi"
    limits:
      cpu: "4000m"
      memory: "8Gi"
  env:
    LOG_LEVEL: "warn"
frontend:
  replicas: 3
  autoscaling:
    enabled: true
    minReplicas: 3
monitoring:
  serviceMonitor:
    enabled: true
Staging
# values-staging.yaml
global:
  domain: "vault-staging.company.com"
backend:
  resources:
    requests:
      cpu: "500m"
      memory: "1Gi"
    limits:
      cpu: "2000m"
      memory: "4Gi"
frontend:
  replicas: 1
  autoscaling:
    enabled: false
4. Upgrade Procedure
# Refresh chart source
git -C maze-release pull --ff-only
# Review changes
helm diff upgrade mazevault ./helm/mazevault-customer \
  -n mazevault -f values-production.yaml
# Perform upgrade
helm upgrade mazevault ./helm/mazevault-customer \
  -n mazevault -f values-production.yaml \
  --wait --timeout 10m
# Verify
kubectl get pods -n mazevault
kubectl exec -n mazevault deploy/mazevault-backend -- \
  wget -qO- http://localhost:8080/api/v1/health
Related
- Azure AKS Deployment — AKS cluster setup
- System Requirements — Resource sizing
- Monitoring — Monitoring configuration