Helm Chart Values and Configuration Reference
The CleanStart Helm Chart provides a complete Kubernetes deployment for the CleanStart security platform with configurable values for production environments, security scanning, monitoring, and integration.
Chart: cleanstart/cleanstart v2.1.0. Repository: https://charts.cleanstart.dev
Installation
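# Add repository
helm repo add cleanstart https://charts.cleanstart.dev
helm repo update

# Install with defaults.
# --version pins the chart release documented on this page, so a later
# `helm repo update` cannot silently change what gets deployed.
helm install cleanstart cleanstart/cleanstart \
  --version 2.1.0 \
  --namespace cleanstart \
  --create-namespace

# Install with custom values.
# Keep credentials out of custom-values.yaml; the values reference below
# offers existingSecret fields for that purpose.
helm install cleanstart cleanstart/cleanstart \
  --version 2.1.0 \
  --namespace cleanstart \
  --create-namespace \
  --values custom-values.yaml

Core Values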
Global Settings
# Settings shared across the chart.
# NOTE(review): nesting reconstructed from a flattened listing; confirm
# against the chart's values.yaml.
global:
  image:
    registry: gcr.io
    # IfNotPresent reuses an image already cached on the node, so a mutable
    # tag can resolve to different content on different nodes.
    pullPolicy: IfNotPresent
    # Empty list: no image pull secrets are configured.
    pullSecrets: []
  clusterName: production
  # example.com is a reserved example domain; replace with the real hostname.
  domain: cleanstart.example.com
  tls:
    enabled: true
    # Same issuer name as the cert-manager annotation in the Ingress section.
    issuer: letsencrypt-prod

Scaling and Resources
# Baseline replica count.
# NOTE(review): charts commonly ignore replicaCount while autoscaling is
# enabled; confirm in the chart templates.
replicaCount: 3

# Horizontal autoscaling bounds and the utilization targets that drive it.
autoscaling:
  enabled: true
  minReplicas: 3
  maxReplicas: 10
  targetCPUUtilizationPercentage: 70
  targetMemoryUtilizationPercentage: 80

# Per-pod CPU and memory. Limits bound what a single misbehaving or abused
# pod can take from its node; requests are what the scheduler reserves.
resources:
  limits:
    cpu: 2000m
    memory: 2Gi
  requests:
    cpu: 500m
    memory: 512Mi

Security Context
# Hardened defaults for the workload.
# NOTE(review): in Kubernetes fsGroup is a pod-level field while capabilities,
# readOnlyRootFilesystem and allowPrivilegeEscalation are container-level;
# presumably the chart splits this block accordingly; confirm.
securityContext:
  # Refuse to start a container whose image would run as UID 0.
  runAsNonRoot: true
  runAsUser: 1000
  fsGroup: 1000
  capabilities:
    # Drop every Linux capability; nothing is added back here.
    drop:
      - ALL
  # Writes are only possible on mounted volumes, not on the image filesystem.
  readOnlyRootFilesystem: true
  # Blocks gaining privileges through setuid binaries or file capabilities.
  allowPrivilegeEscalation: false

# Creates a NetworkPolicy covering both directions. The allow rules are not
# shown on this page; with both policy types listed, traffic that no rule
# permits is denied for the selected pods, so verify the rules still allow
# DNS, the databases and the advisory feeds.
networkPolicy:
  enabled: true
  policyTypes:
    - Ingress
    - Egress

Ingress
# HTTP(S) entry point served by the nginx ingress class.
ingress:
  enabled: true
  className: nginx
  annotations:
    # cert-manager issues the certificate from this ClusterIssuer.
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # Redirect plain-HTTP requests to HTTPS. The value is quoted because
    # annotation values must be strings.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
  hosts:
    - host: cleanstart.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    # Secret holding the certificate and key for the hosts below.
    - secretName: cleanstart-tls
      hosts:
        - cleanstart.example.com

Database Configuration
ClickHouse
# ClickHouse connection, credentials and storage.
# NOTE(review): nesting reconstructed from a flattened listing; confirm
# against the chart's values.yaml.
clickhouse:
  enabled: true
  # Presumably false means the chart deploys its own ClickHouse; confirm.
  external: false
  host: clickhouse.cleanstart.svc.cluster.local
  # 9000 and 8123 are ClickHouse's default native and HTTP ports; neither is
  # the TLS variant. Whether this traffic is encrypted is not shown here.
  port: 9000
  httpPort: 8123
  database: advisory_advisories
  auth:
    # NOTE(review): "default" is ClickHouse's built-in account; a dedicated
    # least-privilege user is preferable where the chart allows it.
    username: default
    # Leave empty and supply the credential through existingSecret so it is
    # never stored in a values file. The key names expected inside that
    # Secret are not documented on this page.
    password: ""
    existingSecret: clickhouse-credentials
  persistence:
    enabled: true
    size: 100Gi
    storageClassName: fast-ssd
  resources:
    limits:
      cpu: 4000m
      memory: 8Gi
    requests:
      cpu: 2000m
      memory: 4Gi

Redis
# Redis connection, credentials and storage.
# NOTE(review): nesting reconstructed from a flattened listing; confirm
# against the chart's values.yaml.
redis:
  enabled: true
  # Presumably false means the chart deploys its own Redis; confirm.
  external: false
  host: redis.cleanstart.svc.cluster.local
  port: 6379
  auth:
    # Keep authentication on; an unauthenticated Redis is readable and
    # writable by anything that can reach the port.
    enabled: true
    # Leave empty and supply the credential through existingSecret so it is
    # never stored in a values file.
    password: ""
    existingSecret: redis-credentials
  persistence:
    enabled: true
    size: 10Gi
  resources:
    limits:
      cpu: 1000m
      memory: 1Gi
    requests:
      cpu: 250m
      memory: 256Mi

Service Configuration
# Kubernetes Service in front of the application pods.
service:
  # NOTE(review): a LoadBalancer Service publishes every port listed below,
  # including plain HTTP on 80 and metrics on 9090, on the provider's load
  # balancer. With the Ingress enabled, check whether external exposure of
  # these ports is intended.
  type: LoadBalancer
  ports:
    http:
      port: 80
      targetPort: 8080
    https:
      port: 443
      targetPort: 8443
    metrics:
      port: 9090
      targetPort: 9090

# API listener settings.
# NOTE(review): the source listing was flattened; rateLimiting, timeout and
# cors are assumed to sit under api; confirm against the chart.
api:
  port: 8080
  metricsPort: 9090
  rateLimiting:
    enabled: true
    requestsPerSecond: 1000
  timeout:
    read: 30s
    write: 30s
    idle: 90s
  cors:
    enabled: true
    # Only this origin is allowed to make cross-origin browser requests.
    origins:
      - "https://cleanstart.example.com"

Persistence
# Persistent volumes for logs, cache and generated reports.
persistence:
  enabled: true
  logs:
    size: 20Gi
    storageClassName: standard
  cache:
    size: 50Gi
    storageClassName: fast-ssd
  reports:
    size: 100Gi
    storageClassName: standard
    # NOTE(review): assumed to apply to the reports volume only; confirm.
    # ReadWriteMany needs a storage class that supports shared access.
    accessMode: ReadWriteMany

Monitoring
# Metrics collection and dashboards.
# NOTE(review): the source listing was flattened; prometheus and grafana are
# assumed to sit under metrics; confirm against the chart.
metrics:
  enabled: true
  prometheus:
    enabled: true
    # Scrape interval and how long samples are kept.
    interval: 30s
    retention: 15d
  grafana:
    enabled: true
    persistence:
      enabled: true
      size: 5Gi

Logging
# Application logging and log shipping.
# NOTE(review): the source listing was flattened; elasticsearch is assumed to
# be a sibling of fluentd under logging; confirm against the chart.
logging:
  level: info
  format: json
  fluentd:
    enabled: true
  elasticsearch:
    enabled: true
    host: elasticsearch.example.com
    # No TLS or credential settings for this connection appear on this page;
    # confirm how the log stream to Elasticsearch is protected.
    port: 9200

Authentication
# Authentication and authorization for the platform.
auth:
  apiKey:
    enabled: true
    # Key rotation period in days.
    rotationDays: 90
  oauth2:
    enabled: false
    provider: google
    clientID: ""
    # No existingSecret field is shown for OAuth2, so this value would sit in
    # the values file if set here; supply it at deploy time rather than
    # committing it to version control.
    clientSecret: ""
  rbac:
    enabled: true

Intelligence Configuration
# Advisory feed ingestion.
# NOTE(review): the source listing was flattened; github is assumed to be a
# sibling of schedule under intelligence; confirm against the chart.
intelligence:
  enabled: true
  # How often each feed is refreshed.
  schedule:
    nistNvd:
      enabled: true
      interval: 24h
    githubAdvisory:
      enabled: true
      interval: 6h
  github:
    enabled: true
    # Leave empty and supply the token through existingSecret so it is never
    # stored in a values file.
    token: ""
    existingSecret: github-credentials

Scanning
# Image, vulnerability and supply-chain scanning.
scanning:
  imageScan:
    enabled: true
    # Cron expression: every day at 02:00. The time zone used is not stated
    # on this page.
    schedule: "0 2 * * *"
    retentionDays: 30
  vulnScan:
    enabled: true
    # Vulnerability data sources consulted by the scanner.
    databases:
      - nvd
      - ghsa
      - osv
  supplyChain:
    enabled: true
    # Provenance, signature and SBOM checks. What happens to an artifact that
    # fails one of them is not described on this page.
    checkProvenance: true
    checkSignatures: true
    requireSBOM: true

Feature Flags
# Optional features. Each enabled interface is additional exposed surface;
# the "Disable Features" section below shows how to switch them off.
features:
  graphql:
    enabled: true
  websocket:
    enabled: true
    # Upper bound on concurrent WebSocket connections.
    maxConnections: 10000
  threatIntelligence:
    enabled: true
  mlPredictions:
    enabled: false
  customPolicies:
    enabled: true

Common Overrides
Development
# values-dev.yaml
# Single-replica footprint for development. Nothing here overrides
# securityContext or networkPolicy.
replicaCount: 1
autoscaling:
  enabled: false
resources:
  limits:
    cpu: 500m
    memory: 512Mi
persistence:
  enabled: false
metrics:
  enabled: false
logging:
  # NOTE(review): debug output may include request details; keep this level
  # out of shared or production environments.
  level: debug

Production
# values-prod.yaml
# Larger replica floor, resource limits and volumes for production.
replicaCount: 5
autoscaling:
  enabled: true
  minReplicas: 5
  maxReplicas: 20
resources:
  limits:
    cpu: 4000m
    memory: 4Gi
persistence:
  enabled: true
  logs:
    size: 200Gi
  cache:
    size: 500Gi
# Keep at least three pods running during voluntary disruptions such as node
# drains.
# NOTE(review): podDisruptionBudget is not listed in the core values above;
# confirm the chart supports it.
podDisruptionBudget:
  enabled: true
  minAvailable: 3

High Availability
# values-ha.yaml
# High-availability profile: many replicas, at most one per node.
replicaCount: 10
autoscaling:
  enabled: true
  minReplicas: 10
  maxReplicas: 50

# Required anti-affinity on the hostname topology key: two pods matching the
# selector are never scheduled on the same node, so the cluster needs at
# least as many schedulable nodes as replicas or the extra pods stay Pending.
# Assumes the pods carry the label app=cleanstart; confirm.
affinity:
  podAntiAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchExpressions:
            - key: app
              operator: In
              values: [cleanstart]
        topologyKey: kubernetes.io/hostname

Validation
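# Validate chart syntax.
# helm lint takes a path to a local chart, not a repository reference, so
# fetch and unpack the pinned chart first.
helm pull cleanstart/cleanstart --version 2.1.0 --untar
helm lint ./cleanstart

# Dry-run to verify.
# The --debug output includes the rendered manifests, Secrets among them;
# treat it as sensitive.
helm install cleanstart cleanstart/cleanstart \
  --version 2.1.0 \
  --namespace cleanstart \
  --dry-run --debug

# Verify installation.
# Prints the user-supplied values of the release, including any credential
# that was passed inline instead of through an existing Secret.
helm get values cleanstart --namespace cleanstart

Troubleshooting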
Enable Debug
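# --namespace matches the install commands above; without it helm looks for
# the release in the current namespace. --reuse-values keeps the overrides
# already applied to the release instead of resetting them to chart defaults.
# NOTE(review): api.logLevel is not listed in the values reference above;
# confirm the key exists.
# Debug logs can contain request details; restore the previous level when done.
helm upgrade cleanstart cleanstart/cleanstart \
  --namespace cleanstart \
  --reuse-values \
  --set logging.level=debug \
  --set api.logLevel=debug

Override Resource Limits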
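# --namespace matches the install commands above; --reuse-values keeps the
# overrides already applied to the release instead of resetting them to
# chart defaults. Only the limits change; requests keep their current values.
helm upgrade cleanstart cleanstart/cleanstart \
  --namespace cleanstart \
  --reuse-values \
  --set resources.limits.cpu=8000m \
  --set resources.limits.memory=8Gi

Disable Features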
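# Switch off interfaces that are not needed, which reduces the exposed surface.
# --namespace matches the install commands above; --reuse-values keeps the
# overrides already applied to the release instead of resetting them to
# chart defaults.
helm upgrade cleanstart cleanstart/cleanstart \
  --namespace cleanstart \
  --reuse-values \
  --set features.graphql.enabled=false \
  --set features.websocket.enabled=false

Support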
Chart Repo: https://charts.cleanstart.dev, Documentation: https://docs.cleanstart.dev/helm, and Issues: https://github.com/cleanstart/helm-charts/issues.
