obot-platform · iwilltry42 · Mar 7, 2025 · Mar 7, 2025
diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml
@@ -46,141 +46,21 @@ spec:
             - mountPath: {{ .Values.persistence.path }}
               name: data
           {{- end }}
+          {{- if .Values.extraEnv }}
           env:
-            - name: "OBOT_SERVER_ENABLE_AUTHENTICATION"
-              value: {{ .Values.config.obotServerEnableAuthentication | quote }}
-            - name: "OBOT_SERVER_ENCRYPTION_PROVIDER"
-              value: {{ .Values.config.obotServerEncryptionProvider | quote }}
-            {{- if .Values.config.awsAccessKeyID }}
-            - name: "AWS_ACCESS_KEY_ID"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "obot.config.secretName" . }}
-                  key: awsAccessKeyID
-            {{- end }}
-            {{- if .Values.config.awsRegion }}
-            - name: "AWS_REGION"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "obot.config.secretName" . }}
-                  key: awsRegion
-            {{- end }}
-            {{- if .Values.config.awsSecretAccessKey }}
-            - name: "AWS_SECRET_ACCESS_KEY"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "obot.config.secretName" . }}
-                  key: awsSecretAccessKey
-            {{- end }}
-            {{- if .Values.config.nahThreadiness }}
-            - name: "NAH_THREADINESS"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "obot.config.secretName" . }}
-                  key: nahThreadiness
-            {{- end }}
-            {{- if .Values.config.knowledgeFileWorkers }}
-            - name: "OBOT_SERVER_KNOWLEDGE_FILE_WORKERS"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "obot.config.secretName" . }}
-                  key: knowledgeFileWorkers
-            {{- end }}
-            {{- if .Values.config.kinmDBConnections }}
-            - name: "KINM_DB_CONNECTIONS"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "obot.config.secretName" . }}
-                  key: kinmDBConnections
-            {{- end }}
-            {{- if .Values.config.ignoreInactiveObjects }}
-            - name: "OBOT_SERVER_IGNORE_INACTIVE"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "obot.config.secretName" . }}
-                  key: ignoreInactiveObjects
-            {{- end }}
-            {{- if .Values.config.githubAuthToken }}
-            - name: "GITHUB_AUTH_TOKEN"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "obot.config.secretName" . }}
-                  key: githubAuthToken
-            {{- end }}
-            {{- if .Values.config.gcpKMSKeyURI }}
-            - name: "OBOT_GCP_KMS_KEY_URI"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "obot.config.secretName" . }}
-                  key: gcpKMSKeyURI
-            {{- end }}
-            {{- if .Values.config.obotServerAuthAdminEmails }}
-            - name: "OBOT_SERVER_AUTH_ADMIN_EMAILS"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "obot.config.secretName" . }}
-                  key: obotServerAuthAdminEmails
-            {{- end }}
-            {{- if .Values.config.obotBootstrapToken }}
-            - name: "OBOT_BOOTSTRAP_TOKEN"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "obot.config.secretName" . }}
-                  key: obotBootstrapToken
-            {{- end }}
-            {{- if .Values.config.obotServerDSN }}
-            - name: "OBOT_SERVER_DSN"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "obot.config.secretName" . }}
-                  key: obotServerDSN
-            {{- end }}
-            {{- if .Values.config.obotServerHostname }}
-            - name: "OBOT_SERVER_HOSTNAME"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "obot.config.secretName" . }}
-                  key: obotServerHostname
-            {{- end }}
-            {{- if .Values.config.obotWorkspaceProviderType }}
-            - name: "OBOT_WORKSPACE_PROVIDER_TYPE"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "obot.config.secretName" . }}
-                  key: obotWorkspaceProviderType
-            {{- end }}
-            {{- if .Values.config.openaiApiKey }}
-            - name: "OPENAI_API_KEY"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "obot.config.secretName" . }}
-                  key: openaiApiKey
-            {{- end }}
-            {{- if .Values.config.workspaceProviderS3BaseEndpoint }}
-            - name: "WORKSPACE_PROVIDER_S3_BASE_ENDPOINT"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "obot.config.secretName" . }}
-                  key: workspaceProviderS3BaseEndpoint
-            {{- end }}
-            {{- if .Values.config.workspaceProviderS3Bucket }}
-            - name: "WORKSPACE_PROVIDER_S3_BUCKET"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "obot.config.secretName" . }}
-                  key: workspaceProviderS3Bucket
-            {{- end }}
-            {{- if .Values.extraEnv }}
             {{- range $key, $value := .Values.extraEnv }}
             - name: {{ $key }}
               value: {{ $value | quote }}
             {{- end }}
-            {{- end }}
+          {{- end }}
+          envFrom:
+            - secretRef:
+                name: {{ if .Values.config.existingSecret }}{{ .Values.config.existingSecret }}{{ else }}{{ include "obot.config.secretName" . }}{{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
       {{- if and (eq .Values.config.obotWorkspaceProviderType "directory") .Values.persistence.enabled }}
       volumes:
         - name: data
           persistentVolumeClaim:
             claimName: {{ ternary .Values.persistence.existingClaim (print .Release.Name "-pvc") (ne .Values.persistence.existingClaim "") }}
-      {{- end }}
+      {{- end }}
diff --git a/chart/templates/secret.yaml b/chart/templates/secret.yaml
@@ -1,61 +1,15 @@
-{{- if eq .Values.config.existingSecret "" -}}
+{{- if not .Values.config.existingSecret -}}
 apiVersion: v1
-data:
-  {{- if .Values.config.awsAccessKeyID }}
-  awsAccessKeyID: {{ .Values.config.awsAccessKeyID | b64enc }}
-  {{- end }}
-  {{- if .Values.config.awsRegion }}
-  awsRegion: {{ .Values.config.awsRegion | b64enc }}
-    {{- end }}
-  {{- if .Values.config.awsSecretAccessKey }}
-  awsSecretAccessKey: {{ .Values.config.awsSecretAccessKey | b64enc }}
-    {{- end }}
-  {{- if .Values.config.nahThreadiness }}
-  nahThreadiness: {{ .Values.config.nahThreadiness | b64enc }}
-    {{- end }}
-  {{- if .Values.config.knowledgeFileWorkers }}
-  knowledgeFileWorkers: {{ .Values.config.knowledgeFileWorkers | b64enc }}
-    {{- end }}
-  {{- if .Values.config.kinmDBConnections }}
-  kinmDBConnections: {{ .Values.config.kinmDBConnections | b64enc }}
-    {{- end }}
-  {{- if .Values.config.ignoreInactiveObjects }}
-  ignoreInactiveObjects: {{ .Values.config.ignoreInactiveObjects | b64enc }}
-    {{- end }}
-  {{- if .Values.config.gcpKMSKeyURI }}
-  gcpKMSKeyURI: {{ .Values.config.gcpKMSKeyURI | b64enc }}
-    {{- end }}
-  {{- if .Values.config.githubAuthToken }}
-  githubAuthToken: {{ .Values.config.githubAuthToken | b64enc }}
-    {{- end }}
-  {{- if .Values.config.obotServerAuthAdminEmails }}
-  obotServerAuthAdminEmails: {{ .Values.config.obotServerAuthAdminEmails | b64enc }}
-    {{- end }}
-  {{- if .Values.config.obotServerDSN }}
-  obotServerDSN: {{ .Values.config.obotServerDSN | b64enc }}
-    {{- end }}
-  {{- if .Values.config.obotBootstrapToken }}
-  obotBootstrapToken: {{ .Values.config.obotBootstrapToken | b64enc }}
-    {{- end }}
-  {{- if .Values.config.obotServerHostname }}
-  obotServerHostname: {{ .Values.config.obotServerHostname | b64enc }}
-    {{- end }}
-  {{- if .Values.config.obotWorkspaceProviderType }}
-  obotWorkspaceProviderType: {{ .Values.config.obotWorkspaceProviderType | b64enc }}
-    {{- end }}
-  {{- if .Values.config.openaiApiKey }}
-  openaiApiKey: {{ .Values.config.openaiApiKey | b64enc }}
-    {{- end }}
-  {{- if .Values.config.workspaceProviderS3BaseEndpoint }}
-  workspaceProviderS3BaseEndpoint: {{ .Values.config.workspaceProviderS3BaseEndpoint | b64enc }}
-    {{- end }}
-  {{- if .Values.config.workspaceProviderS3Bucket }}
-  workspaceProviderS3Bucket: {{ .Values.config.workspaceProviderS3Bucket | b64enc }}
-    {{- end }}
 kind: Secret
+type: Opaque
 metadata:
   labels:
     {{- include "obot.labels" . | nindent 4 }}
   name: {{ include "obot.config.secretName" . }}
-type: Opaque
-{{- end -}}
+data:
+  {{- range $key, $value := .Values.config }}
+  {{- if $value }}
+  {{ $key }}: {{ $value | quote | b64enc }}
+  {{- end }}
+  {{- end }}
+{{- end -}}
diff --git a/chart/values.yaml b/chart/values.yaml
@@ -50,54 +50,54 @@ ingress:
   #    hosts:
   #      - chart-example.local
 
-# config - A key/value object containing configuration variables to configure on the obot deployment
+# config - A key/value object containing configuration variables to configure on the obot deployment. Will be converted to a secret and used via envFrom.
 config:
-  # config.existingSecret -- The name of an existing secret to use for config instead of creating a new one
+  # config.existingSecret -- The name of an existing secret to use for config instead of creating a new one. Must contain keys in env format, just like below.
   existingSecret: ""
 
-  # config.awsAccessKeyID -- An AWS access key with permissions for AWS KMS, used for encryption
-  awsAccessKeyID: ""
-  # config.awsRegion -- An AWS region, used to access AWS KMS
-  awsRegion: ""
-  # config.awsAccessKeyID -- An AWS secret access key with permissions for AWS KMS, used for encryption
-  awsSecretAccessKey: ""
-
-  # config.gcpKMSKeyURI -- The URI of a Google Cloud KMS key, used for encryption
-  gcpKMSKeyURI: ""
-
-  # config.nahThreadiness -- Advanced - sets the number of concurrent threads that can run in the Obot controller
-  nahThreadiness: "10000"
-  # config.knowledgeFileWorkers -- Advanced - sets the number of workers for knowledge
-  knowledgeFileWorkers: "5"
-
-  # config.kinmDBConnections -- Advanced - the number of connections in the database pool for kinm
-  kinmDBConnections: "5"
-
-  # config.ignoreInactiveObjects -- whether the controller objects that have been marked as inactive
-  ignoreInactiveObjects: false
-
-  # config.githubAuthToken -- A github PAT, used to authenticate tool pulls to avoid github ratelimiting
-  githubAuthToken: ""
-  # config.obotServerEnableAuthentication -- Enables authentication for Obot
-  obotServerEnableAuthentication: true
-  # config.obotServerEncryptionProvider -- Configures an encryption provider for credentials in Obot
-  obotServerEncryptionProvider: "None" # "None", "AWS", "GCP"
-  # config.obotBootstrapToken -- Sets a bootstrap token. If authentication is enabled, one will be autogenerated for you if this is not set.
-  obotBootstrapToken: ""
-  # config.obotServerAuthAdminEmails -- A comma separated list of email addresses that will have the Admin role in Obot.
-  obotServerAuthAdminEmails: ""
-  # config.obotServerDSN -- The DSN for your database. For example: postgres://<username>:<password>@<hostname>/<db_name>
-  obotServerDSN: ""
-  # config.obotServerHostname -- The hostname of your Obot instance, including protocol
-  obotServerHostname: ""
-  # config.obotWorkspaceProviderType -- Configures the storage backend for workspaces in Obot. Can be 's3' or 'directory'
-  obotWorkspaceProviderType: "directory"
-  # config.openaiApiKey -- An OpenAI API Key used to configure access to OpenAI models, which are the default in Obot.
-  openaiApiKey: ""
-  # config.workspaceProviderS3BaseEndpoint -- If config.obotWorkspaceProviderType is 's3' and you are not using AWS S3, this needs to be set to the S3 api endpoint of your provider.
-  workspaceProviderS3BaseEndpoint: ""
-  # config.workspaceProviderS3Bucket -- The name of the S3 bucket to store workspaces in. Only used if config.obotWorkspaceProviderType is 's3'
-  workspaceProviderS3Bucket: ""
+  # config.AWS_ACCESS_KEY_ID -- An AWS access key with permissions for AWS KMS, used for encryption
+  AWS_ACCESS_KEY_ID: ""
+  # config.AWS_REGION -- An AWS region, used to access AWS KMS
+  AWS_REGION: ""
+  # config.AWS_SECRET_ACCESS_KEY -- An AWS secret access key with permissions for AWS KMS, used for encryption
+  AWS_SECRET_ACCESS_KEY: ""
+
+  # config.OBOT_GCP_KMS_KEY_URI -- The URI of a Google Cloud KMS key, used for encryption
+  OBOT_GCP_KMS_KEY_URI: ""
+
+  # config.NAH_THREADINESS -- Advanced - sets the number of concurrent threads that can run in the Obot controller
+  NAH_THREADINESS: "10000"
+  # config.OBOT_SERVER_KNOWLEDGE_FILE_WORKERS -- Advanced - sets the number of workers for knowledge
+  OBOT_SERVER_KNOWLEDGE_FILE_WORKERS: "5"
+
+  # config.KINM_DB_CONNECTIONS -- Advanced - the number of connections in the database pool for kinm
+  KINM_DB_CONNECTIONS: "5"
+
+  # config.OBOT_SERVER_IGNORE_INACTIVE -- whether the controller processes objects that have been marked as inactive
+  OBOT_SERVER_IGNORE_INACTIVE: false
+
+  # config.GITHUB_AUTH_TOKEN -- A github PAT, used to authenticate tool pulls to avoid github ratelimiting
+  GITHUB_AUTH_TOKEN: ""
+  # config.OBOT_SERVER_ENABLE_AUTHENTICATION -- Enables authentication for Obot
+  OBOT_SERVER_ENABLE_AUTHENTICATION: true
+  # config.OBOT_SERVER_ENCRYPTION_PROVIDER -- Configures an encryption provider for credentials in Obot
+  OBOT_SERVER_ENCRYPTION_PROVIDER: "None" # "None", "AWS", "GCP"
+  # config.OBOT_BOOTSTRAP_TOKEN -- Sets a bootstrap token. If authentication is enabled, one will be autogenerated for you if this is not set.
+  OBOT_BOOTSTRAP_TOKEN: ""
+  # config.OBOT_SERVER_AUTH_ADMIN_EMAILS -- A comma separated list of email addresses that will have the Admin role in Obot.
+  OBOT_SERVER_AUTH_ADMIN_EMAILS: ""
+  # config.OBOT_SERVER_DSN -- The DSN for your database. For example: postgres://<username>:<password>@<hostname>/<db_name>
+  OBOT_SERVER_DSN: ""
+  # config.OBOT_SERVER_HOSTNAME -- The hostname of your Obot instance, including protocol
+  OBOT_SERVER_HOSTNAME: ""
+  # config.OBOT_WORKSPACE_PROVIDER_TYPE -- Configures the storage backend for workspaces in Obot. Can be 's3' or 'directory'
+  OBOT_WORKSPACE_PROVIDER_TYPE: "directory"
+  # config.OPENAI_API_KEY -- An OpenAI API Key used to configure access to OpenAI models, which are the default in Obot.
+  OPENAI_API_KEY: ""
+  # config.WORKSPACE_PROVIDER_S3_BASE_ENDPOINT -- If config.obotWorkspaceProviderType is 's3' and you are not using AWS S3, this needs to be set to the S3 api endpoint of your provider.
+  WORKSPACE_PROVIDER_S3_BASE_ENDPOINT: ""
+  # config.WORKSPACE_PROVIDER_S3_BUCKET -- The name of the S3 bucket to store workspaces in. Only used if config.obotWorkspaceProviderType is 's3'
+  WORKSPACE_PROVIDER_S3_BUCKET: ""
 
 # extraEnv -- A map of additional environment variables to set
 extraEnv: { }
@@ -129,4 +129,4 @@ serviceAccount:
   annotations: { }
   # serviceAccount.name - The name of the service account to use.
   # If not set and create is true, a name is generated using the fullname template
-  name: ""
+  name: ""