Helm Configuration

In Falcone is configured through the umbrella chart charts/in-falcone. This page covers the structure of values.yaml and how to compose it. For full install walkthroughs see Installation.

Top-level value sections

| Key | Controls |
| --- | --- |
| global | Cross-cutting: environment, namespace, airgap, private registry, image pull secrets |
| publicSurface | Hostnames, bindings, ingress/route exposure, TLS mode |
| environmentProfile | Named environment defaults |
| deployment | Active sizing profile + valuesLayers ordering |
| platform | target (kubernetes/openshift), network.exposureKind, securityProfile |
| config | ConfigMap names + secretRefs (existing-secret references) + inheritance order |
| bootstrap | Reconcile payload (gateway routes, realm), lock/marker ConfigMaps |
| apisix, keycloak, postgresql, mongodb, kafka, openwhisk, storage, observability, controlPlane, controlPlaneExecutor, webConsole | Per-component config (each toggled by <component>.enabled) |
| gatewayPolicy | Gateway routing/scope/rate-limit policy |
| eso, vault | Secret management (External Secrets Operator + Vault) |

Composing values

Layer files in the order the chart recommends (later wins):

common → environment → customer → platform → airgap → localOverride → secretRefs
bash
helm dependency build charts/in-falcone

# Values layers passed below, in order (later wins):
#   prod.yaml                  environment
#   customer-reference.yaml    customer
#   platform-kubernetes.yaml   platform
#   profiles/standard.yaml     sizing
helm upgrade --install falcone charts/in-falcone \
  -n falcone --create-namespace \
  -f charts/in-falcone/values/prod.yaml \
  -f charts/in-falcone/values/customer-reference.yaml \
  -f charts/in-falcone/values/platform-kubernetes.yaml \
  -f charts/in-falcone/values/profiles/standard.yaml

config.inheritanceOrder records this layering; deployment.profile selects the sizing profile.

Enabling / disabling components

Point a component at an external managed service by disabling its in-cluster copy:

yaml
postgresql:
  enabled: false        # use an external Postgres instead
config:
  secretRefs:
    postgresCredentials:
      existingSecret: my-external-postgres   # supply username/password/database

The AI-native capabilities are off by default and are enabled by their own component toggles (set the matching runtime env from Environment Variables):

yaml
temporal:        { enabled: true }   # Flows engine — also set TEMPORAL_ADDRESS on the executor
workflowWorker:  { enabled: true }   # the DSL interpreter worker
mcp:             { enabled: true }   # MCP server hosting (RBAC + internal-only NetworkPolicy);
                                     # set MCP_ENABLED=true on the executor to serve /v1/mcp

Object storage is the storage component (MinIO, S3-compatible) and the document API is the mongodb component; the SeaweedFS / FerretDB+DocumentDB alternatives on the Roadmap are not yet implemented in the chart.

Exposure & TLS

yaml
platform:
  target: kubernetes          # or openshift
  network:
    exposureKind: Ingress     # or Route
publicSurface:
  hostnames:
    api: api.example.test
    identity: id.example.test
    realtime: rt.example.test
    console: console.example.test
  tls:
    mode: <your-tls-mode>

Schema validation

The chart ships a strict values.schema.json, validated on helm install/upgrade. When iterating on a partial values set, bypass it with --skip-schema-validation.

Inspecting a render

bash
helm template falcone charts/in-falcone -f <your values> | less

This is the fastest way to confirm exposure objects, bootstrap payload and image references before applying.
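
As an added example (not part of the chart or its documentation), this Python script scans a saved `helm template` render for the items named above and goes one step further by flagging images with no pinned tag or digest. The private registry prefix `registry.example.test/`, the file name `render.yaml` and the sample manifest are assumptions constructed for illustration; the scan is line-based and assumes the block-style YAML that Helm renders.

```python
import re
import sys

# Constructed sample of rendered output (not real output of this chart).
SAMPLE = """\
---
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: control-plane
          image: "registry.example.test/falcone/control-plane:1.0.0"
        - image: docker.io/library/busybox:latest
---
kind: Ingress
spec:
  rules:
    - host: api.example.test
"""

IMAGE = re.compile(r"""(?m)^[ \t]*(?:-[ \t]+)?image:[ \t]*["']?([^"'\s]+)""")
HOST = re.compile(r"""(?m)^[ \t]*(?:-[ \t]+)?host:[ \t]*["']?([^"'\s]+)""")


def audit_render(text, registry):
    """Scan rendered manifests; return (off_registry, floating, exposures)."""
    off_registry, floating, exposures = [], [], []
    for doc in re.split(r"(?m)^---[ \t]*$", text):
        kind = re.search(r"(?m)^kind:[ \t]*(\S+)", doc)
        for image in IMAGE.findall(doc):
            if not image.startswith(registry):
                off_registry.append(image)  # would bypass the private registry
            tag = image.rsplit("/", 1)[-1].partition(":")[2]
            if "@sha256:" not in image and tag in ("", "latest"):
                floating.append(image)  # no pinned tag and no digest
        if kind and kind.group(1) in ("Ingress", "Route"):
            has_tls = re.search(r"(?m)^[ \t]+tls:", doc) is not None
            exposures += [(kind.group(1), h, has_tls) for h in HOST.findall(doc)]
    return off_registry, floating, exposures


if __name__ == "__main__":
    # Usage (file name is hypothetical): python3 audit_render.py render.yaml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    off_registry, floating, exposures = audit_render(text, "registry.example.test/")
    print("outside private registry:", off_registry)
    print("no pinned tag or digest:", floating)
    print("exposed hosts (kind, host, tls):", exposures)
```

Save the render with `helm template falcone charts/in-falcone -f <your values> > render.yaml` and pass that file as the first argument.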

Released under the MIT License.