Helm Chart
The OpenDepot Helm chart is published to a GitHub Pages Helm repository:
The chart source is also available at chart/opendepot/ in the repository.
See Installation for the full Helm values reference and deployment instructions.
Server Configuration
OIDC Authentication
The server.oidc section enables OIDC JWT validation for production-ready single sign-on. See Authenticating with OpenDepot for detailed setup and examples.
| Value | Type | Description |
|---|---|---|
| server.oidc.enabled | bool | When true, enables OIDC JWT validation and advertises the login.v1 service discovery endpoint. Default: false |
| server.oidc.issuerUrl | string | OIDC issuer URL (e.g., https://dex.example.com/dex). When blank and dex.enabled: true, auto-derives the in-cluster Dex service URL. |
| server.oidc.clientId | string | OIDC client ID. Must match the Dex static client id. Default: "opendepot" |
| server.oidc.clientSecretName | string | Name of a Kubernetes Secret containing the clientSecret key. When blank, the chart creates a Secret from server.oidc.clientSecret. |
| server.oidc.clientSecret | string | Dex client secret (only used if clientSecretName is blank). In production, use an external secret operator instead of storing plaintext here. |
| server.oidc.groupsClaim | string | JWT claim name containing the user's groups, used for GroupBinding evaluation. When blank, defaults to groups. Set to cognito:groups, roles, etc. for non-standard IdPs. |
| server.oidc.allowServiceAccountFallback | bool | When true, Kubernetes ServiceAccount bearer tokens with a non-OIDC issuer are authenticated via the bearer-token path using the SA's own RBAC. GroupBinding is bypassed for SA tokens. Requires server.oidc.enabled: true. Default: false |
| server.oidc.allowClientCredentials | bool | When true, Dex tokens whose audience does not match the primary client ID are accepted. The token's sub claim is mapped to a virtual group "client:<sub>" and evaluated against GroupBinding resources. Requires a Dex staticClient with grantTypes: ["client_credentials"]. Default: false |
| server.oidc.authzUrl | string | Overrides the authorization URL advertised in login.v1 of /.well-known/terraform.json. Leave blank to use the URL from the OIDC provider discovery document. Use this when the server discovers Dex via an in-cluster address but CLI clients must reach Dex at a different address (e.g. a port-forwarded URL during local Kind testing). |
| server.oidc.tokenUrl | string | Overrides the token URL advertised in login.v1 of /.well-known/terraform.json. Same use-case as authzUrl. |
Example:
```yaml
server:
  oidc:
    enabled: true
    issuerUrl: https://dex.example.com/dex
    clientId: opendepot
    clientSecret: <generated-secret>   # generate beforehand, e.g. with: openssl rand -base64 32 (YAML does not expand shell substitutions)
    clientSecretName: ""               # Use the above value; or set to "my-secret" to use an external Secret
```
Warning
When both dex.enabled and server.oidc.enabled are true, the Helm render fails if neither server.oidc.clientSecret nor server.oidc.clientSecretName is set. For production, pre-create a Kubernetes Secret and reference it via server.oidc.clientSecretName.
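The three authorization flags in the table above (groupsClaim, allowServiceAccountFallback, allowClientCredentials) decide which groups, if any, a token is evaluated against. The following Python is an added illustration of that decision, written for this page; it is not OpenDepot's server code. It assumes the JWT signature, expiry and issuer discovery have already been verified, models only the claims-to-groups step, and does not perform the Kubernetes TokenReview that the ServiceAccount path would do. The sample claims, issuer and client names are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class OidcConfig:
    """The subset of server.oidc.* values that shape authorization."""
    issuer_url: str
    client_id: str
    groups_claim: str = ""                      # blank -> "groups"
    allow_service_account_fallback: bool = False
    allow_client_credentials: bool = False


class TokenRejected(Exception):
    """Raised when no configured path accepts the token."""


def _audiences(claims: dict) -> list[str]:
    # RFC 7519 allows aud to be a single string or an array of strings.
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def resolve_groups(claims: dict, cfg: OidcConfig) -> tuple[str, list[str]]:
    """Map already-verified JWT claims to (auth_path, groups).

    auth_path "oidc" means the returned groups are matched against
    GroupBinding resources; "serviceaccount" means the request is routed
    to the Kubernetes bearer-token path and GroupBinding is bypassed.
    """
    issuer = claims.get("iss", "")
    if issuer != cfg.issuer_url:
        # A token from another issuer is only usable as a ServiceAccount
        # token, and only when the fallback flag is on. The cluster-side
        # TokenReview that would validate it is not modelled here.
        if cfg.allow_service_account_fallback:
            return "serviceaccount", []
        raise TokenRejected(f"issuer {issuer!r} is not the configured OIDC issuer")

    if cfg.client_id in _audiences(claims):
        # Ordinary user token: groups come from the configured claim name.
        claim_name = cfg.groups_claim or "groups"
        return "oidc", list(claims.get(claim_name, []))

    if cfg.allow_client_credentials:
        # Audience is some other Dex static client: the sub claim becomes
        # a virtual group so a GroupBinding has to grant it explicitly.
        sub = claims.get("sub")
        if not sub:
            raise TokenRejected("client-credentials token has no sub claim")
        return "oidc", [f"client:{sub}"]

    raise TokenRejected("audience does not include the primary client id")


# Constructed sample tokens (claims only; no signatures involved).
ISSUER = "https://dex.example.com/dex"
USER_TOKEN = {"iss": ISSUER, "aud": "opendepot", "sub": "alice", "groups": ["platform-team"]}
COGNITO_STYLE_TOKEN = {"iss": ISSUER, "aud": ["opendepot"], "sub": "bob", "cognito:groups": ["ops"]}
CI_TOKEN = {"iss": ISSUER, "aud": "ci-runner", "sub": "ci-runner"}
SA_TOKEN = {"iss": "https://kubernetes.default.svc.cluster.local", "sub": "system:serviceaccount:ci:runner"}

if __name__ == "__main__":
    strict = OidcConfig(issuer_url=ISSUER, client_id="opendepot")
    print(resolve_groups(USER_TOKEN, strict))   # ('oidc', ['platform-team'])
    for token in (CI_TOKEN, SA_TOKEN):
        try:
            resolve_groups(token, strict)
        except TokenRejected as err:
            print("rejected:", err)
```

With both fallback flags at their default of false, the CI and ServiceAccount tokens are rejected outright; turning a flag on does not make such a token an ordinary user, it only routes it to the narrower path the table describes (a "client:<sub>" group that a GroupBinding must name, or the SA's own RBAC).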
Dex Configuration
The dex section deploys Dex as an OIDC identity provider. Dex federates upstream IdPs (GitHub, Entra ID, Okta, LDAP, etc.) and issues JWTs that the server validates locally.
| Value | Type | Description |
|---|---|---|
| dex.enabled | bool | When true, deploys Dex as a subchart. Default: false |
| dex.config.issuer | string | Public issuer URL. In-cluster: http://opendepot-dex.opendepot-system.svc.cluster.local:5556/dex. External: https://dex.example.com/dex |
| dex.config.connectors | array | Array of upstream IdP connector configurations. See examples below. Default: [] |
| dex.config.enablePasswordDB | bool | When true, enables local username/password authentication (testing only). Default: false |
| dex.config.staticPasswords | array | Array of test users for local auth. Never enable in production. Default: [] |
Basic Example (GitHub):
```yaml
dex:
  enabled: true
  config:
    issuer: https://dex.example.com/dex
    connectors:
      - type: github
        id: github
        name: GitHub
        config:
          clientID: <github-oauth-app-client-id>
          clientSecret: <github-oauth-app-secret>
          redirectURI: https://dex.example.com/dex/callback
          org: my-org # (optional) restrict to an org
```
Entra ID (Azure AD) Example:
```yaml
dex:
  enabled: true
  config:
    issuer: https://dex.example.com/dex
    connectors:
      - type: microsoft
        id: microsoft
        name: "Azure AD"
        config:
          clientID: <azure-app-id>
          clientSecret: <azure-app-secret>
          redirectURI: https://dex.example.com/dex/callback
          tenant: <azure-tenant-id>
```
For connector configuration details, refer to the Dex Connector Documentation.
Warning
Never set enablePasswordDB: true or staticPasswords in production. Use real IdP connectors instead.
UI Configuration
The ui section deploys the Registry Explorer frontend. See Registry Explorer UI for setup details and the Registry Explorer guide for enabling public visibility and browse access.
| Value | Type | Description |
|---|---|---|
| ui.enabled | bool | When true, deploys the Registry Explorer UI and NGINX proxy. Also suppresses server-ingress.yaml; migrate traffic to ui.ingress before enabling. Default: false |
| ui.replicaCount | int | Number of UI pod replicas. Default: 1 |
| ui.image.repository | string | UI container image repository. Default: ghcr.io/tonedefdev/opendepot/ui |
| ui.image.tag | string | Image tag. Defaults to global.image.tag, then the chart appVersion. |
| ui.serverHost | string | Upstream host:port that NGINX proxies registry requests to. Defaults to server.<namespace>.svc.cluster.local:80 when blank. |
| ui.sessionPasswordSecretName | string | Name of a Kubernetes Secret with a sessionPassword key (min 32 chars). Required when ui.enabled: true. |
| ui.oidc.enabled | bool | Enables OIDC authorization code login in the UI. Default: false |
| ui.oidc.issuerUrl | string | Public OIDC issuer URL (must be reachable from browsers). |
| ui.oidc.clientId | string | OIDC client ID for the UI. Default: "opendepot-ui". When ui.oidc.enabled: true and non-empty, the chart also passes --oidc-ui-client-id to the server so UI-issued tokens are accepted on browse and stats endpoints. See Registry Explorer UI OIDC. |
| ui.oidc.clientSecretName | string | Name of a Kubernetes Secret with a clientSecret key for the OIDC confidential client. |
| ui.oidc.scopes | string | Space-separated OIDC scopes. Default: "openid profile email groups" |
| ui.oidc.callbackPath | string | OIDC redirect URI path registered with the identity provider. Default: "/auth/callback" |
| ui.auth.devTokenInput.enabled | bool | When true, shows a developer bearer-token input in the UI. Must be false in production. Default: false |
| ui.ingress.enabled | bool | Creates a Kubernetes Ingress for the UI with split-path routing rules. Default: false |
| ui.ingress.className | string | Ingress class name. |
| ui.ingress.annotations | map | Annotations applied to the Ingress resource. |
| ui.ingress.hosts | list | Host and path rules. |
| ui.ingress.tls | list | TLS configuration for the Ingress. |
Valkey Stats Store
Download statistics are persisted in a bundled Valkey (Redis-compatible) instance deployed automatically alongside the server. No additional setup is required — Valkey is always deployed as part of the chart.
| Value | Type | Description |
|---|---|---|
| valkey.resources | map | Resource requests and limits for the Valkey pod |
| valkey.dataStorage.enabled | bool | Create a PVC for Valkey data. Default: true |
| valkey.dataStorage.className | string | StorageClass for the PVC. Leave blank for the cluster default. Default: "" |
| valkey.dataStorage.requestedSize | string | PVC storage size. Default: 1Gi |
| valkey.auth.enabled | bool | Enable Valkey ACL password authentication. Default: false |
| valkey.auth.usersExistingSecret | string | Name of a pre-existing Secret whose keys are ACL usernames and values are plaintext passwords. Required when valkey.auth.enabled: true. Default: "" |
| valkey.auth.aclUsers.default.permissions | string | ACL permissions string for the default user. The default is scoped to stats:* keys and the exact commands used by the server (e.g. ~stats:* &* -@all +HSET +HINCRBY +HGET +HGETALL +INCR +GET +ZINCRBY +ZREVRANGEBYSCORE +ZREVRANGE +EXPIREAT). Do not widen to +@all in production. |
| server.stats.valkeyPasswordSecretName | string | Name of the Secret injected as OPENDEPOT_VALKEY_PASSWORD into the server pod. Must match valkey.auth.usersExistingSecret when auth is enabled. Default: "" |
| valkey.nodeSelector | map | Node selector for the Valkey pod |
| valkey.tolerations | list | Tolerations for the Valkey pod |
| valkey.affinity | map | Affinity rules for the Valkey pod |
When valkey.dataStorage.enabled: true (the default), a PVC is created and mounted at /data in the Valkey pod. Set valkey.dataStorage.enabled: false to use ephemeral in-pod storage — suitable for local development or Kind clusters where no StorageClass is available. Stats are lost on pod restart when persistence is disabled.
Production Security
Valkey ACL authentication is disabled by default. For production deployments, create a Kubernetes Secret containing the password, then configure valkey.auth.enabled: true, valkey.auth.usersExistingSecret, and server.stats.valkeyPasswordSecretName to point at it. For regulated environments, use External Secrets Operator or HashiCorp Vault to provision the Secret rather than storing the password in values.yaml.
See Download Tracking for details on how stats are recorded and surfaced in the Registry Explorer UI.
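The constraints stated across this page (the render failure in the OIDC warning, the Dex password-DB warning, the UI session-secret and dev-token rules, and the Valkey authentication and ACL guidance just above) are easy to check before running helm. The following Python lint is an added example written for this page, not part of the OpenDepot chart. It takes the parsed values mapping, as yaml.safe_load would return it for a values.yaml, and reports each documented misconfiguration; it includes a small parser for the Valkey ACL rule string that flags +@all, ~* or any command beyond the set listed in the table. The sample values and Secret names are constructed.

```python
from __future__ import annotations

# Commands the page lists for the default Valkey ACL user. Anything beyond
# these widens what a leaked stats password can do.
DOCUMENTED_VALKEY_COMMANDS = {
    "HSET", "HINCRBY", "HGET", "HGETALL", "INCR", "GET",
    "ZINCRBY", "ZREVRANGEBYSCORE", "ZREVRANGE", "EXPIREAT",
}
DEFAULT_VALKEY_ACL = ("~stats:* &* -@all +HSET +HINCRBY +HGET +HGETALL +INCR +GET "
                      "+ZINCRBY +ZREVRANGEBYSCORE +ZREVRANGE +EXPIREAT")


def get(values: dict, path: str, default=None):
    """Dotted-path lookup into the nested values mapping, e.g. 'server.oidc.enabled'."""
    node = values
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def acl_problems(perms: str) -> list[str]:
    """Parse a Valkey/Redis ACL rule string and report widening past the documented scope."""
    problems, allowed = [], set()
    tokens = perms.split()
    # "~<pattern>" is a key pattern; "allkeys" is the alias for "~*".
    if "allkeys" in tokens or "*" in [t[1:] for t in tokens if t.startswith("~")]:
        problems.append("ACL grants all keys; scope the user to ~stats:*")
    for tok in tokens:
        if tok == "allcommands" or tok.startswith("+@"):
            problems.append(f"ACL grants a whole command category ({tok}); keep -@all and add commands individually")
        elif tok.startswith("+"):
            allowed.add(tok[1:].split("|")[0].upper())   # "+config|get" -> CONFIG
    extra = sorted(allowed - DOCUMENTED_VALKEY_COMMANDS)
    if extra:
        problems.append("ACL allows commands the server does not need: " + ", ".join(extra))
    return problems


def lint_values(values: dict, production: bool = True) -> list[str]:
    """Return the misconfigurations this page documents; an empty list means clean."""
    errors = []
    oidc_on, dex_on = get(values, "server.oidc.enabled", False), get(values, "dex.enabled", False)
    if oidc_on and dex_on and not (get(values, "server.oidc.clientSecret") or get(values, "server.oidc.clientSecretName")):
        errors.append("server.oidc: clientSecretName or clientSecret is required when dex.enabled is true (render fails)")
    if production and get(values, "server.oidc.clientSecret"):
        errors.append("server.oidc.clientSecret is plaintext in values; pre-create a Secret and use clientSecretName")
    if production and dex_on and (get(values, "dex.config.enablePasswordDB", False) or get(values, "dex.config.staticPasswords")):
        errors.append("dex.config.enablePasswordDB / staticPasswords are for testing only")
    if get(values, "ui.enabled", False) and not get(values, "ui.sessionPasswordSecretName"):
        errors.append("ui.sessionPasswordSecretName is required when ui.enabled is true")
    if production and get(values, "ui.auth.devTokenInput.enabled", False):
        errors.append("ui.auth.devTokenInput.enabled must be false in production")
    if get(values, "valkey.auth.enabled", False):
        users_secret = get(values, "valkey.auth.usersExistingSecret", "")
        if not users_secret:
            errors.append("valkey.auth.usersExistingSecret is required when valkey.auth.enabled is true")
        elif users_secret != get(values, "server.stats.valkeyPasswordSecretName", ""):
            errors.append("server.stats.valkeyPasswordSecretName must match valkey.auth.usersExistingSecret")
    elif production:
        errors.append("valkey.auth.enabled is false: the stats store accepts unauthenticated clients")
    if production:
        errors.extend(acl_problems(get(values, "valkey.auth.aclUsers.default.permissions", DEFAULT_VALKEY_ACL)))
    return errors


# Constructed sample values (not from the project): one sloppy, one hardened.
DEV_VALUES = {
    "server": {"oidc": {"enabled": True, "clientSecret": "hunter2", "clientSecretName": ""}},
    "dex": {"enabled": True, "config": {"enablePasswordDB": True}},
    "ui": {"enabled": True, "sessionPasswordSecretName": "", "auth": {"devTokenInput": {"enabled": True}}},
    "valkey": {"auth": {"enabled": False, "aclUsers": {"default": {"permissions": "~* &* +@all"}}}},
}
PROD_VALUES = {
    "server": {"oidc": {"enabled": True, "clientId": "opendepot", "clientSecretName": "opendepot-oidc"},
               "stats": {"valkeyPasswordSecretName": "opendepot-valkey-auth"}},
    "dex": {"enabled": True, "config": {"issuer": "https://dex.example.com/dex"}},
    "ui": {"enabled": True, "sessionPasswordSecretName": "opendepot-ui-session"},
    "valkey": {"auth": {"enabled": True, "usersExistingSecret": "opendepot-valkey-auth"}},
}

if __name__ == "__main__":
    for name, vals in (("dev", DEV_VALUES), ("prod", PROD_VALUES)):
        print(name, lint_values(vals) or "clean")
```

Run it with production=False for Kind or local clusters, where unauthenticated Valkey and a plaintext client secret are tolerable; the ui.sessionPasswordSecretName and render-time checks still apply there because the chart itself enforces them.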
Scanning Values
The scanning section controls Trivy-based provider vulnerability scanning. See Vulnerability Scanning for full details.