Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/jonwiggins/optio/llms.txt

Use this file to discover all available pages before exploring further.

The Optio Helm chart (helm/optio/, chart version 0.1.0) deploys the full stack — API server, web UI, PostgreSQL, Redis, RBAC, and Ingress — to any Kubernetes cluster.
All values can be passed via --set key=value on the command line or via a custom values.yaml file passed with -f my-values.yaml. For production deployments, a values file is recommended to keep configuration under version control.

API server

ValueTypeDefaultDescription
api.image.repositorystringoptio-apiContainer image repository for the API server. Override with a registry path for production (e.g. ghcr.io/your-org/optio-api).
api.image.tagstringlatestImage tag. Pin to a specific version for reproducible deployments.
api.image.pullPolicystringIfNotPresentImage pull policy. Use Never for local development (images loaded into containerd locally). Use IfNotPresent or Always for registry images.
api.replicasnumber1Number of API server replicas. Multiple replicas are safe — BullMQ workers use Redis-backed leader election so each job is delivered to exactly one worker.
api.portnumber4000Container port the API server listens on.
api.service.typestringClusterIPKubernetes service type. Set to NodePort for local development (Docker Desktop, kind, minikube).
api.service.nodePortstring""Fixed NodePort number when api.service.type=NodePort. Example: 30400.
api.resources.requests.cpustring250mCPU request for the API pod.
api.resources.requests.memorystring512MiMemory request for the API pod.
api.resources.limits.cpustring1CPU limit for the API pod.
api.resources.limits.memorystring1GiMemory limit for the API pod.
api.env.LOG_LEVELstringinfoLog verbosity. Accepts debug, info, warn, error.
api.antiAffinitystringsoftPod anti-affinity for spreading replicas across nodes. soft = preferred scheduling, hard = required scheduling, "" = disabled.

Web UI

ValueTypeDefaultDescription
web.image.repositorystringoptio-webContainer image repository for the web UI. Override with a registry path for production.
web.image.tagstringlatestImage tag.
web.image.pullPolicystringIfNotPresentImage pull policy. Use Never for local development.
web.replicasnumber1Number of web UI replicas.
web.portnumber3000Container port the Next.js server listens on.
web.service.typestringClusterIPKubernetes service type. Set to NodePort for local development.
web.service.nodePortstring""Fixed NodePort number when web.service.type=NodePort. Example: 30310.
web.resources.requests.cpustring100mCPU request for the web pod.
web.resources.requests.memorystring256MiMemory request for the web pod.
web.resources.limits.cpustring500mCPU limit for the web pod.
web.resources.limits.memorystring512MiMemory limit for the web pod.
web.antiAffinitystringsoftPod anti-affinity. Same options as api.antiAffinity.

Agent containers

Agent containers are the Kubernetes pods provisioned per repository by the API server. They are not deployed as a Deployment — the API creates them dynamically.
ValueTypeDefaultDescription
agent.image.repositorystringoptio-baseImage repository for agent pods. For production, use a registry path (e.g. ghcr.io/your-org/optio-agent-base). Individual repos can override this with a different preset (optio-node, optio-python, optio-go, optio-rust, optio-full).
agent.image.tagstringlatestImage tag for agent pods.
agent.image.pullPolicystringNeverImage pull policy for the agent.image setting.
agent.imagePullPolicystringNeverPrimary pull policy applied to dynamically created agent pods. Set to IfNotPresent or Always for registry images. Do not use Never in production.
agent.pvc.storageClassstring""Storage class for agent pod PersistentVolumeClaims. Empty string uses the cluster default storage class.
agent.pvc.sizestring10GiPVC size per agent pod instance. Each pod instance gets its own PVC.
agent.pvc.accessModeslist[ReadWriteOnce]PVC access modes.
agent.imagePullPolicy=Never is the default for local development. If left as Never in a production cluster, agent pods will fail to start because the images are not present in the node’s local container store. Always set this to IfNotPresent or Always in production.

PostgreSQL

The chart includes an in-cluster PostgreSQL deployment for development convenience. For production, disable it and use a managed database.
ValueTypeDefaultDescription
postgresql.enabledbooleantrueDeploy an in-cluster PostgreSQL instance. Set to false for production — use externalDatabase.url instead.
postgresql.image.repositorystringpostgresPostgreSQL image repository.
postgresql.image.tagstring16PostgreSQL version. Optio requires PostgreSQL 16+.
postgresql.storage.sizestring5GiPVC size for the PostgreSQL data volume.
postgresql.auth.databasestringoptioDatabase name.
postgresql.auth.usernamestringoptioDatabase username.
postgresql.auth.passwordstring""Database password. Required when postgresql.enabled=true and auth.disabled=false. The chart will fail to install if this is left empty with auth enabled. Generate with: openssl rand -hex 16.
postgresql.resources.requests.cpustring100mCPU request.
postgresql.resources.requests.memorystring256MiMemory request.
postgresql.resources.limits.cpustring500mCPU limit.
postgresql.resources.limits.memorystring512MiMemory limit.
In-cluster PostgreSQL is not recommended for production. It has no replication, no automated backups, and no HA. Use a managed service (RDS, Cloud SQL, Supabase, Neon) and set postgresql.enabled=false.

Redis

The chart includes an in-cluster Redis deployment for development convenience. For production, disable it and use a managed Redis service.
ValueTypeDefaultDescription
redis.enabledbooleantrueDeploy an in-cluster Redis instance. Set to false for production — use externalRedis.url instead.
redis.image.repositorystringredisRedis image repository.
redis.image.tagstring7-alpineRedis version. Optio requires Redis 7+.
redis.resources.requests.cpustring50mCPU request.
redis.resources.requests.memorystring128MiMemory request.
redis.resources.limits.cpustring250mCPU limit.
redis.resources.limits.memorystring256MiMemory limit.
In-cluster Redis is not recommended for production. Use a managed service (ElastiCache, Upstash, Redis Cloud) and set redis.enabled=false.

External database and Redis

Used when the in-cluster deployments are disabled.
ValueTypeDefaultDescription
externalDatabase.urlstring""PostgreSQL connection URL. Required when postgresql.enabled=false. Format: postgres://user:pass@host:5432/dbname.
externalRedis.urlstring""Redis connection URL. Required when redis.enabled=false. Format: redis://host:6379 or rediss://host:6380 for TLS.

Authentication

Optio uses multi-provider OAuth for web UI and API authentication. At least one provider must be configured unless auth.disabled=true.
ValueTypeDefaultDescription
auth.disabledbooleanfalseSkip all authentication checks. Do not set to true in production. Intended only for local development.
auth.github.clientIdstring""GitHub OAuth application client ID.
auth.github.clientSecretstring""GitHub OAuth application client secret.
auth.google.clientIdstring""Google OAuth application client ID.
auth.google.clientSecretstring""Google OAuth application client secret.
auth.gitlab.clientIdstring""GitLab OAuth application client ID.
auth.gitlab.clientSecretstring""GitLab OAuth application client secret.
To enable a provider, set both its clientId and clientSecret. A provider with either field empty is treated as not configured.For self-hosted GitLab, add GITLAB_OAUTH_BASE_URL as an environment variable on the API deployment pointing to your GitLab instance URL.OAuth callback URLs to register with each provider:
ProviderCallback URL
GitHub{API_PUBLIC_URL}/api/auth/github/callback
Google{API_PUBLIC_URL}/api/auth/google/callback
GitLab{API_PUBLIC_URL}/api/auth/gitlab/callback

Encryption

ValueTypeDefaultDescription
encryption.keystring""Required. AES-256-GCM encryption key for secrets stored in the database (API keys, OAuth tokens, webhook secrets). Generate with: openssl rand -hex 32. Store this value securely — losing it means stored secrets cannot be decrypted.
The chart will not function without encryption.key. If the key changes between deployments, all previously stored secrets will be unreadable and will need to be re-entered.

GitHub webhook

ValueTypeDefaultDescription
webhook.githubSecretstring""Shared secret for validating GitHub webhook signatures. Must match the secret configured in your GitHub webhook settings. Generate with: openssl rand -hex 32.

Ingress

ValueTypeDefaultDescription
ingress.enabledbooleanfalseCreate a Kubernetes Ingress resource. Required for production to expose the web UI and API externally.
ingress.classNamestringnginxIngress class name. Matches the kubernetes.io/ingress.class annotation or ingressClassName field.
ingress.annotationsobject{}Additional annotations added to the Ingress resource.
ingress.certManager.enabledbooleanfalseAutomatically add the cert-manager.io/cluster-issuer annotation and generate TLS blocks for each host.
ingress.certManager.clusterIssuerstringletsencrypt-prodcert-manager ClusterIssuer name to use for certificate provisioning.
ingress.hostslistsee belowList of host rules. Each entry has host and paths. Default paths route / to the web service and /api + /ws to the API service.
ingress.tlslist[]Manual TLS configuration. Only needed when certManager.enabled=false. Each entry has secretName and hosts.
Default host configuration:
ingress:
  hosts:
    - host: optio.example.com
      paths:
        - path: /
          pathType: Prefix
          service: web
        - path: /api
          pathType: Prefix
          service: api
        - path: /ws
          pathType: Prefix
          service: api
The /ws path must route to the API service — it is required for live log streaming and real-time event delivery.

Namespace, resource quotas, and service account

ValueTypeDefaultDescription
namespacestringoptioKubernetes namespace for all Optio resources.
resourceQuota.enabledbooleanfalseApply a ResourceQuota to the namespace. Recommended for production to cap the resources that rogue or runaway agent pods can consume.
resourceQuota.hard.requests.cpustring20Namespace-level CPU request limit.
resourceQuota.hard.requests.memorystring40GiNamespace-level memory request limit.
resourceQuota.hard.limits.cpustring40Namespace-level CPU usage limit.
resourceQuota.hard.limits.memorystring80GiNamespace-level memory usage limit.
resourceQuota.hard.podsstring50Maximum number of pods allowed in the namespace.
resourceQuota.hard.persistentvolumeclaimsstring30Maximum number of PVCs allowed in the namespace.
serviceAccount.createbooleantrueCreate a Kubernetes ServiceAccount for the API server. Required for pod management.
serviceAccount.namestringoptioName of the ServiceAccount.
serviceAccount.annotationsobject{}Annotations on the ServiceAccount. Useful for IAM role binding (e.g. EKS IRSA).

Image pull secrets

ValueTypeDefaultDescription
imagePullSecretslist[]List of existing Kubernetes secrets of type kubernetes.io/dockerconfigjson to use when pulling images from private registries. Each entry must have a name key.
Example:
imagePullSecrets:
  - name: my-registry-secret
Create the secret with:
kubectl create secret docker-registry my-registry-secret \
  --docker-server=ghcr.io \
  --docker-username=your-username \
  --docker-password=your-token \
  -n optio

Example configurations

# Minimal production values file
# Pass with: helm install optio helm/optio -f production-values.yaml -n optio --create-namespace

encryption:
  key: "<output of: openssl rand -hex 32>"

postgresql:
  enabled: false

externalDatabase:
  url: "postgres://optio:password@your-db.example.com:5432/optio"

redis:
  enabled: false

externalRedis:
  url: "redis://your-redis.example.com:6379"

auth:
  github:
    clientId: "your-github-client-id"
    clientSecret: "your-github-client-secret"

agent:
  image:
    repository: ghcr.io/your-org/optio-agent-base
    tag: latest
  imagePullPolicy: IfNotPresent

ingress:
  enabled: true
  className: nginx
  certManager:
    enabled: true
    clusterIssuer: letsencrypt-prod
  hosts:
    - host: optio.example.com
      paths:
        - path: /
          pathType: Prefix
          service: web
        - path: /api
          pathType: Prefix
          service: api
        - path: /ws
          pathType: Prefix
          service: api

resourceQuota:
  enabled: true

Build docs developers (and LLMs) love

Get started for freeTalk to us