Helm Chart

Helm Chart installations deploy Helm Chart services to environments. Configure service-specific settings, secrets, and resources for your Kubernetes applications.

# yaml-language-server: $schema=https://api.ryvn.app/v1/schemas/resources.json
kind: ServiceInstallation
metadata:
  name: workers-production
spec:
  service: workers
  environment: production
  config: |
    replicaCount: 2
    resources:
      requests:
        memory: 2Gi
    db:
      password:
        secretKeyRef:
          name: '{{ k8sSecretName "db-credentials" }}'
          key: password

Properties

`service`

string — required Name of the Helm Chart service to install.

service: postgresql

`environment`

string — required Target environment for this installation.

environment: production

`name`

string — optional Custom name for this installation. If not specified, uses the service name.

name: postgres-primary

`namespace`

string — optional Kubernetes namespace to install into. If not provided, uses the environment’s default namespace.

namespace: databases

`releaseChannel`

string — optional Release channel to follow for this installation. If not specified, uses the environment’s channel.

releaseChannel: stable

Variable Groups

All variable groups in the environment are automatically available to Helm Chart installations as Kubernetes secrets — no explicit linking required. Use the k8sSecretName template function to get the Kubernetes secret name for a variable group, then reference individual keys within it:

config: |
  db:
    password:
      secretKeyRef:
        name: '{{ k8sSecretName "db-credentials" }}'
        key: password

The k8sSecretName function returns a deterministic Kubernetes secret name derived from the variable group name. Each key in the variable group becomes a key in the Kubernetes secret. Reference them in your Helm chart templates using standard secretKeyRef or envFrom.secretRef syntax.

Unlike server and job installations, Helm Chart installations do not use the variableGroups field. Any variable group created in the environment is automatically accessible as a Kubernetes secret.

`config`

string or array — optional Service configuration. For Helm charts, this is the values.yaml content passed to the chart.

# As string
config: |
  replicaCount: 3
  persistence:
    enabled: true
    size: 100Gi
  resources:
    limits:
      cpu: 2000m
      memory: 4Gi

# As array with file path
config:
  - path: config/production.yaml

`secrets`

array — optional Secrets to be passed to the Helm chart. Each secret can be generated, reference an organization secret, or get values from blueprint inputs.

secrets:
  - name: db-credentials
    values:
      - key: password
        valueFromInput:
          name: dbPassword

`secrets[].name`

string — required Name of the secret.

secrets:
  - name: db-credentials

`secrets[].generated`

object — optional Configuration for generating a secret automatically. Cannot be used with values or orgSecret.

secrets:
  - name: api-key
    generated:
      type: random-string
      length: 32

`secrets[].generated.type`

string — required Type of secret to generate. Valid values: random-string, random-bytes, rsa-key, ec-key.

generated:
  type: random-string

`secrets[].generated.length`

integer — optional Length of the random string or bytes to generate. Only valid for random-string and random-bytes types.

generated:
  type: random-string
  length: 64

`secrets[].values`

array — optional Key-value pairs for the secret. Cannot be used with generated or orgSecret.

secrets:
  - name: credentials
    values:
      - key: username
        valueFromInput:
          name: dbUser
      - key: password
        valueFromInput:
          name: dbPassword

`secrets[].values[].key`

string — required Secret key name.

values:
  - key: password

`secrets[].values[].valueFromInput`

object — optional Reference to a blueprint input for the value. If the referenced input has a condition that evaluates to false, this secret key is automatically omitted.

values:
  - key: password
    valueFromInput:
      name: dbPassword

`secrets[].values[].valueFromInput.name`

string — required Name of the blueprint input to get the value from.

valueFromInput:
  name: dbPassword

`secrets[].orgSecret`

string — optional Name of organization-level secret to get values from. Cannot be used with values or generated.

Prefer using variable groups instead of orgSecret. All environment variable groups are automatically available to Helm Chart installations as Kubernetes secrets and can be referenced in config via k8sSecretName.

secrets:
  - name: aws-credentials
    orgSecret: prod-aws-creds

Examples

kind: ServiceInstallation
metadata:
  name: postgresql-production
spec:
  service: postgresql
  environment: production
  namespace: databases
  releaseChannel: stable
  config: |
    replicaCount: 2
    persistence:
      enabled: true
      size: 100Gi
    resources:
      limits:
        cpu: 2000m
        memory: 4Gi
      requests:
        cpu: 1000m
        memory: 2Gi
  secrets:
    - name: postgres-credentials
      values:
        - key: postgres-password
          valueFromInput:
            name: dbPassword

With generated secrets:

kind: ServiceInstallation
metadata:
  name: redis-production
spec:
  service: redis
  environment: production
  config: |
    auth:
      enabled: true
    replica:
      replicaCount: 3
  secrets:
    - name: redis-password
      generated:
        type: random-string
        length: 32

With variable groups (automatically available, no explicit linking needed):

kind: ServiceInstallation
metadata:
  name: vault-production
spec:
  service: vault
  environment: production
  config: |
    seal:
      key:
        secretKeyRef:
          # All environment variable groups are available as K8s secrets
          name: '{{ k8sSecretName "prod-vault-keys" }}'
          key: seal-key

Multiple secrets:

kind: ServiceInstallation
metadata:
  name: app-production
spec:
  service: app
  environment: production
  secrets:
    - name: database
      values:
        - key: host
          valueFromInput:
            name: dbHost
        - key: password
          valueFromInput:
            name: dbPassword
    - name: api-keys
      generated:
        type: random-string
        length: 64

Services

Environments

Installations

Blueprints

Releases

Properties

`service`

`environment`

`name`

`namespace`

`releaseChannel`

Variable Groups

`config`

`secrets`

`secrets[].name`

`secrets[].generated`

`secrets[].generated.type`

`secrets[].generated.length`

`secrets[].values`

`secrets[].values[].key`

`secrets[].values[].valueFromInput`

`secrets[].values[].valueFromInput.name`

`secrets[].orgSecret`

Examples

Services

Environments

Installations

Blueprints

Releases

​Properties

​service

​environment

​name

​namespace

​releaseChannel

​Variable Groups

​config

​secrets

​secrets[].name

​secrets[].generated

​secrets[].generated.type

​secrets[].generated.length

​secrets[].values

​secrets[].values[].key

​secrets[].values[].valueFromInput

​secrets[].values[].valueFromInput.name

​secrets[].orgSecret

​Examples

Properties

`service`

`environment`

`name`

`namespace`

`releaseChannel`

Variable Groups

`config`

`secrets`

`secrets[].name`

`secrets[].generated`

`secrets[].generated.type`

`secrets[].generated.length`

`secrets[].values`

`secrets[].values[].key`

`secrets[].values[].valueFromInput`

`secrets[].values[].valueFromInput.name`

`secrets[].orgSecret`

Examples