BoltMCP Installation Docs

Configuration Reference

Complete reference for all Helm chart values.

All parameters can be set in your values-prod.yaml file.

BoltMCP reads passwords from three user-managed Kubernetes Secrets — the chart never creates them. See Cluster Prep → Application Secrets for the full key list and supported approaches. Only the Secret names are configurable through values (see the Secrets section below); the keys within each Secret are fixed.

Secrets

| Parameter | Type | Default | Description |
|---|---|---|---|
| secrets.database.name | string | <release>-database | Name of the user-managed Secret holding database passwords |
| secrets.oidc.name | string | <release>-oidc | Name of the user-managed Secret holding OIDC client secrets |
| secrets.auth.name | string | <release>-auth | Name of the user-managed Secret holding auth tokens, the master-realm Keycloak admin password (keycloak-admin-password), the BoltMCP-realm first-user password (boltmcp-admin-password), the MCP Inspector token, and the optional OpenAI key |
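
Because the chart never creates these Secrets and their keys are fixed, a missing or empty key only shows up when a workload fails to start. The following preflight check is an added example, not part of the BoltMCP chart or its docs. It covers only the keys named on this page (the full list is in Cluster Prep → Application Secrets), assumes the default <release>-database, <release>-oidc and <release>-auth Secret names, and reports key names only, never values.

```python
import base64
import json
import subprocess
import sys

# Keys named on this page; the authoritative list is in Cluster Prep.
REQUIRED_KEYS = {
    "database": ["superuser-password", "web-password", "mcp-server-password",
                 "playground-password", "keycloak-password"],
    "oidc": ["web-client-secret", "mcp-server-client-secret",
             "mcp-client-client-secret"],
    "auth": ["keycloak-admin-password", "boltmcp-admin-password"],
}
# Required in the auth Secret when mcpInspector.enabled=true (the chart default).
INSPECTOR_KEY = "mcp-inspector-proxy-auth-token"


def required_keys(kind, inspector_enabled=True):
    keys = list(REQUIRED_KEYS[kind])
    if kind == "auth" and inspector_enabled:
        keys.append(INSPECTOR_KEY)
    return keys


def check_secret(secret, kind, inspector_enabled=True):
    """Return (missing, empty) key names for one parsed Secret object."""
    data = secret.get("data") or {}
    missing, empty = [], []
    for key in required_keys(kind, inspector_enabled):
        if key not in data:
            missing.append(key)
        elif not base64.b64decode(data[key]).strip():
            empty.append(key)  # key exists but decodes to nothing
    return missing, empty


def fetch_secret(name, namespace):
    cmd = ["kubectl", "get", "secret", name, "-n", namespace, "-o", "json"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(out.stdout)


if __name__ == "__main__":  # usage: script.py <release> <namespace>
    release, namespace = sys.argv[1], sys.argv[2]
    failed = False
    for kind in REQUIRED_KEYS:
        name = f"{release}-{kind}"  # default names from the Secrets table
        missing, empty = check_secret(fetch_secret(name, namespace), kind)
        if missing or empty:
            failed = True
            print(f"{name}: missing={missing} empty={empty}")
    sys.exit(1 if failed else 0)
```

Run it before helm install or upgrade; a non-zero exit means at least one Secret is incomplete.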

Global

| Parameter | Type | Default | Description |
|---|---|---|---|
| global.domain | string | "" | Apex domain that hosts BoltMCP. Used to derive per-service hostnames as web.<domain>, auth.<domain>, playground.<domain>, server.<domain>, inspector.<domain>. Required unless every per-service URL/hostname override is set explicitly (see below). |
| global.imageRegistry | string | europe-west2-docker.pkg.dev/boltmcp-platform/boltmcp-alpha/images | Default image registry for BoltMCP images |
| global.imagePullSecrets | array | [{ name: boltmcp-pull-secret }] | Image pull secrets for private registries. Matches the Secret name created in Cluster Prep → Image Pull Secret. Set to [] if your images come from a registry that doesn't require auth. |
| global.storageClass | string | "" | Storage class for persistent volumes (empty uses cluster default) |
| nameOverride | string | "" | Override the release name |
| fullnameOverride | string | "" | Override the full release name |

The chart does not create an Ingress. It emits the public URLs above to the workloads as env vars and expects you to provision your own ingress / gateway / load balancer that terminates TLS and routes those hostnames to the BoltMCP services. See Ingress & TLS for a reference setup, or charts/boltmcp/examples/ingress in the chart for copy-pasteable manifests.

Database

| Parameter | Type | Default | Description |
|---|---|---|---|
| database.internal.enabled | bool | true | Deploy internal PostgreSQL. Set false for external DB |
| database.image.repository | string | postgres | PostgreSQL image repository |
| database.image.tag | string | 15-alpine | PostgreSQL image tag |
| database.name | string | boltmcp | Database name |
| database.host | string | "" | External database host (when internal.enabled=false) |
| database.port | int | 5432 | Database port |
| database.superuser.username | string | postgres | Superuser username (password lives in the database Secret as superuser-password) |
| database.users.web.username | string | boltmcp_web | Platform DB user (password lives in the database Secret as web-password) |
| database.users.mcpServer.username | string | boltmcp_mcp_server | MCP Server DB user (password: mcp-server-password) |
| database.users.playground.username | string | boltmcp_playground | Playground DB user (password: playground-password) |
| database.users.playground.schema | string | boltmcp_playground | Playground schema name |
| database.users.keycloak.username | string | boltmcp_keycloak | Keycloak DB user (password: keycloak-password) |
| database.users.keycloak.schema | string | boltmcp_keycloak | Keycloak schema name |
| database.persistence.enabled | bool | true | Enable persistent storage |
| database.persistence.size | string | 10Gi | PVC size |
| database.persistence.storageClass | string | "" | Storage class (falls back to global.storageClass) |
| database.persistence.accessModes | array | [ReadWriteOnce] | PVC access modes |
| database.resources | object | {} | CPU/memory resource limits and requests |
| database.nodeSelector | object | {} | Node selector |
| database.tolerations | array | [] | Tolerations |
| database.affinity | object | {} | Affinity rules |

Keycloak

| Parameter | Type | Default | Description |
|---|---|---|---|
| keycloak.enabled | bool | true | Enable Keycloak deployment |
| keycloak.image.repository | string | quay.io/keycloak/keycloak | Keycloak image |
| keycloak.image.tag | string | 26.4.1-0 | Keycloak image tag |
| keycloak.production.enabled | bool | true | Run in production mode (start vs start-dev). Set false only for evaluation installs without an Ingress / TLS-terminating proxy |
| keycloak.hostname | string | "" | Explicit hostname. If empty, defaults to auth.<global.domain> |
| keycloak.service.type | string | ClusterIP | Service type |
| keycloak.service.port | int | 8080 | Service port |
| keycloak.service.healthPort | int | 9000 | Health check port |
| keycloak.resources | object | {} | CPU/memory resource limits and requests |
| keycloak.nodeSelector | object | {} | Node selector |
| keycloak.tolerations | array | [] | Tolerations |
| keycloak.affinity | object | {} | Affinity rules |

OIDC

| Parameter | Type | Default | Description |
|---|---|---|---|
| oidc.provider | string | keycloak | OIDC provider type |
| oidc.issuerUrl | string | "" | OIDC issuer URL. If empty, defaults to https://<keycloak.hostname>/realms/boltmcp |
| oidc.web.clientId | string | boltmcp-web | Platform client ID (secret lives in the OIDC Secret as web-client-secret) |
| oidc.mcpServer.clientId | string | boltmcp-mcp-server | MCP Server client ID (secret: mcp-server-client-secret) |
| oidc.mcpClient.clientId | string | boltmcp-mcp-client | MCP Client (Playground) client ID (secret: mcp-client-client-secret) |
| oidc.adminUser.email | string | "" | Required. Email for the first user in the boltmcp Keycloak realm. Provisioned on first install via --import-realm (username boltmcp_admin, firstName Admin, emailVerified true, granted realm-management/realm-admin). Password lives in the auth Secret as boltmcp-admin-password. |

Platform

| Parameter | Type | Default | Description |
|---|---|---|---|
| web.enabled | bool | true | Enable web deployment |
| web.image.repository | string | "" | Image repository (defaults to global.imageRegistry/boltmcp-web) |
| web.image.tag | string | "" | Image tag (defaults to .Chart.AppVersion if empty) |
| web.image.pullPolicy | string | Always | Image pull policy |
| web.replicaCount | int | 1 | Number of replicas |
| web.baseUrl | string | "" | Base URL. If empty, defaults to https://web.<global.domain> |
| web.service.type | string | ClusterIP | Service type |
| web.service.port | int | 3000 | Service port |
| web.resources | object | {} | CPU/memory resource limits and requests |
| web.nodeSelector | object | {} | Node selector |
| web.tolerations | array | [] | Tolerations |
| web.affinity | object | {} | Affinity rules |
| web.extraEnv | array | [] | Additional environment variables |

MCP Server

| Parameter | Type | Default | Description |
|---|---|---|---|
| mcpServer.enabled | bool | true | Enable MCP Server deployment |
| mcpServer.image.repository | string | "" | Image repository (defaults to global.imageRegistry/boltmcp-mcp-server) |
| mcpServer.image.tag | string | "" | Image tag (defaults to .Chart.AppVersion if empty) |
| mcpServer.image.pullPolicy | string | Always | Image pull policy |
| mcpServer.replicaCount | int | 1 | Number of replicas |
| mcpServer.baseUrl | string | "" | Base URL. If empty, defaults to https://server.<global.domain> |
| mcpServer.service.type | string | ClusterIP | Service type |
| mcpServer.service.port | int | 3001 | Service port |
| mcpServer.resources | object | {} | CPU/memory resource limits and requests |
| mcpServer.nodeSelector | object | {} | Node selector |
| mcpServer.tolerations | array | [] | Tolerations |
| mcpServer.affinity | object | {} | Affinity rules |
| mcpServer.extraEnv | array | [] | Additional environment variables |

Playground

| Parameter | Type | Default | Description |
|---|---|---|---|
| playground.enabled | bool | true | Enable Playground deployment |
| playground.image.repository | string | "" | Image repository (defaults to global.imageRegistry/boltmcp-playground) |
| playground.image.tag | string | "" | Image tag (defaults to .Chart.AppVersion if empty) |
| playground.image.pullPolicy | string | Always | Image pull policy |
| playground.replicaCount | int | 1 | Number of replicas |
| playground.baseUrl | string | "" | Base URL. If empty, defaults to https://playground.<global.domain> |
| playground.service.type | string | ClusterIP | Service type |
| playground.service.port | int | 3002 | Service port |
| playground.resources | object | {} | CPU/memory resource limits and requests |
| playground.nodeSelector | object | {} | Node selector |
| playground.tolerations | array | [] | Tolerations |
| playground.affinity | object | {} | Affinity rules |
| playground.extraEnv | array | [] | Additional environment variables |

MCP Inspector (Optional)

When mcpInspector.enabled=true, the auth Secret must include the mcp-inspector-proxy-auth-token key.

| Parameter | Type | Default | Description |
|---|---|---|---|
| mcpInspector.enabled | bool | true | Enable MCP Inspector |
| mcpInspector.image.repository | string | ghcr.io/modelcontextprotocol/inspector | Image repository |
| mcpInspector.image.tag | string | 0.21.1 | Image tag |
| mcpInspector.baseUrl | string | "" | Base URL. If empty, defaults to https://inspector.<global.domain> |
| mcpInspector.service.type | string | ClusterIP | Service type |
| mcpInspector.service.webPort | int | 6274 | Web UI port |
| mcpInspector.service.proxyPort | int | 6277 | Proxy port |
| mcpInspector.resources | object | {} | CPU/memory resource limits and requests |
| mcpInspector.nodeSelector | object | {} | Node selector |
| mcpInspector.tolerations | array | [] | Tolerations |
| mcpInspector.affinity | object | {} | Affinity rules |

Vault (Optional — Dev Mode Only)

| Parameter | Type | Default | Description |
|---|---|---|---|
| vault.enabled | bool | false | Enable Vault (dev mode — not for production) |
| vault.image.repository | string | hashicorp/vault | Image repository |
| vault.image.tag | string | 1.21 | Image tag |
| vault.devRootToken | string | root | Dev root token |
| vault.service.type | string | ClusterIP | Service type |
| vault.service.port | int | 8200 | Service port |
| vault.resources | object | {} | CPU/memory resource limits and requests |
| vault.nodeSelector | object | {} | Node selector |
| vault.tolerations | array | [] | Tolerations |
| vault.affinity | object | {} | Affinity rules |

Migrations

| Parameter | Type | Default | Description |
|---|---|---|---|
| migrations.webMigrateImage.repository | string | "" | Platform migration image (defaults to global.imageRegistry/boltmcp-web-migrate) |
| migrations.webMigrateImage.tag | string | "" | Tag (inherits from web.image.tag) |
| migrations.playgroundMigrateImage.repository | string | "" | Playground migration image (defaults to global.imageRegistry/boltmcp-playground-migrate) |
| migrations.playgroundMigrateImage.tag | string | "" | Tag (inherits from playground.image.tag) |
| migrations.backoffLimit | int | 3 | Job retry limit |
| migrations.ttlSecondsAfterFinished | int | 300 | Cleanup delay after job completion |

Service Account & Pod

| Parameter | Type | Default | Description |
|---|---|---|---|
| serviceAccount.create | bool | true | Create a service account |
| serviceAccount.annotations | object | {} | Service account annotations |
| serviceAccount.name | string | "" | Service account name (defaults to release name) |
| podAnnotations | object | {} | Pod annotations |
| podSecurityContext | object | {} | Pod security context |
| securityContext | object | {} | Container security context |
