All parameters can be set in your values-prod.yaml file.
BoltMCP reads passwords from three user-managed Kubernetes Secrets — the chart never creates them. See Cluster Prep → Application Secrets for the full key list and supported approaches. Only the Secret names are configurable through values (see the Secrets section below); the keys within each Secret are fixed.
Name of the user-managed Secret holding database passwords
secrets.oidc.name
string
<release>-oidc
Name of the user-managed Secret holding OIDC client secrets
secrets.auth.name
string
<release>-auth
Name of the user-managed Secret holding auth tokens, the master-realm Keycloak admin password (keycloak-admin-password), the BoltMCP-realm first-user password (boltmcp-admin-password), and the MCP Inspector token
Apex domain that hosts BoltMCP. Used to derive per-service hostnames as web.<domain>, auth.<domain>, server.<domain>, inspector.<domain>. Required unless every per-service URL/hostname override is set explicitly (see below).
Image pull secrets for private registries. Matches the Secret name created in Cluster Prep → Image Pull Secret. Set to [] if your images come from a registry that doesn't require auth.
global.storageClass
string
""
Storage class for all BoltMCP persistent volumes. Empty uses the cluster default (fine on GKE/AKS). On EKS set it to a class you created — see Cluster Prep → StorageClass. Overridable per-volume by database.persistence.storageClass.
nameOverride
string
""
Override the release name
fullnameOverride
string
""
Override the full release name
The chart does not create an Ingress. It emits the public URLs above to the workloads as env vars and expects you to provision your own ingress / gateway / load balancer that terminates TLS and routes those hostnames to the BoltMCP services. See Ingress & TLS for a reference setup, or charts/boltmcp/examples/ingress in the chart for copy-pasteable manifests.
Schema holding the shared application tables. The ltree extension is namespaced here and the schema is owned by the migrate-core user; application roles have no dependency on public.
database.superuser.username
string
postgres
Superuser username (password lives in the database Secret as superuser-password)
database.users.migrateCore.username
string
boltmcp_migrate_core
Migration DB user — owns the core schema and is the only role that runs DDL/migrations (password: migrate-core-password)
database.users.web.username
string
boltmcp_web
Web app DB user, read/write on the core schema (password lives in the database Secret as web-password)
database.users.restApi.username
string
boltmcp_rest_api
REST API DB user, read/write on the core schema (password: rest-api-password)
database.users.mcpServer.username
string
boltmcp_mcp_server
MCP Server DB user, read-only on the core schema (password: mcp-server-password)
database.users.keycloak.username
string
boltmcp_keycloak
Keycloak DB user (password: keycloak-password)
database.users.keycloak.schema
string
boltmcp_keycloak
Keycloak schema name
database.users.vault.username
string
boltmcp_vault
Vault storage DB user; owns the pre-created vault_kv_store table (password: vault-password)
OIDC issuer URL. If empty, defaults to https://<keycloak.hostname>/realms/boltmcp
oidc.web.clientId
string
boltmcp-web
Platform client ID (secret lives in the OIDC Secret as web-client-secret)
oidc.mcpServer.clientId
string
boltmcp-mcp-server
MCP Server client ID (secret: mcp-server-client-secret)
oidc.mcpServerToRestApi.clientId
string
boltmcp-mcp-server-to-rest-api
Client used by the MCP server to obtain user tokens for the REST API (secret: mcp-server-to-rest-api-client-secret). PKCE-aware, audience-mapped to REST_API_BASE_URL.
oidc.restApiResourceServer.clientId
string
boltmcp-rest-api-resource-server
Client used by the REST API to authenticate to Keycloak's introspection endpoint (secret: rest-api-resource-server-client-secret).
oidc.adminUser.email
string
""
Required. Email for the first user in the boltmcp Keycloak realm. Provisioned on first install via --import-realm (username boltmcp_admin, firstName Admin, emailVerified true, granted realm-management/realm-admin). Password lives in the auth Secret as boltmcp-admin-password.
The REST API is internal-only — its Service is always ClusterIP and is never exposed via Ingress. It is reached by boltmcp-web (via the BFF proxy at /api/v1/*) and by boltmcp-mcp-server over the in-cluster network. There is no restApi.baseUrl value: the URL is derived from the Service name as http://<release>-rest-api:<restApi.service.port>. The REST API is always deployed — there is no restApi.enabled toggle.
Parameter
Type
Default
Description
restApi.image.repository
string
""
Image repository (defaults to global.imageRegistry/boltmcp-rest-api)
restApi.image.tag
string
""
Image tag (defaults to .Chart.AppVersion if empty)
HashiCorp Vault using the shared PostgreSQL for storage (schema boltmcp_vault). It runs in server mode (not dev), so it boots sealed and uninitialized — initialize and unseal it out-of-band (kubectl exec ... -- vault operator init / ... unseal). It is ClusterIP-only (never exposed outside the cluster) with the UI disabled, single-replica (non-HA), and uses no SSL (in-cluster only). boltmcp-rest-api consumes it (KV v2 secret storage) via Vault's Kubernetes auth method, after a one-time operator bootstrap — see the Vault page for the init / unseal / bootstrap procedure and auto-unseal options. This bundled Vault is unrelated to any external Vault you might use as an External Secrets Operator source.
Enabling Vault requires a vault-password key in the boltmcp-database Secret (see Cluster Prep).
Parameter
Type
Default
Description
vault.enabled
bool
true
Deploy the bundled Vault
vault.image.repository
string
hashicorp/vault
Image repository
vault.image.tag
string
1.21.4
Image tag
vault.service.type
string
ClusterIP
Service type (ClusterIP only)
vault.service.port
int
8200
Service port
vault.kubernetesAuth.enabled
bool
true
Wire boltmcp-rest-api to Vault via Kubernetes auth (ServiceAccount + projected token + env)
vault.kubernetesAuth.authMountPath
string
kubernetes
Mount path of Vault's Kubernetes auth method
vault.kubernetesAuth.role
string
boltmcp-rest-api
Vault role bound to the REST API ServiceAccount
vault.kubernetesAuth.policy
string
boltmcp-rest-api
Vault policy for the secret prefix
vault.kubernetesAuth.kvMount
string
secret
KV v2 secrets engine mount
vault.kubernetesAuth.kvPathPrefix
string
boltmcp/dummy
Logical prefix the REST API stores secrets under
vault.kubernetesAuth.audience
string
vault
Projected-token audience (must match the Vault role)
vault.seal.type
string
""
Seal type — "" is Shamir/manual unseal; awskms/gcpckms/azurekeyvault/transit enable auto-unseal
vault.seal.config
object
{}
Key/value pairs rendered into the seal stanza (e.g. region, kms_key_id)
vault.seal.extraEnv
array
[]
Extra Vault container env for the seal (e.g. KMS credentials)