BoltMCP Installation Docs

Configuration Reference

Complete reference for all Helm chart values.

All parameters can be set in your values-prod.yaml file.

BoltMCP reads passwords from three user-managed Kubernetes Secrets — the chart never creates them. See Cluster Prep → Application Secrets for the full key list and supported approaches. Only the Secret names are configurable through values (see the Secrets section below); the keys within each Secret are fixed.

Secrets

ParameterTypeDefaultDescription
secrets.database.namestring<release>-databaseName of the user-managed Secret holding database passwords
secrets.oidc.namestring<release>-oidcName of the user-managed Secret holding OIDC client secrets
secrets.auth.namestring<release>-authName of the user-managed Secret holding auth tokens, the master-realm Keycloak admin password (keycloak-admin-password), the BoltMCP-realm first-user password (boltmcp-admin-password), and the MCP Inspector token

Global

ParameterTypeDefaultDescription
global.domainstring""Apex domain that hosts BoltMCP. Used to derive per-service hostnames as web.<domain>, auth.<domain>, server.<domain>, inspector.<domain>. Required unless every per-service URL/hostname override is set explicitly (see below).
global.imageRegistrystringeurope-west2-docker.pkg.dev/boltmcp-platform/boltmcp-alpha/imagesDefault image registry for BoltMCP images
global.imagePullSecretsarray[{ name: boltmcp-pull-secret }]Image pull secrets for private registries. Matches the Secret name created in Cluster Prep → Image Pull Secret. Set to [] if your images come from a registry that doesn't require auth.
global.storageClassstring""Storage class for all BoltMCP persistent volumes. Empty uses the cluster default (fine on GKE/AKS). On EKS set it to a class you created — see Cluster Prep → StorageClass. Overridable per-volume by database.persistence.storageClass.
nameOverridestring""Override the release name
fullnameOverridestring""Override the full release name

The chart does not create an Ingress. It emits the public URLs above to the workloads as env vars and expects you to provision your own ingress / gateway / load balancer that terminates TLS and routes those hostnames to the BoltMCP services. See Ingress & TLS for a reference setup, or charts/boltmcp/examples/ingress in the chart for copy-pasteable manifests.

Database

ParameterTypeDefaultDescription
database.internal.enabledbooltrueDeploy internal PostgreSQL. Set false for external DB
database.image.repositorystringpostgresPostgreSQL image repository
database.image.tagstring15-alpinePostgreSQL image tag
database.namestringboltmcpDatabase name
database.hoststring""External database host (when internal.enabled=false)
database.portint5432Database port
database.coreSchemastringboltmcp_coreSchema holding the shared application tables. The ltree extension is namespaced here and the schema is owned by the migrate-core user; application roles have no dependency on public.
database.superuser.usernamestringpostgresSuperuser username (password lives in the database Secret as superuser-password)
database.users.migrateCore.usernamestringboltmcp_migrate_coreMigration DB user — owns the core schema and is the only role that runs DDL/migrations (password: migrate-core-password)
database.users.web.usernamestringboltmcp_webWeb app DB user, read/write on the core schema (password lives in the database Secret as web-password)
database.users.restApi.usernamestringboltmcp_rest_apiREST API DB user, read/write on the core schema (password: rest-api-password)
database.users.mcpServer.usernamestringboltmcp_mcp_serverMCP Server DB user, read-only on the core schema (password: mcp-server-password)
database.users.keycloak.usernamestringboltmcp_keycloakKeycloak DB user (password: keycloak-password)
database.users.keycloak.schemastringboltmcp_keycloakKeycloak schema name
database.users.vault.usernamestringboltmcp_vaultVault storage DB user; owns the pre-created vault_kv_store table (password: vault-password)
database.users.vault.schemastringboltmcp_vaultVault storage schema name
database.persistence.enabledbooltrueEnable persistent storage
database.persistence.sizestring10GiPVC size
database.persistence.storageClassstring""Storage class (falls back to global.storageClass)
database.persistence.accessModesarray[ReadWriteOnce]PVC access modes
database.resourcesobject{}CPU/memory resource limits and requests
database.nodeSelectorobject{}Node selector
database.tolerationsarray[]Tolerations
database.affinityobject{}Affinity rules

Keycloak

ParameterTypeDefaultDescription
keycloak.enabledbooltrueEnable Keycloak deployment
keycloak.image.repositorystringquay.io/keycloak/keycloakKeycloak image
keycloak.image.tagstring26.4.1-0Keycloak image tag
keycloak.production.enabledbooltrueRun in production mode (start vs start-dev). Set false only for evaluation installs without an Ingress / TLS-terminating proxy
keycloak.hostnamestring""Explicit hostname. If empty, defaults to auth.<global.domain>
keycloak.service.typestringClusterIPService type
keycloak.service.portint8080Service port
keycloak.service.healthPortint9000Health check port
keycloak.resourcesobject{}CPU/memory resource limits and requests
keycloak.nodeSelectorobject{}Node selector
keycloak.tolerationsarray[]Tolerations
keycloak.affinityobject{}Affinity rules

OIDC

ParameterTypeDefaultDescription
oidc.providerstringkeycloakOIDC provider type
oidc.issuerUrlstring""OIDC issuer URL. If empty, defaults to https://<keycloak.hostname>/realms/boltmcp
oidc.web.clientIdstringboltmcp-webPlatform client ID (secret lives in the OIDC Secret as web-client-secret)
oidc.mcpServer.clientIdstringboltmcp-mcp-serverMCP Server client ID (secret: mcp-server-client-secret)
oidc.mcpServerToRestApi.clientIdstringboltmcp-mcp-server-to-rest-apiClient used by the MCP server to obtain user tokens for the REST API (secret: mcp-server-to-rest-api-client-secret). PKCE-aware, audience-mapped to REST_API_BASE_URL.
oidc.restApiResourceServer.clientIdstringboltmcp-rest-api-resource-serverClient used by the REST API to authenticate to Keycloak's introspection endpoint (secret: rest-api-resource-server-client-secret).
oidc.adminUser.emailstring""Required. Email for the first user in the boltmcp Keycloak realm. Provisioned on first install via --import-realm (username boltmcp_admin, firstName Admin, emailVerified true, granted realm-management/realm-admin). Password lives in the auth Secret as boltmcp-admin-password.

Platform

ParameterTypeDefaultDescription
web.enabledbooltrueEnable web deployment
web.image.repositorystring""Image repository (defaults to global.imageRegistry/boltmcp-web)
web.image.tagstring""Image tag (defaults to .Chart.AppVersion if empty)
web.image.pullPolicystringAlwaysImage pull policy
web.replicaCountint1Number of replicas
web.baseUrlstring""Base URL. If empty, defaults to https://web.<global.domain>
web.service.typestringClusterIPService type
web.service.portint3000Service port
web.resourcesobject{}CPU/memory resource limits and requests
web.nodeSelectorobject{}Node selector
web.tolerationsarray[]Tolerations
web.affinityobject{}Affinity rules
web.extraEnvarray[]Additional environment variables

MCP Server

ParameterTypeDefaultDescription
mcpServer.enabledbooltrueEnable MCP Server deployment
mcpServer.image.repositorystring""Image repository (defaults to global.imageRegistry/boltmcp-mcp-server)
mcpServer.image.tagstring""Image tag (defaults to .Chart.AppVersion if empty)
mcpServer.image.pullPolicystringAlwaysImage pull policy
mcpServer.replicaCountint1Number of replicas
mcpServer.baseUrlstring""Base URL. If empty, defaults to https://server.<global.domain>
mcpServer.service.typestringClusterIPService type
mcpServer.service.portint3001Service port
mcpServer.resourcesobject{}CPU/memory resource limits and requests
mcpServer.nodeSelectorobject{}Node selector
mcpServer.tolerationsarray[]Tolerations
mcpServer.affinityobject{}Affinity rules
mcpServer.extraEnvarray[]Additional environment variables

REST API

The REST API is internal-only — its Service is always ClusterIP and is never exposed via Ingress. It is reached by boltmcp-web (via the BFF proxy at /api/v1/*) and by boltmcp-mcp-server over the in-cluster network. There is no restApi.baseUrl value: the URL is derived from the Service name as http://<release>-rest-api:<restApi.service.port>. The REST API is always deployed — there is no restApi.enabled toggle.

ParameterTypeDefaultDescription
restApi.image.repositorystring""Image repository (defaults to global.imageRegistry/boltmcp-rest-api)
restApi.image.tagstring""Image tag (defaults to .Chart.AppVersion if empty)
restApi.image.pullPolicystringAlwaysImage pull policy
restApi.replicaCountint1Number of replicas
restApi.service.typestringClusterIPService type (internal-only — leave as ClusterIP)
restApi.service.portint3003Service port
restApi.resourcesobject{}CPU/memory resource limits and requests
restApi.nodeSelectorobject{}Node selector
restApi.tolerationsarray[]Tolerations
restApi.affinityobject{}Affinity rules
restApi.extraEnvarray[]Additional environment variables

MCP Inspector (Optional)

When mcpInspector.enabled=true, the auth Secret must include the mcp-inspector-proxy-auth-token key.

ParameterTypeDefaultDescription
mcpInspector.enabledbooltrueEnable MCP Inspector
mcpInspector.image.repositorystringghcr.io/modelcontextprotocol/inspectorImage repository
mcpInspector.image.tagstring0.21.1Image tag
mcpInspector.baseUrlstring""Base URL. If empty, defaults to https://inspector.<global.domain>
mcpInspector.service.typestringClusterIPService type
mcpInspector.service.webPortint6274Web UI port
mcpInspector.service.proxyPortint6277Proxy port
mcpInspector.resourcesobject{}CPU/memory resource limits and requests
mcpInspector.nodeSelectorobject{}Node selector
mcpInspector.tolerationsarray[]Tolerations
mcpInspector.affinityobject{}Affinity rules

Vault

HashiCorp Vault using the shared PostgreSQL for storage (schema boltmcp_vault). It runs in server mode (not dev), so it boots sealed and uninitialized — initialize and unseal it out-of-band (kubectl exec ... -- vault operator init / ... unseal). It is ClusterIP-only (never exposed outside the cluster) with the UI disabled, single-replica (non-HA), and uses no SSL (in-cluster only). boltmcp-rest-api consumes it (KV v2 secret storage) via Vault's Kubernetes auth method, after a one-time operator bootstrap — see the Vault page for the init / unseal / bootstrap procedure and auto-unseal options. This bundled Vault is unrelated to any external Vault you might use as an External Secrets Operator source.

Enabling Vault requires a vault-password key in the boltmcp-database Secret (see Cluster Prep).

ParameterTypeDefaultDescription
vault.enabledbooltrueDeploy the bundled Vault
vault.image.repositorystringhashicorp/vaultImage repository
vault.image.tagstring1.21.4Image tag
vault.service.typestringClusterIPService type (ClusterIP only)
vault.service.portint8200Service port
vault.kubernetesAuth.enabledbooltrueWire boltmcp-rest-api to Vault via Kubernetes auth (ServiceAccount + projected token + env)
vault.kubernetesAuth.authMountPathstringkubernetesMount path of Vault's Kubernetes auth method
vault.kubernetesAuth.rolestringboltmcp-rest-apiVault role bound to the REST API ServiceAccount
vault.kubernetesAuth.policystringboltmcp-rest-apiVault policy for the secret prefix
vault.kubernetesAuth.kvMountstringsecretKV v2 secrets engine mount
vault.kubernetesAuth.kvPathPrefixstringboltmcp/dummyLogical prefix the REST API stores secrets under
vault.kubernetesAuth.audiencestringvaultProjected-token audience (must match the Vault role)
vault.seal.typestring""Seal type — "" is Shamir/manual unseal; awskms/gcpckms/azurekeyvault/transit enable auto-unseal
vault.seal.configobject{}Key/value pairs rendered into the seal stanza (e.g. region, kms_key_id)
vault.seal.extraEnvarray[]Extra Vault container env for the seal (e.g. KMS credentials)
vault.resourcesobject{}CPU/memory resource limits and requests
vault.nodeSelectorobject{}Node selector
vault.tolerationsarray[]Tolerations
vault.affinityobject{}Affinity rules

Migrations

ParameterTypeDefaultDescription
migrations.coreMigrateImage.repositorystring""Core schema migration image (defaults to global.imageRegistry/boltmcp-migrate-core)
migrations.coreMigrateImage.tagstring""Tag (inherits from web.image.tag)
migrations.backoffLimitint3Job retry limit
migrations.ttlSecondsAfterFinishedint300Cleanup delay after job completion

Service Account & Pod

ParameterTypeDefaultDescription
serviceAccount.createbooltrueCreate a service account
serviceAccount.annotationsobject{}Service account annotations
serviceAccount.namestring""Service account name (defaults to release name)
podAnnotationsobject{}Pod annotations
podSecurityContextobject{}Pod security context
securityContextobject{}Container security context

On this page