Direct secret values (used when externalSecret.enabled: false).
Never commit actual secret values to version control. Use secure secret management practices:
  • Store in separate, gitignored values file
  • Use Helm --set flags from CI/CD secrets
  • Use encrypted secret management (SOPS, sealed-secrets, etc.)
  • Prefer external secret stores for production

Automatic Pod Restarts

When you update secret values in your Helm values file and run helm upgrade, all affected pods (web, worker, OAuth, registry, MinIO) automatically restart to pick up the new credentials. This ensures your deployment always uses the latest secret values without requiring manual intervention.
What triggers automatic restarts:
  • Changes to any value in the secrets section
  • Changes to OAuth provider credentials in oauth.secrets
  • Changes to Replicated license fields (if using Replicated distribution)
Example workflow:
# 1. Update secrets in your values file
vim my-values.yaml  # Change DB_PASSWORD or other secrets

# 2. Apply the changes
helm upgrade crewai-platform oci://registry.crewai.com/crewai/stable/crewai-platform \
  --values my-values.yaml

# 3. Pods automatically restart with new credentials (rolling restart - no downtime)
kubectl get pods -w  # Watch pods restart
This behavior ensures credential rotation and secret updates are applied automatically without manual pod deletions.

Database Secrets

secrets.DB_USER
string
default:""
Database username (optional override).
Default Behavior: If not set, the value from envVars.DB_USER is used (default: "postgres").
When to Use: Set this when the database username should be treated as sensitive information, or when you need to override the username configured in envVars.DB_USER.
Example:
secrets:
  DB_USER: "crewai_prod_user"
  DB_PASSWORD: "your-secure-password"
Related Configuration: See envVars.DB_USER in Environment Variables - Database Configuration for the non-sensitive username configuration.
secrets.DB_PASSWORD
string
default:""
Database password.
Required: Yes (for database access)
Security: Use strong, unique passwords. Rotate regularly.

GitHub Integration Secrets

secrets.GITHUB_TOKEN
string
default:""
GitHub personal access token or OAuth token.
Auto-Populated: From Replicated license field
Purpose: Required to pull crewai enterprise repositories.
secrets.GITHUB_CREW_STUDIO_TOKEN
string
default:""
GitHub token for Crew Studio integration.
secrets.GITHUB_CLIENT_SECRET
string
default:""
GitHub App client secret for user authorization during installation.
Required For: GitHub App OAuth flow.
Obtaining: GitHub App Settings > Generate a new client secret.
Related Configuration:
  • Configure envVars.GITHUB_CLIENT_ID with your GitHub App client ID
  • Configure envVars.GITHUB_APP_ID with your GitHub App ID
  • Configure envVars.GITHUB_APP_URL with your GitHub App installation URL
  • Configure secrets.GITHUB_APP_PRIVATE_KEY with your GitHub App private key
Setup Guide: See GitHub App Setup Guide for detailed instructions.
secrets.GITHUB_WEBHOOK_SECRET_TOKEN
string
default:""
Secret token for validating GitHub webhook payloads.
Purpose: Lets the application verify that incoming webhook payloads were actually sent by GitHub.
secrets.GITHUB_APP_PRIVATE_KEY
string
default:""
Private key for GitHub App server-to-server authentication.
Format: PEM-encoded RSA private key as a single-line string with literal \n characters replacing each line break. The value must start with -----BEGIN RSA PRIVATE KEY-----; do not use the key fingerprint (the short hex string shown in the GitHub UI).
Obtaining: GitHub App Settings > Private keys > Generate a private key. The .pem key file downloads automatically and cannot be retrieved again.
Required For: GitHub App API authentication and operations.
Security: Store securely and never commit to version control.
Converting the .pem file to single-line format:
openssl rsa -in /path/to/your-key.pem -check -noout && \
  awk 'NF {sub(/\r/, ""); printf "%s\\n", $0}' /path/to/your-key.pem
Example:
secrets:
  GITHUB_APP_PRIVATE_KEY: "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA...\n...\n-----END RSA PRIVATE KEY-----\n"
Setup Guide: See GitHub App Setup Guide for detailed instructions.
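The conversion above can also be done and, more importantly, checked before the value goes into a values file. The following is an added example (not part of the chart or its documentation) that performs the same transformation as the awk one-liner, round-trips it back to a .pem file, and rejects values that do not start with the RSA header (a fingerprint, or a multi-line key pasted without escaping). The sample PEM block is constructed filler, not a real key, and the function names are this example's own.

```python
"""Convert a GitHub App .pem private key to the single-line form expected in
secrets.GITHUB_APP_PRIVATE_KEY, and validate a value before using it."""
import base64
import textwrap

HEADER = "-----BEGIN RSA PRIVATE KEY-----"
FOOTER = "-----END RSA PRIVATE KEY-----"


def _check_pem_body(lines):
    """Raise ValueError unless the lines between header and footer are base64."""
    body = "".join(lines)
    if not body:
        raise ValueError("PEM body is empty")
    try:
        base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a subclass of ValueError
        raise ValueError("PEM body is not valid base64") from exc


def pem_to_single_line(pem_text):
    """Return the key as one line with a literal backslash-n after every line,
    which is exactly what the awk one-liner on this page produces."""
    lines = [line.rstrip("\r") for line in pem_text.splitlines() if line.strip()]
    if not lines or lines[0] != HEADER or lines[-1] != FOOTER:
        raise ValueError(f"expected a PEM block framed by {HEADER} / {FOOTER}")
    _check_pem_body(lines[1:-1])
    return "".join(line + "\\n" for line in lines)


def single_line_to_pem(value):
    """Inverse of pem_to_single_line: recover the multi-line .pem content."""
    return value.replace("\\n", "\n")


def is_valid_chart_value(value):
    """True only for a single-line, escaped PEM key.

    A fingerprint such as 'SHA256:...' from the GitHub UI fails the header
    check; a multi-line key pasted without escaping fails the newline check."""
    if "\n" in value or not value.startswith(HEADER + "\\n"):
        return False
    try:
        pem_to_single_line(single_line_to_pem(value))
    except ValueError:
        return False
    return True


# Constructed sample: correct PEM framing around filler bytes. Not a real key.
_FILLER_B64 = base64.b64encode(b"not a real key, filler only " * 4).decode("ascii")
SAMPLE_PEM = (
    HEADER + "\n"
    + "\n".join(textwrap.wrap(_FILLER_B64, 64))  # PEM wraps base64 at 64 columns
    + "\n" + FOOTER + "\n"
)

if __name__ == "__main__":
    single = pem_to_single_line(SAMPLE_PEM)
    print(single)
    print("valid chart value:", is_valid_chart_value(single))
```

Run it against your real file by replacing SAMPLE_PEM with the contents of the downloaded .pem; the printed value is what goes into the values file, and is_valid_chart_value is the check to run on whatever ends up there.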

Rails Application Secrets

Do not set RAILS_MASTER_KEY: The chart uses a different Rails configuration approach and does not require RAILS_MASTER_KEY. If you include this in your configuration, you will receive a warning during installation. Remove RAILS_MASTER_KEY from both envVars and secrets sections.
secrets.SECRET_KEY_BASE
string
Rails secret key base for session signing and encryption.
Default: Auto-generated
Auto-Generation: If not provided, automatically generated using randAlphaNum 64 and persisted across upgrades via lookup function.
Manual Generation:
openssl rand -base64 48 | tr -d '\n'
ArgoCD Users: Must be set explicitly; see ArgoCD Deployment Guide.
Upgrade Behavior: Once generated, the value persists across Helm upgrades to maintain session continuity.
secrets.CREWAI_PLUS_INTERNAL_API_KEY
string
default:""
Internal API key for service-to-service authentication.
Auto-Generation: If not provided, automatically generated using randAlphaNum 64 and persisted across upgrades via lookup function.
Manual Generation:
openssl rand -base64 48 | tr -d '\n'
ArgoCD Users: Must be set explicitly — see ArgoCD Deployment Guide.
secrets.ENCRYPTION_KEY
string
default:""
Application-level encryption key for sensitive data at rest.
Auto-Generation: If not provided, automatically generated and persisted across upgrades via lookup function.
Format: Hexadecimal string (recommended: 64 characters).
Manual Generation:
openssl rand -hex 32
ArgoCD Users: Must be set explicitly — see ArgoCD Deployment Guide.
secrets.ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
string
default:""
Primary encryption key for Rails Active Record Encryption.
Auto-Generation: If not provided, automatically generated using randAlphaNum 64 and persisted across upgrades via lookup function.
Manual Generation:
openssl rand -base64 48 | tr -d '\n'
ArgoCD Users: Must be set explicitly — see ArgoCD Deployment Guide.
secrets.ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
string
default:""
Deterministic encryption key for Rails Active Record Encryption. Used for attributes that need to be queried by encrypted value.
Auto-Generation: If not provided, automatically generated using randAlphaNum 64 and persisted across upgrades via lookup function.
Manual Generation:
openssl rand -base64 48 | tr -d '\n'
ArgoCD Users: Must be set explicitly — see ArgoCD Deployment Guide.
secrets.ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
string
default:""
Salt used for key derivation in Rails Active Record Encryption.
Auto-Generation: If not provided, automatically generated using randAlphaNum 64 and persisted across upgrades via lookup function.
Manual Generation:
openssl rand -base64 48 | tr -d '\n'
ArgoCD Users: Must be set explicitly — see ArgoCD Deployment Guide.
secrets.REGISTRY_HTTP_SECRET
string
default:""
Shared secret for the internal container registry's HTTP authentication.
Auto-Generation: If not provided, automatically generated using randAlphaNum 32 and persisted across upgrades via lookup function.
Manual Generation:
openssl rand -base64 24 | tr -d '\n'
ArgoCD Users: Must be set explicitly — see ArgoCD Deployment Guide.
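For deployments where these values must be set explicitly (ArgoCD, or any workflow that cannot rely on the lookup-based auto-generation), the following added example (not the chart's code) generates every secret in this section with the same shape as the Manual Generation commands above and writes them to a separate values file with owner-only permissions, which is the gitignored-values-file practice recommended at the top of this page. The mapping of key names to generators and the output file name are this example's own choices.

```python
"""Generate the Rails/registry secrets listed on this page locally and write
them to a values file meant to stay out of version control."""
import base64
import os
import secrets
import stat


def _b64(n_bytes):
    # Equivalent of `openssl rand -base64 N | tr -d '\n'`: base64 of N random bytes.
    return base64.b64encode(secrets.token_bytes(n_bytes)).decode("ascii")


# Key name -> generator, following the Manual Generation commands on this page.
GENERATORS = {
    "SECRET_KEY_BASE": lambda: _b64(48),
    "CREWAI_PLUS_INTERNAL_API_KEY": lambda: _b64(48),
    "ENCRYPTION_KEY": lambda: secrets.token_hex(32),  # `openssl rand -hex 32`
    "ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY": lambda: _b64(48),
    "ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY": lambda: _b64(48),
    "ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT": lambda: _b64(48),
    "REGISTRY_HTTP_SECRET": lambda: _b64(24),
}


def generate_secrets():
    """Fresh, independently generated value for every key in GENERATORS."""
    return {name: gen() for name, gen in GENERATORS.items()}


def render_values_yaml(values):
    """Render a `secrets:` block. base64 and hex values contain no characters
    that need escaping inside YAML double quotes."""
    lines = ["secrets:"]
    for name, value in values.items():
        lines.append(f'  {name}: "{value}"')
    return "\n".join(lines) + "\n"


def write_secret_values(path, values):
    """Create the file with mode 0600 and O_EXCL so an existing file is never
    silently overwritten. Returns the resulting permission bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(render_values_yaml(values))
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    # Example file name; add it to .gitignore before running.
    mode = write_secret_values("secret-values.yaml", generate_secrets())
    print(f"wrote secret-values.yaml with mode {mode:o}")
```

Pass the resulting file with `--values secret-values.yaml` alongside your main values file; because the chart persists these values once set, regenerate only when you intend to rotate (and expect existing sessions to be invalidated when SECRET_KEY_BASE changes).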

SSL/TLS Secrets

secrets.SSL_PRIVATE_KEY
string
PEM-encoded private key for application-level TLS.
Default: Auto-generated (if web.tls.autoGenerate: true)
Auto-Generation: When web.tls.autoGenerate: true, a self-signed certificate and key are generated and persisted across upgrades.
Manual Provision:
secrets:
  SSL_PRIVATE_KEY: |
    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY-----
secrets.SSL_CERTIFICATE
string
PEM-encoded certificate for application-level TLS.
Default: Auto-generated (if web.tls.autoGenerate: true)
Format: Can include certificate chain (server cert + intermediates).
secrets.CREW_SSL_CERT
string
SSL certificate for crew service communication.
Default: Auto-generated (if web.tls.autoGenerate: true)
secrets.CREW_SSL_KEY
string
SSL private key for crew service communication.
Default: Auto-generated (if web.tls.autoGenerate: true)

AWS Secrets (Optional)

secrets.AWS_ACCESS_KEY_ID
string
default:""
AWS access key ID for S3 and other AWS services.
When Required:
  • STORAGE_SERVICE: amazon with static credentials
  • Not using IAM roles (IRSA)
Production Recommendation: Use IAM roles (IRSA) instead of static credentials.
secrets.AWS_SECRET_ACCESS_KEY
string
default:""
AWS secret access key.

Azure Secrets (Optional)

secrets.AZURE_STORAGE_ACCESS_KEY
string
default:""
Azure Storage account access key.
When Required: STORAGE_SERVICE: microsoft
secrets.AZURE_CLIENT_SECRET
string
default:""
Azure service principal client secret.

Built-in LLM Secrets (Optional)

secrets.BUILT_IN_LLM_API_KEY
string
default:""
API key for built-in LLM provider.
Purpose: Provides authentication for internal LLM calls used by the CrewAI Platform, including:
  • Improving Studio prompts
  • Generating automation descriptions
  • Chatting with flows
  • Other platform AI-assisted features
When Required: When using built-in LLM features (optional)
Provider-Specific Requirements:
OpenAI:
Anthropic:
Related Configuration:
  • Configure envVars.BUILT_IN_LLM_PROVIDER to specify the LLM provider
  • Configure envVars.BUILT_IN_LLM_MODEL to specify the model
Example:
secrets:
  BUILT_IN_LLM_API_KEY: "sk-proj-abc123..."

envVars:
  BUILT_IN_LLM_PROVIDER: "openai"
  BUILT_IN_LLM_MODEL: "gpt-4o-mini"

Python Package Registry

secrets.UV_DEFAULT_INDEX
string
PyPI registry URL for enterprise Python packages.
Default: Auto-generated (in Replicated deployments)
Auto-Generation (Replicated): Automatically built from license credentials:
  • Customer ID from: global.replicated.licenseFields.replicated_customer_id
  • Password from: global.replicated.dockerconfigjson (registry.crewai.com entry)
  • Generated URL format: https://customer_id:password@pypi.crewaifactory.com/simple/
Manual Configuration (Non-Replicated):
secrets:
  UV_DEFAULT_INDEX: "https://username:password@pypi.crewaifactory.com/simple/"
Requirements:
  • Must use HTTPS protocol
  • Must include authentication credentials in format username:password@host
  • Must end with /simple/ for PyPI compatibility
  • Automatically base64-encoded by the chart
Purpose: Provides access to CrewAI Enterprise Python packages for crew execution and platform functionality.
Validation: The Helm test suite verifies proper URL format and structure.
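The requirements above are easy to check locally before a values file is committed. The following added example (not the chart's Helm test suite) validates a UV_DEFAULT_INDEX value against those four rules and also builds one from separate username and password inputs, percent-encoding the credentials so that a password containing "@", ":" or "/" cannot corrupt the URL's authority part. The default host is the one shown on this page; the function names are this example's own.

```python
"""Validate or build a secrets.UV_DEFAULT_INDEX value."""
from urllib.parse import quote, urlsplit


def validate_uv_default_index(url):
    """Return a list of problems; an empty list means the URL meets the
    requirements listed on this page (HTTPS, credentials, /simple/ suffix)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("must use the https scheme")
    if not parts.username or parts.password is None:
        problems.append("must embed credentials as username:password@host")
    if not parts.hostname:
        problems.append("missing host")
    if not parts.path.endswith("/simple/"):
        problems.append("path must end with /simple/")
    if parts.query or parts.fragment:
        problems.append("query string or fragment is not expected")
    return problems


def build_uv_default_index(username, password, host="pypi.crewaifactory.com"):
    """Assemble the URL with percent-encoded credentials. `safe=''` also
    encodes '/' so a slash in a password cannot start the path early."""
    return f"https://{quote(username, safe='')}:{quote(password, safe='')}@{host}/simple/"


if __name__ == "__main__":
    # Constructed credentials with URL-special characters in the password.
    url = build_uv_default_index("customer-123", "p@ss:w/rd")
    print(url)
    print("problems:", validate_uv_default_index(url))
    print("problems:", validate_uv_default_index("http://u:p@pypi.crewaifactory.com/"))
```

The chart base64-encodes the value into the Kubernetes Secret for you; the percent-encoding here is a separate, URL-level concern and must be present in the value itself.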

Authentication Provider Secrets

Most authentication provider configuration values have moved to envVars (non-sensitive). Client secrets and API keys remain in secrets for authentication providers.
For complete authentication setup, see the Environment Variables Authentication Configuration section.
secrets.ENTRA_ID_CLIENT_SECRET
string
default:""
Microsoft Entra ID (Azure AD) application client secret for web application authentication.
When Required: AUTH_PROVIDER: entra_id
Obtaining: Azure Portal > App Registrations > Your App > Certificates & Secrets > Client secrets.
Example:
envVars:
  AUTH_PROVIDER: "entra_id"
  ENTRA_ID_CLIENT_ID: "12345678-1234-1234-1234-123456789012"
  ENTRA_ID_TENANT_ID: "87654321-4321-4321-4321-210987654321"

secrets:
  ENTRA_ID_CLIENT_SECRET: "your-client-secret"
Security: Keep this value secure. Rotate regularly according to your organization’s security policy.
secrets.OKTA_CLIENT_SECRET
string
default:""
Okta application client secret for web application authentication.
When Required: AUTH_PROVIDER: okta
Obtaining: Okta Admin Console > Applications > Your App > General Settings > Client Credentials.
Example:
envVars:
  AUTH_PROVIDER: "okta"
  OKTA_SITE: "https://company.okta.com"
  OKTA_CLIENT_ID: "0oa1234567890abcdef"
  OKTA_AUTHORIZATION_SERVER: "default"
  OKTA_AUDIENCE: "api://default"

secrets:
  OKTA_CLIENT_SECRET: "your-client-secret"
Security: Keep this value secure. Rotate regularly according to your organization’s security policy.
secrets.WORKOS_API_KEY
string
default:""
WorkOS API key for authentication.
When Required: AUTH_PROVIDER: workos
Obtaining: WorkOS Dashboard > Main Page > API Keys.
Format: Typically starts with sk_live_ for production or sk_test_ for testing.
Example:
envVars:
  AUTH_PROVIDER: "workos"
  WORKOS_CLIENT_ID: "client_01HXYZ123ABC456"
  WORKOS_AUTHKIT_DOMAIN: "company.authkit.com"
  WORKOS_COOKIE_PASSWORD: "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6"

secrets:
  WORKOS_API_KEY: "sk_live_abc123..."
Security: Keep this value secure. Rotate regularly according to your organization’s security policy.
secrets.KEYCLOAK_CLIENT_SECRET
string
default:""
Keycloak client secret for web application authentication.
When Required: AUTH_PROVIDER: keycloak
Obtaining: Keycloak Admin Console > Clients > Your Client > Credentials tab.
Example:
envVars:
  AUTH_PROVIDER: "keycloak"
  KEYCLOAK_CLIENT_ID: "crewai-factory"
  KEYCLOAK_SITE: "https://keycloak.company.com"
  KEYCLOAK_REALM: "crewai"

secrets:
  KEYCLOAK_CLIENT_SECRET: "55oahEeruNQGWxqzleWy02cRfW3wLf2c"
Security: Keep this value secure. Rotate regularly according to your organization's security policy.
Setup Guide: See Keycloak SSO Configuration Guide for detailed setup instructions.

Built-in Integrations Secrets

OAuth secrets are used when oauth.enabled: true. These secrets enable secure communication between the Built-in Integrations service and the Rails application for third-party integrations (Gmail, Google Calendar, Microsoft Outlook, etc.).
Secret key for signing OAuth session cookies.
Auto-Generation: If not provided, automatically generated using randAlphaNum 64 and persisted across upgrades via lookup function.
Purpose: Secures OAuth flow session data.
Manual Generation:
openssl rand -base64 64 | tr -d '\n'
secrets.OAUTH_DB_ENCRYPTION_KEY
string
default:""
Encryption key for OAuth tokens stored in the database.
Auto-Generation: If not provided, automatically generated as a 64-character hexadecimal string and persisted across upgrades.
Format: Hexadecimal string (64 characters).
Purpose: Encrypts sensitive OAuth tokens (access tokens, refresh tokens) at rest.
Manual Generation:
openssl rand -hex 32
secrets.OAUTH_INTERNAL_API_KEY
string
default:""
Internal API key for authentication between the Built-in Integrations service and Rails application.
Auto-Generation: If not provided, automatically generated using randAlphaNum 64 and persisted across upgrades.
Important: This value is automatically duplicated as CREWAI_OAUTH_API_KEY for the Rails application. Both keys will always have the same value.
Purpose: Enables secure service-to-service communication for OAuth operations.
Manual Generation:
openssl rand -base64 64 | tr -d '\n'
Note: When set manually, both OAUTH_INTERNAL_API_KEY (used by Built-in Integrations service) and CREWAI_OAUTH_API_KEY (used by Rails) will use this value automatically.

OAuth Provider Secrets

OAuth provider secrets are optional and only required if you want to enable specific OAuth integrations. Each provider requires a client ID and client secret obtained from the provider’s developer console.
Configuration: OAuth provider credentials are configured via oauth.secrets.* values in your Helm values file, which support provider-level defaults and product-specific overrides. See the CrewAI Built-in Integrations Reference - OAuth Secrets Configuration for detailed configuration examples.
For example, to configure Google OAuth for all Google products:
oauth:
  secrets:
    google:
      clientId: "123456789-abcdefg.apps.googleusercontent.com"
      clientSecret: "GOCSPX-abc123..."
The secrets documented below are the Kubernetes secret keys that are automatically generated from your oauth.secrets.* configuration.
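To make the defaults-plus-overrides resolution concrete, here is an added example (not the chart's template logic) that flattens an oauth.secrets-style mapping into the per-product secret keys listed below, and reports any product left with only a client ID or only a client secret. The flat key prefixes come from this page; the product names used as override keys (gmail, calendar, outlook, ...) and the shape of an override block are assumptions for this illustration, not the chart's documented schema, so check the Built-in Integrations Reference for the real layout. All credential values are constructed placeholders.

```python
"""Flatten oauth.secrets.* (provider defaults + product overrides) into the
GOOGLE_GMAIL_CLIENT_ID-style keys that end up in the Kubernetes Secret."""

# Flat key prefix per product, from the key list on this page.
# Product names are assumed for this example; the chart may spell them differently.
PRODUCT_PREFIXES = {
    "google": {
        "gmail": "GOOGLE_GMAIL", "calendar": "GOOGLE_CAL", "drive": "GOOGLE_DRIVE",
        "contacts": "GOOGLE_CONTACTS", "sheets": "GOOGLE_SHEETS",
        "slides": "GOOGLE_SLIDES", "docs": "GOOGLE_DOCS",
    },
    "microsoft": {
        "outlook": "MICROSOFT_OUTLOOK", "onedrive": "MICROSOFT_ONEDRIVE",
        "teams": "MICROSOFT_TEAMS", "sharepoint": "MICROSOFT_SHAREPOINT",
        "excel": "MICROSOFT_EXCEL", "word": "MICROSOFT_WORD",
    },
    "hubspot": {"hubspot": "HUBSPOT"},
    "notion": {"notion": "NOTION"},
}


def resolve_oauth_secret_keys(oauth_secrets):
    """Return (resolved, incomplete).

    resolved:   {"GOOGLE_GMAIL_CLIENT_ID": ..., "GOOGLE_GMAIL_CLIENT_SECRET": ...}
    incomplete: "provider.product" entries where only one of clientId /
                clientSecret resolved, i.e. a half-configured integration.
    A product-level block overrides the provider-level default field by field.
    """
    resolved, incomplete = {}, []
    for provider, products in PRODUCT_PREFIXES.items():
        provider_cfg = oauth_secrets.get(provider) or {}
        for product, prefix in products.items():
            override = provider_cfg.get(product)
            override = override if isinstance(override, dict) else {}
            client_id = override.get("clientId", provider_cfg.get("clientId"))
            client_secret = override.get("clientSecret", provider_cfg.get("clientSecret"))
            if client_id and client_secret:
                resolved[f"{prefix}_CLIENT_ID"] = client_id
                resolved[f"{prefix}_CLIENT_SECRET"] = client_secret
            elif client_id or client_secret:
                incomplete.append(f"{provider}.{product}")
    return resolved, incomplete


# Constructed sample: provider-wide Google credentials, a Calendar-specific
# override, and a HubSpot entry that is missing its client secret.
SAMPLE_OAUTH_SECRETS = {
    "google": {
        "clientId": "123456789-abcdefg.apps.googleusercontent.com",
        "clientSecret": "GOCSPX-example",
        "calendar": {"clientId": "cal-client-id", "clientSecret": "cal-client-secret"},
    },
    "hubspot": {"clientId": "hubspot-id-only"},
}

if __name__ == "__main__":
    keys, missing = resolve_oauth_secret_keys(SAMPLE_OAUTH_SECRETS)
    for name in sorted(keys):
        print(name)
    print("incomplete:", missing)
```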
Google OAuth Providers:
secrets.GOOGLE_GMAIL_CLIENT_ID
string
default:""
Google OAuth client ID for Gmail integration.
secrets.GOOGLE_GMAIL_CLIENT_SECRET
string
default:""
Google OAuth client secret for Gmail integration.
secrets.GOOGLE_CAL_CLIENT_ID
string
default:""
Google OAuth client ID for Google Calendar integration.
secrets.GOOGLE_CAL_CLIENT_SECRET
string
default:""
Google OAuth client secret for Google Calendar integration.
secrets.GOOGLE_DRIVE_CLIENT_ID
string
default:""
Google OAuth client ID for Google Drive integration.
secrets.GOOGLE_DRIVE_CLIENT_SECRET
string
default:""
Google OAuth client secret for Google Drive integration.
secrets.GOOGLE_CONTACTS_CLIENT_ID
string
default:""
Google OAuth client ID for Google Contacts integration.
secrets.GOOGLE_CONTACTS_CLIENT_SECRET
string
default:""
Google OAuth client secret for Google Contacts integration.
secrets.GOOGLE_SHEETS_CLIENT_ID
string
default:""
Google OAuth client ID for Google Sheets integration.
secrets.GOOGLE_SHEETS_CLIENT_SECRET
string
default:""
Google OAuth client secret for Google Sheets integration.
secrets.GOOGLE_SLIDES_CLIENT_ID
string
default:""
Google OAuth client ID for Google Slides integration.
secrets.GOOGLE_SLIDES_CLIENT_SECRET
string
default:""
Google OAuth client secret for Google Slides integration.
secrets.GOOGLE_DOCS_CLIENT_ID
string
default:""
Google OAuth client ID for Google Docs integration.
secrets.GOOGLE_DOCS_CLIENT_SECRET
string
default:""
Google OAuth client secret for Google Docs integration.
Microsoft OAuth Providers:
secrets.MICROSOFT_OUTLOOK_CLIENT_ID
string
default:""
Microsoft OAuth client ID for Outlook integration.
secrets.MICROSOFT_OUTLOOK_CLIENT_SECRET
string
default:""
Microsoft OAuth client secret for Outlook integration.
secrets.MICROSOFT_ONEDRIVE_CLIENT_ID
string
default:""
Microsoft OAuth client ID for OneDrive integration.
secrets.MICROSOFT_ONEDRIVE_CLIENT_SECRET
string
default:""
Microsoft OAuth client secret for OneDrive integration.
secrets.MICROSOFT_TEAMS_CLIENT_ID
string
default:""
Microsoft OAuth client ID for Teams integration.
secrets.MICROSOFT_TEAMS_CLIENT_SECRET
string
default:""
Microsoft OAuth client secret for Teams integration.
secrets.MICROSOFT_SHAREPOINT_CLIENT_ID
string
default:""
Microsoft OAuth client ID for SharePoint integration.
secrets.MICROSOFT_SHAREPOINT_CLIENT_SECRET
string
default:""
Microsoft OAuth client secret for SharePoint integration.
secrets.MICROSOFT_EXCEL_CLIENT_ID
string
default:""
Microsoft OAuth client ID for Excel integration.
secrets.MICROSOFT_EXCEL_CLIENT_SECRET
string
default:""
Microsoft OAuth client secret for Excel integration.
secrets.MICROSOFT_WORD_CLIENT_ID
string
default:""
Microsoft OAuth client ID for Word integration.
secrets.MICROSOFT_WORD_CLIENT_SECRET
string
default:""
Microsoft OAuth client secret for Word integration.
Other OAuth Providers:
secrets.HUBSPOT_CLIENT_ID
string
default:""
HubSpot OAuth client ID.
secrets.HUBSPOT_CLIENT_SECRET
string
default:""
HubSpot OAuth client secret.
secrets.NOTION_CLIENT_ID
string
default:""
Notion OAuth client ID.
secrets.NOTION_CLIENT_SECRET
string
default:""
Notion OAuth client secret.

Wharf Secrets

Wharf secrets are used when wharf.enabled: true. These secrets enable secure communication between the Wharf OTLP trace collector and the Rails application for distributed tracing.
secrets.WHARF_JWT_SECRET
string
default:""
JWT secret for authenticating trace submissions to the Wharf service.
Auto-Generation: If not provided, automatically generated using randAlphaNum 64 and persisted across upgrades via lookup function.
Purpose: Shared secret between the Wharf service and Rails application for authenticating OTLP trace submissions.
Manual Generation:
openssl rand -base64 48 | tr -d '\n'
ArgoCD Users: Must be set explicitly; see ArgoCD Deployment Guide.
Important: This value is automatically shared with both the Wharf service and the Rails application. Both components will use the same value for authentication.
Related Configuration:
secrets.WHARF_POSTGRES_URL
string
default:""
PostgreSQL connection string for the Wharf OTLP trace collector database.
Auto-Generated: Automatically constructed from database configuration values and not directly user-configurable.
Format: postgres://username:password@host:port/database
Components Used:
  • Host: envVars.DB_HOST or postgres.fullnameOverride (if internal PostgreSQL enabled)
  • Port: envVars.DB_PORT (default: "5432")
  • User: envVars.DB_USER
  • Password: secrets.DB_PASSWORD
  • Database: postgres.wharfDatabase (default: "wharf")
SSL Mode: Uses PostgreSQL default SSL mode (prefer). To enforce SSL connections on external databases, configure SSL enforcement at the database server level (e.g., AWS RDS parameter rds.force_ssl=1).
Purpose: Provides Wharf service with connection credentials to its dedicated PostgreSQL database for storing OTLP trace data.
Related Configuration:
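Because this URL is assembled by the chart from the components listed above, the practical check is whether your DB_PASSWORD survives being embedded in a URL. The following added example (not the chart's template) rebuilds the connection string from dict-shaped values mirroring the Helm layout, percent-encoding the credentials, and parses it back so the components can be compared. Assumptions for this illustration: envVars.DB_HOST takes precedence over the internal service name, and the defaults are the ones stated on this page; the sample values are constructed.

```python
"""Rebuild and inspect a WHARF_POSTGRES_URL-style connection string."""
from urllib.parse import quote, unquote, urlsplit


def build_wharf_postgres_url(values):
    env = values.get("envVars", {})
    pg = values.get("postgres", {})
    secret_values = values.get("secrets", {})
    # Host: envVars.DB_HOST, else the internal PostgreSQL service name when enabled
    host = env.get("DB_HOST")
    if not host and pg.get("enabled"):
        host = pg.get("fullnameOverride")
    if not host:
        raise ValueError("no database host: set envVars.DB_HOST or enable internal PostgreSQL")
    port = str(env.get("DB_PORT", "5432"))
    user = env.get("DB_USER", "postgres")
    password = secret_values.get("DB_PASSWORD", "")
    database = pg.get("wharfDatabase", "wharf")
    # Percent-encode the userinfo so '@', ':' or '/' inside a password cannot be
    # misread as the start of the host or the path.
    return (f"postgres://{quote(user, safe='')}:{quote(password, safe='')}"
            f"@{host}:{port}/{database}")


def parse_wharf_postgres_url(url):
    """Split the URL back into components, with credentials unquoted."""
    p = urlsplit(url)
    return {
        "user": unquote(p.username or ""),
        "password": unquote(p.password or ""),
        "host": p.hostname,
        "port": p.port,
        "database": p.path.lstrip("/"),
    }


# Constructed sample values (not a real deployment); the password deliberately
# contains characters that are special in URLs.
SAMPLE_VALUES = {
    "envVars": {"DB_HOST": "db.internal.example", "DB_USER": "wharf_user"},
    "secrets": {"DB_PASSWORD": "p@ss/w:rd"},
    "postgres": {"enabled": False, "wharfDatabase": "wharf"},
}

if __name__ == "__main__":
    url = build_wharf_postgres_url(SAMPLE_VALUES)
    print(url)
    print(parse_wharf_postgres_url(url))
```

If the parsed password does not equal the one you configured, the password contains characters that need attention before it is used in a URL-based connection string; the SSL mode caveat above still applies regardless of how the URL is formed.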