web.name
string
default:"web"
Name identifier for web component. Used in labels and resource names.
web.useHttps
boolean
default:"true"
Enable HTTPS protocol for external access.
When Enabled:
  • Application is accessed via HTTPS URL
  • Must be set to true when using web.enableSslFromPuma: true
  • Required for proper protocol detection in URLs
When to Disable:
  • Ingress handles TLS termination and application accessed via HTTP
  • Internal cluster-only access without encryption
web.enableSslFromPuma
boolean
default:"true"
Enable SSL/TLS at the application level (Puma web server).
When Enabled:
  • Puma serves HTTPS directly with TLS certificates
  • Automatically sets APPLICATION_INTERNAL_URL to use https://
  • Automatically sets NGINX backend-protocol to HTTPS
  • Requires SSL certificate configuration (via web.tls.autoGenerate or secrets.SSL_*)
When to Disable:
  • Ingress or load balancer handles TLS termination
  • Application serves HTTP only
  • Using external TLS proxy
Note: This is different from web.useHttps, which controls the external protocol; web.enableSslFromPuma controls whether Puma itself handles TLS encryption.
web.port
integer
default:"443"
Port where the web application listens.
Default Behavior:
  • 443 when web.enableSslFromPuma: true (HTTPS)
  • Typically 80 or 3000 when TLS is disabled
Note: This is the container port. Service port is auto-configured based on this value and ingress settings.
web.replicaCount
integer
default:"1"
Number of web application replicas.
High Availability Recommendations:
  • Development: 1 replica
  • Staging: 2 replicas
  • Production: 3+ replicas across multiple availability zones
Scaling Considerations:
  • Each replica needs full resource allocation (6 CPU / 12Gi by default)
  • Database connections scale with replicas
  • Session management requires sticky sessions or external session store
web.service.type
string
default:""
Kubernetes service type for web application.
Auto-Detection: When empty:
  • "ClusterIP" if ingress is enabled
  • "LoadBalancer" if ingress is disabled
Valid Values:
  • "ClusterIP" - Internal cluster access only
  • "LoadBalancer" - Expose via cloud load balancer
  • "NodePort" - Expose on node ports
Production Recommendation: Use "ClusterIP" with ingress for production deployments.

web.tls.*

Application-level TLS configuration.
web.tls.autoGenerate
boolean
default:"false"
Automatically generate self-signed TLS certificate.
When Enabled:
  • Certificate generated during Helm deployment
  • Persisted across upgrades using lookup function
  • Includes all hostnames from hosts array
Use Cases:
  • Development environments
  • Testing HTTPS functionality
  • Environments without proper certificate management
Production Recommendation: Use ingress TLS with proper certificates instead.
web.tls.duration
integer
default:"365"
Certificate validity period in days (for auto-generated certificates).
web.tls.hosts
array
default:"[\"localhost\", \"127.0.0.1\"]"
Additional hostnames to include in auto-generated certificate.
Example:
web:
  tls:
    autoGenerate: true
    hosts:
      - localhost
      - crewai.local
      - 10.0.0.100

web.resources.*

Resource limits and requests for web application container.
web.resources.limits.cpu
string
default:"6"
CPU limit for web pod.
web.resources.limits.memory
string
default:"12Gi"
Memory limit for web pod.
web.resources.requests.cpu
string
default:"500m"
Guaranteed CPU allocation for web pod.
web.resources.requests.memory
string
default:"6Gi"
Guaranteed memory allocation for web pod.
web.terminationGracePeriodSeconds
integer
default:"30"
Seconds to allow for graceful pod shutdown.
Purpose: Allows in-flight requests to complete before pod termination.
Production Recommendation: Set to 60-120 seconds for production to handle long-running requests.
web.nodeSelector
object
default:"{}"
Node selector for web pod placement.
Example:
web:
  nodeSelector:
    node-role.kubernetes.io/frontend: "true"
    topology.kubernetes.io/zone: us-west-2a
Use Cases:
  • Ensure web pods run on nodes with specific capabilities
  • Separate web workload from database or worker workload
  • Control pod placement across availability zones

web.readinessProbe.*

Readiness probe configuration for web pods.
web.readinessProbe.initialDelaySeconds
integer
default:"10"
Seconds to wait before first readiness check.
Tuning: Increase if application takes longer to start.
web.readinessProbe.periodSeconds
integer
default:"10"
Seconds between readiness checks.
web.readinessProbe.timeoutSeconds
integer
default:"5"
Readiness probe timeout.
web.readinessProbe.successThreshold
integer
default:"1"
Consecutive successes required.
web.readinessProbe.failureThreshold
integer
default:"3"
Consecutive failures before pod marked not ready.
Purpose: Removes pod from service load balancing during failures, preventing request failures.

web.ingress.*

Ingress configuration for external web access.
web.ingress.enabled
boolean
default:"false"
Enable ingress for web application.
Production Recommendation: Enable for production deployments.
web.ingress.className
string
default:"nginx"
Ingress class name.
Common Values:
  • "nginx" - NGINX Ingress Controller
  • "alb" - AWS Application Load Balancer Controller
  • "traefik" - Traefik Ingress
  • "istio" - Istio Virtual Service (see virtualService.*)
web.ingress.host
string
default:""
Hostname for ingress routing.
Example: "crewai.company.com"
Required: Must be set when ingress is enabled.
web.ingress.path
string
default:"/"
URL path for ingress routing.
Use Cases:
  • Root path: "/" (most common)
  • Subpath deployment: "/crewai"
web.ingress.pathType
string
default:"Prefix"
Path matching type.
Valid Values:
  • "Prefix" - Match path prefix
  • "Exact" - Exact path match
  • "ImplementationSpecific" - Controller-specific
web.ingress.annotations
object
default:"{}"
Custom annotations for the Ingress resource.
Purpose: Add ingress controller-specific annotations not covered by the built-in configuration options.
Example:
web:
  ingress:
    annotations:
      cert-manager.io/cluster-issuer: "letsencrypt-prod"
      nginx.ingress.kubernetes.io/rate-limit: "100"
      external-dns.alpha.kubernetes.io/hostname: "crewai.example.com"
Note: These annotations are applied in addition to the controller-specific annotations (ALB, NGINX) that are automatically generated based on other configuration values like web.ingress.alb.* and web.ingress.nginx.*.

web.ingress.alb.*

AWS Application Load Balancer specific configuration.
web.ingress.alb.scheme
string
default:"internet-facing"
ALB scheme.
Valid Values:
  • "internet-facing" - Public internet access
  • "internal" - VPC-internal only
web.ingress.alb.targetType
string
default:"ip"
ALB target type.
Valid Values:
  • "ip" - Direct pod IP routing (recommended for EKS)
  • "instance" - NodePort routing
web.ingress.alb.certificateArn
string
default:""
ACM certificate ARN for HTTPS.
Example: "arn:aws:acm:us-west-2:123456789012:certificate/abc-def-ghi"
Required: For HTTPS access via ALB.
web.ingress.alb.sslPolicy
string
default:"ELBSecurityPolicy-TLS-1-2-2017-01"
ALB SSL/TLS policy.
Common Policies:
  • "ELBSecurityPolicy-TLS-1-2-2017-01" - TLS 1.2+ (recommended)
  • "ELBSecurityPolicy-TLS-1-2-Ext-2018-06" - Extended TLS 1.2+
  • "ELBSecurityPolicy-FS-1-2-Res-2020-10" - Forward secrecy enforced

web.ingress.nginx.*

NGINX Ingress Controller specific configuration.
web.ingress.nginx.sslRedirect
boolean
default:"false"
Automatically redirect HTTP to HTTPS.
Production Recommendation: Enable when TLS is configured.
web.ingress.nginx.proxyBodySize
string
default:"50m"
Maximum allowed size for client request body.
Use Cases:
  • File uploads
  • Large API payloads
Syntax: "<number>m" for megabytes, "<number>g" for gigabytes, "0" for unlimited.
web.ingress.nginx.enableCors
boolean
default:"true"
Enable Cross-Origin Resource Sharing (CORS).
Purpose: Allow browser-based applications from different origins to access the API.
web.ingress.nginx.corsAllowMethods
string
default:"GET, PUT, POST, DELETE, PATCH, OPTIONS"
Allowed HTTP methods for CORS.
web.ingress.nginx.corsAllowHeaders
string
Allowed HTTP headers for CORS preflight.
web.ingress.nginx.corsAllowOrigin
string
default:"*"
Allowed origins for CORS.
Production Recommendation: Specify exact origins instead of "*":
web:
  ingress:
    nginx:
      corsAllowOrigin: "https://app.company.com,https://admin.company.com"
web.ingress.nginx.corsAllowCredentials
boolean
default:"true"
Allow credentials (cookies, authorization headers) in CORS requests.
web.ingress.nginx.sessionAffinity
boolean
default:"true"
Enable sticky sessions (session affinity).
Purpose: Routes requests from the same client to the same backend pod.
When Needed:
  • In-memory session storage
  • WebSocket connections
  • Application-specific caching
Cookie name for session affinity.
Cookie path for session affinity.
web.ingress.nginx.whitelistSourceRange
string
default:""
IP CIDR ranges allowed to access ingress.
Default Behavior: When empty (default), no IP restrictions are applied.
Example - Multiple Ranges:
web:
  ingress:
    nginx:
      whitelistSourceRange: "10.0.0.0/8,172.16.0.0/12,203.0.113.0/24"
Production Recommendation: Restrict to known corporate IP ranges or VPN endpoints for enhanced security.
web.ingress.nginx.backendProtocol
string
default:""
Backend protocol for NGINX to use when communicating with the web pods.
Auto-Detection: When empty (default), the protocol is set automatically based on web.enableSslFromPuma:
  • "HTTPS" if web.enableSslFromPuma is true
  • "HTTP" if web.enableSslFromPuma is false
Valid Values:
  • "" - Auto-detect (recommended)
  • "HTTP" - Force HTTP backend communication
  • "HTTPS" - Force HTTPS backend communication
Use Cases:
  • Most deployments should use auto-detection (leave empty)
  • Override only when custom TLS termination or protocol handling is needed
Note: Corresponds to the nginx.ingress.kubernetes.io/backend-protocol annotation.
web.ingress.nginx.tls.enabled
boolean
default:"true"
Enable TLS for NGINX ingress.
web.ingress.nginx.tls.secretName
string
default:""
Name of Kubernetes TLS secret.
Create Secret:
kubectl create secret tls crewai-tls \
  --cert=tls.crt \
  --key=tls.key
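
A pre-deploy check over the constraints and production recommendations stated above for web.useHttps, web.ingress.host and web.ingress.nginx.*. This is an added example, not part of the chart. The names DEFAULTS, get, audit_web_values and SAMPLE are hypothetical, and the values file is assumed to be already parsed into a dict.

```python
import ipaddress

# Defaults documented on this page for the keys read below.
DEFAULTS = {
    "useHttps": True, "enableSslFromPuma": True,
    "ingress.enabled": False, "ingress.className": "nginx", "ingress.host": "",
    "ingress.nginx.sslRedirect": False, "ingress.nginx.tls.enabled": True,
    "ingress.nginx.enableCors": True, "ingress.nginx.corsAllowOrigin": "*",
    "ingress.nginx.corsAllowCredentials": True,
    "ingress.nginx.whitelistSourceRange": "",
}

def get(web, dotted):
    """Read a dotted key under `web`, falling back to the documented default."""
    node = web
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return DEFAULTS[dotted]
        node = node[part]
    return node

def audit_web_values(values):
    """Return findings for a values dict (e.g. the result of parsing values.yaml)."""
    web, out = values.get("web") or {}, []
    if get(web, "enableSslFromPuma") and not get(web, "useHttps"):
        out.append("useHttps must be true when enableSslFromPuma is true")
    if not get(web, "ingress.enabled"):
        return out
    if not get(web, "ingress.host"):
        out.append("ingress.host must be set when ingress is enabled")
    if get(web, "ingress.className") != "nginx":
        return out  # the remaining checks read web.ingress.nginx.* only
    n = "ingress.nginx."
    if get(web, n + "tls.enabled") and not get(web, n + "sslRedirect"):
        out.append("sslRedirect is off although ingress TLS is enabled")
    origins = [o.strip() for o in get(web, n + "corsAllowOrigin").split(",")]
    if get(web, n + "enableCors") and "*" in origins:
        cred = get(web, n + "corsAllowCredentials")
        out.append("corsAllowOrigin is '*'" + (" with credentials allowed" if cred else ""))
    ranges = [r.strip() for r in get(web, n + "whitelistSourceRange").split(",") if r.strip()]
    if not ranges:
        out.append("whitelistSourceRange is empty: no IP restriction")
    for r in ranges:
        try:
            ipaddress.ip_network(r)  # strict: rejects host bits, e.g. 10.0.0.1/8
        except ValueError:
            out.append("whitelistSourceRange entry is not a valid CIDR: " + r)
    return out

# Constructed sample: ingress on, one malformed CIDR, the rest at chart defaults.
SAMPLE = {"web": {"ingress": {"enabled": True, "nginx": {"whitelistSourceRange": "10.0.0.1/8"}}}}
```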

web.virtualService.*

Istio Virtual Service configuration (alternative to standard ingress).
web.virtualService.enabled
boolean
default:"false"
Enable Istio Virtual Service instead of standard ingress.
web.virtualService.host
string
default:""
Hostname for virtual service routing.
web.virtualService.gateway
string
default:""
Istio Gateway resource name.
Example:
web:
  virtualService:
    enabled: true
    host: "crewai.company.com"
    gateway: "istio-system/public-gateway"