Skip to content

Configuration

Full reference for chart/values.yaml, grouped by area. See Installation for how these combine into the three auth modes and the NebariApp integration.

Image

KeyDefaultDescription
image.repositoryghcr.io/nebari-dev/nebari-framesImage repository.
image.tag""Image tag. Empty defaults to the chart appVersion.
image.pullPolicyIfNotPresentImage pull policy.

Replicas

KeyDefaultDescription
replicaCount1Pod replicas. SQLite is single-writer - do not raise this.

Persistence

KeyDefaultDescription
persistence.enabledtrueUse a PersistentVolumeClaim for the database. If false, storage is ephemeral and data is lost on pod restart.
persistence.mountPath/dataMount path for the data volume.
persistence.dbFilenebari-frames.dbSQLite filename under the mount path.
persistence.size1GiPVC size.
persistence.storageClass""StorageClass for the PVC. Empty uses the cluster default; set explicitly in production.
persistence.accessModeReadWriteOncePVC access mode.

Seed (first org and admin)

KeyDefaultDescription
seed.orgSlug""Slug for the seeded organization.
seed.orgDisplayName""Display name for the seeded organization.
seed.adminEmail""Email of the first admin, reconciled to their OIDC subject on first login.

Auth modes

Auth mode is selected fail-closed (mirrors the backend’s own startup check):

nebariapp.enabled && nebariapp.auth.enabled -> OIDC env from the operator-provisioned secret
else auth.devMode == true -> FRAMES_DEV_MODE=true (no auth)
else -> auth.oidc.* (self-managed OIDC)
KeyDefaultDescription
auth.devModefalseWhen true (and NebariApp auth is off), disables auth and uses a fixed dev identity. Local use only.
auth.oidc.issuerUrl""OIDC issuer URL for self-managed auth.
auth.oidc.clientId""OIDC client id for the SPA.
auth.oidc.deviceClientId""OIDC client id for the device-code flow (CLI login).

NebariApp

KeyDefaultDescription
nebariapp.enabledfalseCreate a NebariApp so the nebari-operator provisions routing, TLS, and OIDC.
nebariapp.hostname""Hostname the operator routes to the app.
nebariapp.gatewaypublicGateway the operator attaches the route to.
nebariapp.routing.routes[{pathPrefix: /, pathType: PathPrefix}]Routes the operator creates the HTTPRoute from. Without this the operator reports RoutingNotConfigured and the hostname is unreachable.
nebariapp.routing.tls.enabledtrueWhether the operator provisions a certificate for the hostname. Without this the operator reports TLSDisabled.
nebariapp.landingPage.enabledtrueShow a tile on the Nebari landing page.
nebariapp.landingPage.displayNameFramesTile display name.
nebariapp.landingPage.descriptionReusable context Frames for AI assistants, with a remote MCP endpoint.Tile description.
nebariapp.landingPage.categoryPlatformTile category.
nebariapp.auth.enabledtrueWhen true, the operator provisions OIDC clients and the app uses them (see Auth modes above).
nebariapp.auth.scopes[openid, profile, email]OIDC scopes requested.

MCP

KeyDefaultDescription
mcp.enabledtrueMount the /mcp endpoint when a public URL is derivable.
mcp.publicUrl""Override the MCP public URL. Defaults to https://<nebariapp.hostname> when nebariapp.enabled is true.