Install Bud-Stack from the OCI Helm chart against managed (external) databases and object storage
This guide installs Bud-Stack from the published OCI Helm chart and points it
at managed services you already operate (e.g. Azure Database for PostgreSQL,
Cosmos DB for MongoDB, Azure Cache for Redis, Azure Blob via an S3-compatible
gateway, an external Kafka and ClickHouse). It lists only the configuration
that is mandatory for a new setup — defaults are fine for everything else.
If you want an all-in-one cluster with bundled Postgres/Mongo/Valkey/SeaweedFS,
follow the Installation Guide instead.
Chart Ingresses are pinned to ingressClassName: traefik.
TLS strategy
ingress.https: disabled (plain HTTP), internal (Traefik/cert-manager in-cluster certs), or external (terminated upstream by a LB/WAF).
OIDC identity provider
Any OIDC-compliant IdP works (Keycloak, Auth0, Okta, Azure AD, Google, etc.). Authorization is owned by budapp’s Postgres-backed PDP — the IdP only needs to issue ID tokens. The sibling keycloak chart (also published at oci://registry.bud.studio/charts/keycloak) is a convenient default if you don’t already run one.
Registry credentials
Robot account for registry.bud.studio (request from sinan@bud.studio)
bud/secrets.bud.yaml enumerates the full set of secret key paths the
platform needs (externalServices.*, microservices.*, daprExtra.crypto,
novu.*); secrets.demo.yaml is a minimal example that carries only the
registry pull credentials. Both shipped files are SOPS-encrypted (values
appear as ENC[...]), so they are not drop-in templates — use
secrets.bud.yaml for the key structure and supply your own plaintext values
in a separate secrets.yaml, following the references in Steps 3–4. Keep
secrets.yaml out of version control (or SOPS-encrypt it).
All managed services are configured under externalServices in values.yaml
and the matching credential blocks live in secrets.yaml. Provision the
resources below first, then fill in the values.
A single Redis instance, multiplexed by logical DB index.
Configure in values.yaml
Configure in secrets.yaml
externalServices.valkey.host
externalServices.valkey.password
externalServices.valkey.port
externalServices.valkey.databases.* (numeric index per consumer)
novu.externalRedis.host
The novu.externalRedis block references the same instance; only the host is
restated — the password is shared from externalServices.valkey.password
via the <release>-novu-externalredis Secret.
Any OIDC-compliant IdP is supported — budapp validates ID tokens via
OIDC discovery and stores all authorization state in its own Postgres PDP.
If you don’t already operate one, the sibling keycloak chart
(oci://registry.bud.studio/charts/keycloak) gives you a working Keycloak in one
install.You must pre-create the OAuth clients that the redirect-flow uses
(budadmin-web, budcustomer-web, budplayground-web, plus the
mcpgateway client) in your IdP and copy the client secrets into
secrets.yaml (see Application secrets).
Configure in values.yaml
Configure in secrets.yaml
externalServices.oidc.url (full issuer URL, incl. the realm segment)
externalServices.oidc.clients.mcpgateway.secret
externalServices.oidc.clients.mcpgateway.id (the mcpgateway client id)
The issuer is set directly on externalServices.oidc.url. As of chart 0.14.0
budapp uses externalServices.oidc.url as its OIDC issuer verbatim — for a
default Keycloak that is https://<auth-host>/realms/bud-keycloak (the realm
segment is part of the URL). It must match the keycloak chart’s ingress.host.
The oidc.clients.mcpgateway.* keys configure the mcpgateway OAuth client
specifically; they do not change budapp’s issuer.
Using a non-Keycloak IdP. Any OIDC-compliant IdP works, but the defaults are
Keycloak-shaped. To point budapp at Auth0 / Authentik / Cognito / Azure AD,
override these in microservices.budapp.env rather than just setting .url:
OIDC_ISSUER (your provider’s full issuer URL) and OIDC_ROLES_CLAIM_PATH
(where the IdP encodes roles — Keycloak realm_access.roles, Auth0
https://yourapp/roles, Cognito cognito:groups). The legacy
keycloak.auth.adminUser / adminPassword fields are only consulted when you
run the bundled Keycloak chart.
Redirect-flow clients must exist in the realm before the budapp pod
boots, otherwise the login flow returns invalid_client.
registries.registry.bud.studio credentials are required even for
airgapped clusters that already mirrored the images — the chart still
creates the imagePullSecret referenced by every Deployment.