Helm Configuration Reference
All Tiers
Calabi is deployed and configured via Helm charts. All platform behavior — which modules are enabled, resource sizes, feature flags, integration endpoints, and security settings — is controlled through a layered values.yaml hierarchy. This page documents the three-tier configuration model, every major configuration section, and common patterns for customizing your deployment.
Three-Tier Configuration Hierarchy
Calabi's Helm configuration uses a layered merge strategy:
base/values.yaml ← Calabi defaults (do not modify)
↓
tier/values.yaml ← Tier-specific defaults (professional.yaml / enterprise.yaml)
↓
client/values.yaml ← Your organization's overrides (the file you edit)
Values in client/values.yaml override tier/values.yaml, which override base/values.yaml. You only need to specify values you want to change from the defaults.
Applying Configuration Changes
# Preview the merged values without deploying
helm template calabi ./calabi-chart \
-f base/values.yaml \
-f tier/professional.yaml \
-f client/values.yaml
# Deploy / upgrade with your client values
helm upgrade calabi ./calabi-chart \
-f base/values.yaml \
-f tier/professional.yaml \
-f client/values.yaml \
--namespace calabi-tenant-<id> \
--atomic \
--timeout 10m
Use --atomic
The --atomic flag automatically rolls back to the previous release if any deployment step fails. Always use it for production upgrades.
Global Settings
global:
# Your organization's unique tenant identifier
tenantId: "acme-corp"
# The base domain for all Calabi services
domain: "calabi.acme.com"
# Platform tier: starter | professional | enterprise
tier: "professional"
# AWS region where Calabi is deployed
awsRegion: "us-east-1"
# Docker image registry (ECR repository)
imageRegistry: "123456789.dkr.ecr.us-east-1.amazonaws.com/calabi"
# Image tag — corresponds to a Calabi platform release version
imageTag: "2.4.1"
# TLS configuration
tls:
enabled: true
certArn: "arn:aws:acm:us-east-1:123456789:certificate/abc-123"
# Timezone for all scheduled jobs
timezone: "America/New_York"
Enabling and Disabling Modules
Each Calabi module can be independently enabled or disabled. Disabled modules have their pods scaled to zero and their UI menu items hidden.
modules:
catalogue:
enabled: true
calabiiq:
enabled: true
aiAgent:
enabled: true
connect:
enabled: true
pipelines:
enabled: true # Professional and Enterprise only
transform:
enabled: true # Professional and Enterprise only
automate:
enabled: true # Professional and Enterprise only
ml:
enabled: false # Enterprise only
aiBuilder:
enabled: false # Enterprise only
ollama:
enabled: false # Enterprise only — local LLM runtime
CalabiIQ Configuration
calabiiq:
enabled: true
webserverReplicas: 2
workerReplicas: 4
features:
alerting: true
embeddedCharts: true
sqlLab: true
explore: true
rowLevelSecurity: true
cache:
defaultTimeout: 86400 # 24 hours in seconds
metadataDatabase:
# Override only if using an external database
host: ""
port: 5432
database: "calabi_calabiiq"
resources:
webserver:
requests:
cpu: "500m"
memory: "1Gi"
limits:
cpu: "2"
memory: "4Gi"
worker:
requests:
cpu: "500m"
memory: "1Gi"
limits:
cpu: "2"
memory: "4Gi"
Calabi Catalogue Configuration
catalogue:
enabled: true
replicas: 2
search:
managedSearch: true
externalHost: ""
indexName: "calabi_catalogue"
dataQuality:
enabled: true
schedulerReplicas: 1
lineage:
enabled: true
resources:
server:
requests:
cpu: "1"
memory: "2Gi"
limits:
cpu: "4"
memory: "8Gi"
Calabi Pipelines Configuration
pipelines:
enabled: true
schedulerReplicas: 2
workerReplicas: 4
# KubernetesExecutor (default) | CeleryExecutor | LocalExecutor
executor: "KubernetesExecutor"
dagStorage:
type: "s3"
bucket: "calabi-dags-acme-corp"
prefix: "dags/"
syncIntervalSeconds: 30
webserver:
replicas: 2
authBackend: "calabi"
# Pre-configured connections (passwords sourced from Kubernetes secrets)
connections:
- id: "redshift_default"
connType: "redshift"
host: "acme-corp.us-east-1.redshift.amazonaws.com"
schema: "public"
port: 5439
resources:
scheduler:
requests:
cpu: "500m"
memory: "2Gi"
limits:
cpu: "2"
memory: "4Gi"
worker:
requests:
cpu: "1"
memory: "2Gi"
limits:
cpu: "4"
memory: "8Gi"
Calabi Automate Configuration
automate:
enabled: true
replicas: 2
# Kubernetes secret containing the AES-256 encryption key for credential vault
encryptionKeySecretName: "calabi-automate-encryption"
webhookBaseUrl: "https://automate.calabi.acme.com"
# Delete workflow execution logs older than N days
executionDataRetentionDays: 30
resources:
requests:
cpu: "500m"
memory: "512Mi"
limits:
cpu: "2"
memory: "2Gi"
Calabi AI Builder Configuration
aiBuilder:
enabled: true
replicas: 2
encryptionKeySecretName: "calabi-aibuilder-encryption"
rateLimits:
requestsPerMinute: 100
requestsPerDay: 10000
resources:
requests:
cpu: "500m"
memory: "1Gi"
limits:
cpu: "4"
memory: "8Gi"
Local Models Configuration
ollama:
enabled: false # Set to true on Enterprise tier with sufficient node capacity
# Models to pre-pull at deployment time
models:
- llama3.1:8b
- mistral:7b
- nomic-embed-text
keepAlive: "15m"
numParallel: 2
gpu:
enabled: false
count: 1
type: "nvidia" # nvidia | amd
resources:
requests:
cpu: "4"
memory: "16Gi"
limits:
cpu: "8"
memory: "32Gi"
gpuResources:
limits:
nvidia.com/gpu: "1" # Only used when gpu.enabled: true
persistence:
enabled: true
size: "100Gi"
storageClass: "gp3"
Database Configuration
database:
# true = Calabi provisions and manages an RDS instance
# false = You supply an existing database connection
managedRds: true
external:
host: ""
port: 5432
name: "calabi"
secretName: "calabi-db-credentials"
rds:
instanceClass: "db.r6g.xlarge"
allocatedStorageGb: 100
maxAllocatedStorageGb: 1000
multiAz: true
backupRetentionDays: 7
deletionProtection: true
snapshotOnDelete: true
Redis Configuration
redis:
managedElastiCache: true
external:
host: ""
port: 6379
secretName: "calabi-redis-credentials"
elastiCache:
nodeType: "cache.r6g.large"
numCacheNodes: 2
automaticFailoverEnabled: true
Networking and Ingress
ingress:
enabled: true
className: "alb"
annotations:
kubernetes.io/ingress.class: alb
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/target-type: ip
alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:us-east-1:123456789:certificate/abc-123"
alb.ingress.kubernetes.io/ssl-redirect: "443"
hosts:
- host: "calabi.acme.com"
service: "calabi-frontend"
- host: "api.calabi.acme.com"
service: "calabi-api"
- host: "automate.calabi.acme.com"
service: "calabi-automate"
- host: "ai-builder.calabi.acme.com"
service: "calabi-ai-builder"
Monitoring Configuration
monitoring:
prometheus:
enabled: true
serviceMonitor: true
cloudwatch:
enabled: true
region: "us-east-1"
namespace: "Calabi/acme-corp"
logRetentionDays: 90
auditLogRetentionDays: 2555
alertChannels:
slack:
enabled: true
webhookSecretName: "calabi-slack-webhook"
channel: "#platform-alerts"
pagerduty:
enabled: false
integrationKeySecretName: "calabi-pagerduty-key"
Backup Configuration
backup:
enabled: true
schedule:
metadata: "0 2 * * *" # 2:00 AM UTC daily
pipelineState: "0 2 * * *"
mlArtifacts: "0 3 * * *" # 3:00 AM UTC daily
destination:
s3:
bucket: "calabi-backups-acme-corp"
prefix: "backups/"
region: "us-east-1"
kmsKeyArn: "arn:aws:kms:us-east-1:123456789:key/abc-123"
retention:
dailyBackups: 30
weeklyBackups: 12
monthlyBackups: 24
Common Configuration Patterns
Scaling for High-Volume Workloads (> 500 daily active users)
calabiiq:
webserverReplicas: 4
workerReplicas: 8
pipelines:
workerReplicas: 8
database:
rds:
instanceClass: "db.r6g.2xlarge"
allocatedStorageGb: 500
Internal-Only Deployment (No Public Internet)
ingress:
annotations:
alb.ingress.kubernetes.io/scheme: internal
alb.ingress.kubernetes.io/inbound-cidrs: "10.0.0.0/8"
Enabling All Enterprise Modules
modules:
ml:
enabled: true
aiBuilder:
enabled: true
ollama:
enabled: true
models:
- llama3.1:8b
- nomic-embed-text
Cost-Optimized Starter Configuration
calabiiq:
webserverReplicas: 1
workerReplicas: 2
resources:
webserver:
requests:
cpu: "250m"
memory: "512Mi"
database:
rds:
instanceClass: "db.t3.medium"
multiAz: false
redis:
elastiCache:
nodeType: "cache.t3.small"
numCacheNodes: 1
automaticFailoverEnabled: false
Related Pages
- Deployment Guide — Initial Helm deployment procedure
- Multi-Tenancy — Per-tenant Helm values organization
- Backup & Recovery — Backup settings and restore procedures
- Platform Monitoring — Monitoring and alerting configuration