Skip to content

Latest commit

 

History

History
702 lines (568 loc) · 64.8 KB

File metadata and controls

702 lines (568 loc) · 64.8 KB

platform

A Helm chart to deploy Seqera Platform (also referred to as Tower) on Kubernetes.

Version: 0.35.0 Type: application AppVersion: v26.1.3

Some basic familiarity with Helm is assumed. If you are new to Helm, please refer to the Helm documentation. We recommend reading through the values.yaml file to understand the configuration options available for the chart. Each entry is documented with # -- comments describing its purpose and usage. Other annotations are used to automatically generate the README files and can be ignored:

  • # @section — groups related values under a heading in the generated README
  • # @default — documents a default value that is computed in the templates rather than set literally in values.yaml

Requirements and configuration

For an overview of the Seqera Platform architecture and its requirements, refer to the Seqera documentation.

Note that the Seqera charts do not automatically set cr.seqera.io as the registry where to pull images from, as we want to encourage users to use their own registries to improve reliability: instructions are available to vendor the Seqera container images to your private registry. We also recommend vendoring the Seqera charts.

The required values to set in order to have a working installation are:

  • The domain where Seqera Platform is accessible, set under .global.platformExternalDomain.
  • The .image section under the .backend, .frontend, .cron and .cron.dbMigrationInitContainer components to point to your container registry.
  • Container registry credentials under the .global.imageCredentials section (can be the credentials for cr.seqera.io or your private registry where you vendored the images to). Alternatively, to avoid storing sensitive credentials in the values file, you can create a Kubernetes Secret containing the credentials and reference it in the .global.imageCredentialsSecrets value. Refer to the Kubernetes docs to create a Kubernetes Secret to store image pull credentials.
    • These credentials will be used by all the subcharts unless overridden in the specific subchart.
    • Multiple credentials can be specified to cover different registries or repositories within the same registry, e.g. you can set credentials for cr.seqera.io/enterprise (where Platform images are located) and cr.seqera.io/ai (where Seqera AI products are located).
    • Additional pull secrets can be defined in each .image section to extend the global credentials, if that image is located in a different registry.
    • Image pull secrets defined in the specific .image section will be added to the global ones, they won't replace them.
  • The database connection details for the Platform MySQL database under the .platformDatabase section.
  • The redis connection details under the .redis section.
  • The Seqera license key under the .platform.licenseString value, or the name of an existing Secret containing the license key under the .platform.licenseSecretName value.
  • Other sensitive values are automatically generated by the Helm chart if not provided (e.g. database encryption keys, initial access tokens), but we recommend setting them to known values to avoid losing access to the Platform installation in case of a Helm chart reinstallation.
    • When setting the Platform OIDC client registration token to an existing secret, make sure to set the same secret in the following subchart values .studios.proxy.oidcClientRegistrationTokenSecretName and .mcp.oidcToken.existingSecretName.

The Helm chart comes with several requirement checks that will validate the provided configuration before proceeding with the installation.

By default the chart selects the Platform application images defined in the appVersion field of the Chart.yaml file, currently set as v26.1.3.

Note

The Platform chart requires the unprivileged version of the Seqera Platform frontend image (shipped with -unprivileged suffix until Platform v25.3, without any suffix starting from v26.1).

When a sensitive value is required (e.g. the database password, the Seqera license key), you can either provide it directly in the values file or reference an existing Kubernetes Secret containing the value. The key names to use in the provided Secret are specified in the values file comments. Sensitive values provided as plain text by the user are always stored in a Kubernetes Secret created by the chart. When an external Secret is used instead, the chart instructs the components to read the sensitive value from the external Secret directly, without further storing copies of the sensitive value in the chart-created Secret. Refer to this example for a demonstration of how to create a Kubernetes Secret to store sensitive values.

Installing the chart

To install the chart:

  1. Download the default values file:
    helm show values oci://public.cr.seqera.io/charts/platform --version 0.35.0 > values.yaml
  2. Edit values.yaml to match your environment. We recommend removing entries whose defaults you don't need to override — this keeps your configuration file focused and easier to maintain across upgrades.
  3. Install the chart with the release name my-release:
    helm install my-release oci://public.cr.seqera.io/charts/platform \
      --version 0.35.0 \
      --namespace my-namespace \
      --create-namespace \
      -f values.yaml

For a list of available chart versions, see the chart repository: https://public.cr.seqera.io/repo/charts/platform

Alternative: installing from the Helm repository

Charts are also published to a traditional Helm repository. This can be useful in environments where pulling from OCI registries is restricted:

helm repo add seqeralabs https://seqeralabs.github.io/helm-charts
helm repo update
helm install my-release seqeralabs/platform \
  --version 0.35.0 \
  --namespace my-namespace \
  --create-namespace \
  -f values.yaml

Examples

Refer to the examples directory for different scenarios of installing the Platform chart. The examples provided are showcasing possible configurations of the Helm chart, and are not representative of a full installation. Please refer to the Seqera Platform documentation for complete installation instructions.

Upgrading the chart

When upgrading between versions, please refer to the CHANGELOG.md for breaking changes and migration instructions.

Requirements

Repository Name Version
file://../seqera-common seqera-common 3.x.x
file://charts/agent-backend agent-backend 1.x.x
file://charts/mcp mcp 0.5.x
file://charts/pipeline-optimization pipeline-optimization 2.x.x
file://charts/portal-web portal-web 0.4.x
file://charts/studios studios 1.x.x
file://charts/wave wave 0.3.x
oci://registry-1.docker.io/bitnamicharts common 2.x.x

Values

Global

Key Type Default Description
global.platformExternalDomain string "example.com" Domain where Seqera Platform listens
global.contentDomain string "{{ printf \"user-data.%s\" .Values.global.platformExternalDomain }}" Domain where user-created Platform reports are exposed, to avoid Cross-Site Scripting (XSS) attacks. If unset, data is served through the main domain .global.platformExternalDomain. Evaluated as a template
global.platformServiceAddress string ``"{{ printf "%s-backend" (include "common.names.fullname" .) lower }}"``
global.platformServicePort int 8080 Seqera Platform Service port
global.studiosDomain string "{{ printf \"studios.%s\" .Values.global.platformExternalDomain }}" Domain where the Studios service listens. Make sure the TLS certificate covers this and its wildcard subdomains. Evaluated as a template
global.studiosConnectionUrl string "{{ printf \"https://connect.%s\" (tpl .Values.global.studiosDomain $) }}" Base URL for Studios connections: can be any value, since each session will use a unique subdomain under .global.studiosDomain anyway to connect. Evaluated as a template
global.waveDomain string "{{ printf \"wave.%s\" .Values.global.platformExternalDomain }}" Domain where Wave listens. Evaluated as a template
global.mcpDomain string "{{ printf \"mcp.%s\" .Values.global.platformExternalDomain }}" Domain where Seqera MCP listens. Evaluated as a template
global.agentBackendDomain string "{{ printf \"ai-api.%s\" .Values.global.platformExternalDomain }}" Domain where the Agent Backend service listens. Evaluated as a template
global.portalWebDomain string "{{ printf \"ai.%s\" .Values.global.platformExternalDomain }}" Domain where the Portal Web frontend listens. Evaluated as a template

Global: Ingress

Key Type Default Description
global.ingress.enabled bool false Enable Ingress for the parent chart and every subchart that exposes one. Each chart's local ingress.enabled is OR'd with this — set this to true to turn on all Ingresses in one switch
global.ingress.path string "/" Default path applied to ingress rules when a chart's local ingress.path is not set. AWS ALB users should override to /*.
global.ingress.defaultPathType string "Prefix" Default path type applied to ingress rules when a chart's local ingress.defaultPathType is not set. Prefix works for nginx, traefik, AWS ALB, and most modern controllers. Override to ImplementationSpecific only if your controller requires it (e.g. older GKE).
global.ingress.ingressClassName string "" Default ingress class name applied to ingress rules when a chart's local ingress.ingressClassName is not set. Replaces the deprecated kubernetes.io/ingress.class annotation
global.ingress.annotations object {} Annotations merged into every chart's Ingress (e.g. cert-manager issuer, NGINX proxy-body-size, ALB SSL config). Local ingress.annotations wins on key collision. Evaluated as a template
global.ingress.extraLabels object {} Extra labels merged into every chart's Ingress. Local ingress.extraLabels wins on key collision. Evaluated as a template
global.ingress.tls list [] TLS entries concatenated with each chart's local ingress.tls. Useful for a single wildcard cert that covers all services. Evaluated as a template

Global: Image Credentials

Key Type Default Description
global.imageCredentials list [] Optional credentials to log in and fetch images from a private registry. These credentials are shared with all the subcharts automatically
global.imageCredentialsSecrets list [] Optional list of existing Secrets containing image pull credentials to use for pulling images from private registries. These Secrets are shared with all the subcharts automatically

Platform Database

Key Type Default Description
platformDatabase.host string "" Platform MySQL database hostname
platformDatabase.port int 3306 Platform MySQL database port
platformDatabase.name string "" Platform MySQL database name
platformDatabase.username string "" Platform MySQL database username
platformDatabase.password string "" Platform MySQL database password
platformDatabase.existingSecretName string "" Name of an existing Secret containing credentials for the Platform MySQL database, as an alternative to the password field. Note: the Secret must already exist in the same namespace at the time of deployment
platformDatabase.existingSecretKey string "TOWER_DB_PASSWORD" Key in the existing Secret containing the password for the Platform MySQL database
platformDatabase.driver string "mariadb" Database driver. Possible options: "mariadb" (or its alias "mysql")
platformDatabase.connectionOptions object {"mariadb":["permitMysqlScheme=true"]} Connection options to compose in the driver URL according to the driver used. The only driver that can be set is 'mariadb'
platformDatabase.connectionOptions.mariadb list ["permitMysqlScheme=true"] Connection options to use with the MariaDB driver. For the full list of supported options see: https://mariadb.com/docs/connectors/mariadb-connector-j/about-mariadb-connector-j
platformDatabase.dialect string "mysql-8" Hibernate dialect to use, depending on the database version. Possible options: mysql-8 (default), mariadb-10
platformDatabase.minPoolSize string "2" Connection pool minimum size
platformDatabase.maxPoolSize string "10" Connection pool maximum size
platformDatabase.maxLifetime string "180000" Connection pool maximum lifetime

Platform

Key Type Default Description
platform.YAMLConfigFileContent string "" Content to insert into the tower.yml file (you can use |- YAML multilines). See https://docs.seqera.io/platform-enterprise/enterprise/configuration/overview
platform.contactEmail string "support@example.com" Sender email address for user support

Platform: JWT Seed

Key Type Default Description
platform.jwtSeedString string "" JWT seed, defined as string, used to sign authentication tokens. Define the value as a String or a Secret, not both at the same time. If neither is defined, Helm generates a random 35-character string. WARNING: Always explicitly set this value or use an existing secret when using Kustomize. Auto-generated random values are incompatible with Kustomize. When upgrading releases via Kustomize, Helm cannot query the cluster to check if a secret already exists, causing it to regenerate a new random value on each upgrade
platform.jwtSeedSecretName string "" Name of an existing Secret containing the JWT seed, as an alternative to the string field. Note: the Secret must already exist in the same namespace at the time of deployment
platform.jwtSeedSecretKey string "TOWER_JWT_SECRET" Key in the existing Secret containing the JWT seed

Platform: Crypto Seed

Key Type Default Description
platform.cryptoSeedString string "" Crypto seed, defined as string, used to encrypt sensitive data in the database. Note: this needs to be a stable value that doesn't change between deployments, otherwise encrypted data in the database will become inaccessible. Either define the value as a String or a Secret, not both at the same time. If neither is defined, a random 35 characters long string will be generated by Helm WARNING: Always explicitly set this value or use an existing secret when using Kustomize. Auto-generated random values are incompatible with Kustomize. When upgrading releases via Kustomize, Helm cannot query the cluster to check if a secret already exists, causing it to regenerate a new random value on each upgrade
platform.cryptoSeedSecretName string "" Name of an existing Secret containing the crypto seed, as an alternative to the string field. Note: the Secret must already exist in the same namespace at the time of deployment
platform.cryptoSeedSecretKey string "TOWER_CRYPTO_SECRETKEY" Key in the existing Secret containing the crypto seed

Platform: Execution Backends

Key Type Default Description
platform.executionBackends list ["altair-platform","awsbatch-platform","awscloud-platform","azbatch-platform","azcloud-platform","eks-platform","gke-platform","googlebatch-platform","googlecloud-platform","k8s-platform","lsf-platform","moab-platform","slurm-platform","uge-platform"] List of execution backends to enable. At least one is required. See https://docs.seqera.io/platform-enterprise/enterprise/configuration/overview#compute-environments

Platform: License

Key Type Default Description
platform.licenseString string "" Platform license key. A license key is a long alphanumeric string provided by your Seqera account manager. Define the value as a String or a Secret, not both at the same time
platform.licenseSecretName string "" Name of an existing Secret containing the Platform license key, as an alternative to the string field. Note: the Secret must already exist in the same namespace at the time of deployment
platform.licenseSecretKey string "TOWER_LICENSE" Key in the existing Secret containing the Platform license key

Platform: OIDC

Key Type Default Description
platform.oidcPrivateKeyBase64 string "" OIDC private key in PEM format, base64-encoded. Define the value as a String or a Secret, not both at the same time. If neither is defined, Helm generates a random private key. WARNING: Always explicitly set this value or use an existing secret when using Kustomize. Auto-generated random values are incompatible with Kustomize. When upgrading releases via Kustomize, Helm cannot query the cluster to check if a secret already exists, causing it to regenerate a new random value on each upgrade
platform.oidcPrivateKeySecretName string "" Name of an existing Secret containing the OIDC private key in PEM format, as an alternative to the base64-encoded string field. Note: the Secret must already exist in the same namespace at the time of deployment
platform.oidcPrivateKeySecretKey string "oidc.pem" Key in the existing Secret containing the OIDC private key in PEM format
platform.oidcClientRegistrationToken string "" OIDC client registration token as a string. Used by Studios and MCP to dynamically register OAuth clients with Seqera Platform's OIDC provider. If neither this nor oidcClientRegistrationTokenSecretName is set, a random value is generated. WARNING: Always explicitly set this value or use an existing secret when using Kustomize. Auto-generated random values are incompatible with Kustomize. When upgrading releases via Kustomize, Helm cannot query the cluster to check if a secret already exists, causing it to regenerate a new random value on each upgrade
platform.oidcClientRegistrationTokenSecretName string "" Name of an existing Secret containing the OIDC client registration token, as an alternative to the string field. Note: the Secret must already exist in the same namespace at the time of deployment
platform.oidcClientRegistrationTokenSecretKey string "OIDC_CLIENT_REGISTRATION_TOKEN" Key in the existing Secret containing the OIDC client registration token

Platform: SMTP

Key Type Default Description
platform.smtp.host string "" SMTP server hostname to let users authenticate through email, and to send email notifications for events
platform.smtp.port string "" SMTP server port
platform.smtp.user string "" SMTP server username
platform.smtp.password string "" SMTP server password
platform.smtp.existingSecretName string "" Name of an existing secret containing the SMTP password
platform.smtp.existingSecretKey string "TOWER_SMTP_PASSWORD" Key in the existing Secret containing the SMTP password

Platform: Wave & Data Explorer

Key Type Default Description
platform.waveServerUrl string "https://wave.seqera.io" URL of the Wave service Platform uses. Evaluated as a template. The Wave service provided by Seqera is https://wave.seqera.io
platform.dataExplorer.enabled bool false Enable the Data Explorer feature: https://docs.seqera.io/platform-enterprise/data/data-explorer

Platform: Studios

Key Type Default Description
platform.studios.customImageRegistry string "" Image registry where Wave (defined at .platform.waveServerUrl) will push custom Studios images built for user sessions. Credentials to the registry/repository must be defined in each Platform Workspace. Example: myregistry.example.com
platform.studios.customImageRepository string "" Image repository where Wave (defined at .platform.waveServerUrl) will push custom Studios images built for user sessions. Example: myteam/studios-container-repo
platform.studios.tools object {"jupyter":{"deprecated":"public.cr.seqera.io/platform/data-studio-jupyter:4.2.5-0.11","recommended":"public.cr.seqera.io/platform/data-studio-jupyter:4.2.5-0.12","tool":"jupyter"},"ride":{"deprecated":"public.cr.seqera.io/platform/data-studio-ride:2025.04.1-0.11","recommended":"public.cr.seqera.io/platform/data-studio-ride:2026.01.2-0.12","tool":"ride"},"vscode":{"deprecated":"public.cr.seqera.io/platform/data-studio-vscode:1.101.2-0.11","recommended":"public.cr.seqera.io/platform/data-studio-vscode:1.101.2-0.12","tool":"vscode"},"xpra":{"deprecated":"public.cr.seqera.io/platform/data-studio-xpra:6.2.0-r2-1-0.11","recommended":"public.cr.seqera.io/platform/data-studio-xpra:6.2.0-r2-1-0.12","tool":"xpra"}} Map of tools to make available in Studios. Recommended and deprecated versions can be specified for each tool to allow upgrading from an older version. Refer to the documentation for more details: https://docs.seqera.io/platform-enterprise/studios/managing#migrate-a-studio-from-an-earlier-container-image-template

Platform: Labels & Annotations

Key Type Default Description
platform.configMapLabels object {} Additional labels for the ConfigMap objects. Evaluated as a template
platform.secretLabels object {} Additional labels for the Secret objects. Evaluated as a template
platform.serviceLabels object {} Additional labels for the Service objects. Evaluated as a template
platform.configMapAnnotations object {} Additional annotations for the ConfigMap objects. Evaluated as a template
platform.secretAnnotations object {} Additional annotations for the Secret objects. Evaluated as a template
platform.serviceAnnotations object {} Additional annotations for the Service objects. Evaluated as a template

Redis

Key Type Default Description
redis.host string "" Redis hostname
redis.port int 6379 Redis port
redis.password string "" Redis password if the installation requires it
redis.existingSecretName string "" Name of an existing Secret containing credentials for Redis, as an alternative to the password field. Note: the Secret must already exist in the same namespace at the time of deployment
redis.existingSecretKey string "TOWER_REDIS_PASSWORD" Key in the existing Secret containing the password for Redis
redis.enableTls bool false Enable TLS when connecting to Redis

Backend: Image

Key Type Default Description
backend.image.registry string "" Backend container image registry
backend.image.repository string "enterprise/platform/backend" Backend container image repository
backend.image.tag string "{{ .chart.AppVersion }}" Backend container image tag
backend.image.digest string "" Backend container image digest in the format sha256:1234abcdef
backend.image.pullPolicy string "IfNotPresent" imagePullPolicy for the backend container Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
backend.image.pullSecrets list [] List of imagePullSecrets Secrets must be created in the same namespace, for example using the .extraDeploy array Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
backend.micronautEnvironments list ["prod","redis","ha"] List of Micronaut Environments to enable on the backend pod

Backend: Service

Key Type Default Description
backend.service.type string "ClusterIP" Backend Service type. Note: ingresses using AWS ALB require the service to be NodePort
backend.service.http.name string "http" Service name to use
backend.service.http.targetPort int 8080 Port on the pod/container that the Service forwards traffic to (can be a number or named port, distinct from the Service's external port). Platform v25.3+ only; previous versions were hardcoded to 8080
backend.service.http.nodePort int 0 Service node port, only used when service.type is Nodeport or LoadBalancer Choose port between 30000-32767, unless the cluster was configured differently than default
backend.service.extraServices list [] Other services that should live in the Service object https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service
backend.service.extraOptions object {} Extra Service options to place under .spec (for example, clusterIP, loadBalancerIP, externalTrafficPolicy, externalIPs). Evaluated as a template

Backend: Pod

Key Type Default Description
backend.initContainers list [] Additional init containers for the backend pod. Evaluated as a template
backend.command list [] Override default container command (useful when using custom images)
backend.args list [] Override default container args (useful when using custom images)
backend.podLabels object {} Additional labels for the backend pod. Evaluated as a template
backend.podAnnotations object {} Additional annotations for the backend pod. Evaluated as a template
backend.extraOptionsSpec object {"replicas":3} Extra options to place under .spec (e.g. replicas, strategy, revisionHistoryLimit, etc). Evaluated as a template
backend.extraOptionsTemplateSpec object {} Extra options to place under .spec.template.spec (e.g. nodeSelector, affinity, restartPolicy, etc). Evaluated as a template
backend.extraEnvVars list [] Extra environment variables to set on the backend pod
backend.extraEnvVarsCMs list [] List of ConfigMaps containing extra env vars
backend.extraEnvVarsSecrets list [] List of Secrets containing extra env vars
backend.extraVolumes list [] List of volumes to add to the deployment (evaluated as template). Requires setting extraVolumeMounts
backend.extraVolumeMounts list [] List of volume mounts to add to the container (evaluated as template). Normally used with extraVolumes

Backend: Security Context

Key Type Default Description
backend.podSecurityContext.enabled bool true Enable pod Security Context
backend.podSecurityContext.fsGroup int 101 Sets the GID that Kubernetes will apply to mounted volumes and created files so processes in the pod can share group-owned access
backend.containerSecurityContext.enabled bool true Enable container Security Context
backend.containerSecurityContext.runAsUser int 101 UID the container processes run as (overrides container image default)
backend.containerSecurityContext.runAsNonRoot bool true Boolean that requires the container to run as a non-root UID (prevents starting if UID 0)
backend.containerSecurityContext.readOnlyRootFilesystem bool true Mounts the container root filesystem read-only to prevent in-place writes or tampering
backend.containerSecurityContext.capabilities object {"drop":["ALL"]} Fine-grained Linux kernel privileges to add or drop for the container

Backend: Resources

Key Type Default Description
backend.resources object {} Container requests and limits for different resources like CPU or memory

Backend: Startup Probe

Key Type Default Description
backend.startupProbe.enabled bool false Enable startup probe
backend.startupProbe.httpGet.path string "/health" HTTP GET path for startup probe
backend.startupProbe.httpGet.port string "{{ .Values.backend.service.http.targetPort }}" HTTP GET port for startup probe. Evaluated as a template. Note: before v25.3 this was hardcoded to 8080
backend.startupProbe.initialDelaySeconds int 5 Longer initial wait to accommodate slow-starting apps
backend.startupProbe.periodSeconds int 10 Often set longer to avoid frequent checks while starting
backend.startupProbe.timeoutSeconds int 3 Can be longer to allow slow initialization responses
backend.startupProbe.failureThreshold int 5 Consecutive failures during startup before killing the container (instead of immediate restarts)
backend.startupProbe.successThreshold int 1 Number of consecutive successes required to consider startup complete and enable liveness/readiness

Backend: Readiness Probe

Key Type Default Description
backend.readinessProbe.enabled bool true Enable readiness probe
backend.readinessProbe.httpGet.path string "/health" HTTP GET path for readiness probe
backend.readinessProbe.httpGet.port string "{{ .Values.backend.service.http.targetPort }}" HTTP GET port for readiness probe. Evaluated as a template. Note: before v25.3 this was hardcoded to 8080
backend.readinessProbe.initialDelaySeconds int 5 Delay before first check (normal start timing)
backend.readinessProbe.periodSeconds int 5 Regular check interval during normal operation
backend.readinessProbe.timeoutSeconds int 3 Short timeout to detect unresponsive containers for readiness
backend.readinessProbe.failureThreshold int 5 Consecutive failures before marking the container Unready (no restart)
backend.readinessProbe.successThreshold int 1 Number of consecutive successes required to mark the container Ready after failures

Backend: Liveness Probe

Key Type Default Description
backend.livenessProbe.enabled bool true Enable liveness probe
backend.livenessProbe.httpGet.path string "/health" HTTP GET path for liveness probe
backend.livenessProbe.httpGet.port string "{{ .Values.backend.service.http.targetPort }}" HTTP GET port for liveness probe. Evaluated as a template. Note: before v25.3 this was hardcoded to 8080
backend.livenessProbe.initialDelaySeconds int 5 Delay before first check (normal start timing)
backend.livenessProbe.periodSeconds int 10 Regular check interval during normal operation
backend.livenessProbe.timeoutSeconds int 3 Short timeout to detect hung containers quickly
backend.livenessProbe.failureThreshold int 10 Consecutive failures before restarting the container
backend.livenessProbe.successThreshold int 1 Typically 1 (usually ignored)

Frontend: Image

Key Type Default Description
frontend.image.registry string "" Frontend container image registry
frontend.image.repository string "enterprise/platform/frontend" Frontend container image repository
frontend.image.tag string "{{ .chart.AppVersion }}-unprivileged" Specify a tag to override the version defined in .Chart.appVersion
frontend.image.digest string "" Frontend container image digest in the format sha256:1234abcdef
frontend.image.pullPolicy string "IfNotPresent" imagePullPolicy for the frontend container Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
frontend.image.pullSecrets list [] List of imagePullSecrets Secrets must be created in the same namespace, for example using the .extraDeploy array Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

Frontend: Service

Key Type Default Description
frontend.service.type string "ClusterIP" Frontend Service type. Note: ingresses using AWS ALB require the service to be NodePort
frontend.service.http.name string "http" Service name to use
frontend.service.http.port int 80 Service port
frontend.service.http.targetPort int 8083 Port on the pod/container that the Service forwards traffic to (can be a number or named port, distinct from the Service's external port)
frontend.service.http.nodePort int 0 Service node port, only used when service.type is Nodeport or LoadBalancer Choose port between 30000-32767, unless the cluster was configured differently than default
frontend.service.extraServices list [] Other services that should live in the Service object https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service
frontend.service.extraOptions object {} Extra Service options to place under .spec (for example, clusterIP, loadBalancerIP, externalTrafficPolicy, externalIPs). Evaluated as a template

Frontend: Pod

Key Type Default Description
frontend.initContainers list [] Additional init containers for the frontend pod. Evaluated as a template
frontend.command list [] Override default container command (useful when using custom images)
frontend.args list [] Override default container args (useful when using custom images)
frontend.podLabels object {} Additional labels for the frontend pod. Evaluated as a template
frontend.podAnnotations object {} Additional annotations for the frontend pod. Evaluated as a template
frontend.extraOptionsSpec object {} Extra options to place under .spec (e.g. revisionHistoryLimit, etc). Evaluated as a template. Note: the cron deployment can only run a single replica and use Recreate strategy
frontend.extraOptionsTemplateSpec object {} Extra options to place under .spec.template.spec (for example, nodeSelector, affinity, restartPolicy). Evaluated as a template
frontend.extraEnvVars list [] Extra environment variables to set on the frontend pod
frontend.extraEnvVarsCMs list [] List of ConfigMaps containing extra env vars
frontend.extraEnvVarsSecrets list [] List of Secrets containing extra env vars
frontend.extraVolumes list [] Extra volumes to add to the deployment (evaluated as template). Requires setting extraVolumeMounts
frontend.extraVolumeMounts list [] List of volume mounts to add to the container (evaluated as template). Normally used with extraVolumes

Frontend: Security Context

Key Type Default Description
frontend.podSecurityContext.enabled bool true Enable pod Security Context
frontend.podSecurityContext.fsGroup int 101 GID that Kubernetes applies to mounted volumes and created files so processes in the pod can share group-owned access
frontend.containerSecurityContext.enabled bool true Enable container Security Context
frontend.containerSecurityContext.runAsUser int 101 UID the container processes run as (overrides container image default)
frontend.containerSecurityContext.runAsNonRoot bool true Require the container to run as a non-root UID (prevents starting if UID 0)
frontend.containerSecurityContext.readOnlyRootFilesystem bool true Mount the container root filesystem read-only to prevent in-place writes or tampering
frontend.containerSecurityContext.capabilities object {"drop":["ALL"]} Fine-grained Linux kernel privileges to add or drop for the container

Frontend: Resources

Key Type Default Description
frontend.resources object {} Container requests and limits for different resources like CPU or memory

Frontend: Startup Probe

Key Type Default Description
frontend.startupProbe.enabled bool false Enable startup probe
frontend.startupProbe.httpGet.path string "/health" HTTP GET path for startup probe
frontend.startupProbe.httpGet.port string "{{ .Values.frontend.service.http.targetPort }}" HTTP GET port for startup probe. Evaluated as a template
frontend.startupProbe.initialDelaySeconds int 5 Longer initial wait to accommodate slow-starting apps
frontend.startupProbe.periodSeconds int 10 Often set longer to avoid frequent checks while starting
frontend.startupProbe.timeoutSeconds int 3 Can be longer to allow slow initialization responses
frontend.startupProbe.failureThreshold int 5 Consecutive failures during startup before killing the container (instead of immediate restarts)
frontend.startupProbe.successThreshold int 1 Number of consecutive successes required to consider startup complete and enable liveness/readiness

Frontend: Readiness Probe

Key Type Default Description
frontend.readinessProbe.enabled bool true Enable readiness probe
frontend.readinessProbe.httpGet.path string "/health" HTTP GET path for readiness probe
frontend.readinessProbe.httpGet.port string "{{ .Values.frontend.service.http.targetPort }}" HTTP GET port for readiness probe. Evaluated as a template
frontend.readinessProbe.initialDelaySeconds int 5 Delay before first check (normal start timing)
frontend.readinessProbe.periodSeconds int 5 Regular check interval during normal operation
frontend.readinessProbe.timeoutSeconds int 3 Short timeout to detect unresponsive containers for readiness
frontend.readinessProbe.failureThreshold int 5 Consecutive failures before marking the container Unready (no restart)
frontend.readinessProbe.successThreshold int 1 Number of consecutive successes required to mark the container Ready after failures

Frontend: Liveness Probe

Key Type Default Description
frontend.livenessProbe.enabled bool true Enable liveness probe
frontend.livenessProbe.httpGet.path string "/health" HTTP GET path for liveness probe
frontend.livenessProbe.httpGet.port string "{{ .Values.frontend.service.http.targetPort }}" HTTP GET port for liveness probe. Evaluated as a template
frontend.livenessProbe.initialDelaySeconds int 5 Delay before first check (normal start timing)
frontend.livenessProbe.periodSeconds int 10 Regular check interval during normal operation
frontend.livenessProbe.timeoutSeconds int 3 Short timeout to detect hung containers quickly
frontend.livenessProbe.failureThreshold int 10 Consecutive failures before restarting the container
frontend.livenessProbe.successThreshold int 1 Typically 1 (usually ignored)

Cron: Image

Key Type Default Description
cron.image.registry string "" Cron container image registry
cron.image.repository string "enterprise/platform/backend" Cron container image repository
cron.image.tag string "{{ .chart.AppVersion }}" Cron container image tag
cron.image.digest string "" Cron container image digest in the format sha256:1234abcdef
cron.image.pullPolicy string "IfNotPresent" imagePullPolicy for the cron container Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
cron.image.pullSecrets list [] List of imagePullSecrets Secrets must be created in the same namespace, for example using the .extraDeploy array Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

Cron: Service

Key Type Default Description
cron.micronautEnvironments list ["prod","redis","cron"] List of Micronaut Environments to enable on the cron pod
cron.service.type string "ClusterIP" Cron Service type. Note: ingresses using AWS ALB require the service to be NodePort
cron.service.http.name string "http" Service name to use
cron.service.http.port int 8080 Service port
cron.service.http.targetPort int 8082 Port on the pod/container that the Service forwards traffic to (can be a number or named port, distinct from the Service's external port)
cron.service.http.nodePort int 0 Service node port, only used when service.type is Nodeport or LoadBalancer Choose port between 30000-32767, unless the cluster was configured differently than default
cron.service.extraServices list [] Other services that should live in the Service object https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service
cron.service.extraOptions object {} Extra Service options to place under .spec (for example, clusterIP, loadBalancerIP, externalTrafficPolicy, externalIPs). Evaluated as a template

Cron: Pod

Key Type Default Description
cron.initContainers list [] Additional init containers for the cron pod. Evaluated as a template
cron.command list [] Override default container command (useful when using custom images)
cron.args list [] Override default container args (useful when using custom images)
cron.podLabels object {} Additional labels for the cron pod. Evaluated as a template
cron.podAnnotations object {} Additional annotations for the cron pod. Evaluated as a template
cron.extraOptionsSpec object {} Extra options to place under .spec (for example, revisionHistoryLimit). Evaluated as a template Note that cron deployment needs to have a single replica with Recreate strategy
cron.extraOptionsTemplateSpec object {} Extra options to place under .spec.template.spec (for example, nodeSelector, affinity, restartPolicy) Evaluated as a template
cron.extraEnvVars list [] Extra environment variables to set on the cron pod
cron.extraEnvVarsCMs list [] List of ConfigMaps containing extra env vars
cron.extraEnvVarsSecrets list [] List of Secrets containing extra env vars
cron.extraVolumes list [] Extra volumes to add to the deployment (evaluated as template). Requires setting extraVolumeMounts
cron.extraVolumeMounts list [] List of volume mounts to add to the container (evaluated as template). Normally used with extraVolumes

Cron: Security Context

Key Type Default Description
cron.podSecurityContext.enabled bool true Enable pod Security Context
cron.podSecurityContext.fsGroup int 101 GID that Kubernetes applies to mounted volumes and created files so processes in the pod can share group-owned access
cron.containerSecurityContext.enabled bool true Enable container Security Context
cron.containerSecurityContext.runAsUser int 101 UID the container processes run as (overrides container image default)
cron.containerSecurityContext.runAsNonRoot bool true Require the container to run as a non-root UID (prevents starting if UID 0)
cron.containerSecurityContext.readOnlyRootFilesystem bool true Mount the container root filesystem read-only to prevent in-place writes or tampering
cron.containerSecurityContext.capabilities object {"drop":["ALL"]} Fine-grained Linux kernel privileges to add or drop for the container

Cron: Resources

Key Type Default Description
cron.resources object {} Container requests and limits for different resources like CPU or memory

Cron: Startup Probe

Key Type Default Description
cron.startupProbe.enabled bool false Enable startup probe
cron.startupProbe.httpGet.path string "/health" HTTP GET path for startup probe
cron.startupProbe.httpGet.port string "{{ .Values.cron.service.http.targetPort }}" HTTP GET port for startup probe. Evaluated as a template
cron.startupProbe.initialDelaySeconds int 5 Longer initial wait to accommodate slow-starting apps
cron.startupProbe.periodSeconds int 10 Often set longer to avoid frequent checks while starting
cron.startupProbe.timeoutSeconds int 3 Can be longer to allow slow initialization responses
cron.startupProbe.failureThreshold int 5 Consecutive failures during startup before killing the container (instead of immediate restarts)
cron.startupProbe.successThreshold int 1 Number of consecutive successes required to consider startup complete and enable liveness/readiness

Cron: Readiness Probe

Key Type Default Description
cron.readinessProbe.enabled bool true Enable readiness probe
cron.readinessProbe.httpGet.path string "/health" HTTP GET path for readiness probe
cron.readinessProbe.httpGet.port string "{{ .Values.cron.service.http.targetPort }}" HTTP GET port for readiness probe. Evaluated as a template
cron.readinessProbe.initialDelaySeconds int 5 Delay before first check (normal start timing)
cron.readinessProbe.periodSeconds int 5 Regular check interval during normal operation
cron.readinessProbe.timeoutSeconds int 3 Short timeout to detect unresponsive containers for readiness
cron.readinessProbe.failureThreshold int 5 Consecutive failures before marking the container Unready (no restart)
cron.readinessProbe.successThreshold int 1 Number of consecutive successes required to mark the container Ready after failures

Cron: Liveness Probe

Key Type Default Description
cron.livenessProbe.enabled bool true Enable liveness probe
cron.livenessProbe.httpGet.path string "/health" HTTP GET path for liveness probe
cron.livenessProbe.httpGet.port string "{{ .Values.cron.service.http.targetPort }}" HTTP GET port for liveness probe. Evaluated as a template
cron.livenessProbe.initialDelaySeconds int 5 Delay before first check (normal start timing)
cron.livenessProbe.periodSeconds int 10 Regular check interval during normal operation
cron.livenessProbe.timeoutSeconds int 3 Short timeout to detect hung containers quickly
cron.livenessProbe.failureThreshold int 10 Consecutive failures before restarting the container
cron.livenessProbe.successThreshold int 1 Typically 1 (usually ignored)

Cron: DB Migration Init Container

Key Type Default Description
cron.dbMigrationInitContainer.image.registry string "" Database migration container image registry
cron.dbMigrationInitContainer.image.repository string "enterprise/platform/migrate-db" Database migration container image repository
cron.dbMigrationInitContainer.image.tag string "{{ .chart.AppVersion }}" Specify a tag to override the version defined in .Chart.appVersion
cron.dbMigrationInitContainer.image.digest string "" Database migration container image digest in the format sha256:1234abcdef
cron.dbMigrationInitContainer.image.pullPolicy string "IfNotPresent" imagePullPolicy for the database migration init container Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
cron.dbMigrationInitContainer.image.pullSecrets list [] List of imagePullSecrets Secrets must be created in the same namespace, for example using the .extraDeploy array Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
cron.dbMigrationInitContainer.command list ["/bin/sh","-c","/migrate-db.sh"] Override default container command (useful when using custom images)
cron.dbMigrationInitContainer.args list [] Override default container args (useful when using custom images)
cron.dbMigrationInitContainer.extraEnvVars list [] Extra environment variables to set on the cron pod
cron.dbMigrationInitContainer.extraEnvVarsCMs list [] List of ConfigMaps containing extra env vars
cron.dbMigrationInitContainer.extraEnvVarsSecrets list [] List of Secrets containing extra env vars
cron.dbMigrationInitContainer.extraVolumes list [] Extra volumes to add to the deployment (evaluated as template). Requires setting extraVolumeMounts
cron.dbMigrationInitContainer.extraVolumeMounts list [] List of volume mounts to add to the container (evaluated as template). Normally used with extraVolumes
cron.dbMigrationInitContainer.containerSecurityContext.enabled bool true Enable container Security Context
cron.dbMigrationInitContainer.containerSecurityContext.runAsUser int 101 UID the container processes run as (overrides container image default)
cron.dbMigrationInitContainer.containerSecurityContext.runAsNonRoot bool true Require the container to run as a non-root UID (prevents starting if UID 0)
cron.dbMigrationInitContainer.containerSecurityContext.readOnlyRootFilesystem bool true Mount the container root filesystem read-only to prevent in-place writes or tampering
cron.dbMigrationInitContainer.containerSecurityContext.capabilities object {"drop":["ALL"]} Fine-grained Linux kernel privileges to add or drop for the container
cron.dbMigrationInitContainer.resources object {} Container requests and limits for different resources like CPU or memory

Init Container Dependencies

Key Type Default Description
initContainerDependencies.enabled bool true Enable init containers that coordinate startup dependencies between Platform components (for example, wait for database readiness before cron starts, wait for cron before backend starts, etc)

Init Container Dependencies: Wait For MySQL

Key Type Default Description
initContainerDependencies.waitForMySQL.enabled bool true Enable wait for MySQL init container before starting backend and cron
initContainerDependencies.waitForMySQL.image.registry string "" Override default wait for MySQL init container image
initContainerDependencies.waitForMySQL.image.repository string "mysql" Init container image repository
initContainerDependencies.waitForMySQL.image.tag string "9" Init container image tag
initContainerDependencies.waitForMySQL.image.digest string "" Init container image digest in the format sha256:1234abcdef
initContainerDependencies.waitForMySQL.image.pullPolicy string "IfNotPresent" imagePullPolicy for the init container
initContainerDependencies.waitForMySQL.securityContext.runAsUser int 101 UID the container processes run as (overrides container image default)
initContainerDependencies.waitForMySQL.securityContext.runAsNonRoot bool true Require the container to run as a non-root UID (prevents starting if UID 0)
initContainerDependencies.waitForMySQL.securityContext.readOnlyRootFilesystem bool true Mount the container root filesystem read-only to prevent in-place writes or tampering
initContainerDependencies.waitForMySQL.securityContext.capabilities object {"drop":["ALL"]} Fine-grained Linux kernel privileges to add or drop for the container
initContainerDependencies.waitForMySQL.resources object {"limits":{"memory":"100Mi"},"requests":{"cpu":"0.5","memory":"50Mi"}} Container requests and limits for different resources like CPU or memory
initContainerDependencies.waitForMySQL.extraEnvVars list [] Additional environment variables for the init container. The special variable MYSQL_EXTRA_ARGS is appended verbatim to the mysql readiness check command, and can be used to pass TLS flags when connecting to managed MySQL services such as AWS RDS or Azure Database for MySQL that require certificate verification. Pair with extraVolumeMounts to mount the CA certificate into the container. Example (TLS with CA certificate mounted from a volume): extraEnvVars: - name: MYSQL_EXTRA_ARGS value: "--ssl-ca=/certs/ca.pem --ssl-mode=VERIFY_IDENTITY"
initContainerDependencies.waitForMySQL.extraVolumeMounts list [] Additional volume mounts for the init container. Use this to mount CA certificates (e.g. from a Secret or ConfigMap populated by an extraInitContainer) so that MYSQL_EXTRA_ARGS can reference them.

Init Container Dependencies: Wait For Redis

Key Type Default Description
initContainerDependencies.waitForRedis.enabled bool true Enable wait for Redis init container before starting backend and cron
initContainerDependencies.waitForRedis.image.registry string "" Override default wait for Redis init container image
initContainerDependencies.waitForRedis.image.repository string "redis" Init container image repository
initContainerDependencies.waitForRedis.image.tag string "7-alpine" Init container image tag
initContainerDependencies.waitForRedis.image.digest string "" Init container image digest in the format sha256:1234abcdef
initContainerDependencies.waitForRedis.image.pullPolicy string "IfNotPresent" imagePullPolicy for the init container
initContainerDependencies.waitForRedis.securityContext.runAsUser int 101 UID the container processes run as (overrides container image default)
initContainerDependencies.waitForRedis.securityContext.runAsNonRoot bool true Require the container to run as a non-root UID (prevents starting if UID 0)
initContainerDependencies.waitForRedis.securityContext.readOnlyRootFilesystem bool true Mount the container root filesystem read-only to prevent in-place writes or tampering
initContainerDependencies.waitForRedis.securityContext.capabilities object {"drop":["ALL"]} Fine-grained Linux kernel privileges to add or drop for the container
initContainerDependencies.waitForRedis.resources object {"limits":{"memory":"100Mi"},"requests":{"cpu":"0.5","memory":"50Mi"}} Container requests and limits for different resources like CPU or memory
initContainerDependencies.waitForRedis.extraEnvVars list [] Additional environment variables for the init container
initContainerDependencies.waitForRedis.extraVolumeMounts list [] Additional volume mounts for the init container (e.g. to mount a CA certificate)

Init Container Dependencies: Wait For Cron

Key Type Default Description
initContainerDependencies.waitForCron.enabled bool true Enable wait for Platform cron init container before starting backend
initContainerDependencies.waitForCron.image.registry string "" Override default wait for cron init container image
initContainerDependencies.waitForCron.image.repository string "curlimages/curl" Init container image repository
initContainerDependencies.waitForCron.image.tag string "latest" Init container image tag
initContainerDependencies.waitForCron.image.digest string "" Init container image digest in the format sha256:1234abcdef
initContainerDependencies.waitForCron.image.pullPolicy string "IfNotPresent" imagePullPolicy for the init container
initContainerDependencies.waitForCron.securityContext.runAsUser int 101 UID the container processes run as (overrides container image default)
initContainerDependencies.waitForCron.securityContext.runAsNonRoot bool true Require the container to run as a non-root UID (prevents starting if UID 0)
initContainerDependencies.waitForCron.securityContext.readOnlyRootFilesystem bool true Mount the container root filesystem read-only to prevent in-place writes or tampering
initContainerDependencies.waitForCron.securityContext.capabilities object {"drop":["ALL"]} Fine-grained Linux kernel privileges to add or drop for the container
initContainerDependencies.waitForCron.resources object {"limits":{"memory":"100Mi"},"requests":{"cpu":"0.5","memory":"50Mi"}} Container requests and limits for different resources like CPU or memory
initContainerDependencies.waitForCron.extraEnvVars list [] Additional environment variables for the init container
initContainerDependencies.waitForCron.extraVolumeMounts list [] Additional volume mounts for the init container (e.g. to mount a CA certificate)

Service Account

Key Type Default Description
serviceAccount.name string "" Name of an existing ServiceAccount. If not set, a new ServiceAccount is generated based on the release name
serviceAccount.annotations object {} Additional annotations for the ServiceAccount to generate
serviceAccount.imagePullSecretNames list [] Names of Secrets containing credentials to pull images from registries
serviceAccount.automountServiceAccountToken bool false Automount service account token when the service account is generated

Ingress

Key Type Default Description
ingress.enabled bool false Enable ingress for Platform
ingress.path string "" Path for the main ingress rule. When empty, falls back to global.ingress.path
ingress.contentPath string "" Path for the content domain ingress rule. When empty, falls back to ingress.path
ingress.defaultPathType string "" Default path type for the Ingress. When empty, falls back to global.ingress.defaultPathType
ingress.defaultBackend object {} Configure the default service for the ingress (evaluated as template) Important: make sure only one defaultBackend is defined across the k8s cluster: if the ingress doesn't reconcile successfully, 'describe ingress ' will report problems
ingress.extraHosts list [] Additional hosts you want to include. Evaluated as a template
ingress.annotations object {} Ingress annotations specific to your load balancer. Evaluated as a template
ingress.extraLabels object {} Additional labels for the ingress object. Evaluated as a template
ingress.ingressClassName string "" Name of the ingress class (replaces the deprecated annotation kubernetes.io/ingress.class). When empty, falls back to global.ingress.ingressClassName
ingress.tls list [] TLS configuration. Evaluated as a template

Common

Key Type Default Description
extraDeploy list [] Array of extra objects to deploy with the release
commonAnnotations object {} Annotations to add to all deployed objects
commonLabels object {} Labels to add to all deployed objects

Subcharts: Studios

Key Type Default Description
studios.enabled bool true Enable Studios feature. Refer to the subchart README for more details and the full list of configuration options
studios.proxy.oidcClientRegistrationTokenSecretName string "{{ printf \"%s-backend\" (include \"common.names.dependency.fullname\" (dict \"chartName\" \"platform\" \"chartValues\" .Values \"context\" .)) }}" studios needs to pass a client registration token to the platform backend so that it can register studios clients to the platform OIDC provider. If the platform oidc registration token is coming from a separate secret, you need to update it here too. common.names.dependency.fullname is used (rather than common.names.fullname) because this value is tpl-evaluated inside the studios subchart context where .Chart.Name is studios, not platform; passing chartName: platform explicitly reproduces the parent's fullname. Name of the existing Secret containing the OIDC client registration token to share with the Studios proxy. Evaluated as a template
studios.proxy.oidcClientRegistrationTokenSecretKey string "OIDC_CLIENT_REGISTRATION_TOKEN" Key in the existing Secret containing the OIDC client registration token

Subcharts: Pipeline Optimization

Key Type Default Description
pipeline-optimization.enabled bool true Enable pipeline optimization feature. Refer to the subchart README for more details and the full list of configuration options

Subcharts: MCP

Key Type Default Description
mcp.enabled bool true Enable the Seqera Model Context Protocol (MCP) service. Refer to the subchart README for more details and the full list of configuration options
mcp.oidcToken.existingSecretName string "{{ printf \"%s-backend\" (include \"common.names.dependency.fullname\" (dict \"chartName\" \"platform\" \"chartValues\" .Values \"context\" .)) }}" mcp needs to pass a client registration token to the platform backend so that it can register mcp clients to the platform OIDC provider. If the platform oidc registration token is coming from a separate secret, you need to update it here too. common.names.dependency.fullname is used (rather than common.names.fullname) because this value is tpl-evaluated inside the mcp subchart context where .Chart.Name is mcp, not platform; passing chartName: platform explicitly reproduces the parent's fullname. Name of the existing Secret containing the OIDC client registration token to share with MCP. Evaluated as a template
mcp.oidcToken.existingSecretKey string "OIDC_CLIENT_REGISTRATION_TOKEN" Key in the existing Secret containing the OIDC client registration token

Subcharts: Agent Backend

Key Type Default Description
agent-backend.enabled bool true Enable agent backend feature used by seqera cli ai command. Refer to the subchart README for more details and the full list of configuration options

Subcharts: Portal Web

Key Type Default Description
portal-web.enabled bool true Enable portal web frontend. Refer to the subchart README for more details and the full list of configuration options

Licensing

Seqera® and Nextflow® are registered trademarks of Seqera Labs.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.