Configuration
Environment variables, plugin toggles, auth providers. Everything the core platform accepts at runtime — all ITOPS_ prefixed.
Environment variables
Set via Helm env: (non-secret) or secretEnv: (sensitive). Overrides values from the bundled config.yaml.
| Variable | Default | Notes |
|---|---|---|
ITOPS_DATABASE_HOST | postgresql | DB hostname |
ITOPS_DATABASE_PORT | 5432 | |
ITOPS_DATABASE_NAME | itops | |
ITOPS_DATABASE_USER | itops | |
ITOPS_DATABASE_PASSWORD * | — | Required |
ITOPS_DATABASE_SSLMODE | disable | disable / require / verify-full |
ITOPS_SERVER_PORT | 8080 | |
ITOPS_SERVER_ENVIRONMENT | production | development / production |
ITOPS_LOGGING_LEVEL | info | debug / info / warn / error |
ITOPS_LOGGING_FORMAT | json | json / text |
ITOPS_JWT_SECRET * | — | 32+ char random string |
ITOPS_SECURITY_OPERATOR_API_KEY * | — | Shared with agent and push clients |
ITOPS_SECURITY_CORS_ALLOWED_ORIGINS | — | CSV of UI origins |
ITOPS_FEATURE_LOCAL_AUTH | true | Username/password login |
ITOPS_FEATURE_LDAP_AUTH | false | LDAP via auth provider |
ITOPS_FEATURE_OPERATOR_API | true | Agent discovery endpoints |
ITOPS_LICENSE_KEY * | — | Ed25519 JWT, unlocks plugins |
ITOPS_SLA_PORTAL_URL | — | Enables push to standalone status page |
ITOPS_SLA_PORTAL_API_KEY * | — | Matches portal's own key |
* = required. Put in secretEnv, not env.
Plugin toggles
Ticketing and SLA are plugins — loaded from the license key. Toggle live from the admin UI at Admin → Modules & License. The togglePlugin GraphQL mutation persists the state in the system_settings table, so toggles survive pod restarts.
Auth providers
Managed via GitOps in the same itops: values block. LDAP, SAML (roadmap), OIDC (roadmap) are configured as list entries. Each provider is validated at startup and its config stashed in the auth_providers table; stale providers not in the current config are pruned automatically on restart (authoritative reconciliation).
License
Generate a license from the core repo:
go run ./cmd/license-gen --customer "Acme Corp" \
--plugins "ticketing,sla" --max-users 999 --valid-days 365Paste the JWT into secretEnv.ITOPS_LICENSE_KEY. The platform validates signature + expiry at startup and unlocks the declared plugins. Without a license, core + agent features stay usable — ticketing and SLA plugins just don't load.
Full reference
helm show values itops/itops