A Helm chart is provided for deploying Strøm on Kubernetes with proper secret management, RBAC, and optional container runners.
- Kubernetes 1.26+
- Helm 3.8+
- PostgreSQL database (external)
helm install stroem oci://ghcr.io/fremvaerk/charts/stroem
# Install specific version
helm install stroem oci://ghcr.io/fremvaerk/charts/stroem --version 1.0.0
# Install with values file
helm install stroem oci://ghcr.io/fremvaerk/charts/stroem -f values.yaml
helm upgrade stroem oci://ghcr.io/fremvaerk/charts/stroem --version 1.1.0
The chart uses a config pass-through pattern:
server.config and worker.config contain the full YAML config passed as-is to ConfigMaps- Secrets are injected via
extraSecretEnv as STROEM__ environment variables that override config values at runtime
- No init containers or sed templating — clean and debuggable
| Env Var | Overrides YAML key |
|---|
STROEM__DB__URL | db.url |
STROEM__WORKER_TOKEN | worker_token |
STROEM__AUTH__JWT_SECRET | auth.jwt_secret |
STROEM__LISTEN | listen |
| Key | Description | Default |
|---|
server.image.repository | Server image repository | stroem-server |
server.image.tag | Server image tag | latest |
server.replicas | Number of server replicas | 1 |
server.service.type | Kubernetes service type | ClusterIP |
server.service.port | Service port | 8080 |
server.config | Full server-config.yaml content | See values.yaml |
server.extraSecretEnv | Secret env vars for overrides | {} |
server.extraEnv | Plain env vars | {} |
server.resources | CPU/memory resource limits | {} |
| Key | Description | Default |
|---|
worker.image.repository | Worker image repository | stroem-worker |
worker.image.tag | Worker image tag | latest |
worker.replicas | Number of worker replicas | 2 |
worker.config | Full worker-config.yaml content | See values.yaml |
worker.extraSecretEnv | Secret env vars for overrides | {} |
worker.extraEnv | Plain env vars | {} |
worker.dind.enabled | Enable Docker-in-Docker sidecar | false |
worker.dind.image | DinD image | docker:27-dind |
worker.resources | CPU/memory resource limits | {} |
server_url and worker_name are automatically injected — server_url is derived from the Helm release name, and worker_name is set to the pod name.
| Key | Description | Default |
|---|
rbac.create | Create RBAC resources | true |
serviceAccount.create | Create service account | true |
serviceAccount.name | Service account name override | "" |
| Key | Description | Default |
|---|
ingress.enabled | Enable ingress | false |
ingress.className | Ingress class name | "" |
ingress.annotations | Ingress annotations | {} |
ingress.hosts | Ingress host rules | See values.yaml |
ingress.tls | TLS configuration | [] |
url: "postgres://stroem:stroem@postgres:5432/stroem"
local_dir: /var/stroem/logs
worker_token: "dev-token"
local_dir: /var/stroem/logs
worker_token: "placeholder"
STROEM__DB__URL: "postgres://real-user:real-pass@rds:5432/stroem"
STROEM__WORKER_TOKEN: "production-secret-token"
STROEM__WORKER_TOKEN: "production-secret-token"
jwt_secret: "placeholder"
refresh_secret: "placeholder"
STROEM__AUTH__JWT_SECRET: "real-jwt-secret"
STROEM__AUTH__REFRESH_SECRET: "real-refresh-secret"
STROEM__AUTH__INITIAL_USER__PASSWORD: "real-admin-password"
- host: stroem.example.com
helm install stroem ./helm/stroem \
--set database.url="postgres://stroem:pw@postgres:5432/stroem" \
--set workerToken="my-secure-token"
helm install stroem ./helm/stroem \
--set worker.kubernetes.enabled=true \
--set worker.kubernetes.namespace=stroem-jobs
helm install stroem ./helm/stroem \
--set worker.dind.enabled=true