Configuration Reference

Environment Variables

Core

| Variable | Default | Description |
|---|---|---|
| REDIS_HOST | localhost | Redis hostname |
| REDIS_PORT | 6379 | Redis port |
| API_GATEWAY_PORT | 3001 | API Gateway listen port |
| CORS_ORIGIN | http://localhost:3000 | Allowed CORS origin |
| NODE_ENV | development | Node environment |
| WEB_PORT | 3000 | Next.js dev server port |
| API_GATEWAY_URL | http://localhost:3001 | Gateway URL used by Next.js rewrites to proxy /auth/* and /graphql |

Keycloak (api-gateway)

| Variable | Default | Description |
|---|---|---|
| KEYCLOAK_ISSUER | (none) | Keycloak realm issuer URL. Must match the iss claim in tokens, e.g. http://localhost:8080/realms/luckyplans |
| KEYCLOAK_JWKS_URI | (none) | Keycloak JWKS endpoint for verifying id_tokens, e.g. http://localhost:8080/realms/luckyplans/protocol/openid-connect/certs |
| KEYCLOAK_CLIENT_ID | luckyplans-frontend | Keycloak client ID (confidential, ROPC + service account enabled) |
| KEYCLOAK_CLIENT_SECRET | (none) | Client secret from Keycloak Admin → Clients → luckyplans-frontend → Credentials. Local dev uses dev-client-secret (pre-configured in the realm export). See Deployment Guide. |
| KEYCLOAK_ADMIN_URL | http://localhost:8080 | Keycloak base URL for the Admin REST API (user registration) |

Session Management (api-gateway)

| Variable | Default | Description |
|---|---|---|
| SESSION_SECRET | (none) | Secret for signing session cookies. Generate with openssl rand -base64 32 |
| SESSION_TTL_SECONDS | 36000 | Session time-to-live in seconds (default: 10 hours) |

Database (service-core)

| Variable | Default | Description |
|---|---|---|
| DATABASE_URL | (none) | PostgreSQL connection string for Prisma ORM. Format: postgresql://user:password@host:port/database. Local dev: postgresql://luckyplans:luckyplans@localhost:5433/luckyplans |

MinIO (File Uploads)

| Variable | Default | Description |
|---|---|---|
| MINIO_ENDPOINT | localhost | MinIO server hostname |
| MINIO_PORT | 9000 | MinIO API port |
| MINIO_ACCESS_KEY | minioadmin | MinIO root user (S3 access key). Secret: managed via Sealed Secrets in production |
| MINIO_SECRET_KEY | minioadmin | MinIO root password (S3 secret key). Secret: managed via Sealed Secrets in production |
| MINIO_BUCKET | luckyplans-uploads | MinIO bucket name |
| MINIO_USE_SSL | false | Use SSL for the MinIO connection |

Observability

| Variable | Default | Description |
|---|---|---|
| OTEL_EXPORTER_OTLP_ENDPOINT | http://localhost:4317 | OpenTelemetry Collector gRPC endpoint for traces, metrics, and logs |
| LOG_LEVEL | info (prod) / debug (dev) | Pino log level (debug, info, warn, error) |

Environment variables are accessed via getEnvVar(key, defaultValue?) from @luckyplans/shared, which throws when a required variable (one with no default) is missing. See .env.example for the full template.
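As an added example (not the @luckyplans/shared implementation), the loader below follows the getEnvVar(key, defaultValue?) contract for the gateway variables above and, when NODE_ENV is production, refuses the dev-only values this page documents (dev-client-secret, minioadmin) and a SESSION_SECRET shorter than the 32 bytes that openssl rand -base64 32 produces. loadGatewayConfig and DEV_ONLY are hypothetical names.

```javascript
// Added example, not the @luckyplans/shared implementation: a getEnvVar-style
// loader that throws on missing required variables and, in production, refuses
// the dev-only values documented in the tables above. Names are hypothetical.

// Config field -> dev-only value that must never be running in production.
const DEV_ONLY = [
  ['keycloakClientSecret', 'dev-client-secret'],
  ['minioAccessKey', 'minioadmin'],
  ['minioSecretKey', 'minioadmin'],
];

// Same contract as getEnvVar(key, defaultValue?): no value and no default -> throw.
function getEnvVar(env, key, defaultValue) {
  const value = env[key] ?? defaultValue;
  if (value === undefined || value === '') {
    throw new Error(`Missing required environment variable: ${key}`);
  }
  return value;
}

function loadGatewayConfig(env) {
  const config = {
    nodeEnv: getEnvVar(env, 'NODE_ENV', 'development'),
    redisHost: getEnvVar(env, 'REDIS_HOST', 'localhost'),
    redisPort: Number(getEnvVar(env, 'REDIS_PORT', '6379')),
    keycloakIssuer: getEnvVar(env, 'KEYCLOAK_ISSUER'),
    keycloakJwksUri: getEnvVar(env, 'KEYCLOAK_JWKS_URI'),
    keycloakClientId: getEnvVar(env, 'KEYCLOAK_CLIENT_ID', 'luckyplans-frontend'),
    keycloakClientSecret: getEnvVar(env, 'KEYCLOAK_CLIENT_SECRET'),
    sessionSecret: getEnvVar(env, 'SESSION_SECRET'),
    sessionTtlSeconds: Number(getEnvVar(env, 'SESSION_TTL_SECONDS', '36000')),
    minioAccessKey: getEnvVar(env, 'MINIO_ACCESS_KEY', 'minioadmin'),
    minioSecretKey: getEnvVar(env, 'MINIO_SECRET_KEY', 'minioadmin'),
  };
  // The JWKS endpoint must live under the issuer realm, or tokens would be
  // verified against keys that issuer never published.
  if (!config.keycloakJwksUri.startsWith(config.keycloakIssuer + '/')) {
    throw new Error('KEYCLOAK_JWKS_URI is not under KEYCLOAK_ISSUER');
  }
  if (config.nodeEnv === 'production') {
    const leaked = DEV_ONLY.find(([field, devValue]) => config[field] === devValue);
    if (leaked) throw new Error(`${leaked[0]} still uses its dev-only value in production`);
    // `openssl rand -base64 32` yields 32 random bytes; accept nothing shorter.
    if (Buffer.from(config.sessionSecret, 'base64').length < 32) {
      throw new Error('SESSION_SECRET must decode to at least 32 bytes');
    }
  }
  return config;
}
```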

Note: The frontend no longer requires any auth-related environment variables. Apollo Client uses a relative /graphql URL and session cookies are managed entirely by the gateway.

Helm Values

Helm values are defined in infrastructure/helm/luckyplans/values.yaml.

Key Sections

| Section | Purpose |
|---|---|
| config.* | Application config rendered into a ConfigMap (incl. Keycloak vars, session TTL) |
| secrets | Plain-text dev secrets rendered into a K8s Secret (local dev only) |
| sealedSecrets.* | Encrypted production secrets rendered as a SealedSecret CRD (prod only) |
| image.* | Container registry and pull policy |
| ingress.* | Traefik ingress configuration (routes /auth/*, /graphql, /realms/*) |
| certManager.* | Let’s Encrypt TLS automation |
| redis.* | Redis deployment config |
| postgresql.* | PostgreSQL deployment config (Keycloak database) |
| keycloak.* | Keycloak deployment config (enabled by default) |
| apiGateway.* | API gateway deployment config |
| serviceCore.* | Core service deployment config |
| web.* | Frontend deployment config |

Production Overrides

Production-specific values are in infrastructure/helm/luckyplans/values.prod.yaml. Image tags are automatically updated by the CI/CD pipeline via .github/workflows/update-tags.yml.

Production Secrets (Sealed Secrets)

Production secrets are encrypted via Bitnami Sealed Secrets and stored in values.prod.yaml under sealedSecrets.encryptedData. The sealed-secrets-controller in the cluster decrypts them at runtime. See Deployment Guide for setup and rotation.

Example: scaling in production

# values.prod.yaml
apiGateway:
  replicas: 3
  resources:
    requests:
      memory: '512Mi'
      cpu: '500m'
    limits:
      memory: '1Gi'
      cpu: '1000m'
 
web:
  replicas: 2

Commit and push — ArgoCD auto-syncs the change.