Configuring the Helm Chart

Shared Config

For the hatchet-stack and hatchet-ha Helm charts, the sharedConfig object in the values.yaml file allows you to configure shared settings for all backend services. The default values are:

sharedConfig:
  # you can disable shared config by setting this to false
  enabled: true
 
  # these are the most commonly configured values
  serverUrl: "http://localhost:8080"
  serverAuthCookieDomain: "localhost:8080" # the domain for the auth cookie
  serverAuthCookieInsecure: "t" # allows cookies to be set over http
  serverAuthSetEmailVerified: "t" # automatically sets email_verified to true for all users
  serverAuthBasicAuthEnabled: "t" # allows login via basic auth (email/password)
  grpcBroadcastAddress: "localhost:7070" # the endpoint for the gRPC server, exposed via the `grpc` service
  grpcInsecure: "true" # allows gRPC to be served over http
  defaultAdminEmail: "admin@example.com" # in exposed/production environments, change this to a valid email
  defaultAdminPassword: "Admin123!!" # in exposed/production environments, change this to a secure password
 
  # you can set additional environment variables here, which will override any defaults
  env: {}

Networking

  • sharedConfig.serverUrl (default: "http://localhost:8080"): specifies the base URL for the server. This URL should be the public-facing URL of the Hatchet API server (which is typically bundled behind a reverse proxy with the Hatchet frontend).

  • sharedConfig.grpcBroadcastAddress (default: "localhost:7070"): defines the address for the gRPC server endpoint, which is exposed via the grpc service.

  • sharedConfig.grpcInsecure (default: "true"): when set to "true", the gRPC server is served without TLS (plain HTTP instead of HTTPS). Use this in non-production environments only.

Authentication

  • sharedConfig.serverAuthCookieDomain (default: "localhost:8080"): specifies the domain for the authentication cookie. Set this to the appropriate domain when deploying to production.

  • sharedConfig.serverAuthCookieInsecure (default: "t"): if set to "t", allows authentication cookies to be set over HTTP, which is useful for local development. In production, disable this so that authentication cookies are only set over HTTPS.

  • sharedConfig.serverAuthSetEmailVerified (default: "t"): automatically sets email_verified to true for all users. This is useful for testing environments where email verification is not necessary.

  • sharedConfig.serverAuthBasicAuthEnabled (default: "t"): enables basic authentication (using email and password) for users. Enable this if the system needs to support user logins via email/password.

  • sharedConfig.defaultAdminEmail (default: "admin@example.com"): specifies the email for the default administrator account. Change this to a valid email when deploying to production environments.

  • sharedConfig.defaultAdminPassword (default: "Admin123!!"): defines the password for the default administrator account. This should be changed to a strong password for production deployments.
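
A pre-deploy check for the development defaults listed above, as an added example that is not part of the Hatchet chart or its docs. The function names are hypothetical; it matches simple key/value lines at any nesting level rather than parsing YAML, and treats both "t" and "true" as enabled, which is an assumption.

```shell
#!/bin/sh
# Added example (not from the Hatchet chart): flag the development defaults
# documented on this page before a values file is used for an exposed
# deployment. Line-based match on `key: "value"`, not a full YAML parser.

audit_values() {  # $1 = values file; prints findings, returns 1 if any
  awk '
    function flag(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg; bad = 1 }
    /^[ \t]*#/ { next }                        # skip full-line comments
    {
      line = $0
      sub(/[ \t]+#.*$/, "", line)              # drop a trailing comment
      if (line !~ /^[ \t]*[A-Za-z_]+:[ \t]*[^ \t]/) next
      key = line; sub(/^[ \t]*/, "", key); sub(/:.*$/, "", key)
      val = line; sub(/^[^:]*:[ \t]*/, "", val)
      sub(/^["\047]/, "", val); sub(/["\047]$/, "", val)   # strip quotes
      on = (val == "t" || val == "true")       # assumed: both mean enabled
      if (key == "serverUrl" && val ~ /^http:/) flag("serverUrl is not https")
      if (key == "serverAuthCookieDomain" && val ~ /^localhost/) flag("auth cookie domain is localhost")
      if (key == "serverAuthCookieInsecure" && on) flag("auth cookie allowed over http")
      if (key == "grpcInsecure" && on) flag("gRPC served without TLS")
      if (key == "serverAuthSetEmailVerified" && on) flag("email_verified forced to true")
      if (key == "defaultAdminEmail" && val == "admin@example.com") flag("default admin email")
      if (key == "defaultAdminPassword" && val == "Admin123!!") flag("default admin password")
    }
    END { exit (bad ? 1 : 0) }
  ' "$1"
}

write_dev_defaults() {  # constructed sample: the defaults quoted on this page
  cat > "$1" <<'EOF'
sharedConfig:
  serverUrl: "http://localhost:8080"
  serverAuthCookieDomain: "localhost:8080" # the domain for the auth cookie
  serverAuthCookieInsecure: "t"
  serverAuthSetEmailVerified: "t"
  grpcInsecure: "true"
  defaultAdminEmail: "admin@example.com"
  defaultAdminPassword: "Admin123!!"
EOF
}

sample=$(mktemp)
write_dev_defaults "$sample"
audit_values "$sample" || echo "dev defaults present: not ready for an exposed deployment"
rm -f "$sample"
```

Because keys are matched regardless of their parent object, the same check also catches the default admin credentials when they appear under a seed block.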

Additional Env Variables

You can set additional environment variables for the backend services using the env object. For example:

sharedConfig:
  env:
    MY_ENV_VAR: "my-value"

This will set the environment variable MY_ENV_VAR to "my-value" for all backend services. These values will override any default environment settings for the services.

Credentials and Key Generation

Setup Job

The quickstartJob bootstraps Hatchet’s encryption and auth secrets into a Kubernetes Secret (hatchet-config):

quickstartJob:
  enabled: true

Worker Token Job

The worker token job generates a client token after the engine is running:

workerTokenJob:
  enabled: true

The token is stored as HATCHET_CLIENT_TOKEN in the hatchet-client-config secret. Alternatively, navigate to the Settings tab in the Hatchet frontend and click on the API Tokens tab to generate a token manually.

Generating Keys Manually

For GitOps or pre-configured deployments, generate keys using the hatchet-admin image:

docker run --rm ghcr.io/hatchet-dev/hatchet/hatchet-admin:latest \
  /hatchet/hatchet-admin keyset create-local-keys

Generate the cookie secrets with openssl; these must be two space-separated random strings:

echo "$(openssl rand -hex 16) $(openssl rand -hex 16)"

Supply all values in your values.yaml:

sharedConfig:
  env:
    SERVER_ENCRYPTION_MASTER_KEYSET: "<master-keyset>"
    SERVER_ENCRYPTION_JWT_PRIVATE_KEYSET: "<private-keyset>"
    SERVER_ENCRYPTION_JWT_PUBLIC_KEYSET: "<public-keyset>"
    SERVER_AUTH_COOKIE_SECRETS: "<secret1> <secret2>"

For all available options, see Encryption Configuration and Authentication Configuration.
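
The final step of the manual procedure above, as an added example rather than Hatchet tooling: a shell gate that writes the env fragment only when every value has been filled in. The function names, the requirement that the two cookie strings differ, and the assumption that keysets contain no double quotes are this example's own.

```shell
#!/bin/sh
# Added example (not Hatchet's own tooling): refuse to write the secrets
# fragment while any value is empty, still a <placeholder>, or malformed.

valid_cookie_secrets() {  # $1 = candidate SERVER_AUTH_COOKIE_SECRETS
  case $1 in *'<'*|*'>'*|*'"'*) return 1 ;; esac   # template text left in
  set -f; set -- $1; set +f                  # split on whitespace, no globbing
  # exactly two strings; requiring them to differ is an added sanity check
  [ "$#" -eq 2 ] && [ "$1" != "$2" ]
}

write_secret_values() {  # $1 out file, $2 master, $3 JWT private, $4 JWT public, $5 cookie secrets
  for v in "$2" "$3" "$4"; do
    case $v in
      ''|*'<'*|*'"'*) echo "keyset empty, placeholder, or contains a quote" >&2; return 1 ;;
    esac
  done
  valid_cookie_secrets "$5" || { echo "bad SERVER_AUTH_COOKIE_SECRETS" >&2; return 1; }
  (
    umask 077                                # a newly created file is owner-only
    cat > "$1" <<EOF
sharedConfig:
  env:
    SERVER_ENCRYPTION_MASTER_KEYSET: "$2"
    SERVER_ENCRYPTION_JWT_PRIVATE_KEYSET: "$3"
    SERVER_ENCRYPTION_JWT_PUBLIC_KEYSET: "$4"
    SERVER_AUTH_COOKIE_SECRETS: "$5"
EOF
  )
}

# Demo with the template placeholders from this page: the write is refused.
dir=$(mktemp -d)
write_secret_values "$dir/hatchet-secrets.yaml" "<master-keyset>" "<private-keyset>" \
  "<public-keyset>" "<secret1> <secret2>" || echo "refused: template placeholders"
rm -rf "$dir"
```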

Seeding Data

The sharedConfig object also allows you to seed the database with a default tenant and user. The following environment variables are used for seeding:

seed:
  defaultAdminEmail: "admin@example.com" # in exposed/production environments, change this to a valid email
  defaultAdminPassword: "Admin123!!" # in exposed/production environments, change this to a secure password
  env:
    ADMIN_NAME: "Admin User"
    DEFAULT_TENANT_NAME: "Default"
    DEFAULT_TENANT_SLUG: "default"
    DEFAULT_TENANT_ID: "707d0855-80ab-4e1f-a156-f1c4546cbf52"