Configuration Reference
Categories below reflect chart 1.2.0+ surface area. Older chart versions may expose additional or fewer fields.
After Plexicus is running on your cluster, you need to wire up the external provider integrations that power its features. This page is the index — per-provider walkthroughs are linked below as they are published.
Detailed per-provider guides are being added incrementally as the umbrella Helm chart stabilizes. Until each guide is live, the Source of truth column links to the canonical reference (the chart's secrets-management.md or the provider's own documentation), which is enough to configure a working deployment today.
What Is Documented Here
Plexicus integrations fall into three categories. Only the first two are documented for self-hosted deployments.
✅ Customer-facing (documented)
Integrations where you bring your own credentials and your own external service. Self-hosted Plexicus connects to the endpoints you specify, using the keys you provide.
| Integration | Purpose | Required? | Source of truth |
|---|---|---|---|
| GitHub App | Scan GitHub repositories | Conditional — required if you scan GitHub | coming soon — see docs/secrets-management.md bundled with the chart artifact |
| GitHub OAuth | "Login with GitHub" for end users | Optional | coming soon |
| GitLab OAuth | Scan GitLab repositories + login | Optional | coming soon |
| Bitbucket OAuth | Scan Bitbucket repositories + login | Optional | coming soon |
| Gitea OAuth | Scan self-hosted Gitea repositories + login | Optional | coming soon |
| Google OAuth | "Login with Google" for end users | Optional | coming soon |
| AI Piloting (Azure OpenAI / OpenAI) | AI-powered remediation and enrichment | Required for AI features; degrades gracefully without it | coming soon |
| SMTP | Email verification, invitations, password resets | Required | coming soon |
| Cloudflare Turnstile | Bot protection on public signup forms | Optional — leave empty to disable | coming soon |
| Object storage | Artifacts, scan reports, AI inputs/outputs | Required (bundled MinIO works out-of-the-box) | coming soon |
| Image registry mirror | Mirror all custom images from your own registry — required for air-gapped or restricted networks | Optional | docs/image-registry.md (bundled with the chart artifact) |
| Infrastructure prerequisites (MongoDB, Redis, Temporal, MinIO, PostgreSQL) | Five infra services that the Plexicus chart depends on. Install each as a separate Helm release in the same namespace before installing the umbrella chart. Customers running their own already-managed instances can skip the corresponding install and point Plexicus at the existing endpoint. | Required (chart 1.2.0+ no longer bundles them — bundling exceeded the 1 MB Helm release Secret limit) | getting-started.md and secrets-management.md (bundled with the chart artifact) |
🟡 Chart-internal (no setup needed)
Credentials that exist purely for service-to-service communication inside your cluster. Generate a strong random value once and use the same value across the relevant Kubernetes Secrets — no external provider account is involved.
| Credential | Used by | Action |
|---|---|---|
| PLEXALYZER_TOKEN, PLEXALYZER_SECRET_KEY | Internal Plexalyzer scanning service | Generate any 32+ character random string |
| SECRET_KEY (Django/FastAPI) | Session signing | Generate any 32+ character random string |
| NUXT_SECRET_KEY | Frontend session signing | Generate any 32+ character random string |
| Bundled subchart passwords (MongoDB, Redis, MinIO, Temporal PostgreSQL) | Bundled databases | Generate strong passwords; reuse across the services that connect to each |
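
An added example (not part of the Plexicus chart or its bundled documentation) of generating the four chart-internal values once and keeping them in a single file, so the same values can be loaded into every Secret that needs them. The env file name is hypothetical, and `<namespace>` and `<secret-name>` are placeholders; the real Secret names are listed in docs/secrets-management.md.

```shell
#!/usr/bin/env bash
# Added example: generate chart-internal credentials once, reuse them everywhere.
set -eu

# Keys taken from the chart-internal table above.
INTERNAL_KEYS="PLEXALYZER_TOKEN PLEXALYZER_SECRET_KEY SECRET_KEY NUXT_SECRET_KEY"

gen_secret() {
  # 48 bytes from the kernel CSPRNG -> 64 URL-safe characters (minimum is 32).
  head -c 48 /dev/urandom | base64 | tr -d '\n=' | tr '+/' '-_'
}

write_env_file() {
  # $1 = output path. Refuses to overwrite, so values already deployed
  # to the cluster are never silently replaced by a second run.
  out=$1
  if [ -e "$out" ]; then
    echo "refusing to overwrite $out" >&2
    return 1
  fi
  ( umask 077   # file is readable by the current user only
    for key in $INTERNAL_KEYS; do
      printf '%s=%s\n' "$key" "$(gen_secret)"
    done > "$out" )
}

check_env_file() {
  # $1 = env file. Fails if an expected key is missing or under 32 characters.
  for key in $INTERNAL_KEYS; do
    value=$(sed -n "s/^${key}=//p" "$1")
    if [ "${#value}" -lt 32 ]; then
      echo "$key: missing or shorter than 32 characters" >&2
      return 1
    fi
  done
}

# Usage: ./gen-internal-secrets.sh plexicus-internal.env   (hypothetical names)
if [ "$#" -ge 1 ]; then
  write_env_file "$1"
  check_env_file "$1"
  # Placeholders: take the Secret names from docs/secrets-management.md and
  # repeat the command for each Secret that needs these values.
  echo "kubectl -n <namespace> create secret generic <secret-name> --from-env-file=$1"
fi
```

Keep the generated file out of version control and remove it once the Secrets exist in the cluster.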
Chart 1.2.0+ ships restrictive NetworkPolicies and PodDisruptionBudgets per service. They have sensible defaults — no customer action needed unless you want to tighten further.
🔒 Plexicus-internal (intentionally not documented)
Some integrations exist in the platform code because Plexicus uses them on the managed SaaS offering at plexicus.ai. They are not relevant to self-hosted deployments and the chart ships with them disabled or empty by default.
Categories of integrations that fall under this policy:
- Commercial / billing systems
- Marketing automation
- Product analytics and telemetry
- Customer feedback platforms
- Application performance monitoring
- Push-notification services
- Marketplace listings
- Public-funnel URLs that point at plexicus.ai
These are not documented for self-hosted, will not appear in any guide, and should remain unset. If you encounter env vars in the chart values that look related to any of the categories above, leave them empty — the chart is designed to behave correctly when these are unset.
Where to Look in the Meantime
Until each per-provider guide is published, the canonical references ship inside the chart artifact. After authenticating to the registry and pulling the chart with --untar, the bundled documentation is available locally:
```
helm pull oci://europe-west3-docker.pkg.dev/plexicus-registry/charts/plexicus \
  --version $CHART_VERSION --untar
ls plexicus/docs/
```
The bundled files most relevant to configuration:
- docs/secrets-management.md — every sensitive key per service, the existingSecret pattern, and example kubectl create secret commands you can adapt directly.
- docs/image-registry.md — image mirroring procedure, air-gapped deployments, registry auth.
- values-customer.yaml.example — the canonical ~30-line starter overlay with inline comments for every customer knob.
These ship with the version of the chart you pulled and stay in sync with it.
Reporting Gaps
If you discover an environment variable that is not categorized here, or a feature that requires configuration not yet covered, open an issue at github.com/plexicus/docs — those reports prioritize which per-provider guide is published next.