Skip to main content
Red Hat Certified Helm Chart Production-ready Helm chart to deploy Alquimia Studio — the no-code/low-code platform to build, deploy, and manage enterprise AI agents — on Kubernetes and OpenShift. The chart is aligned with Red Hat Helm Chart Certification best practices: non-root containers, read-only root filesystem, dropped capabilities, liveness/readiness probes, configurable resources, recommended labels, and built-in Helm tests.
Available in the Red Hat OpenShift Helm Catalog as a Partner chart, provided by Alquimia AI US Corp. — install it directly from the OpenShift web console or via the CLI. See Red Hat OpenShift Helm Catalog.

Table of Contents

TL;DR

helm repo add alquimia https://example.com/alquimia-charts
helm repo update

helm install studio alquimia/alquimia-studio \
  --set image.repository=alquimiaai/studio \
  --set image.tag=v1.0.0

Red Hat OpenShift Helm Catalog

This chart is published as a Red Hat certified Partner chart in the official OpenShift Helm Charts catalog (https://charts.openshift.io/), maintained by Alquimia AI US Corp. It is available out-of-the-box on every OpenShift cluster (4.15+) under Software Catalog → Helm Charts, ready to be installed with a single click from the web console.

Install from the OpenShift web console

  1. Log in to the OpenShift web console.
  2. Navigate to Developer → Add → Helm Chart (or Administrator → Software Catalog → Helm Charts).
  3. Filter by Chart Repositories: OpenShift Helm Charts and search for Alquimia Studio.
  4. Click Create, choose the namespace, and provide your values.yaml (or use the form view).
  5. Click Install — the console will render the chart and create the resources.

Install from the CLI (using the OpenShift catalog repo)

The OpenShift catalog is exposed as a standard Helm repository, so you can install the chart from any client: 
helm repo add openshift-helm-charts https://charts.openshift.io/
helm repo update

# Browse available versions
helm search repo openshift-helm-charts/alquimia-studio --versions

# Install a specific version
helm install studio openshift-helm-charts/alquimia-studio \
  --version 0.2.0 \
  -n alquimia-studio --create-namespace \
  -f values-prod.yaml
The published chart includes the Red Hat certification annotations (charts.openshift.io/name, charts.openshift.io/providerType: partner, charts.openshift.io/supportedOpenShiftVersions: ">=4.15") and has passed the Red Hat Helm Chart Verifier checks.

Prerequisites

ComponentVersion
Kubernetes>= 1.26
OpenShift>= 4.15 (if deploying on OCP)
Helm>= 3.9
Container imageA published image of Alquimia Studio
MongoDBRequired when DB_STRATEGY=mongo (default)
KeycloakRequired when AUTH_STRATEGY=keycloak (recommended)
Alquimia RuntimeRequired for inference orchestration
Alquimia TWYDRequired if RAG / document indexing is enabled

Installation

1) Basic install (Service only)

helm install studio ./alquimia-studio \
  --set image.repository=alquimiaai/studio \
  --set image.tag=v1.0.0

2) With Kubernetes Ingress

helm install studio ./alquimia-studio \
  --set ingress.enabled=true \
  --set ingress.className=nginx \
  --set ingress.hosts[0].host=studio.example.com

helm install studio ./alquimia-studio \
  --set openshift.route.enabled=true \
  --set openshift.route.host=studio.apps.example.openshift.com
If both ingress.enabled and openshift.route.enabled are true, the chart prefers Ingress and skips the Route.

Upgrading

helm upgrade studio ./alquimia-studio --set image.tag=v1.2.3

Uninstalling

helm uninstall studio

Configuration

Alquimia Studio is configured almost entirely through environment variables, sourced from a ConfigMap (non-sensitive) and a Secret (sensitive). The chart supports two patterns:
  1. Bring your own existing ConfigMap / Secret (recommended for production).
  2. Let the chart create them from values.yaml (handy for dev/staging).

Required Environment Variables (Studio)

These variables are consumed by Alquimia Studio at runtime. Place non-sensitive values in the ConfigMap and secrets in the Secret.

Database

VariableRequiredTypeDescriptionExample
DB_STRATEGYYesConfigPersistence strategy. mongo (default, requires MongoDB) or lite (embedded NeDB, no DB).mongo
DATABASE_URLIf DB_STRATEGY=mongoSecretMongoDB connection string. Treated as a Secret because it usually contains user/password.mongodb+srv://user:pass@cluster.mongodb.net/alquimia-studio

Authentication (Keycloak / NextAuth)

Studio supports two strategies via AUTH_STRATEGY: keycloak (enterprise SSO) or lite (self-contained, file/JSON-based users).
VariableRequiredTypeDescription
AUTH_STRATEGYYesConfigkeycloak (recommended) or lite.
NEXT_PUBLIC_AUTH_STRATEGYYesConfigSame value as AUTH_STRATEGY, exposed to the browser.
AUTH_KEYCLOAK_ISSUERIf AUTH_STRATEGY=keycloakConfigKeycloak issuer URL (…/auth/realms/<realm>).
AUTH_KEYCLOAK_IDIf AUTH_STRATEGY=keycloakConfigOIDC client ID registered in Keycloak.
AUTH_KEYCLOAK_SECRETIf AUTH_STRATEGY=keycloakSecretOIDC client secret.
NEXTAUTH_URLYesConfigPublic URL of Studio (must match Keycloak redirect URIs in keycloak mode).
NEXTAUTH_SECRETYesSecretRandom string used to sign NextAuth.js sessions/JWTs.
AUTH_LITE_USERSIf AUTH_STRATEGY=lite (one of these two)SecretInline JSON array of users with email, name, password_hash (bcrypt).
AUTH_LITE_USERS_FILEIf AUTH_STRATEGY=lite (one of these two)ConfigPath to a JSON file with the users list (mounted via volume).

Alquimia Runtime

VariableRequiredTypeDescription
ASSISTANT_BASEURLYesConfigBase URL of the Alquimia Runtime service.
ALQUIMIA_ASSISTANT_API_KEYYesSecretAPI key used by Studio to authenticate against Runtime.

Alquimia TWYD (Knowledge Base)

VariableRequiredTypeDescription
TWYD_BASEURLIf RAG is enabledConfigBase URL of the Alquimia TWYD (Knowledge Base) service.
TWYD_API_KEYIf RAG is enabledSecretAPI key for TWYD.

Metrics (Prometheus / Grafana)

VariableRequiredTypeDescription
METRICS_API_URLNoConfigPrometheus / Grafana metrics API URL (e.g. https://metrics.example.com/api/).
METRICS_API_TOKENNoSecretBearer token (or username:password for Basic auth) for the metrics API.

OpenTelemetry & logging (optional)

VariableRequiredTypeDescription
OTEL_ALQUIMIA_SERVICE_NAMENoConfigLogical service name reported to OTel.
OTEL_COLLECTOR_ENDPOINT_TRACESNoConfigOTLP traces endpoint (e.g. …/v1/traces).
OTEL_COLLECTOR_ENDPOINTNoConfigOTLP metrics endpoint (e.g. …/v1/metrics).
OTEL_COLLECTOR_ENDPOINT_LOGSNoConfigOTLP logs endpoint (e.g. …/v1/logs).
OTEL_EXPORTER_INTERNAL_MILISNoConfigExport interval in milliseconds.
OTEL_EXPORTER_TIMEOUT_MILISNoConfigExport timeout in milliseconds.
LOG_LEVELNoConfigLog level: debug, info, warn, error.

Misc / UI

VariableRequiredTypeDescription
EXTERNAL_REGISTRY_URLNoConfigExternal OCI registry URL used by the Discover feed. Leave empty to disable.
NEXT_PUBLIC_ONBOARDINGNoConfigtrue/false. Enables the onboarding tour for new users.

Using existing ConfigMap and Secret

If you already manage alquimia-studio-config and alquimia-studio-secrets (e.g. via GitOps, Sealed Secrets, External Secrets Operator): 
envFrom:
  existingConfigMap: "alquimia-studio-config"
  existingSecret: "alquimia-studio-secrets"

createConfig:
  enabled: false
createSecret:
  enabled: false
Example ConfigMap you might apply separately: 
apiVersion: v1
kind: ConfigMap
metadata:
  name: alquimia-studio-config
data:
  # Database
  DB_STRATEGY: "mongo"

  # Auth
  AUTH_STRATEGY: "keycloak"
  NEXT_PUBLIC_AUTH_STRATEGY: "keycloak"
  AUTH_KEYCLOAK_ISSUER: "https://keycloak.example.com/auth/realms/alquimia"
  AUTH_KEYCLOAK_ID: "alquimia-studio"
  NEXTAUTH_URL: "https://studio.example.com"

  # Alquimia services
  ASSISTANT_BASEURL: "https://runtime.example.com"
  TWYD_BASEURL: "https://twyd.example.com/"

  # Observability
  OTEL_ALQUIMIA_SERVICE_NAME: "alquimia-studio"
  OTEL_COLLECTOR_ENDPOINT_TRACES: "http://otel-collector:4318/v1/traces"
  OTEL_COLLECTOR_ENDPOINT: "http://otel-collector:4318/v1/metrics"
  OTEL_COLLECTOR_ENDPOINT_LOGS: "http://otel-collector:4318/v1/logs"
  OTEL_EXPORTER_INTERNAL_MILIS: "5000"
  OTEL_EXPORTER_TIMEOUT_MILIS: "5000"
  LOG_LEVEL: "info"

  # Metrics (optional)
  METRICS_API_URL: "https://metrics.example.com/api/"

  # Misc (optional)
  EXTERNAL_REGISTRY_URL: ""
  NEXT_PUBLIC_ONBOARDING: "true"
Example Secret: 
apiVersion: v1
kind: Secret
metadata:
  name: alquimia-studio-secrets
type: Opaque
stringData:
  DATABASE_URL: "mongodb+srv://user:pass@cluster.mongodb.net/alquimia-studio?retryWrites=true&w=majority&appName=alquimia-studio"
  AUTH_KEYCLOAK_SECRET: "replace-me"
  NEXTAUTH_SECRET: "replace-me"
  ALQUIMIA_ASSISTANT_API_KEY: "replace-me"
  TWYD_API_KEY: "replace-me"
  METRICS_API_TOKEN: "replace-me"

Creating ConfigMap and Secret with the chart

For dev/staging environments you can let the chart render them from values.yaml: 
envFrom:
  existingConfigMap: ""
  existingSecret: ""

createConfig:
  enabled: true
  config:
    DB_STRATEGY: "mongo"
    AUTH_STRATEGY: "keycloak"
    NEXT_PUBLIC_AUTH_STRATEGY: "keycloak"
    AUTH_KEYCLOAK_ISSUER: "https://keycloak.example.com/auth/realms/alquimia"
    AUTH_KEYCLOAK_ID: "alquimia-studio"
    NEXTAUTH_URL: "https://studio.example.com"
    ASSISTANT_BASEURL: "https://runtime.example.com"
    TWYD_BASEURL: "https://twyd.example.com/"
    LOG_LEVEL: "info"

createSecret:
  enabled: true
  stringData:
    DATABASE_URL: "mongodb+srv://user:pass@cluster.mongodb.net/alquimia-studio"
    AUTH_KEYCLOAK_SECRET: "xxxxx"
    NEXTAUTH_SECRET: "xxxxx"
    ALQUIMIA_ASSISTANT_API_KEY: "xxxxx"
    TWYD_API_KEY: "xxxxx"
Then install with: 
helm install studio ./alquimia-studio -f values.yaml
Tip: for production, prefer existingSecret populated by an external secret manager (Vault, AWS Secrets Manager, Sealed Secrets, ESO, etc.) instead of inlining secrets in values.yaml.

Parameters

Image

KeyTypeDefaultDescription
replicaCountint1Number of replicas
image.repositorystringalquimiaai/studioImage repository
image.tagstringlatestImage tag (pin via CI/CD)
image.pullPolicystringIfNotPresentImage pull policy
image.pullSecretslist[]List of imagePullSecrets names

Service & Networking

KeyTypeDefaultDescription
service.typestringClusterIPService type
service.portint80Service port
service.targetPortint3000Container port
ingress.enabledboolfalseEnable Kubernetes Ingress
ingress.classNamestring""IngressClass name
ingress.hosts[0].hoststringstudio.example.comHostname
ingress.tlslist[]TLS entries for hosts
openshift.route.enabledbooltrueEnable OpenShift Route
openshift.route.hoststring""Route host (optional)
openshift.route.tls.enabledbooltrueTLS on Route
networkPolicy.enabledbooltrueEnable NetworkPolicy
networkPolicy.ingressNamespaceslist[]Namespaces allowed to ingress (empty = same namespace)

Resources & Scheduling

KeyTypeDefaultDescription
resources.requests.cpustring100mCPU request
resources.requests.memorystring256MiMemory request
resources.limits.cpustring500mCPU limit
resources.limits.memorystring512MiMemory limit
nodeSelectormap{}Node selector
tolerationslist[]Tolerations
affinitymap{}Affinity rules

Configuration & Secrets

KeyTypeDefaultDescription
env.varslist[]Inline environment variables
envFrom.existingConfigMapstringalquimia-studio-configUse existing ConfigMap
envFrom.existingSecretstringalquimia-studio-secretsUse existing Secret
createConfig.enabledboolfalseCreate ConfigMap from values
createConfig.configmap{}Key/values for ConfigMap
createSecret.enabledboolfalseCreate Secret from values
createSecret.stringDatamap{}Secret key/values

Security

KeyTypeDefaultDescription
serviceAccount.createbooltrueCreate ServiceAccount
serviceAccount.namestring""ServiceAccount name
podSecurityContextmapsee valuesPod security context
containerSecurityContextmapsee valuesContainer security context

Probes

KeyTypeDefaultDescription
probes.liveness.pathstring/health/livenessLiveness probe path
probes.readiness.pathstring/health/readinessReadiness probe path
probes.liveness.periodSecondsint10Liveness probe period
probes.readiness.periodSecondsint10Readiness probe period

Example values.yaml

replicaCount: 2

image:
  repository: alquimiaai/studio
  tag: "v1.0.0"
  pullPolicy: IfNotPresent

openshift:
  route:
    enabled: true
    host: studio.apps.dev.example.com
    tls:
      enabled: true
      termination: edge
      insecureEdgeTerminationPolicy: Redirect

envFrom:
  existingConfigMap: "alquimia-studio-config"
  existingSecret: "alquimia-studio-secrets"

resources:
  requests:
    cpu: 200m
    memory: 256Mi
  limits:
    cpu: "1"
    memory: 512Mi

networkPolicy:
  enabled: true
  ingressNamespaces: []

Security

This chart follows container hardening best practices:
  • runAsNonRoot: true
  • readOnlyRootFilesystem: true
  • allowPrivilegeEscalation: false
  • All Linux capabilities dropped (drop: ["ALL"])
  • seccompProfile: RuntimeDefault
If your app needs write access (e.g. cache or temporary files), mount an emptyDir at the required path or extend the chart to add a writable volume.

Network Policy (opt-in)

Restrict inbound traffic to the service namespace (or specific namespaces): 
networkPolicy:
  enabled: true
  ingressNamespaces: []  # same-namespace only
To allow specific namespaces: 
networkPolicy:
  enabled: true
  ingressNamespaces:
    - alquimia-runtime
    - ingress-nginx

OpenShift Notes

  • Prefer Route over Ingress (openshift.route.enabled: true).
  • Ensure the default SCC allows runAsNonRoot. If your cluster injects a random UID, this chart already sets non-root compatible options.
  • For TLS, you can attach a custom certificate to the Route or rely on router defaults.
  • The chart declares charts.openshift.io/supportedOpenShiftVersions: ">=4.15" for Red Hat certification.

Troubleshooting

Pods stuck in CrashLoopBackOff complaining about missing env vars Verify that the referenced ConfigMap and Secret exist and contain all required keys listed in Required Environment Variables. 
kubectl get cm alquimia-studio-config -o yaml
kubectl get secret alquimia-studio-secrets -o yaml
NextAuth callback errors / login redirect loops Ensure that:
  • NEXTAUTH_URL matches the public URL exposed by the Ingress/Route.
  • The Keycloak client has the correct Valid Redirect URIs (e.g. https://studio.example.com/api/auth/callback/keycloak).
  • NEXTAUTH_SECRET is set and consistent across replicas.
Cannot connect to MongoDB Check the DATABASE_URL value (it usually contains user/password and should live in the Secret) and that the MongoDB service is reachable from the pod’s namespace. As a quick alternative for testing, set DB_STRATEGY=lite to use the embedded NeDB store. AUTH_STRATEGY=lite users cannot log in When using lite auth, provide either:
  • AUTH_LITE_USERS — inline JSON array (kept in the Secret), or
  • AUTH_LITE_USERS_FILE — absolute path to a JSON file (mount it via a volume).
The JSON shape is [{ "email": "...", "name": "...", "password_hash": "$2b$..." }] (bcrypt hash). Read-only filesystem errors The chart enables readOnlyRootFilesystem. Mount an emptyDir if Studio (or a sidecar) needs to write to disk. Run the chart’s smoke tests 
helm test studio