Configuration Reference

Complete reference for values.yaml in the watchlight-beacon umbrella chart. All values can be overridden with --set flags or custom values files.

Global Settings

Key	Default	Description
global.imageRegistry	ghcr.io/watchlight-ai-beacon	Container image registry
global.imageTag	0.3.0-preview	Default image tag for all services
global.imagePullPolicy	IfNotPresent	Image pull policy
global.imagePullSecrets	[]	List of image pull secret names
global.namespace	watchlight	Target namespace
global.createNamespace	true	Create namespace if it does not exist
global.storageClass	""	Default storage class (empty = cluster default)
global.externalDatabase.url	""	BYO database connection string
global.ingress.className	""	Default ingress class
global.ingress.annotations	{}	Default ingress annotations

Subchart Toggles

Control which services are deployed. These map to the three deployment tiers.

Key	Default	Tier	Description
wl-registry.enabled	true	1	AI Agent and MCP Registry backend
wl-registry-frontend.enabled	true	1	Registry dashboard
wl-discover.enabled	true	1	MCP/agent discovery DaemonSet
postgresql.enabled	true	1	Built-in PostgreSQL (disable for BYO)
wl-apdp.enabled	false	2	Cedar authorization engine
wl-apdp-frontend.enabled	false	2	Authorization dashboard
wl-proxy.enabled	false	3	Agent governance proxy
wl-secrets-broker.enabled	false	3	Secret management broker

---

wl-registry

The registry backend API service.

Image

Key	Default	Description
wl-registry.image.repository	wl-registry	Image name (appended to global.imageRegistry)
wl-registry.image.tag	0.3.0-preview	Image tag (falls back to global.imageTag)
wl-registry.image.pullPolicy	IfNotPresent	Pull policy

Deployment

Key	Default	Description
wl-registry.replicaCount	2	Number of replicas
wl-registry.resources.requests.cpu	100m	CPU request
wl-registry.resources.requests.memory	256Mi	Memory request
wl-registry.resources.limits.cpu	500m	CPU limit
wl-registry.resources.limits.memory	512Mi	Memory limit
wl-registry.deploymentStrategy.type	RollingUpdate	Update strategy
wl-registry.terminationGracePeriodSeconds	30	Shutdown grace period

Service and Ingress

Key	Default	Description
wl-registry.service.type	ClusterIP	Service type
wl-registry.service.port	8080	Service port
wl-registry.ingress.enabled	false	Enable ingress
wl-registry.ingress.className	""	Ingress class
wl-registry.ingress.hosts	[]	Ingress host rules
wl-registry.ingress.tls	[]	TLS configuration

Database

Key	Default	Description
wl-registry.database.url	""	Direct database URL (stored in chart-managed Secret)
wl-registry.database.urlSecret	""	Name of existing Secret containing DATABASE_URL

Environment

Key	Default	Description
wl-registry.env.HOST	0.0.0.0	Bind address
wl-registry.env.PORT	8080	Listen port
wl-registry.env.LOG_LEVEL	info	Log level (trace, debug, info, warn, error)
wl-registry.env.CORS_ORIGINS	*	Allowed CORS origins
wl-registry.env.AGENT_REGISTRATION_MODE	open	Agent registration mode (open, token_required, disabled)

Scaling and Availability

Key	Default	Description
wl-registry.hpa.enabled	false	Enable Horizontal Pod Autoscaler
wl-registry.hpa.minReplicas	2	Minimum replicas
wl-registry.hpa.maxReplicas	10	Maximum replicas
wl-registry.hpa.targetCPUUtilizationPercentage	80	CPU target for scaling
wl-registry.hpa.targetMemoryUtilizationPercentage	80	Memory target for scaling
wl-registry.pdb.enabled	true	Enable Pod Disruption Budget
wl-registry.pdb.minAvailable	1	Minimum available pods
wl-registry.podAntiAffinity.enabled	true	Spread pods across nodes
wl-registry.podAntiAffinity.type	preferred	Anti-affinity type (preferred or required)

TLS

Key	Default	Description
wl-registry.tls.enabled	false	Enable TLS termination at the pod
wl-registry.tls.cert	""	TLS certificate (PEM)
wl-registry.tls.key	""	TLS private key (PEM)
wl-registry.tls.port	8443	HTTPS port

Monitoring

Key	Default	Description
wl-registry.serviceMonitor.enabled	false	Create Prometheus ServiceMonitor
wl-registry.serviceMonitor.interval	30s	Scrape interval
wl-registry.serviceMonitor.scrapeTimeout	10s	Scrape timeout

---

wl-registry-frontend

Nginx-based frontend serving the registry dashboard.

Key	Default	Description
wl-registry-frontend.replicaCount	1	Number of replicas
wl-registry-frontend.image.repository	wl-registry-frontend	Image name
wl-registry-frontend.image.tag	""	Tag (defaults to global.imageTag)
wl-registry-frontend.service.type	ClusterIP	Service type
wl-registry-frontend.service.port	80	Service port
wl-registry-frontend.ingress.enabled	false	Enable ingress
wl-registry-frontend.ingress.hosts	[]	Ingress host rules
wl-registry-frontend.ingress.tls	[]	TLS configuration
wl-registry-frontend.backend.serviceName	""	Override backend service name
wl-registry-frontend.backend.port	8080	Backend service port
wl-registry-frontend.resources.requests.cpu	50m	CPU request
wl-registry-frontend.resources.requests.memory	32Mi	Memory request
wl-registry-frontend.resources.limits.cpu	200m	CPU limit
wl-registry-frontend.resources.limits.memory	128Mi	Memory limit

---

wl-discover

MCP server and AI agent discovery daemon. Deployed as a DaemonSet.

Discovery Configuration

Key	Default	Description
wl-discover.config.registryUrl	""	Registry endpoint URL (required)
wl-discover.config.agentId	""	Discovery agent ID (required)
wl-discover.config.agentKey.secretName	""	Secret containing the agent key
wl-discover.config.agentKey.secretKey	agent-key	Key within the Secret

Discovery Modes

Key	Default	Description
wl-discover.ebpf.enabled	true	eBPF network observation (requires Linux 5.8+ with BTF)
wl-discover.kubernetes.enabled	true	Kubernetes API discovery
wl-discover.kubernetes.passiveDiscovery	true	Enumerate pod ports and probe for MCP servers
wl-discover.docker.enabled	false	Docker socket discovery

Security Context

Key	Default	Description
wl-discover.securityContext.runAsUser	0	Must be root for eBPF capabilities
wl-discover.securityContext.capabilities.add	[BPF, PERFMON, SYS_RESOURCE]	Required Linux capabilities
wl-discover.hostNetwork	true	Required for eBPF network observation
wl-discover.hostPID	true	Required for eBPF process correlation

Resources

Key	Default	Description
wl-discover.resources.requests.cpu	50m	CPU request
wl-discover.resources.requests.memory	64Mi	Memory request
wl-discover.resources.limits.cpu	200m	CPU limit
wl-discover.resources.limits.memory	256Mi	Memory limit

TLS

Key	Default	Description
wl-discover.tls.caCertPath	""	CA certificate path for registry TLS verification

---

wl-apdp

Agentic Policy Decision Point (Tier 2).

Deployment

Key	Default	Description
wl-apdp.image.repository	wl-apdp	Image name
wl-apdp.image.tag	0.2.0	Image tag
wl-apdp.replicaCount	2	Number of replicas
wl-apdp.resources.requests.cpu	100m	CPU request
wl-apdp.resources.requests.memory	128Mi	Memory request
wl-apdp.resources.limits.cpu	500m	CPU limit
wl-apdp.resources.limits.memory	512Mi	Memory limit

Service and Ingress

Key	Default	Description
wl-apdp.service.type	ClusterIP	Service type
wl-apdp.service.port	8081	Service port
wl-apdp.ingress.enabled	false	Enable ingress

Environment

Key	Default	Description
wl-apdp.env.HOST	0.0.0.0	Bind address
wl-apdp.env.PORT	8081	Listen port
wl-apdp.env.LOG_LEVEL	info	Log level
wl-apdp.env.POLICY_VALIDATION	true	Validate Cedar policy syntax on create
wl-apdp.env.AUDIT_LOGGING	true	Enable authorization audit logs

Scaling and Availability

Key	Default	Description
wl-apdp.hpa.enabled	false	Enable HPA
wl-apdp.hpa.minReplicas	2	Min replicas
wl-apdp.hpa.maxReplicas	10	Max replicas
wl-apdp.pdb.enabled	true	Enable PDB
wl-apdp.pdb.minAvailable	1	Min available

Monitoring

Key	Default	Description
wl-apdp.serviceMonitor.enabled	false	Create Prometheus ServiceMonitor
wl-apdp.serviceMonitor.interval	30s	Scrape interval

---

wl-proxy

Agent Runtime Enforcement Proxy (Tier 3).

Deployment

Key	Default	Description
wl-proxy.image.repository	wl-proxy	Image name
wl-proxy.replicaCount	2	Number of replicas
wl-proxy.resources.requests.cpu	200m	CPU request
wl-proxy.resources.requests.memory	256Mi	Memory request
wl-proxy.resources.limits.cpu	1000m	CPU limit
wl-proxy.resources.limits.memory	1Gi	Memory limit

Proxy Configuration

Key	Default	Description
wl-proxy.config.mode	gateway	Deployment mode: gateway, sidecar, or forward_proxy
wl-proxy.config.failClosed	true	Deny requests on policy evaluation errors
wl-proxy.config.apdpEndpoint	""	WL-APDP authorization endpoint
wl-proxy.config.wsbEndpoint	""	WL Secrets Broker endpoint
wl-proxy.config.listenAddr	0.0.0.0:8080	Proxy listen address
wl-proxy.config.healthAddr	0.0.0.0:8079	Health endpoint listen address
wl-proxy.config.routes	[]	Upstream route definitions
wl-proxy.config.scrubbing.enabled	true	Enable response scrubbing
wl-proxy.config.scrubbing.removeFields	[]	JSON fields to strip from responses
wl-proxy.config.scrubbing.piiPatterns	[]	PII detection regex patterns

Service

Key	Default	Description
wl-proxy.service.type	ClusterIP	Service type
wl-proxy.service.port	8080	Proxy port
wl-proxy.service.healthPort	8079	Health check port

---

wl-secrets-broker

Secrets management broker for credential injection (Tier 3).

Key	Default	Description
wl-secrets-broker.image.repository	wl-secrets-broker	Image name
wl-secrets-broker.replicaCount	2	Number of replicas
wl-secrets-broker.service.port	8082	Service port
wl-secrets-broker.config.port	8082	Listen port
wl-secrets-broker.config.apdpEndpoint	""	WL-APDP endpoint for authorization
wl-secrets-broker.config.backendType	env	Backend type: env, vault, or kubernetes
wl-secrets-broker.config.vaultEndpoint	""	Vault endpoint (required when backendType=vault)
wl-secrets-broker.config.enforcementMode	observe	Mode: enforce or observe
wl-secrets-broker.resources.requests.cpu	100m	CPU request
wl-secrets-broker.resources.requests.memory	128Mi	Memory request
wl-secrets-broker.resources.limits.cpu	500m	CPU limit
wl-secrets-broker.resources.limits.memory	512Mi	Memory limit

---

postgresql

Built-in PostgreSQL 16 database. Disable this when using a managed database service.

Key	Default	Description
postgresql.enabled	true	Deploy built-in PostgreSQL
postgresql.image.repository	postgres	Image name
postgresql.image.tag	16-alpine	Image tag
postgresql.auth.database	beacon	Database name
postgresql.auth.username	beacon	Database username
postgresql.auth.existingSecret	""	Existing Secret with postgres-password key
postgresql.persistence.enabled	true	Enable persistent storage
postgresql.persistence.size	10Gi	Volume size
postgresql.persistence.storageClass	""	Storage class (empty = global.storageClass or cluster default)
postgresql.service.port	5432	PostgreSQL port
postgresql.resources.requests.cpu	250m	CPU request
postgresql.resources.requests.memory	256Mi	Memory request
postgresql.resources.limits.cpu	1000m	CPU limit
postgresql.resources.limits.memory	1Gi	Memory limit

---

Cloud-Specific Values Files

Pre-configured overrides are available for each major cloud provider:

File	Ingress Class	Storage Class	Notes
values-aws.yaml	alb	gp3	AWS ALB Controller, ACM certificate support
values-gcp.yaml	gce	standard	GKE ingress, Google-managed certificates
values-azure.yaml	azure/application-gateway	managed-premium	App Gateway ingress

Usage:

helm install beacon ./deploy/helm/watchlight-beacon \
  -f ./deploy/helm/watchlight-beacon/values-aws.yaml \
  --namespace watchlight

Override individual values on top of a cloud file:

helm install beacon ./deploy/helm/watchlight-beacon \
  -f ./deploy/helm/watchlight-beacon/values-aws.yaml \
  --set wl-registry.replicaCount=3 \
  --set wl-apdp.enabled=true \
  --namespace watchlight