Environment Variables

This section documents every environment variable used across the MATIH Enterprise Platform. Variables are organized by concern (database, cache, messaging, security, LLM, etc.) and then by service-specific variables. In production, all sensitive values are provided via Kubernetes Secrets, never hardcoded.

Secret Management Principle

Environment variables containing sensitive data (passwords, API keys, tokens) are never stored in values.yaml, values-dev.yaml, or any file committed to version control. They are injected into pods via Kubernetes secretKeyRef:

env:
  - name: DATABASE_PASSWORD
    valueFrom:
      secretKeyRef:
        name: ai-service-db-credentials
        key: password

In development, secrets are created by scripts/lib/k8s/dev-secrets.sh. In production, secrets are synced from cloud key vaults (Azure Key Vault, AWS Secrets Manager, GCP Secret Manager) via the External Secrets Operator (ESO).

Database Configuration

PostgreSQL Connection Variables

Every service that connects to PostgreSQL uses the following variables. The exact values differ per service and environment.

Variable	Type	Default	Description
`DATABASE_HOST`	string	`postgresql.matih-data-plane.svc.cluster.local`	PostgreSQL server hostname (FQDN within Kubernetes)
`DATABASE_PORT`	integer	`5432`	PostgreSQL server port
`DATABASE_NAME`	string	(service-specific)	Database name (e.g., `ai_service`, `iam`, `tenant`, `catalog`)
`DATABASE_USER`	string	(service-specific)	Database username
`DATABASE_PASSWORD`	string	(from Secret)	Database password; always injected via `secretKeyRef`
`DATABASE_URL`	string	(constructed)	Full connection string: `postgresql://{user}:{password}@{host}:{port}/{name}`
`DATABASE_POOL_MIN_SIZE`	integer	`5`	Minimum connections in the connection pool
`DATABASE_POOL_MAX_SIZE`	integer	`20`	Maximum connections in the connection pool
`DATABASE_POOL_MAX_OVERFLOW`	integer	`10`	Extra connections allowed beyond pool max (Python asyncpg)
`DATABASE_SSL_MODE`	string	`require` (prod), `prefer` (dev)	PostgreSQL SSL mode
`DATABASE_CONNECT_TIMEOUT`	integer	`10`	Connection timeout in seconds
`DATABASE_STATEMENT_TIMEOUT`	integer	`30000`	Statement timeout in milliseconds
`DATABASE_IDLE_TIMEOUT`	integer	`600000`	Idle connection timeout in milliseconds (Java HikariCP)

Per-Service Database Names

Service	Database Name	Migration Tool
iam-service	`iam`	Flyway
tenant-service	`tenant`	Flyway
config-service	`config`	Flyway
audit-service	`audit`	Flyway
billing-service	`billing`	Flyway
notification-service	`notification`	Flyway
infrastructure-service	`infrastructure`	Flyway
platform-registry	`registry`	Flyway
query-engine	`query`	Flyway
catalog-service	`catalog`	Flyway
semantic-layer	`semantic`	Flyway
bi-service	`bi`	Flyway
pipeline-service	`pipeline`	Flyway
ai-service	`ai_service`	Alembic
ml-service	`ml`	Alembic
data-quality-service	`quality`	Alembic
governance-service	`governance`	Alembic
ontology-service	`ontology`	Alembic
ops-agent-service	`ops_agent`	Alembic

Cache Configuration

Redis Connection Variables

Variable	Type	Default	Description
`REDIS_HOST`	string	`redis-master.matih-data-plane.svc.cluster.local`	Redis server hostname
`REDIS_PORT`	integer	`6379`	Redis server port
`REDIS_PASSWORD`	string	(from Secret)	Redis password; injected via `secretKeyRef` from the `redis` secret
`REDIS_DB`	integer	`0`	Redis database number
`REDIS_URL`	string	(constructed)	Full Redis URL: `redis://:{password}@{host}:{port}/{db}`
`REDIS_SSL`	boolean	`false` (dev), `true` (prod)	Enable TLS for Redis connections
`REDIS_TTL_SECONDS`	integer	`3600`	Default cache TTL in seconds
`REDIS_MAX_CONNECTIONS`	integer	`50`	Maximum connections in the Redis pool
`REDIS_CONNECT_TIMEOUT`	integer	`5`	Connection timeout in seconds
`REDIS_READ_TIMEOUT`	integer	`3`	Read timeout in seconds

Messaging Configuration

Kafka Connection Variables

Variable	Type	Default	Description
`KAFKA_BOOTSTRAP_SERVERS`	string	`strimzi-kafka-kafka-bootstrap.matih-data-plane.svc.cluster.local:9093`	Kafka broker addresses (comma-separated for multiple brokers)
`KAFKA_SECURITY_PROTOCOL`	string	`SSL`	Security protocol (`PLAINTEXT`, `SSL`, `SASL_SSL`)
`KAFKA_SSL_TRUSTSTORE_LOCATION`	string	`/etc/kafka/certs/ca.crt`	Path to the CA certificate for TLS
`KAFKA_SSL_KEYSTORE_LOCATION`	string	`/etc/kafka/certs/user.p12`	Path to the user keystore for mTLS
`KAFKA_SSL_KEYSTORE_PASSWORD`	string	(from Secret)	Keystore password
`KAFKA_GROUP_ID`	string	(service-specific)	Consumer group ID
`KAFKA_AUTO_OFFSET_RESET`	string	`earliest`	Consumer offset reset behavior (`earliest`, `latest`)
`KAFKA_MAX_POLL_RECORDS`	integer	`500`	Maximum records per poll
`KAFKA_SESSION_TIMEOUT_MS`	integer	`30000`	Consumer session timeout
`KAFKA_ENABLE_AUTO_COMMIT`	boolean	`false`	Auto-commit offsets (false for at-least-once semantics)

Kafka Topic Names

Variable	Default Value	Description
`KAFKA_TOPIC_STATE_CHANGES`	`matih.ai.state-changes`	AI agent state transition events
`KAFKA_TOPIC_AGENT_TRACES`	`matih.ai.agent-traces`	Agent execution trace events
`KAFKA_TOPIC_EVALUATIONS`	`matih.ai.evaluations`	Model evaluation results
`KAFKA_TOPIC_LLM_OPS`	`matih.ai.llm-ops`	LLM operation metrics
`KAFKA_TOPIC_FEEDBACK`	`matih.ai.feedback`	User feedback events
`KAFKA_TOPIC_TENANT_EVENTS`	`matih.tenant.events`	Tenant lifecycle events
`KAFKA_TOPIC_AUDIT_EVENTS`	`matih.audit.events`	Audit trail events
`KAFKA_TOPIC_BILLING_EVENTS`	`matih.billing.events`	Billing and metering events
`KAFKA_TOPIC_QUERY_EVENTS`	`matih.query.events`	Query execution events
`KAFKA_TOPIC_PIPELINE_EVENTS`	`matih.pipeline.events`	Pipeline run state changes

Authentication and Security

JWT Configuration

Variable	Type	Default	Description
`JWT_SECRET_KEY`	string	(from Secret)	HMAC secret for JWT signing (dev only; prod uses RSA)
`JWT_PRIVATE_KEY`	string	(from Secret)	RSA private key for JWT signing (PEM format)
`JWT_PUBLIC_KEY`	string	(from Secret)	RSA public key for JWT verification (PEM format)
`JWT_ISSUER`	string	`matih-iam`	JWT issuer claim
`JWT_AUDIENCE`	string	`matih-platform`	JWT audience claim
`JWT_ACCESS_TOKEN_TTL`	integer	`3600`	Access token time-to-live in seconds
`JWT_REFRESH_TOKEN_TTL`	integer	`604800`	Refresh token time-to-live in seconds (7 days)
`JWT_KEY_ID`	string	`key-2026-01`	Key ID for RSA key rotation (`kid` header in JWT)

OAuth2 / SSO Configuration

Variable	Type	Default	Description
`OAUTH2_GOOGLE_CLIENT_ID`	string	(from Secret)	Google OAuth2 client ID
`OAUTH2_GOOGLE_CLIENT_SECRET`	string	(from Secret)	Google OAuth2 client secret
`OAUTH2_AZURE_AD_CLIENT_ID`	string	(from Secret)	Azure AD client ID
`OAUTH2_AZURE_AD_CLIENT_SECRET`	string	(from Secret)	Azure AD client secret
`OAUTH2_AZURE_AD_TENANT_ID`	string	(from Secret)	Azure AD tenant ID
`OAUTH2_OKTA_CLIENT_ID`	string	(from Secret)	Okta client ID
`OAUTH2_OKTA_CLIENT_SECRET`	string	(from Secret)	Okta client secret
`OAUTH2_OKTA_ISSUER_URL`	string	(from Secret)	Okta issuer URL
`OAUTH2_REDIRECT_BASE_URL`	string	`https://platform.matih.ai`	Base URL for OAuth2 callback redirects

LLM Provider Configuration

General LLM Variables

Variable	Type	Default	Description
`LLM_DEFAULT_PROVIDER`	string	`azure`	Default LLM provider (`openai`, `anthropic`, `azure`, `vertexai`, `bedrock`, `vllm`)
`LLM_DEFAULT_MODEL`	string	`gpt-4o`	Default model name for the chosen provider
`LLM_TEMPERATURE`	float	`0.0`	Default temperature for LLM generation (0.0 = deterministic)
`LLM_MAX_TOKENS`	integer	`4096`	Maximum tokens for LLM response
`LLM_TIMEOUT`	integer	`60`	LLM request timeout in seconds

OpenAI Configuration

Variable	Type	Default	Description
`OPENAI_API_KEY`	string	(from Secret)	OpenAI API key
`OPENAI_ORG_ID`	string	(optional)	OpenAI organization ID
`OPENAI_DEFAULT_MODEL`	string	`gpt-4-turbo-preview`	Default OpenAI model
`OPENAI_BASE_URL`	string	`https://api.openai.com/v1`	OpenAI API base URL

Anthropic Configuration

Variable	Type	Default	Description
`ANTHROPIC_API_KEY`	string	(from Secret)	Anthropic API key
`ANTHROPIC_DEFAULT_MODEL`	string	`claude-3-5-sonnet-20241022`	Default Anthropic model

Azure OpenAI Configuration

Variable	Type	Default	Description
`AZURE_OPENAI_API_KEY`	string	(from Secret)	Azure OpenAI API key
`AZURE_OPENAI_ENDPOINT`	string	(from Secret)	Azure OpenAI endpoint URL
`AZURE_OPENAI_API_VERSION`	string	`2024-08-01-preview`	Azure OpenAI API version
`AZURE_OPENAI_DEPLOYMENT`	string	`gpt-4o`	Primary deployment name
`AZURE_OPENAI_DEPLOYMENT_MINI`	string	`gpt-4o-mini`	Fast/cheap deployment name
`AZURE_OPENAI_DEPLOYMENT_EMBEDDING`	string	`text-embedding-3-large`	Embedding deployment name

Google Vertex AI Configuration

Variable	Type	Default	Description
`VERTEXAI_PROJECT_ID`	string	(required)	Google Cloud project ID
`VERTEXAI_LOCATION`	string	`us-central1`	Google Cloud region
`VERTEXAI_DEFAULT_MODEL`	string	`gemini-1.5-pro`	Default Vertex AI model
`VERTEXAI_CREDENTIALS_JSON`	string	(from Secret or Workload Identity)	Service account JSON credentials
`VERTEXAI_USE_WORKLOAD_IDENTITY`	boolean	`true`	Use GKE Workload Identity (no static credentials)

AWS Bedrock Configuration

Variable	Type	Default	Description
`BEDROCK_REGION`	string	`us-east-1`	AWS region for Bedrock
`BEDROCK_DEFAULT_MODEL`	string	`anthropic.claude-3-5-sonnet-20241022-v2:0`	Default Bedrock model ID
`BEDROCK_ACCESS_KEY_ID`	string	(from Secret or IRSA)	AWS access key ID
`BEDROCK_SECRET_ACCESS_KEY`	string	(from Secret or IRSA)	AWS secret access key
`BEDROCK_USE_IRSA`	boolean	`true`	Use EKS IRSA (no static credentials)
`BEDROCK_ROLE_ARN`	string	(optional)	IAM role ARN for IRSA

vLLM (Self-Hosted) Configuration

Variable	Type	Default	Description
`VLLM_BASE_URL`	string	`http://vllm:8000`	vLLM server URL
`VLLM_API_KEY`	string	(from Secret)	vLLM API key (if authentication is enabled)
`VLLM_DEFAULT_MODEL`	string	`default`	Default model served by vLLM

Service Discovery Variables

Variable	Type	Default	Description
`QUERY_ENGINE_URL`	string	`http://query-engine.matih-data-plane.svc.cluster.local:8080`	Query Engine service URL
`SEMANTIC_LAYER_URL`	string	`http://semantic-layer.matih-data-plane.svc.cluster.local:8086`	Semantic Layer service URL
`CATALOG_SERVICE_URL`	string	`http://catalog-service.matih-data-plane.svc.cluster.local:8086`	Catalog Service URL
`IAM_SERVICE_URL`	string	`http://iam-service.matih-control-plane.svc.cluster.local:8081`	IAM Service URL (cross-namespace)
`BILLING_SERVICE_URL`	string	`http://billing-service.matih-control-plane.svc.cluster.local:8087`	Billing Service URL
`NOTIFICATION_SERVICE_URL`	string	`http://notification-service.matih-control-plane.svc.cluster.local:8085`	Notification Service URL
`OPENMETADATA_URL`	string	`http://openmetadata.matih-data-plane.svc.cluster.local:8585`	OpenMetadata API URL
`POLARIS_URL`	string	`http://polaris.matih-data-plane.svc.cluster.local:8181`	Polaris Iceberg Catalog URL

Compute Engine Variables

Trino Configuration

Variable	Type	Default	Description
`TRINO_HOST`	string	`trino.matih-data-plane.svc.cluster.local`	Trino coordinator hostname
`TRINO_PORT`	integer	`8080`	Trino coordinator port
`TRINO_USER`	string	`matih`	Trino user name
`TRINO_CATALOG`	string	`iceberg`	Default Trino catalog
`TRINO_SCHEMA`	string	`default`	Default Trino schema
`TRINO_SSL`	boolean	`false`	Enable TLS for Trino connections

ClickHouse Configuration

Variable	Type	Default	Description
`CLICKHOUSE_HOST`	string	`clickhouse.matih-data-plane.svc.cluster.local`	ClickHouse hostname
`CLICKHOUSE_PORT`	integer	`8123`	ClickHouse HTTP port
`CLICKHOUSE_USER`	string	`default`	ClickHouse user
`CLICKHOUSE_PASSWORD`	string	(from Secret)	ClickHouse password
`CLICKHOUSE_DATABASE`	string	`default`	Default ClickHouse database

Spark Connect Configuration

Variable	Type	Default	Description
`SPARK_CONNECT_HOST`	string	`spark-connect.matih-data-plane.svc.cluster.local`	Spark Connect server hostname
`SPARK_CONNECT_PORT`	integer	`15002`	Spark Connect server port
`SPARK_CONNECT_TIMEOUT_MS`	integer	`10000`	Connection timeout in milliseconds
`SPARK_CONNECT_REQUEST_TIMEOUT_MS`	integer	`300000`	Request timeout in milliseconds

Vector Store and Embedding Variables

Variable	Type	Default	Description
`QDRANT_HOST`	string	`qdrant.matih-data-plane.svc.cluster.local`	Qdrant vector store hostname
`QDRANT_PORT`	integer	`6333`	Qdrant HTTP API port
`QDRANT_COLLECTION`	string	`schema_embeddings`	Default collection name
`QDRANT_VECTOR_SIZE`	integer	`1536`	Embedding vector dimension
`CHROMADB_HOST`	string	`chromadb.matih-system.svc.cluster.local`	ChromaDB hostname
`CHROMADB_PORT`	integer	`8000`	ChromaDB HTTP API port

Application Configuration Variables

General Application Variables

Variable	Type	Default	Description
`ENVIRONMENT`	string	`production`	Environment name (`development`, `staging`, `production`)
`DEBUG`	boolean	`false`	Enable debug mode (never true in production)
`LOG_LEVEL`	string	`INFO`	Logging level (`DEBUG`, `INFO`, `WARNING`, `ERROR`, `CRITICAL`)
`API_PREFIX`	string	`/api/v1`	API path prefix for all endpoints
`CORS_ORIGINS`	string	`https://*.matih.ai`	Allowed CORS origins (comma-separated)
`MAX_REQUEST_SIZE`	string	`50m`	Maximum request body size
`GRACEFUL_SHUTDOWN_TIMEOUT`	integer	`30`	Seconds to wait for graceful shutdown

Module Feature Flags (AI Service)

Variable	Type	Default	Description
`MODULE_CORE_ENABLED`	boolean	`true`	Enable core agents, LLM, guardrails, runtime
`MODULE_BI_ENABLED`	boolean	`true`	Enable BI analytics and semantic routes
`MODULE_ML_ENABLED`	boolean	`true`	Enable ML training and serving features
`MODULE_DATA_ENABLED`	boolean	`true`	Enable dbt, quality, pipeline, observability
`MODULE_CONTEXT_GRAPH_ENABLED`	boolean	`true`	Enable context graph, ontology, SHACL
`MODULE_ENTERPRISE_ENABLED`	boolean	`true`	Enable security, performance, multi-cloud
`MODULE_SUPPLEMENTARY_ENABLED`	boolean	`true`	Enable FDME, search, DNN builder

SQL Generation Variables

Variable	Type	Default	Description
`SQL_MAX_RETRIES`	integer	`3`	Maximum SQL generation retry attempts
`SQL_DEFAULT_DIALECT`	string	`trino`	Default SQL dialect
`SQL_CACHE_ENABLED`	boolean	`true`	Enable SQL generation caching
`SQL_CACHE_TTL_SECONDS`	integer	`3600`	SQL cache TTL in seconds

WebSocket Configuration (AI Service)

Variable	Type	Default	Description
`WS_ENABLED`	boolean	`true`	Enable WebSocket endpoints
`WS_PING_INTERVAL_SECONDS`	integer	`30`	WebSocket keepalive ping interval
`WS_CONNECTION_TIMEOUT_SECONDS`	integer	`300`	WebSocket connection idle timeout
`WS_MAX_CONNECTIONS_PER_USER`	integer	`5`	Maximum concurrent WebSocket connections per user
`WS_MAX_MESSAGE_SIZE_KB`	integer	`1024`	Maximum WebSocket message size

DNN Builder Configuration (AI Service)

Variable	Type	Default	Description
`DNN_BUILDER_ENABLED`	boolean	`true`	Enable DNN Builder feature
`DNN_DEFAULT_FRAMEWORK`	string	`pytorch`	Default code generation framework
`DNN_SESSION_TIMEOUT_SECONDS`	integer	`1800`	Studio session timeout (30 min)
`DNN_MAX_LAYERS`	integer	`500`	Maximum layers per architecture
`DNN_LANGGRAPH_ENABLED`	boolean	`true`	Use LangGraph orchestrator
`DNN_MAX_RECURSION_DEPTH`	integer	`25`	LangGraph max recursion depth

Billing Configuration (AI Service)

Variable	Type	Default	Description
`BILLING_ENABLED`	boolean	`true`	Enable billing integration
`BILLING_DEFAULT_BUDGET_USD`	float	`1000.0`	Default monthly budget per tenant
`BILLING_ALERT_THRESHOLD_PERCENT`	float	`80.0`	Budget alert threshold percentage

Store Backend Configuration

Variable	Type	Default	Description
`STORE_BACKEND`	string	`memory`	Store backend type: `memory` (ephemeral) or `postgres` (durable)
`RUN_MIGRATIONS`	boolean	`true`	Run database migrations on startup (Alembic for Python services)

Observability Variables

Variable	Type	Default	Description
`OTEL_EXPORTER_OTLP_ENDPOINT`	string	`http://otel-collector.matih-monitoring.svc.cluster.local:4317`	OpenTelemetry collector gRPC endpoint
`OTEL_EXPORTER_OTLP_PROTOCOL`	string	`grpc`	OTLP transport protocol
`OTEL_SERVICE_NAME`	string	(service-specific)	Service name reported in traces and metrics
`OTEL_RESOURCE_ATTRIBUTES`	string	`service.namespace=matih,deployment.environment=production`	Additional resource attributes
`PROMETHEUS_PORT`	integer	(service port)	Port for Prometheus metrics scraping
`PROMETHEUS_PATH`	string	`/metrics`	Path for Prometheus metrics endpoint

Environment-Specific Overrides

Development Environment

In development, the following variables typically differ from production:

Variable	Development Value	Production Value
`ENVIRONMENT`	`development`	`production`
`DEBUG`	`true`	`false`
`LOG_LEVEL`	`DEBUG`	`INFO`
`DATABASE_SSL_MODE`	`prefer`	`require`
`REDIS_SSL`	`false`	`true`
`KAFKA_SECURITY_PROTOCOL`	`PLAINTEXT`	`SSL`
`CORS_ORIGINS`	`http://localhost:3000,http://localhost:3001,...`	`https://*.matih.ai`
`STORE_BACKEND`	`memory`	`postgres`
`BILLING_ENABLED`	`false`	`true`
`LLM_DEFAULT_PROVIDER`	`openai` or `azure`	`azure`
`VERTEXAI_USE_WORKLOAD_IDENTITY`	`false`	`true`
`BEDROCK_USE_IRSA`	`false`	`true`
`WS_MAX_CONNECTIONS_PER_USER`	`10`	`5`

Staging Environment

Staging mirrors production configuration with the following exceptions:

Variable	Staging Value	Production Value
`ENVIRONMENT`	`staging`	`production`
`LOG_LEVEL`	`DEBUG`	`INFO`
`BILLING_DEFAULT_BUDGET_USD`	`100.0`	`1000.0`
`CORS_ORIGINS`	`https://*.staging.matih.ai`	`https://*.matih.ai`

OpenLineage Configuration

Variable	Type	Default	Description
`OPENLINEAGE_ENABLED`	boolean	`true`	Enable OpenLineage lineage tracking
`OPENLINEAGE_BACKEND_URL`	string	`http://openmetadata.matih-data-plane.svc.cluster.local:8585/api/v1/lineage/openlineage`	OpenLineage backend endpoint
`OPENLINEAGE_NAMESPACE`	string	`matih-ai`	Namespace for lineage events
`OPENLINEAGE_TRANSPORT`	string	`http`	Transport type (`http` or `kafka`)
`OPENLINEAGE_KAFKA_TOPIC`	string	`openlineage.events`	Kafka topic for lineage events (when transport is `kafka`)

Polaris Iceberg Catalog Configuration

Variable	Type	Default	Description
`POLARIS_ENABLED`	boolean	`true`	Enable Polaris Iceberg catalog integration
`POLARIS_HOST`	string	`polaris.matih-data-plane.svc.cluster.local`	Polaris server hostname
`POLARIS_PORT`	integer	`8181`	Polaris server port
`POLARIS_WAREHOUSE`	string	`matih`	Default warehouse name
`POLARIS_CREDENTIAL_VENDING`	boolean	`true`	Enable credential vending for data access
`POLARIS_CLIENT_ID`	string	(from Secret)	OAuth2 client ID for Polaris authentication
`POLARIS_CLIENT_SECRET`	string	(from Secret)	OAuth2 client secret for Polaris authentication
`POLARIS_TOKEN_ENDPOINT`	string	`http://polaris:8181/api/catalog/v1/oauth/tokens`	OAuth2 token endpoint

Context Graph Configuration

Variable	Type	Default	Description
`CONTEXT_GRAPH_ENABLED`	boolean	`true`	Enable the Context Graph module
`DGRAPH_HOST`	string	`dgraph-alpha.matih-data-plane.svc.cluster.local`	Dgraph Alpha server hostname
`DGRAPH_GRPC_PORT`	integer	`9080`	Dgraph gRPC port
`DGRAPH_HTTP_PORT`	integer	`8080`	Dgraph HTTP port
`CONTEXT_GRAPH_CACHE_TTL`	integer	`300`	Cache TTL for graph queries in seconds
`THINKING_EMBEDDINGS_ENABLED`	boolean	`true`	Enable agent thinking trace embeddings
`THINKING_EMBEDDINGS_MODEL`	string	`text-embedding-3-large`	Embedding model for thinking traces

Java Spring Boot Specific Variables

These variables are specific to Java Spring Boot services and follow Spring Boot conventions:

Variable	Type	Default	Description
`SPRING_PROFILES_ACTIVE`	string	(environment)	Active Spring profile (`dev`, `staging`, `prod`)
`SPRING_DATASOURCE_URL`	string	(constructed from DATABASE_* vars)	JDBC connection URL
`SPRING_DATASOURCE_USERNAME`	string	(from DATABASE_USER)	JDBC username
`SPRING_DATASOURCE_PASSWORD`	string	(from Secret)	JDBC password
`SPRING_DATASOURCE_HIKARI_MAXIMUM_POOL_SIZE`	integer	`20`	HikariCP maximum pool size
`SPRING_DATASOURCE_HIKARI_MINIMUM_IDLE`	integer	`5`	HikariCP minimum idle connections
`SPRING_REDIS_HOST`	string	(from REDIS_HOST)	Spring Redis host
`SPRING_REDIS_PORT`	integer	`6379`	Spring Redis port
`SPRING_REDIS_PASSWORD`	string	(from Secret)	Spring Redis password
`SPRING_KAFKA_BOOTSTRAP_SERVERS`	string	(from KAFKA_BOOTSTRAP_SERVERS)	Spring Kafka bootstrap servers
`SPRING_FLYWAY_ENABLED`	boolean	`true`	Enable Flyway migrations on startup
`SPRING_FLYWAY_BASELINE_ON_MIGRATE`	boolean	`true`	Baseline database on first migration
`SERVER_PORT`	integer	(service-specific)	HTTP server port
`MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE`	string	`health,info,prometheus`	Actuator endpoints to expose
`MANAGEMENT_ENDPOINT_HEALTH_SHOW_DETAILS`	string	`when_authorized`	Health endpoint detail level

Python FastAPI Specific Variables

These variables are specific to Python FastAPI services:

Variable	Type	Default	Description
`UVICORN_HOST`	string	`0.0.0.0`	Uvicorn bind host
`UVICORN_PORT`	integer	(service-specific)	Uvicorn bind port
`UVICORN_WORKERS`	integer	`4`	Number of Uvicorn worker processes
`UVICORN_LOG_LEVEL`	string	`info`	Uvicorn log level
`ASYNCPG_POOL_MIN_SIZE`	integer	`5`	asyncpg minimum pool size
`ASYNCPG_POOL_MAX_SIZE`	integer	`20`	asyncpg maximum pool size
`ALEMBIC_CONFIG`	string	`alembic.ini`	Alembic configuration file path
`ALEMBIC_AUTO_UPGRADE`	boolean	`true`	Run Alembic migrations on startup

Troubleshooting Environment Variables

Common Issues

Issue	Cause	Solution
Service fails to start with "connection refused"	Incorrect `DATABASE_HOST` or service not running	Verify FQDN resolves within the cluster and target service is healthy
"SSL certificate verify failed"	`DATABASE_SSL_MODE=require` but no valid certificate	Set `DATABASE_SSL_MODE=prefer` in dev or provision proper certificates
"Kafka SASL authentication failed"	Wrong `KAFKA_SECURITY_PROTOCOL`	Verify protocol matches broker configuration (`PLAINTEXT` for dev, `SSL` for prod)
"Token validation failed"	Mismatched `JWT_SECRET_KEY` between IAM and consuming service	Ensure all services reference the same Kubernetes secret
"Redis AUTH required"	`REDIS_PASSWORD` not set or incorrect	Verify secret reference and key name in the Helm values
"LLM provider timeout"	`LLM_TIMEOUT` too low for complex queries	Increase to 120 seconds for complex analytical queries
"Rate limit exceeded"	Default rate limits too restrictive for testing	Adjust rate limit configuration in the API Gateway values

Verifying Environment Variables in a Running Pod

To verify that environment variables are correctly set in a running pod, use the platform status script:

./scripts/tools/platform-status.sh

This script checks all services for health, connectivity, and configuration consistency without requiring direct kubectl access.

Port Assignments Keyboard Shortcuts