{"id":47730647,"url":"https://github.com/radiusmethod/citadel-helm","last_synced_at":"2026-04-02T21:27:01.247Z","repository":{"id":341749874,"uuid":"1171305973","full_name":"radiusmethod/citadel-helm","owner":"radiusmethod","description":"Helm chart for Citadel AI Gateway. Big Bang ready.","archived":false,"fork":false,"pushed_at":"2026-03-03T05:24:18.000Z","size":12,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-03T09:21:58.367Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go Template","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/radiusmethod.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-03T04:45:39.000Z","updated_at":"2026-03-03T05:24:21.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/radiusmethod/citadel-helm","commit_stats":null,"previous_names":["radiusmethod/citadel-helm"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/radiusmethod/citadel-helm","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/radiusmethod%2Fcitadel-helm","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/radiusmethod%2Fcitadel-helm/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/radiusmethod%2Fcitadel-helm/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/radiusmethod%2Fcitadel-helm/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/radiusmethod","download_url":"https://codeload.github.com/radiusmethod/citadel-helm/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/radiusmethod%2Fcitadel-helm/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31316740,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-02T12:59:32.332Z","status":"ssl_error","status_checked_at":"2026-04-02T12:54:48.875Z","response_time":89,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-04-02T21:27:00.129Z","updated_at":"2026-04-02T21:27:01.238Z","avatar_url":"https://github.com/radiusmethod.png","language":"Go Template","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Citadel Helm Chart\n\nHelm chart for [Citadel AI Gateway](https://github.com/radiusmethod/citadel) — a zero-trust AI gateway with spend tracking, guardrails, and OpenAI-compatible API.\n\nWorks as a standalone Kubernetes install **and** as a Big Bang package.\n\n## Quick Start\n\n```bash\nhelm install citadel oci://ghcr.io/radiusmethod/citadel-helm/citadel-chart \\\n  --set citadel.secretKey=\"$(openssl rand -hex 32)\" \\\n  --set citadel.environment=development \\\n  --set citadel.devLoginEnabled=true \\\n  --set providers.openrouter.apiKey=\"sk-or-xxx\"\n```\n\n\u003e **Note**: The flags above enable evaluation mode (development environment with dev login). See [Evaluation Mode](#evaluation-mode) for details.\n\nPort-forward and open the UI:\n\n```bash\nkubectl port-forward svc/citadel 8000:8000\nopen http://localhost:8000/ui\n```\n\nClick **Dev Login** to get started immediately — no OIDC setup required.\n\n## Prerequisites\n\n- Kubernetes 1.23+\n- Helm 3.10+\n\n## Documentation\n\n- **[Getting Started Guide](docs/GETTING_STARTED.md)** — End-to-end deployment walkthrough\n- **[Configuration Reference](docs/CONFIGURATION.md)** — Complete values.yaml parameter reference\n- **[Architecture Overview](docs/ARCHITECTURE_OVERVIEW.md)** — System design for operators\n\n## Installation\n\n### Evaluation Mode\n\nFor trying out Citadel before production deployment. Enables the dev login UI so you can create users and API keys without configuring OIDC.\n\n```bash\nhelm install citadel oci://ghcr.io/radiusmethod/citadel-helm/citadel-chart \\\n  --set citadel.secretKey=\"change-me\" \\\n  --set citadel.environment=development \\\n  --set citadel.devLoginEnabled=true \\\n  --set providers.openrouter.apiKey=\"sk-or-xxx\"\n```\n\nThis deploys Citadel with the bundled PostgreSQL, development mode, and dev login enabled.\n\n### Production (external database)\n\n```bash\nhelm install citadel oci://ghcr.io/radiusmethod/citadel-helm/citadel-chart \\\n  --set citadel.secretKey=\"$(openssl rand -hex 32)\" \\\n  --set citadel.okta.enabled=true \\\n  --set citadel.okta.domain=\"company.okta.com\" \\\n  --set citadel.okta.clientId=\"0oaXXX\" \\\n  --set citadel.okta.clientSecret=\"secret\" \\\n  --set citadel.okta.sessionSecret=\"$(openssl rand -hex 32)\" \\\n  --set postgresql.enabled=false \\\n  --set externalDatabase.url=\"postgresql://user:pass@db-host:5432/citadel\" \\\n  --set providers.openrouter.apiKey=\"sk-or-xxx\"\n```\n\n### Big Bang\n\n```yaml\n# In your Big Bang values override:\naddons:\n  citadel:\n    enabled: true\n    values:\n      istio:\n        enabled: true\n        citadel:\n          gateways:\n            - \"istio-system/public\"\n          hosts:\n            - \"citadel.bigbang.dev\"\n      citadel:\n        secretKey: \"change-me\"\n      providers:\n        openrouter:\n          apiKey: \"sk-or-xxx\"\n```\n\n### Using an Existing Secret\n\nIf you manage secrets externally (Vault, Sealed Secrets, ESO), create a Kubernetes Secret with the expected keys and reference it:\n\n```bash\nhelm install citadel oci://ghcr.io/radiusmethod/citadel-helm/citadel-chart \\\n  --set existingSecret=my-citadel-secrets\n```\n\nRequired keys in your secret: `DATABASE_URL`, `SECRET_KEY`. Optional: `OPENROUTER_API_KEY`, `ANTHROPIC_API_KEY`, etc.\n\n## Configuration\n\n| Parameter | Description | Default |\n|-----------|-------------|---------|\n| `image.repository` | Container image | `ghcr.io/radiusmethod/citadel` |\n| `image.tag` | Image tag (defaults to appVersion) | `\"\"` |\n| `citadel.secretKey` | Session signing key (**required**) | `\"\"` |\n| `citadel.environment` | `development`, `staging`, or `production` | `production` |\n| `citadel.devLoginEnabled` | Enable dev login bypass | `false` |\n| `citadel.logLevel` | Log level | `INFO` |\n| `citadel.autoProvisionUsers` | Auto-create users from headers | `true` |\n| `citadel.guardrails.enabled` | Enable guardrails | `true` |\n| `citadel.passthrough.enabled` | Enable API key passthrough | `true` |\n| `citadel.plugins.enabled` | Enable plugin system | `true` |\n| `citadel.okta.enabled` | Enable Okta OIDC | `false` |\n| `providers.openrouter.apiKey` | OpenRouter API key | `\"\"` |\n| `providers.anthropic.apiKey` | Anthropic API key | `\"\"` |\n| `providers.vertexai.projectId` | GCP project ID | `\"\"` |\n| `providers.bedrock.enabled` | Enable AWS Bedrock | `false` |\n| `postgresql.enabled` | Deploy bundled PostgreSQL | `true` |\n| `postgresql.auth.password` | PostgreSQL password | `\"citadel\"` |\n| `externalDatabase.url` | External PostgreSQL URL | `\"\"` |\n| `redis.enabled` | Deploy bundled Redis | `false` |\n| `istio.enabled` | Enable Istio VirtualService | `false` |\n| `ingress.enabled` | Enable Kubernetes Ingress | `false` |\n| `autoscaling.enabled` | Enable HPA | `false` |\n| `existingSecret` | Use external Secret | `\"\"` |\n\nFor the complete configuration reference, see [docs/CONFIGURATION.md](docs/CONFIGURATION.md).\n\n## Client Configuration\n\n### Claude Code\n\n```bash\nclaude config set --global apiBaseUrl http://\u003ccitadel-host\u003e:8000/v1\n```\n\n### OpenAI SDK / Python\n\n```python\nfrom openai import OpenAI\nclient = OpenAI(\n    base_url=\"http://\u003ccitadel-host\u003e:8000/v1\",\n    api_key=\"\u003cyour-citadel-api-key\u003e\",\n)\n```\n\n### curl\n\n```bash\ncurl http://\u003ccitadel-host\u003e:8000/v1/chat/completions \\\n  -H \"Authorization: Bearer \u003cyour-citadel-api-key\u003e\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"model\": \"or-claude-sonnet-4.5 [EXTERNAL]\", \"messages\": [{\"role\": \"user\", \"content\": \"Hello\"}]}'\n```\n\n## Database Migrations\n\nMigrations run automatically inside the application on startup via the app's lifespan handler. The init container only waits for database connectivity before the main container starts — it does not run migrations.\n\nThe migration runner is idempotent and tracks state in a `schema_migrations` table.\n\n## Uninstall\n\n```bash\nhelm uninstall citadel\n```\n\nNote: The bundled PostgreSQL PVC is **not** deleted automatically. To fully clean up:\n\n```bash\nkubectl delete pvc data-citadel-postgresql-0\n```\n\n## License\n\nMIT License — see [LICENSE](LICENSE) for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fradiusmethod%2Fcitadel-helm","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fradiusmethod%2Fcitadel-helm","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fradiusmethod%2Fcitadel-helm/lists"}