Skip to content

Apheris Hub Kubernetes Deployment🔗

This guide covers deploying and configuring Apheris Hub on Kubernetes using Helm.

If you need the Hub to submit into a customer-owned queueing or orchestration layer instead of directly to an Apheris wrapper, see External Async Wrapper on Kubernetes for more information.

Prerequisites🔗

  • A Kubernetes cluster in a recent version (>= 1.30)
  • Helm CLI (>= v3)
  • A PostgreSQL database
  • A Storage Provisioner that supports ReadWriteMany and ReadWriteOnce accessModes
  • An Ingress or Gateway Controller that enables network access to the Kubernetes cluster
  • NVIDIA GPU support for GPU workloads on the Kubernetes cluster (required to run OpenFold3, Boltz-2, and Protenix)

1. Create a Namespace for the Apheris Hub🔗

kubectl create namespace apheris-hub

2. Request the Apheris Hub API Key🔗

You need the Apheris Hub API Key to pull model images from the Apheris image registry.

You can skip this step if you host the Apheris model images in private repositories.

Request your Apheris Hub API Key from https://www.apheris.com/applications/apherisfold or contact support@apheris.com and set it to your Helm values file:

apherisApiKey: "your-apheris-api-key"

hub:
  msa:
    enabled: true

3. Add a secret with a PostgreSQL DSN🔗

You can add a DSN for an existing PostgreSQL database with:

kubectl create secret generic hub-db-dsn --from-literal=dsn=<existing_dsn> \
  --namespace=apheris-hub

We recommend using the managed database offering of your cloud provider in its PostgreSQL flavor, for instance Amazon RDS for PostgreSQL (AWS), Google Cloud SQL for PostgreSQL (GCP) or Azure Database for PostgreSQL (Microsoft Azure).

4. Create apheris-hub-values.yaml with values for the helm release🔗

Find the complete values reference at Helm Chart Values Reference.

The following are lightly annotated values with placeholders:

# refer to section `2.` for the apherisApiKey
apherisApiKey: "your-apheris-api-key"

hub:
  postgresDsnSecretName: hub-db-dsn

  ingress:
    className: <ingress_class_name>
    hostname: <ingress_hostname>

    # TLS Termination at the ingress controller level.
    tls:
      enabled: <true|false>

      # Name of a secret that contains the certificate material in the
      # format documented in https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
      secretName: <tls_secret_name>

models:
  persistence:

    # The provisioner for this `storageClass` needs to
    # support `ReadWriteMany` `accessMode`.
    #
    storageClass: <storage_class_that_supports_read_write_many>

    # This is the space available for
    # persisting prediction results.
    #
    # `50Gi` is the minimum size (and default)
    # we recommend `500Gi` if you can make that happen.
    #
    size: 50Gi

  # The `mock` model is the only default model that the chart
  # deploys with the default values.
  #
  # You can enable deployment of other default models by setting
  # `deploy.enabled=true`, so for instance
  # `models.instances.boltz2.deploy.enabled=true` or
  # `models.instances.openfold3.deploy.enabled=true` or
  # `models.instances.protenix.deploy.enabled=true`.
  #
  instances:
    boltz2:
      deploy:
        enabled: <true|false>
    mock:
      deploy:
        enabled: <true|false>
    openfold3:
      deploy:
        enabled: <true|false>
    protenix:
      deploy:
        enabled: <true|false>

Deployed weights storage🔗

If models.persistence.enabled=true, the chart uses the shared models PVC for model inputs, outputs, and deployed weights. For each deployed model instance, the chart creates a directory on that shared volume and mounts it into both the Hub coordinator and the model container.

  • Hub container: /apheris/weights/<instance-name>
  • Model container: /weights/<instance-name>

The Hub-visible path is published through model discovery as weightsPath for deployed model instances. This is the path Hub uses for checkpoint deployment operations. The chart also sets APH_WEIGHTS_DISCOVERY_DIR=/weights/<instance-name> in deployed wrapper containers so dynamically deployed weights can be discovered from the shared mount.

Checkpoint deployment requires shared model persistence to be enabled. If models.persistence.enabled=false, the chart does not mount deployed weights storage and does not publish a weightsPath.

For Hub-driven checkpoint deployment, dynamic discovery from the shared weights directory is the chart-managed path.

/weights/<instance-name> is reserved for this chart-managed mount inside model containers. Do not reuse that exact path in models.instances.<name>.deploy.extraVolumeMounts.

Volume ownership requirement🔗

The Hub coordinator and model containers run as UID/GID 65534. The weights/ subdirectories on the shared PVC must be owned by that user before checkpoint deployment can write staging directories into them.

When using a dynamically provisioned PVC backed by an EFS Access Point with OwnerUid: 65534 / OwnerGid: 65534, the CSI driver creates the root directory with the correct ownership and no further action is needed.

When binding to an existing PV (via models.persistence.existingVolumeName) or a statically provisioned EFS filesystem, the weights/ directories on the volume may be owned by root. Set the following flag and the chart runs a one-time Helm hook Job on the next install or upgrade to correct ownership:

models:
  persistence:
    initWeightsVolume: true

The Job runs as root with only CHOWN/FOWNER capabilities added, chowns weights/ and each enabled model instance subdirectory to 65534:65534, then deletes itself on success. Once ownership is correct you can remove the flag — it is safe to leave enabled but unnecessary after the first run.

Admission policy requirement

This hook requires runAsUser: 0 with CHOWN and FOWNER. If your cluster blocks that, fix the volume ownership with an administrative workflow that is permitted in your environment, then rerun the Helm upgrade.

This is a one-time step. Once the ownership is correct, the Hub creates and manages subdirectories within weights/ on its own.

Biochem Server🔗

biochemServer.enabled=true deploys the optional biochem-server as an internal-only Kubernetes service. It creates a pod and ClusterIP Service, but it does not expose the service publicly and does not yet wire Hub API traffic to it. The container listener and probes remain on port 8000; biochemServer.service.port controls only the Service exposure port.

Capabilities and scopes🔗

models.instances.<name>.deploy.capabilities sets the scopes available for that model deployment. Supported values are inference, which covers prediction and benchmarking, finetuning, and affinity for affinity prediction support.

OpenFold3 can support inference, finetuning, and affinity, Boltz-2 can support inference and affinity, and Protenix supports inference only. For custom weights, set model_scope on each weight entry so the Hub can determine whether that weight supports inference (prediction and benchmarking), finetuning, affinity, or a combination of those scopes. Omit affinity for weights that do not support affinity prediction.

Deploying different instances of a model with different scopes🔗

If you wish, you can deploy different instances of a model with different scopes. This allows for separation of concerns and avoiding having fine-tuning runs block the prediction or benchmarking jobs.

To do that, add a new entry under models.instances that points to an existing model. For example, if you would like to have an instance of OpenFold 3 for fine-tuning and another for inference, do:

models:
  # ...
  instances:
    openfold3:
      deploy:
        enabled: true
      capabilities:
        - inference
    openfold3-ft:
      id: openfold3-ft
      model: openfold3 # same value as models.instances.openfold3.model
      deploy:
        enabled: true
        port: 8000 # same value as models.instances.openfold3.deploy.port, unless you choose otherwise
        capabilities:
          - finetuning
        image: ... # same value as models.instances.openfold3.deploy.image, unless you choose otherwise
      # ... include also the other properties that are set by default for models.instances.openfold3 (see Helm Chart Values Reference)

Authentication and Identity Providers🔗

Set the hub.auth.* values to match your identity provider and frontend configuration. The Authentication Setup guide explains the requirements for Auth0, Microsoft Entra, and Dex and shows how those settings map back to Helm values.

Custom CA Certificates🔗

If your identity provider or external services use TLS certificates signed by a custom Certificate Authority, configure the Hub to trust those certificates. The file will be mounted to /etc/ssl/certs/custom-ca.crt in the Hub container and automatically trusted alongside system CAs.

Create the ConfigMap🔗

Create or update a ConfigMap with your CA certificate (safe to re-run):

kubectl create configmap custom-ca-certs \
  --from-file=ca.crt=/path/to/your-ca.crt \
  -n apheris-hub --dry-run=client -o yaml | kubectl apply -f -

Mount the certificate🔗

Add to your values file to mount the custom CA into the Hub container:

hub:
  extraVolumes:
    - name: custom-ca
      configMap:
        name: custom-ca-certs

  extraVolumeMounts:
    - name: custom-ca
      mountPath: /etc/ssl/certs/custom-ca.crt
      subPath: ca.crt
      readOnly: true

Apply the Helm upgrade🔗

Re-run your helm upgrade command so the pod picks up the new mount.

Verify the ConfigMap🔗

The Hub Docker image is based on scratch, so kubectl exec and kubectl cp will not work but you can always validate that the CA data stored in the ConfigMap:

# Read the CA data from the ConfigMap into a local file
kubectl get configmap custom-ca-certs -n apheris-hub -o jsonpath='{.data.ca\.crt}' > /tmp/custom-ca.crt
# Inspect the certificate content
openssl x509 -in /tmp/custom-ca.crt -noout -subject -issuer

This confirms the CA content that will be mounted into the Hub pod.

Verify the live mount (optional)🔗

If your cluster allows ephemeral debug containers, you can examine the mounted file without changing the pod:

# Print container name(s) in the Hub pod (needed for --target)
kubectl get pod -n apheris-hub <hub-pod-name> -o jsonpath='{.spec.containers[*].name}'
# Start a debug container and read the mounted CA from the target container's root
kubectl debug -n apheris-hub -it pod/<hub-pod-name> --image=alpine:3.19 --target=<container-name> -- \
  sh -c "cat /proc/1/root/etc/ssl/certs/custom-ca.crt" > /tmp/custom-ca.crt
# Inspect the certificate content copied from the pod
openssl x509 -in /tmp/custom-ca.crt -noout -subject -issuer

If debug containers are blocked by policy, rely on the ConfigMap check above and look for certificate-related errors in logs:

# Print container name(s) in the Hub pod (needed for -c)
kubectl get pod -n apheris-hub <hub-pod-name> -o jsonpath='{.spec.containers[*].name}'
# Print Hub container logs and filter for TLS/certificate errors
kubectl logs -n apheris-hub deployment/<hub-deployment-name> -c <container-name> | \
  grep -i "certificate\|tls\|x509"

MSA Server Configuration🔗

MSA servers are deployment-managed and global. Administrators define them in Helm values, and users can only select one of the configured servers (or opt out and upload .a3m files manually).

Supported MSA server types:

Provider Type identifier Notes
ColabFold colabfold Supports self-hosted deployments and public servers
NVIDIA NIM ColabFold nvidia-colabfold Requires a deployed NVIDIA NIM MSA Search service

The hub.msa.* timeout values only affect ColabFold and NVIDIA NIM ColabFold deployments:

hub:
  msa:
    enabled: true
    # How often to check if the job is done (PENDING → RUNNING → COMPLETE)
    pollInterval: "10s"   # Lower = faster feedback, more API calls
    # Per-request HTTP timeout for submit/status/download calls
    requestTimeout: "10m" # Increase for slow networks or large downloads

When hub.msa.enabled=true, you must configure hub.msa.servers with at least one server. Use defaultActive: true on exactly one server to define the deployment-level fallback server:

hub:
  msa:
    enabled: true
    servers:
      - name: "Public ColabFold"
        type: colabfold
        url: "https://api.colabfold.com"
        defaultActive: true
        config: {}
      - name: "NVIDIA ColabFold"
        type: nvidia-colabfold
        url: "https://api.nim.example.com"
        defaultActive: false
        config:
          numberOfSequences: "500"
          eValue: "0.0001"
          databases:
            - "Uniref30_2302"
        headers:
          - name: "X-Api-Key"
            valueFrom:
              secretKeyRef:
                name: "msa-auth"
                key: "api-key"
          - name: "X-Client-Id"
            valueFrom:
              configMapKeyRef:
                name: "msa-shared-config"
                key: "client-id"
          - name: "X-Source"
            value: "hub"

defaultActive is not a per-user preference. It is used by default for new users, and as fallback when a stored active selection cannot be resolved (for example after server removal or URL-identity change during deployment sync).

If a user explicitly disabled MSA usage, fallback is not applied for that user.

MSA Server Headers🔗

Use hub.msa.servers[].headers to send provider-specific headers (for example API keys, client IDs, or metadata) with every request to that server.

When possible, source sensitive values from Kubernetes Secrets:

hub:
  msa:
    enabled: true
    servers:
      - name: "NVIDIA ColabFold"
        type: nvidia-colabfold
        url: "https://api.nim.example.com"
        config:
          numberOfSequences: "500"
        headers:
          - name: "X-Api-Key"
            valueFrom:
              secretKeyRef:
                name: "msa-auth"
                key: "api-key"
          - name: "X-Client-Id"
            valueFrom:
              configMapKeyRef:
                name: "msa-shared-config"
                key: "client-id"
          - name: "X-Source"
            value: "hub"

Troubleshooting ColabFold:

  • "Failed to check job status" errors → Increase requestTimeout
  • Want faster progress updates → Decrease pollInterval (minimum ~3s recommended)

5. Install the helm release🔗

helm install apheris-hub oci://quay.io/apheris/hub-chart \
  --namespace=apheris-hub \
  --values=apheris-hub-values.yaml \
  --wait \
  --timeout=15m

6. Access the Apheris Hub installation🔗

You can now access your Apheris Hub installation via the configured ingress. For most setups, the external hostname will be the value you configured under hub.ingress.hostname.

Please do not hesitate to contact Apheris via e-mail in case you encounter any problems.

Helm Chart Values Reference🔗

Key Type Default Description
apherisApiKey string nil Apheris API key for queries to Apheris hosted MSA servers and access to Apheris hosted container images
biochemServer.affinity object {} Affinity rules
biochemServer.enabled bool false Enable biochem-server deployment
biochemServer.env list [] Additional environment variables
biochemServer.extraVolumeMounts list [] Extra volume mounts
biochemServer.extraVolumes list [] Extra volumes
biochemServer.image.digest string nil Image digest (sha256).
biochemServer.image.pullPolicy string "IfNotPresent" Image pull policy
biochemServer.image.repository string "quay.io/apheris/biochem-server" Container image repository
biochemServer.image.tag string "0.6.0" Container image tag
biochemServer.imagePullSecrets list [] Image pull secrets for private registries
biochemServer.livenessProbe.failureThreshold int 3
biochemServer.livenessProbe.initialDelaySeconds int 30
biochemServer.livenessProbe.periodSeconds int 10
biochemServer.livenessProbe.successThreshold int 1
biochemServer.livenessProbe.tcpSocket.port string "http"
biochemServer.livenessProbe.timeoutSeconds int 5
biochemServer.nodeSelector object {} Node selector
biochemServer.podAnnotations object {} Pod annotations
biochemServer.podLabels object {} Pod labels
biochemServer.podSecurityContext.fsGroup int 1000
biochemServer.podSecurityContext.runAsGroup int 1000
biochemServer.podSecurityContext.runAsNonRoot bool true
biochemServer.podSecurityContext.runAsUser int 1000
biochemServer.podSecurityContext.seccompProfile.type string "RuntimeDefault"
biochemServer.readinessProbe.failureThreshold int 3
biochemServer.readinessProbe.initialDelaySeconds int 10
biochemServer.readinessProbe.periodSeconds int 5
biochemServer.readinessProbe.successThreshold int 1
biochemServer.readinessProbe.tcpSocket.port string "http"
biochemServer.readinessProbe.timeoutSeconds int 3
biochemServer.resources object {} Resource requests and limits
biochemServer.securityContext.allowPrivilegeEscalation bool false
biochemServer.securityContext.capabilities.drop[0] string "ALL"
biochemServer.securityContext.readOnlyRootFilesystem bool true
biochemServer.securityContext.runAsGroup int 1000
biochemServer.securityContext.runAsNonRoot bool true
biochemServer.securityContext.runAsUser int 1000
biochemServer.service.annotations object {} Service annotations
biochemServer.service.port int 8000 Service exposure port. The biochem-server container listener and probes remain on port 8000.
biochemServer.service.type string "ClusterIP" Service type
biochemServer.terminationGracePeriodSeconds int 30 Termination grace period in seconds
biochemServer.tolerations list [] Tolerations
hub.affinity object {} Affinity rules
hub.auth object {"audience":"","browserUrl":"","clientId":"","domain":"","enabled":false,"extraScopes":"","issuer":"","providerType":""} Authentication configuration (OIDC/Auth0/ForgeRock)
hub.auth.providerType string "" Provider type (supported values: "auth0", "forgerock", or empty string for generic OIDC)
hub.enabled bool true Enable Hub deployment (set to false for models-only release)
hub.env list [] Additional environment variables
hub.extraVolumeMounts list [] Extra volume mounts (e.g., for custom CA certificates)
hub.extraVolumes list [] Extra volumes (e.g., for custom CA certificates)
hub.finetuningHeartbeatTimeout string "5m" Finetuning heartbeat timeout. Example values: "5m", "300s".
hub.image.digest string nil Image digest (sha256).
hub.image.pullPolicy string "IfNotPresent" Image pull policy
hub.image.repository string "quay.io/apheris/hub" Container image repository
hub.image.tag string nil Overrides the image tag whose default is the chart appVersion
hub.imagePullSecrets list [] Image pull secrets for private registries
hub.ingress object {"annotations":{},"className":"","enabled":true,"existingGatewayName":"","gatewayNamespace":"","hostname":"","ingressPath":"/","tls":{"enabled":false,"secretName":""},"type":"ingress"} Ingress configuration (common for both Gateway API and Ingress resources)
hub.ingress.annotations object {} Additional annotations
hub.ingress.className string "" Ingress/Gateway class name
hub.ingress.enabled bool true Enable ingress (Gateway API or Ingress resource)
hub.ingress.existingGatewayName string "" Existing gateway name (if not set, a new gateway will be created)
hub.ingress.gatewayNamespace string "" Gateway namespace (if different from release namespace)
hub.ingress.hostname string "" Hostname for ingress
hub.ingress.ingressPath string "/" Ingress path
hub.ingress.tls object {"enabled":false,"secretName":""} TLS configuration
hub.ingress.tls.enabled bool false Enable TLS
hub.ingress.tls.secretName string "" TLS certificate secret name
hub.ingress.type string "ingress" Networking type (gateway, ingress)
hub.msa object {"enabled":false,"pollInterval":"5s","requestTimeout":"5m","servers":[]} MSA server configuration
hub.msa.enabled bool false Enable MSA server configuration
hub.msa.pollInterval string "5s" How frequently the application checks the status of a submitted MSA job on the ColabFold server (e.g., "5s", "10s").
hub.msa.requestTimeout string "5m" The timeout for each individual HTTP request made to the ColabFold server (e.g., "5m", "10m").
hub.msa.servers list [] Globally configured MSA servers. At least one server is required when MSA is enabled. defaultActive: true marks the deployment-level fallback server used for new users and when a stored active selection no longer resolves (for example after server removal or URL-identity change). At most one server can be marked defaultActive: true.
hub.nodeSelector object {} Node selector
hub.persistence object {"accessMode":"ReadWriteOnce","annotations":{},"enabled":true,"existingVolumeName":null,"size":"5Gi","storageClass":""} Persistence configuration
hub.persistence.accessMode string "ReadWriteOnce" Access mode for state PVC
hub.persistence.annotations object {} Annotations for state PVC
hub.persistence.enabled bool true Enable state persistence
hub.persistence.existingVolumeName string nil Existing PersistentVolume to bind to. If null, a new one will be dynamically created.
hub.persistence.size string "5Gi" Size of state PVC
hub.persistence.storageClass string "" Storage class for state PVC
hub.podAnnotations object {} Pod annotations
hub.podLabels object {} Pod labels
hub.podSecurityContext object {"fsGroup":65534,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}} Pod security context
hub.postgresDsnSecretName string nil Name of a kubernetes secret containing a postgres DSN, needs a key dsn
hub.replicaCount int 1 Number of replicas for the Hub deployment
hub.requestsPollInterval string "250ms" Request watcher poll interval. Example values: "250ms", "1s".
hub.securityContext object {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534} Container security context
hub.service object {"annotations":{},"port":8080,"type":"ClusterIP"} Service configuration
hub.service.annotations object {} Service annotations
hub.service.port int 8080 Service port
hub.service.type string "ClusterIP" Service type
hub.serviceAccount object {"annotations":{},"automount":false,"create":true,"name":""} Service account configuration for the coordinator
hub.serviceAccount.annotations object {} Annotations to add to the service account
hub.serviceAccount.automount bool false Automatically mount a ServiceAccount's API credentials
hub.serviceAccount.create bool true Specifies whether a service account should be created
hub.serviceAccount.name string "" The name of the service account to use. If not set and create is true, a name is generated using the release name.
hub.terminationGracePeriodSeconds int 30 Termination grace period in seconds
hub.tolerations list [] Tolerations
labels object {}
models.imagePullRegistry string "quay.io/apheris" Registry for image pulls
models.imagePullSecrets list [] Secrets for image pulls
models.instances.boltz2.deploy.affinity object {}
models.instances.boltz2.deploy.capabilities list ["inference"] Model scopes for this deployment. Supported values: inference, affinity.
models.instances.boltz2.deploy.enabled bool false enable boltz2 with enabled: true
models.instances.boltz2.deploy.env list [] Additional environment variables
models.instances.boltz2.deploy.extraVolumeMounts list [] Extra volume mounts
models.instances.boltz2.deploy.extraVolumes list [] Extra volumes
models.instances.boltz2.deploy.image string "quay.io/apheris/hub-apps:0.61.0-boltz2-by-file"
models.instances.boltz2.deploy.nodeSelector object {}
models.instances.boltz2.deploy.podSecurityContext.fsGroup int 65534
models.instances.boltz2.deploy.podSecurityContext.runAsGroup int 65534
models.instances.boltz2.deploy.podSecurityContext.runAsNonRoot bool true
models.instances.boltz2.deploy.podSecurityContext.runAsUser int 65534
models.instances.boltz2.deploy.podSecurityContext.seccompProfile.type string "RuntimeDefault"
models.instances.boltz2.deploy.port int 8000
models.instances.boltz2.deploy.resources.limits."nvidia.com/gpu" int 1
models.instances.boltz2.deploy.resources.limits.cpu string "8"
models.instances.boltz2.deploy.resources.limits.memory string "64Gi"
models.instances.boltz2.deploy.resources.requests."nvidia.com/gpu" int 1
models.instances.boltz2.deploy.resources.requests.cpu string "8"
models.instances.boltz2.deploy.resources.requests.memory string "64Gi"
models.instances.boltz2.deploy.securityContext.allowPrivilegeEscalation bool false
models.instances.boltz2.deploy.securityContext.capabilities.drop[0] string "ALL"
models.instances.boltz2.deploy.securityContext.readOnlyRootFilesystem bool true
models.instances.boltz2.deploy.securityContext.runAsGroup int 65534
models.instances.boltz2.deploy.securityContext.runAsNonRoot bool true
models.instances.boltz2.deploy.securityContext.runAsUser int 65534
models.instances.boltz2.deploy.shmSize string "16Gi"
models.instances.boltz2.deploy.tolerations[0].effect string "NoSchedule"
models.instances.boltz2.deploy.tolerations[0].key string "nvidia.com/gpu"
models.instances.boltz2.deploy.tolerations[0].operator string "Equal"
models.instances.boltz2.deploy.tolerations[0].value string "true"
models.instances.boltz2.id string "boltz2"
models.instances.boltz2.model string "boltz2"
models.instances.boltz2.submissionMode string "admission"
models.instances.mock object {"deploy":{"affinity":{},"capabilities":["inference","finetuning"],"enabled":true,"env":[],"extraVolumeMounts":[],"extraVolumes":[],"image":"quay.io/apheris/hub-apps:0.61.0-mock-by-file","nodeSelector":{},"podSecurityContext":{"fsGroup":65534,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}},"port":8000,"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534}},"id":"mock","model":"mock","submissionMode":"admission"} lightweight mock model that does not require a GPU, enabled by default
models.instances.mock.deploy.capabilities list ["inference","finetuning"] Model scopes for this deployment. Supported values: inference, finetuning, affinity.
models.instances.mock.deploy.env list [] Additional environment variables
models.instances.mock.deploy.extraVolumeMounts list [] Extra volume mounts
models.instances.mock.deploy.extraVolumes list [] Extra volumes
models.instances.openfold3.deploy.affinity object {}
models.instances.openfold3.deploy.capabilities list ["inference","finetuning"] Model scopes for this deployment. Supported values: inference, finetuning, affinity.
models.instances.openfold3.deploy.enabled bool false enable openfold3 with enabled: true
models.instances.openfold3.deploy.env list [] Additional environment variables
models.instances.openfold3.deploy.extraVolumeMounts list [] Extra volume mounts
models.instances.openfold3.deploy.extraVolumes list [] Extra volumes
models.instances.openfold3.deploy.image string "quay.io/apheris/hub-apps:0.61.0-openfold3-by-file"
models.instances.openfold3.deploy.nodeSelector object {}
models.instances.openfold3.deploy.podSecurityContext.fsGroup int 65534
models.instances.openfold3.deploy.podSecurityContext.runAsGroup int 65534
models.instances.openfold3.deploy.podSecurityContext.runAsNonRoot bool true
models.instances.openfold3.deploy.podSecurityContext.runAsUser int 65534
models.instances.openfold3.deploy.podSecurityContext.seccompProfile.type string "RuntimeDefault"
models.instances.openfold3.deploy.port int 8000
models.instances.openfold3.deploy.resources.limits."nvidia.com/gpu" int 1
models.instances.openfold3.deploy.resources.limits.cpu string "8"
models.instances.openfold3.deploy.resources.limits.memory string "64Gi"
models.instances.openfold3.deploy.resources.requests."nvidia.com/gpu" int 1
models.instances.openfold3.deploy.resources.requests.cpu string "8"
models.instances.openfold3.deploy.resources.requests.memory string "64Gi"
models.instances.openfold3.deploy.securityContext.allowPrivilegeEscalation bool false
models.instances.openfold3.deploy.securityContext.capabilities.drop[0] string "ALL"
models.instances.openfold3.deploy.securityContext.readOnlyRootFilesystem bool true
models.instances.openfold3.deploy.securityContext.runAsGroup int 65534
models.instances.openfold3.deploy.securityContext.runAsNonRoot bool true
models.instances.openfold3.deploy.securityContext.runAsUser int 65534
models.instances.openfold3.deploy.shmSize string "16Gi"
models.instances.openfold3.deploy.tolerations[0].effect string "NoSchedule"
models.instances.openfold3.deploy.tolerations[0].key string "nvidia.com/gpu"
models.instances.openfold3.deploy.tolerations[0].operator string "Equal"
models.instances.openfold3.deploy.tolerations[0].value string "true"
models.instances.openfold3.id string "openfold3"
models.instances.openfold3.model string "openfold3"
models.instances.openfold3.submissionMode string "admission"
models.instances.protenix.deploy.affinity object {}
models.instances.protenix.deploy.capabilities list ["inference"] Model scopes for this deployment. Supported values: inference.
models.instances.protenix.deploy.enabled bool false enable protenix with enabled: true
models.instances.protenix.deploy.env list [] Additional environment variables
models.instances.protenix.deploy.extraVolumeMounts list [] Extra volume mounts
models.instances.protenix.deploy.extraVolumes list [] Extra volumes
models.instances.protenix.deploy.image string "quay.io/apheris/hub-apps:0.61.0-protenix-by-file"
models.instances.protenix.deploy.nodeSelector object {}
models.instances.protenix.deploy.podSecurityContext.fsGroup int 65534
models.instances.protenix.deploy.podSecurityContext.runAsGroup int 65534
models.instances.protenix.deploy.podSecurityContext.runAsNonRoot bool true
models.instances.protenix.deploy.podSecurityContext.runAsUser int 65534
models.instances.protenix.deploy.podSecurityContext.seccompProfile.type string "RuntimeDefault"
models.instances.protenix.deploy.port int 8000
models.instances.protenix.deploy.resources.limits."nvidia.com/gpu" int 1
models.instances.protenix.deploy.resources.limits.cpu string "8"
models.instances.protenix.deploy.resources.limits.memory string "64Gi"
models.instances.protenix.deploy.resources.requests."nvidia.com/gpu" int 1
models.instances.protenix.deploy.resources.requests.cpu string "8"
models.instances.protenix.deploy.resources.requests.memory string "64Gi"
models.instances.protenix.deploy.securityContext.allowPrivilegeEscalation bool false
models.instances.protenix.deploy.securityContext.capabilities.drop[0] string "ALL"
models.instances.protenix.deploy.securityContext.readOnlyRootFilesystem bool true
models.instances.protenix.deploy.securityContext.runAsGroup int 65534
models.instances.protenix.deploy.securityContext.runAsNonRoot bool true
models.instances.protenix.deploy.securityContext.runAsUser int 65534
models.instances.protenix.deploy.shmSize string "16Gi"
models.instances.protenix.deploy.tolerations[0].effect string "NoSchedule"
models.instances.protenix.deploy.tolerations[0].key string "nvidia.com/gpu"
models.instances.protenix.deploy.tolerations[0].operator string "Equal"
models.instances.protenix.deploy.tolerations[0].value string "true"
models.instances.protenix.id string "protenix"
models.instances.protenix.model string "protenix"
models.instances.protenix.submissionMode string "admission"
models.networkPolicy object {"enabled":false} Network policy configuration
models.networkPolicy.enabled bool false Enable network policy to restrict model pod network access
models.persistence object {"accessMode":"ReadWriteMany","annotations":{},"enabled":true,"existingVolumeName":null,"initWeightsVolume":false,"size":"50Gi","storageClass":""} Shared persistence for model inputs, outputs, and deployed weights
models.persistence.accessMode string "ReadWriteMany" Access mode for artifacts PVC
models.persistence.annotations object {} Annotations for artifacts PVC
models.persistence.enabled bool true Enable artifacts persistence via PVC
models.persistence.existingVolumeName string nil Existing PersistentVolume to bind to. If null, a new one will be dynamically created.
models.persistence.initWeightsVolume bool false Run a one-time Helm hook Job to create and set ownership of the weights directory on the shared PVC to UID/GID 65534. Enable this when binding to an existing or statically provisioned volume whose weights directories were created by root. Requires the cluster to permit runAsUser: 0 with CHOWN/FOWNER capabilities. Runs as a post-install/post-upgrade hook and deletes itself on success.
models.persistence.size string "50Gi" Size of artifacts PVC
models.persistence.storageClass string "" Storage class for artifacts PVC