values.yaml reference optimized for production deployments. Copy it, adapt the placeholders to your environment, and deploy.
How to use
- Copy the full configuration below into a file called
values-production.yaml - Replace all
{...}placeholders with your actual values - Review each section and adjust resource limits for your expected workload
- Deploy:
Full production values
Key decisions explained
Why Ledger instead of Onboarding + Transaction?
The unifiedledger service is the recommended approach for all new installations. It combines both modules into a single deployment, reducing operational overhead:
- Fewer pods to manage and monitor
- Simplified configuration (single configmap/secret)
- Single ingress endpoint
- Better resource utilization
- Will become the only option in future releases
Why external databases?
Production deployments should use managed database services for:- Automated backups and point-in-time recovery
- High availability with automatic failover
- Monitoring and alerting built-in
- Scaling without application downtime
- Security patching managed by the provider
| Dependency | AWS | GCP | Azure |
|---|---|---|---|
| PostgreSQL | Amazon RDS | Cloud SQL | Azure Database for PostgreSQL |
| MongoDB | Amazon DocumentDB or MongoDB Atlas | MongoDB Atlas | Azure Cosmos DB (MongoDB API) |
| RabbitMQ | Amazon MQ | Self-managed on GKE | Self-managed on AKS |
| Redis/Valkey | Amazon ElastiCache | Memorystore | Azure Cache for Redis |
Why use Kubernetes Secrets instead of inline passwords?
Inline passwords invalues.yaml are visible in Helm release history and may be committed to version control. Using useExistingSecret: true with pre-created Kubernetes Secrets:
- Keeps credentials out of Helm values
- Allows rotation without Helm upgrade
- Integrates with secret management tools (Vault, External Secrets Operator, Sealed Secrets)
Pod anti-affinity
ThepodAntiAffinity rule distributes Ledger pods across different nodes, so a single node failure doesn’t bring down the entire service.
Checklist before deploying
Create Kubernetes Secrets
Create all required secrets in the
midaz namespace before running helm install:midaz-ledger(database and message broker credentials)midaz-crm(encryption keys and MongoDB password)otel-api-key(if using Lerian telemetry)
Configure DNS
Point your domains to the ingress controller’s external IP:
{your-midaz-api-domain}→ ingress IP{your-crm-api-domain}→ ingress IP{your-grafana-domain}→ ingress IP
Provision TLS certificates
Either use cert-manager for automatic certificate provisioning or manually create TLS secrets for each domain.
Verify database connectivity
Ensure your Kubernetes cluster can reach all external databases. Test with:
Review resource limits
Adjust CPU and memory limits based on your expected transaction volume. The values in this reference are starting points for moderate workloads.
Related resources
- Using Helm - Full installation guide with all configuration options
- Upgrading Midaz - Step-by-step upgrade procedures
- Troubleshooting - Diagnosing common deployment issues
- Uninstalling Midaz - Cleanup procedures
- Helm chart source - Full
values.yamlwith all available parameters

