Deployment & Infrastructure
Docker, CI/CD, and environment configuration for all 22 services.
Last updated: 2026-03-19
Architecture Overview
All services run as Docker containers on AWS EKS (Kubernetes) in the eu-central-1 region. Container images are stored in AWS ECR. The platform uses three Kubernetes namespaces mapping to environments:
| Namespace | Branch | Environment |
|---|---|---|
| helvia-dev | develop | Development |
| helvia-stg | staging | Staging |
| helvia | main | Production |
Two exceptions to the EKS-only pattern:
- hbf-webchat: static frontend deployed to AWS S3 + CloudFront CDN (no container)
- hbf-notifications: also deployed to Azure AKS (production only, via azure-ci.yml)
Multi-tenant deployments exist for helvia-rag-pipelines (separate K8s deployments for helvia-rag-pipelines, isolved-rag-pipelines, hrwiz-rag-pipelines).
Service Port Map
| Service | Internal Port | docker-compose mapping | Start Command |
|---|---|---|---|
| hbf-core | 8080 | 8080:8080 | java -javaagent:/opt/elastic-apm-agent.jar -jar hbf-core.jar |
| hbf-bot | 3000 | 3000:3000 | npm start -- -h 0.0.0.0 |
| hbf-nlp | 3000 | 3000:3000 | npm run start:prod |
| hbf-lcm | 3000 | 3000:3000 | npm run start:prod |
| hbf-session-manager | 3000 | 3000:3000 | npm run start:prod |
| hbf-notifications | 3000 | 3000:3000 | npm run start:prod |
| hbf-reports | 3000 | 3000:3000 | npm run start:prod |
| hbf-media-manager | 3030 | 3030:3030 | npm run start:prod |
| hbf-broadcast | 3004 | 3004:3004 | npm run apm-start |
| hbf-event-publisher | 5000 | 5000:5000 | npm run start |
| hbf-client-integrations | configurable | n/a | npm run start:prod |
| hbf-data-retention | n/a (daemon) | no ports | npm run start:prod |
| hbf-stats | configurable | no ports | npm run start |
| hbf-console | 3000 | 8085:3000 | serve -s build |
| hbf-webchat | n/a (static) | n/a | n/a |
| hbf-core-api | n/a (library) | n/a | n/a |
| helvia-rag-pipelines | 8081 | n/a | poetry run uvicorn app.main:fast_api_app --port 8081 --workers 4 |
| semantic-doc-segmenter | 8081 | 8081:8081 | poetry run uvicorn app.main:app --host 0.0.0.0 --port 8081 --workers 1 |
| open-bot-framework | 1986 (HTTP), 1992 (WS) | no docker-compose | node dist/main |
| hbf-data-manager | 3000 | 3000:3000 | npm run start:prod |
| hbf-knowledge-manager | 3000 | no docker-compose | npm run start:prod |
| hbf-lcg | 1337 (HTTP), configurable (Redis microservice) | no docker-compose | npm run start:prod |
Docker Base Images
| Service | Base Image (build) | Base Image (runtime) | Notes |
|---|---|---|---|
| hbf-core | maven:3.9.7-eclipse-temurin-21 | eclipse-temurin:21-jdk | Java/Kotlin, multi-stage |
| hbf-bot | node:22-slim | node:22-slim | Multi-stage |
| hbf-nlp | node:22-slim | node:22-slim | Multi-stage |
| hbf-lcm | node:latest | node:latest | Multi-stage |
| hbf-session-manager | node:22-slim | node:22-slim | Multi-stage |
| hbf-notifications | node:22-slim | node:22-slim | Multi-stage |
| hbf-reports | node:22 | node:22 | Multi-stage |
| hbf-media-manager | node:22-slim | node:22-slim | Multi-stage |
| hbf-broadcast | node:18-slim | node:18-slim | Multi-stage |
| hbf-event-publisher | node:18.12.1 | node:18.12.1-slim | Multi-stage |
| hbf-client-integrations | node:22-slim | node:22-slim | Multi-stage |
| hbf-data-retention | node:22-slim | node:22-slim | Multi-stage |
| hbf-stats | node:18 | node:18-slim | Multi-stage |
| hbf-console | node:22-slim | node:22-slim | Build then serve -s build |
| hbf-webchat | n/a | n/a | No Dockerfile, static build |
| hbf-core-api | n/a | n/a | Library, no Dockerfile |
| helvia-rag-pipelines | python:3.11.2-slim | python:3.11.2-slim | Single-stage, Poetry + Uvicorn |
| semantic-doc-segmenter | python:3.11.2-slim | python:3.11.2-slim | Single-stage, Poetry + Uvicorn |
| open-bot-framework | n/a | n/a | No Dockerfile, Node.js direct |
| hbf-data-manager | node:latest (build) | node:latest (runtime) | Multi-stage; unpinned base image |
| hbf-knowledge-manager | node:22-slim | node:22-slim | Multi-stage |
| hbf-lcg | node:22-slim | node:22-slim | Multi-stage, runs as node user |
CI/CD Pipeline
All CI/CD runs on GitHub Actions. Image tags use git commit short SHA.
Per-Service CI/CD
| Service | Workflows | Trigger | Deploy Target | Rollout Timeout | Special |
|---|---|---|---|---|---|
| hbf-core | ci.yml, tests.yml | push main/staging/develop; PR staging/develop | AWS EKS + ECR | 600s | Sonarqube, separate isolved deployment |
| hbf-bot | ci.yml, node.js.yml, release-please.yml | push main/staging/develop | AWS EKS + ECR | 600s | release-please for versioning |
| hbf-nlp | ci.yml | push main/staging/develop | AWS EKS + ECR | 900s | Longer rollout timeout |
| hbf-lcm | ci.yml | push main/staging/develop | AWS EKS + ECR | 600s | |
| hbf-session-manager | ci.yml | push main/staging/develop | AWS EKS + ECR | 600s | |
| hbf-notifications | ci.yml, azure-ci.yml | push main/staging/develop | AWS EKS + ECR, Azure AKS | 600s | Dual-cloud (AWS + Azure) |
| hbf-reports | ci.yml | push main/staging/develop | AWS EKS + ECR | 600s | |
| hbf-media-manager | ci.yml | push main/staging/develop | AWS EKS + ECR | 600s | |
| hbf-broadcast | ci.yml | push main/staging/develop | AWS EKS + ECR | 600s | |
| hbf-event-publisher | ci.yml | push main/staging/develop | AWS EKS + ECR | 600s | No GITHUB_TOKEN build arg |
| hbf-client-integrations | ci.yml | push main/staging/develop | AWS EKS + ECR | 600s | |
| hbf-data-retention | ci.yml | push main/staging/develop | AWS EKS + ECR | 600s | |
| hbf-stats | ci.yml | push main/staging/develop | AWS EKS + ECR | 600s | |
| hbf-console | ci.yml | push main/staging/develop | None (Sonarqube only) | n/a | No deployment in CI |
| hbf-webchat | deploy-branches.yml, deploy-tags.yml, deploy-isolved.yml | push develop/staging; v* tags | AWS S3 + CloudFront | n/a | Static CDN deploy |
| hbf-core-api | nodejs.yml, release-please.yml | push/PR to master | None (CI only) | n/a | Library, no deployment |
| helvia-rag-pipelines | ci.yml | push main/staging/develop | AWS EKS + ECR | 600s | Multi-tenant (helvia, isolved, hrwiz) |
| semantic-doc-segmenter | ci.yml | push main/staging/develop | AWS EKS + ECR | 600s | SonarQube audit |
| open-bot-framework | none | n/a | n/a | n/a | No CI/CD configured |
| hbf-data-manager | ci.yml | push main/staging/develop | AWS EKS + ECR | 600s | SonarQube audit |
| hbf-knowledge-manager | none | n/a | n/a | n/a | No CI/CD configured |
| hbf-lcg | none | n/a | n/a | n/a | No CI/CD configured |
Build Args
Most Node.js services pass GITHUB_TOKEN (from PAT_TOKEN secret) as a Docker build arg for authenticating to the GitHub npm registry (@helvia scope). Exception: hbf-event-publisher (no build arg needed).
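As an added check (not part of the project's own tooling), the following Dockerfile audit covers the two points raised by the base-image table and the build-arg note above: floating or missing base-image tags such as node:latest, and a registry-auth build arg such as GITHUB_TOKEN still referenced in the final stage, where a value used in a RUN step is recorded in the image's layer history. The two sample Dockerfiles are constructed to mirror the single-stage and multi-stage patterns described here, not copied from any repo.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Tags that float to a new image over time; the base-image table flags node:latest as unpinned.
FLOATING_TAGS = {"latest", "lts", "current", "stable"}
# Registry-auth build args named on this page; they must stay out of the runtime stage.
SECRET_ARGS = ("GITHUB_TOKEN", "PAT_TOKEN")
_FROM = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.I)


@dataclass
class Stage:
    image: str
    name: Optional[str]
    lines: List[str] = field(default_factory=list)


def parse_stages(dockerfile: str) -> List[Stage]:
    """Split a Dockerfile into its FROM stages, dropping comments and blank lines."""
    stages: List[Stage] = []
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _FROM.match(line)
        if match:
            stages.append(Stage(image=match.group(1), name=match.group(2)))
        elif stages:
            stages[-1].lines.append(line)
    return stages


def classify_ref(ref: str) -> str:
    """Return digest | tag | floating | untagged, by how tightly the reference pins the image."""
    if "@sha256:" in ref:
        return "digest"
    _, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:  # no tag at all, or the colon belonged to a registry port
        return "untagged"
    return "floating" if tag.lower() in FLOATING_TAGS else "tag"


def audit_dockerfile(dockerfile: str) -> List[str]:
    """Report unpinned external base images and secret build args used in the final stage."""
    stages = parse_stages(dockerfile)
    stage_names = {s.name.lower() for s in stages if s.name}
    findings: List[str] = []
    for index, stage in enumerate(stages):
        if stage.image.lower() in stage_names:
            continue  # FROM <earlier stage>: not an external image
        kind = classify_ref(stage.image)
        if kind in ("floating", "untagged"):
            findings.append(f"stage {index}: unpinned base image {stage.image} ({kind})")
    if stages:
        for line in stages[-1].lines:
            for arg in SECRET_ARGS:
                declared = re.match(rf"(ARG|ENV)\s+{arg}\b", line, re.I)
                expanded = re.search(rf"\$\{{?{arg}\b", line)
                if declared or expanded:
                    findings.append(f"final stage: {arg} referenced in {line!r} (persists in image history)")
    return findings


# Constructed samples mirroring the two patterns in the tables above; not the project's real Dockerfiles.
UNPINNED_SINGLE_STAGE = """
FROM node:latest
ARG GITHUB_TOKEN
RUN NODE_AUTH_TOKEN=${GITHUB_TOKEN} npm ci
CMD ["npm", "run", "start:prod"]
"""

PINNED_MULTI_STAGE = """
FROM node:22-slim AS build
ARG GITHUB_TOKEN
RUN NODE_AUTH_TOKEN=${GITHUB_TOKEN} npm ci && npm run build
FROM node:22-slim
COPY --from=build /app/dist /app/dist
COPY --from=build /app/node_modules /app/node_modules
USER node
CMD ["npm", "run", "start:prod"]
"""
```

Running audit_dockerfile over the first sample yields three findings (the floating tag plus two GITHUB_TOKEN references in the only stage); the second sample yields none because the token is used only in the build stage.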
Data Stores per Service
| Service | Primary DB | Connection Config |
|---|---|---|
| hbf-core | MongoDB | MONGODB_URL |
| hbf-nlp | MySQL (TypeORM) | TYPEORM_HOST/PORT/USERNAME/PASSWORD/DATABASE |
| hbf-lcm | MySQL (TypeORM) | TYPEORM_HOST/PORT/USERNAME/PASSWORD/DATABASE |
| hbf-notifications | MySQL (TypeORM) | TYPEORM_HOST/PORT/USERNAME/PASSWORD/DATABASE |
| hbf-event-publisher | MySQL (TypeORM) | TYPEORM_HOST/PORT/USERNAME/PASSWORD/DATABASE |
| hbf-reports | MySQL | DB_HOST/PORT/USERNAME/PASSWORD/NAME |
| hbf-media-manager | MySQL | DB_HOST/PORT/USERNAME/PASSWORD/NAME |
| hbf-session-manager | MySQL | DB_HOST/PORT/USERNAME/PASSWORD/NAME |
| helvia-rag-pipelines | MySQL (SQLAlchemy) | MYSQL_URL (connection string) |
| semantic-doc-segmenter | MySQL (PyMySQL) | MYSQL_URL (connection string) |
| open-bot-framework | PostgreSQL (TypeORM) | TYPEORM_HOST/PORT/USERNAME/PASSWORD/DATABASE |
| hbf-data-manager | MySQL + Kafka | MYSQL_HOST/PORT/USER/PASSWORD/DATABASE, KAFKA_BROKERS |
| hbf-knowledge-manager | n/a | Stateless; all state in hbf-core |
| hbf-lcg | MySQL (TypeORM) + Redis (optional cache) | TYPEORM_HOST/PORT/USERNAME/PASSWORD/DATABASE (lcm DB), CACHE_REDIS_URL |
| hbf-bot | Redis | REDIS_HOST |
| hbf-broadcast | n/a | Calls hbf-core API |
| hbf-stats | n/a | Calls hbf-core API |
| hbf-data-retention | n/a | Calls hbf-core API |
| hbf-client-integrations | n/a | Calls hbf-core API |
| hbf-console | n/a | Frontend SPA |
| hbf-webchat | n/a | Frontend widget |
| hbf-core-api | n/a | Library |
Environment Variables Reference
Common Patterns
Most Node.js services share these env var patterns:
- Core API integration:
  - CORE_URL / CORE_BASEURL / HBF_CORE_URL -- hbf-core base URL
  - CORE_TOKEN / HBF_CORE_ACCESS_TOKEN / HBF_CORE_API_TOKEN -- static service token
- Logging (Pino):
  - PINO_LOGGER_USE -- enable/disable (true/false)
  - PINO_LOGGER_LEVEL -- trace/debug/info/warn/error
  - PINO_LOGGER_AUTO_LOGGING -- auto-log HTTP requests (true/false)
- Elastic APM:
  - ELASTIC_APM_ACTIVE -- enable/disable
  - ELASTIC_APM_SERVER_URL -- APM server endpoint
  - ELASTIC_APM_SECRET_TOKEN -- auth token
  - ELASTIC_APM_SERVICE_NAME -- service identifier
  - ELASTIC_APM_ENVIRONMENT -- environment name
- TypeORM (NestJS services):
  - TYPEORM_CONNECTION -- mysql
  - TYPEORM_HOST / TYPEORM_PORT / TYPEORM_USERNAME / TYPEORM_PASSWORD / TYPEORM_DATABASE
  - TYPEORM_AUTORUN_MIGRATIONS -- auto-run on startup
- DB config (non-TypeORM services):
  - DB_HOST / DB_PORT / DB_USERNAME / DB_PASSWORD / DB_NAME
hbf-core
| Var | Required | Description |
|---|---|---|
| MONGODB_URL | yes | MongoDB connection string |
| ROOT_LOGGING_LEVEL | no | Logging level (default: INFO) |
hbf-bot
| Var | Required | Description |
|---|---|---|
| CORE_BASEURL | yes | hbf-core base URL |
| CORE_TOKEN | yes | Service auth token |
| REDIS_HOST | yes | Redis hostname |
| KAFKAJS_NO_PARTITIONER_WARNING | no | Suppress Kafka warning |
hbf-nlp
| Var | Required | Description |
|---|---|---|
| SERVICE_PORT | yes | Listen port (default: 2055) |
| HBF_CORE_URL | yes | hbf-core base URL |
| HBF_CORE_API_TOKEN | yes | Core API token |
| AZURE_OPENAI_ENDPOINT | yes | Azure OpenAI endpoint |
| AZURE_OPENAI_DEPLOYMENT_NAME | yes | Model deployment (e.g. gpt-4o-mini) |
| AZURE_OPENAI_API_VERSION | yes | API version |
| AZURE_OPENAI_API_KEY | yes | API key |
| SESSION_ANALYSIS_DEFAULT_MODEL | no | Default LLM model |
| JWT_SECRET | yes | JWT signing key |
| CACHE_REDIS_ENABLED | no | Enable Redis cache |
| CACHE_REDIS_URL | conditional | Redis URL (if cache enabled) |
| TYPEORM_* | yes | MySQL connection (TypeORM pattern) |
| NOTIFICATIONS_SERVICE_URL | no | hbf-notifications URL |
helvia-rag-pipelines
| Var | Required | Description |
|---|---|---|
| MYSQL_URL | yes | SQLAlchemy MySQL connection string |
| QDRANT_API_URL | yes | Qdrant vector DB URL |
| QDRANT_BACKEND_TYPE | no | Backend type (default: api) |
| SQLALCHEMY_POOL_SIZE | no | Connection pool size |
| SQLALCHEMY_POOL_OVERFLOW | no | Pool overflow limit |
| VECTOR_DB | no | Vector DB selection (qdrant) |
hbf-lcm
| Var | Required | Description |
|---|---|---|
| TYPEORM_* | yes | MySQL connection (TypeORM pattern) |
| REDIS_ENABLE | no | Enable Redis caching |
hbf-session-manager
| Var | Required | Description |
|---|---|---|
| PORT | yes | Listen port (default: 3000) |
| DB_* | yes | MySQL connection (DB_ pattern) |
| CORE_URL | yes | hbf-core base URL |
| CORE_TOKEN | yes | Core API token |
| NLP_URL | yes | hbf-nlp URL |
| CHAT_SESSION_CHECK_INTERVAL_IN_MINS | no | Session check interval |
| BOT_EXPIRE_CONVERSATION_AFTER_DEFAULT_VALUE | no | Conversation expiry (minutes) |
| EVENT_PUBLISHER_URL | no | hbf-event-publisher URL |
| EMAIL_* | no | SMTP settings for email |
| CONSOLE_URL | no | hbf-console URL |
hbf-notifications
| Var | Required | Description |
|---|---|---|
| SERVICE_PORT | yes | Listen port (default: 2048) |
| TYPEORM_* | yes | MySQL connection (TypeORM pattern) |
| CORE_URL | yes | hbf-core base URL |
| JWT_SECRET | yes | JWT signing secret |
hbf-reports
| Var | Required | Description |
|---|---|---|
| PORT | yes | Listen port (default: 3000) |
| DB_* | yes | MySQL connection (DB_ pattern) |
| CORE_URL | yes | hbf-core base URL |
| CORE_TOKEN | yes | Core API token |
| CONSOLE_URL | no | hbf-console URL |
| EMAIL_* | no | SMTP settings for scheduled reports |
| RUN_MIGRATIONS | no | Run DB migrations on startup |
hbf-media-manager
| Var | Required | Description |
|---|---|---|
| PORT | yes | Listen port (default: 3030) |
| DB_* | yes | MySQL connection (DB_ pattern) |
| CORE_URL | yes | hbf-core base URL |
| CORE_TOKEN | yes | Core API token |
hbf-broadcast
| Var | Required | Description |
|---|---|---|
| HOST | yes | Bind address (0.0.0.0) |
| PORT | yes | Listen port (default: 3004) |
| CORE_URL | yes | hbf-core base URL |
| CORE_TOKEN | yes | Core API token |
| SCAN_INTERVAL_TIME | yes | Broadcast scan interval (seconds) |
| FB_GRAPH_VERSION | yes | Facebook Graph API version |
| FB_MAX_USERS_PER_BATCH | yes | Facebook batch size |
| TEAMS_MAX_USERS_PER_BATCH | yes | Teams batch size |
| VIBER_MAX_USERS_PER_BATCH | yes | Viber batch size |
hbf-event-publisher
| Var | Required | Description |
|---|---|---|
| TYPEORM_* | yes | MySQL connection (TypeORM pattern) |
hbf-data-retention
| Var | Required | Description |
|---|---|---|
| HBF_CORE_URL | yes | hbf-core base URL |
| HBF_CORE_ACCESS_TOKEN | yes | Core API token |
| EXECUTION_INTERVAL_IN_HOURS | yes | Retention job interval (hours) |
| THRESHOLD_OF_DELETION_RETIRES | no | Deletion retry count |
hbf-stats
| Var | Required | Description |
|---|---|---|
| CORE_URL | yes | hbf-core base URL |
| CORE_TOKEN | yes | Core API token |
| SERVICE_PORT | no | Listen port |
| EXECUTION_TIME_INTERVAL_MILLISECONDS | no | Stats computation interval |
| BATCH_SIZE | no | Processing batch size |
| BATCH_COOLDOWN_SECONDS | no | Cooldown between batches |
hbf-client-integrations
hbf-client-integrations has extensive env vars for per-client CRM/API integrations (Dynamics 365, Zendesk, Pobuca, Novibet). Each integration has DEV/UAT/PROD variants. Key vars:
| Var | Required | Description |
|---|---|---|
| PORT | yes | Listen port |
| BASE_URL | yes | Service base URL |
| CORE_URL | yes | hbf-core base URL |
| CORE_TOKEN | yes | Core API token |
| CORE_TOKEN_SECRET | yes | Core token secret |
Plus per-integration OAuth/API credentials (CLIENT_ID, CLIENT_SECRET, CRM_URL, etc.) for each environment tier.
hbf-console
React SPA with REACT_APP_* build-time env vars. Key categories:
- API URLs: REACT_APP_API_CORE_URL, REACT_APP_API_LIVECHAT_URL, REACT_APP_API_REPORTS_URL, REACT_APP_API_MEDIA_URL, REACT_APP_API_NOTIFICATIONS_URL, REACT_APP_API_NLP_SERVICE_URL
- OAuth: REACT_APP_GOOGLE_CLIENT_ID, REACT_APP_MICROSOFT_CLIENT_ID
- Feature flags: ~25 REACT_APP_*_ENABLED/REACT_APP_*_DISABLED toggles
- White-label: REACT_APP_HRWIZ_* flags for HRWiz variant
hbf-webchat
No env vars at runtime (static). Build-time public_path for iSolved CDN variants.
hbf-core-api
Library package, no deployment env vars. CI only: CI=true for test runner.
open-bot-framework
| Var | Required | Description |
|---|---|---|
| PORT | no | HTTP listen port (default: 1986) |
| SOCKET_PORT | no | WebSocket port (default: 1992) |
| DIRECTLINE_HOST | yes | Hostname used in DirectLine stream URLs |
| DIRECTLINE_REGION | yes | Region tag |
| DIRECTLINE_SOCKET_URL | yes | WebSocket base URL returned to clients |
| JWT_SECRET | yes | JWT signing secret for DirectLine tokens |
| JWT_EXPIRATION_SECONDS | no | Token lifetime in seconds (default: 3600) |
| TYPEORM_CONNECTION | yes | DB driver — must be postgres |
| TYPEORM_HOST | yes | PostgreSQL host |
| TYPEORM_PORT | yes | PostgreSQL port |
| TYPEORM_USERNAME | yes | PostgreSQL user |
| TYPEORM_PASSWORD | yes | PostgreSQL password |
| TYPEORM_DATABASE | yes | PostgreSQL database name (default: obf) |
| TYPEORM_AUTORUN_MIGRATIONS | no | Run migrations on startup (default: true) |
| STORAGE_ACCESS_KEY | conditional | S3 access key (required for file uploads) |
| STORAGE_SECRET_KEY | conditional | S3 secret key (required for file uploads) |
| STORAGE_BUCKET | conditional | S3 bucket name (required for file uploads) |
| STORAGE_REGION_S3 | no | S3 region (default: us-east-1, AWS S3 only) |
| STORAGE_FORCE_S3_PATH_STYLE | no | Path-style URLs — set true for MinIO/custom (default: true) |
| STORAGE_ENDPOINT | no | S3-compatible endpoint (omit for AWS) |
| REDIS_URI | no | Redis connection URI (default: redis://localhost:6379) |
| ATOMIC_OPERATIONS_IMPLEMENTATION | no | Counter backend: redis or memory (default: redis) |
semantic-doc-segmenter
| Var | Required | Description |
|---|---|---|
| MYSQL_URL | yes | PyMySQL connection string |
| JWT_SECRET | yes | JWT auth signing key |
| LOG_LEVEL_APP | no | App log level (default: DEBUG) |
| GOOGLE_APPLICATION_CREDENTIALS | conditional | Google Cloud service account JSON path |
| OPENAI_API_KEY | conditional | OpenAI API key |
| GEMINI_API_KEY | conditional | Google Gemini API key |
| GEMINI_MODEL | no | Gemini model identifier |
| GEMINI_PROMPT_TEXT_ONLY_PATH | no | Text-only prompt template path |
| GEMINI_PROMPT_TEXT_AND_IMAGES_PATH | no | Text+images prompt template path |
| GEMINI_LOG_PROMPT | no | Log Gemini prompts (default: false) |
| GEMINI_DEBUG_SAVE_OVERLAY_PDF | no | Debug overlay PDF (default: false) |
| GEMINI_DEBUG_OVERLAY_DIR | no | Overlay PDF output directory |
| USE_GOOGLE_LANGUAGE_DETECTION | no | Use Google vs FastText for lang detection |
| FASTTEXT_LANGUAGE_DETECT_MODEL | no | FastText model variant (lite/full) |
| LANGUAGE_DETECT_GOOGLE_TIMEOUT_SECONDS | no | Google lang detection timeout |
| SEGMENTER_MAX_ARTICLE_SIZE | no | Max article segment size (default: 2000) |
| AWS_S3_BUCKET_NAME | yes | S3 bucket for images |
| AWS_REGION_NAME | yes | AWS region |
| AWS_ACCESS_KEY_ID | yes | AWS access key |
| AWS_SECRET_ACCESS_KEY | yes | AWS secret key |
| IMAGE_HANDLING_MODE | no | Image handling backend (s3) |
| FTLANG_CACHE | no | FastText cache directory |
hbf-data-manager
| Var | Required | Description |
|---|---|---|
| PORT | no | HTTP listen port (default: 3000) |
| NODE_ENV | yes | Runtime environment |
| CORE_URL | yes | hbf-core base URL |
| CORE_TOKEN | yes | Core API auth token |
| MYSQL_HOST | yes | MySQL hostname |
| MYSQL_PORT | no | MySQL port (default: 3306) |
| MYSQL_USER | yes | MySQL username |
| MYSQL_PASSWORD | yes | MySQL password |
| MYSQL_DATABASE | yes | MySQL database name |
| DB_SYNCHRONIZE | no | TypeORM schema sync — disable in prod |
| TYPEORM_AUTORUN_MIGRATIONS | no | Run migrations on startup |
| KAFKA_BROKERS | yes | Comma-separated Kafka broker list |
| KAFKA_CLIENT_ID | yes | Kafka client identifier |
| KAFKA_GROUP_ID | yes | Kafka consumer group ID |
| KAFKA_TOPICS | yes | Comma-separated topic subscriptions |
| KAFKA_SSL | no | Enable SSL for Kafka |
| KAFKA_SECURITY_PROTOCOL | no | Kafka security protocol (e.g. SASL_SSL) |
| KAFKA_SASL_MECHANISM | no | SASL mechanism (e.g. PLAIN) |
| KAFKA_SASL_USERNAME | conditional | SASL username (required if SASL enabled) |
| KAFKA_SASL_PASSWORD | conditional | SASL password (required if SASL enabled) |
| PINO_LOGGER_USE | no | Enable Pino logger |
| PINO_LOG_LEVEL | no | Pino log level |
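As an added example rather than code from hbf-data-manager itself, this startup check encodes the required and conditional rules from the table above, plus the two pitfalls it points at: DB_SYNCHRONIZE left on in production and SASL credentials sent without TLS. The accepted boolean spellings and the two sample envs (with placeholder secrets) are assumptions.

```python
from typing import Dict, List

# Variables the hbf-data-manager table marks as required.
REQUIRED = (
    "NODE_ENV", "CORE_URL", "CORE_TOKEN", "MYSQL_HOST", "MYSQL_USER", "MYSQL_PASSWORD",
    "MYSQL_DATABASE", "KAFKA_BROKERS", "KAFKA_CLIENT_ID", "KAFKA_GROUP_ID", "KAFKA_TOPICS",
)
TRUE_VALUES = {"1", "true", "yes", "on"}  # assumed boolean spellings; the page does not define them


def is_true(value: str) -> bool:
    return value.strip().lower() in TRUE_VALUES


def validate_data_manager_env(env: Dict[str, str]) -> List[str]:
    """Return a list of configuration problems; an empty list means the env passes."""
    problems: List[str] = []
    for key in REQUIRED:
        if not env.get(key, "").strip():
            problems.append(f"{key} is required")
    port = env.get("MYSQL_PORT", "3306").strip()
    if not port.isdigit() or not 0 < int(port) < 65536:
        problems.append(f"MYSQL_PORT must be a TCP port, got {port!r}")
    # DB_SYNCHRONIZE lets TypeORM alter the live schema; the table says to disable it in prod.
    if env.get("NODE_ENV", "").strip() == "production" and is_true(env.get("DB_SYNCHRONIZE", "false")):
        problems.append("DB_SYNCHRONIZE must be disabled when NODE_ENV=production")
    brokers = env.get("KAFKA_BROKERS", "").strip()
    if brokers:
        for entry in brokers.split(","):
            host, sep, bport = entry.strip().rpartition(":")
            if not sep or not host or not bport.isdigit():
                problems.append(f"KAFKA_BROKERS entry {entry.strip()!r} is not host:port")
    protocol = env.get("KAFKA_SECURITY_PROTOCOL", "").strip().upper()
    mechanism = env.get("KAFKA_SASL_MECHANISM", "").strip()
    if mechanism or protocol.startswith("SASL"):
        for key in ("KAFKA_SASL_USERNAME", "KAFKA_SASL_PASSWORD"):
            if not env.get(key, "").strip():
                problems.append(f"{key} is required when SASL is enabled")
        # SASL credentials travel inside the Kafka handshake, so the connection needs TLS underneath.
        tls = protocol == "SASL_SSL" or (protocol == "" and is_true(env.get("KAFKA_SSL", "false")))
        if not tls:
            problems.append("SASL is enabled without TLS; use KAFKA_SECURITY_PROTOCOL=SASL_SSL (or KAFKA_SSL=true)")
    return problems


# Constructed sample envs with placeholder secrets; not values from any real deployment.
PROD_ENV_WITH_ISSUES = {
    "NODE_ENV": "production",
    "CORE_URL": "http://hbf-core:8080",
    "CORE_TOKEN": "placeholder-core-token",
    "MYSQL_HOST": "mysql",
    "MYSQL_USER": "data_manager",
    "MYSQL_PASSWORD": "placeholder-db-password",
    "MYSQL_DATABASE": "data_manager",
    "DB_SYNCHRONIZE": "true",
    "KAFKA_BROKERS": "kafka-1:9092,kafka-2",
    "KAFKA_CLIENT_ID": "hbf-data-manager",
    "KAFKA_GROUP_ID": "hbf-data-manager",
    "KAFKA_TOPICS": "conversation-events",
    "KAFKA_SECURITY_PROTOCOL": "SASL_PLAINTEXT",
    "KAFKA_SASL_MECHANISM": "PLAIN",
    "KAFKA_SASL_USERNAME": "data_manager",
}

DEV_ENV = {
    "NODE_ENV": "development",
    "CORE_URL": "http://localhost:8080",
    "CORE_TOKEN": "placeholder-core-token",
    "MYSQL_HOST": "localhost",
    "MYSQL_USER": "root",
    "MYSQL_PASSWORD": "placeholder-db-password",
    "MYSQL_DATABASE": "data_manager",
    "DB_SYNCHRONIZE": "true",
    "KAFKA_BROKERS": "localhost:9092",
    "KAFKA_CLIENT_ID": "hbf-data-manager",
    "KAFKA_GROUP_ID": "hbf-data-manager",
    "KAFKA_TOPICS": "conversation-events",
}
```

The production sample fails on four counts (schema sync, a broker entry without a port, a missing SASL password, SASL over plaintext); the dev sample passes because DB_SYNCHRONIZE is only rejected under NODE_ENV=production.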
hbf-knowledge-manager
| Var | Required | Description |
|---|---|---|
| PORT | no | HTTP listen port (default: 3000) |
| CORE_BASE_URL | yes | hbf-core base URL |
| CORE_TOKEN | yes | Static service auth token for hbf-core |
| PINO_LOGGER_USE | no | Enable Pino structured logging |
| PINO_LOGGER_LEVEL | no | Log level (default: info) |
| PINO_LOGGER_AUTO_LOGGING | no | Auto-log HTTP requests (default: false) |
| ELASTIC_APM_ACTIVE | no | Enable Elastic APM (default: false) |
| ELASTIC_APM_SERVER_URL | conditional | APM server endpoint (required if APM active) |
| ELASTIC_APM_SECRET_TOKEN | conditional | APM auth token (required if APM active) |
| ELASTIC_APM_SERVICE_NAME | conditional | Service identifier in APM |
| ELASTIC_APM_ENVIRONMENT | conditional | Environment name in APM |
| SHAREPOINT_CLIENT_ID | conditional | Helvia's multi-tenant Azure AD app client ID. Required for SharePoint KB integrations. |
| SHAREPOINT_CLIENT_SECRET | conditional | Helvia's multi-tenant Azure AD app client secret. Required for SharePoint KB integrations. |
| SHAREPOINT_WEBHOOK_BASE_URL | conditional | Public HTTPS base URL for Graph webhook notifications (e.g., https://api.example.com/hbf-knowledge-manager). Required for real-time SharePoint sync. |
Note: Azure Blob Storage credentials (accountName, containerName, sasToken) and SharePoint per-integration config (tenantId, siteId, driveId) are per-org config stored in hbf-core, not service-level env vars.
hbf-lcg
| Var | Required | Description |
|---|---|---|
| SERVICE_URL | yes | Service base URL |
| SERVICE_PORT | yes | HTTP listen port (default: 1337) |
| HBF_CORE_URL | yes | hbf-core base URL |
| HBF_CORE_API_TOKEN | yes | Core API token |
| HBF_LCM_URL | yes | hbf-lcm base URL |
| HBF_LCM_TOKEN | yes | hbf-lcm auth token |
| HBF_BOT_EVENT_URL | yes | hbf-bot event endpoint URL |
| JWT_SECRET | yes | JWT signing secret |
| JWT_SUB | yes | JWT subject claim |
| TYPEORM_* | yes | MySQL connection (TypeORM pattern); database: lcm (shared with hbf-lcm) |
| TYPEORM_AUTORUN_MIGRATIONS | yes | Auto-run migrations on startup (set to true) |
| CACHE_REDIS_URL | no | Redis connection URL for optional caching |
| MICROSERVICE_REDIS_HOST | no | Redis host for NestJS microservice transport |
| MICROSERVICE_REDIS_PORT | no | Redis port for NestJS microservice transport |
| ELASTIC_APM_ACTIVE | no | Enable Elastic APM (default: false) |
| ELASTIC_APM_SERVER_URL | conditional | APM server endpoint (required if APM active) |
| ELASTIC_APM_SECRET_TOKEN | conditional | APM auth token (required if APM active) |
| ELASTIC_APM_SERVICE_NAME | conditional | Service identifier in APM |
| ELASTIC_APM_ENVIRONMENT | conditional | Environment name in APM |
Note: hbf-lcg shares the lcm MySQL database with hbf-lcm and auto-runs TypeORM migrations on startup. Redis is used for both optional response caching (CACHE_REDIS_URL) and as a NestJS microservice transport layer (MICROSERVICE_REDIS_*).
Health Checks
Most services have no explicit Docker HEALTHCHECK directives. Health monitoring relies on Kubernetes liveness/readiness probes (configured in K8s manifests, not in this repo).
Exception: semantic-doc-segmenter defines a docker-compose health check: curl -f http://semantic-doc-segmenter:8081 (15s interval, 10s timeout, 3 retries).
hbf-data-manager exposes GET /health returning {"status":"ok","timestamp":"<ISO>","uptimeSeconds":<N>}. No Docker HEALTHCHECK directive; relies on K8s probes in production.
Secrets Management
Secrets are injected via:
- GitHub Actions Secrets for CI/CD (AWS credentials, KUBE_CONFIG, PAT_TOKEN, SONAR_TOKEN)
- Kubernetes environment variables for runtime (set in K8s deployment manifests)
- Docker build args for GITHUB_TOKEN (npm registry auth during image build)
CI/CD Secrets Used
| Secret | Services | Purpose |
|---|---|---|
| AWS_ACCESS_KEY_ID | all deployed services | AWS authentication |
| AWS_SECRET_ACCESS_KEY | all deployed services | AWS authentication |
| KUBE_CONFIG_DATA_NEW | most services | EKS kubectl access |
| PAT_TOKEN | most Node.js services | GitHub npm registry auth (build arg) |
| SONAR_TOKEN | all services | SonarQube code analysis |
| SONAR_HOST_URL | all services | SonarQube server URL |
| AZURE_CREDENTIALS | hbf-notifications | Azure login for AKS deploy |
| AZURE_RESOURCE_GROUP | hbf-notifications | Azure resource group for AKS |
| AKS_CLUSTER_NAME | hbf-notifications | Azure AKS cluster name |
| AWS_CLOUDFRONT_DISTRIBUTION_ID | hbf-webchat | CloudFront cache invalidation |
| GPR_ACCESS_TOKEN | hbf-bot | GitHub Package Registry access |
docker-compose (Local Development)
Each service with a docker-compose file provides a local dev stack. Common patterns:
- MySQL services use mysql:8.0.34 with default dev credentials
- Redis services use bitnami/redis:latest with empty password
- MongoDB (hbf-core) uses mongo:8.2.1 with replica set (--replSet rs0)
Services that include infrastructure in docker-compose:
| Service | Includes |
|---|---|
| hbf-core | MongoDB (replset), Redis |
| hbf-bot | Redis, ngrok tunnel |
| hbf-broadcast | self only |
| hbf-console | self only |
| hbf-data-retention | self only |
| hbf-event-publisher | MySQL |
| hbf-lcm | MySQL |
| hbf-media-manager | MySQL |
| hbf-nlp | self only (env from .env file) |
| hbf-notifications | MySQL |
| hbf-reports | MySQL |
| hbf-session-manager | MySQL |
| hbf-stats | self only |
| semantic-doc-segmenter | MySQL, self + test runner |
| hbf-data-manager | MySQL (mysql:8.4), Kafka (confluentinc/cp-kafka:7.6.1), Confluent Control Center (confluentinc/cp-enterprise-control-center:7.6.1) |
| hbf-knowledge-manager | none (no docker-compose; run via npm run start:dev) |
| hbf-lcg | none (no docker-compose; standalone service) |
Infrastructure Notes
- Container registry: AWS ECR in eu-central-1
- Orchestration: AWS EKS (Kubernetes) with three namespaces
- Azure: hbf-notifications has a separate Azure AKS deployment (helviaagentsregistry-eserg5f6d5enfpgf.azurecr.io)
- CDN: hbf-webchat static assets on S3 (helvia-cdn bucket) + CloudFront
- Multi-tenant K8s deployments: helvia-rag-pipelines runs as three separate deployments (helvia, isolved, hrwiz)
- No Helm/Terraform: deployments use raw kubectl set image + kubectl rollout status in CI
- Elastic APM: supported by hbf-core, hbf-reports, hbf-session-manager, hbf-media-manager (configurable via env vars)
- SonarQube: all repos run code quality analysis on push
- Kafka: introduced by hbf-data-manager. The service's standalone docker-compose bundles Confluent Platform 7.6.1 (cp-kafka + cp-enterprise-control-center) running in KRaft mode (no ZooKeeper). The shared platform docker-compose does NOT include Kafka — in local dev, hbf-data-manager must either run with its own docker-compose stack or point KAFKA_BROKERS at an external broker. A task should be created to evaluate adding a shared Kafka to the platform dev stack.
- hbf-knowledge-manager: stateless NestJS service. No database, no Kafka, no Redis. No docker-compose; run with npm run start:dev locally. Azure Blob Storage and Azure Event Grid are cloud-only external dependencies — not present in local infra. Azure credentials are per-org config in hbf-core, not service env vars. No CI/CD configured yet.
- hbf-lcg: NestJS service. Shares the lcm MySQL database with hbf-lcm (same TypeORM connection config, same database name). Redis is optional: used for caching (CACHE_REDIS_URL) and as a microservice transport (MICROSERVICE_REDIS_HOST/PORT). HTTP port is 1337 (SERVICE_PORT), diverging from the platform's usual 3000. Auto-runs TypeORM migrations on startup. No docker-compose; no CI/CD configured yet.