
ChiefOnboarding

Employee onboarding automation platform. ChiefOnboarding lets HR teams define onboarding sequences for new hires — assigning tasks, collecting documents, sending introductions, and integrating with tools like Slack and Google Workspace. All onboarding data and workflow definitions are stored in PostgreSQL.

Key Features

  • Onboarding sequences — ordered tasks, automated triggers, and conditional workflows
  • Integrations — Slack, Google Workspace, email notifications, and webhook support
  • Multi-role access — admin, manager, and buddy role assignments
  • PostgreSQL backend — bundled subchart or external database
  • Django application — secure SECRET_KEY management for sessions and CSRF protection
  • Ingress support — TLS via cert-manager with configurable ingress class

Installation

HTTPS repository:

helm repo add helmforge https://repo.helmforge.dev
helm repo update
helm install chiefonboarding helmforge/chiefonboarding

OCI registry:

helm install chiefonboarding oci://ghcr.io/helmforgedev/helm/chiefonboarding

Deployment Examples

# values.yaml — ChiefOnboarding with bundled PostgreSQL (default)
chiefonboarding:
  baseUrl: 'https://onboarding.example.com'
  secretKey: 'a-random-50-char-django-secret-key-here-replace-me'

postgresql:
  enabled: true
  auth:
    password: 'postgres-password'

ingress:
  enabled: true
  ingressClassName: traefik
  hosts:
    - host: onboarding.example.com
      paths:
        - path: /
          pathType: Prefix

# values.yaml — ChiefOnboarding with external PostgreSQL
chiefonboarding:
  baseUrl: 'https://onboarding.example.com'
  secretKey: 'a-random-50-char-django-secret-key-here-replace-me'

postgresql:
  enabled: false

database:
  external:
    host: postgresql.database.svc
    port: '5432'
    name: chiefonboarding
    username: chiefonboarding
    password: 'db-password'

ingress:
  enabled: true
  ingressClassName: traefik
  hosts:
    - host: onboarding.example.com
      paths:
        - path: /
          pathType: Prefix

# values.yaml — Production setup with secrets, TLS, and Slack integration
chiefonboarding:
  baseUrl: 'https://onboarding.example.com'
  existingSecret: chiefonboarding-secret
  existingSecretKey: secret-key
  extraEnv:
    # Slack integration
    - name: SLACK_APP_TOKEN
      valueFrom:
        secretKeyRef:
          name: chiefonboarding-integrations
          key: slack-app-token
    - name: SLACK_BOT_TOKEN
      valueFrom:
        secretKeyRef:
          name: chiefonboarding-integrations
          key: slack-bot-token

postgresql:
  enabled: false

database:
  external:
    host: postgresql.production.svc
    port: '5432'
    name: chiefonboarding
    username: chiefonboarding
    existingSecret: chiefonboarding-db-secret
    existingSecretPasswordKey: password

ingress:
  enabled: true
  ingressClassName: traefik
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  hosts:
    - host: onboarding.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: chiefonboarding-tls
      hosts:
        - onboarding.example.com

Configuration Reference

Security Scan

Kubescape scan for the chart standards backfill:

Framework Score
MITRE 100%
NSA 67.5%
SOC2 90%

Production hardening should include stable existing Secrets, explicit CPU and memory requests and limits, TLS ingress, and platform-level network policy where required.

Core

Parameter Type Default Description
nameOverride string "" Override the chart name.
fullnameOverride string "" Override the full release name.
commonLabels object {} Extra labels added to all resources.

Image

Parameter Type Default Description
image.repository string docker.io/chiefonboarding/chiefonboarding ChiefOnboarding container image.
image.tag string "v2.4.1" Image tag.
image.pullPolicy string IfNotPresent Image pull policy.
imagePullSecrets array [] Pull secrets for private registries.

ChiefOnboarding Configuration

Parameter Type Default Description
chiefonboarding.port integer 8000 Internal HTTP port (Django development server).
chiefonboarding.baseUrl string "" Public base URL of the instance (e.g. https://onboarding.example.com).
chiefonboarding.secretKey string "" Django SECRET_KEY for session signing and CSRF protection.
chiefonboarding.existingSecret string "" Existing Kubernetes Secret containing the Django secret key.
chiefonboarding.existingSecretKey string secret-key Key inside the existing secret holding the Django SECRET_KEY.
chiefonboarding.extraEnv array [] Extra environment variables for integrations and advanced configuration.

Set baseUrl to your public URL

chiefonboarding.baseUrl must be set to your actual public URL before deploying. Django uses this value to generate links in email notifications and onboarding task messages. Without it, all links sent to new hires will be empty or incorrect.

Always set secretKey explicitly

If chiefonboarding.secretKey is empty, a Django SECRET_KEY is auto-generated at startup. If the pod is recreated with a new key, all user sessions are invalidated, all pending password reset links expire, and all CSRF tokens become invalid. Always provide a stable, explicit key or use chiefonboarding.existingSecret.

Integrations via extraEnv

ChiefOnboarding integrations (Slack, Google Workspace, email) are configured via environment variables. Use chiefonboarding.extraEnv with secretKeyRef to inject integration tokens securely. See the ChiefOnboarding integration documentation for the full list of required variables per integration.
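
The following pre-deploy check is an added example, not part of the chart or of ChiefOnboarding. It flags the conditions named in the production hardening note and the baseUrl and secretKey notes above: a missing or inline secretKey, an unset baseUrl, a plain-text external database password, an ingress without TLS, and unset resources. The finding IDs and sample dictionaries are constructed, and the values are assumed to be already parsed from values.yaml into a dictionary.

```python
# Added example: pre-deploy lint for ChiefOnboarding chart values.
# Parameter names are from this page; finding IDs and sample dicts are constructed.

def get(values, dotted, default=None):
    """Read a dotted path such as 'database.external.password' from nested dicts."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node

def lint(values):
    """Return sorted finding IDs for a values.yaml already parsed into a dict."""
    found = set()
    if not get(values, "chiefonboarding.existingSecret", ""):
        # No existing Secret: the key is inline plain text or regenerated at startup.
        inline = get(values, "chiefonboarding.secretKey", "")
        found.add("SECRET_KEY_INLINE" if inline else "SECRET_KEY_EPHEMERAL")
    if not get(values, "chiefonboarding.baseUrl", ""):
        found.add("BASEURL_UNSET")  # links sent to new hires would be empty or wrong
    if not get(values, "postgresql.enabled", True):  # chart default is true
        ext = get(values, "database.external", {}) or {}
        if ext.get("password") and not ext.get("existingSecret"):
            found.add("DB_PASSWORD_INLINE")
    if get(values, "ingress.enabled", False) and not get(values, "ingress.tls", []):
        found.add("INGRESS_NO_TLS")
    res = get(values, "resources", {}) or {}
    if not (res.get("requests") and res.get("limits")):
        found.add("RESOURCES_UNSET")
    return sorted(found)

# Constructed inputs mirroring the page's first and third deployment examples.
BUNDLED = {
    "chiefonboarding": {"baseUrl": "https://onboarding.example.com",
                        "secretKey": "replace-me"},
    "postgresql": {"enabled": True, "auth": {"password": "postgres-password"}},
    "ingress": {"enabled": True, "hosts": [{"host": "onboarding.example.com"}]},
}
PRODUCTION = {
    "chiefonboarding": {"baseUrl": "https://onboarding.example.com",
                        "existingSecret": "chiefonboarding-secret"},
    "postgresql": {"enabled": False},
    "database": {"external": {"host": "postgresql.production.svc",
                              "existingSecret": "chiefonboarding-db-secret"}},
    "ingress": {"enabled": True, "tls": [{"secretName": "chiefonboarding-tls"}]},
}

if __name__ == "__main__":
    for name, vals in (("bundled", BUNDLED), ("production", PRODUCTION)):
        print(name, lint(vals))
```

Run against the third deployment example as written, the check still reports RESOURCES_UNSET, because that example sets no resources block.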

Database — Embedded Subchart

Parameter Type Default Description
postgresql.enabled boolean true Deploy a bundled PostgreSQL subchart for ChiefOnboarding.
postgresql.architecture string standalone PostgreSQL deployment architecture.
postgresql.auth.database string chiefonboarding Database name created by the subchart.
postgresql.auth.username string chiefonboarding Database username created by the subchart.
postgresql.auth.password string "" Database password (auto-generated if empty).

Database — External

Parameter Type Default Description
database.external.host string "" External PostgreSQL hostname or IP.
database.external.port string "5432" External PostgreSQL port.
database.external.name string chiefonboarding Database name on the external server.
database.external.username string chiefonboarding Username for the external database.
database.external.password string "" Password for the external database (plain text — prefer secret).
database.external.existingSecret string "" Existing secret containing the database password.
database.external.existingSecretPasswordKey string password Key inside the existing secret for the password.

Service

Parameter Type Default Description
service.type string ClusterIP Kubernetes service type.
service.port integer 80 Service port exposed to the cluster.
service.annotations object {} Annotations for the Service.

Ingress

Parameter Type Default Description
ingress.enabled boolean false Enable an Ingress resource.
ingress.ingressClassName string traefik Ingress class name.
ingress.annotations object {} Annotations for the Ingress (e.g. cert-manager).
ingress.hosts array [] Ingress host and path rules.
ingress.tls array [] TLS configuration (secret name and hosts).

Probes

Parameter Type Default Description
probes.startup.enabled boolean true Enable startup probe.
probes.startup.initialDelaySeconds integer 10 Startup probe initial delay.
probes.startup.periodSeconds integer 5 Startup probe period.
probes.startup.timeoutSeconds integer 3 Startup probe timeout.
probes.startup.failureThreshold integer 30 Startup probe failure threshold.
probes.liveness.enabled boolean true Enable liveness probe.
probes.liveness.initialDelaySeconds integer 0 Liveness probe initial delay.
probes.liveness.periodSeconds integer 15 Liveness probe period.
probes.liveness.timeoutSeconds integer 5 Liveness probe timeout.
probes.liveness.failureThreshold integer 3 Liveness probe failure threshold.
probes.readiness.enabled boolean true Enable readiness probe.
probes.readiness.initialDelaySeconds integer 0 Readiness probe initial delay.
probes.readiness.periodSeconds integer 10 Readiness probe period.
probes.readiness.timeoutSeconds integer 5 Readiness probe timeout.
probes.readiness.failureThreshold integer 3 Readiness probe failure threshold.

Resources and Security

Parameter Type Default Description
resources object {} CPU and memory requests and limits.
podSecurityContext object {} Pod-level security context.
securityContext object {} Container-level security context.

Service Account

Parameter Type Default Description
serviceAccount.create boolean false Create a dedicated ServiceAccount.
serviceAccount.name string "" Override the ServiceAccount name.
serviceAccount.annotations object {} Annotations for the ServiceAccount.

Scheduling

Parameter Type Default Description
nodeSelector object {} Node selector for scheduling.
tolerations array [] Tolerations for scheduling.
affinity object {} Affinity rules.
topologySpreadConstraints array [] Topology spread constraints.
priorityClassName string "" PriorityClass for the pod.
terminationGracePeriodSeconds integer 30 Termination grace period.
podLabels object {} Extra labels for the pod.
podAnnotations object {} Extra annotations for the pod.

Extra

Parameter Type Default Description
extraVolumes array [] Extra volumes to attach to the pod.
extraVolumeMounts array [] Extra volume mounts for the container.
extraManifests array [] Extra Kubernetes manifests deployed alongside the chart.

Common Issues

Users cannot log in after upgrade

If users cannot log in after a Helm upgrade, the Django SECRET_KEY may have changed. Check that chiefonboarding.secretKey or chiefonboarding.existingSecret is set and matches the value used during the previous deployment.

Create the first admin user

ChiefOnboarding does not ship with a default admin account. After the first deployment, access the instance and complete the initial setup wizard to create your admin credentials. The setup wizard is only shown when no admin account exists.
