ChiefOnboarding

Employee onboarding automation platform. ChiefOnboarding lets HR teams define onboarding sequences for new hires — assigning tasks, collecting documents, sending introductions, and integrating with tools like Slack and Google Workspace. All onboarding data and workflow definitions are stored in PostgreSQL.

Key Features

Onboarding sequences — ordered tasks, automated triggers, and conditional workflows
Integrations — Slack, Google Workspace, email notifications, and webhook support
Multi-role access — admin, manager, and buddy role assignments
PostgreSQL backend — bundled subchart or external database
Django application — secure SECRET_KEY management for sessions and CSRF protection
Ingress support — TLS via cert-manager with configurable ingress class

Installation

HTTPS repository:

helm repo add helmforge https://repo.helmforge.dev
helm repo update
helm install chiefonboarding helmforge/chiefonboarding

OCI registry:

helm install chiefonboarding oci://ghcr.io/helmforgedev/helm/chiefonboarding

Deployment Examples

# values.yaml — ChiefOnboarding with bundled PostgreSQL (default)
chiefonboarding:
  baseUrl: 'https://onboarding.example.com'
  secretKey: 'a-random-50-char-django-secret-key-here-replace-me'

postgresql:
  enabled: true
  auth:
    password: 'postgres-password'

ingress:
  enabled: true
  ingressClassName: traefik
  hosts:
    - host: onboarding.example.com
      paths:
        - path: /
          pathType: Prefix

# values.yaml — ChiefOnboarding with external PostgreSQL
chiefonboarding:
  baseUrl: 'https://onboarding.example.com'
  secretKey: 'a-random-50-char-django-secret-key-here-replace-me'

postgresql:
  enabled: false

database:
  external:
    host: postgresql.database.svc
    port: '5432'
    name: chiefonboarding
    username: chiefonboarding
    password: 'db-password'

ingress:
  enabled: true
  ingressClassName: traefik
  hosts:
    - host: onboarding.example.com
      paths:
        - path: /
          pathType: Prefix

# values.yaml — Production setup with secrets, TLS, and Slack integration
chiefonboarding:
  baseUrl: 'https://onboarding.example.com'
  existingSecret: chiefonboarding-secret
  existingSecretKey: secret-key
  extraEnv:
    # Slack integration
    - name: SLACK_APP_TOKEN
      valueFrom:
        secretKeyRef:
          name: chiefonboarding-integrations
          key: slack-app-token
    - name: SLACK_BOT_TOKEN
      valueFrom:
        secretKeyRef:
          name: chiefonboarding-integrations
          key: slack-bot-token

postgresql:
  enabled: false

database:
  external:
    host: postgresql.production.svc
    port: '5432'
    name: chiefonboarding
    username: chiefonboarding
    existingSecret: chiefonboarding-db-secret
    existingSecretPasswordKey: password

ingress:
  enabled: true
  ingressClassName: traefik
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  hosts:
    - host: onboarding.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: chiefonboarding-tls
      hosts:
        - onboarding.example.com

Configuration Reference

Core

Parameter	Type	Default	Description
`nameOverride`	string	`""`	Override the chart name.
`fullnameOverride`	string	`""`	Override the full release name.
`commonLabels`	object	`{}`	Extra labels added to all resources.

Image

Parameter	Type	Default	Description
`image.repository`	string	`docker.io/chiefonboarding/chiefonboarding`	ChiefOnboarding container image.
`image.tag`	string	`"v2.4.1"`	Image tag.
`image.pullPolicy`	string	`IfNotPresent`	Image pull policy.
`imagePullSecrets`	array	`[]`	Pull secrets for private registries.

ChiefOnboarding Configuration

Parameter	Type	Default	Description
`chiefonboarding.port`	integer	`8000`	Internal HTTP port (Django development server).
`chiefonboarding.baseUrl`	string	`""`	Public base URL of the instance (e.g. `https://onboarding.example.com`).
`chiefonboarding.secretKey`	string	`""`	Django SECRET_KEY for session signing and CSRF protection.
`chiefonboarding.existingSecret`	string	`""`	Existing Kubernetes Secret containing the Django secret key.
`chiefonboarding.existingSecretKey`	string	`secret-key`	Key inside the existing secret holding the Django SECRET_KEY.
`chiefonboarding.extraEnv`	array	`[]`	Extra environment variables for integrations and advanced configuration.

Set baseUrl to your public URL

chiefonboarding.baseUrl must be set to your actual public URL before deploying. Django uses this value to generate links in email notifications and onboarding task messages. Without it, all links sent to new hires will be empty or incorrect.

Always set secretKey explicitly

If chiefonboarding.secretKey is empty, a Django SECRET_KEY is auto-generated at startup. If the pod is recreated with a new key, all user sessions are invalidated, all pending password reset links expire, and all CSRF tokens become invalid. Always provide a stable, explicit key or use chiefonboarding.existingSecret.

Integrations via extraEnv

ChiefOnboarding integrations (Slack, Google Workspace, email) are configured via environment variables. Use chiefonboarding.extraEnv with secretKeyRef to inject integration tokens securely. See the ChiefOnboarding integration documentation for the full list of required variables per integration.

Database — Embedded Subchart

Parameter	Type	Default	Description
`postgresql.enabled`	boolean	`true`	Deploy a bundled PostgreSQL subchart for ChiefOnboarding.
`postgresql.architecture`	string	`standalone`	PostgreSQL deployment architecture.
`postgresql.auth.database`	string	`chiefonboarding`	Database name created by the subchart.
`postgresql.auth.username`	string	`chiefonboarding`	Database username created by the subchart.
`postgresql.auth.password`	string	`""`	Database password (auto-generated if empty).

Database — External

Parameter	Type	Default	Description
`database.external.host`	string	`""`	External PostgreSQL hostname or IP.
`database.external.port`	string	`"5432"`	External PostgreSQL port.
`database.external.name`	string	`chiefonboarding`	Database name on the external server.
`database.external.username`	string	`chiefonboarding`	Username for the external database.
`database.external.password`	string	`""`	Password for the external database (plain text — prefer secret).
`database.external.existingSecret`	string	`""`	Existing secret containing the database password.
`database.external.existingSecretPasswordKey`	string	`password`	Key inside the existing secret for the password.

Service

Parameter	Type	Default	Description
`service.type`	string	`ClusterIP`	Kubernetes service type.
`service.port`	integer	`80`	Service port exposed to the cluster.
`service.annotations`	object	`{}`	Annotations for the Service.

Ingress

Parameter	Type	Default	Description
`ingress.enabled`	boolean	`false`	Enable an Ingress resource.
`ingress.ingressClassName`	string	`traefik`	Ingress class name.
`ingress.annotations`	object	`{}`	Annotations for the Ingress (e.g. cert-manager).
`ingress.hosts`	array	`[]`	Ingress host and path rules.
`ingress.tls`	array	`[]`	TLS configuration (secret name and hosts).

Probes

Parameter	Type	Default	Description
`probes.startup.enabled`	boolean	`true`	Enable startup probe.
`probes.startup.initialDelaySeconds`	integer	`10`	Startup probe initial delay.
`probes.startup.periodSeconds`	integer	`5`	Startup probe period.
`probes.startup.timeoutSeconds`	integer	`3`	Startup probe timeout.
`probes.startup.failureThreshold`	integer	`30`	Startup probe failure threshold.
`probes.liveness.enabled`	boolean	`true`	Enable liveness probe.
`probes.liveness.initialDelaySeconds`	integer	`0`	Liveness probe initial delay.
`probes.liveness.periodSeconds`	integer	`15`	Liveness probe period.
`probes.liveness.timeoutSeconds`	integer	`5`	Liveness probe timeout.
`probes.liveness.failureThreshold`	integer	`3`	Liveness probe failure threshold.
`probes.readiness.enabled`	boolean	`true`	Enable readiness probe.
`probes.readiness.initialDelaySeconds`	integer	`0`	Readiness probe initial delay.
`probes.readiness.periodSeconds`	integer	`10`	Readiness probe period.
`probes.readiness.timeoutSeconds`	integer	`5`	Readiness probe timeout.
`probes.readiness.failureThreshold`	integer	`3`	Readiness probe failure threshold.

Resources and Security

Parameter	Type	Default	Description
`resources`	object	`{}`	CPU and memory requests and limits.
`podSecurityContext`	object	`{}`	Pod-level security context.
`securityContext`	object	`{}`	Container-level security context.

Service Account

Parameter	Type	Default	Description
`serviceAccount.create`	boolean	`false`	Create a dedicated ServiceAccount.
`serviceAccount.name`	string	`""`	Override the ServiceAccount name.
`serviceAccount.annotations`	object	`{}`	Annotations for the ServiceAccount.

Scheduling

Parameter	Type	Default	Description
`nodeSelector`	object	`{}`	Node selector for scheduling.
`tolerations`	array	`[]`	Tolerations for scheduling.
`affinity`	object	`{}`	Affinity rules.
`topologySpreadConstraints`	array	`[]`	Topology spread constraints.
`priorityClassName`	string	`""`	PriorityClass for the pod.
`terminationGracePeriodSeconds`	integer	`30`	Termination grace period.
`podLabels`	object	`{}`	Extra labels for the pod.
`podAnnotations`	object	`{}`	Extra annotations for the pod.

Extra

Parameter	Type	Default	Description
`extraVolumes`	array	`[]`	Extra volumes to attach to the pod.
`extraVolumeMounts`	array	`[]`	Extra volume mounts for the container.
`extraManifests`	array	`[]`	Extra Kubernetes manifests deployed alongside the chart.

Common Issues

Users cannot log in after upgrade

If users cannot log in after a Helm upgrade, the Django SECRET_KEY may have changed. Check that chiefonboarding.secretKey or chiefonboarding.existingSecret is set and matches the value used during the previous deployment.

Create the first admin user

ChiefOnboarding does not ship with a default admin account. After the first deployment, access the instance and complete the initial setup wizard to create your admin credentials. The setup wizard is only shown when no admin account exists.