Helm Values Reference
Complete reference for all configurable values in the e6data operator Helm chart.
Installation
Basic Installation
```bash
helm install e6-operator ./helm/e6-operator \
  --namespace e6-operator-system \
  --create-namespace \
  --set image.repository=us-docker.pkg.dev/e6data-analytics/e6data/e6-operator \
  --set image.tag=1.0.201 \
  --set 'imagePullSecrets[0].name=gcr-json-key'
```
Using Values File (Recommended)
```bash
helm install e6-operator ./helm/e6-operator \
  --namespace e6-operator-system \
  --create-namespace \
  --values operator-values.yaml
```
Core Values
Image Configuration
| Value | Description | Default |
|---|---|---|
| image.repository | Container image repository | e6data/e6-operator |
| image.tag | Image tag (defaults to chart appVersion) | "" |
| image.pullPolicy | Image pull policy | IfNotPresent |
| imagePullSecrets | Array of image pull secret names | [] |

```yaml
image:
  repository: us-docker.pkg.dev/e6data-analytics/e6data/e6-operator
  tag: "1.0.201"
  pullPolicy: IfNotPresent
imagePullSecrets:
  - name: gcr-json-key
```
Replica Count
| Value | Description | Default |
|---|---|---|
| replicaCount | Number of operator replicas | 1 |
Note: Should always be 1 for leader election to work properly.
ServiceAccount
| Value | Description | Default |
|---|---|---|
| serviceAccount.create | Create service account | true |
| serviceAccount.annotations | Annotations for SA | {} |
| serviceAccount.name | SA name (generated if empty) | "" |

```yaml
serviceAccount:
  create: true
  annotations:
    # AWS IRSA annotation (if operator needs AWS access)
    eks.amazonaws.com/role-arn: "arn:aws:iam::ACCOUNT:role/e6-operator-role"
  name: ""
```
RBAC Configuration
| Value | Description | Default |
|---|---|---|
| rbac.create | Create RBAC resources | true |
| rbac.scope | RBAC scope: cluster or namespaced | cluster |
| rbac.watchNamespaces | Namespaces for namespaced RBAC | [] |
| rbac.extraRules | Additional RBAC rules | [] |
Cluster-Wide RBAC (Default)
```yaml
rbac:
  create: true
  scope: cluster
```
Namespace-Scoped RBAC
Restricts operator to specific namespaces:
```yaml
rbac:
  create: true
  scope: namespaced
  watchNamespaces:
    - workspace-prod
    - workspace-staging
    - greptime-system
```
Additional RBAC Rules
```yaml
rbac:
  extraRules:
    - apiGroups: [""]
      resources: ["configmaps"]
      verbs: ["get", "list", "watch"]
```
Karpenter Integration
| Value | Description | Default |
|---|---|---|
| karpenter.enabled | Enable Karpenter RBAC | false |
Enable when using Karpenter for dynamic node provisioning (AWS/Azure/GCP):
This grants the operator permissions to create/manage:
- NodePools (karpenter.sh)
- EC2NodeClasses (AWS)
- AKSNodeClasses (Azure)
- GCPNodeClasses (GCP)
Webhook Configuration
| Value | Description | Default |
|---|---|---|
| webhook.enabled | Enable validation webhooks | true |
| webhook.port | Webhook server port | 9443 |
| webhook.service.type | Service type | ClusterIP |
| webhook.service.port | Service port | 443 |
| webhook.certManager.enabled | Use cert-manager for TLS | true |
| webhook.certManager.duration | Certificate validity | 8760h (1 year) |
| webhook.certManager.renewBefore | Renewal period | 720h (30 days) |
Using cert-manager (Recommended)
```yaml
webhook:
  enabled: true
  certManager:
    enabled: true
    duration: 8760h
    renewBefore: 720h
    # Optional: use custom issuer
    issuerRef:
      name: letsencrypt-prod
      kind: ClusterIssuer
```
Manual Certificates
```yaml
webhook:
  enabled: true
  certManager:
    enabled: false
  certificate:
    cert: "base64-encoded-certificate"
    key: "base64-encoded-key"
    ca: "base64-encoded-ca"
```
API Server Configuration
The operator exposes an HTTP API for autoscaling endpoints.
| Value | Description | Default |
|---|---|---|
| api.port | API server port | 8082 |
| api.service.enabled | Create API service | true |
| api.service.type | Service type | ClusterIP |
| api.service.port | Service port | 8082 |

```yaml
api:
  port: 8082
  service:
    enabled: true
    type: ClusterIP
    port: 8082
    annotations:
      # Add annotations if needed
```
Metrics Configuration
| Value | Description | Default |
|---|---|---|
| metrics.port | Metrics port | 8080 |
| metrics.service.enabled | Create metrics service | true |
| metrics.service.type | Service type | ClusterIP |
| metrics.service.port | Service port | 8080 |

```yaml
metrics:
  port: 8080
  service:
    enabled: true
    type: ClusterIP
    port: 8080
    annotations:
      prometheus.io/scrape: "true"
      prometheus.io/port: "8080"
```
ServiceMonitor (Prometheus Operator)
| Value | Description | Default |
|---|---|---|
| serviceMonitor.enabled | Create ServiceMonitor | false |
| serviceMonitor.interval | Scrape interval | 30s |
| serviceMonitor.scrapeTimeout | Scrape timeout | 10s |
| serviceMonitor.additionalLabels | Extra labels | {} |

```yaml
serviceMonitor:
  enabled: true
  interval: 30s
  scrapeTimeout: 10s
  additionalLabels:
    release: prometheus
```
Resource Configuration
| Value | Description | Default |
|---|---|---|
| resources.limits.cpu | CPU limit | 500m |
| resources.limits.memory | Memory limit | 512Mi |
| resources.requests.cpu | CPU request | 100m |
| resources.requests.memory | Memory request | 128Mi |

```yaml
resources:
  limits:
    cpu: 500m
    memory: 512Mi
  requests:
    cpu: 100m
    memory: 128Mi
```
Production Recommendation
For production clusters with many CRs:
```yaml
resources:
  limits:
    cpu: 1000m
    memory: 1Gi
  requests:
    cpu: 200m
    memory: 256Mi
```
Scheduling Configuration
Node Selector
| Value | Description | Default |
|---|---|---|
| nodeSelector | Node labels for pod assignment | {} |

```yaml
nodeSelector:
  kubernetes.io/arch: amd64
  node-type: system
```
Tolerations
| Value | Description | Default |
|---|---|---|
| tolerations | Pod tolerations | [] |

```yaml
tolerations:
  - key: "CriticalAddonsOnly"
    operator: "Exists"
  - key: "node-role.kubernetes.io/control-plane"
    operator: "Exists"
    effect: "NoSchedule"
```
Affinity
| Value | Description | Default |
|---|---|---|
| affinity | Pod affinity rules | {} |

```yaml
affinity:
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 100
        podAffinityTerm:
          labelSelector:
            matchExpressions:
              - key: app.kubernetes.io/name
                operator: In
                values:
                  - e6-operator
          topologyKey: kubernetes.io/hostname
```
Priority Class
| Value | Description | Default |
|---|---|---|
| priorityClassName | Priority class for pod | "" |

```yaml
priorityClassName: system-cluster-critical
```
Health Probes
Liveness Probe
| Value | Description | Default |
|---|---|---|
| livenessProbe.httpGet.path | Health check path | /healthz |
| livenessProbe.httpGet.port | Health check port | 8081 |
| livenessProbe.initialDelaySeconds | Initial delay | 15 |
| livenessProbe.periodSeconds | Check interval | 20 |
Readiness Probe
| Value | Description | Default |
|---|---|---|
| readinessProbe.httpGet.path | Readiness check path | /readyz |
| readinessProbe.httpGet.port | Readiness check port | 8081 |
| readinessProbe.initialDelaySeconds | Initial delay | 5 |
| readinessProbe.periodSeconds | Check interval | 10 |
Controller Manager Configuration
| Value | Description | Default |
|---|---|---|
| controllerManager.verboseLogging | Enable verbose logs | false |
| controllerManager.logLevel | Log level | info |
| controllerManager.extraArgs | Additional CLI args | [] |

```yaml
controllerManager:
  verboseLogging: false
  logLevel: info  # debug, info, error
  extraArgs:
    - --zap-log-level=debug
    - --zap-encoder=console
```
Leader Election
| Value | Description | Default |
|---|---|---|
| leaderElection.enabled | Enable leader election | true |
Note: Should always be true for production deployments.
Security Configuration
Pod Security Context
| Value | Description | Default |
|---|---|---|
| podSecurityContext.runAsNonRoot | Run as non-root | true |
Container Security Context
| Value | Description | Default |
|---|---|---|
| securityContext.allowPrivilegeEscalation | Allow privilege escalation | false |
| securityContext.capabilities.drop | Capabilities to drop | [ALL] |

```yaml
podSecurityContext:
  runAsNonRoot: true
  fsGroup: 65534
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 65534
```
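A drift check for a deployed release, as an added example (not part of the chart or of e6data's tooling): it compares computed values, as JSON from `helm get values --all -o json`, against the defaults, notes and security context example in this reference. The function names, the constructed sample and the wildcard check on `rbac.extraRules` are assumptions of this example; the release name and namespace are the ones used in the install commands above.

```python
import json
import sys

# Expected values from this reference's defaults, notes and security example.
EXPECTED = [
    ("replicaCount", 1),
    ("leaderElection.enabled", True),
    ("webhook.enabled", True),
    ("webhook.service.type", "ClusterIP"),
    ("api.service.type", "ClusterIP"),
    ("metrics.service.type", "ClusterIP"),
    ("podSecurityContext.runAsNonRoot", True),
    ("securityContext.allowPrivilegeEscalation", False),
    ("securityContext.readOnlyRootFilesystem", True),
]
# Constructed sample (not real output): a partial values dict with drift.
SAMPLE_DRIFTED = {
    "replicaCount": 2, "api": {"service": {"type": "LoadBalancer"}},
    "rbac": {"scope": "namespaced", "watchNamespaces": [],
             "extraRules": [{"apiGroups": [""], "resources": ["*"], "verbs": ["get"]}]},
}

def lookup(values, path):
    """Walk a dotted path through nested dicts; None if a key is missing."""
    node = values
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def audit(values):
    """Return findings as strings; an empty list means no drift."""
    findings = [f"{path}: expected {want!r}, got {lookup(values, path)!r}"
                for path, want in EXPECTED if lookup(values, path) != want]
    if "ALL" not in (lookup(values, "securityContext.capabilities.drop") or []):
        findings.append("securityContext.capabilities.drop: ALL is not dropped")
    if lookup(values, "rbac.scope") == "namespaced" and not lookup(values, "rbac.watchNamespaces"):
        findings.append("rbac.scope is namespaced but rbac.watchNamespaces is empty")
    for i, rule in enumerate(lookup(values, "rbac.extraRules") or []):
        for field in ("apiGroups", "resources", "verbs"):
            if "*" in (rule.get(field) or []):
                findings.append(f"rbac.extraRules[{i}].{field}: wildcard grant")
    return findings

if __name__ == "__main__":
    # Pipe in: helm get values e6-operator -n e6-operator-system --all -o json
    values = SAMPLE_DRIFTED if sys.stdin.isatty() else json.load(sys.stdin)
    print("\n".join(audit(values)) or "no findings")
```

Run without piped input, it audits the constructed sample; a missing key is reported as `got None`, so pass the full computed values (`--all`) rather than only user-supplied overrides.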
Advanced Configuration
```yaml
extraVolumes:
  - name: custom-config
    configMap:
      name: operator-config
extraVolumeMounts:
  - name: custom-config
    mountPath: /etc/operator-config
    readOnly: true
```
Environment Variables
```yaml
env:
  - name: LOG_FORMAT
    value: json
  - name: OPERATOR_NAMESPACE
    valueFrom:
      fieldRef:
        fieldPath: metadata.namespace
```
Deployment Strategy
```yaml
strategy:
  type: RollingUpdate
  rollingUpdate:
    maxUnavailable: 0
    maxSurge: 1
```
DNS Configuration
```yaml
dnsPolicy: ClusterFirst
dnsConfig:
  options:
    - name: ndots
      value: "2"
```
Termination Grace Period
```yaml
terminationGracePeriodSeconds: 30
```
Example Values Files
Minimal Production
```yaml
image:
  repository: us-docker.pkg.dev/e6data-analytics/e6data/e6-operator
  tag: "1.0.201"
imagePullSecrets:
  - name: gcr-json-key
resources:
  limits:
    cpu: 500m
    memory: 512Mi
  requests:
    cpu: 100m
    memory: 128Mi
rbac:
  create: true
```
AWS with Karpenter
```yaml
image:
  repository: us-docker.pkg.dev/e6data-analytics/e6data/e6-operator
  tag: "1.0.201"
imagePullSecrets:
  - name: gcr-json-key
karpenter:
  enabled: true
tolerations:
  - key: "e6data-workspace-name"
    operator: "Exists"
    effect: "NoSchedule"
serviceMonitor:
  enabled: true
  additionalLabels:
    release: prometheus
```
Multi-Tenant (Namespace-Scoped)
```yaml
image:
  repository: us-docker.pkg.dev/e6data-analytics/e6data/e6-operator
  tag: "1.0.201"
imagePullSecrets:
  - name: gcr-json-key
rbac:
  create: true
  scope: namespaced
  watchNamespaces:
    - tenant-a
    - tenant-b
    - greptime-system
```
High Availability
```yaml
image:
  repository: us-docker.pkg.dev/e6data-analytics/e6data/e6-operator
  tag: "1.0.201"
imagePullSecrets:
  - name: gcr-json-key
resources:
  limits:
    cpu: 1000m
    memory: 1Gi
  requests:
    cpu: 200m
    memory: 256Mi
affinity:
  podAntiAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchLabels:
            app.kubernetes.io/name: e6-operator
        topologyKey: kubernetes.io/hostname
priorityClassName: system-cluster-critical
tolerations:
  - key: "CriticalAddonsOnly"
    operator: "Exists"
```