Kubernetes Operator Helm chart parameters
This page describes the Helm chart parameters for the Delphix Kubernetes Operator (v1.0.0).
Required Parameters
Installation Mode
| Parameter | Description | Default |
|---|---|---|
| installMode | Installation mode. Set to crds-only to install only CRDs (equivalent to make install), or full to install CRDs + Operator + Webhooks + RBAC (equivalent to make deploy). | full |
Image Configuration
| Parameter | Description | Default |
|---|---|---|
| image.repository | Operator container image repository. | k8s-pgsql-operator.download.delphix.com/delphix-kubernetes-operator |
| image.tag | Operator container image tag. | v1.0.0 |
| image.pullPolicy | Image pull policy. | Always |
| imagePullSecrets | List of Kubernetes secrets for pulling images from private registries. | [] |
DCT (Data Control Tower) Configuration
These parameters configure the operator’s connection to the Delphix Data Control Tower instance.
| Parameter | Description | Default |
|---|---|---|
| dct.url | URL of the Delphix DCT instance. It should be the same DCT instance that was used in the k8s driver (e.g., dct.company.com or https://dct.company.com). Required when installMode is full. | " " |
| dct.apiKey | API key for authenticating with the DCT instance. Required when installMode is full. | " " |
| dct.skipSSLVerify | Set to true to skip SSL certificate verification (e.g., for self-signed certificates). | false |
| dct.existingSecret (See the note below for additional information) | Name of a pre-existing K8s secret for DCT credentials. If specified, url and apiKey are omitted and the chart will NOT create a new secret. | "dct-credentials" |
NOTE: To use an existing Kubernetes secret, create the required DCT credentials secret as shown below:

```bash
kubectl create secret generic dct-credentials \
  --from-literal=ENGINE_HOST=<DCT_HOST_ADDRESS> \
  --from-literal=API_KEY=<DCT_API_KEY> \
  --from-literal=SKIP_SSL_VERIFY=true \
  -n <namespace>
```

Private Registry Configuration
These parameters configure image pulling from a private container registry.
| Parameter | Description | Default |
|---|---|---|
| privateRegistry.enabled | Enable private registry support. When enabled, a Docker registry secret is created automatically. | false |
| privateRegistry.registry | URL of the private container registry. | " " |
| privateRegistry.username | Username for authenticating with the private registry. | " " |
| privateRegistry.password | Password for authenticating with the private registry. | " " |
Pre-flight Checks
Pre-flight checks run as a Helm pre-install/pre-upgrade hook to validate the cluster environment before deploying the operator.
| Parameter | Description | Default |
|---|---|---|
| preflightChecks.checkStorageClass | Enable the pre-flight check that verifies the required StorageClass exists. | true |
| preflightChecks.requiredStorageClass | Name of the StorageClass that must exist in the cluster. The Delphix CSI Driver creates this StorageClass. | de-fs-storage |
Service Account
| Parameter | Description | Default |
|---|---|---|
| serviceAccount.create | Whether to create a ServiceAccount for the operator. | true |
| serviceAccount.annotations | Annotations to add to the ServiceAccount. | {} |
| serviceAccount.name | Name of the ServiceAccount. If not set, a name is generated from the release name. | " " |
Resources
| Parameter | Description | Default |
|---|---|---|
| resources.limits.cpu | CPU limit for the operator container. | 500m |
| resources.limits.memory | Memory limit for the operator container. | 512Mi |
| resources.requests.cpu | CPU request for the operator container. | 100m |
| resources.requests.memory | Memory request for the operator container. | 128Mi |
Optional parameters
Service
| Parameter | Description | Default |
|---|---|---|
| service.type | Kubernetes Service type for exposing metrics. | ClusterIP |
| service.port | Port for the metrics service. | 8080 |
General
| Parameter | Description | Default |
|---|---|---|
| replicaCount | Number of operator pod replicas. | 1 |
| nameOverride | Overrides the chart name used in resource names. | " " |
| fullnameOverride | Fully overrides the generated resource name. | " " |
Pod configuration
| Parameter | Description | Default |
|---|---|---|
| podAnnotations | Annotations to add to the operator pod. | {} |
| podSecurityContext.runAsNonRoot | Require the pod to run as a non-root user. | true |
Container Security Context
| Parameter | Description | Default |
|---|---|---|
| securityContext.allowPrivilegeEscalation | Allow privilege escalation in the operator container. The default, false, disallows it. | false |
| securityContext.capabilities.drop | Linux capabilities to drop. | ["ALL"] |
| securityContext.readOnlyRootFilesystem | Mount the root filesystem as read-only. | true |
| securityContext.runAsNonRoot | Require the container to run as a non-root user. | true |
Scheduling
| Parameter | Description | Default |
|---|---|---|
| nodeSelector | Node labels for pod scheduling constraints. Example: {"disktype": "ssd"}. | {} |
| tolerations | Tolerations for pod scheduling on tainted nodes. | [] |
| affinity | Affinity rules for advanced pod scheduling (node affinity, pod affinity/anti-affinity). | {} |
Monitoring
| Parameter | Description | Default |
|---|---|---|
| metrics.enabled | Enable Prometheus metrics endpoint. | true |
| metrics.port | Port for the metrics endpoint. | 8080 |
Webhooks
| Parameter | Description | Default |
|---|---|---|
| webhooks.enabled | Enable admission webhook validation and defaulting. Requires cert-manager or manual certificates. | false |
| webhooks.certManager.issuerKind | Specifies the kind of cert-manager issuer to use for the webhook TLS certificate (Issuer or ClusterIssuer). Defaults to the self-signed Issuer created by the chart. | " " |
| webhooks.certManager.issuerName | Name of the cert-manager issuer. Defaults to <release-name>-selfsigned-issuer. | " " |
| webhooks.manualCerts.caBundle | Base64-encoded CA certificate used to verify the webhook server TLS certificate. Required when webhooks.certManager.enabled=false. | " " |
| webhooks.port | Port for the webhook server. | 9443 |
| webhooks.failurePolicy | Webhook failure policy. Set to Fail to reject requests when the webhook is unavailable, or Ignore to allow them. | Fail |
| webhooks.namespaceSelector | Namespace selector to limit which namespaces the webhook applies to. | {} |
| webhooks.admissionReviewVersions | Supported admission review API versions. | ["v1", "v1beta1"] |
| webhooks.certManager.enabled | Use cert-manager for automatic certificate management (recommended). | true |
| webhooks.manualCerts.tlsCrt | Base64-encoded TLS certificate (used when certManager.enabled is false). | " " |
| webhooks.manualCerts.tlsKey | Base64-encoded TLS private key (used when certManager.enabled is false). | " " |
Operator configuration
| Parameter | Description | Default |
|---|---|---|
| logLevel | Log verbosity for the operator manager. Passed to --zap-log-level. Accepts named levels (info, debug, error) or an integer (0=info, 1=debug). Omit or set to empty string to use the operator's compiled-in default. | "info" |
| logFormat | Log encoder format — `"json"` (structured, production) or `"console"` (human-readable, development). | "json" |
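
An added example, not part of the Delphix chart or its documentation: a small Python check that flags values overrides which weaken the security-relevant defaults listed in the tables above or place credentials inline in the values. The function names and the sample override are constructed, and the override is assumed to be already parsed into a dict.

```python
# Added example: audit Helm values for this chart against its documented defaults.
# Parameter names and defaults come from the tables on this page;
# lookup(), audit() and SAMPLE are constructed for illustration.

# Security-relevant parameters and the documented default each should keep.
EXPECTED = {
    "dct.skipSSLVerify": False,
    "podSecurityContext.runAsNonRoot": True,
    "securityContext.allowPrivilegeEscalation": False,
    "securityContext.capabilities.drop": ["ALL"],
    "securityContext.readOnlyRootFilesystem": True,
    "securityContext.runAsNonRoot": True,
    "webhooks.failurePolicy": "Fail",
}
# Parameters that put a credential or private key into the values file itself.
INLINE_SECRETS = ["dct.apiKey", "privateRegistry.password", "webhooks.manualCerts.tlsKey"]

_MISSING = object()

def lookup(values, dotted):
    """Walk a nested dict by dotted path; return _MISSING if any key is absent."""
    node = values
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node

def audit(values):
    """Return sorted findings for overrides that weaken the documented defaults."""
    findings = []
    for path, expected in EXPECTED.items():
        actual = lookup(values, path)
        if actual is not _MISSING and actual != expected:
            findings.append(f"{path}: {actual!r} (documented default {expected!r})")
    for path in INLINE_SECRETS:
        actual = lookup(values, path)
        # The chart's documented default is a blank string, so ignore whitespace.
        if actual is not _MISSING and str(actual).strip():
            findings.append(f"{path}: secret material set inline in values")
    return sorted(findings)

# Constructed sample override, as it would look after parsing a values file.
SAMPLE = {
    "dct": {"url": "https://dct.company.com", "apiKey": "EXAMPLE-KEY", "skipSSLVerify": True},
    "securityContext": {"readOnlyRootFilesystem": False, "capabilities": {"drop": ["ALL"]}},
    "webhooks": {"enabled": True, "failurePolicy": "Ignore"},
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

A secret referenced through dct.existingSecret never appears in the values, so the SKIP_SSL_VERIFY key shown in the kubectl command in the DCT section has to be reviewed on the cluster itself.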