Helm chart parameters

The following table describes the available settings for the VerticaDB operator and admission controller Helm chart.

Helm chart parameters are organized into two groups: one set controls the VerticaDB operator and admission controller, and the other manages the monitoring components (Grafana, Prometheus, and Loki/Alloy).

VerticaDB operator and admission controller parameters

affinity
Applies rules that constrain the VerticaDB operator to specific nodes. It is more expressive than nodeSelector. If this parameter is not set, then the operator uses no affinity setting.
containerSecurityContext
Specifies the security settings for running the manager container.

Defaults:

allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
  drop:
  - ALL
  
controllers.burstSize
Defines the burst size for event recording in the operator. Increasing this value allows the controllers to record more events in a short period.

Default: 100

controllers.enable
Determines whether controllers are enabled when running the operator. Controllers watch and act on custom resources within the cluster.

For namespace-scoped operators, set this to false. This deploys the cluster-scoped operator only as a webhook, and then you can set webhook.enable to false and deploy the controllers to an individual namespace. For details, see Installing the VerticaDB operator.

Default: true

controllers.sandboxMaxBackoffDuration
Specifies the maximum backoff duration (in milliseconds) for requeuing in the sandbox controller. Increase this value to reduce the requeue frequency when you have multiple sandboxes running.

Default: 1000

controllers.scope
Scope of the controllers in the VerticaDB operator. Controllers watch and act on custom resources within the cluster. This parameter accepts the following values:
  • cluster: The controllers watch for changes to all resources across all namespaces in the cluster.
  • namespace: The controllers watch for changes to resources only in the namespace specified during deployment. You must deploy the operator as a webhook for the cluster, then deploy the operator controllers in a namespace. You can deploy multiple namespace-scoped operators within the same cluster.

For details, see Installing the VerticaDB operator.

Default: cluster

controllers.vdbMaxBackoffDuration
Specifies the maximum backoff duration (in milliseconds) for requeuing in the VerticaDB controller. Increase this value to reduce the requeue frequency when multiple databases are running.

Default: 1000

image.name
Name of the image that runs the operator.

Default: vertica/verticadb-operator:version

imagePullSecrets
List of Secrets that store credentials to authenticate to the private container repository specified by image.repo. For details, see Specifying ImagePullSecrets in the Kubernetes documentation.
image.repo
Server that hosts the repository that contains image.name. Use this parameter for deployments that require control over a private hosting server, such as an air-gapped operator.

Default: docker.io

keda.createRBACRules
Specifies if ClusterRole-based RBAC rules are created for accessing KEDA resources.

Default: true

logging.filePath

Path to a log file in the VerticaDB operator filesystem. If this value is not specified, OpenText™ Analytics Database writes logs to standard output.

Default: Empty string (' ') that indicates standard output.

logging.level
Minimum logging level. This parameter accepts the following values:
  • debug

  • info

  • warn

  • error

Default: info

logging.maxFileSize

When logging.filePath is set, the maximum size in MB of the logging file before log rotation occurs.

Default: 500

logging.maxFileAge

When logging.filePath is set, the maximum age in days of the logging file before log rotation deletes the file.

Default: 7

logging.maxFileRotation

When logging.filePath is set, the maximum number of files that are kept in rotation before the old ones are removed.

Default: 3

nameOverride
Sets the prefix for the name assigned to all objects that the Helm chart creates.

If this parameter is not set, each object name begins with the name of the Helm chart, verticadb-operator.

nodeSelector
Controls which nodes are used to schedule the operator pod. If this is not set, the node selector is omitted from the operator pod when it is created. To set this parameter, provide a list of key/value pairs.

The following example schedules the operator only on nodes that have the region=us-east label:

nodeSelector:
  region: us-east
  
priorityClassName
PriorityClass name assigned to the operator pod. This affects where the pod is scheduled.
prometheus.createProxyRBAC
When set to true, creates role-based access control (RBAC) rules that authorize access to the operator's /metrics endpoint for the Prometheus integration.

Default: true

prometheus.expose
Configures the operator's /metrics endpoint for the Prometheus integration. The following options are valid:
  • EnableWithAuth: Creates a new service object that exposes an HTTPS /metrics endpoint. RBAC rules control access to the metrics.

  • EnableWithoutAuth: Creates a new service object that exposes an HTTP /metrics endpoint that does not authorize connections. Any client with network access can read the metrics.

  • EnableWithTLS: Creates a service object that exposes an HTTPS /metrics endpoint. However, it does not perform authority validation when using the endpoint. Any Kubernetes pod with network access and the appropriate certificates can read the metrics. The endpoint requires prometheus.tlsSecret for TLS configuration. If prometheus.tlsSecret is not set, the behavior mirrors EnableWithoutAuth, except that the endpoint operates over HTTPS.

  • Disable: Prometheus metrics are not exposed.

Default: Disable

prometheus.tlsSecret
Secret that contains the TLS certificates for the Prometheus /metrics endpoint. You must create this Secret in the same namespace that you deployed the Helm chart.

The Secret requires the following values:

  • tls.key: TLS private key

  • tls.crt: TLS certificate for the private key

  • ca.crt: Certificate authority (CA) certificate

To ensure that the operator uses the certificates in this parameter, you must set prometheus.expose to EnableWithTLS.

When prometheus.expose is set to EnableWithAuth and prometheus.tlsSecret is set, your private key and certificate (if provided) are validated against the CA certificate (ca.crt) in prometheus.tlsSecret. If no key and certificate are provided, certificate authentication does not occur.

When prometheus.expose is set to EnableWithTLS and prometheus.tlsSecret is set, you must provide a valid private key and certificate.
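
The following added example (not part of the VerticaDB chart or its documentation) encodes the prometheus.expose and prometheus.tlsSecret rules above as a check over merged chart values. The function name, the severity labels, and the sample Secret name metrics-tls are assumptions of this example, and the values dict is assumed to come from a command such as helm get values --all -o json.

```python
# Added example: encodes the prometheus.expose / prometheus.tlsSecret rules above.
# Function name and severity labels are this example's own, not the chart's.
MODES = {"EnableWithAuth", "EnableWithoutAuth", "EnableWithTLS", "Disable"}
KEYPAIR = {"tls.key", "tls.crt"}


def audit_metrics_exposure(values, secret_keys=None):
    """Return (severity, message) findings for merged chart values.

    values: dict of merged values (assumed source: helm get values --all -o json).
    secret_keys: key names found in the Secret named by prometheus.tlsSecret,
                 or None when the Secret was not inspected.
    """
    prom = values.get("prometheus") or {}
    expose = prom.get("expose", "Disable")  # documented default
    tls_secret = prom.get("tlsSecret") or ""
    out = []
    if expose not in MODES:
        return [("error", f"unknown prometheus.expose value {expose!r}")]
    if expose == "EnableWithoutAuth":
        out.append(("high", "HTTP /metrics with no authorization"))
    if tls_secret and expose in ("Disable", "EnableWithoutAuth"):
        out.append(("warn", f"prometheus.tlsSecret is unused when expose={expose}"))
    if expose == "EnableWithTLS" and not tls_secret:
        out.append(("high", "no tlsSecret: behaves like EnableWithoutAuth over HTTPS"))
    if tls_secret and secret_keys is not None and expose.startswith("EnableWithT") \
            or tls_secret and secret_keys is not None and expose == "EnableWithAuth":
        keys = set(secret_keys)
        if "ca.crt" not in keys:
            out.append(("error", "Secret is missing ca.crt"))
        missing = sorted(KEYPAIR - keys)
        if missing and expose == "EnableWithTLS":
            out.append(("error", f"EnableWithTLS requires {', '.join(missing)}"))
        elif missing:
            out.append(("info", "no key pair: certificate authentication is skipped"))
    return out


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    samples = [
        ({"prometheus": {"expose": "EnableWithoutAuth"}}, None),
        ({"prometheus": {"expose": "EnableWithTLS"}}, None),
        ({"prometheus": {"expose": "EnableWithAuth", "tlsSecret": "metrics-tls"}}, ["ca.crt"]),
    ]
    for vals, keys in samples:
        print(vals["prometheus"], "->", audit_metrics_exposure(vals, keys) or "ok")
```
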

reconcileConcurrency.sandboxconfigmap
Number of concurrent reconciliations for ConfigMaps that store the state for a sandbox.

Default: 1

reconcileConcurrency.verticaautoscaler
Number of concurrent reconciliation loops the operator runs for all VerticaAutoscaler CRs in the cluster.
reconcileConcurrency.verticadb
Number of concurrent reconciliation loops the operator runs for all VerticaDB CRs in the cluster.
reconcileConcurrency.verticaeventtrigger
Number of concurrent reconciliation loops the operator runs for all EventTrigger CRs in the cluster.
reconcileConcurrency.verticareplicator
Number of concurrent reconciliations for VerticaReplicator custom resources.

Default: 3

reconcileConcurrency.verticarestorepointsquery
Number of concurrent reconciliations for VerticaRestorePointsQuery custom resources.

Default: 1

reconcileConcurrency.verticascrutinize
Number of concurrent reconciliations for VerticaScrutinize custom resources.

Default: 1

resources.limits and resources.requests
The resource requirements for the operator pod.

resources.limits is the maximum amount of CPU and memory that an operator pod can consume from its host node.

resources.requests is the maximum amount of CPU and memory that an operator pod can request from its host node.

Defaults:

resources:
  limits:
    cpu: 100m
    memory: 750Mi
  requests:
    cpu: 100m
    memory: 20Mi
  
securityContext
Specifies pod-level security attributes and common container settings.

Defaults:

fsGroup: 65532
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
  type: RuntimeDefault
  
serviceAccountAnnotations
Map of annotations that is added to the service account created for the operator.
serviceAccountNameOverride
Controls the name of the service account created for the operator.
tolerations
Any taints and tolerations that influence where the operator pod is scheduled.
webhook.certSource
How TLS certificates are provided for the admission controller webhook. This parameter accepts the following values:
  • internal: The VerticaDB operator internally generates a self-signed, 10-year expiry certificate before starting the managing controller. When the certificate expires, you must manually restart the operator pod to create a new certificate.

  • secret: You generate the custom certificates before you create the Helm chart and store them in a Secret. This option requires that you set webhook.tlsSecret.

    If webhook.tlsSecret is set, then this option is implicitly selected.

Default: internal

For details, see Installing the VerticaDB operator.

webhook.enable
Determines whether the Helm chart installs the admission controller webhooks for the custom resource definitions. The webhook is cluster-scoped, and you can install only one webhook per cluster.

If your environment uses namespace-scoped operators, you must install the webhook for the cluster, then disable the webhook for each namespace installation. For details, see Installing the VerticaDB operator.

Default: true

webhook.tlsSecret
Secret that contains a PEM-encoded certificate authority (CA) bundle and its keys.

The CA bundle validates the webhook's server certificate. If this is not set, the webhook uses the system trust roots on the apiserver.

This Secret includes the following keys for the CA bundle:

  • tls.key

  • ca.crt

  • tls.crt

Monitoring parameters

alloy.enabled
Deploys Alloy as part of the chart.

Default: false

alloy.configMap.create
Determines whether to create a new ConfigMap for the configuration file.

Default: true

alloy.configMap.key
Key in the ConfigMap to use when referencing an existing configuration.
alloy.configMap.name
Name of the existing ConfigMap to use when alloy.configMap.create is false.
alloy.rbac.create
Determines whether to create RBAC resources for Alloy.

Default: true

alloy.replicaCount
Specifies the number of replicas for the Alloy deployment.

Default: 3

alloy.serviceAccount.create
Determines whether to create a service account for Alloy.

Default: true

alloy.serviceAccount.name
Specifies the name of the existing service account to use when alloy.serviceAccount.create is set to false.
grafana.admin.existingSecret
Name of the existing secret. Supports templating.

Default: ""

grafana.admin.passwordKey
The key within the secret that contains the password.

Default: admin-password

grafana.admin.userKey
The key within the secret that contains the username.

Default: admin-user

grafana.adminPassword
Password for the Grafana administrator account.

Default: admin

grafana.adminUser
Username for the Grafana administrator account.

Default: admin

grafana.enabled
Deploys Grafana as part of the chart.

Default: false

grafana.grafana.ini
Grafana's primary configuration.
grafana.namespaceOverride
Overrides the namespace in which Grafana is deployed.

Default: ""

grafana.persistence
Controls persistent storage for Grafana.
persistence:
    type: pvc
    enabled: false
    ## (Optional) Use this to bind the claim to an existing PersistentVolume (PV) by name.
    volumeName: ""
    accessModes:
      - ReadWriteOnce
    size: 10Gi
    finalizers:
      - kubernetes.io/pvc-protection
  
grafana.replicas
Number of Grafana pods.

Default: 1

grafana.service
Exposes the Grafana service either externally via LoadBalancer or internally via ClusterIP. You can set the service type and port for access.
service:
  enabled: true
  type: ClusterIP
  ipFamilyPolicy: ""
  ipFamilies: []
  loadBalancerIP: ""
  loadBalancerClass: ""
  port: 80
  targetPort: 3000
  annotations: {}
  labels: {}
  portName: http-web
  appProtocol: ""
  sessionAffinity: ""
  
loki.enabled
Deploys Loki as part of the chart.

Default: false

loki.lokiCanary.enabled
Enables the Loki canary which pushes logs to and queries from this Loki instance to test that it is working correctly.

Default: true

loki.minio.enabled
Indicates whether MinIO is used as the object storage backend.

Default: true

loki.loki.commonConfig.replication_factor
Stores multiple copies of logs in the ingester component.

Default: 3

loki.loki.compactor.retention_enabled
Enables log retention.

Default: false

loki.loki.limits_config.retention_period
Sets the global retention period.

Default: 720h

loki.loki.schemaConfig.configs.object_store
Specifies the type of object storage used for schema configuration.

Default: s3

loki.loki.storage.type
Storage for Loki chunks.

Default: s3

loki.test.enabled
Enables testing of the Loki data source to check that it is working.

Default: true

prometheusServer.defaultRules.create
Creates default recording and alerting rules.

Default: false

prometheusServer.enabled
Deploys Prometheus server as part of the chart.

Default: false

prometheusServer.prometheusOperator.admissionWebhooks.enabled
Enables admission webhooks for Prometheus Operator.

Default: false

prometheusServer.prometheusOperator.enabled
Enables the Prometheus Operator which is required for Prometheus deployment.

Default: true

prometheusServer.prometheus.prometheusSpec.replicas
Number of Prometheus replicas.

Default: 1

prometheusServer.prometheus.prometheusSpec.retention
Duration for which Prometheus retains data.

Default: 7 days

prometheusServer.prometheus.prometheusSpec.retentionSize
Maximum storage size before Prometheus begins deleting older data.

Default: 2GB

prometheusServer.prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.resources.requests.storage
Size of the persistent volume for Prometheus storage.

Default: 5Gi

prometheusServer.prometheus.service
Configuration for Prometheus service.
prometheusServer.prometheus.serviceAccount.annotations
Annotations to add to the serviceAccount.

Default: {}

prometheusServer.prometheus.serviceAccount.automountServiceAccountToken
Specifies whether the serviceAccount’s token is automatically mounted into the pod.

Default: true

prometheusServer.prometheus.serviceAccount.create
Specifies whether a serviceAccount with the required permissions should be created.

Default: false

prometheusServer.prometheus.serviceAccount.name
Name of the serviceAccount. Defaults to prometheus-vertica-sa if create is false (this is the static name generated by the operator from a template).
prometheusServer.prometheus.web
WebTLSConfig defines the TLS parameters for HTTPS.

Default: {}