# Default values for the azure-service-operator (ASO v2) Helm chart.
# Indentation below follows the key paths named in the chart's own comments
# (webhook.port, metrics.port, multitenant.enable, ...); the rendered page
# this was recovered from had lost the original nesting.

# Create secret or use an existing secret.
# When true, the credential values below (azureClientSecret, azureClientCertificate, ...)
# are materialised into a Kubernetes Secret by the chart. Supply them at install time
# (e.g. --set / --set-file or an external secret) rather than committing them to a values file.
createAzureOperatorSecret: true
# azureTenantID is the Entra tenant that the subscription is in
azureTenantID: ""
# azureAdditionalTenants is the list of (comma-separated) additional tenants the operator can authenticate with.
# This is required when performing cross-tenant authentication. See
# https://learn.microsoft.com/entra/external-id/cross-tenant-access-overview for more details.
azureAdditionalTenants: ""
# azureSubscriptionID is the Azure Subscription the operator will act against.
azureSubscriptionID: ""
# azureClientID is the client ID of the Azure Service Principal or Managed Identity to use to authenticate with Azure.
azureClientID: ""
# azureClientSecret is the client secret of the Azure Service Principal used to authenticate with Azure.
# This is required when using Service Principal authentication.
# A long-lived secret; prefer useWorkloadIdentityAuth below where the cluster supports it.
azureClientSecret: ""
# A PEM or PKCS12 certificate string including the private key for Azure Credential Authentication.
# If the certificate is password protected, use 'azureClientCertificatePassword' for the password.
azureClientCertificate: ""
# Password used to protect the client certificate (optional).
azureClientCertificatePassword: ""
# [Deprecated] Managed Identity (aad-pod-identity) Authentication
# azureManagedIdentityResourceId is the resource ID (/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{managedIdentityName})
# of the Azure Managed Identity used to authenticate with Azure if using aad-pod-identity authorization.
aadPodIdentity:
  enable: false
  azureManagedIdentityResourceId: ""
# azureSyncPeriod is the frequency at which resources are re-reconciled with Azure
# when there have been no triggering changes in the Kubernetes resources. This sync
# exists to detect and correct changes that happened in Azure that Kubernetes is not
# aware of. BE VERY CAREFUL setting this value low - even a modest number of resources
# can cause subscription level throttling if they are re-synced frequently.
# Durations are specified as "1h", "15m", or "60s". Specify the special value "never" to prevent
# syncing. See https://pkg.go.dev/time#ParseDuration for more details.
azureSyncPeriod: ""
# useWorkloadIdentityAuth can be set to use workload identity authentication
# See https://azure.github.io/azure-workload-identity/docs/introduction.html for more details about Azure Workload Identity.
# See https://azure.github.io/azure-service-operator/guide/authentication/ for details on setting up Workload Identity with ASO
useWorkloadIdentityAuth: false
# azureUserAgentSuffix is appended to the default User-Agent for Azure HTTP clients.
azureUserAgentSuffix: ""
# azureAuthorityHost is the URL of the AAD authority. If not specified, the default
# is the AAD URL for the public cloud: https://login.microsoftonline.com/. See
# https://docs.microsoft.com/azure/active-directory/develop/authentication-national-cloud
azureAuthorityHost: ""
# azureResourceManagerEndpoint is the Azure Resource Manager endpoint.
# If not specified, the default is the Public cloud resource manager endpoint.
# See https://docs.microsoft.com/cli/azure/manage-clouds-azure-cli#list-available-clouds for details
# about how to find available resource manager endpoints for your cloud. Note that the resource manager
# endpoint is referred to as "resourceManager" in the Azure CLI.
azureResourceManagerEndpoint: ""
# azureResourceManagerAudience is the Azure Resource Manager AAD audience.
# If not specified, the default is the Public cloud resource manager audience https://management.core.windows.net/.
# See https://docs.microsoft.com/cli/azure/manage-clouds-azure-cli#list-available-clouds for details
# about how to find available resource manager audiences for your cloud. Note that the resource manager
# audience is referred to as "activeDirectoryResourceId" in the Azure CLI.
azureResourceManagerAudience: ""
# allowMultiEnvManagement determines whether per-namespace and per-resource credentials can specify
# their own Azure cloud environment settings (AZURE_RESOURCE_MANAGER_ENDPOINT, AZURE_RESOURCE_MANAGER_AUDIENCE,
# and AZURE_AUTHORITY_HOST). When enabled, credentials must specify ALL three of these settings or NONE of them.
# When disabled, any attempt to specify these settings in a credential will cause reconciliation to fail.
# This defaults to false for security reasons: a credential that can redirect the operator to a different
# authority or resource-manager endpoint can redirect tokens and API calls as well.
allowMultiEnvManagement: false
# azureTargetNamespaces lists the namespaces the operator will watch
# for Azure resources (if the mode includes running watchers). If
# it's empty the operator will watch all namespaces.
azureTargetNamespaces: []
# azureOperatorMode determines whether the operator should run
# watchers, webhooks or both. The accepted strings are not listed here; the
# multitenant comment below refers to "webhooks" and "watchers".
azureOperatorMode: ""
webhook:
  # webhook.port determines the port the webhook endpoint binds to.
  port: 9443
  # webhook.certDir determines which dir to mount webhook certs.
  certDir: "/tmp/k8s-webhook-server/serving-certs"
# image defines the container image the ASO pod should run
# Note: This should use the latest released tag number explicitly. If
# it's ':latest' and someone deploys the chart after a new version has
# been released but before the chart is updated, they could get
# errors, eg. due to types in the operator binary that have no
# corresponding CRD yaml in the chart (and so no CRD in the k8s
# repository).
image:
  tag: 2.19.0-r0
  repository: cgr.dev/scratch-images/test-tmp/azure-service-operator
  # imagePullSecrets for the operator pod, if the repository requires authentication.
  pullSecrets: []
  # Content digest of the image. Pinning by digest is immutable, unlike a tag;
  # whether the template prefers digest over tag when both are set is decided in the
  # deployment template, not here — confirm there before relying on one or the other.
  digest: sha256:250392937205d72a6e58a60ce324ae32181ab94d746203ea59a3da57e3999d5f
# 'metrics' define settings for the metrics from controller.
metrics:
  enable: true
  # secure controls whether metrics should be served via 'http' or 'https'.
  # Flagging secure as 'true' would use https
  # Refer to https://azure.github.io/azure-service-operator/guide/metrics/ for more information
  secure: true
  # profiling exposes below endpoints.
  # /debug/pprof/
  # /debug/pprof/cmdline
  # /debug/pprof/profile
  # /debug/pprof/symbol
  # /debug/pprof/trace
  #
  # pprof endpoints are sensitive (they expose heap contents and stack traces of the
  # operator, which holds Azure credentials) and can only be enabled when serving metrics securely
  profiling: false
  # 'address' field defines the metrics binding address on which metrics are served.
  # The value is a Helm template expression embedded in values; it only works if the
  # chart renders it through `tpl` — confirm in the deployment template before changing it.
  # 0.0.0.0 binds every interface of the pod; the NetworkPolicies below govern who can reach it.
  address: 0.0.0.0:{{ .Values.metrics.port }}
  port: 8443
# installCRDs configures if the operator attempts to install and manage the CRDs associated with ASO.
# If the operator does not install and manage the CRDs on its own, you must manually install the appropriate
# CRDs for version of the ASO operator you're running. Manually installing a subset of the CRDs is supported;
# the operator will only reconcile that subset if those are the only CRDs it finds when the pod starts.
installCRDs: true
# crdPattern is a semicolon delimited string or a list of strings containing the CRD patterns for the operator to install.
# Setting this has no effect if installCRDs is false.
# This defines what new CRDs will be installed by ASO. Will always upgrade any existing CRDs even if no
# crdPattern is defined. Leaving this field unspecified for a fresh install of ASO will result in the operator pod
# exiting with an error saying no CRDs are configured. Leaving this field unspecified during an upgrade of ASO preserves
# the existing set of CRDs already in the cluster. The existing CRDs will be upgraded to the latest version but no
# new CRDs will be installed.
# Values can be globs utilizing * or ?. The pattern is compared against the "{group}/{kind}" string of each CRD.
# Patterns are case-insensitive.
# Example: "resources.azure.com/*" would match the "resources.azure.com/ResourceGroup" resource.
# Example: "compute.azure.com/*" would match all compute CRDs
# Example: "resources.azure.com/*;compute.azure.com/*" would match all resources.azure.com resources as well as all
# compute resources.
# We strongly recommend including entire groups such as "dbformysql.azure.com/*". Individual CRDs such as
# "dbformysql.azure.com/FlexibleServer" can be listed, but there are often other resources in the group which pair
# together to enable other scenarios, such as dbformysql.azure.com/FlexibleServersFirewallRules, and it's generally
# easier to just include the whole group.
# Installing only the groups you use also keeps the operator's RBAC and reconcile surface to the minimum needed.
# See https://azure.github.io/azure-service-operator/guide/crd-management for more details.
crdPattern: ""
# useJSONLogging selects JSON-formatted log output from the operator (inferred from the name;
# the exact format is decided by the operator binary, not the chart).
useJSONLogging: false
# deploymentAnnotations contain the deployment annotations for Azure Service Operator
deploymentAnnotations: {}
# multitenant contains the value to enable multi-tenant mode for ASOv2. If multitenant.enable is true + azureOperatorMode set to "webhooks", chart will
# install a cluster and if multitenant.enable is true + azureOperatorMode set to "watchers", chart will install a tenant.
# NOTE: 'installCRDs' should be set to false while installing a tenant.
multitenant:
  enable: false
# networkPolicies allows you to configure the NetworkPolicies deployed as part of the Chart
# The CIDR defaults below are 0.0.0.0/0, i.e. the policies permit egress to any destination on the
# respective ports. Narrow each CIDR to the actual API-server and database address ranges of your
# environment; the wide defaults exist only so the chart works without knowing your topology.
networkPolicies:
  enable: true
  # TCP port to be configured for talking to the Kubernetes API
  kubernetesApiPort: 6443
  # Destination CIDR for talking to the Kubernetes API
  kubernetesApiCIDR: 0.0.0.0/0
  # Destination CIDR for talking to MySQL servers
  mysqlCIDR: 0.0.0.0/0
  # Destination CIDR for talking to PostgreSQL servers
  postgresqlCIDR: 0.0.0.0/0
  # Destination CIDR for talking to Sql servers
  sqlCIDR: 0.0.0.0/0
# Node labels for pod assignment
# Ref: https://kubernetes.io/docs/user-guide/node-selection/
nodeSelector:
  kubernetes.io/os: linux
# podAnnotations contain the pod annotations for Azure Service Operator
podAnnotations: {}
# Enable the pod disruption budget
# Specifies the minimum number of pods that must be available at any given time during the disruption.
# Ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
podDisruptionBudget:
  enabled: true
  minAvailable: 50%
# Labels to be added to the pod
podLabels: {}
# The securityContext of the pod
# See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
# Empty by default. No seccompProfile is set at either pod or container level in these values;
# setting one here (e.g. type RuntimeDefault) is the usual hardening step, provided the template
# passes this map through to the pod spec — confirm before relying on it.
podSecurityContext: {}
# Assign a PriorityClassName to pods if set
priorityClassName: ""
# Number of pod replicas to create for the deployment
replicaCount: 2
# Recommended initial values for resources
# adjust them as necessary
resources:
  limits:
    cpu: 500m
    memory: 512Mi
  requests:
    cpu: 200m
    memory: 256Mi
# NOTE(review): the nesting of `go` relative to `resources` was lost in the rendering this was
# recovered from; it is placed at top level here because the comment refers to "resources" as
# a separate block — confirm against the chart's values.yaml.
go:
  memLimit: 400MiB # This should be set to ~80-90% of the hard memory limit set above in resources
# Number of old history to retain to allow rollback
# Default Kubernetes value is set to 10
revisionHistoryLimit: 10
# Specify security settings for a Container
# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
# It is not recommended to reduce the restrictions in this list, but additional restrictions outside the default set
# can be applied. If you believe additional securityContext configuration should be specified by default
# please raise an issue.
securityContext:
  runAsUser: 65532 # nonroot user from gcr.io/distroless/static:nonroot image
  runAsGroup: 65532 # nonroot group from gcr.io/distroless/static:nonroot image
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop:
      - ALL
# Tolerations are applied to pods. Tolerations allow the scheduler to schedule pods with matching taints. Tolerations allow scheduling but don't guarantee scheduling
# For more information, see https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration.
tolerations: []
# Affinity and anti-affinity expands the types of constraints you can define.
# The affinity feature consists of two types of affinity:
# Node affinity functions like the nodeSelector field but is more expressive and allows you to specify soft rules.
# Inter-pod affinity/anti-affinity allows you to constrain Pods against labels on other Pods.
# For more information, see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
# For specific affinity best practices on AKS clusters, see https://azure.github.io/azure-service-operator/guide/best-practices/#affinity
affinity: {}
# MaxConcurrentReconciles is the number of threads/goroutines dedicated to reconciling each resource type.
# If not specified, the default is 4.
# IMPORTANT: Having MaxConcurrentReconciles set to N does not mean that ASO is limited to N interactions with
# Azure at any given time, because the control loop yields to another resource while it is not actively issuing HTTP
# calls to Azure. Any single resource only blocks the control-loop for its resource-type for as long as it takes to issue
# an HTTP call to Azure, view the result, and make a decision. In most cases the time taken to perform these actions
# (and thus how long the loop is blocked and preventing other resources from being acted upon) is a few hundred
# milliseconds to at most a second or two. In a typical 60s period, hundreds of resources
# for a given resource type can be managed with this set to 1.
# MaxConcurrentReconciles applies to every registered resource type being watched/managed by ASO.
maxConcurrentReconciles: 4
rateLimit:
  # mode configures the internal rate-limiting mode.
  # Valid values are [disabled, bucket]
  # * disabled: No ASO-controlled rate-limiting occurs. ASO will attempt to communicate with Azure and
  #   kube-apiserver as much as needed based on load. It will back off based on throttling from
  #   either kube-apiserver or Azure, but will not artificially limit its throughput.
  # * bucket: Uses a token-bucket algorithm to rate-limit reconciliations. Note that this limits how often
  #   the operator performs a reconciliation, but not every reconciliation triggers a call to kube-apiserver
  #   or Azure (though many do). Since this controls reconciles it can be used to coarsely control throughput
  #   and CPU usage of the operator, as well as the number of requests that the operator issues to Azure.
  #   Keep in mind that the Azure throttling limits (defined at
  #   https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/request-limits-and-throttling)
  #   differentiate between request types. Since a given reconcile for a resource may result in polling (a GET) or
  #   modification (a PUT) it's not possible to entirely avoid Azure throttling by tuning these bucket limits.
  #   We don't recommend enabling this mode by default.
  #   If enabling this mode, we strongly recommend doing some experimentation to tune these values to something that
  #   works for your specific need.
  mode: disabled
  # The rate (per second) that the bucket is refilled. This value only has an effect if mode is 'bucket'.
  qps: 5
  # The size of the bucket. This value only has an effect if mode is 'bucket'.
  bucketSize: 100
serviceAccount:
  # Specifies whether a ServiceAccount should be created
  create: true
  # The name of the ServiceAccount to use.
  # If not set and create is true, `azureserviceoperator-default` would be used as a name
  name: ""
  # Annotations to add to the ServiceAccount (the workload-identity setup guide linked under
  # useWorkloadIdentityAuth describes which ones that flow needs).
  annotations: {}
# List of extra environment variables to inject into the manager container
# Example:
# extraEnv:
#   - name: ENV
#     value: "prod"
#   - name: SERVICE
#     value: "azure-service-operator"
extraEnv: []

The trusted source for open source

Talk to an expert
PrivacyTerms

Product

Chainguard ContainersChainguard LibrariesChainguard VMsChainguard OS PackagesChainguard ActionsChainguard Agent SkillsIntegrationsPricing
© 2026 Chainguard, Inc. All Rights Reserved.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.