
eck-operator

Helm chart
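# nameOverride is the short name for the deployment. Leave empty to let Helm generate a name using chart values.
nameOverride: "elastic-operator"
# fullnameOverride is the full name for the deployment. Leave empty to let Helm generate a name using chart values.
fullnameOverride: "elastic-operator"
# managedNamespaces is the set of namespaces that the operator manages. Leave empty to manage all namespaces.
# The empty default therefore gives the operator cluster-wide scope; list namespaces
# explicitly to narrow what it manages.
managedNamespaces: []
# installCRDs determines whether Custom Resource Definitions (CRD) are installed by the chart.
# Note that CRDs are global resources and require cluster admin privileges to install.
# If you are sharing a cluster with other users who may want to install ECK on their own namespaces, setting this to true can have unintended consequences.
# 1. Upgrades will overwrite the global CRDs and could disrupt the other users of ECK who may be running a different version.
# 2. Uninstalling the chart will delete the CRDs and potentially cause Elastic resources deployed by other users to be removed as well.
installCRDs: true
# replicaCount is the number of operator pods to run.
replicaCount: 1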
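image:
  # repository is the container image prefixed by the registry name.
  repository: cgr.dev/chainguard-private/eck-operator-fips
  # pullPolicy is the container image pull policy.
  pullPolicy: IfNotPresent
  # tag is the container image tag. If not defined, defaults to chart appVersion.
  # The default below already carries a content digest after the "@". Container runtimes
  # generally resolve such a reference by the digest, so "latest" is only a label here and
  # the image does not float; update the digest deliberately when upgrading.
  tag: latest@sha256:aaaf6b4b0bcd08931c47ca5f6f74b028edd65c3713d5e1573a61c55fb7019f93
  # digest pins the image to a specific content digest for immutable image references.
  # When set, the rendered image reference becomes repo:tag@sha256:<hex>.
  # Must be in the format sha256:<hex> (64 hex characters).
  # Example:
  # digest: sha256:8c933444cb78d632d2d15851daf7bcb1fc4ec57689bb4aebf7b3353e6bf395a9
  # NOTE(review): tag above already embeds a digest; setting digest as well would presumably
  # render a second "@sha256:" suffix. Confirm against the chart templates and keep the
  # pin in one place only.
  digest: null
  # fips specifies whether the operator will use a FIPS compliant container image for its own StatefulSet image.
  # This setting does not apply to Elastic Stack applications images.
  # Can be combined with config.ubiOnly.
  # NOTE(review): repository above already names a "-fips" image while fips is false.
  # Confirm how the chart combines the two before changing either value.
  fips: false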
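# priorityClassName defines the PriorityClass to be used by the operator pods.
priorityClassName: ""
# imagePullSecrets defines the secrets to use when pulling the operator container image.
# The default repository is under a "-private" path, so a pull secret is presumably needed
# unless nodes are already authenticated to that registry.
imagePullSecrets: []
# resources define the container resource limits for the operator.
resources:
  limits:
    cpu: 1
    memory: 1Gi
  requests:
    cpu: 100m
    memory: 150Mi
# statefulsetAnnotations define the annotations that should be added to the operator StatefulSet.
statefulsetAnnotations: {}
# statefulsetLabels define additional labels that should be added to the operator StatefulSet.
statefulsetLabels: {}
# podAnnotations define the annotations that should be added to the operator pod.
podAnnotations: {}
# podLabels define additional labels that should be added to the operator pod.
podLabels: {}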
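# podSecurityContext defines the pod security context for the operator pod.
podSecurityContext:
  runAsNonRoot: true
# securityContext defines the security context of the operator container.
# The defaults below block privilege escalation, drop every Linux capability, mount the
# root filesystem read-only and refuse to start as root; keep them when overriding this map,
# because a Helm override of a single key leaves the others in place but replacing the
# whole map does not.
# NOTE(review): no seccompProfile is set in these defaults; clusters enforcing the
# "restricted" Pod Security Standard typically also require one (e.g. RuntimeDefault).
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true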
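# nodeSelector defines the node selector for the operator pod.
nodeSelector: {}
# tolerations defines the node tolerations for the operator pod.
tolerations: []
# affinity defines the node affinity rules for the operator pod.
affinity: {}
# podDisruptionBudget configures the minimum or the maximum available pods for voluntary disruptions,
# set to either an integer (e.g. 1) or a percentage value (e.g. 25%).
podDisruptionBudget:
  enabled: false
  minAvailable: 1
  # maxUnavailable: 3
# additional environment variables for the operator container.
# Values given here end up in the rendered pod spec and in the stored release; reference
# Secrets through valueFrom instead of inlining credentials.
env: []
# additional volume mounts for the operator container.
volumeMounts: []
# additional volumes to add to the operator pod.
volumes: []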
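# createClusterScopedResources determines whether cluster-scoped resources (ClusterRoles, ClusterRoleBindings) should be created.
# With true, the release creates cluster-wide RBAC objects for the operator; review the
# rendered ClusterRoles before installing on a shared cluster.
createClusterScopedResources: true
# Automount API credentials for the Service Account into the pod.
automountServiceAccountToken: true
serviceAccount:
  # create specifies whether a service account should be created for the operator.
  create: true
  # Specifies whether a service account should automount API credentials.
  automountServiceAccountToken: true
  # annotations to add to the service account
  annotations: {}
  # name of the service account to use. If not set and create is true, a name is generated using the fullname template.
  name: ""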
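tracing:
  # enabled specifies whether APM tracing is enabled for the operator.
  enabled: false
  # config is a map of APM Server configuration variables that should be set in the environment.
  # The default URL is plain HTTP to localhost; when pointing at a remote APM Server,
  # use an https:// URL so trace data is not sent in clear text.
  config:
    ELASTIC_APM_SERVER_URL: http://localhost:8200
    ELASTIC_APM_SERVER_TIMEOUT: 30s
refs:
  # enforceRBAC specifies whether RBAC should be enforced for cross-namespace associations between resources.
  # With the default false, cross-namespace associations are not subject to that RBAC check;
  # on a cluster shared between tenants, consider enabling it.
  enforceRBAC: false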
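webhook:
  # enabled determines whether the webhook is installed.
  enabled: true
  # caBundle is the PEM-encoded CA trust bundle for the webhook certificate. Only required if manageCerts is false and certManagerCert is null.
  # The default Cg== is base64 for a single newline, i.e. an empty placeholder rather than
  # a real bundle; supply the actual CA when the operator does not manage the certificates.
  caBundle: Cg==
  # certManagerCert is the name of the cert-manager certificate to use with the webhook.
  certManagerCert: null
  # certsDir is the directory to mount the certificates.
  certsDir: "/tmp/k8s-webhook-server/serving-certs"
  # failurePolicy of the webhook.
  # Ignore is fail-open: if the webhook errors or cannot be reached, the API server admits
  # the request without validation. Fail rejects the request instead (fail-closed), at the
  # cost of blocking changes to the affected resources while the webhook is unavailable.
  failurePolicy: Ignore
  # manageCerts determines whether the operator manages the webhook certificates automatically.
  manageCerts: true
  # namespaceSelector corresponds to the namespaceSelector property of the webhook.
  # Setting this restricts the webhook to act only on objects submitted to namespaces that match the selector.
  namespaceSelector: {}
  # objectSelector corresponds to the objectSelector property of the webhook.
  # Setting this restricts the webhook to act only on objects that match the selector.
  objectSelector: {}
  # port is the port that the validating webhook binds to.
  port: 9443
  # certsSecret specifies the Kubernetes secret to be mounted into the path designated by the certsDir value to be used for webhook certificates.
  certsSecret: ""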
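# hostNetwork allows a Pod to use the Node network namespace.
# This is required to allow for communication with the kube API when using some alternate CNIs in conjunction with webhook enabled.
# If hostNetwork is enabled, dnsPolicy defaults to ClusterFirstWithHostNet unless explicitly set.
# CAUTION: Proceed at your own risk. This setting has security concerns such as allowing malicious users to access workloads running on the host.
hostNetwork: false
# dnsPolicy defines the DNS policy for the operator pod.
# Check https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy for more details.
dnsPolicy: ""
# dnsConfig defines the DNS configuration for the operator pod.
# Check https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config for more details.
# dnsConfig:
#   nameservers:
#     - 169.254.20.10
#   searches:
#     - svc.cluster.local
#   options:
#     - name: ndots
#       value: "2"
dnsConfig: {}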
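softMultiTenancy:
  # enabled determines whether the operator is installed with soft multi-tenancy extensions.
  # This requires network policies to be enabled on the Kubernetes cluster.
  enabled: false
  # kubeAPIServerIP is required when softMultiTenancy is enabled.
  kubeAPIServerIP: null
  # kubeAPIServerPort is the port used by the Kubernetes API server.
  # Only used when softMultiTenancy is enabled. Defaults to 443.
  kubeAPIServerPort: 443
telemetry:
  # disabled determines whether the operator periodically updates ECK telemetry data for Kibana to consume.
  disabled: false
  # distributionChannel denotes which distribution channel was used to install the operator.
  distributionChannel: "helm"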
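# config values for the operator.
config:
  # logVerbosity defines the logging level. Valid values are as follows:
  # -2: Errors only
  # -1: Errors and warnings
  # 0: Errors, warnings, and information
  # number greater than 0: Errors, warnings, information, and debug details.
  logVerbosity: "0"
  # (Deprecated: use metrics.port: will be removed in v2.14.0) metricsPort defines the port to expose operator metrics. Set to 0 to disable metrics reporting.
  metricsPort: 0
  metrics:
    # port defines the port to expose operator metrics. Set to 0 to disable metrics reporting.
    port: "0"
    # secureMode contains the options for enabling and configuring RBAC and TLS/HTTPs for the metrics endpoint.
    secureMode:
      # secureMode.enabled specifies whether to enable RBAC and TLS/HTTPs for the metrics endpoint.
      # * This option makes most sense when using a ServiceMonitor to scrape the metrics and is therefore mutually exclusive with the podMonitor.enabled option.
      # * This option also requires using cluster scoped resources (ClusterRole, ClusterRoleBinding) to
      #   grant access to the /metrics endpoint. (createClusterScopedResources: true is required)
      #
      # With the default false, a non-zero metrics port is presumably served without those
      # RBAC and TLS protections; restrict access to it by other means (e.g. a NetworkPolicy)
      # or enable secureMode.
      enabled: false
      tls:
        # certificateSecret is the name of the tls secret containing the custom TLS certificate and key for the secure metrics endpoint.
        #
        # * This is an optional setting and is only required if you are using a custom TLS certificate. A self-signed certificate will be generated by default.
        # * TLS secret key must be named tls.crt.
        # * TLS key's secret key must be named tls.key.
        # * It is assumed to be in the same namespace as the ServiceMonitor.
        #
        # example: kubectl create secret tls eck-metrics-tls-certificate -n elastic-system \
        #            --cert=/path/to/tls.crt --key=/path/to/tls.key
        certificateSecret: ""
  # containerRegistry to use for pulling Elasticsearch and other application container images.
  # This is separate from image.repository: the operator image and the Elastic Stack
  # application images come from different registries with these defaults.
  containerRegistry: docker.elastic.co
  # containerRepository to use for pulling Elasticsearch and other application container images.
  # containerRepository: ""

  # containerSuffix suffix to be appended to container images by default. Cannot be combined with -ubiOnly flag
  # containerSuffix: ""

  # maxConcurrentReconciles is the number of concurrent reconciliation operations to perform per controller.
  maxConcurrentReconciles: "3"
  # caValidity defines the validity period of the CA certificates generated by the operator.
  # 8760h is 365 days.
  caValidity: 8760h
  # caRotateBefore defines when to rotate a CA certificate that is due to expire.
  caRotateBefore: 24h
  # caDir defines the directory containing a CA certificate (tls.crt) and its associated private key (tls.key) to be used for all managed resources.
  # Setting this makes caRotateBefore and caValidity values ineffective.
  # The directory holds a CA private key that signs for every managed resource, so rotation
  # and protection of that key become the responsibility of whoever provides it.
  caDir: ""
  # certificatesValidity defines the validity period of certificates generated by the operator.
  certificatesValidity: 8760h
  # certificatesRotateBefore defines when to rotate a certificate that is due to expire.
  certificatesRotateBefore: 24h
  # disableConfigWatch specifies whether the operator watches the configuration file for changes.
  disableConfigWatch: false
  # exposedNodeLabels is an array of regular expressions of node labels which are allowed to be copied as annotations on Elasticsearch Pods.
  # Keep the patterns narrow: every matching node label becomes readable to anyone who can
  # read the Pod annotations.
  exposedNodeLabels: ["topology.kubernetes.io/.*", "failure-domain.beta.kubernetes.io/.*"]
  # ipFamily specifies the IP family to use. Possible values: IPv4, IPv6 and "" (auto-detect)
  ipFamily: ""
  # setDefaultSecurityContext determines whether a default security context is set on application containers created by the operator.
  # *note* that the default option now is "auto-detect" to attempt to set this properly automatically when both running
  # in an openshift cluster, and a standard kubernetes cluster. Valid values are as follows:
  # "auto-detect" : auto detect
  # "true"        : set pod security context when creating resources.
  # "false"       : do not set pod security context when creating resources.
  setDefaultSecurityContext: "auto-detect"
  # kubeClientTimeout sets the request timeout for Kubernetes API calls made by the operator.
  kubeClientTimeout: 60s
  # elasticsearchClientTimeout sets the request timeout for Elasticsearch API calls made by the operator.
  elasticsearchClientTimeout: 180s
  # policies contains policies for the operator, currently only password generation policies are supported.
  policies: {}
    # passwords:
    #   length: 24

  # validateStorageClass specifies whether storage classes volume expansion support should be verified.
  # Can be disabled if cluster-wide storage class RBAC access is not available.
  validateStorageClass: true
  # enableLeaderElection specifies whether leader election should be enabled
  enableLeaderElection: true
  # Interval between observations of Elasticsearch health, non-positive values disable asynchronous observation.
  elasticsearchObservationInterval: 10s
  # ubiOnly specifies whether the operator will use only UBI container images to deploy Elastic Stack applications as well as for its own StatefulSet image. UBI images are only available from 7.10.0 onward.
  # Cannot be combined with the containerSuffix value.
  ubiOnly: false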
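# Prometheus PodMonitor configuration
# Reference: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#podmonitor
podMonitor:
  # enabled determines whether a podMonitor should be deployed to scrape the eck metrics.
  # This requires the prometheus operator and the config.metrics.port not to be 0
  # Per the secureMode comment under config.metrics, the podMonitor is mutually exclusive
  # with config.metrics.secureMode.enabled, so scraping this way does not use the RBAC/TLS
  # protected endpoint.
  enabled: false
  # labels adds additional labels to the podMonitor
  labels: {}
  # annotations adds additional annotations to the podMonitor
  annotations: {}
  # namespace determines in which namespace the podMonitor will be deployed.
  # If not set the podMonitor will be created in the namespace where the Helm release is installed into
  # namespace: monitoring

  # interval specifies the interval at which metrics should be scraped
  interval: 5m
  # scrapeTimeout specifies the timeout after which the scrape is ended
  scrapeTimeout: 30s
  # podTargetLabels transfers labels on the Kubernetes Pod onto the target.
  podTargetLabels: []
  # podMetricsEndpointConfig allows to add an extended configuration to the podMonitor
  podMetricsEndpointConfig: {}
  # honorTimestamps: true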
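# Prometheus ServiceMonitor configuration
# Only used when config.enableSecureMetrics is true
# NOTE(review): no config.enableSecureMetrics key appears in these values; the matching
# setting looks like config.metrics.secureMode.enabled. Confirm against the chart templates.
# Reference: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#servicemonitor
serviceMonitor:
  # This option requires the following settings within Prometheus to function:
  # 1. RBAC settings for the Prometheus instance to access the metrics endpoint.
  #
  # - nonResourceURLs:
  #   - /metrics
  #   verbs:
  #   - get
  #
  # 2. If using the Prometheus Operator and your Prometheus instance is not in the same namespace as the operator you will need
  #    the Prometheus Operator configured with the following Helm values:
  #
  # prometheus:
  #   prometheusSpec:
  #     serviceMonitorNamespaceSelector: {}
  #     serviceMonitorSelectorNilUsesHelmValues: false
  #
  # allows to disable the serviceMonitor, enabled by default for backwards compatibility
  enabled: true
  # namespace determines in which namespace the serviceMonitor will be deployed.
  # If not set the serviceMonitor will be created in the namespace where the Helm release is installed into
  # namespace: monitoring
  # caSecret is the name of the secret containing the custom CA certificate used to generate the custom TLS certificate for the secure metrics endpoint.
  #
  # * This *must* be the name of the secret containing the CA certificate used to sign the custom TLS certificate for the metrics endpoint.
  # * This secret *must* be in the same namespace as the Prometheus instance that will scrape the metrics.
  # * If using the Prometheus operator this secret must be within the `spec.secrets` field of the `Prometheus` custom resource such that it is mounted into the Prometheus pod at `caMountDirectory`, which defaults to /etc/prometheus/secrets/{secret-name}.
  # * This is an optional setting and is only required if you are using a custom TLS certificate.
  # * Key must be named ca.crt.
  #
  # example: kubectl create secret generic eck-metrics-tls-ca -n monitoring \
  #            --from-file=ca.crt=/path/to/ca.pem
  caSecret: ""
  # caMountDirectory is the directory at which the CA certificate is mounted within the Prometheus pod.
  #
  # * You should only need to adjust this if you are *not* using the Prometheus operator.
  caMountDirectory: "/etc/prometheus/secrets/"
  # insecureSkipVerify specifies whether to skip verification of the TLS certificate for the secure metrics endpoint.
  #
  # * If this setting is set to false, then the following settings are required:
  #   - certificateSecret
  #   - caSecret
  #
  # With the default true, the scraper does not verify the certificate presented by the
  # metrics endpoint, so the connection is encrypted but the endpoint's identity is not
  # checked. Set it to false and provide the two secrets above to get verification.
  insecureSkipVerify: true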
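# extraObjects allows injecting additional Kubernetes resources into the chart.
# These resources will be created/deleted alongside the chart release.
# The value is a list of strings, each string is a YAML manifest.
# Helm templating is supported within each manifest.
# Anything listed here is applied with the privileges of whoever installs the release, so
# a values file is as sensitive as a manifest: review overrides from other sources before use.
# Example:
# extraObjects:
#   - |
#     apiVersion: v1
#     kind: ConfigMap
#     metadata:
#       name: {{ include "eck-operator.fullname" . }}-extra-config
#       namespace: {{ .Release.Namespace }}
#     data:
#       key: value
extraObjects: []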
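# Globals meant for internal use only
global:
  # manifestGen specifies whether the chart is running under manifest generator.
  # This is used for tasks specific to generating the all-in-one.yaml file.
  manifestGen: false
  # createOperatorNamespace defines whether the operator namespace manifest should be generated when in manifestGen mode.
  # Usually we do want that to happen (e.g. all-in-one.yaml) but, sometimes we don't (e.g. E2E tests).
  createOperatorNamespace: true
  # kubeVersion is the effective Kubernetes version we target when generating the all-in-one.yaml.
  kubeVersion: 1.21.0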
