Redpanda Helm Chart Specification

Affinity constraints for scheduling Pods, can override this for StatefulSets and Jobs. For details, see the Kubernetes documentation.

Default: {}

Audit logging for a redpanda cluster, must have enabled sasl and have one kafka listener supporting sasl authentication for audit logging to work. Note this feature is only available for redpanda versions >= v23.3.0.

Default:

Defines the number of bytes (in bytes) allocated by the internal audit client for audit messages.

Default: 16777216

Enable or disable audit logging, for production clusters we suggest you enable, however, this will only work if you also enable sasl and a listener with sasl enabled.

Default: false

Event types that should be captured by audit logs, default is [admin, authenticate, management].

Default: nil

List of principals to exclude from auditing, default is null.

Default: nil

List of topics to exclude from auditing, default is null.

Default: nil

Kafka listener name, note that it must have authenticationMethod set to sasl. For external listeners, use the external listener name, such as default.

Default: "internal"

Integer value defining the number of partitions used by a newly created audit topic.

Default: 12

In ms, frequency in which per shard audit logs are batched to client for write to audit log.

Default: 500

Defines the maximum amount of memory used (in bytes) by the audit buffer in each shard.

Default: 1048576

Defines the replication factor for a newly created audit log topic. This configuration applies only to the audit log topic and may be different from the cluster or other topic configurations. This cannot be altered for existing audit log topics. Setting this value is optional. If a value is not provided, Redpanda will use the internal_topic_replication_factor cluster config value. Default is null

Default: nil

Authentication settings. For details, see the SASL documentation.

Default:

Details about how to create the bootstrap user for the cluster. The secretKeyRef is optionally specified. If it is specified, the chart will use a password written to that secret when creating the kubernetes-controller'' bootstrap user. If it is unspecified, then the secret will be generated and stored in the secret releasename''-bootstrap-user, with the key ``password''.

Default:

The authentication mechanism to use for the bootstrap user. Options are SCRAM-SHA-256 and SCRAM-SHA-512.

Default: "SCRAM-SHA-256"

Enable SASL authentication. If you enable SASL authentication, you must provide a Secret in auth.sasl.secretRef.

Default: false

The authentication mechanism to use for the superuser. Options are SCRAM-SHA-256 and SCRAM-SHA-512.

Default: "SCRAM-SHA-512"

A Secret that contains your superuser credentials. For details, see the SASL documentation.

Default: "redpanda-users"

Optional list of superusers. These superusers will be created in the Secret whose name is defined in auth.sasl.secretRef. If this list is empty, the Secret in auth.sasl.secretRef must already exist in the cluster before you deploy the chart. Uncomment the sample list if you wish to try adding sample sasl users or override to use your own.

Default: []

Default Kubernetes cluster domain.

Default: "cluster.local"

Additional labels to add to all Kubernetes objects. For example, my.k8s.service: redpanda.

Default: {}

This section contains various settings supported by Redpanda that may not work correctly in a Kubernetes cluster. Changing these settings comes with some risk. Use these settings to customize various Redpanda configurations that are not covered in other sections. These values have no impact on the configuration or behavior of the Kubernetes objects deployed by Helm, and therefore should not be modified for the purpose of configuring those objects. Instead, these settings get passed directly to the Redpanda binary at startup. For descriptions of these properties, see the configuration documentation.

Default:

Cluster Configuration Properties

Default: {}

Broker (node) Configuration Properties.

Default: {"crash_loop_limit":5}

Crash loop limit A limit on the number of consecutive times a broker can crash within one hour before its crash-tracking logic is reset. This limit prevents a broker from getting stuck in an infinite cycle of crashes. User can disable this crash loop limit check by the following action: * One hour elapses since the last crash * The node configuration file, redpanda.yaml, is updated via config.cluster or config.node or config.tunable objects * The startup_log file in the node’s data_directory is manually deleted Default to 5 REF: https://docs.redpanda.com/current/reference/broker-properties/#crash_loop_limit

Default: 5

Tunable cluster properties. Deprecated: all settings here may be specified via config.cluster.

Default:

See the property reference documentation.

Default: 67108864

See the property reference documentation.

Default: 1000

See the property reference documentation.

Default: 268435456

See the property reference documentation.

Default: 16777216

See the property reference documentation.

Default: 536870912

Redpanda Managed Connectors settings For a reference of configuration settings, see the Redpanda Connectors documentation.

Default:

Redpanda Console settings. For a reference of configuration settings, see the Redpanda Console documentation.

Default:

Enterprise (optional) For details, see the License documentation.

Default:

license (optional).

Default: ""

Secret name and key where the license key is stored.

Default: {}

External access settings. For details, see the Networking and Connectivity documentation.

Default:

Enable external access for each Service. You can toggle external access for each listener in listeners.<service name>.external.<listener-name>.enabled.

Default: true

Service allows you to manage the creation of an external kubernetes service object

Default: {"enabled":true}

Enabled if set to false will not create the external service type You can still set your cluster with external access but not create the supporting service (NodePort/LoadBalander). Set this to false if you rather manage your own service.

Default: true

External access type. Only NodePort and LoadBalancer are supported. If undefined, then advertised listeners will be configured in Redpanda, but the helm chart will not create a Service. You must create a Service manually. Warning: If you use LoadBalancers, you will likely experience higher latency and increased packet loss. NodePort is recommended in cases where latency is a priority.

Default: "NodePort"

Override redpanda.fullname template.

Default: ""

Redpanda Docker image settings.

Default:

The imagePullPolicy. If image.tag is latest', the default is `Always.

Default: "IfNotPresent"

Docker repository from which to pull the Redpanda Docker image.

Default:

The Redpanda version. See DockerHub for: All stable versions and all unstable versions.

Default: Chart.appVersion.

Pull secrets may be used to provide credentials to image repositories See the Kubernetes documentation.

Default: []

DEPRECATED Enterprise license key (optional). For details, see the License documentation.

Default: ""

DEPRECATED Secret name and secret key where the license key is stored.

Default: {}

Listener settings. Override global settings configured above for individual listeners. For details, see the listeners documentation.

Default:

Admin API listener (only one).

Default:

Optional external access settings.

Default:

Name of the external listener.

Default:

The port advertised to this listener’s external clients. List one port if you want to use the same port for each broker (would be the case when using NodePort service). Otherwise, list the port you want to use for each broker in order of StatefulSet replicas. If undefined, listeners.admin.port is used.

Default: {"cert":"external"}

The port for both internal and external connections to the Admin API.

Default: 9644

Optional TLS section (required if global TLS is enabled)

Default:

Name of the Certificate used for TLS (must match a Certificate name that is registered in tls.certs).

Default: "default"

If true, the truststore file for this listener is included in the ConfigMap.

Default: false

HTTP API listeners (aka PandaProxy).

Default:

Kafka API listeners.

Default:

If undefined, listeners.kafka.external.default.port is used.

Default: [31092]

The port used for external client connections.

Default: 9094

The port for internal client connections.

Default: 9093

RPC listener (this is never externally accessible).

Default:

Schema registry listeners.

Default:

Log-level settings.

Default:

Log level Valid values (from least to most verbose) are: warn, info, debug, and trace.

Default: "info"

Send usage statistics back to Redpanda Data. For details, see the stats reporting documentation.

Default: {"enabled":true}

Monitoring. This will create a ServiceMonitor that can be used by Prometheus-Operator or VictoriaMetrics-Operator to scrape the metrics.

Default:

Override redpanda.name template.

Default: ""

Node selection constraints for scheduling Pods, can override this for StatefulSets. For details, see the Kubernetes documentation.

Default: {}

Default: {}

Default: true

Additional annotations to apply to the Pods of this Job.

Default: {}

Additional labels to apply to the Pods of this Job.

Default: {}

A subset of Kubernetes’ PodSpec type that will be merged into the final PodSpec. See Merge Semantics for details.

Default:

Rack Awareness settings. For details, see the Rack Awareness documentation.

Default:

When running in multiple racks or availability zones, use a Kubernetes Node annotation value as the Redpanda rack value. Enabling this requires running with a service account with `get'' Node permissions. To have the Helm chart configure these permissions, set `serviceAccount.create=true and rbac.enabled=true.

Default: false

The common well-known annotation to use as the rack ID. Override this only if you use a custom Node annotation.

Default:

Role Based Access Control.

Default:

Annotations to add to the rbac resources.

Default: {}

Enable for features that need extra privileges. If you use the Redpanda Operator, you must deploy it with the --set rbac.createRPKBundleCRs=true flag to give it the required ClusterRoles.

Default: false

Pod resource management. This section simplifies resource allocation by providing a single location where resources are defined. Helm sets these resource values within the statefulset.yaml and configmap.yaml templates. The default values are for a development environment. Production-level values and other considerations are documented, where those values are different from the default. For details, see the Pod resources documentation.

Default:

CPU resources. For details, see the Pod resources documentation.

Default: {"cores":1}

Redpanda makes use of a thread per core model. For details, see this blog. For this reason, Redpanda should only be given full cores. Note: You can increase cores, but decreasing cores is not currently supported. See the GitHub issue. This setting is equivalent to --smp, resources.requests.cpu, and resources.limits.cpu. For production, use 4 or greater. To maximize efficiency, use the static CPU manager policy by specifying an even integer for CPU resource requests and limits. This policy gives the Pods running Redpanda brokers access to exclusive CPUs on the node. See https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy.

Default: 1

Memory resources For details, see the Pod resources documentation.

Default:

Enables memory locking. For production, set to true. enable_memory_locking: false It is recommended to have at least 2Gi of memory per core for the Redpanda binary. This memory is taken from the total memory given to each container. The Helm chart allocates 80% of the container’s memory to Redpanda, leaving the rest for the Seastar subsystem (reserveMemory) and other container processes. So at least 2.5Gi per core is recommended in order to ensure Redpanda has a full 2Gi. These values affect --memory and --reserve-memory flags passed to Redpanda and the memory requests/limits in the StatefulSet. Valid suffixes: k, M, G, T, P, Ki, Mi, Gi, Ti, Pi To create Guaranteed Pod QoS for Redpanda brokers, provide both container max and min values for the container. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a memory limit and a memory request. * For every container in the Pod, the memory limit must equal the memory request.

Default: {"max":"2.5Gi"}

Maximum memory count for each Redpanda broker. Equivalent to resources.limits.memory. For production, use 10Gi or greater.

Default: "2.5Gi"

Service account management.

Default:

Annotations to add to the service account.

Default: {}

Specifies whether a service account should automount API-Credentials. The token is used in sidecars.controllers

Default: false

Specifies whether a service account should be created.

Default: false

The name of the service account to use. If not set and serviceAccount.create is true, a name is generated using the redpanda.fullname template.

Default: ""

Additional flags to pass to redpanda,

Default: []

Additional labels to be added to statefulset label selector. For example, my.k8s.service: redpanda.

Default: {}

DEPRECATED Please use statefulset.podTemplate.annotations. Annotations are used only for Statefulset.spec.template.metadata.annotations. The StatefulSet does not have any dedicated annotation.

Default: {}

Default: 1

Default: ""

Default: ""

Default: "busybox"

Default: "latest"

Default: ""

To create Guaranteed Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request.

Default: {}

Default: ""

Default: false

Default: "xfs"

Default: ""

To create Guaranteed Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request.

Default: {}

In environments where root is not allowed, you cannot change the ownership of files and directories. Enable setDataDirOwnership when using default minikube cluster configuration.

Default: false

Default: ""

To create Guaranteed Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request.

Default: {}

Default: ""

To create Guaranteed Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request.

Default: {}

Default: ""

To create Guaranteed Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request.

Default: {}

Default: 3

Default: 10

Default: 10

Node selection constraints for scheduling Pods of this StatefulSet. These constraints override the global nodeSelector value. For details, see the Kubernetes documentation.

Default: {}

Inter-Pod Affinity rules for scheduling Pods of this StatefulSet. For details, see the Kubernetes documentation.

Default: {}

Anti-affinity rules for scheduling Pods of this StatefulSet. For details, see the Kubernetes documentation. You may either edit the default settings for anti-affinity rules, or specify new anti-affinity rules to use instead of the defaults.

Default:

Change podAntiAffinity.type to custom and provide your own podAntiAffinity rules here.

Default: {}

The topologyKey to be used. Can be used to spread across different nodes, AZs, regions etc.

Default: "kubernetes.io/hostname"

Valid anti-affinity types are soft, hard, or custom. Use custom if you want to supply your own anti-affinity rules in the podAntiAffinity.custom object.

Default: "hard"

Weight for soft anti-affinity rules. Does not apply to other anti-affinity types.

Default: 100

Additional annotations to apply to the Pods of the StatefulSet.

Default: {}

Additional labels to apply to the Pods of the StatefulSet.

Default: {}

A subset of Kubernetes’ PodSpec type that will be merged into the final PodSpec. See Merge Semantics for details.

Default:

PriorityClassName given to Pods of this StatefulSet. For details, see the Kubernetes documentation.

Default: ""

Default: 3

Default: 1

Default: 10

Default: 1

Number of Redpanda brokers (Redpanda Data recommends setting this to the number of worker nodes in the cluster)

Default: 3

DEPRECATED: Prefer to use podTemplate.spec.securityContext or podTemplate.spec.containers[0\].securityContext.

Default:

Default: true

Default: ""

To create Guaranteed Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a memory limit and a memory request. * For every container in the Pod, the memory limit must equal the memory request. * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. To maximize efficiency, use the static CPU manager policy by specifying an even integer for CPU resource requests and limits. This policy gives the Pods running Redpanda brokers access to exclusive CPUs on the node. For details, see https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy

Default: {}

Default: {}

Default: true

Default: false

Default: ":8085"

Default:

Default: "v2.2.5-24.2.7"

Default: ":9082"

To create Guaranteed Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. To maximize efficiency, use the static CPU manager policy by specifying an even integer for CPU resource requests and limits. This policy gives the Pods running Redpanda brokers access to exclusive CPUs on the node. For details, see https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy

Default: {}

Default: "all"

Default: {}

Adjust the period for your probes to meet your needs. For details, see the Kubernetes documentation.

Default:

Termination grace period in seconds is time required to execute preStop hook which puts particular Redpanda Pod (process/container) into maintenance mode. Before settle down on particular value please put Redpanda under load and perform rolling upgrade or rolling restart. That value needs to accommodate two processes: * preStop hook needs to put Redpanda into maintenance mode * after preStop hook Redpanda needs to handle gracefully SIGTERM signal Both processes are executed sequentially where preStop hook has hard deadline in the middle of terminationGracePeriodSeconds. REF: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination

Default: 90

Taints to be tolerated by Pods of this StatefulSet. These tolerations override the global tolerations value. For details, see the Kubernetes documentation.

Default: []

Default: 1

Default:

Default: "ScheduleAnyway"

Default: "RollingUpdate"

Persistence settings. For details, see the storage documentation.

Default:

Absolute path on the host to store Redpanda’s data. If unspecified, then an emptyDir volume is used. If specified but persistentVolume.enabled is true, storage.hostPath has no effect.

Default: ""

If persistentVolume.enabled is true, a PersistentVolumeClaim is created and used to store Redpanda’s data. Otherwise, storage.hostPath is used.

Default:

Additional annotations to apply to the created PersistentVolumeClaims.

Default: {}

Additional labels to apply to the created PersistentVolumeClaims.

Default: {}

Option to change volume claim template name for tiered storage persistent volume if tiered.mountType is set to persistentVolume

Default: ""

To disable dynamic provisioning, set to -. If undefined or empty (default), then no storageClassName spec is set, and the default dynamic provisioner is chosen (gp2 on AWS, standard on GKE, AWS & OpenStack).

Default: ""

Tiered Storage settings Requires enterprise.licenseKey or enterprised.licenseSecretRef For details, see the Tiered Storage documentation. For a list of properties, see Object Storage Properties.

Default:

Maximum size of the disk cache used by Tiered Storage. Default is 20 GiB. See the property reference documentation.

Default: 5368709120

Cluster level default remote read configuration for new topics. See the property reference documentation.

Default: true

Cluster level default remote write configuration for new topics. See the property reference documentation.

Default: true

Global flag that enables Tiered Storage if a license key is provided. See the property reference documentation.

Default: false

Absolute path on the host to store Redpanda’s Tiered Storage cache.

Default: ""

Additional annotations to apply to the created PersistentVolumeClaims.

Default: {}

Additional labels to apply to the created PersistentVolumeClaims.

Default: {}

To disable dynamic provisioning, set to ``-''. If undefined or empty (default), then no storageClassName spec is set, and the default dynamic provisioner is chosen (gp2 on AWS, standard on GKE, AWS & OpenStack).

Default: ""

Default: true

TLS settings. For details, see the TLS documentation.

Default:

List all Certificates here, then you can reference a specific Certificate’s name in each listener’s listeners.<listener name>.tls.cert setting.

Default:

This key is the Certificate name. To apply the Certificate to a specific listener, reference the Certificate’s name in listeners.<listener-name>.tls.cert.

Default: {"caEnabled":true}

Indicates whether or not the Secret holding this certificate includes a ca.crt key. When true, chart managed clients, such as rpk, will use ca.crt for certificate verification and listeners with require_client_auth and no explicit truststore will use ca.crt as their truststore_file for verification of client certificates. When false, chart managed clients will use tls.crt for certificate verification and listeners with require_client_auth and no explicit truststore will use the container’s CA certificates.

Default: true

Example external tls configuration uncomment and set the right key to the listeners that require them also enable the tls setting for those listeners.

Default: {"caEnabled":true}

Indicates whether or not the Secret holding this certificate includes a ca.crt key. When true, chart managed clients, such as rpk, will use ca.crt for certificate verification and listeners with require_client_auth and no explicit truststore will use ca.crt as their truststore_file for verification of client certificates. When false, chart managed clients will use tls.crt for certificate verification and listeners with require_client_auth and no explicit truststore will use the container’s CA certificates.

Default: true

Enable TLS globally for all listeners. Each listener must include a Certificate name in its <listener>.tls object. To allow you to enable TLS for individual listeners, Certificates in auth.tls.certs are always loaded, even if tls.enabled is false. See listeners.<listener-name>.tls.enabled.

Default: true

Taints to be tolerated by Pods, can override this for StatefulSets. For details, see the Kubernetes documentation.

Default: []

Redpanda tuning settings. Each is set to their default values in Redpanda.

Default: {"tune_aio_events":true}

Increase the maximum number of outstanding asynchronous IO operations if the current value is below a certain threshold. This allows Redpanda to make as many simultaneous IO requests as possible, increasing throughput. When this option is enabled, Helm creates a privileged container. If your security profile does not allow this, you can disable this container by setting tune_aio_events to false. For more details, see the tuning documentation.

Default: true