Redpanda Helm Chart Specification
This page describes the official Redpanda Helm Chart. In particular, this page describes the contents of the chart’s values.yaml file. Each of the settings is listed and described on this page, along with any default values.
For instructions on how to install and use the chart, including how to override and customize the chart’s values, refer to the deployment documentation.
Autogenerated from chart metadata using helm-docs v1.11.0
Source Code
Requirements
Kubernetes: ^1.21.0-0
| Repository | Name | Version |
|---|---|---|
| https://charts.redpanda.com | console | >=0.5 <1.0 |
Settings
auth
Authentication settings. For details, see the SASL documentation.
Default:
{"sasl":{"enabled":false,"mechanism":"SCRAM-SHA-512","secretRef":"redpanda-users","users":[{"mechanism":"SCRAM-SHA-512","name":"admin","password":"change-me"}]}}
auth.sasl.enabled
Enable SASL authentication. If you enable SASL authentication, you must provide a Secret in auth.sasl.secretRef.
Default: false
auth.sasl.mechanism
The authentication mechanism to use for the superuser. Options are SCRAM-SHA-256 and SCRAM-SHA-512.
Default: "SCRAM-SHA-512"
auth.sasl.secretRef
A Secret that contains your superuser credentials. The file must include an empty line at the end. For details, see the SASL documentation.
Default: "redpanda-users"
auth.sasl.users
Optional list of superusers. These superusers will be created in the Secret whose name is defined in auth.sasl.secretRef. If this list is empty, the Secret in auth.sasl.secretRef must already exist in the cluster before you deploy the chart.
Default:
[{"mechanism":"SCRAM-SHA-512","name":"admin","password":"change-me"}]
clusterDomain
Default Kubernetes cluster domain.
Default: "cluster.local"
commonLabels
Additional labels to add to all Kubernetes objects. For example, my.k8s.service: redpanda.
Default: {}
config
This section contains various settings supported by Redpanda that may not work correctly in a Kubernetes cluster. Changing these settings comes with some risk. Use these settings to customize various Redpanda configurations that are not covered in other sections. These values have no impact on the configuration or behavior of the Kubernetes objects deployed by Helm, and therefore should not be modified for the purpose of configuring those objects. Instead, these settings get passed directly to the Redpanda binary at startup. For descriptions of these properties, see the configuration documentation.
Default:
{"cluster":{},"node":{},"tunable":{"compacted_log_segment_size":67108864,"group_topic_partitions":16,"kafka_batch_max_bytes":1048576,"kafka_connection_rate_limit":1000,"log_segment_size":134217728,"log_segment_size_max":268435456,"log_segment_size_min":16777216,"max_compacted_log_segment_size":536870912,"topic_partitions_per_shard":1000}}
config.node
Node (broker) properties. See the property reference documentation.
Default: {}
config.tunable
Tunable cluster properties.
Default:
{"compacted_log_segment_size":67108864,"group_topic_partitions":16,"kafka_batch_max_bytes":1048576,"kafka_connection_rate_limit":1000,"log_segment_size":134217728,"log_segment_size_max":268435456,"log_segment_size_min":16777216,"max_compacted_log_segment_size":536870912,"topic_partitions_per_shard":1000}
config.tunable.compacted_log_segment_size
See the property reference documentation.
Default: 67108864
config.tunable.group_topic_partitions
See the property reference documentation.
Default: 16
config.tunable.kafka_batch_max_bytes
See the property reference documentation.
Default: 1048576
config.tunable.kafka_connection_rate_limit
See the property reference documentation.
Default: 1000
config.tunable.log_segment_size
See the property reference documentation.
Default: 134217728
config.tunable.log_segment_size_max
See the property reference documentation.
Default: 268435456
config.tunable.log_segment_size_min
See the property reference documentation.
Default: 16777216
config.tunable.max_compacted_log_segment_size
See the property reference documentation.
Default: 536870912
config.tunable.topic_partitions_per_shard
See the property reference documentation.
Default: 1000
console
Redpanda Console settings. For a reference of configuration settings, see the Redpanda Console documentation.
Default:
{"config":{},"configmap":{"create":false},"deployment":{"create":false},"enabled":true,"secret":{"create":false}}
external
External access settings. For details, see the Networking and Connectivity documentation.
Default:
{"enabled":true,"type":"NodePort"}
external.enabled
Enable external access for each Service. You can toggle external access for each listener in listeners.<service name>.external.<listener-name>.enabled.
Default: true
external.type
External access type. Only NodePort and LoadBalancer are supported. If undefined, then advertised listeners will be configured in Redpanda, but the Helm chart will not create a Service. You must create a Service manually. Warning: If you use LoadBalancers, you will likely experience higher latency and increased packet loss. NodePort is recommended in cases where latency is a priority.
Default: "NodePort"
fullnameOverride
Override redpanda.fullname template.
Default: ""
image
Redpanda Docker image settings.
Default:
{"pullPolicy":"IfNotPresent","repository":"vectorized/redpanda","tag":""}
image.pullPolicy
The imagePullPolicy. If image.tag is 'latest', the default is Always.
Default: "IfNotPresent"
image.repository
Docker repository from which to pull the Redpanda Docker image.
Default: "vectorized/redpanda"
image.tag
The Redpanda version. See DockerHub for: All stable versions and all unstable versions.
Default: Chart.appVersion.
imagePullSecrets
Pull secrets may be used to provide credentials to image repositories. See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
Default: []
license_key
Enterprise license key (optional). For details, see the License documentation.
Default: ""
license_secret_ref
Secret name and secret key where the license key is stored.
Default: {}
listeners
Listener settings. Override global settings configured above for individual listeners. For details, see the listeners documentation.
Default:
{"admin":{"external":{"default":{"advertisedPorts":[31644],"port":9645,"tls":{"cert":"external"}}},"port":9644,"tls":{"cert":"default","requireClientAuth":false}},"http":{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30082],"authenticationMethod":null,"port":8083,"tls":{"cert":"external"}}},"kafkaEndpoint":"default","port":8082,"tls":{"cert":"default","requireClientAuth":false}},"kafka":{"authenticationMethod":null,"external":{"default":{"advertisedPorts":[31092],"authenticationMethod":null,"port":9094,"tls":{"cert":"external"}}},"port":9093,"tls":{"cert":"default","requireClientAuth":false}},"rpc":{"port":33145,"tls":{"cert":"default","requireClientAuth":false}},"schemaRegistry":{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30081],"authenticationMethod":null,"port":8084,"tls":{"cert":"external"}}},"kafkaEndpoint":"default","port":8081,"tls":{"cert":"default","requireClientAuth":false}}}
listeners.admin
Admin API listener (only one).
Default:
{"external":{"default":{"advertisedPorts":[31644],"port":9645,"tls":{"cert":"external"}}},"port":9644,"tls":{"cert":"default","requireClientAuth":false}}
listeners.admin.external
Optional external access settings.
Default:
{"default":{"advertisedPorts":[31644],"port":9645,"tls":{"cert":"external"}}}
listeners.admin.external.default
Name of the external listener.
Default:
{"advertisedPorts":[31644],"port":9645,"tls":{"cert":"external"}}
listeners.admin.external.default.tls
The port advertised to this listener's external clients. List one port if you want to use the same port for each broker (would be the case when using NodePort service). Otherwise, list the port you want to use for each broker in order of StatefulSet replicas. If undefined, listeners.admin.port is used.
Default: {"cert":"external"}
listeners.admin.port
The port for both internal and external connections to the Admin API.
Default: 9644
listeners.admin.tls
Optional TLS section (required if global TLS is enabled).
Default:
{"cert":"default","requireClientAuth":false}
listeners.admin.tls.cert
Name of the Certificate used for TLS (must match a Certificate name that is registered in tls.certs).
Default: "default"
listeners.admin.tls.requireClientAuth
If true, the truststore file for this listener is included in the ConfigMap.
Default: false
listeners.http
HTTP API listeners (aka PandaProxy).
Default:
{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30082],"authenticationMethod":null,"port":8083,"tls":{"cert":"external"}}},"kafkaEndpoint":"default","port":8082,"tls":{"cert":"default","requireClientAuth":false}}
listeners.kafka
Kafka API listeners.
Default:
{"authenticationMethod":null,"external":{"default":{"advertisedPorts":[31092],"authenticationMethod":null,"port":9094,"tls":{"cert":"external"}}},"port":9093,"tls":{"cert":"default","requireClientAuth":false}}
listeners.kafka.external.default.advertisedPorts
If undefined, listeners.kafka.external.default.port is used.
Default: [31092]
listeners.kafka.external.default.port
The port used for external client connections.
Default: 9094
listeners.kafka.port
The port for internal client connections.
Default: 9093
listeners.rpc
RPC listener (this is never externally accessible).
Default:
{"port":33145,"tls":{"cert":"default","requireClientAuth":false}}
listeners.schemaRegistry
Schema registry listeners.
Default:
{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30081],"authenticationMethod":null,"port":8084,"tls":{"cert":"external"}}},"kafkaEndpoint":"default","port":8081,"tls":{"cert":"default","requireClientAuth":false}}
logging
Log-level settings.
Default:
{"logLevel":"info","usageStats":{"enabled":true}}
logging.logLevel
Log level. Valid values (from least to most verbose) are: warn, info, debug, and trace.
Default: "info"
logging.usageStats
Send usage statistics back to Redpanda Data. For details, see the stats reporting documentation.
Default: {"enabled":true}
monitoring
Monitoring. This will create a ServiceMonitor that can be used by Prometheus-Operator or VictoriaMetrics-Operator to scrape the metrics.
Default:
{"enabled":false,"scrapeInterval":"30s"}
nameOverride
Override redpanda.name template.
Default: ""
nodeSelector
Node selection constraints for scheduling Pods. You can override this for StatefulSets. For details, see the Kubernetes documentation.
Default: {}
post_install_job.enabled
Default: true
post_upgrade_job.enabled
Default: true
rackAwareness
Rack Awareness settings. For details, see the Rack Awareness documentation.
Default:
{"enabled":false,"nodeAnnotation":"topology.kubernetes.io/zone"}
rackAwareness.enabled
When running in multiple racks or availability zones, use a Kubernetes Node annotation value as the Redpanda rack value. Enabling this requires running with a service account with "get" Node permissions. To have the Helm chart configure these permissions, set serviceAccount.create=true and rbac.enabled=true.
Default: false
rackAwareness.nodeAnnotation
The common well-known annotation to use as the rack ID. Override this only if you use a custom Node annotation.
Default:
"topology.kubernetes.io/zone"
rbac
Role Based Access Control.
Default:
{"annotations":{},"enabled":false}
rbac.annotations
Annotations to add to the rbac resources.
Default: {}
rbac.enabled
Enable for features that need extra privileges.
Default: false
resources
Pod resource management. This section simplifies resource allocation by providing a single location where resources are defined. Helm sets these resource values within the statefulset.yaml and configmap.yaml templates. The default values are for a development environment. Production-level values and other considerations are documented, where those values are different from the default. For details, see the Pod resources documentation.
Default:
{"cpu":{"cores":1},"memory":{"container":{"max":"2.5Gi"}}}
resources.cpu
CPU resources. For details, see the Pod resources documentation.
Default: {"cores":1}
resources.cpu.cores
Redpanda makes use of a thread per core model. For details, see this blog. For this reason, Redpanda should only be given full cores. Note: You can increase cores, but decreasing cores is not currently supported. See the GitHub issue. This setting is equivalent to --smp, resources.requests.cpu, and resources.limits.cpu. For production, use 4 or greater.
Default: 1
resources.memory
Memory resources. For details, see the Pod resources documentation.
Default:
{"container":{"max":"2.5Gi"}}
resources.memory.container.max
Maximum memory count for each Redpanda broker. Equivalent to resources.limits.memory. For production, use 10Gi or greater.
Default: "2.5Gi"
serviceAccount
Service account management.
Default:
{"annotations":{},"create":false,"name":""}
serviceAccount.annotations
Annotations to add to the service account.
Default: {}
serviceAccount.create
Specifies whether a service account should be created.
Default: false
serviceAccount.name
The name of the service account to use. If not set and serviceAccount.create is true, a name is generated using the redpanda.fullname template.
Default: ""
statefulset.additionalRedpandaCmdFlags
Additional flags to pass to redpanda.
Default: []
statefulset.annotations
Additional annotations to apply to the Pods of this StatefulSet.
Default: {}
statefulset.budget.maxUnavailable
Default: 1
statefulset.initContainerImage.repository
Default: "busybox"
statefulset.initContainerImage.tag
Default: "latest"
statefulset.initContainers.configurator.resources
Default: {}
statefulset.initContainers.setDataDirOwnership.enabled
In environments where root is not allowed, you cannot change the ownership of files and directories. Enable setDataDirOwnership when using default minikube cluster configuration.
Default: false
statefulset.initContainers.setDataDirOwnership.resources
Default: {}
statefulset.initContainers.setTieredStorageCacheDirOwnership.resources
Default: {}
statefulset.initContainers.tuning.resources
Default: {}
statefulset.livenessProbe.failureThreshold
Default: 3
statefulset.livenessProbe.initialDelaySeconds
Default: 10
statefulset.livenessProbe.periodSeconds
Default: 10
statefulset.nodeSelector
Node selection constraints for scheduling Pods of this StatefulSet. These constraints override the global nodeSelector value. For details, see the Kubernetes documentation.
Default: {}
statefulset.podAffinity
Inter-Pod Affinity rules for scheduling Pods of this StatefulSet. For details, see the Kubernetes documentation.
Default: {}
statefulset.podAntiAffinity
Anti-affinity rules for scheduling Pods of this StatefulSet. For details, see the Kubernetes documentation. You may either edit the default settings for anti-affinity rules, or specify new anti-affinity rules to use instead of the defaults.
Default:
{"custom":{},"topologyKey":"kubernetes.io/hostname","type":"hard","weight":100}
statefulset.podAntiAffinity.custom
Change podAntiAffinity.type to custom and provide your own podAntiAffinity rules here.
Default: {}
statefulset.podAntiAffinity.topologyKey
The topologyKey to be used. Can be used to spread across different nodes, AZs, regions etc.
Default: "kubernetes.io/hostname"
statefulset.podAntiAffinity.type
Valid anti-affinity types are soft, hard, or custom. Use custom if you want to supply your own anti-affinity rules in the podAntiAffinity.custom object.
Default: "hard"
statefulset.podAntiAffinity.weight
Weight for soft anti-affinity rules. Does not apply for other anti-affinity types.
Default: 100
statefulset.priorityClassName
PriorityClassName given to Pods of this StatefulSet. For details, see the Kubernetes documentation.
Default: ""
statefulset.readinessProbe.failureThreshold
Default: 3
statefulset.readinessProbe.initialDelaySeconds
Default: 1
statefulset.readinessProbe.periodSeconds
Default: 10
statefulset.readinessProbe.successThreshold
Default: 1
statefulset.replicas
Number of Redpanda brokers (Redpanda Data recommends setting this to the number of worker nodes in the cluster)
Default: 3
statefulset.securityContext.fsGroup
Default: 101
statefulset.securityContext.fsGroupChangePolicy
Default: "OnRootMismatch"
statefulset.securityContext.runAsUser
Default: 101
statefulset.sideCars.configWatcher.enabled
Default: true
statefulset.sideCars.configWatcher.resources
Default: {}
statefulset.startupProbe
Adjust the period for your probes to meet your needs. For details, see the Kubernetes documentation.
Default:
{"failureThreshold":120,"initialDelaySeconds":1,"periodSeconds":10}
statefulset.terminationGracePeriodSeconds
Default: 90
statefulset.tolerations
Taints to be tolerated by Pods of this StatefulSet. These tolerations override the global tolerations value. For details, see the Kubernetes documentation.
Default: []
statefulset.topologySpreadConstraints[0].maxSkew
Default: 1
statefulset.topologySpreadConstraints[0].topologyKey
Default:
"topology.kubernetes.io/zone"
statefulset.topologySpreadConstraints[0].whenUnsatisfiable
Default: "ScheduleAnyway"
statefulset.updateStrategy.type
Default: "RollingUpdate"
storage
Persistence settings. For details, see the storage documentation.
Default:
{"hostPath":"","persistentVolume":{"annotations":{},"enabled":true,"labels":{},"size":"20Gi","storageClass":""},"tieredConfig":{"cloud_storage_access_key":"","cloud_storage_api_endpoint":"","cloud_storage_azure_container":null,"cloud_storage_azure_shared_key":null,"cloud_storage_azure_storage_account":null,"cloud_storage_bucket":"","cloud_storage_cache_size":5368709120,"cloud_storage_credentials_source":"config_file","cloud_storage_enable_remote_read":true,"cloud_storage_enable_remote_write":true,"cloud_storage_enabled":false,"cloud_storage_region":"","cloud_storage_secret_key":""},"tieredStorageHostPath":"","tieredStoragePersistentVolume":{"annotations":{},"enabled":false,"labels":{},"storageClass":""}}
storage.hostPath
Absolute path on the host to store Redpanda's data. If unspecified, then an emptyDir volume is used. If specified but persistentVolume.enabled is true, storage.hostPath has no effect.
Default: ""
storage.persistentVolume
If persistentVolume.enabled is true, a PersistentVolumeClaim is created and used to store Redpanda's data. Otherwise, storage.hostPath is used.
Default:
{"annotations":{},"enabled":true,"labels":{},"size":"20Gi","storageClass":""}
storage.persistentVolume.annotations
Additional annotations to apply to the created PersistentVolumeClaims.
Default: {}
storage.persistentVolume.labels
Additional labels to apply to the created PersistentVolumeClaims.
Default: {}
storage.persistentVolume.storageClass
To disable dynamic provisioning, set to "-". If undefined or empty (default), then no storageClassName spec is set, and the default dynamic provisioner is chosen (gp2 on AWS, standard on GKE, AWS & OpenStack).
Default: ""
storage.tieredConfig
Tiered Storage settings. Requires license_key or license_secret_ref. For details, see the Tiered Storage documentation.
Default:
{"cloud_storage_access_key":"","cloud_storage_api_endpoint":"","cloud_storage_azure_container":null,"cloud_storage_azure_shared_key":null,"cloud_storage_azure_storage_account":null,"cloud_storage_bucket":"","cloud_storage_cache_size":5368709120,"cloud_storage_credentials_source":"config_file","cloud_storage_enable_remote_read":true,"cloud_storage_enable_remote_write":true,"cloud_storage_enabled":false,"cloud_storage_region":"","cloud_storage_secret_key":""}
storage.tieredConfig.cloud_storage_access_key
Required for AWS and GCS authentication with access keys. See the property reference documentation.
Default: ""
storage.tieredConfig.cloud_storage_api_endpoint
See the property reference documentation.
Default: ""
storage.tieredConfig.cloud_storage_azure_container
Required for ABS. See the property reference documentation.
Default: nil
storage.tieredConfig.cloud_storage_azure_shared_key
Required for ABS. See the property reference documentation.
Default: nil
storage.tieredConfig.cloud_storage_azure_storage_account
Required for ABS. See the property reference documentation.
Default: nil
storage.tieredConfig.cloud_storage_bucket
Required for AWS and GCS. See the property reference documentation.
Default: ""
storage.tieredConfig.cloud_storage_cache_size
Maximum size of the disk cache used by Tiered Storage. Default is 20 GiB. See the property reference documentation.
Default: 5368709120
storage.tieredConfig.cloud_storage_credentials_source
Required for AWS and GCS authentication with IAM roles. See the property reference documentation.
Default: "config_file"
storage.tieredConfig.cloud_storage_enable_remote_read
See the property reference documentation.
Default: true
storage.tieredConfig.cloud_storage_enable_remote_write
See the property reference documentation.
Default: true
storage.tieredConfig.cloud_storage_enabled
Global flag that enables Tiered Storage if a license key is provided. See the property reference documentation.
Default: false
storage.tieredConfig.cloud_storage_region
Required for AWS and GCS. See the property reference documentation.
Default: ""
storage.tieredConfig.cloud_storage_secret_key
Required for AWS and GCS authentication with access keys. See the property reference documentation.
Default: ""
storage.tieredStorageHostPath
Absolute path on the host to store Redpanda's Tiered Storage cache. If unspecified, then an emptyDir volume is used. If specified but tieredStoragePersistentVolume.enabled is true, storage.tieredStorageHostPath has no effect.
Default: ""
storage.tieredStoragePersistentVolume.annotations
Additional annotations to apply to the created PersistentVolumeClaims.
Default: {}
storage.tieredStoragePersistentVolume.labels
Additional labels to apply to the created PersistentVolumeClaims.
Default: {}
storage.tieredStoragePersistentVolume.storageClass
To disable dynamic provisioning, set to "-". If undefined or empty (default), then no storageClassName spec is set, and the default dynamic provisioner is chosen (gp2 on AWS, standard on GKE, AWS & OpenStack).
Default: ""
tls
TLS settings. For details, see the TLS documentation.
Default:
{"certs":{"default":{"caEnabled":true},"external":{"caEnabled":true}},"enabled":true}
tls.certs
List all Certificates here, then you can reference a specific Certificate's name in each listener's listeners.<listener name>.tls.cert setting.
Default:
{"default":{"caEnabled":true},"external":{"caEnabled":true}}
tls.certs.default
This key is the Certificate name. To apply the Certificate to a specific listener, reference the Certificate's name in listeners.<listener-name>.tls.cert.
Default: {"caEnabled":true}
tls.certs.default.caEnabled
Set the caEnabled flag to true only for Certificates that are not authenticated using public authorities.
Default: true
tls.certs.external
Example external TLS configuration. Uncomment and set the right key for the listeners that require it, and also enable the TLS setting for those listeners.
Default: {"caEnabled":true}
tls.certs.external.caEnabled
Set the caEnabled flag to true only for Certificates that are not authenticated using public authorities.
Default: true
tls.enabled
Enable TLS globally for all listeners. Each listener must include a Certificate name in its <listener>.tls object. To allow you to enable TLS for individual listeners, Certificates in auth.tls.certs are always loaded, even if tls.enabled is false. See listeners.<listener-name>.tls.enabled.
Default: true
tolerations
Taints to be tolerated by Pods. You can override this for StatefulSets. For details, see the Kubernetes documentation.
Default: []
tuning
Redpanda tuning settings. Each is set to its default value in Redpanda.
Default: {"tune_aio_events":true}
tuning.tune_aio_events
Increase the maximum number of outstanding asynchronous IO operations if the current value is below a certain threshold. This allows Redpanda to make as many simultaneous IO requests as possible, increasing throughput. When this option is enabled, Helm creates a privileged container. If your security profile does not allow this, see the tuning documentation.
Default: true
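A pre-deployment check over the security-relevant defaults documented above (auth.sasl, external, listeners.*.tls.requireClientAuth, tls.enabled, statefulset.initContainerImage.tag, tuning.tune_aio_events), as an added example that is not part of the chart or its documentation. The default values are a subset transcribed from this page's Default entries; the function names, the merge helper, and the hardened override (including its placeholder image tag) are assumptions for illustration.

```python
import json

# Subset of the chart defaults, transcribed from the "Default:" entries on this page.
CHART_DEFAULTS = json.loads("""
{"auth": {"sasl": {"enabled": false, "mechanism": "SCRAM-SHA-512",
                   "secretRef": "redpanda-users",
                   "users": [{"mechanism": "SCRAM-SHA-512", "name": "admin",
                              "password": "change-me"}]}},
 "external": {"enabled": true, "type": "NodePort"},
 "listeners": {"admin": {"external": {"default": {"advertisedPorts": [31644],
                                                   "port": 9645,
                                                   "tls": {"cert": "external"}}},
                         "port": 9644,
                         "tls": {"cert": "default", "requireClientAuth": false}},
               "rpc": {"port": 33145,
                       "tls": {"cert": "default", "requireClientAuth": false}}},
 "statefulset": {"initContainerImage": {"repository": "busybox", "tag": "latest"}},
 "tls": {"enabled": true},
 "tuning": {"tune_aio_events": true}}
""")

# Constructed override file contents (hypothetical); the tag is a placeholder.
HARDENED_OVERRIDE = {
    "auth": {"sasl": {"enabled": True, "users": []}},  # Secret created beforehand
    "listeners": {"admin": {"tls": {"requireClientAuth": True}}},
    "statefulset": {"initContainerImage": {"tag": "PINNED-TAG-PLACEHOLDER"}},
    "tuning": {"tune_aio_events": False},
}


def merge(base, override):
    """Helm-style merge: maps merge recursively, scalars and lists are replaced."""
    out = dict(base)
    for key, val in override.items():
        if isinstance(val, dict) and isinstance(out.get(key), dict):
            out[key] = merge(out[key], val)
        else:
            out[key] = val
    return out


def audit(values):
    """Return (path, reason) findings for the effective (merged) values."""
    findings = []
    sasl = values["auth"]["sasl"]
    if not sasl["enabled"]:
        findings.append(("auth.sasl.enabled", "SASL authentication is off"))
        if values["external"]["enabled"]:
            findings.append(("external.enabled",
                             "external access is on while SASL is off"))
    for user in sasl["users"]:
        if user.get("password") == "change-me":
            findings.append(("auth.sasl.users",
                             f"superuser {user['name']!r} keeps the default password"))
    if not values["tls"]["enabled"]:
        findings.append(("tls.enabled", "TLS is not enabled globally"))
    for name, listener in values["listeners"].items():
        # Only listeners with an external section are reachable from outside.
        if "external" in listener and not listener["tls"]["requireClientAuth"]:
            findings.append((f"listeners.{name}.tls.requireClientAuth",
                             "false on a listener with external access"))
    if values["statefulset"]["initContainerImage"]["tag"] == "latest":
        findings.append(("statefulset.initContainerImage.tag",
                         "init container image uses the mutable 'latest' tag"))
    if values["tuning"]["tune_aio_events"]:
        findings.append(("tuning.tune_aio_events",
                         "Helm creates a privileged container for this tuner"))
    return findings


if __name__ == "__main__":
    for path, reason in audit(CHART_DEFAULTS):
        print(f"{path}: {reason}")
```
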