Helm values reference
Key Kollect chart values for platform operators. This page summarizes the most common production knobs; the authoritative full list lives in the chart tree.
Assumptions
This guide assumes Helm 3 and a chart install path (Install). For CRD vs operator upgrade ordering, see Upgrading Kollect.
Pre-beta API
v1alpha1 fields may change. Check ROADMAP before locking production values.
Source of truth
| File | Purpose |
|---|---|
| `charts/kollect/values.yaml` | All defaults |
| `charts/kollect/values.schema.json` | JSON Schema validation (CI: `task helm-test`) |
| `charts/kollect/README.md` | Inventory HTTP auth, connection-test detail |
Do not duplicate the chart README
The oauth2-proxy sidecar layout and inventory HTTP RBAC examples are maintained in the chart README only — link there instead of copying large blocks into docs.
Core values
| Key | Description | Default |
|---|---|---|
| `image.repository` | Controller image | `ghcr.io/konih/kollect` |
| `image.tag` | Image tag | `latest` (pin in production) |
| `replicaCount` | Manager pod replicas | `1` |
| `leaderElection.enabled` | Controller-runtime leader election | `true` |
| `mode` | Operator deployment mode — single-cluster only; fleets run N single-mode operators (ADR-0501) | `single` |
| `tenantMode` | Namespaced Role RBAC for per-team installs | `false` |
| `watchNamespaces` | Restrict informer cache to these namespaces | `[]` (all) |
| `webhooks.enabled` | Validating webhook for profiles | `true` |
| `webhooks.certManager.create` | cert-manager Certificate for webhook TLS | `true` |
| `sinkDefaults.connectionTest` | Default for sample KollectSink probes | `false` |
| `scrubKeys` | Extra attribute map keys redacted before store insert | `[]` (built-in denylist always on) |
Export debouncing is configured per sink ref on KollectInventory / KollectClusterInventory (ADR-0413): ref override → sink default → inventory default 30s → scope floor.
Enable Prometheus Operator scraping and alerts:
```yaml
metrics:
  serviceMonitor:
    enabled: true
    labels:
      release: kube-prometheus-stack
  prometheusRule:
    enabled: true
    labels:
      release: kube-prometheus-stack
```
See Metrics for the alert catalog and chart README — monitoring.
Per-team install (minimal RBAC)
Golden path: platform cluster-wide operator + namespaced KollectScope per tenant.
Team path: chart profile values-minimal-rbac.yaml (ADR-0203).
```bash
# Quote the --set expression so the shell does not treat [0] as a glob pattern.
helm upgrade --install kollect-team ./charts/kollect \
  --namespace team-a --create-namespace \
  -f charts/kollect/values-minimal-rbac.yaml \
  --set 'watchNamespaces[0]=team-a'
```
Key values:
```yaml
tenantMode: true
watchNamespaces:
  - team-a
webhooks:
  enabled: false
featureGates:
  inventoryHttp:
    enabled: false
```
Namespaced KollectProfile, family sinks, KollectTarget, and KollectInventory live in the team namespace. Grant workload get/list/watch via a separate RoleBinding — see Team-owned operator.
Walkthroughs: Team-owned operator · Multi-tenant watch scope.
Multi-cluster fleet
Run one operator per cluster; export to a shared sink with distinct spec.cluster values (ADR-0501).
| Pattern | Key values | Notes |
|---|---|---|
| Postgres fleet | Same DSN, different `spec.cluster` on KollectDatabaseSink | Rows merge by PK |
| Git fleet | `pathTemplate: clusters/{cluster}/…` on snapshot sink | Per-cluster paths |
Walkthrough: Multi-cluster fleet.
Feature gates
Optional HTTP and debug surfaces are off by default (ADR-0704):
| Gate | Helm values | Default |
|---|---|---|
| Inventory HTTP API | `featureGates.inventoryHttp.enabled` | `false` |
| pprof | `pprof.enabled` | `false` |
| Validating webhooks | `webhooks.enabled` | `true` |

Inventory HTTP auth uses Kubernetes bearer tokens by default (ADR-0404). Optional oauth2Proxy sidecar is for browser/OIDC only — see the chart README — Inventory HTTP authentication.
Connection tests
Production sink manifests should use `spec.connectionTest: false` (chart default) and trigger probes with the `kollect.dev/test-connection: "true"` annotation when needed. CI and samples may set `connectionTest: true` (ADR-0403).
Resources, metrics, and webhooks
| Key | Description | Default |
|---|---|---|
| `resources` | CPU/memory requests and limits | See values.yaml |
| `metrics.enabled` | Prometheus metrics listener | `true` |
| `metrics.serviceMonitor.enabled` | Prometheus Operator ServiceMonitor | `false` |
| `metrics.prometheusRule.enabled` | Default PrometheusRule alerts | `false` |
| `controller.maxConcurrentReconciles.*` | Per-controller concurrency | See values.yaml |
| `extraArgs` | Additional manager flags (debug only) | `[]` |
Webhook serving certificates: cert-manager default or self-signed bootstrap — ADR-0105 · Cert-manager webhooks example.
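
The guidance above (pinned `image.tag`, debug and HTTP surfaces off, `connectionTest` false, empty `extraArgs`, scoped per-team installs) can be checked mechanically before a rollout. The script below is an added example, not part of the Kollect chart or its documentation; it assumes the merged values were exported with `helm get values <release> --all -o json`, and the sample release plus the `get` and `audit` helper names are constructed for illustration.

```python
import json

# Constructed sample of merged values, in the shape printed by
# `helm get values <release> --all -o json` (release contents are made up).
SAMPLE = json.loads("""{
  "image": {"repository": "ghcr.io/konih/kollect", "tag": "latest"},
  "tenantMode": true, "watchNamespaces": [],
  "webhooks": {"enabled": false},
  "featureGates": {"inventoryHttp": {"enabled": true}},
  "pprof": {"enabled": true},
  "sinkDefaults": {"connectionTest": false},
  "extraArgs": []
}""")

def get(values, dotted, default=None):
    """Walk a dotted key such as 'pprof.enabled'; a missing key gives default."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node

def audit(values):
    """Return (key, reason) pairs for values to review before production."""
    findings = []
    # An absent, null or empty tag falls back to the chart default, latest.
    if (get(values, "image.tag") or "latest") == "latest":
        findings.append(("image.tag", "not pinned to a release tag"))
    for key, reason in [
        ("pprof.enabled", "debug surface, off by default"),
        ("featureGates.inventoryHttp.enabled", "optional HTTP surface, off by default"),
        ("sinkDefaults.connectionTest", "use the test-connection annotation instead"),
    ]:
        if get(values, key, False):
            findings.append((key, reason))
    if get(values, "extraArgs", []):
        findings.append(("extraArgs", "additional manager flags are debug only"))
    if get(values, "tenantMode", False):  # per-team install checks
        if not get(values, "watchNamespaces", []):
            findings.append(("watchNamespaces", "[] means all namespaces"))
        if get(values, "webhooks.enabled", True):
            findings.append(("webhooks.enabled", "values-minimal-rbac.yaml sets false"))
    return findings

if __name__ == "__main__":
    for key, reason in audit(SAMPLE):
        print(f"{key}: {reason}")
```

A finding is a prompt to confirm the setting is intended, since the Inventory HTTP API is a supported optional feature rather than a misconfiguration.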
See also
- Operator manual · Upgrading Kollect · Metrics
- ADR-0704: Helm chart and CRD lifecycle
- High availability — `replicaCount` and leader election