Helm Values Reference

The kMetal umbrella chart exposes the following top-level keys. Defaults are documented in the chart's values.yaml; this page shows the shape you'd use in your overlay.

Top-level shape

network:
  flannel: { ... }
  kubeOvn: { ... }
  multus:  { ... }
metallb:      { ... }
kubevirt:     { ... }
cdi:          { ... }
kamaji:       { ... }
capi:         { ... }
certManager:  { ... }
glue:
  kamajiAddonOvn: { ... }
storage:
  localPath: { ... }
tenants:
  defaults: { ... }

# Sub-chart override blocks (passed straight through to each sub-chart)
cert-manager:            { ... }
flannel:                 { ... }
kube-ovn:                { ... }
metallb:                 { ... }      # operator-facing key above; this is the sub-chart override
local-path-provisioner:  { ... }
kamaji:                  { ... }      # operator-facing key above; this is the sub-chart override
capi-operator:           { ... }
kubevirt-operator:       { ... }
kubevirt:                { ... }      # operator-facing key above; this is the sub-chart override
cdi-operator:            { ... }
cdi:                     { ... }      # operator-facing key above; this is the sub-chart override
kamaji-addon-ovn:        { ... }

The operator-facing key (kamaji, kubevirt, cdi, …) sets a small surface of opinionated knobs; the matching sub-chart override block accepts the underlying chart's full schema for everything else. The two are merged at install time.

Operator-facing keys

network

network:
  flannel:
    enabled: true
    podCidr: "10.93.0.0/16"
    backend: "host-gw"
  kubeOvn:
    enabled: true
    podCidr: "10.16.0.0/16"
    podGateway: "10.16.0.1"
    svcCidr: "10.96.0.0/16"
    joinCidr: "100.64.0.0/16"
    tunnelInterface: ""          # REQUIRED per deployment
    tunnelType: "geneve"          # geneve | vxlan | stt
    externalGatewaySwitch: "external"
    externalGatewayVlanId: "0"
  multus:
    enabled: true

metallb

metallb:
  enabled: true
  pools: []                       # per-deployment overlay populates this
  l2Advertisements: []
  controller:
    nodeSelector:
      node-role.kubernetes.io/control-plane: ""

kubevirt

kubevirt:
  enabled: true
  version: v1.7.2                  # vendored upstream; bump only when re-vendoring
  namespace: system-kubevirt
  spec: {}                         # KubeVirt CR spec; {} = operator defaults

cdi

cdi:
  enabled: true
  version: v1.64.0
  spec:
    config:
      featureGates:
        - HonorWaitForFirstConsumer
    infra:
      nodeSelector:
        node-role.kubernetes.io/control-plane: ""

kamaji

kamaji:
  enabled: true
  replicas: 2
  defaultDatastore: ""             # per-Cluster choice; no platform default

capi

capi:
  enabled: true
  namespace: kmetal-capi-providers
  providers:
    core:
      version: "v1.10.10"
    bootstrap:
      kubeadm:
        enabled: true
        version: "v1.10.10"
    infrastructure:
      kubevirt:
        enabled: true
        version: "v0.10.5"         # CAPK
    controlPlane:
      kamaji:
        enabled: true
        version: "v0.19.0"         # CACPK

certManager

certManager:
  enabled: true
  installCRDs: true

glue.kamajiAddonOvn

glue:
  kamajiAddonOvn:
    enabled: true

storage.localPath

storage:
  localPath:
    enabled: true                  # set false to use a vendor CSI driver instead
    nodePathMap: []                # per-deployment overlay

tenants.defaults

tenants:
  defaults:
    workerImage: ""                # default tenant worker image
    workerSize: small

Sub-chart override blocks

Each sub-chart accepts its upstream schema verbatim under the matching top-level key. See the upstream chart's values.yaml for the full set of options.

cert-manager (sub-chart)

Defaults pin all four cert-manager components (controller, cainjector, webhook, startupapicheck) to control-plane nodes.

cert-manager:
  crds:
    enabled: true
  nodeSelector:
    node-role.kubernetes.io/control-plane: ""
  cainjector:
    nodeSelector:
      node-role.kubernetes.io/control-plane: ""
  webhook:
    nodeSelector:
      node-role.kubernetes.io/control-plane: ""
  startupapicheck:
    nodeSelector:
      node-role.kubernetes.io/control-plane: ""

kube-ovn (sub-chart)

Critical Kube-OVN overrides (these line up with network.kubeOvn.* via YAML anchors in the reference overlays):

kube-ovn:
  ipv4:
    POD_CIDR: "10.16.0.0/16"
    POD_GATEWAY: "10.16.0.1"
    SVC_CIDR: "10.96.0.0/16"
  networking:
    IFACE: ""                       # NIC for Geneve traffic (REQUIRED)
    TUNNEL_TYPE: "geneve"
    ENABLE_EIP_SNAT: true
  cni_conf:
    NON_PRIMARY_CNI: true           # Kube-OVN runs as secondary CNI via Multus
    CNI_CONFIG_PRIORITY: "99"       # ensures Flannel is the default delegate
  func:
    ENABLE_NAT_GW: false            # we use OVN distributed gateway, not vpc-nat-gw

kamaji (sub-chart)

kamaji:
  imagePullSecrets:
    - name: clastix-ghcr
  nodeSelector:
    node-role.kubernetes.io/control-plane: ""
  resources:
    requests: { cpu: "1", memory: 512Mi }
    limits:   { cpu: "2", memory: 1Gi  }
  defaultDatastoreName: ""

local-path-provisioner (sub-chart)

local-path-provisioner:
  storageClass:
    create: true
    defaultClass: true
    name: local-path
    reclaimPolicy: Delete
    volumeBindingMode: WaitForFirstConsumer
  nodeSelector:
    node-role.kubernetes.io/control-plane: ""
  nodePathMap: []

Others

flannel, kubevirt-operator, cdi-operator, kamaji-addon-ovn, and capi-operator accept their upstream schemas. For most deployments, the chart's defaults are sufficient.

Per-environment overlays

Maintain one overlay per environment. The values that change between deployments, some of which are repeated under both the operator-facing key and the sub-chart override block:

  • network.kubeOvn.tunnelInterface and kube-ovn.networking.IFACE
  • metallb.pools[].addresses
  • storage.localPath.nodePathMap and local-path-provisioner.nodePathMap
  • Resource limits and replica counts (sub-chart override blocks)

The chart's reference overlays use YAML anchors so each canonical value appears once. See the chart's values.yaml header comments for the anchor pattern.

Validation

helm template kmetal oci://ghcr.io/clastix/oci/kmetal \
  --values kmetal-values.yaml > rendered.yaml

Inspect rendered.yaml for the resources, namespaces, and image tags you expect before running helm install / helm upgrade.
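
One way to script that inspection, as an added example that is not part of the kMetal chart or its documentation: it lists image references that are untagged or use :latest, and namespaces outside an allowlist you supply. The sample render, the registry.example image names and the function names are constructed for illustration; pass the path to your own rendered.yaml as the first argument to check a real render.

```shell
# Constructed sample render (hypothetical registry, not real chart output).
sample_render() {
  cat <<'EOF'
kind: Pod
metadata:
  namespace: system-kubevirt
spec:
  containers:
    - image: "registry.example/kubevirt/virt-operator:v1.7.2"
---
kind: Pod
metadata:
  namespace: default
spec:
  containers:
    - name: debug
      image: registry.example/tools/debug:latest
    - image: registry.example/tools/helper
EOF
}

# Values of every `KEY:` line (plain or list-item form), quotes stripped.
values_of() {  # usage: values_of KEY FILE
  awk -v k="$1:" '$1 == k { print $2 } $1 == "-" && $2 == k { print $3 }' "$2" |
    tr -d "\"'" | sort -u
}
list_images()     { values_of image "$1"; }
list_namespaces() { values_of namespace "$1"; }

# Images that are not pinned to an explicit tag or a digest.
unpinned_images() {
  list_images "$1" | while IFS= read -r img; do
    case "${img##*/}" in           # look only at the part after the last "/"
      *@sha256:*) ;;               # pinned by digest
      *:latest)   echo "$img" ;;   # mutable tag
      *:?*)       ;;               # explicit tag
      *)          echo "$img" ;;   # no tag, resolves to latest
    esac
  done
}

# Namespaces referenced in FILE that are not in the space-separated allowlist.
unexpected_namespaces() {  # usage: unexpected_namespaces FILE "ns1 ns2 ..."
  list_namespaces "$1" | while IFS= read -r ns; do
    case " $2 " in *" $ns "*) ;; *) echo "$ns" ;; esac
  done
}

render=${1:-}; [ -n "$render" ] || { render=$(mktemp); sample_render > "$render"; }
echo "unpinned images:"; unpinned_images "$render"
echo "unexpected namespaces:"; unexpected_namespaces "$render" "system-kubevirt kmetal-capi-providers"
```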