Data Plane
Dependencies
This chart depends on the following sub-charts. For full configuration options of each dependency, please refer to their official documentation.
| Name | Version | Repository | Condition |
|---|---|---|---|
| kube-prometheus-stack | 81.6.3 | https://prometheus-community.github.io/helm-charts | kube-prometheus-stack.enabled |
Cluster Agent
Configuration for the cluster agent, which holds the outbound WebSocket connection from this data plane to the cluster gateway in the control plane.
| Parameter | Description | Type | Default |
|---|---|---|---|
| clusterAgent.affinity | Affinity rules for pod scheduling | object | {} |
| clusterAgent.heartbeatInterval | Interval between heartbeat messages to the control plane | string | 30s |
| clusterAgent.image.pullPolicy | Image pull policy | string | IfNotPresent |
| clusterAgent.image.repository | Cluster agent image repository | string | ghcr.io/openchoreo/cluster-agent |
| clusterAgent.image.tag | Image tag. Empty uses Chart.AppVersion. | string | |
| clusterAgent.logLevel | Log level for the cluster agent | string | info |
| clusterAgent.name | Name of the cluster agent deployment | string | cluster-agent-dataplane |
| clusterAgent.nodeSelector | Node selector for pod scheduling | object | {} |
| clusterAgent.planeID | Logical plane identifier shared across multiple CRs connecting to the same physical plane. Defaults to the Helm release name if not specified. | string | default |
| clusterAgent.planeType | Type of plane this agent manages | string | dataplane |
| clusterAgent.podAnnotations | Annotations to add to cluster agent pods | object | {} |
| clusterAgent.podDisruptionBudget.enabled | Enable a PodDisruptionBudget for the cluster agent | boolean | false |
| clusterAgent.podDisruptionBudget.maxUnavailable | Maximum number of pods that can be unavailable | integer,null | null |
| clusterAgent.podDisruptionBudget.minAvailable | Minimum number of pods that must be available | integer | 1 |
| clusterAgent.podSecurityContext.fsGroup | Group ID for volume mounts | integer | 1000 |
| clusterAgent.podSecurityContext.runAsNonRoot | Run the container as a non-root user | boolean | true |
| clusterAgent.podSecurityContext.runAsUser | User ID to run the container as | integer | 1000 |
| clusterAgent.priorityClass.create | Create a PriorityClass for the cluster agent | boolean | false |
| clusterAgent.priorityClass.name | PriorityClass name | string | cluster-agent-dataplane |
| clusterAgent.priorityClass.value | Priority value (higher = more important) | integer | 900000 |
| clusterAgent.rbac.create | Create RBAC resources (ClusterRole, ClusterRoleBinding) | boolean | true |
| clusterAgent.reconnectDelay | Delay before attempting reconnection after a disconnect | string | 5s |
| clusterAgent.replicas | Number of cluster agent replicas (typically 1 per data plane) | integer | 1 |
| clusterAgent.resources.limits.cpu | CPU limit for the agent | string | 100m |
| clusterAgent.resources.limits.memory | Memory limit for the agent | string | 256Mi |
| clusterAgent.resources.requests.cpu | CPU request for the agent | string | 50m |
| clusterAgent.resources.requests.memory | Memory request for the agent | string | 128Mi |
| clusterAgent.securityContext.allowPrivilegeEscalation | Allow the container process to gain more privileges than its parent; false sets no_new_privs on the container | boolean | false |
| clusterAgent.securityContext.capabilities.drop | Capabilities to drop from the container | array | ["ALL"] |
| clusterAgent.securityContext.readOnlyRootFilesystem | Mount the root filesystem read-only | boolean | true |
| clusterAgent.serverUrl | WebSocket URL of the cluster gateway in the control plane | string | wss://cluster-gateway.openchoreo-control-plane.svc.cluster.local:8443/ws |
| clusterAgent.serviceAccount.annotations | Annotations to add to the service account | object | {} |
| clusterAgent.serviceAccount.create | Create a service account for the cluster agent | boolean | true |
| clusterAgent.serviceAccount.name | Service account name | string | cluster-agent-dataplane |
| clusterAgent.tls.caSecretName | Name of the Secret holding the CA that signs the agent's client certificate. If empty, a self-signed CA is generated locally; in a multi-cluster setup this must name a CA that the control plane gateway trusts. | string | cluster-gateway-ca |
| clusterAgent.tls.clientSecretName | Secret name for the client certificate (typically the same as secretName) | string | cluster-agent-tls |
| clusterAgent.tls.duration | Certificate validity duration | string | 2160h |
| clusterAgent.tls.enabled | Enable TLS for agent-gateway communication | boolean | true |
| clusterAgent.tls.generateCerts | Generate client certificates locally using cert-manager with a self-signed CA | boolean | true |
| clusterAgent.tls.renewBefore | Time before expiry at which the certificate is renewed | string | 360h |
| clusterAgent.tls.secretName | Secret name for the client certificate and key | string | cluster-agent-tls |
| clusterAgent.tls.serverCAConfigMap | ConfigMap name containing the server CA certificate used to verify the gateway | string | cluster-gateway-ca |
| clusterAgent.tolerations | Tolerations for pod scheduling | array | [] |
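The values below are an added example of a data plane whose control plane lives in another cluster; they are not part of the OpenChoreo chart. The gateway hostname, the planeID, and the step of copying the CA Secret across clusters are assumptions; the parameter names and hardening defaults are the ones documented above.

```yaml
# values-dataplane-remote.yaml (added example; hostname, planeID and the CA copy step are assumed)
clusterAgent:
  planeType: dataplane
  planeID: dp-eu-west        # assumed logical plane identifier shared by CRs for this cluster

  # The default serverUrl points at an in-cluster Service and does not resolve from a
  # remote cluster. Keep the wss:// scheme: a ws:// URL would carry the heartbeat stream
  # in clear text and there would be no TLS handshake in which to present a client cert.
  serverUrl: wss://cluster-gateway.controlplane.example.com:8443/ws

  tls:
    enabled: true
    generateCerts: true
    # Assumed step: the cluster-gateway-ca Secret is copied from the control plane
    # cluster into this one so client certs issued here chain to a CA the gateway trusts.
    # The Secret contains the CA private key; move it over an authenticated channel and
    # restrict who can read it with RBAC.
    caSecretName: cluster-gateway-ca
    secretName: cluster-agent-tls
    clientSecretName: cluster-agent-tls
    # Server CA the agent uses to verify the gateway; without it the connection could be
    # intercepted by anyone who can answer for the gateway hostname.
    serverCAConfigMap: cluster-gateway-ca
    duration: 2160h
    renewBefore: 360h

  heartbeatInterval: 30s
  reconnectDelay: 5s

  # Restate the container hardening so a later values file layered on top cannot
  # silently relax it without the diff showing here.
  podSecurityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000
  securityContext:
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop: ["ALL"]
```

Apply it with `helm upgrade --install` and this file as an extra `-f` argument. Leave podDisruptionBudget disabled while replicas is 1: a PDB with minAvailable 1 over a single pod blocks voluntary evictions such as node drains.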
Gateway
KGateway API gateway configuration. Provides HTTP/HTTPS traffic routing using Kubernetes Gateway API and Envoy proxy.
| Parameter | Description | Type | Default |
|---|---|---|---|
| gateway.agentgateway.enabled | Enable Agent Gateway for AI agent connectivity | boolean | false |
| gateway.annotations | Annotations added to the Gateway resource. Use this to configure cert-manager, external-dns, or other integrations. | object | {} |
| gateway.controller.image.pullPolicy | Image pull policy for the controller container | string | IfNotPresent |
| gateway.controller.image.registry | Container registry for the controller image. Empty uses the default registry. | string | |
| gateway.controller.image.repository | Image repository name for the gateway controller | string | kgateway |
| gateway.controller.image.tag | Image tag. Empty uses Chart.AppVersion. | string | |
| gateway.controller.logLevel | Log level for the gateway controller | string | info |
| gateway.controller.replicaCount | Number of gateway controller replicas | integer | 1 |
| gateway.controller.resources.limits.cpu | CPU limit for the controller | string | 200m |
| gateway.controller.resources.limits.memory | Memory limit for the controller | string | 256Mi |
| gateway.controller.resources.requests.cpu | CPU request for the controller | string | 100m |
| gateway.controller.resources.requests.memory | Memory request for the controller | string | 128Mi |
| gateway.controller.service.ports.agwGrpc | Agent gateway gRPC port | integer | 9978 |
| gateway.controller.service.ports.grpc | gRPC port for xDS communication | integer | 9977 |
| gateway.controller.service.ports.health | Health check endpoint port | integer | 9093 |
| gateway.controller.service.ports.metrics | Metrics endpoint port | integer | 9092 |
| gateway.controller.service.type | Service type for the gateway controller | string | ClusterIP |
| gateway.enabled | Enable Gateway CR creation | boolean | true |
| gateway.gatewayClassName | GatewayClass name to reference in the Gateway CR | string | kgateway |
| gateway.httpPort | Port for the HTTP listener on the gateway | integer | 80 |
| gateway.httpsPort | Port for the HTTPS listener on the gateway | integer | 443 |
| gateway.infrastructure.labels | Labels set in the Gateway's spec.infrastructure.labels and propagated to the proxy resources the controller generates for it | object | {"openchoreo.dev/system-component":"gateway"} |
| gateway.tls.certificateRefs | TLS certificate references for the HTTPS listener. Each entry references a Secret containing the TLS cert/key pair. | array | |
| gateway.tls.enabled | Enable the HTTPS listener on the gateway. When false, only the HTTP listener is created. | boolean | true |
| gateway.tls.hostname | Hostname pattern for the HTTPS listener (SNI matching) | string | *.openchoreoapis.invalid |
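An added example, not taken from the chart, of replacing the placeholder `.invalid` hostname with a real wildcard and letting cert-manager populate the referenced Secret. The domain, the ClusterIssuer name and the Secret name are assumptions; the `cert-manager.io/cluster-issuer` annotation is the one cert-manager's Gateway API support watches on Gateway resources.

```yaml
# values-dataplane-gateway.yaml (added example; domain, issuer and Secret names are assumed)
gateway:
  enabled: true
  gatewayClassName: kgateway
  httpPort: 80
  httpsPort: 443
  annotations:
    # Assumed ClusterIssuer. cert-manager reads this annotation on the Gateway, takes the
    # listener hostname as the DNS name, and writes the issued cert into the Secret named
    # by the matching certificateRef below.
    cert-manager.io/cluster-issuer: letsencrypt-prod
  tls:
    enabled: true
    # Replaces the *.openchoreoapis.invalid placeholder. The listener only matches SNI
    # for this pattern, so a client presenting a different name gets no TLS route.
    hostname: "*.apps.example.com"
    certificateRefs:
      - kind: Secret
        name: apps-example-com-tls   # assumed; must hold tls.crt and tls.key
  infrastructure:
    labels:
      openchoreo.dev/system-component: gateway
```

A wildcard name can only be issued through a DNS-01 solver; an issuer configured for HTTP-01 will leave the Secret empty and the HTTPS listener without a certificate. Until the Secret exists, the HTTP listener on port 80 is the only one that serves traffic, which is worth checking before pointing production DNS at the gateway.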
Global
Global values shared across all components in the data plane
| Parameter | Description | Type | Default |
|---|---|---|---|
| global.commonLabels | Common labels applied to all resources deployed by this chart | object | {} |
Kube Prometheus Stack
Prometheus stack configuration (kube-prometheus-stack sub-chart). Provides metrics collection for workload observability. Only the values this chart overrides are listed below; for the full set of options, refer to the sub-chart's official documentation.
| Parameter | Description | Type | Default |
|---|---|---|---|
| kube-prometheus-stack.alertmanager.enabled | Enable Alertmanager for alert management (not used by OpenChoreo) | boolean | false |
| kube-prometheus-stack.cleanPrometheusOperatorObjectNames | Produce cleaner resource names without redundant prefixes | boolean | true |
| kube-prometheus-stack.coreDns.enabled | Enable CoreDNS metrics collection | boolean | false |
| kube-prometheus-stack.crds.enabled | Install Prometheus Operator CRDs (ServiceMonitor, PodMonitor, etc.) | boolean | true |
| kube-prometheus-stack.defaultRules.create | Create default alerting rules (disabled; OpenChoreo uses custom rules) | boolean | false |
| kube-prometheus-stack.enabled | Enable the Prometheus monitoring stack for metrics collection | boolean | false |
| kube-prometheus-stack.fullnameOverride | Override the full name of Prometheus stack resources | string | openchoreo-observability |
| kube-prometheus-stack.grafana.enabled | Enable Grafana dashboards (not used by OpenChoreo; use the observability plane instead) | boolean | false |
| kube-prometheus-stack.kube-state-metrics.collectors | Kubernetes resource types to collect metrics from | array | ["pods"] |
| kube-prometheus-stack.kube-state-metrics.fullnameOverride | Override the full name of kube-state-metrics resources | string | kube-state-metrics |
| kube-prometheus-stack.kube-state-metrics.metricAllowlist | Specific metrics to collect (allowlist filter) | array | |
| kube-prometheus-stack.kube-state-metrics.metricLabelsAllowlist | Pod labels to include in metrics for filtering by OpenChoreo resources | array | |
| kube-prometheus-stack.kubeApiServer.enabled | Enable API server metrics collection | boolean | false |
| kube-prometheus-stack.kubeControllerManager.enabled | Enable controller manager metrics collection | boolean | false |
| kube-prometheus-stack.kubeEtcd.enabled | Enable etcd metrics collection | boolean | false |
| kube-prometheus-stack.kubeProxy.enabled | Enable kube-proxy metrics collection | boolean | false |
| kube-prometheus-stack.kubeScheduler.enabled | Enable scheduler metrics collection | boolean | false |
| kube-prometheus-stack.nodeExporter.enabled | Enable node-level metrics collection | boolean | false |
| kube-prometheus-stack.prometheus.agentMode | Run Prometheus in agent mode for lightweight remote-write-only operation | boolean | true |
| kube-prometheus-stack.prometheus.enabled | Deploy a Prometheus instance (requires Prometheus Operator) | boolean | true |
| kube-prometheus-stack.prometheus.prometheusSpec.remoteWrite | Remote write endpoints for forwarding metrics to external storage | array | |
| kube-prometheus-stack.prometheusOperator.enabled | Enable Prometheus Operator for managing Prometheus instances | boolean | true |
| kube-prometheus-stack.prometheusOperator.fullnameOverride | Override the full name of Prometheus Operator resources | string | prometheus-operator |
| kube-prometheus-stack.prometheusOperator.resources.limits.cpu | CPU limit for Prometheus Operator | string | 40m |
| kube-prometheus-stack.prometheusOperator.resources.limits.memory | Memory limit for Prometheus Operator | string | 50Mi |
| kube-prometheus-stack.prometheusOperator.resources.requests.cpu | CPU request for Prometheus Operator | string | 20m |
| kube-prometheus-stack.prometheusOperator.resources.requests.memory | Memory request for Prometheus Operator | string | 30Mi |
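An added example, not from the chart, of turning the sub-chart on in agent mode and forwarding metrics to an external store. The endpoint URL, the credential Secret, the CA ConfigMap and the OpenChoreo pod label keys are assumptions; the field names under remoteWrite are Prometheus Operator API fields, so credentials are referenced from a Secret rather than written into the values file and the rendered Prometheus CR.

```yaml
# values-dataplane-metrics.yaml (added example; endpoint, Secret, ConfigMap and label keys are assumed)
kube-prometheus-stack:
  enabled: true
  prometheus:
    agentMode: true
    prometheusSpec:
      remoteWrite:
        - url: https://metrics.observability.example.internal/api/v1/write   # assumed endpoint
          basicAuth:
            # SecretKeySelectors: the Secret "remote-write-credentials" (assumed) lives in the
            # Prometheus namespace; nothing sensitive lands in this file or in the CR.
            username:
              name: remote-write-credentials
              key: username
            password:
              name: remote-write-credentials
              key: password
          tlsConfig:
            ca:
              configMap:
                name: remote-write-ca   # assumed; pins the receiver's CA instead of system roots
                key: ca.crt
          writeRelabelConfigs:
            # Only ship what the observability side consumes; everything else is dropped
            # before it leaves the cluster.
            - sourceLabels: [__name__]
              regex: "kube_pod_.*|container_.*"
              action: keep
  kube-state-metrics:
    collectors: ["pods"]
    metricLabelsAllowlist:
      # kube-state-metrics syntax: <resource>=[<label>,...]; label keys are assumed here.
      - pods=[openchoreo.dev/project,openchoreo.dev/component,openchoreo.dev/environment]
```

With agentMode on there is no local query endpoint or retention, so if a remote-write target is unreachable the agent buffers only as long as its WAL allows; watch the `prometheus_remote_storage_*` metrics on the metrics port rather than expecting to query the data plane directly.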
Kubernetes Cluster Domain
Kubernetes cluster DNS domain used for service discovery and certificate generation
| Parameter | Description | Type | Default |
|---|---|---|---|
| kubernetesClusterDomain | Kubernetes cluster DNS domain used for service discovery and certificate generation | string | cluster.local |
Networking
Network configuration for the data plane
| Parameter | Description | Type | Default |
|---|---|---|---|
| networking.enabled | Enable networking features (network policies, service mesh integration) | boolean | true |
Security
Security configuration for the data plane
| Parameter | Description | Type | Default |
|---|---|---|---|
| security.enabled | Enable security features (certificate issuers, TLS configuration) | boolean | true |