# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved. # SPDX-License-Identifier: Apache-2.0 # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # Used to generate top-level secrets (overridden by custom-values.yaml) # Subcharts configuration # Dynamo operator configuration dynamo-operator: # -- Whether to enable the Dynamo Kubernetes operator deployment enabled: true # -- NATS server address for operator communication (leave empty to use the bundled NATS chart). Format: "nats://hostname:port" natsAddr: "" # -- etcd server address for operator state storage (leave empty to use the bundled etcd chart). Format: "http://hostname:port" or "https://hostname:port" etcdAddr: "" # -- URL for the Model Express server if not deployed by this helm chart. This is ignored if Model Express server is installed by this helm chart (global.model-express.enabled is true). modelExpressURL: "" # -- Namespace access controls for the operator namespaceRestriction: # -- Whether to restrict operator to specific namespaces. By default, the operator will run with cluster-wide permissions. Only 1 instance of the operator should be deployed in the cluster. If you want to deploy multiple operator instances, you can set this to true and specify the target namespace (by default, the target namespace is the helm release namespace). enabled: false # -- Target namespace for operator deployment (leave empty for current namespace) targetNamespace: # Namespace scope marker lease configuration (used to prevent conflicts when running both cluster-wide and namespace-restricted operators) lease: # Duration before the namespace scope marker lease expires if not renewed (namespace-restricted mode only). When a namespace-restricted operator is running, it creates a lease in its namespace. The cluster-wide operator detects this lease and excludes that namespace from processing. If the namespace operator stops renewing the lease (e.g., crashes), the lease expires and the cluster-wide operator automatically resumes processing that namespace. duration: 30s # Interval for renewing the namespace scope marker lease (namespace-restricted mode only). The namespace-restricted operator renews its lease at this interval to signal it's still running. renewInterval: 10s # -- The Dynamo discovery backend to use. Default is "kubernetes" for Kubernetes API service discovery. Set to "etcd" to use ETCD for discovery. -- discoveryBackend: "kubernetes" # Controller manager configuration controllerManager: # -- Node tolerations for controller manager pods tolerations: [] # -- Affinity for controller manager pods affinity: [] # Leader election configuration for cluster-wide coordination leaderElection: # -- Leader election ID for cluster-wide coordination. WARNING: All cluster-wide operators must use the SAME ID to prevent split-brain. Different IDs would allow multiple leaders simultaneously. id: "" # If empty, defaults to: dynamo.nvidia.com (shared across all cluster-wide operators) # -- Namespace for leader election leases (only used in cluster-wide mode). If empty, defaults to kube-system for cluster-wide coordination. All cluster-wide operators should use the SAME namespace for proper leader election. namespace: "" manager: # Container image configuration for the operator manager image: # -- Official NVIDIA Dynamo operator image repository repository: "nvcr.io/nvidia/ai-dynamo/kubernetes-operator" # -- Image tag (leave empty to use chart default) tag: "" # -- Image pull policy - when to pull the image pullPolicy: IfNotPresent # Command line arguments for the operator manager args: # -- Health probe endpoint for Kubernetes health checks - --health-probe-bind-address=:8081 # -- Metrics endpoint for Prometheus scraping (localhost only for security) - --metrics-bind-address=127.0.0.1:8080 # -- Secrets for pulling private container images imagePullSecrets: [] # Core Dynamo platform configuration dynamo: # -- How long to wait before forcefully terminating Grove instances groveTerminationDelay: 4h # Internal utility images used by the platform internalImages: # -- Debugger image for troubleshooting deployments debugger: python:3.12-slim # -- Whether to enable restricted security contexts for enhanced security enableRestrictedSecurityContext: false # Docker registry configuration for private repositories dockerRegistry: # -- Whether to use Kubernetes secrets for registry authentication useKubernetesSecret: false # -- Docker registry server URL server: # -- Registry username username: # -- Registry password (consider using existingSecretName instead) password: # -- Name of existing Kubernetes secret containing registry credentials existingSecretName: # -- Whether the registry uses HTTPS secure: true # Ingress configuration for external access ingress: # -- Whether to create ingress resources enabled: false # -- Ingress class name (e.g., "nginx", "traefik") className: # -- Secret name containing TLS certificates tlsSecretName: my-tls-secret # Istio service mesh configuration istio: # -- Whether to enable Istio integration enabled: false # -- Istio gateway name for routing gateway: # -- Host suffix for generated ingress hostnames ingressHostSuffix: "" # -- Whether VirtualServices should support HTTPS routing virtualServiceSupportsHTTPS: false # Metrics configuration metrics: # -- Endpoint that services can use to retrieve metrics. If set, dynamo operator will automatically inject the PROMETHEUS_ENDPOINT environment variable into services it manages. Users can override the value of the PROMETHEUS_ENDPOINT environment variable by modifying the corresponding deployment's environment variables prometheusEndpoint: "" # MPI Run configuration mpiRun: # -- Name of the secret containing the SSH key for MPI Run secretName: "mpi-run-ssh-secret" # SSH key generation configuration sshKeygen: # -- Whether to enable SSH key generation for MPI Run enabled: true # Webhook configuration for admission control and validation webhook: # -- Whether to enable admission webhooks for resource validation. When enabled, the operator will validate DynamoComponentDeployment and DynamoGraphDeployment resources before they are created or updated in the cluster. Enabled by default for production-ready validation and better error reporting. enabled: true # Certificate configuration for webhook TLS certificateSecret: # -- Name of the Kubernetes secret containing webhook TLS certificates. The secret must contain three keys: tls.crt (server certificate), tls.key (server private key), and ca.crt (Certificate Authority certificate). name: webhook-server-cert # -- Whether to manage the certificate secret externally. When false (default), certificates are automatically generated via Helm hooks during installation. When true, you must create the secret manually before installing the chart. external: false # -- Certificate validity duration in days for auto-generated certificates. Only used when certManager.enabled=false and certificateSecret.external=false. After this duration, certificates will expire and need to be regenerated. certificateValidity: 365 # Container image for certificate generation and CA injection jobs # Only used when certManager.enabled=false and certificateSecret.external=false certGenerator: image: # -- Container image repository for certificate generation jobs. This image must contain both openssl and kubectl commands. repository: bitnami/kubectl # -- Container image tag for certificate generation jobs tag: latest # -- Image pull policy for certificate generation jobs pullPolicy: IfNotPresent # -- CA bundle (base64 encoded) for webhook validation. Only used when certificateSecret.external=true. For automatic certificate generation or cert-manager integration, leave this empty as it will be injected automatically. caBundle: "" # -- Webhook failure policy controls how Kubernetes handles requests when the webhook is unavailable. 'Fail' (recommended for production) rejects requests if the webhook cannot be reached, ensuring strict validation. 'Ignore' allows requests through if the webhook is unavailable, providing availability over validation guarantees. failurePolicy: Fail # -- Timeout in seconds for webhook validation calls. If the webhook doesn't respond within this time, the request will be handled according to the failurePolicy. timeoutSeconds: 10 # Namespace selector for webhook scope control # -- Custom namespace selector for webhook validation. Use this to include or exclude specific namespaces from webhook validation. For CLUSTER-WIDE operators, you can exclude namespaces managed by namespace-restricted operators by using: matchExpressions: [{ key: "dynamo-operator", operator: "NotIn", values: ["namespace-restricted"] }]. For NAMESPACE-RESTRICTED operators, leave empty as it will be auto-configured to match only the operator's namespace. namespaceSelector: {} # cert-manager integration for automated certificate lifecycle management certManager: # -- Whether to use cert-manager for automatic certificate management. Requires cert-manager to be installed in the cluster. When enabled, cert-manager will automatically generate, renew, and rotate certificates, and the automatic certificate generation via Helm hooks will be disabled. enabled: false # Certificate configuration for cert-manager certificate: # -- Certificate duration for webhook certificates managed by cert-manager (e.g., "8760h" for 1 year). cert-manager will automatically renew the certificate before it expires. duration: "8760h" # -- Time before certificate expiration to trigger renewal (e.g., "360h" for 15 days). cert-manager will attempt to renew the certificate when this threshold is reached. renewBefore: "360h" # Root CA configuration for cert-manager rootCA: # -- Duration for the root CA certificate (e.g., "87600h" for 10 years). The root CA typically has a much longer lifetime than the leaf certificates it signs. duration: "87600h" # -- Time before root CA expiration to trigger renewal (e.g., "720h" for 30 days). Renewing a CA can be disruptive as all signed certificates must be reissued. renewBefore: "720h" # Grove component - distributed inference orchestration grove: # -- Whether to enable Grove for multi-node inference coordination, if enabled, the Grove operator will be deployed cluster-wide enabled: false # Kai Scheduler component - advanced workload scheduling kai-scheduler: # -- Whether to enable Kai Scheduler for intelligent resource allocation, if enabled, the Kai Scheduler operator will be deployed cluster-wide enabled: false # etcd configuration - distributed key-value store for operator state etcd: # -- Whether to enable etcd deployment, disable if you want to use an external etcd instance. For complete configuration options, see: https://github.com/bitnami/charts/tree/main/bitnami/etcd , all etcd settings should be prefixed with "etcd." enabled: true image: # -- following bitnami announcement for brownout - https://github.com/bitnami/charts/tree/main/bitnami/etcd#%EF%B8%8F-important-notice-upcoming-changes-to-the-bitnami-catalog, we need to use the legacy repository until we migrate to the new "secure" repository repository: bitnamilegacy/etcd tag: 3.5.18-debian-12-r5 # Persistent storage configuration for etcd data persistence: # Whether to enable persistent storage (recommended for production) enabled: true # Use the cluster default storage-class or override with a named class storageClass: null # Size of persistent volume for etcd data size: 1Gi # Pre-upgrade job configuration preUpgradeJob: # Whether to run pre-upgrade validation jobs enabled: false # Number of etcd replicas (1 for single-node, 3+ for HA) replicaCount: 1 # Authentication and authorization settings # Explicitly remove authentication for simplified internal communication auth: rbac: # Whether to create RBAC authentication (disabled for internal use) create: false # Health check configuration readinessProbe: # Whether to enable readiness probes (disabled to reduce startup complexity) enabled: false livenessProbe: # Whether to enable liveness probes (disabled to reduce startup complexity) enabled: false # Pod Disruption Budget configuration # Should be enabled for HA deployments with 3+ replicas pdb: # Whether to create a PodDisruptionBudget (disabled for single-node deployments) create: false # Node tolerations for etcd pods (allows scheduling on specific nodes) tolerations: [] # NATS configuration - messaging system for operator communication nats: # -- Whether to enable NATS deployment, disable if you want to use an external NATS instance. For complete configuration options, see: https://github.com/nats-io/k8s/tree/main/helm/charts/nats , all nats settings should be prefixed with "nats." enabled: true # TLS Certificate Authority configuration for secure communication # Reference a common CA Certificate or Bundle in all nats config `tls` blocks and nats-box contexts # Note: `tls.verify` still must be set in the appropriate nats config `tls` blocks to require mTLS tlsCA: # Whether to enable TLS CA configuration enabled: false # Core NATS server configuration config: # NATS clustering for high availability (multiple NATS servers) cluster: # Whether to enable NATS clustering (disabled for single-node setups) enabled: false # JetStream - persistent messaging and streaming capabilities jetstream: # Whether to enable JetStream (recommended for persistent messaging) enabled: true # File-based storage for JetStream streams and consumers fileStore: # Whether to enable file storage (persistent across restarts) enabled: true # Directory path for JetStream file storage dir: /data ############################################################ # Persistent Volume Claim for JetStream file storage ############################################################ pvc: # Whether to create a PVC for JetStream storage enabled: true # Size of the persistent volume for JetStream data size: 10Gi # Storage class name (leave empty for default) storageClassName: # Advanced PVC configuration (merge additional fields) # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#persistentvolumeclaim-v1-core merge: {} patch: [] # PVC name (defaults to "{{ include "nats.fullname" $ }}-js") name: # Maximum size for JetStream file storage (defaults to PVC size) maxSize: # Memory-based storage for JetStream (non-persistent) memoryStore: # Whether to enable memory storage (faster but not persistent) enabled: false # Advanced JetStream configuration # For options see: https://docs.nats.io/running-a-nats-service/configuration#jetstream merge: {} patch: [] # Core NATS server settings nats: # Port for NATS client connections port: 4222 # TLS configuration for encrypted connections tls: # Whether to enable TLS encryption enabled: false # Advanced TLS configuration # For options see: https://docs.nats.io/running-a-nats-service/configuration/securing_nats/tls merge: {} patch: [] # Leaf nodes for creating NATS topologies and remote connections leafnodes: # Whether to enable leaf node connections enabled: false # WebSocket support for browser-based NATS clients websocket: # Whether to enable WebSocket protocol support enabled: false # MQTT protocol bridge for IoT device connectivity mqtt: # Whether to enable MQTT protocol support enabled: false # Gateway connections for multi-cluster NATS deployments gateway: # Whether to enable gateway connections enabled: false # HTTP monitoring endpoint for NATS server metrics monitor: # Whether to enable HTTP monitoring interface enabled: true # Port for monitoring HTTP endpoint port: 8222 # TLS configuration for monitoring endpoint tls: # Whether to enable HTTPS for monitoring (requires config.nats.tls enabled) # When enabled, monitoring port will use HTTPS with the options from config.nats.tls enabled: false # Go pprof profiling endpoint for performance debugging profiling: # Whether to enable profiling endpoint (for debugging only) enabled: false # Port for profiling endpoint port: 65432 # Account resolver for multi-tenant NATS deployments resolver: # Whether to enable account resolution (for advanced multi-tenancy) enabled: false # Server naming configuration # Adds a prefix to the server name, which defaults to the pod name # Helpful for ensuring server name is unique in a super cluster serverNamePrefix: "" # Advanced NATS configuration merging and patching # For complete options see: https://docs.nats.io/running-a-nats-service/configuration # Special rules apply: # 1. strings that start with << and end with >> will be unquoted # use this for variables and numbers with units # 2. keys ending in $include will be switched to include directives # keys are sorted alphabetically, use prefix before $includes to control includes ordering # paths should be relative to /etc/nats-config/nats.conf # Example: # merge: # $include: ./my-config.conf # zzz$include: ./my-config-last.conf # server_name: nats # authorization: # token: << $TOKEN >> # jetstream: # max_memory_store: << 1GB >> merge: # 10MB which allows for larger context size : The default NATS max payload size is 1MB, and 256K tokens (with tokens being int32 - 4 bytes each) tips over that 1MB max. max_payload: 10485760 patch: [] ############################################################ # NATS container configuration in StatefulSet ############################################################ container: # NATS server container image configuration image: # Official NATS server repository repository: nats # NATS server version (Alpine-based for smaller size) tag: 2.10.21-alpine # Image pull policy (leave empty for chart default) pullPolicy: # Custom registry URL (leave empty for Docker Hub) registry: # Container port configuration # Note: Ports must also be enabled in the config section above # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#containerport-v1-core ports: # Main NATS client connection port nats: {} # Leaf node connection port leafnodes: {} # WebSocket connection port websocket: {} # MQTT protocol port mqtt: {} # Cluster communication port cluster: {} # Gateway connection port gateway: {} # HTTP monitoring port monitor: {} # Go profiling port profiling: {} # Environment variables for the NATS container # Map with key as env var name, value can be string or map # Example: # env: # GOMEMLIMIT: 7GiB # TOKEN: # valueFrom: # secretKeyRef: # name: nats-auth # key: token env: {} # Advanced container configuration merging and patching # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core merge: {} patch: [] ############################################################ # Configuration reloader container for hot config updates ############################################################ reloader: # Whether to enable the config reloader sidecar container enabled: true # Config reloader container image image: # Official NATS config reloader repository repository: natsio/nats-server-config-reloader # Config reloader version tag: 0.16.0 # Image pull policy (leave empty for chart default) pullPolicy: # Custom registry URL (leave empty for Docker Hub) registry: # Environment variables for the reloader container env: {} # Volume mount prefixes from NATS container to share with reloader # All NATS container volume mounts with these prefixes will be mounted into the reloader natsVolumeMountPrefixes: - /etc/ # Advanced reloader container configuration # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core merge: {} patch: [] ############################################################ # Prometheus metrics exporter container (optional) ############################################################ # Note: config.monitor must be enabled for this to work promExporter: # Whether to enable Prometheus metrics exporter sidecar enabled: false ############################################################ # Kubernetes Service for NATS access ############################################################ service: # Whether to create a Kubernetes Service for NATS enabled: true # Service port configuration # Additional boolean field 'enabled' controls whether port is exposed in the service # Note: Ports must also be enabled in the config section above # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#serviceport-v1-core ports: # Main NATS client connection port nats: enabled: true # Leaf node connection port leafnodes: enabled: true # WebSocket connection port websocket: enabled: true # MQTT protocol port mqtt: enabled: true # Cluster communication port (typically internal only) cluster: enabled: false # Gateway connection port (typically internal only) gateway: enabled: false # HTTP monitoring port (typically internal only) monitor: enabled: false # Go profiling port (typically internal only) profiling: enabled: false # Advanced service configuration # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#service-v1-core merge: {} patch: [] # Service name (defaults to "{{ include "nats.fullname" $ }}") name: ############################################################ # Advanced NATS Kubernetes resource configuration ############################################################ # StatefulSet configuration for NATS server persistence statefulSet: # Advanced StatefulSet configuration merging and patching # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#statefulset-v1-apps merge: {} patch: [] # StatefulSet name (defaults to "{{ include "nats.fullname" $ }}") name: # Pod template configuration for NATS StatefulSet podTemplate: # Whether to add a hash of the ConfigMap as a pod annotation # This will cause the StatefulSet to roll when the ConfigMap is updated configChecksumAnnotation: true # Pod topology spread constraints for better distribution across nodes # Map of topologyKey: topologySpreadConstraint # labelSelector will be added automatically to match StatefulSet pods # Example: # topologySpreadConstraints: # kubernetes.io/hostname: # maxSkew: 1 topologySpreadConstraints: {} # Advanced pod template configuration # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#pod-v1-core merge: spec: # Node tolerations for NATS pods (allows scheduling on specific nodes) tolerations: [] patch: [] # Headless service for StatefulSet pod discovery headlessService: # Advanced headless service configuration # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#service-v1-core merge: {} patch: [] # Headless service name (defaults to "{{ include "nats.fullname" $ }}-headless") name: # ConfigMap for NATS server configuration configMap: # Advanced ConfigMap configuration # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#configmap-v1-core merge: {} patch: [] # ConfigMap name (defaults to "{{ include "nats.fullname" $ }}-config") name: # Pod Disruption Budget for controlled rolling updates podDisruptionBudget: # Whether to create a PodDisruptionBudget (recommended for production) enabled: true # Service Account for NATS server pods serviceAccount: # Whether to create and use a dedicated service account enabled: false ############################################################ # NATS Box - CLI tools and debugging container # NATS Box provides CLI tools for interacting with NATS server ############################################################ natsBox: # Whether to deploy NATS Box for CLI access and debugging enabled: false ############################################################ # NATS client contexts for authentication and connection ############################################################ contexts: # Default context configuration default: # Credentials-based authentication creds: # Inline credentials file contents (base64 encoded) contents: # Name of existing secret containing credentials file secretName: # Directory to mount credentials (defaults to /etc/nats-creds/) dir: # Key name in secret for credentials file key: nats.creds # NKey-based authentication (public/private key pairs) nkey: # Inline NKey file contents (base64 encoded) contents: # Name of existing secret containing NKey file secretName: # Directory to mount NKey (defaults to /etc/nats-nkeys/) dir: # Key name in secret for NKey file key: nats.nk # TLS client certificate authentication tls: # Name of existing secret containing TLS client certificates secretName: # Directory to mount certificates (defaults to /etc/nats-certs/) dir: # Certificate file name in secret cert: tls.crt # Private key file name in secret key: tls.key # Advanced context configuration # For options see: https://docs.nats.io/using-nats/nats-tools/nats_cli#nats-contexts merge: {} patch: [] # Name of context to select by default for NATS CLI operations defaultContextName: default ############################################################ # NATS Box container configuration ############################################################ container: # NATS Box container image image: # Official NATS Box repository with CLI tools repository: natsio/nats-box # NATS Box version tag: 0.14.5 # Image pull policy (leave empty for chart default) pullPolicy: # Custom registry URL (leave empty for Docker Hub) registry: # Environment variables for NATS Box container env: {} # Advanced container configuration # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#container-v1-core merge: {} patch: [] # Service Account for NATS Box deployment serviceAccount: # Whether to create and use a dedicated service account for NATS Box enabled: false # Pod template configuration for NATS Box deployment podTemplate: merge: spec: # Node tolerations for NATS Box pods tolerations: [] patch: []