install/kubernetes/helm/meshery-operator/README.md

meshery-operator

Meshery Operator chart. Deploys the meshery-operator manager, which reconciles the Broker (NATS) and MeshSync custom resources.

The chart's version/appVersion and the CRD bundles under crds/ and files/ are kept in lockstep with meshery-operator releases by that repo's sync-downstream workflow — do not hand-edit them here.

CRD lifecycle

  • Install: Helm applies crds/crds.yaml before anything else, and the crds.updateJob pre-install hook server-side-applies the same bundle.

  • Upgrade: Helm never touches crds/ on upgrade; the crds.updateJob pre-upgrade hook is what refreshes the CRDs, so helm upgrade delivers schema updates to live clusters.

  • Uninstall: the CRDs (and every Broker/MeshSync object) deliberately survive helm uninstall — they are never owned by the release. To remove them permanently, including all custom resources of those types:

    kubectl delete crd brokers.meshery.io meshsyncs.meshery.io

  • Conversion: both CRDs serve v1alpha1 and v1alpha2 (storage) with conversion strategy None, which is exact while the two schemas are field-identical — no webhook and no cert-manager required. When the schemas diverge upstream, enable webhook.enabled (chart-generated self-signed certificate) or webhook.certManager.enabled (cert-manager v1) and the CRD update Job patches webhook conversion onto the CRDs.
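
The Conversion point can be checked against a cluster: with strategy None the API server only rewrites `apiVersion`, so any field that exists in one served version but not the other is a drift that calls for the webhook. The script below is an added example, not part of the chart or the meshery-operator repo; it expects a CRD dumped with `kubectl get crd brokers.meshery.io -o json`, and the embedded sample CRD with its `size` field is constructed.

```python
import copy
import json
import sys

# Constructed sample shaped like `kubectl get crd <name> -o json`; the "size"
# property is illustrative and is not taken from the real Broker schema.
_SCHEMA = {"type": "object", "properties": {
    "spec": {"type": "object", "properties": {"size": {"type": "integer"}}}}}
SAMPLE_CRD = {
    "metadata": {"name": "brokers.meshery.io"},
    "spec": {"conversion": {"strategy": "None"}, "versions": [
        {"name": "v1alpha1", "served": True, "storage": False,
         "schema": {"openAPIV3Schema": copy.deepcopy(_SCHEMA)}},
        {"name": "v1alpha2", "served": True, "storage": True,
         "schema": {"openAPIV3Schema": copy.deepcopy(_SCHEMA)}},
    ]},
}

def schema_diff(a, b, path=""):
    """List paths where two schema trees differ; description text is ignored."""
    if not (isinstance(a, dict) and isinstance(b, dict)):
        return [] if a == b else [path or "/"]
    diffs = []
    for key in sorted(set(a) | set(b)):
        if key == "description" and not isinstance(a.get(key, b.get(key)), dict):
            continue  # human-readable text, not a field named "description"
        if key not in a or key not in b:
            diffs.append(f"{path}/{key}")
        else:
            diffs.extend(schema_diff(a[key], b[key], f"{path}/{key}"))
    return diffs

def check_conversion(crd):
    """Strategy None is only safe while every served version has the same fields."""
    spec = crd["spec"]
    strategy = spec.get("conversion", {}).get("strategy", "None")
    served = [v for v in spec["versions"] if v.get("served")]
    base = served[0]["schema"]["openAPIV3Schema"]
    diffs = [f"{v['name']}:{p}" for v in served[1:]
             for p in schema_diff(base, v["schema"]["openAPIV3Schema"])]
    return {"crd": crd["metadata"]["name"], "strategy": strategy,
            "storage": [v["name"] for v in spec["versions"] if v.get("storage")],
            "diffs": diffs, "safe": strategy == "Webhook" or not diffs}

if __name__ == "__main__":
    crd = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_CRD
    result = check_conversion(crd)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["safe"] else 1)
```

Pass the path of a saved CRD dump as the first argument; a non-zero exit means the served schemas differ while conversion is not handled by a webhook.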

Maintainers

| Name | Email | Url |
|------|-------|-----|
| Meshery Authors | [email protected] | |
| aisuko | [email protected] | |
| maintainers | [email protected] | |

Requirements

| Repository | Name | Version |
|------------|------|---------|
| | meshery-broker | 0.5.0 |
| | meshery-meshsync | 0.5.0 |

Values

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | {} | |
| annotations | object | {} | Extra annotations for the manager Deployment |
| crds.updateJob.enabled | bool | true | Pre-install/pre-upgrade hook Job that server-side-applies files/crds.yaml; disabling means upgrades will NOT refresh CRDs |
| crds.updateJob.image.pullPolicy | string | "IfNotPresent" | |
| crds.updateJob.image.repository | string | "alpine/k8s" | kubectl-capable image for the CRD update Job |
| crds.updateJob.image.tag | string | "1.35.6" | |
| env | object | {} | Extra environment variables for the manager container |
| fullnameOverride | string | "meshery-operator" | |
| image.pullPolicy | string | "IfNotPresent" | |
| image.repository | string | "meshery/meshery-operator" | |
| image.tag | string | "1.0.0" | Pinned operator release, stamped by the sync workflow. Kept explicit because server-release chart publishing re-stamps appVersion with the server tag; empty falls back to the chart appVersion |
| imagePullSecrets | list | [] | |
| ingress.annotations | object | {} | |
| ingress.enabled | bool | false | |
| ingress.hosts[0].host | string | "chart-example.local" | |
| ingress.hosts[0].paths | list | [] | |
| ingress.tls | list | [] | |
| leaderElection.enabled | bool | true | Leader election (adds the leases Role/RoleBinding and --enable-leader-election) |
| meshery-broker.enabled | bool | true | |
| meshery-broker.fullnameOverride | string | "meshery-broker" | |
| meshery-broker.serviceAccountNameOverride | string | "meshery-server" | |
| meshery-meshsync.enabled | bool | true | |
| meshery-meshsync.fullnameOverride | string | "meshery-meshsync" | |
| meshery-meshsync.serviceAccountNameOverride | string | "meshery-server" | |
| nameOverride | string | "" | |
| nodeSelector | object | {} | |
| podAnnotations | object | {} | |
| podSecurityContext | object | runAsNonRoot 65532, RuntimeDefault seccomp | Parity with the operator's own config/manager |
| replicaCount | int | 1 | |
| resources | object | limits 500m/256Mi, requests 100m/64Mi | Parity with the operator's own config/manager |
| securityContext | object | no privilege escalation, read-only rootfs, drop ALL | |
| service.annotations | object | {} | |
| service.port | int | 8443 | TLS metrics endpoint (authn/authz-filtered; bind scrapers to the meshery-metrics-reader ClusterRole) |
| service.type | string | "ClusterIP" | |
| serviceAccount.create | bool | true | |
| serviceAccount.name | string | "meshery-operator" | |
| tolerations | list | [] | |
| webhook.certManager.enabled | bool | false | Issue the webhook serving cert with cert-manager (cert-manager.io/v1) + CA injection instead of the chart-generated self-signed certificate |
| webhook.enabled | bool | false | Serve v1alpha1<->v1alpha2 CRD conversion through the operator's webhook; not required while the schemas are field-identical |