Shared Helm Values
These values are available in all three Edge Delta Helm charts: edgedelta/edgedelta (node agent), edgedelta/edgedelta-gateway, and edgedelta/edgedelta-coordinator.
For chart-specific values, see:
Authentication
| Variable | Default | Description |
|---|---|---|
| apiKey | "" | Plaintext pipeline ID. Not recommended for production. Use secretApiKey instead. |
| secretApiKey.value | "" | Pipeline ID stored as a Kubernetes Secret. |
| secretApiKey.name | "" | Name of the Kubernetes Secret object. Defaults to ed-api-key. |
| secretApiKey.key | "ed-api-key" | Key within the Secret. |
| secretApiKey.enable | false | Set true when creating templates from charts. |
Use either apiKey or secretApiKey.value, not both.
For production, store the pipeline ID in a secrets management tool. See Continuous Deployment.
Example:
helm upgrade edgedelta edgedelta/edgedelta -i \
--set secretApiKey.value=<pipeline-id> \
-n edgedelta --create-namespace
Environment Variables
These top-level Helm values map to environment variables injected into agent containers.
| Variable | Default | Description |
|---|---|---|
| edBackendDisabled | "" | true to run fully offline — agents never contact the SaaS backend. |
| edClusterName | "" | Friendly cluster name shown in the UI. |
| edSkipConfDownload | "" | true to skip fetching config from backend. Combine with edConfigContent. |
| edDisableLeaderElection | "" | true disables processor leader-election loop (single-agent labs). |
| edTraceFiles | "" | Enable file tracing (debug only). |
| edAggregatorTraceFiles | "" | Same as above but for aggregator mode. |
| edConfigContent | "" | Base64-encoded full pipeline YAML injected directly into the agent. |
| edSkipTlsVerify | "" | true to ignore SSL/TLS certificate errors. |
| edSuppressionMode | "" | Suppress duplicate issue notifications across agents. |
| edEnableControllerDiscovery | true | Enables Kubernetes controller discovery. |
| goMemLimit | "" | Go runtime memory limit for the main agent process. |
Leave a value empty ("") to accept the chart’s default behavior.
Custom Tags
Variable: edCustomTags
Custom tags are pipe (|) delimited key:value pairs attached to all outgoing data from Edge Delta agents.
Example:
--set edCustomTags="cluster:prod_us_west_2|provider:aws|region:us_west_2"
Verify by checking the ED_CUSTOM_TAGS environment variable on the pod:
kubectl describe pod <pod-name> -n edgedelta
Tag Override
| Variable | Default | Description |
|---|---|---|
| edTagOverride | "" | Override the pipeline tag. Use to deploy two pipelines with the same configuration. |
Image
| Variable | Default | Description |
|---|---|---|
| repository | gcr.io/edgedelta | Container registry. |
| image.name | agent | Image name. |
| image.tag | "" | Image tag. Defaults to chart appVersion. |
| image.fullPath | "" | Full image path including registry and tag. Overrides repository + image.name + image.tag. |
| image.pullPolicy | IfNotPresent | Image pull policy: Always, IfNotPresent, or Never. |
| image.pullSecrets | [] | Image pull secrets for private registries. |
Example:
--set image.pullPolicy=Always
RBAC
Starting with agent version v2.12.0, ClusterRole RBAC rules are defined in values.yaml rather than being hardcoded in chart templates.
clusterRoleRules
Variable: clusterRoleRules
Defines the complete set of ClusterRole rules for the Edge Delta service account. See the full default rule set in the chart values.yaml.
Replacing clusterRoleRules overrides the entire default rule set. To add permissions for custom resources, use additionalClusterRoleRules instead.
Example — minimal baseline:
clusterRoleRules:
  - apiGroups: [""]
    resources: ["namespaces", "pods", "pods/log", "events", "nodes", "nodes/metrics", "services", "endpoints"]
    verbs: ["get", "watch", "list"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
additionalClusterRoleRules
Variable: additionalClusterRoleRules (default: [])
Appends extra ClusterRole rules without modifying the base rules.
Example — grant access to ArgoCD CRDs:
additionalClusterRoleRules:
  - apiGroups: ["argoproj.io"]
    resources: ["applications", "appprojects"]
    verbs: ["get", "list", "watch"]
See Kubernetes Event Source — Custom Resource Permissions for a walkthrough.
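A way to review an RBAC override before it is deployed, as an added example that is not part of the Edge Delta chart or documentation: it flags wildcards and any verb beyond read access that the minimal baseline above does not already grant. The function names and the sample values are constructed for illustration; the input is a Helm values dict with the two keys described in this section.

```python
READ_VERBS = {"get", "list", "watch"}

# Non-read verbs that the minimal baseline on this page already grants.
BASELINE_WRITES = {
    ("", "events"): {"create"},
    ("coordination.k8s.io", "leases"): {"create", "update", "patch", "delete"},
}

def review_rule(rule):
    """Return findings for one ClusterRole rule (a dict as in values.yaml)."""
    groups = rule.get("apiGroups") or []
    resources = rule.get("resources") or []
    verbs = set(rule.get("verbs") or [])
    if "*" in groups or "*" in resources or "*" in verbs:
        return ["wildcard in apiGroups, resources or verbs"]
    findings = []
    for group in groups:
        for resource in resources:
            extra = verbs - READ_VERBS - BASELINE_WRITES.get((group, resource), set())
            if extra:
                findings.append(f"{group or 'core'}/{resource} grants {sorted(extra)}")
    return findings

def review_values(values):
    """Review both RBAC keys of a Helm values dict; findings name key and index."""
    findings = []
    for key in ("clusterRoleRules", "additionalClusterRoleRules"):
        for i, rule in enumerate(values.get(key) or []):
            findings += [f"{key}[{i}]: {msg}" for msg in review_rule(rule)]
    return findings

# Constructed sample: the page's lease and ArgoCD rules plus two risky additions.
SAMPLE = {
    "clusterRoleRules": [
        {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    ],
    "additionalClusterRoleRules": [
        {"apiGroups": ["argoproj.io"], "resources": ["applications", "appprojects"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "patch"]},
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get"]},
    ],
}

if __name__ == "__main__":
    print("\n".join(review_values(SAMPLE)))
```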
Pod Security
Configure pod security policies, Security Context Constraints (SCC) for OpenShift, SELinux labels, and AppArmor profiles.
| Variable | Default | Description |
|---|---|---|
| podSecurity.securityContextConstraints.create | false | Create an OpenShift SCC or PodSecurityPolicy. |
| podSecurity.privileged | false | Grant privileged: true to containers. Required for eBPF tracer. |
| podSecurity.seLinuxContext.type | MustRunAs | SELinux context type. |
| podSecurity.seLinuxContext.seLinuxOptions.type | spc_t | SELinux label. |
| podSecurity.apparmor.enabled | false | Enable AppArmor profile enforcement. |
| podSecurity.apparmor.profile | unconfined | AppArmor profile name. |
| podSecurity.capabilities | (11 capabilities) | Allowed Linux capabilities. |
| podSecurity.volumes | [configMap, downwardAPI, emptyDir, hostPath, secret] | Allowed volume types. |
| podSecurity.seccompProfiles | ["runtime/default"] | Allowed seccomp profiles. |
Example:
podSecurity:
  securityContextConstraints:
    create: true
  privileged: true
  seLinuxContext:
    type: MustRunAs
    seLinuxOptions:
      type: spc_t
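The values documented so far include several that weaken a deployment when set (plaintext apiKey, edSkipTlsVerify, podSecurity.privileged, an unconfined AppArmor profile, debug tracing and profiling). The following added example, which is not part of the Edge Delta chart or documentation, audits a values dict for them; the function names, severities and sample are constructed, and the input is assumed to be shaped like the JSON from `helm get values edgedelta -n edgedelta -o json`.

```python
import json

def truthy(value):
    """Helm values may arrive as booleans or as strings such as "true"."""
    return str(value).strip().lower() == "true"

def audit_values(values):
    """Return (severity, message) findings for a dict of Edge Delta Helm values."""
    findings = []
    secret = values.get("secretApiKey") or {}
    pod_sec = values.get("podSecurity") or {}
    apparmor = pod_sec.get("apparmor") or {}
    if values.get("apiKey") and secret.get("value"):
        findings.append(("high", "apiKey and secretApiKey.value are both set; use one"))
    elif values.get("apiKey"):
        findings.append(("high", "apiKey stores the pipeline ID in plaintext"))
    if truthy(values.get("edSkipTlsVerify")):
        findings.append(("high", "edSkipTlsVerify ignores TLS certificate errors"))
    if truthy(pod_sec.get("privileged")):
        findings.append(("medium", "podSecurity.privileged is on; confirm the eBPF tracer needs it"))
    # The chart default for the profile is "unconfined", so a missing key counts too.
    if truthy(apparmor.get("enabled")) and apparmor.get("profile", "unconfined") == "unconfined":
        findings.append(("medium", "AppArmor is enabled but the profile is unconfined"))
    for key in ("edTraceFiles", "edAggregatorTraceFiles", "profilerPort"):
        if values.get(key):
            findings.append(("low", f"{key} is set; debug tracing or pprof profiling is enabled"))
    return findings

# Constructed sample; real output contains the pipeline ID, so do not store it.
SAMPLE = {
    "apiKey": "<pipeline-id>",
    "secretApiKey": {"value": "<pipeline-id>"},
    "edSkipTlsVerify": "true",
    "podSecurity": {"privileged": True, "apparmor": {"enabled": True}},
    "profilerPort": "6060",
}

if __name__ == "__main__":
    print(json.dumps(audit_values(SAMPLE), indent=2))
```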
Service Account
| Variable | Default | Description |
|---|---|---|
| serviceAccount.labels | {} | Labels for the service account. |
| serviceAccount.annotations | {} | Annotations for the service account (e.g., for IRSA). |
Networking
| Variable | Default | Description |
|---|---|---|
| httpProxy | "" | HTTP proxy for outbound traffic. |
| httpsProxy | "" | HTTPS proxy for outbound traffic. |
| noProxy | "" | Comma-separated list of hosts/CIDRs that bypass the proxy. |
Example:
--set httpProxy="http://corp-proxy:8080" \
--set httpsProxy="http://corp-proxy:8443" \
--set noProxy="169.254.169.254,10.0.0.0/8,.svc.cluster.local"
See Proxy Configuration for detailed guidance.
Network Policy
| Variable | Default | Description |
|---|---|---|
| networkPolicy.enabled | false | Create a network policy for Edge Delta pods. |
| networkPolicy.type | cilium | Policy type. Currently supports cilium. |
Example — Cilium egress policy:
networkPolicy:
  enabled: true
  type: cilium
  cilium:
    dnsSelector:
      toEndpoints:
        - matchLabels:
            k8s-app: kube-dns
    customEndpoints:
      toFQDNs:
        - matchName: api.edgedelta.com
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
Resources
| Variable | Default | Description |
|---|---|---|
| resources.limits.cpu | 2000m | Maximum CPU for agent pods. |
| resources.limits.memory | 2Gi | Maximum memory for agent pods. |
| resources.requests.cpu | 200m | Minimum CPU for scheduling. |
| resources.requests.memory | 256Mi | Minimum memory for scheduling. |
| priorityClassName | "" | PriorityClass for agent pods. Higher priority pods can preempt lower priority pods. |
See Reducing Agent Resource Consumption for optimization strategies.
Scheduling
| Variable | Default | Description |
|---|---|---|
| annotations | {} | Custom annotations for pods. |
| nodeSelector | {} | Node selector labels for pod scheduling. |
| tolerations | {} | Tolerations for scheduling on tainted nodes. |
| updateStrategy.type | RollingUpdate | Update strategy type. |
| updateStrategy.rollingUpdate.maxUnavailable | 1 | Max unavailable pods during rolling update. |
Monitoring Ports
| Variable | Default | Description |
|---|---|---|
| storePort | "" | Port for pipeline metrics storage. |
| profilerPort | "" | Port for CPU/memory profiling via pprof. See Performance Profiling. |
| promPort | "" | Port for Prometheus metrics scraping. |
Watcher Sidecar
| Variable | Default | Description |
|---|---|---|
| watcherProps.enabled | false | Deploy a sidecar that monitors agent health (OOM kills, crash loops, evictions). |
| watcherProps.targetContainerName | "" | Container to monitor. Empty = auto-detect. |
| watcherProps.checkInterval | "" | Health check interval (e.g., 30s). Empty = default 30s. |
| watcherProps.resources.limits.cpu | 200m | Watcher CPU limit. |
| watcherProps.resources.limits.memory | 256Mi | Watcher memory limit. |
| watcherProps.resources.requests.cpu | 50m | Watcher CPU request. |
| watcherProps.resources.requests.memory | 64Mi | Watcher memory request. |
Miscellaneous
| Variable | Default | Description |
|---|---|---|
| skipCommonLabels | false | Skip adding standard Helm labels to resources. |
| nameOverride | "" | Override the chart name in resource names. |
| fullnameOverride | "" | Override the full resource name. |
Deprecated Values
| Variable | Description |
|---|---|
| edWorkflows | Colon-separated list of workflow names to enable (v2 agents only). |
| edWorkflowPrefixes | Colon-separated list of workflow prefixes to enable (v2 agents only). |
Viewing Default Values
To view all default values for any chart:
helm repo update
helm show values edgedelta/edgedelta
helm show values edgedelta/edgedelta-gateway
helm show values edgedelta/edgedelta-coordinator