Parameters

The parent key for all of the following parameters is vcluster.

This component supports multi-instantiation.

namespace

type

string

default

syn-${_instance}

The namespace in which to deploy this component.

Deploying multiple vclusters in the same namespace isn’t supported.

namespaceMetadata

type

dictionary

default

{}

example
namespaceMetadata:
  annotations:
    prometheus: infra

Additional metadata for the namespace.

images

type

dictionary

Dictionary containing the container images used by this component.

The kubectl image is used to create OCP routes. The kubectl and jq binaries are required in this image.

k3s.additional_args

type

list

default

[]

example
k3s:
  additional_args:
  - --kube-apiserver-arg=oidc-issuer-url=https://id.local/auth/realms/local
  - --kube-apiserver-arg=oidc-client-id=local
  - --kube-apiserver-arg=oidc-username-claim=email
  - --kube-apiserver-arg=oidc-groups-claim=groups

Additional command-line arguments passed to the k3s binary running inside the vcluster. The example enables OIDC authentication on the vcluster's kube-apiserver, which is also the fallback authentication method needed when client certificates can't reach the API server (see ocp_route.host).

backing_store

type

dictionary

Configuration for the backing store. If nothing is configured, the embedded database (SQLite) is used. For the available configuration options see the official vcluster documentation.

resources

type

dictionary

default
resources:
  k3s:
    requests:
      cpu: 40m
      memory: 64Mi
    limits:
      cpu: 100m
      memory: 256Mi
  syncer:
    requests:
      cpu: 200m
      memory: 256Mi
    limits:
      memory: 2Gi

The resource requests and limits for the k3s and syncer containers.

ingress.host

type

string

default

null

If set, an Ingress with the given host is created. The Ingress includes a TLS section for the same host.

It's assumed that cert-manager is running on the cluster to provision Let's Encrypt certificates; the default ingress.annotations select the cluster issuer it uses.

ingress.annotations

type

dictionary

default

{cert-manager.io/cluster-issuer: letsencrypt-production}

example
ingress:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"

Additional annotations for the ingress object.

ocp_route.host

type

string

default

null

If set, a route.openshift.io/v1.Route with the given host is created.

The route is created with TLS termination set to re-encrypt.

With re-encrypt termination the OpenShift router terminates the client's TLS connection and opens a new one to the vcluster, so the client certificate never reaches the vcluster's API server and mTLS (client-certificate) user authentication no longer works. Configure a secondary authentication method, such as OIDC via k3s.additional_args, before relying on the route.

syn.registration_url

If set, the vcluster is registered with the Project SYN instance reachable at this URL.

storage.persistence

type

bool or string

default

auto

Persistence controls whether vcluster resources are persisted between deployments. Defaults to auto, in which case vcluster decides based on the chosen distro and backing_store.

storage.size

type

string

default

5Gi

The size of the persistent volume claim.

storage.class_name

type

string

default

null

The StorageClass used for the persistent volume claim.

additional_manifests

type

string

default

""

example
additional_manifests: |-
  cluster-admin:
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: oidc-cluster-admin
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - kind: Group
      name: admin

Manifests applied inside the vcluster after it has started. In the example, the key cluster-admin names a ClusterRoleBinding that grants the cluster-admin ClusterRole to every member of the group admin; with the OIDC arguments from k3s.additional_args, that group is taken from the groups claim of the user's token.
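The two cautions above, that a re-encrypt route removes mTLS user authentication and that additional_manifests can hand out cluster-admin, are easy to check before a catalog compile. The following lint is an added example, not code from component-vcluster: it takes the resolved vcluster parameters as a plain dict, assumes additional_manifests is written in JSON syntax (valid YAML, so the standard library can parse it; use yaml.safe_load for real YAML), and uses constructed sample parameters. The function names (lint_vcluster, apiserver_flag_names) are hypothetical.

```python
"""Lint compiled vcluster parameters for the pitfalls described on this page.

Added example, not code from component-vcluster. Assumptions: the parameters
arrive as a plain dict, and additional_manifests is written in JSON syntax
(valid YAML) so that json.loads can parse it without extra dependencies.
"""
import json

# kube-apiserver flags that together enable OIDC authentication, matching the
# k3s.additional_args example on this page.
REQUIRED_OIDC_FLAGS = ("oidc-issuer-url", "oidc-client-id", "oidc-username-claim")

# Built-in groups that every (or every anonymous) request belongs to; binding a
# role to them grants it to anyone able to reach the API server.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}


def apiserver_flag_names(additional_args):
    """Return the kube-apiserver flag names set through --kube-apiserver-arg."""
    prefix = "--kube-apiserver-arg="
    return {
        arg[len(prefix):].split("=", 1)[0]
        for arg in additional_args
        if arg.startswith(prefix)
    }


def lint_vcluster(params):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    k3s_args = (params.get("k3s") or {}).get("additional_args") or []
    flags = apiserver_flag_names(k3s_args)

    # A re-encrypt OCP route terminates the client's TLS at the router, so client
    # certificates never reach the vcluster: OIDC must be configured instead.
    if (params.get("ocp_route") or {}).get("host"):
        missing = [f for f in REQUIRED_OIDC_FLAGS if f not in flags]
        if missing:
            findings.append(
                "ocp_route.host is set (mTLS user auth unavailable) but OIDC is "
                "incomplete: missing " + ", ".join(missing)
            )

    # Review every role binding that additional_manifests creates in the vcluster.
    raw = params.get("additional_manifests") or ""
    manifests = json.loads(raw) if raw.strip() else {}  # yaml.safe_load for real YAML
    for key, manifest in manifests.items():
        if manifest.get("kind") not in ("ClusterRoleBinding", "RoleBinding"):
            continue
        role = (manifest.get("roleRef") or {}).get("name", "?")
        for subject in manifest.get("subjects") or []:
            if subject.get("kind") != "Group":
                continue
            if subject.get("name") in BROAD_GROUPS:
                findings.append(
                    f"additional_manifests[{key}] binds {role} to {subject['name']}"
                )
            if "oidc-groups-claim" not in flags:
                findings.append(
                    f"additional_manifests[{key}] uses Group {subject.get('name')} "
                    "but oidc-groups-claim is not set, so OIDC users carry no groups"
                )
    return findings


# Constructed sample parameters (hypothetical hosts, not from a real cluster).
SAMPLE_BAD = {
    "ocp_route": {"host": "vcluster.apps.example.com"},
    "k3s": {"additional_args": []},
    "additional_manifests": json.dumps({
        "cluster-admin": {
            "kind": "ClusterRoleBinding",
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "metadata": {"name": "everyone-cluster-admin"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "Group", "name": "system:authenticated"}],
        }
    }),
}

SAMPLE_GOOD = {
    "ocp_route": {"host": "vcluster.apps.example.com"},
    "k3s": {"additional_args": [
        "--kube-apiserver-arg=oidc-issuer-url=https://id.local/auth/realms/local",
        "--kube-apiserver-arg=oidc-client-id=local",
        "--kube-apiserver-arg=oidc-username-claim=email",
        "--kube-apiserver-arg=oidc-groups-claim=groups",
    ]},
    "additional_manifests": json.dumps({
        "cluster-admin": {
            "kind": "ClusterRoleBinding",
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "metadata": {"name": "oidc-cluster-admin"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "Group", "name": "admin"}],
        }
    }),
}

if __name__ == "__main__":
    for name, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, lint_vcluster(sample) or ["no findings"])
```

SAMPLE_BAD produces three findings (route without OIDC, cluster-admin bound to system:authenticated, and a Group subject without oidc-groups-claim); SAMPLE_GOOD, which mirrors the examples on this page, produces none.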

helm_values

type

dictionary

Overrides for the values of the upstream vcluster Helm chart. The component's default values enable k3s as the distro and enable the ingress; see defaults.yaml for the exact configuration.

Example

ingress:
  host: testcluster.local
k3s:
  additional_args:
    - --kube-apiserver-arg=oidc-issuer-url=https://id.local/auth/realms/local
    - --kube-apiserver-arg=oidc-client-id=local
    - --kube-apiserver-arg=oidc-username-claim=email
    - --kube-apiserver-arg=oidc-groups-claim=groups
backing_store:
  etcd:
    deploy:
      enabled: true