This is v2 of the Helm chart, which will replace the first version in the long term. Make sure to adjust your old values to the new ones and pre-generate your templates with a dry run to ensure no breaking change occurs.

The Helm chart is available from GitHub Container Registry:

```shell
helm install kube-ovn oci://ghcr.io/kubeovn/charts/kube-ovn-v2 --version 1.15.0
```

Alternatively, install it from the chart directory of this repository:

```shell
helm install kube-ovn ./charts/kube-ovn-v2
```

To install Kube-OVN on Talos Linux, declare the OpenvSwitch module in the machine config of your Talos install:

```yaml
machine:
  kernel:
    modules:
      - name: openvswitch
```

Then use the following options to install this chart:

```yaml
ovsOvn:
  disableModulesManagement: true
  ovsDirectory: "/var/lib/openvswitch"
  ovnDirectory: "/var/lib/ovn"
cni:
  mountToolingDirectory: false
```

This README is generated using helm-docs. Launch helm-docs while in this folder to regenerate the documented values.
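As an added example (not part of the chart or its README), a values file for the Talos case above that also enables the chart's security-relevant options; every key comes from the values table below, and the master IPs are placeholder addresses:

```yaml
# Added example values.yaml for kube-ovn-v2 on Talos Linux (not shipped with the chart).
# Every key is documented in the values table; the comments explain why it is set.

global:
  registry:
    # Registry the images are pulled from; the chart default is docker.io/kubeovn.
    address: "docker.io/kubeovn"

# Talos loads the openvswitch module from the machine config, so the ovs-ovn
# pods must not manage kernel modules, and the OVS/OVN state must live on a
# writable path instead of the /etc/origin/... defaults.
ovsOvn:
  disableModulesManagement: true
  ovsDirectory: "/var/lib/openvswitch"
  ovnDirectory: "/var/lib/ovn"
cni:
  mountToolingDirectory: false

# Explicit master IPs avoid the Helm "lookup" on masterNodesLabels, which does
# not work with tools such as ArgoCD. The 192.0.2.0/24 addresses are placeholders.
masterNodes:
  - "192.0.2.10"
  - "192.0.2.11"

networking:
  stack: "Dual"
  # SSL encryption between the CNI components.
  enableSsl: true
  enableMetrics: true
  pods:
    cidr:
      v4: "10.16.0.0/16"
      v6: "fd00:10:16::/112"
  services:
    cidr:
      v4: "10.96.0.0/12"
      v6: "fd00:10:96::/112"

features:
  enableNetworkPolicies: true
  # Secure serving for the daemons' endpoints instead of plaintext.
  enableSecureServing: true
  # IPsec for node-to-node traffic; keys live under ovsOvn.ovsIpsecKeysDirectory on the node.
  enableOvnIpsec: true

networkPolicies:
  # "standard" blocks everything a policy does not allow. Switch to "lax"
  # (ARP/DHCP/ICMP allowed by default) only for KubeVirt VMs addressed via Kube-OVN DHCP.
  enforcement: "standard"

validatingWebhook:
  # Rejects invalid Kube-OVN custom resources before they reach Kubernetes.
  # cert-manager must be installed to issue the webhook certificate.
  enabled: true
```

Render it first, as recommended above, with `helm template kube-ovn oci://ghcr.io/kubeovn/charts/kube-ovn-v2 --version 1.15.0 -f values.yaml` and diff the output against your current manifests before running `helm install` or `helm upgrade`.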

| Key | Type | Default | Description |
|---|---|---|---|
| agent | object | `{}` | Configuration for kube-ovn-cni, the agent responsible for handling CNI requests from the CRI. |
| agent.annotations | object | `{}` | Annotations to be added to all top-level agent objects (resources under templates/agent) |
| agent.labels | object | `{}` | Labels to be added to all top-level agent objects (resources under templates/agent) |
| agent.metrics | object | `{}` | Agent metrics configuration. |
| agent.metrics.port | int | `10665` | Configure the port on which the agent service will serve metrics. |
| agent.mirroring | object | `{}` | Mirroring of the traffic for debug or analysis. https://kubeovn.github.io/docs/stable/en/guide/mirror/ |
| agent.mirroring.enabled | bool | `false` | Enable mirroring of the traffic. |
| agent.mirroring.interface | string | `"mirror0"` | Interface on which to send the mirrored traffic. |
| agent.podAnnotations | object | `{}` | Annotations to be added to the agent pods (kube-ovn-cni) |
| agent.podLabels | object | `{}` | Labels to be added to the agent pods (kube-ovn-cni) |
| agent.resources | object | `{"limits":{"cpu":"1000m","memory":"1Gi"},"requests":{"cpu":"100m","memory":"100Mi"}}` | Agent daemon resource limits & requests. ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |

| Key | Type | Default | Description |
|---|---|---|---|
| agent.dpdkTunnelInterface | string | `"br-phy"` | |
| agent.interface | string | `""` | |

| Key | Type | Default | Description |
|---|---|---|---|
| apiNad | object | `{}` | API NetworkAttachmentDefinition to give some pods (CoreDNS, NAT GW) in custom VPCs access to the K8S API. This requires Multus to be installed. |
| apiNad.enabled | bool | `false` | Enable the creation of the API NAD. |
| apiNad.name | string | `"ovn-kubernetes-api"` | Name of the NAD. |
| apiNad.provider | string | `"{{ .Values.apiNad.name }}.{{ .Values.namespace }}.ovn"` | Name of the provider, must be in the form "nadName.nadNamespace.ovn". |
| apiNad.subnet | object | `{}` | Subnet associated with the NAD, it will have full access to the API server. |
| apiNad.subnet.cidrBlock | string | `"100.100.0.0/16,fd00:100:100::/112"` | CIDR block used by the API subnet. |
| apiNad.subnet.name | string | `"ovn-kubernetes-api"` | Name of the subnet. |
| apiNad.subnet.protocol | string | `"Dual"` | Protocol for the API subnet. |

| Key | Type | Default | Description |
|---|---|---|---|
| bgpSpeaker | object | `{}` | Configuration for kube-ovn-speaker, the BGP speaker announcing routes to the external world. |
| bgpSpeaker.annotations | object | `{}` | Annotations to be added to all top-level kube-ovn-speaker objects (resources under templates/speaker) |
| bgpSpeaker.args | list | `[]` | Args passed to the kube-ovn-speaker pod. |
| bgpSpeaker.enabled | bool | `false` | Enable the kube-ovn-speaker. |
| bgpSpeaker.labels | object | `{}` | Labels to be added to all top-level kube-ovn-speaker objects (resources under templates/speaker) |
| bgpSpeaker.nodeSelector | object | `{}` | Node selector to restrict the deployment of the speaker to specific nodes. |
| bgpSpeaker.podAnnotations | object | `{}` | Annotations to be added to kube-ovn-speaker pods. |
| bgpSpeaker.podLabels | object | `{}` | Labels to be added to kube-ovn-speaker pods. |
| bgpSpeaker.resources | object | `{"limits":{},"requests":{"cpu":"500m","memory":"300Mi"}}` | kube-ovn-speaker resource limits & requests. ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |

| Key | Type | Default | Description |
|---|---|---|---|
| central | object | `{}` | Configuration for ovn-central, the daemon containing the northbound/southbound DBs and northd. |
| central.annotations | object | `{}` | Annotations to be added to all top-level ovn-central objects (resources under templates/central) |
| central.labels | object | `{}` | Labels to be added to all top-level ovn-central objects (resources under templates/central) |
| central.podAnnotations | object | `{}` | Annotations to be added to ovn-central pods. |
| central.podLabels | object | `{}` | Labels to be added to ovn-central pods. |
| central.resources | object | `{"limits":{"cpu":"3","memory":"4Gi"},"requests":{"cpu":"300m","memory":"200Mi"}}` | ovn-central resource limits & requests. ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |

| Key | Type | Default | Description |
|---|---|---|---|
| central.ovnLeaderProbeInterval | int | `5` | |
| central.ovnNorthdNThreads | int | `1` | |
| central.ovnNorthdProbeInterval | int | `5000` | |

| Key | Type | Default | Description |
|---|---|---|---|
| clusterDomain | string | `"cluster.local"` | Domain used by the cluster. |
| fullnameOverride | string | `""` | Full name override. |
| global | object | `{"images":{"kubeovn":{"repository":"kube-ovn","tag":"v1.14.0"}},"registry":{"address":"docker.io/kubeovn","imagePullSecrets":[]}}` | Global configuration. |
| image | object | `{}` | Image configuration. |
| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for all images. |
| masterNodes | list | `[]` | Comma-separated list of IPs for each master node. If not specified, fall back to auto-identifying masters based on "masterNodesLabels". |
| masterNodesLabels | object | `{"kube-ovn/role":"master"}` | Label used to auto-identify masters. Any node that has any of these labels will be considered a master node. Note: this feature uses the Helm "lookup" function, which is not compatible with tools such as ArgoCD. |
| nameOverride | string | `""` | Name override. |
| namespace | string | `"kube-system"` | Namespace in which the CNI is deployed. |

| Key | Type | Default | Description |
|---|---|---|---|
| cni | object | `{}` | CNI binary/configuration injected on the nodes. |
| cni.binaryDirectory | string | `"/opt/cni/bin"` | Location on the node where the agent will inject the Kube-OVN binary. |
| cni.configDirectory | string | `"/etc/cni/net.d"` | Location of the CNI configuration on the node. |
| cni.configPriority | string | `"01"` | Priority of Kube-OVN within the CNI configuration directory on the node. Should be a string representing a double-digit integer. |
| cni.localConfigFile | string | `"/kube-ovn/01-kube-ovn.conflist"` | Location of the CNI configuration inside the agent's pod. |
| cni.mountToolingDirectory | bool | `false` | Whether to mount the node's tooling directory into the pod. |
| cni.nonPrimaryCNI | bool | `false` | Whether to use Kube-OVN as a non-primary CNI. When set to true, Kube-OVN will not allocate/handle primary network interfaces. Interfaces are created using Network Attachment Definitions (NADs). |
| cni.toolingDirectory | string | `"/usr/local/bin"` | Location on the node where the CNI will install Kube-OVN's tooling. |

| Key | Type | Default | Description |
|---|---|---|---|
| controller | object | `{}` | Configuration for kube-ovn-controller, the controller responsible for syncing K8s with OVN. |
| controller.annotations | object | `{}` | Annotations to be added to all top-level kube-ovn-controller objects (resources under templates/controller) |
| controller.labels | object | `{}` | Labels to be added to all top-level kube-ovn-controller objects (resources under templates/controller) |
| controller.metrics | object | `{}` | Controller metrics configuration. |
| controller.metrics.port | int | `10660` | Configure the port on which the controller service will serve metrics. |
| controller.podAnnotations | object | `{}` | Annotations to be added to kube-ovn-controller pods. |
| controller.podLabels | object | `{}` | Labels to be added to kube-ovn-controller pods. |
| controller.resources | object | `{"limits":{"cpu":"1000m","memory":"1Gi"},"requests":{"cpu":"200m","memory":"200Mi"}}` | kube-ovn-controller resource limits & requests. ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |

| Key | Type | Default | Description |
|---|---|---|---|
| extraObjects | list | `[]` | Array of extra K8s manifests to deploy. Note: supports use of custom Helm templates (Go templating). |

| Key | Type | Default | Description |
|---|---|---|---|
| features | object | `{"ENABLE_ANP":false,"ENABLE_BIND_LOCAL_IP":true,"ENABLE_DNS_NAME_RESOLVER":false,"ENABLE_OVN_LB_PREFER_LOCAL":false,"LS_CT_SKIP_DST_LPORT_IPS":true,"LS_DNAT_MOD_DL_DST":true,"OVSDB_CON_TIMEOUT":3,"OVSDB_INACTIVITY_TIMEOUT":10,"SET_VXLAN_TX_OFF":false,"enableExternalVpcs":false,"enableHardwareOffload":false,"enableKeepVmIps":true,"enableLiveMigrationOptimization":true,"enableLoadbalancer":true,"enableLoadbalancerService":false,"enableNatGateways":true,"enableNetworkPolicies":true,"enableOvnInterconnections":false,"enableOvnIpsec":false,"enableSecureServing":false,"enableTproxy":false,"enableU2OInterconnections":false}` | Features of Kube-OVN we wish to enable/disable. |
| features.enableExternalVpcs | bool | `false` | Enable external VPCs |
| features.enableHardwareOffload | bool | `false` | Enable hardware offloads |
| features.enableKeepVmIps | bool | `true` | Enable persistent VM IPs |
| features.enableLiveMigrationOptimization | bool | `true` | Enable optimized live migrations for VMs |
| features.enableLoadbalancer | bool | `true` | Enable Kube-OVN loadbalancers |
| features.enableLoadbalancerService | bool | `false` | Enable Kube-OVN loadbalancer services |
| features.enableNatGateways | bool | `true` | Enable NAT gateways |
| features.enableNetworkPolicies | bool | `true` | Enable Kube-OVN network policies |
| features.enableOvnInterconnections | bool | `false` | Enable OVN interconnections |
| features.enableOvnIpsec | bool | `false` | Enable IPSEC |
| features.enableSecureServing | bool | `false` | Enable secure serving |
| features.enableTproxy | bool | `false` | Enable TProxy |
| features.enableU2OInterconnections | bool | `false` | Enable underlay to overlay interconnections |

| Key | Type | Default | Description |
|---|---|---|---|
| kubelet | object | `{}` | Kubelet configuration. |
| kubelet.directory | string | `"/var/lib/kubelet"` | Directory in which the kubelet operates. |
| logging.directory | string | `"/var/log"` | Directory in which to write the logs. |

| Key | Type | Default | Description |
|---|---|---|---|
| logging | object | `{}` | Logging configuration for all the daemons. |

| Key | Type | Default | Description |
|---|---|---|---|
| monitor | object | `{}` | Configuration for kube-ovn-monitor, the agent monitoring and returning metrics for the northbound/southbound DBs and northd. |
| monitor.annotations | object | `{}` | Annotations to be added to all top-level kube-ovn-monitor objects (resources under templates/monitor) |
| monitor.labels | object | `{}` | Labels to be added to all top-level kube-ovn-monitor objects (resources under templates/monitor) |
| monitor.metrics | object | `{}` | kube-ovn-monitor metrics configuration. |
| monitor.metrics.port | int | `10661` | Configure the port on which the kube-ovn-monitor service will serve metrics. |
| monitor.podAnnotations | object | `{}` | Annotations to be added to kube-ovn-monitor pods. |
| monitor.podLabels | object | `{}` | Labels to be added to kube-ovn-monitor pods. |
| monitor.resources | object | `{"limits":{"cpu":"200m","memory":"200Mi"},"requests":{"cpu":"200m","memory":"200Mi"}}` | kube-ovn-monitor resource limits & requests. ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |

| Key | Type | Default | Description |
|---|---|---|---|
| natGw | object | `{}` | Configuration for the NAT gateways. |
| natGw.bgpSpeaker | object | `{}` | Configuration of the BGP sidecar for when a NAT gateway is running in BGP mode. |
| natGw.bgpSpeaker.apiNadProvider | string | `"{{ .Values.apiNad.name }}.{{ .Values.namespace }}.ovn"` | Network attachment definition used to reach the API server when running in BGP mode. By default this equals the value set at ".apiNad.provider"; you will need to set ".apiNad.enabled" to true. See https://kubeovn.github.io/docs/stable/en/advance/with-bgp/ |
| natGw.bgpSpeaker.image | object | `{}` | Image used by the NAT gateway sidecar. |
| natGw.bgpSpeaker.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. |
| natGw.bgpSpeaker.image.repository | string | `"docker.io/kubeovn/kube-ovn"` | Image repository. |
| natGw.bgpSpeaker.image.tag | string | `"v1.15.0"` | Image tag. |
| natGw.image | object | `{}` | Image used by the NAT gateway. |
| natGw.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. |
| natGw.image.repository | string | `"docker.io/kubeovn/vpc-nat-gateway"` | Image repository. |
| natGw.image.tag | string | `"v1.15.0"` | Image tag. |
| natGw.namePrefix | string | `"vpc-nat-gw"` | Prefix added to the name of the NAT gateways when generating the Pods. If this value is changed after NAT GWs have been provisioned, every NAT gateway will need to be manually destroyed and recreated. |

| Key | Type | Default | Description |
|---|---|---|---|
| networkPolicies | object | `{}` | Configuration for network policies. |
| networkPolicies.enforcement | string | `"standard"` | Enforcement level of network policies when they get applied (can be: standard, lax). Enforcement "standard" blocks everything except what is allowed by the network policies. Enforcement "lax" is similar to "standard" with the exception that ARP/DHCPv4/DHCPv6/ICMPv4/ICMPv6 is allowed by default. This mode is useful when using Kubevirt and VMs with IPs configured via Kube-OVN's DHCP. |

| Key | Type | Default | Description |
|---|---|---|---|
| networking | object | `{}` | General configuration of the network created by Kube-OVN. |
| networking.defaultVpcName | string | `"ovn-cluster"` | Name of the default VPC once it is generated in the cluster. Pods in the default subnet live in this VPC. |
| networking.enableCompact | bool | `false` | |
| networking.enableEcmp | bool | `false` | |
| networking.enableEipSnat | bool | `true` | Enable EIP and SNAT. |
| networking.enableMetrics | bool | `true` | Enable listening on the metrics endpoint for the CNI daemons. |
| networking.enableSsl | bool | `false` | Deploy the CNI with SSL encryption in between components. |
| networking.exchangeLinkName | bool | `false` | |
| networking.excludeIps | string | `""` | IPs to exclude from IPAM in the default subnet. |
| networking.join | object | `{}` | Configuration of the "join" subnet, used by the nodes to contact (join) the pods in the default subnet. If .networking.stack is set to IPv4, only the .v4 key is used. If .networking.stack is set to IPv6, only the .v6 key is used. If .networking.stack is set to Dual, both keys are used. |
| networking.join.cidr | object | `{}` | CIDR used by the join subnet. |
| networking.join.cidr.v4 | string | `"100.64.0.0/16"` | IPv4 CIDR. |
| networking.join.cidr.v6 | string | `"fd00:100:64::/112"` | IPv6 CIDR. |
| networking.join.subnetName | string | `"join"` | Name of the join subnet once it gets generated in the cluster. |
| networking.networkType | string | `"geneve"` | Network type can be "geneve" or "vlan". |
| networking.nodeLocalDnsIp | string | `""` | Comma-separated string of NodeLocal DNS IP addresses. |
| networking.podNicType | string | `"veth-pair"` | NIC type used on pods to connect them to the CNI. |
| networking.pods | object | `{}` | Configuration for the default pod subnet. If .networking.stack is set to IPv4, only the .v4 key is used. If .networking.stack is set to IPv6, only the .v6 key is used. If .networking.stack is set to Dual, both keys are used. |
| networking.pods.cidr | object | `{}` | CIDR used by the pods subnet. |
| networking.pods.cidr.v4 | string | `"10.16.0.0/16"` | IPv4 CIDR. |
| networking.pods.cidr.v6 | string | `"fd00:10:16::/112"` | IPv6 CIDR. |
| networking.pods.enableGatewayChecks | bool | `true` | Enable default gateway checks. |
| networking.pods.enableLogicalGateways | bool | `false` | Enable logical gateways. |
| networking.pods.gateways | object | `{}` | Gateways used in the pod subnet. |
| networking.pods.gateways.v4 | string | `"10.16.0.1"` | IPv4 gateway. |
| networking.pods.gateways.v6 | string | `"fd00:10:16::1"` | IPv6 gateway. |
| networking.pods.mtu | int | `0` | MTU of the subnet. If set to 0, the MTU is auto-detected. |
| networking.pods.subnetName | string | `"ovn-default"` | Name of the pod subnet once it gets generated in the cluster. |
| networking.services | object | `{}` | Configuration for the service subnet. If .networking.stack is set to IPv4, only the .v4 key is used. If .networking.stack is set to IPv6, only the .v6 key is used. If .networking.stack is set to Dual, both keys are used. |
| networking.services.cidr | object | `{}` | CIDR used by the service subnet. |
| networking.services.cidr.v4 | string | `"10.96.0.0/12"` | IPv4 CIDR. |
| networking.services.cidr.v6 | string | `"fd00:10:96::/112"` | IPv6 CIDR. |
| networking.skipConntrackDstCidrs | string | `""` | Comma-separated list of destination IP CIDRs that should skip conntrack processing. |
| networking.stack | string | `"IPv4"` | Protocol(s) used by Kube-OVN to allocate IPs to pods and services. Can be either IPv4, IPv6 or Dual. |
| networking.tunnelType | string | `"geneve"` | Tunnel type can be "geneve", "vxlan" or "stt". |
| networking.vlan | object | `{"id":"100","interfaceName":"","name":"ovn-vlan","providerName":"provider"}` | Configuration if we're running on top of a VLAN. |

| Key | Type | Default | Description |
|---|---|---|---|
| ovsOvn | object | `{}` | Configuration for ovs-ovn, the Open vSwitch/Open Virtual Network daemons. |
| ovsOvn.annotations | object | `{}` | Annotations to be added to all top-level ovs-ovn objects (resources under templates/ovs-ovn) |
| ovsOvn.disableModulesManagement | bool | `false` | Disable auto-loading of kernel modules by OVS. If module management is disabled, you will have to load the Open vSwitch kernel module yourself. |
| ovsOvn.dpdkHybrid | object | `{}` | DPDK-hybrid support for OVS. ref: https://kubeovn.github.io/docs/v1.12.x/en/advance/dpdk/ |
| ovsOvn.dpdkHybrid.enabled | bool | `false` | Enables DPDK-hybrid support on OVS. |
| ovsOvn.dpdkHybrid.resources | object | `{"limits":{"cpu":"2","hugepages-2Mi":"1Gi","memory":"1000Mi"},"requests":{"cpu":"200m","memory":"200Mi"}}` | ovs-ovn resource limits & requests when DPDK-hybrid is enabled. ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
| ovsOvn.dpdkHybrid.tag | string | `"v1.14.0-dpdk"` | DPDK image tag. |
| ovsOvn.labels | object | `{}` | Labels to be added to all top-level ovs-ovn objects (resources under templates/ovs-ovn) |
| ovsOvn.ovnDirectory | string | `"/etc/origin/ovn"` | Directory on the node where Open Virtual Network (OVN) lives. |
| ovsOvn.ovsDirectory | string | `"/etc/origin/openvswitch"` | Directory on the node where Open vSwitch (OVS) lives. |
| ovsOvn.podAnnotations | object | `{}` | Annotations to be added to ovs-ovn pods. |
| ovsOvn.podLabels | object | `{}` | Labels to be added to ovs-ovn pods. |
| ovsOvn.resources | object | `{"limits":{"cpu":"2","memory":"1000Mi"},"requests":{"cpu":"200m","memory":"200Mi"}}` | ovs-ovn resource limits & requests. ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |

| Key | Type | Default | Description |
|---|---|---|---|
| performance | object | `{}` | Performance tuning parameters. |
| performance.gcInterval | int | `360` | |
| performance.inspectInterval | int | `20` | |
| performance.ovsVsctlConcurrency | int | `100` | |

| Key | Type | Default | Description |
|---|---|---|---|
| pinger | object | `{}` | Configuration for kube-ovn-pinger, the agent monitoring and returning metrics for OVS/external connectivity. |
| pinger.annotations | object | `{}` | Annotations to be added to all top-level kube-ovn-pinger objects (resources under templates/pinger) |
| pinger.labels | object | `{}` | Labels to be added to all top-level kube-ovn-pinger objects (resources under templates/pinger) |
| pinger.metrics | object | `{}` | kube-ovn-pinger metrics configuration. |
| pinger.metrics.port | int | `8080` | Configure the port on which the kube-ovn-monitor service will serve metrics. |
| pinger.podAnnotations | object | `{}` | Annotations to be added to kube-ovn-pinger pods. |
| pinger.podLabels | object | `{}` | Labels to be added to kube-ovn-pinger pods. |
| pinger.resources | object | `{"limits":{"cpu":"200m","memory":"400Mi"},"requests":{"cpu":"100m","memory":"100Mi"}}` | kube-ovn-pinger resource limits & requests. ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
| pinger.targets | object | `{}` | Remote targets used by the pinger daemon to determine if the CNI works and has external connectivity. |
| pinger.targets.externalAddresses | object | `{}` | Raw IPv4/6 addresses on which to issue pings. |
| pinger.targets.externalAddresses.v4 | string | `"1.1.1.1"` | IPv4 address. |
| pinger.targets.externalAddresses.v6 | string | `"2606:4700:4700::1111"` | IPv6 address. |
| pinger.targets.externalDomain | object | `{}` | Domains to resolve and to ping. Make sure the v6 domain resolves both A and AAAA records, while the v4 one only resolves A records. |
| pinger.targets.externalDomain.v4 | string | `"kube-ovn.io."` | Domain name resolving to an IPv4 address only (A record). |
| pinger.targets.externalDomain.v6 | string | `"google.com."` | Domain name resolving to both an IPv6 and an IPv4 address (A and AAAA records). |

| Key | Type | Default | Description |
|---|---|---|---|
| validatingWebhook | object | `{}` | Configuration of the validating webhook used to verify custom resources before they are pushed to Kubernetes. Make sure cert-manager is installed for the generation of certificates for the webhook. See https://kubeovn.github.io/docs/stable/en/guide/webhook/ |
| validatingWebhook.annotations | object | `{}` | Annotations to be added to all top-level kube-ovn-webhook objects (resources under templates/webhook) |
| validatingWebhook.enabled | bool | `false` | Enable the deployment of the validating webhook. |
| validatingWebhook.labels | object | `{}` | Labels to be added to all top-level kube-ovn-webhook objects (resources under templates/webhook) |
| validatingWebhook.podAnnotations | object | `{}` | Annotations to be added to kube-ovn-webhook pods. |
| validatingWebhook.podLabels | object | `{}` | Labels to be added to kube-ovn-webhook pods. |

| Key | Type | Default | Description |
|---|---|---|---|
| ovsOvn.ovsIpsecKeysDirectory | string | `"/etc/origin/ovs_ipsec_keys"` | Directory on the node where Open vSwitch (OVS) IPSEC keys live. |