flux-operator

Helm chart
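# Default values for flux-operator.
# NOTE(review): the nesting below was restored from a flattened listing; diff it
# against the chart's packaged values.yaml before relying on it.

nameOverride: ""
fullnameOverride: ""

# NOTE(security): lockdown is off by default, while `rbac.create` binds the
# operator to cluster-admin and `rbac.createAggregation` extends the built-in
# view/edit/admin roles to the ResourceSet APIs. On shared clusters, read the
# linked RBAC documentation and consider enabling this. Presumably it constrains
# the service account that ResourceSets reconcile under; confirm in the docs.
# -- Enable [multitenancy lockdown](https://fluxoperator.dev/docs/crd/resourceset/#role-based-access-control) for the ResourceSet APIs.
multitenancy:
  enabled: false
  enabledForWorkloadIdentity: false
  defaultServiceAccount: "flux-operator" # @schema required: true
  defaultWorkloadIdentityServiceAccount: "flux-operator" # @schema required: true

# -- Flux [reporting](https://fluxoperator.dev/docs/crd/fluxreport/) settings.
reporting:
  interval: 5m # @schema required: true

web:
  # NOTE(security): the status web server is on by default. `ingress` and
  # `httpRoute` below default to disabled, so these values do not publish it
  # outside the cluster; review the authentication settings of the Web Config
  # API before enabling either of them.
  # -- Enable the [Flux Status web server](https://fluxoperator.dev/web-ui/) on port 9080.
  enabled: true
  # -- The spec of the [Web Config API](https://fluxoperator.dev/docs/web-ui/web-config-api/)
  config: {} # @schema type: object
  # NOTE(security): if the web config carries credentials (verify against the
  # Web Config API docs), supply it through this Secret rather than inline
  # `config`, so it is not stored in plain values files.
  # -- Reference to an existing Secret in the same namespace as the deployment containing the Web Config API. Should have the key `config.yaml`.
  configSecretName: "" # @schema default: ""
  # -- GitOps actions configuration for the web UI.
  userActions:
    # NOTE(security): with `FineGrained`, requests are sent under the web
    # server's identity, so the API server no longer evaluates the end user's
    # own RBAC for an action; authorization then rests on the web server's
    # checks and its extended ClusterRole. Keep `Impersonated` unless there is
    # a specific need.
    # -- Access mode for GitOps actions. When set to `FineGrained`, actions are performed using the web server's own privileges instead of impersonating the user, and the web ClusterRole is extended with the native Kubernetes permissions required by the actions (only effective in `web.serverOnly` mode; otherwise the operator already runs as cluster-admin). Either `Impersonated` (default) or `FineGrained`.
    access: Impersonated # @schema enum:["Impersonated", "FineGrained"]; default: "Impersonated"
  # NOTE(security): this policy *allows* access; the permitted sources are not
  # visible in these values. Inspect the rendered NetworkPolicy before assuming
  # it restricts who can reach the web interface.
  # -- Create a NetworkPolicy to allow access to the Flux Status web interface.
  networkPolicy:
    create: true
  # -- Create standard roles for [user access management](https://fluxoperator.dev/docs/web-ui/user-management/).
  rbac:
    createRoles: true # @schema default: true
    createAggregation: false # @schema default: false
  # -- Run the Flux Status web server as a standalone deployment (requires a dedicated Helm release).
  serverOnly: false
  # -- Number of replicas for the Flux Status web server standalone deployment (only applicable if `web.serverOnly` is `true`).
  serverReplicas: 1 # @schema default: 1
  # -- Ingress settings for the Flux Status web interface.
  ingress: # @schema default: {"enabled":false,"className":"","annotations":{}}
    enabled: false # @schema default: false
    className: ""
    annotations: {} # @schema type: object
    hosts: [] # @schema item: object ; uniqueItems: true
    #  - host: flux-operator.example.com
    #    paths:
    #      - path: /
    #        pathType: ImplementationSpecific
    tls: [] # @schema item: object ; uniqueItems: true
    #  - secretName: flux-operator-tls
    #    hosts:
    #      - flux-operator.example.com
  # -- Gateway API HTTPRoute settings for the Flux Status web interface.
  httpRoute: # @schema default: {"enabled":false,"annotations":{},"parentRefs":[],"hostnames":[]}
    enabled: false # @schema default: false
    annotations: {} # @schema type: object
    parentRefs: [] # @schema item: object ; uniqueItems: true
    #  - name: my-gateway
    #    namespace: gateway-system
    #    sectionName: https
    hostnames: [] # @schema item: string ; uniqueItems: true
    #  - flux.example.com

# -- Install and upgrade the custom resource definitions.
installCRDs: true # @schema default: true

# -- Common annotations to add to all deployed objects including pods.
commonAnnotations: {}

# -- Common labels to add to all deployed objects including pods.
commonLabels: {}

# NOTE(security): the digest pins the image content; when a digest is present
# the `latest` tag text does not select the image, so upgrades require updating
# the digest. The repository path is private, so `pullSecrets` or node-level
# registry credentials are presumably required.
# -- Container image settings.
# The image tag defaults to the chart appVersion.
image:
  repository: cgr.dev/chainguard-private/flux-operator
  tag: latest@sha256:30e43a90b3cf9ea039e16f29ffac50a2b76216aa62dcbe2def35e34d47fbb7f2
  pullSecrets: [] # @schema item: object ; uniqueItems: true
  imagePullPolicy: IfNotPresent # @schema enum:[IfNotPresent, Always, Never]

# -- Pod priority class name.
# Recommended value is system-cluster-critical.
priorityClassName: "" # @schema default: "system-cluster-critical"

# -- Kubernetes [API priority and fairness](https://kubernetes.io/docs/concepts/cluster-administration/flow-control/) settings.
apiPriority: # @schema default: {"enabled":false,"level":"workload-high","extraServiceAccounts":[]}
  enabled: false
  level: workload-high
  extraServiceAccounts: []
  #  - name: kustomize-controller
  #    namespace: flux-system
  #  - name: helm-controller
  #    namespace: flux-system

# -- Container resources requests and limits settings.
resources: # @schema required: true
  limits:
    cpu: 2000m
    memory: 1Gi
  requests: # @schema default: {"cpu":"100m","memory":"64Mi"}
    cpu: 100m
    memory: 64Mi

# -- Container liveness probe settings.
livenessProbe: # @schema default: {"httpGet":{"path":"/healthz","port":8081},"initialDelaySeconds":15,"periodSeconds":20}
  httpGet:
    path: /healthz
    port: 8081
  initialDelaySeconds: 15
  periodSeconds: 20

# -- Container readiness probe settings.
readinessProbe: # @schema default: {"httpGet":{"path":"/readyz","port":8081},"initialDelaySeconds":5,"periodSeconds":10}
  httpGet:
    path: /readyz
    port: 8081
  initialDelaySeconds: 5
  periodSeconds: 10

# -- Pod service account settings.
# The name of the service account defaults to the release name.
serviceAccount: # @schema default: {"create":true,"automount":true,"name":""}
  create: true
  automount: true
  name: ""

rbac:
  # NOTE(security): with cluster-admin bound to this service account, its token
  # and the operator pod are equivalent to full cluster control. Keep the
  # restricted `securityContext` below and limit who may create or edit the
  # operator's custom resources.
  # -- Grant the cluster-admin role to the flux-operator service account (required for the Flux Instance deployment).
  create: true
  # -- Grant the Kubernetes view, edit and admin roles access to ResourceSet APIs.
  createAggregation: true

# -- Pod security context settings.
podSecurityContext: {} # @schema default: {"fsGroup":1337}

# -- Container security context settings.
# The default is compliant with the pod security restricted profile.
securityContext: # @schema required: true
  runAsNonRoot: true # @schema default: true
  readOnlyRootFilesystem: true # @schema default: true
  allowPrivilegeEscalation: false # @schema default: false
  capabilities: # @schema default: {"drop":["ALL"]}
    drop: # @schema item: string ; uniqueItems: true
      - "ALL"
  seccompProfile: # @schema default: {"type":"RuntimeDefault"}
    type: "RuntimeDefault"

# -- Pod affinity and anti-affinity settings.
affinity: # @schema default: {"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"kubernetes.io/os","operator":"In","values":["linux"]}]}]}}}
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kubernetes.io/os
              operator: In
              values:
                - linux

# -- Pod tolerations settings.
tolerations: [] # @schema item: object ; uniqueItems: true

# -- Pod Node Selector settings.
nodeSelector: {} # @schema type: object

# -- Deployment update strategy. Set `{"type":"Recreate"}` for single-replica installs whose web UI is fronted by a load balancer health check, where a rolling update would otherwise deadlock.
strategy: {} # @schema type: object

# NOTE(security): leave this off unless required. Host networking puts the
# listed ports on the node's interfaces, and on most CNI plugins pods using it
# are not covered by NetworkPolicy.
# -- If `true`, the container ports (`8080` and `8081`) are exposed on the host network.
hostNetwork: false # @schema default: false

# -- Pod extra volumes.
extraVolumes: [] # @schema item: object ; uniqueItems: true

# NOTE(security): avoid inline secret values here; reference a Secret instead,
# since values files are often committed to version control.
# -- Container extra environment variables.
extraEnvs: [] # @schema item: object ; uniqueItems: true

# -- Container extra arguments.
extraArgs: [] # @schema item: string ; uniqueItems: true

# -- Container extra volume mounts.
extraVolumeMounts: [] # @schema item: object ; uniqueItems: true

# -- Container logging level flag.
logLevel: "info" # @schema enum:[debug,info,error]

# -- Prometheus Operator scraping settings.
serviceMonitor: # @schema default: {"create":false,"interval":"60s","scrapeTimeout":"30s"}
  create: false
  interval: 60s
  scrapeTimeout: 30s
  labels: {}

service:
  # -- Sets the IP family policy on all Service resources. Uses Kubernetes defaults if unset
  ipFamilyPolicy: '' # @schema type: string; enum:['', SingleStack, PreferDualStack, RequireDualStack]

# -- Marketplace settings.
marketplace:
  type: ""
  license: ""
  account: ""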