EDB Klio Operator Helm Chart v0.0.12
The EDB Klio Operator Helm chart from EDB allows you to deploy the Klio Operator in your Kubernetes cluster. It is distributed as a private OCI image.
Prerequisites
Before installing the Klio Operator, ensure you have:
- Helm – see the Helm installation guide
- Kubernetes cluster with appropriate permissions
- Credentials to access the registry hosting the Helm chart, the Klio operator image, and the Klio operand image. For the EDB registry, your username will be k8s and your password will be your EDB Repos 2.0 token.
- CloudNativePG Operator already installed in your Kubernetes cluster. See the CloudNativePG installation guide.
- cert-manager (optional, but strongly recommended for managing TLS certificates). See the cert-manager installation guide.
- Prometheus Operator (optional, for operator monitoring). See the Prometheus Operator installation guide.
Installation
For simplicity, the instructions below assume you've put the following values into environment variables:
- $TOKEN - will be your EDB Repos 2.0 token.
- $NAMESPACE - will be the namespace where you installed CNPG (cnpg-system is the default namespace for CNPG installations).
Example:
export TOKEN=your-edb-token
export NAMESPACE=cnpg-system
Step 1: Registry Authentication
First, authenticate with the EDB registry where the Helm chart is hosted:
helm registry login helm.oci.cloudsmith.io -u enterprisedb/k8s -p "${TOKEN}"
Step 2: Create an Image Pull Secret
Create a Kubernetes secret to allow the operator to pull container images from the registry:
kubectl create secret docker-registry klio-registry-secret \
  --docker-server=docker.enterprisedb.com \
  --docker-username=k8s \
  "--docker-password=${TOKEN}" \
  --namespace "${NAMESPACE}"
Namespace Selection
Select the namespace where you want to deploy the Klio Operator. This must be the same namespace where CloudNativePG is deployed.
Step 3: Install the Helm Chart
Deploy the Klio Operator to your cluster:
helm install klio-operator oci://helm.oci.cloudsmith.io/enterprisedb/k8s/klio-operator-chart \
  --version 0.0.12 \
  --namespace "${NAMESPACE}" \
  --set "controllerManager.manager.image.pullSecrets[0].name=klio-registry-secret"
Step 4: Verify Installation
After installation, verify that the Klio Operator is running:
kubectl get pods -n "${NAMESPACE}" -l app.kubernetes.io/name=klio
You should see the operator pod in a Running state. Check the logs to ensure
there are no errors:
kubectl logs -n "${NAMESPACE}" deployment/klio-controller-manager -f
Verify that the Custom Resource Definitions (CRDs) were created:
kubectl get crds | grep klio.enterprisedb.io
You should see CRDs like servers.klio.enterprisedb.io and pluginconfigurations.klio.enterprisedb.io.
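Steps 1 and 2 above pass the token as a command-line argument to helm and kubectl, where it can end up in shell history and the process list. As an added example (not part of the EDB documentation), the function below renders the same image pull secret as a manifest from a token read on stdin; the function names and the rejection of quote and backslash characters are assumptions of this example.

```shell
# Added example, not from the EDB docs: keep the registry token out of argv.

b64() { base64 | tr -d '\n'; }   # GNU base64 wraps long output; strip newlines

# render_pull_secret NAME NAMESPACE SERVER USERNAME   (token is read from stdin)
# Prints a kubernetes.io/dockerconfigjson Secret manifest on stdout.
render_pull_secret() {
  local name=$1
  local ns=$2
  local server=$3
  local user=$4
  local token auth cfg
  # Accept input with or without a trailing newline.
  IFS= read -r token || [ -n "$token" ] || true
  if [ -z "$token" ]; then
    echo "render_pull_secret: empty token on stdin" >&2
    return 1
  fi
  # The JSON below is built with printf, so refuse values that need escaping.
  case "$server$user$token" in
    *\"*|*\\*)
      echo "render_pull_secret: quote or backslash not supported" >&2
      return 1
      ;;
  esac
  auth=$(printf '%s:%s' "$user" "$token" | b64)
  cfg=$(printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$server" "$user" "$token" "$auth")
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(printf '%s' "$cfg" | b64)
EOF
}

# Usage (printf is a shell builtin, so the token is never a process argument):
#   printf '%s\n' "$TOKEN" | helm registry login helm.oci.cloudsmith.io \
#     -u enterprisedb/k8s --password-stdin
#   printf '%s\n' "$TOKEN" | render_pull_secret klio-registry-secret \
#     "$NAMESPACE" docker.enterprisedb.com k8s | kubectl apply -f -
```

The resulting secret has the same name, type and registry as the one created in Step 2, so the `pullSecrets` setting in Step 3 is unchanged.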
Configuration
Customizing the Installation
The chart is designed to be customizable, allowing you to configure multiple
aspects of the Klio Operator deployment, passing in values through a custom
values.yaml file or using the --set flag during installation.
See the Helm documentation for more details
on how to customize and manage Helm charts.
Inspecting the Chart
Before installing, you can download the Helm chart to inspect its contents, review the default values, and understand what resources it will create:
helm pull oci://docker.enterprisedb.com/k8s/klio-operator-chart --version 0.0.12
This downloads the chart as a .tgz file. Extract it to examine the templates,
default values.yaml, and other chart files:
tar -xzf klio-operator-chart-0.0.12.tgz
cd klio-operator-chart
cat values.yaml
Configuration Reference
| Key | Type | Default | Description |
|---|---|---|---|
| certmanager.clusterDomain | string | "cluster.local" | The DNS domain of the cluster |
| certmanager.createMetricsCertificate | bool | true | Create certificates for the metrics service. |
| certmanager.createPluginClientCertificate | bool | true | Create certificates for the plugin client. |
| certmanager.createPluginServerCertificate | bool | true | Create certificates for the plugin server. |
| certmanager.duration | string | "2160h" | The duration of the certificates. |
| certmanager.enable | bool | true | Enable cert-manager integration for certificate creation. |
| certmanager.renewBefore | string | "360h" | The renew before time for the certificates. |
| controllerManager.affinity | object | {} | Affinity rules for the operator deployment. |
| controllerManager.manager.args | list | ["--metrics-bind-address=:8443","--leader-elect","--health-probe-bind-address=:8081","--plugin-server-cert=/pluginServer/tls.crt","--plugin-server-key=/pluginServer/tls.key","--plugin-client-cert=/pluginClient/tls.crt","--plugin-server-address=:9090","--custom-cnpg-group=postgresql.cnpg.io"] | List of command line arguments to pass to the controller manager. |
| controllerManager.manager.containerSecurityContext | object | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}} | The security context for the controller manager container. |
| controllerManager.manager.env | object | {"SIDECAR_IMAGE":"docker.enterprisedb.com/k8s/klio:v0.0.12"} | The environment variables to set in the controller manager container. |
| controllerManager.manager.image.pullPolicy | string | "Always" | The controller manager container imagePullPolicy. |
| controllerManager.manager.image.pullSecrets | list | [] | The list of imagePullSecrets. |
| controllerManager.manager.image.repository | string | "docker.enterprisedb.com/k8s/klio-operator" | The image to use for the controller manager container. |
| controllerManager.manager.image.tag | string | "v0.0.12" | The tag to use for the controller manager container image. |
| controllerManager.manager.livenessProbe | object | {"httpGet":{"path":"/healthz","port":8081},"initialDelaySeconds":15,"periodSeconds":20} | Liveness probe configuration. |
| controllerManager.manager.readinessProbe | object | {"httpGet":{"path":"/readyz","port":8081},"initialDelaySeconds":5,"periodSeconds":10} | Readiness probe configuration. |
| controllerManager.manager.resources | object | {"limits":{"cpu":"500m","memory":"128Mi"},"requests":{"cpu":"10m","memory":"64Mi"}} | The resources to allocate. |
| controllerManager.nodeSelector | object | {} | NodeSelector for the operator deployment. |
| controllerManager.podSecurityContext | object | {"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}} | The security context for the controller manager pod. |
| controllerManager.priorityClassName | string | "" | Priority class name for the controller manager pod. |
| controllerManager.serviceAccount.annotations | object | {} | The annotations to add to the service account. |
| controllerManager.tolerations | list | [] | Tolerations for the operator deployment. |
| controllerManager.topologySpreadConstraints | list | [] | Topology Spread Constraints for the operator deployment. |
| fullnameOverride | string | "" | Override the fully qualified name of the Helm Chart. |
| kubernetesClusterDomain | string | "cluster.local" | The domain for the Kubernetes cluster. |
| metricsService.enable | bool | true | Enable the metrics service for the controller manager. |
| metricsService.metricsServiceSecret | string | "klio-metrics-server-cert" | The name of the secret containing the TLS certificate for the metrics service. |
| metricsService.ports | list | [{"name":"https","port":8443,"protocol":"TCP","targetPort":8443}] | The port the metrics service will listen on. |
| metricsService.type | string | "ClusterIP" | Service type for the metrics service. |
| nameOverride | string | "klio" | Override the name of the Helm Chart. |
| plugin.clientSecret | string | "klio-plugin-client-tls" | The Client TLS certificate. |
| plugin.name | string | "klio.enterprisedb.io" | The name the plugin will use to register itself with the CNPG Operator. |
| plugin.port | int | 9090 | The port the plugin will listen on. It must match the "--plugin-server-address" argument. |
| plugin.serverSecret | string | "klio-plugin-server-tls" | The Server TLS certificate. |
| prometheus.enable | bool | true | To enable a ServiceMonitor to export metrics to Prometheus set true. |
| serviceAccount.annotations | object | {} | The annotations to add to the service account. |
| serviceAccount.automount | bool | true | Automount service account token. |
| serviceAccount.create | bool | true | Specifies whether a service account should be created. |
| serviceAccount.name | string | "" | The name of the service account |
Upgrading
To upgrade the Klio Operator to a newer version:
helm upgrade klio-operator oci://docker.enterprisedb.com/k8s/klio-operator-chart \
  --version <NEW_VERSION> \
  --namespace "${NAMESPACE}"
...where <NEW_VERSION> is the version you're upgrading to.
When upgrading, you can control how Helm handles values from the previous installation. Please refer to the Helm upgrade documentation to understand the different options.
CRD Upgrades
Helm does not automatically upgrade CRDs. If the new version includes CRD updates, you may need to apply them manually. Check the release notes for specific upgrade instructions.
Uninstalling
To uninstall the Klio Operator:
helm uninstall klio-operator --namespace "${NAMESPACE}"
Data Preservation
Uninstalling the operator does not automatically remove:
- Custom Resource Definitions (CRDs)
- Existing Klio resources (Servers, PluginConfigurations)
- Persistent volumes containing backup data
To completely remove Klio from your cluster, you must manually delete these resources.
To remove the CRDs after uninstalling:
kubectl delete crd servers.klio.enterprisedb.io
kubectl delete crd pluginconfigurations.klio.enterprisedb.io