EDB Klio Operator Helm Chart v0.0.15
The EDB Klio Operator Helm chart allows you to deploy the Klio Operator in your Kubernetes cluster. It is distributed as a private OCI image.
Namespace Selection
We have used the cnpg-system namespace for all examples on this page.
If you have deployed CloudNativePG in a different namespace, ensure you replace
cnpg-system with your specific namespace in all commands.
The Klio Operator must reside in the same namespace as the CloudNativePG
operator.
Prerequisites
Before installing the Klio Operator, ensure you have:
- Helm – see the Helm installation guide
- Kubernetes cluster with appropriate permissions
- Credentials to access the registry hosting the Helm chart, the Klio operator image, and the Klio operand image.
- CloudNativePG Operator already installed in your Kubernetes cluster. See the CloudNativePG installation guide.
- cert-manager (optional, but strongly recommended for managing TLS certificates). See the cert-manager installation guide.
- Prometheus Operator (optional, for operator monitoring). See the Prometheus Operator installation guide.
Installation
Step 1: Registry Authentication
Authenticate with the EDB registry where the Helm chart is hosted:
helm registry login helm.oci.cloudsmith.io -u enterprisedb/k8s -p <TOKEN>
Replace <TOKEN> with the required credentials.
Step 2: Create an Image Pull Secret
Create a Kubernetes secret to allow the operator to pull container images from the registry:
kubectl create secret docker-registry klio-registry-secret \ --docker-server=docker.enterprisedb.com \ --docker-username=k8s \ --namespace cnpg-system \ --docker-password=<TOKEN>
Step 3: Create a values file
Create a values.yaml file with your configuration. At minimum, set
the image pull secret created in the previous step. If you have not
installed cert-manager or the Prometheus Operator, disable them to
avoid errors during installation:
controllerManager: manager: image: pullSecrets: - name: klio-registry-secret # Uncomment if cert-manager is not installed # certmanager: # enable: false # Uncomment if the Prometheus Operator is not installed # prometheus: # enable: false
See the Configuration section for the full list of available parameters. You will reuse this file for future upgrades.
Step 4: Install the Helm Chart
Deploy the Klio Operator to your cluster:
helm install klio-operator \ oci://helm.oci.cloudsmith.io/enterprisedb/k8s/klio-operator-chart \ --version 0.0.15 \ --namespace cnpg-system \ -f values.yaml
Step 5: Verify Installation
After installation, verify that the Klio Operator is running:
kubectl get pods -n cnpg-system -l app.kubernetes.io/name=klio
You should see the operator pod in a Running state. Check the logs to ensure
there are no errors:
kubectl logs -n cnpg-system -l app.kubernetes.io/name=klio -f
Verify that the Custom Resource Definitions (CRDs) were created:
kubectl get crds | grep klio.enterprisedb.io
You should see CRDs like servers.klio.enterprisedb.io and
pluginconfigurations.klio.enterprisedb.io.
Configuration
Inspecting the Chart
You can download the Helm chart to inspect its contents, review the default values, and understand what resources it will create:
helm pull oci://helm.oci.cloudsmith.io/enterprisedb/k8s/klio-operator-chart \ --version 0.0.15 \ --untar
This downloads the chart and extracts it into the
klio-operator-chart folder, where you can review the templates,
the default values.yaml, and other chart files.
Configuration Reference
| Key | Type | Default | Description |
|---|---|---|---|
| certmanager.clusterDomain | string | "cluster.local" | The DNS domain of the cluster |
| certmanager.createMetricsCertificate | bool | true | Create certificates for the metrics service. |
| certmanager.createPluginClientCertificate | bool | true | Create certificates for the plugin client. |
| certmanager.createPluginServerCertificate | bool | true | Create certificates for the plugin server. |
| certmanager.duration | string | "2160h" | The duration of the certificates. |
| certmanager.enable | bool | true | Enable cert-manager integration for certificate creation. |
| certmanager.renewBefore | string | "360h" | The renew before time for the certificates. |
| controllerManager.affinity | object | {} | Affinity rules for the operator deployment. |
| controllerManager.manager.args | list | ["--metrics-bind-address=:8443","--leader-elect","--health-probe-bind-address=:8081","--plugin-server-cert=/pluginServer/tls.crt","--plugin-server-key=/pluginServer/tls.key","--plugin-client-cert=/pluginClient/tls.crt","--plugin-server-address=:9090"] | List of command line arguments to pass to the controller manager. |
| controllerManager.manager.containerSecurityContext | object | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}} | The security context for the controller manager container. |
| controllerManager.manager.env | object | {"SIDECAR_IMAGE":"docker.enterprisedb.com/k8s/klio:v0.0.15"} | The environment variables to set in the controller manager container. |
| controllerManager.manager.image.pullPolicy | string | "Always" | The controller manager container imagePullPolicy. |
| controllerManager.manager.image.pullSecrets | list | [] | The list of imagePullSecrets. |
| controllerManager.manager.image.repository | string | "docker.enterprisedb.com/k8s/klio-operator" | The image to use for the controller manager container. |
| controllerManager.manager.image.tag | string | "v0.0.15" | The tag to use for the controller manager container image. |
| controllerManager.manager.livenessProbe | object | {"httpGet":{"path":"/healthz","port":8081},"initialDelaySeconds":15,"periodSeconds":20} | Liveness probe configuration. |
| controllerManager.manager.readinessProbe | object | {"httpGet":{"path":"/readyz","port":8081},"initialDelaySeconds":5,"periodSeconds":10} | Readiness probe configuration. |
| controllerManager.manager.resources | object | {"limits":{"cpu":"500m","memory":"128Mi"},"requests":{"cpu":"10m","memory":"64Mi"}} | The resources to allocate. |
| controllerManager.nodeSelector | object | {} | NodeSelector for the operator deployment. |
| controllerManager.podSecurityContext | object | {"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}} | The security context for the controller manager pod. |
| controllerManager.priorityClassName | string | "" | Priority class name for the controller manager pod. |
| controllerManager.serviceAccount.annotations | object | {} | The annotations to add to the service account. |
| controllerManager.tolerations | list | [] | Tolerations for the operator deployment. |
| controllerManager.topologySpreadConstraints | list | [] | Topology Spread Constraints for the operator deployment. |
| fullnameOverride | string | "" | Override the fully qualified name of the Helm Chart. |
| kubernetesClusterDomain | string | "cluster.local" | The domain for the Kubernetes cluster. |
| metricsService.enable | bool | true | Enable the metrics service for the controller manager. |
| metricsService.metricsServiceSecret | string | "klio-metrics-server-cert" | The name of the secret containing the TLS certificate for the metrics service. |
| metricsService.ports | list | [{"name":"https","port":8443,"protocol":"TCP","targetPort":8443}] | The port the metrics service will listen on. |
| metricsService.type | string | "ClusterIP" | Service type for the metrics service. |
| nameOverride | string | "klio" | Override the name of the Helm Chart. |
| plugin.clientSecret | string | "klio-plugin-client-tls" | The Client TLS certificate. |
| plugin.name | string | "klio.enterprisedb.io" | The name the plugin will use to register itself with the CNPG Operator. |
| plugin.port | int | 9090 | The port the plugin will listen on. It must match the "--plugin-server-address" argument. |
| plugin.serverSecret | string | "klio-plugin-server-tls" | The Server TLS certificate. |
| prometheus.enable | bool | true | To enable a ServiceMonitor to export metrics to Prometheus set true. |
| serviceAccount.annotations | object | {} | The annotations to add to the service account. |
| serviceAccount.automount | bool | true | Automount service account token. |
| serviceAccount.create | bool | true | Specifies whether a service account should be created. |
| serviceAccount.name | string | "" | The name of the service account |
Custom CNPG API Group
Klio targets the CloudNativePG API group
(postgresql.cnpg.io, version v1) by default. If you are running
a CNPG-based operator that uses a different API group or version (for example,
EDB Postgres® AI for CloudNativePG™ Cluster),
you must tell the Klio operator which group and version to use.
Set the --custom-cnpg-group and --custom-cnpg-version flags via
the controllerManager.manager.args Helm value:
controllerManager: manager: args: # … other flags … - "--custom-cnpg-group=postgresql.k8s.enterprisedb.io" - "--custom-cnpg-version=v1"
The operator passes these values to every Klio sidecar as the
CUSTOM_CNPG_GROUP and CUSTOM_CNPG_VERSION environment variables,
so the sidecar and the operator always use the same API group and
version.
Note
When running on CloudNativePG the defaults
(postgresql.cnpg.io / v1) are correct and you do not need
to set these flags explicitly.
Upgrades
A complete upgrade consists of three steps that must be performed in order:
- Upgrade the CRDs — apply updated CRD manifests
- Upgrade the Operator — run
helm upgrade - Upgrade the Klio Server and client — upgrade operand images
Upgrade the CRDs
Upgrading CRDs
Helm does not upgrade CRDs after initial installation
(details).
When upgrading to a version that includes CRD changes, apply them
manually before running helm upgrade (as explained below).
CRD breaking changes
If the CRDs contain breaking changes, old resource definitions may not work. In this case, resources should be edited when upgrading the Klio Server and client. Check the Upgrade Notes for version-specific instructions.
Step 1: Download the new chart
Download the new version of the Helm chart to access the updated CRD manifests:
helm pull oci://helm.oci.cloudsmith.io/enterprisedb/k8s/klio-operator-chart \ --version 0.0.15 \ --untar
Step 2: Review CRD changes
Before applying, review the CRD changes to understand what is being modified:
kubectl diff -f klio-operator-chart/crds/
Step 3: Apply the updated CRDs
Apply the CRD manifests to your cluster:
kubectl apply --server-side --force-conflicts -f klio-operator-chart/crds/Step 4: Clean up
Remove the extracted chart directory:
rm -rf klio-operator-chart
Upgrade the Operator
To upgrade the Klio Operator to a newer version, run the following Helm upgrade command:
helm upgrade klio-operator \ oci://helm.oci.cloudsmith.io/enterprisedb/k8s/klio-operator-chart \ --version 0.0.15 \ --namespace cnpg-system \ -f values.yaml
See the Helm upgrade documentation for more details on this and other upgrade options.
Upgrade the Klio Server and client
After upgrading the operator and the CRDs, Klio images in Server
resources and the ones used as sidecars in Cluster resources should
be upgraded as well. We recommend using the same version for the
operator and the operand.
Future improvement
We plan to reduce the amount of manual work required during upgrades in future versions of the operator.
Upgrade Klio servers
Klio servers are not automatically updated when a new operand image is
released. Update the spec.image field with the new image reference:
kubectl patch server <server-name> -n <namespace> \ --type merge \ -p '{"spec":{"image":"docker.enterprisedb.com/k8s/klio:v0.0.15"}}'
Verify that the Klio Server pods are running the latest version:
kubectl get pods -l klio.enterprisedb.io/klio-server -A \ -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,IMAGE:.spec.containers[0].image'
Warning
If the Klio Pod gets into a broken state before the image upgrade, a new Pod with the image upgrade will not be rolled out. In this case you should delete the Klio Pod. The StatefulSet managing it will recreate it with the chosen image.
Warning
Not all parameters can be updated in a StatefulSet. In case a new version of the operator requires such a change, delete the StatefulSet managing the Klio Server. The operator will automatically recreate the StatefulSet. StatefulSets retain their PVCs by default, make sure your data is safe before proceeding.
kubectl delete statefulset -l klio.enterprisedb.io/klio-server=<SERVER_NAME> -n <NAMESPACE>
Upgrade Klio client sidecars
The Pods of the CNPG instances need to be recreated to run the new Klio image.
You can use the CNPG kubectl plugin to trigger a rolling update:
kubectl cnpg restart <cluster-name>
Refer to the CloudNativePG documentation for guidance on performing rolling updates.
Verify that the sidecar containers are running the latest version:
kubectl get pods -l cnpg.io/cluster -A \ -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{range .spec.initContainers[?(@.name=="klio-plugin")]}{.image}{end}{"\n"}{end}'
Uninstalling
To uninstall the Klio Operator:
helm uninstall klio-operator --namespace cnpg-systemData Preservation
Uninstalling the operator does not automatically remove:
- Custom Resource Definitions (CRDs)
- Existing Klio resources (Servers, PluginConfigurations)
- Persistent volumes containing backup data
To completely remove Klio from your cluster, you must manually delete these resources.
To remove the CRDs after uninstalling:
kubectl delete crd servers.klio.enterprisedb.io kubectl delete crd pluginconfigurations.klio.enterprisedb.io