Helm Values Reference

The Kestrel Operator is configured through Helm values. Below is a complete reference of all available configuration options.

Quick Configuration Examples

Basic Cilium Setup

auth:
  token: "your-token-here"

operator:
  cluster:
    id: "cluster-uuid"
    name: "production-cluster"

Istio Service Mesh Setup

auth:
  token: "your-token-here"

operator:
  cluster:
    id: "cluster-uuid"
    name: "production-cluster"
  cilium:
    disableFlows: true
  istio:
    enabled: true
    alsPort: 8080

Safe-Apply Enabled

auth:
  token: "your-token-here"

operator:
  cluster:
    id: "cluster-uuid"
    name: "production-cluster"
  safeApply:
    enabled: true

Complete Values Reference

Image Configuration

image.repository

  • Type: string
  • Default: ghcr.io/kestrelai/kestrel-operator
  • Description: Container image repository

image.tag

  • Type: string
  • Default: latest
  • Description: Container image tag

image.pullPolicy

  • Type: string
  • Default: IfNotPresent
  • Description: Image pull policy

Authentication

auth.token (Required)

  • Type: string
  • Default: ""
  • Description: JWT token for operator authentication
  • Example: "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."
Generate this token through the Kestrel AI Dashboard. The token automatically renews every 24 hours.

Server Connection

server.host

  • Type: string
  • Default: grpc.platform.usekestrel.ai
  • Description: Kestrel AI platform gRPC endpoint

server.port

  • Type: integer
  • Default: 443
  • Description: gRPC server port

Cilium Integration

operator.cilium.disableFlows

  • Type: boolean
  • Default: false
  • Description: Disable Cilium flow collection entirely
Set to true when:
  • You use Istio for flow collection instead
  • The cluster doesn’t have Cilium installed
  • You only want resource inventory management

operator.cilium.hubble.tls.forceDisable

  • Type: boolean
  • Default: false
  • Description: Force disable TLS for Hubble connections
By default, the operator attempts to use TLS when connecting to Hubble Relay. Only disable if your Hubble setup doesn’t support TLS.

Istio Integration

operator.istio.enabled

  • Type: boolean
  • Default: false
  • Description: Enable Istio Access Log Service (ALS) for L7 flow collection

operator.istio.alsPort

  • Type: integer
  • Default: 8080
  • Description: Port for the ALS gRPC server
When enabling Istio, you must also configure Istio’s mesh configuration to define the Kestrel Operator as an extension provider. See the Istio mesh configuration section below.

Istio Mesh Configuration

The operator’s Helm chart automatically creates the Telemetry resources, but you must register the extension providers in Istio’s mesh configuration. Required extension providers:

meshConfig:
  extensionProviders:
    - name: kestrel-operator-als
      envoyHttpAls:
        service: kestrel-operator-als.kestrel-ai.svc.cluster.local
        port: 8080
    - name: kestrel-operator-als-tcp
      envoyTcpAls:
        service: kestrel-operator-als.kestrel-ai.svc.cluster.local
        port: 8080

For new Istio installations (or Helm-managed Istio), pass these as Helm --set flags:

helm upgrade --install istiod istio/istiod -n istio-system \
  --set 'meshConfig.extensionProviders[0].name=kestrel-operator-als' \
  --set 'meshConfig.extensionProviders[0].envoyHttpAls.service=kestrel-operator-als.kestrel-ai.svc.cluster.local' \
  --set 'meshConfig.extensionProviders[0].envoyHttpAls.port=8080' \
  --set 'meshConfig.extensionProviders[1].name=kestrel-operator-als-tcp' \
  --set 'meshConfig.extensionProviders[1].envoyTcpAls.service=kestrel-operator-als.kestrel-ai.svc.cluster.local' \
  --set 'meshConfig.extensionProviders[1].envoyTcpAls.port=8080'

For existing installations without custom mesh config, use kubectl patch:

kubectl patch configmap istio -n istio-system --type merge -p '{"data":{"mesh":"extensionProviders:\n- name: kestrel-operator-als\n  envoyHttpAls:\n    service: kestrel-operator-als.kestrel-ai.svc.cluster.local\n    port: 8080\n- name: kestrel-operator-als-tcp\n  envoyTcpAls:\n    service: kestrel-operator-als.kestrel-ai.svc.cluster.local\n    port: 8080"}}'

The kubectl patch --type merge command replaces the entire mesh key, so any mesh settings already in the ConfigMap are lost. Only use it if you don’t have existing custom mesh configuration. If you do, use the edit-in-place approach below.

For existing installations with custom mesh config, edit the ConfigMap directly to preserve your settings:

kubectl edit configmap istio -n istio-system

Add the extensionProviders block to the YAML under the existing mesh key, keeping all other settings intact. Then restart Istiod:

kubectl rollout restart deployment istiod -n istio-system
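The mesh configuration above has to agree with the operator's own Helm values: both providers must exist, point at the operator's ALS service, and use the port set in operator.istio.alsPort. The following preflight check is an added example, not part of the Kestrel chart or docs; it works on plain dicts (values.yaml and the ConfigMap's mesh YAML, loaded with any YAML library) and uses constructed sample data.

```python
# Added example, not from the Kestrel docs: cross-check the operator's Helm values
# against the Istio meshConfig extension providers this page requires. Inputs are
# plain dicts (values.yaml and the ConfigMap's mesh YAML, loaded with any YAML
# library); the sample data at the bottom is constructed.

# Provider names/types from the page's mesh config; kestrel-ai is the namespace
# the page's service FQDN uses.
REQUIRED_PROVIDERS = {"kestrel-operator-als": "envoyHttpAls",
                      "kestrel-operator-als-tcp": "envoyTcpAls"}
ALS_SERVICE = "kestrel-operator-als.kestrel-ai.svc.cluster.local"


def check_istio_integration(values, mesh_config):
    """Return a list of problems; an empty list means the configs agree."""
    problems = []
    operator = values.get("operator", {})
    istio = operator.get("istio", {})
    if not values.get("auth", {}).get("token"):
        problems.append("auth.token is required but empty")
    if not istio.get("enabled", False):
        return problems  # nothing to cross-check while ALS is disabled
    if not operator.get("cilium", {}).get("disableFlows", False):
        problems.append("istio.enabled is true but cilium.disableFlows is false; "
                        "set it when Istio provides flow collection")
    als_port = istio.get("alsPort", 8080)  # chart default from the page
    providers = {p.get("name"): p for p in mesh_config.get("extensionProviders", [])}
    for name, kind in REQUIRED_PROVIDERS.items():
        spec = providers.get(name, {}).get(kind)
        if spec is None:
            problems.append(f"meshConfig lacks extensionProvider {name} ({kind})")
            continue
        if spec.get("service") != ALS_SERVICE:
            problems.append(f"{name}: service {spec.get('service')!r} != {ALS_SERVICE!r}")
        if spec.get("port") != als_port:  # ALS port must match on both sides
            problems.append(f"{name}: port {spec.get('port')} != operator.istio.alsPort {als_port}")
    return problems


# Constructed sample: the page's Istio values, plus a mesh config whose TCP
# provider was registered with the wrong port.
SAMPLE_VALUES = {"auth": {"token": "REDACTED-JWT"},
                 "operator": {"cilium": {"disableFlows": True},
                              "istio": {"enabled": True, "alsPort": 8080}}}
SAMPLE_MESH = {"extensionProviders": [
    {"name": "kestrel-operator-als", "envoyHttpAls": {"service": ALS_SERVICE, "port": 8080}},
    {"name": "kestrel-operator-als-tcp", "envoyTcpAls": {"service": ALS_SERVICE, "port": 9090}},
]}
```

Run the check against the real values.yaml and the istio ConfigMap before restarting Istiod; a mismatched port or a missing provider means the operator will silently receive no L7 flows.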

Namespace Sidecar Injection

Application namespaces must have Istio sidecar injection enabled for L7 flow collection to work. Label each namespace before deploying workloads:

kubectl label namespace <your-namespace> istio-injection=enabled

If workloads are already running, add the label and restart deployments:

kubectl label namespace <your-namespace> istio-injection=enabled --overwrite
kubectl rollout restart deployment -n <your-namespace> <deployment-name>

Verify sidecars are injected by checking that pods have an istio-proxy container:

kubectl get pods -n <your-namespace> -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{range .spec.containers[*]}{.name}{" "}{end}{"\n"}{end}' | grep istio-proxy

If sidecars are injected, each pod will show istio-proxy in the container list.
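The grep above lists the pods that do have a sidecar; what matters operationally is the complement, the pods whose traffic the operator will never see. This added helper (not from the Kestrel docs) reads the exact jsonpath output produced by the command above and names the pods lacking istio-proxy; the sample output is constructed.

```python
# Added example, not from the Kestrel docs: parse the output of the page's
# `kubectl get pods ... -o jsonpath=...` command (without the grep) and report
# pods that have no istio-proxy container, since they produce no L7 flows.
# The sample output below is constructed; in practice pipe kubectl's output in.

SIDECAR = "istio-proxy"


def pods_without_sidecar(jsonpath_output):
    """Return pod names whose container list lacks the istio-proxy sidecar.

    Each line has the shape '<pod>\\t<container> <container> ... ' as emitted
    by the jsonpath template on the page; blank lines are ignored.
    """
    missing = []
    for line in jsonpath_output.splitlines():
        if not line.strip():
            continue
        pod, _, containers = line.partition("\t")
        if SIDECAR not in containers.split():
            missing.append(pod)
    return missing


# Constructed sample: two injected pods and one started before the namespace
# was labelled (so it never received a sidecar).
SAMPLE_OUTPUT = (
    "checkout-5d7f9\tcheckout istio-proxy \n"
    "payments-7b2c1\tpayments \n"
    "ratings-0\tratings istio-proxy \n"
)

if __name__ == "__main__":
    for pod in pods_without_sidecar(SAMPLE_OUTPUT):
        print(f"no {SIDECAR} sidecar: {pod}")  # restart these after labelling
```

Pods listed here need a rollout restart after the namespace label is applied, as described above.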

Safe-Apply Configuration

operator.safeApply.enabled

  • Type: boolean
  • Default: false
  • Description: Grant RBAC permissions for applying approved YAML changes
When enabled, the operator can:
  • Create network policies
  • Update existing resources
  • Delete resources (with approval)

Next Steps