Helm Values Reference
Values for the bnerd-gitlab-operator Helm chart (charts/bnerd-gitlab-operator).
These values configure the operator itself — not the GitLab chart that Flux installs. GitLab chart values are configured via spec.helm.values on the GitlabInstance CRD.
Full values table
| Key | Type | Default | Description |
|---|---|---|---|
| `replicaCount` | int | `1` | Number of operator pod replicas. Leader election is enabled by default; running more than one replica is supported. |
| `image.repository` | string | `git.bnerd.net/cloud/operators/bnerd-gitlab-operator` | Operator container image repository. |
| `image.pullPolicy` | string | `IfNotPresent` | Image pull policy. |
| `image.tag` | string | `latest` | Image tag to deploy. Pin to a release tag (e.g. 0.1.0-beta) in production. |
| `imagePullSecrets` | list | `[]` | List of image pull Secret names for private registries. |
| `nameOverride` | string | `""` | Override the chart name (used in resource naming). |
| `fullnameOverride` | string | `""` | Override the full release name. |
| `serviceAccount.create` | bool | `true` | Create a dedicated ServiceAccount for the operator. |
| `serviceAccount.annotations` | object | `{}` | Annotations added to the ServiceAccount (e.g. for IRSA / Workload Identity). |
| `serviceAccount.name` | string | `""` | Name of the ServiceAccount. Auto-generated when empty and create: true. |
| `podAnnotations` | object | `{}` | Annotations added to the operator pod. |
| `podSecurityContext.runAsNonRoot` | bool | `true` | Enforce non-root UID. |
| `podSecurityContext.runAsUser` | int | `65532` | UID for the operator process. |
| `podSecurityContext.fsGroup` | int | `65532` | fsGroup for volume permissions. |
| `securityContext.allowPrivilegeEscalation` | bool | `false` | Prevent privilege escalation. |
| `securityContext.capabilities.drop` | list | `["ALL"]` | Drop all Linux capabilities. |
| `securityContext.readOnlyRootFilesystem` | bool | `true` | Mount the root filesystem read-only. |
| `resources.limits.cpu` | string | `500m` | CPU limit for the operator container. |
| `resources.limits.memory` | string | `256Mi` | Memory limit for the operator container. |
| `resources.requests.cpu` | string | `10m` | CPU request. |
| `resources.requests.memory` | string | `128Mi` | Memory request. |
| `nodeSelector` | object | `{}` | Node selector for the operator pod. |
| `tolerations` | list | `[]` | Tolerations for the operator pod. |
| `affinity` | object | `{}` | Affinity rules for the operator pod. |
| `operator.watchNamespace` | string | `""` | Namespace to watch for GitlabInstance resources. Empty = all namespaces (cluster-wide). |
| `operator.leaderElection.enabled` | bool | `true` | Enable leader election for multi-replica deployments. |
| `operator.metrics.enabled` | bool | `true` | Enable the Prometheus metrics endpoint. |
| `operator.metrics.port` | int | `8080` | Port for the metrics endpoint. |
| `operator.health.port` | int | `8081` | Port for the health probe endpoint. |
| `rbac.create` | bool | `true` | Create ClusterRole and ClusterRoleBinding for the operator. |
Common customisations
Restrict to a single namespace
The operator will only reconcile GitlabInstance resources in my-gitlab-tenant. RBAC is still cluster-scoped (CRD reads require cluster access).
Pin the image tag
Private registry
```yaml
image:
  repository: my-registry.example.com/bnerd/gitlab-operator
  tag: 0.1.0-beta
imagePullSecrets:
  - name: my-registry-credentials
```
Resource tuning for large deployments
Clusters managing many GitlabInstance resources concurrently may need more memory: