Helm Values

This page documents all configurable values for the kymaros/kymaros Helm chart. Pass overrides using --set key=value or a custom values.yaml file via -f my-values.yaml.

helm install kymaros kymaros/kymaros \
  --namespace kymaros-system \
  --create-namespace \
  -f my-values.yaml

global

Settings that apply to all chart components.

Key	Type	Default	Description
`global.image.registry`	`string`	`"ghcr.io"`	Container image registry for all Kymaros components.
`global.image.pullPolicy`	`string`	`"IfNotPresent"`	Image pull policy. Accepted values: `Always`, `IfNotPresent`, `Never`.
`global.image.pullSecrets`	`[]string`	`[]`	List of `imagePullSecret` names to add to all pods.
`global.nameOverride`	`string`	`""`	Override the chart name used in resource naming.
`global.fullnameOverride`	`string`	`""`	Override the full resource name prefix.
`global.labels`	`map`	`{}`	Additional labels added to all resources.
`global.annotations`	`map`	`{}`	Additional annotations added to all resources.

controller

The reconciliation controller (kymaros-controller) that watches CRDs and drives the restore validation lifecycle.

Key	Type	Default	Description
`controller.enabled`	`bool`	`true`	Deploy the controller component.
`controller.image.repository`	`string`	`"kymorahq/kymaros-controller"`	Controller image repository.
`controller.image.tag`	`string`	`""`	Image tag. Defaults to the chart `appVersion`.
`controller.replicaCount`	`int`	`1`	Number of controller replicas. The controller uses leader election; more than one replica provides HA.
`controller.resources.requests.cpu`	`string`	`"100m"`	CPU request for the controller container.
`controller.resources.requests.memory`	`string`	`"128Mi"`	Memory request for the controller container.
`controller.resources.limits.cpu`	`string`	`"500m"`	CPU limit for the controller container.
`controller.resources.limits.memory`	`string`	`"256Mi"`	Memory limit for the controller container.
`controller.leaderElection.enabled`	`bool`	`true`	Enable leader election. Required when `replicaCount` > 1.
`controller.leaderElection.leaseDuration`	`string`	`"15s"`	Duration a leader lease is held before renewal.
`controller.leaderElection.renewDeadline`	`string`	`"10s"`	Deadline for the leader to renew the lease.
`controller.logLevel`	`string`	`"info"`	Controller log verbosity. Accepted values: `debug`, `info`, `warn`, `error`.
`controller.nodeSelector`	`map`	`{}`	Node selector for the controller pod.
`controller.tolerations`	`[]object`	`[]`	Tolerations for the controller pod.
`controller.affinity`	`object`	`{}`	Affinity rules for the controller pod.
`controller.podAnnotations`	`map`	`{}`	Annotations added to the controller pod.
`controller.securityContext.runAsNonRoot`	`bool`	`true`	Run the controller container as a non-root user.
`controller.securityContext.readOnlyRootFilesystem`	`bool`	`true`	Mount the root filesystem as read-only.

api

The REST API server (kymaros-api) that exposes the JSON API consumed by the dashboard and external tooling.

Key	Type	Default	Description
`api.enabled`	`bool`	`true`	Deploy the API server component.
`api.image.repository`	`string`	`"kymorahq/kymaros-api"`	API server image repository.
`api.image.tag`	`string`	`""`	Image tag. Defaults to the chart `appVersion`.
`api.replicaCount`	`int`	`1`	Number of API server replicas.
`api.port`	`int`	`8080`	Port the API server listens on.
`api.resources.requests.cpu`	`string`	`"100m"`	CPU request.
`api.resources.requests.memory`	`string`	`"128Mi"`	Memory request.
`api.resources.limits.cpu`	`string`	`"500m"`	CPU limit.
`api.resources.limits.memory`	`string`	`"256Mi"`	Memory limit.
`api.service.type`	`string`	`"ClusterIP"`	Kubernetes service type.
`api.service.port`	`int`	`8080`	Service port.
`api.nodeSelector`	`map`	`{}`	Node selector for the API server pod.
`api.tolerations`	`[]object`	`[]`	Tolerations for the API server pod.
`api.affinity`	`object`	`{}`	Affinity rules for the API server pod.
`api.podAnnotations`	`map`	`{}`	Annotations added to the API server pod.

dashboard

The built-in web dashboard (kymaros-frontend).

Key	Type	Default	Description
`dashboard.enabled`	`bool`	`true`	Deploy the dashboard component.
`dashboard.image.repository`	`string`	`"kymorahq/kymaros-frontend"`	Dashboard image repository.
`dashboard.image.tag`	`string`	`""`	Image tag. Defaults to the chart `appVersion`.
`dashboard.replicaCount`	`int`	`1`	Number of dashboard replicas.
`dashboard.port`	`int`	`3000`	Port the dashboard container listens on.
`dashboard.resources.requests.cpu`	`string`	`"50m"`	CPU request.
`dashboard.resources.requests.memory`	`string`	`"64Mi"`	Memory request.
`dashboard.resources.limits.cpu`	`string`	`"200m"`	CPU limit.
`dashboard.resources.limits.memory`	`string`	`"128Mi"`	Memory limit.
`dashboard.service.type`	`string`	`"ClusterIP"`	Kubernetes service type.
`dashboard.service.port`	`int`	`80`	Service port.
`dashboard.nodeSelector`	`map`	`{}`	Node selector for the dashboard pod.
`dashboard.tolerations`	`[]object`	`[]`	Tolerations for the dashboard pod.
`dashboard.affinity`	`object`	`{}`	Affinity rules for the dashboard pod.
`dashboard.podAnnotations`	`map`	`{}`	Annotations added to the dashboard pod.

ingress

Ingress resource for external access to the dashboard and API.

Key	Type	Default	Description
`ingress.enabled`	`bool`	`false`	Create an `Ingress` resource.
`ingress.className`	`string`	`""`	`IngressClass` name (e.g., `"nginx"`, `"traefik"`).
`ingress.annotations`	`map`	`{}`	Annotations added to the Ingress resource (e.g., cert-manager annotations).
`ingress.hosts`	`[]object`	`[]`	List of host rules. Each entry: `host` (string) and `paths` (array of `path` and `pathType`).
`ingress.tls`	`[]object`	`[]`	TLS configuration. Each entry: `secretName` and `hosts` list.

Example override:

ingress:
  enabled: true
  className: nginx
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  hosts:
    - host: kymaros.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: kymaros-tls
      hosts:
        - kymaros.example.com

serviceAccount

Key	Type	Default	Description
`serviceAccount.create`	`bool`	`true`	Create a dedicated `ServiceAccount` for Kymaros components.
`serviceAccount.name`	`string`	`""`	Name override. When empty and `create` is `true`, the name is derived from the chart fullname.
`serviceAccount.annotations`	`map`	`{}`	Annotations added to the `ServiceAccount` (e.g., for IRSA on EKS).

rbac

Key	Type	Default	Description
`rbac.create`	`bool`	`true`	Create `ClusterRole` and `ClusterRoleBinding` resources.

The controller requires cluster-scoped permissions to watch and create namespaces for sandboxes, apply network policies, and read backup provider resources. Disable only if managing RBAC externally.

sandbox

Default sandbox configuration applied when not overridden at the RestoreTest level.

Key	Type	Default	Description
`sandbox.namespacePrefix`	`string`	`"rp-test"`	Default prefix for generated sandbox namespace names.
`sandbox.ttl`	`string`	`"30m"`	Default sandbox TTL as a Go duration string.
`sandbox.networkIsolation`	`string`	`"strict"`	Default network isolation mode: `strict` or `group`.
`sandbox.defaultResourceQuota.cpu`	`string`	`""`	Default CPU quota for sandbox namespaces. Empty = no quota.
`sandbox.defaultResourceQuota.memory`	`string`	`""`	Default memory quota for sandbox namespaces.
`sandbox.defaultResourceQuota.storage`	`string`	`""`	Default storage quota for sandbox namespaces.

adapters

Configuration for backup provider integrations.

Key	Type	Default	Description
`adapters.velero.namespace`	`string`	`"velero"`	Namespace where Velero is installed.
`adapters.velero.timeout`	`string`	`"10m"`	Maximum time to wait for a Velero restore operation to complete.
`adapters.kasten.namespace`	`string`	`"kasten-io"`	Namespace where Kasten K10 is installed.
`adapters.kasten.timeout`	`string`	`"20m"`	Maximum time to wait for a Kasten restore operation to complete.
`adapters.trilio.namespace`	`string`	`"trilio"`	Namespace where TrilioVault is installed.
`adapters.trilio.timeout`	`string`	`"15m"`	Maximum time to wait for a TrilioVault restore operation to complete.

notifications

Global notification defaults. Individual RestoreTest resources override these per-test.

Key	Type	Default	Description
`notifications.slack.webhookSecretRef`	`string`	`""`	Name of a `Secret` containing a `url` key with the Slack webhook URL.
`notifications.pagerduty.tokenSecretRef`	`string`	`""`	Name of a `Secret` containing a `token` key with the PagerDuty integration key.
`notifications.webhook.secretRef`	`string`	`""`	Name of a `Secret` containing a `url` key for a generic outbound webhook.

metrics

Prometheus metrics configuration.

Key	Type	Default	Description
`metrics.enabled`	`bool`	`true`	Expose the `/metrics` endpoint on the API server.
`metrics.port`	`int`	`8080`	Port on which `/metrics` is served (same port as the API by default).
`metrics.serviceMonitor.enabled`	`bool`	`false`	Create a Prometheus Operator `ServiceMonitor` resource.
`metrics.serviceMonitor.namespace`	`string`	`""`	Namespace for the `ServiceMonitor`. Defaults to the release namespace.
`metrics.serviceMonitor.interval`	`string`	`"30s"`	Scrape interval.
`metrics.serviceMonitor.labels`	`map`	`{}`	Additional labels on the `ServiceMonitor` (e.g., `release: prometheus`).

sla

Global SLA defaults. Overridden per-test by spec.sla.

Key	Type	Default	Description
`sla.defaultMaxRTO`	`string`	`""`	Default `maxRTO` applied when a `RestoreTest` has an `sla` block but omits `maxRTO`.
`sla.alertOnExceed`	`bool`	`false`	Global default for `sla.alertOnExceed`.

license

License configuration for Pro and Enterprise tiers.

Key	Type	Default	Description
`license.secretRef`	`string`	`""`	Name of a `Secret` in the release namespace that contains a `key` field with the Kymaros license key. When empty, the operator runs in Community tier.

Example Secret:

apiVersion: v1
kind: Secret
metadata:
  name: kymaros-license
  namespace: kymaros-system
type: Opaque
stringData:
  key: "your-license-key-here"

# values.yaml
license:
  secretRef: kymaros-license

global​

controller​

api​

dashboard​

ingress​

serviceAccount​

rbac​

sandbox​

adapters​

notifications​

metrics​

sla​

license​