Configure the OpenLIT Operator deployment using Helm chart values. This page covers all operator-level settings including images, resources, security, and infrastructure configuration.

Core Configuration

Global Settings

| Parameter | Description | Default | Example |
| --- | --- | --- | --- |
| `global.namespace` | Operator namespace override | `""` (uses release namespace) | `openlit-system` |
| `global.commonLabels` | Labels added to all resources | `{}` | `{team: "platform"}` |
| `global.commonAnnotations` | Annotations added to all resources | `{}` | `{version: "v1.0.0"}` |
# Chart-wide settings applied to every resource the chart renders.
global:
  # Overrides the operator namespace; the default "" uses the Helm release namespace.
  namespace: "openlit-system"
  # Labels added to all resources.
  commonLabels:
    team: "platform"
    environment: "production"
  # Annotations added to all resources. Values are quoted so they stay strings.
  commonAnnotations:
    version: "v1.0.0"
    managed-by: "helm"

Operator Image

| Parameter | Description | Default | Example |
| --- | --- | --- | --- |
| `image.repository` | Operator image repository | `ghcr.io/openlit/openlit-operator` | `my-registry.com/openlit-operator` |
| `image.tag` | Operator image tag | `""` (uses Chart.AppVersion) | `v1.0.0` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` | `Always` |
| `image.pullSecrets` | Image pull secrets | `[]` | `[{name: "regcred"}]` |
# Operator container image and the credentials used to pull it.
image:
  repository: ghcr.io/openlit/openlit-operator
  # Explicit tag; "" falls back to Chart.AppVersion. A tag is a mutable reference,
  # so the registry decides which image content it points to.
  tag: "v1.0.0"
  # IfNotPresent reuses an image already cached on the node instead of pulling again.
  pullPolicy: IfNotPresent
  # Names of image pull secrets holding registry credentials.
  # NOTE(review): presumably these Secrets must already exist in the operator namespace;
  # the chart is not shown creating them.
  pullSecrets:
    - name: registry-secret
    - name: docker-hub-secret

Provider Images

Configure the instrumentation provider init container images:
| Parameter | Description | Default | Example |
| --- | --- | --- | --- |
| `providerImages.openlit.repository` | OpenLIT provider image | `ghcr.io/openlit/openlit-ai-instrumentation` | `my-registry.com/openlit-provider` |
| `providerImages.openlit.tag` | OpenLIT provider tag | `""` (inherits operator tag) | `v1.2.0` |
| `providerImages.openllmetry.repository` | OpenLLMetry provider image | `ghcr.io/openlit/openllmetry-ai-instrumentation` | Custom registry |
| `providerImages.openllmetry.tag` | OpenLLMetry provider tag | `""` (inherits operator tag) | `v1.1.0` |
| `providerImages.openinference.repository` | OpenInference provider image | `ghcr.io/openlit/openinference-ai-instrumentation` | Custom registry |
| `providerImages.openinference.tag` | OpenInference provider tag | `""` (inherits operator tag) | `v0.5.0` |
# Operator version that providers inherit by default
image:
  tag: "v1.0.0"

# Provider images with automatic version sync.
# These are the instrumentation provider init container images, so whatever registry
# is configured here supplies code that runs as an init container.
# NOTE(review): presumably that init container is injected into instrumented workload
# pods; when overriding a repository, use a registry you control and trust.
providerImages:
  openlit:
    repository: ghcr.io/openlit/openlit-ai-instrumentation
    tag: ""  # Inherits v1.0.0 from operator
  openllmetry:
    repository: ghcr.io/openlit/openllmetry-ai-instrumentation
    tag: ""  # Inherits v1.0.0 from operator
  openinference:
    repository: ghcr.io/openlit/openinference-ai-instrumentation
    tag: "v0.9.0"  # Custom version override; no longer follows the operator tag

Deployment Configuration

Resource Management

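| Parameter | Description | Default | Example |
| --- | --- | --- | --- |
| `resources.requests.cpu` | CPU request | `100m` | `200m` |
| `resources.requests.memory` | Memory request | `128Mi` | `256Mi` |
| `resources.limits.cpu` | CPU limit | `500m` | `1000m` |
| `resources.limits.memory` | Memory limit | `512Mi` | `1Gi` |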
# CPU and memory sizing for the operator container.
resources:
  # Requests: the amount the scheduler reserves for the pod.
  requests:
    cpu: 200m
    memory: 256Mi
  # Limits: the ceiling; a container that exceeds its memory limit is OOM-killed.
  # Keeping limits set bounds the impact of a runaway operator on the node.
  limits:
    cpu: 500m
    memory: 512Mi

Deployment Settings

| Parameter | Description | Default | Example |
| --- | --- | --- | --- |
| `deployment.replicas` | Number of operator replicas | `1` | `3` |
| `deployment.strategy.type` | Deployment strategy | `RollingUpdate` | `Recreate` |
| `deployment.podAnnotations` | Pod annotations | `{}` | `{version: "v1.0.0"}` |
| `deployment.podLabels` | Pod labels | `{}` | `{component: "operator"}` |
| `deployment.nodeSelector` | Node selector | `{}` | `{role: "system"}` |
| `deployment.tolerations` | Pod tolerations | Control plane tolerations | Custom tolerations |
| `deployment.affinity` | Pod affinity rules | `{}` | Anti-affinity config |
| `deployment.priorityClassName` | Priority class | `""` | `system-cluster-critical` |
# Scheduling and rollout settings for the operator Deployment.
deployment:
  replicas: 3
  strategy:
    type: RollingUpdate
    rollingUpdate:
      # At most one replica down and one extra replica up during a rollout.
      maxUnavailable: 1
      maxSurge: 1
  podAnnotations:
    # Quoted so "true" stays a string; annotation values must be strings.
    prometheus.io/scrape: "true"
    fluentd.io/parser-type: "json"
  podLabels:
    component: "operator"
    tier: "control-plane"
  # Restricts scheduling to nodes carrying the control-plane role label.
  # NOTE(review): control-plane nodes also host cluster-critical components; confirm
  # that co-locating the operator there is intended for your cluster.
  nodeSelector:
    node-role.kubernetes.io/control-plane: ""
  # Built-in high-priority class: the scheduler may preempt lower-priority pods
  # to place the operator. The chart default is "" (no priority class).
  priorityClassName: "system-cluster-critical"
  affinity:
    podAntiAffinity:
      # Soft preference (not a hard rule) to spread operator replicas across nodes.
      preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 100
        podAffinityTerm:
          labelSelector:
            matchLabels:
              app.kubernetes.io/name: openlit-operator
          topologyKey: kubernetes.io/hostname
  # Tolerate the NoSchedule taints on control-plane nodes (both the current
  # "control-plane" key and the older "master" key) so the nodeSelector can be met.
  tolerations:
  - key: node-role.kubernetes.io/control-plane
    operator: Exists
    effect: NoSchedule
  - key: node-role.kubernetes.io/master
    operator: Exists
    effect: NoSchedule

Webhook Configuration

Webhook Service

| Parameter | Description | Default | Example |
| --- | --- | --- | --- |
| `webhook.service.name` | Webhook service name | `""` (auto-generated) | `openlit-webhook` |
| `webhook.service.type` | Service type | `ClusterIP` | `LoadBalancer` |
| `webhook.service.port` | Service port | `443` | `8443` |
| `webhook.service.targetPort` | Target port | `9443` | `8443` |
| `webhook.service.annotations` | Service annotations | `{}` | Load balancer config |

Webhook Server

| Parameter | Description | Default | Example |
| --- | --- | --- | --- |
| `webhook.server.port` | Webhook server port | `9443` | `8443` |
| `webhook.server.path` | Webhook path | `"/mutate"` | `"/webhook"` |
| `webhook.server.certDir` | Certificate directory | `"/tmp/k8s-webhook-server/serving-certs"` | `"/certs"` |

Webhook Behavior

| Parameter | Description | Default | Example |
| --- | --- | --- | --- |
| `webhook.failurePolicy` | Failure policy | `Ignore` | `Fail` |
| `webhook.reinvocationPolicy` | Reinvocation policy | `Never` | `IfNeeded` |
| `webhook.configName` | Webhook configuration name | `""` (auto-generated) | `openlit-webhook` |
# Admission webhook: the Service in front of it, the server inside the operator,
# and how the API server treats webhook failures.
webhook:
  service:
    name: "openlit-webhook"
    # ClusterIP keeps the webhook reachable only from inside the cluster.
    type: ClusterIP
    port: 443
    # Must match server.port below so the Service forwards to the listening port.
    targetPort: 9443
    # NOTE(review): these are load-balancer / external-DNS annotations, but the type
    # above is ClusterIP, so they presumably have no effect as written. An admission
    # webhook is called by the Kubernetes API server; confirm an external endpoint is
    # really needed before switching the type to LoadBalancer.
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-type: nlb
      external-dns.alpha.kubernetes.io/hostname: webhook.openlit.io
  server:
    port: 9443
    path: "/mutate"
    # Directory the webhook server reads its serving certificates from.
    certDir: "/tmp/k8s-webhook-server/serving-certs"
  # Fail: the API server rejects the request when the webhook errors or cannot be
  # reached. The chart default is Ignore, which admits the request without mutation.
  # With Fail, operator downtime can block pod creation in the namespaces it covers.
  failurePolicy: Fail
  # Never: the webhook is called at most once per admission evaluation.
  reinvocationPolicy: Never
  configName: "openlit-operator-webhook"

Security Configuration

Service Account

| Parameter | Description | Default | Example |
| --- | --- | --- | --- |
| `serviceAccount.create` | Create service account | `true` | `false` |
| `serviceAccount.name` | Service account name | `""` (auto-generated) | `custom-sa` |
| `serviceAccount.annotations` | SA annotations | `{}` | OIDC annotations |
# Service account the operator pod runs as.
serviceAccount:
  create: true
  name: "openlit-operator"
  # Cloud workload-identity bindings: the first maps the service account to an AWS IAM
  # role (EKS), the second to a Google service account (GKE). Only the annotation for
  # the cluster's own cloud applies; both are shown here as samples.
  # The account ID and project below are placeholders (a real AWS account ID has
  # 12 digits). Whatever the bound role may do, the operator pod may do, so keep it
  # scoped to what the operator needs.
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789:role/openlit-operator
    iam.gke.io/gcp-service-account: openlit-operator@my-project.iam.gserviceaccount.com

RBAC

| Parameter | Description | Default | Example |
| --- | --- | --- | --- |
| `rbac.create` | Create RBAC resources | `true` | `false` |
| `rbac.clusterRoleName` | Cluster role name | `""` (auto-generated) | `openlit-operator` |
| `rbac.clusterRoleBindingName` | Cluster role binding name | `""` (auto-generated) | `openlit-operator` |
# RBAC objects for the operator. These are a ClusterRole and ClusterRoleBinding,
# i.e. cluster-scoped permissions rather than namespace-scoped ones.
rbac:
  # true lets the chart create the objects. The granted rules are defined by the chart
  # and not shown on this page; review the rendered ClusterRole (for example with
  # `helm template`) before installing.
  # NOTE(review): with create: false, equivalent permissions presumably have to be
  # provisioned separately - confirm against the chart.
  create: true
  clusterRoleName: "openlit-operator"
  clusterRoleBindingName: "openlit-operator-binding"

Security Context

| Parameter | Description | Default | Example |
| --- | --- | --- | --- |
| `deployment.podSecurityContext.runAsNonRoot` | Run as non-root | `false` | `true` |
| `deployment.podSecurityContext.runAsUser` | User ID | `0` | `65534` |
| `deployment.podSecurityContext.fsGroup` | Filesystem group | `0` | `65534` |
| `deployment.securityContext.allowPrivilegeEscalation` | Allow privilege escalation | `false` | `true` |
| `deployment.securityContext.readOnlyRootFilesystem` | Read-only root filesystem | `false` | `true` |
| `deployment.securityContext.runAsNonRoot` | Container runs as non-root | `false` | `true` |
# Pod- and container-level security context for the operator.
# As written the operator runs as root (UID/GID 0) with a writable root filesystem,
# offset by seccomp RuntimeDefault, no privilege escalation and all capabilities
# dropped. These settings do not meet the Pod Security Standards "restricted" profile
# (which requires runAsNonRoot: true), so a namespace enforcing that profile would
# reject the pod.
deployment:
  podSecurityContext:
    runAsNonRoot: false  # Required for certificate management
    runAsUser: 0
    runAsGroup: 0
    fsGroup: 0
    # Apply the container runtime's default seccomp syscall filter.
    seccompProfile:
      type: RuntimeDefault
  securityContext:
    # Blocks the process from gaining more privileges than its parent (e.g. setuid).
    allowPrivilegeEscalation: false
    # NOTE(review): a writable root filesystem is kept only so certificates can be
    # written; check whether the chart can write them to a dedicated volume instead,
    # which would allow readOnlyRootFilesystem: true.
    readOnlyRootFilesystem: false  # Allow writing certificates
    runAsNonRoot: false
    # Root without Linux capabilities: drop everything, add nothing back.
    capabilities:
      drop:
      - ALL

TLS Configuration

| Parameter | Description | Default | Example |
| --- | --- | --- | --- |
| `tls.validityDays` | Certificate validity in days | `365` | `730` |
| `tls.refreshDays` | Certificate refresh threshold in days | `30` | `60` |
| `tls.secretName` | TLS secret name | `""` (auto-generated) | `webhook-tls` |
# Lifetime and storage of the operator's TLS certificate.
tls:
  # Certificate validity in days. Shorter lifetimes limit how long a leaked key
  # stays usable.
  validityDays: 365
  # Refresh threshold in days.
  # NOTE(review): presumably the certificate is renewed once fewer than this many
  # days remain - confirm against the operator.
  refreshDays: 30
  # Name of the TLS Secret ("" lets the chart generate one).
  # NOTE(review): it presumably holds the private key, so restrict who can read
  # Secrets in the operator namespace.
  secretName: "openlit-operator-tls"

Observability Configuration

| Parameter | Description | Default | Example |
| --- | --- | --- | --- |
| `observability.logLevel` | Log level | `info` | `debug` |
| `observability.selfMonitoringEnabled` | Enable self-monitoring with OpenTelemetry | `false` | `true` |
| `observability.otel.endpoint` | OTLP endpoint for operator telemetry | `""` | `http://openlit:4318` |
| `observability.otel.headers` | OTLP headers | `""` | `Authorization=Bearer token` |
| `observability.otel.logsEndpoint` | OTLP logs endpoint | `""` | `http://openlit:4318/v1/logs` |
| `observability.otel.metricsEndpoint` | OTLP metrics endpoint | `""` | `http://openlit:4318/v1/metrics` |
# Logging and self-monitoring (the operator's own telemetry export).
observability:
  logLevel: info
  # Enables self-monitoring with OpenTelemetry (chart default: false).
  selfMonitoringEnabled: true
  otel:
    # Plain-HTTP OTLP endpoint: the Authorization header below travels unencrypted.
    # NOTE(review): prefer an https:// endpoint where the collector offers one, or
    # keep this traffic on a trusted in-cluster network.
    endpoint: "http://openlit:4318"
    # The bearer token is a credential; "my-secret-token" is a sample value. Do not
    # commit a real token in a values file - supply it at install time from a secret
    # store. NOTE(review): check how the chart renders this value (plain env var or
    # Secret), since it determines who can read the token in the cluster.
    headers: "Authorization=Bearer my-secret-token"
    # Signal-specific endpoints for logs and metrics (same plain-HTTP caveat).
    logsEndpoint: "http://openlit:4318/v1/logs"
    metricsEndpoint: "http://openlit:4318/v1/metrics"

Health Checks

| Parameter | Description | Default | Example |
| --- | --- | --- | --- |
| `healthcheck.port` | Health check port | `8081` | `9090` |
| `healthcheck.livenessProbe.initialDelaySeconds` | Liveness probe initial delay | `15` | `30` |
| `healthcheck.livenessProbe.periodSeconds` | Liveness probe period | `20` | `30` |
| `healthcheck.readinessProbe.initialDelaySeconds` | Readiness probe initial delay | `5` | `10` |
| `healthcheck.readinessProbe.periodSeconds` | Readiness probe period | `10` | `15` |
# Liveness and readiness probing of the operator.
healthcheck:
  # Health check port.
  port: 8081
  # Liveness: a pod that keeps failing this probe is restarted by the kubelet.
  livenessProbe:
    httpGet:
      path: /healthz
      # Named container port. NOTE(review): presumably the chart binds the name
      # "health" to healthcheck.port above - confirm in the rendered Deployment.
      port: health
    initialDelaySeconds: 15
    periodSeconds: 20
    timeoutSeconds: 5
    # Three consecutive failures before the probe counts as failed.
    failureThreshold: 3
  # Readiness: a pod failing this probe is removed from Service endpoints, so the
  # webhook Service stops routing admission requests to it.
  readinessProbe:
    httpGet:
      path: /readyz
      port: health
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 3

Instrumentation Defaults

| Parameter | Description | Default | Example |
| --- | --- | --- | --- |
| `instrumentation.defaultProvider` | Default instrumentation provider | `openlit` | `openinference` |
| `instrumentation.defaultVersion` | Default provider version | `latest` | `v1.0.0` |
| `instrumentation.defaultImagePullPolicy` | Default image pull policy for init containers | `IfNotPresent` | `Always` |
| `operator.defaultInitImage` | Override default init image | `""` | `my-registry.com/custom:v1.0` |
# Defaults applied to instrumentation init containers.
instrumentation:
  defaultProvider: openlit
  # "latest" is a moving tag: what runs depends on when each node pulled the image.
  # Combined with IfNotPresent below, nodes can end up running different builds.
  # Pin an explicit version (the table's example is v1.0.0) for reproducible rollouts.
  defaultVersion: latest
  # Default image pull policy for init containers.
  defaultImagePullPolicy: IfNotPresent

operator:
  # Overrides the default init image (the default "" means no override).
  # NOTE(review): this image runs as an init container, presumably inside the
  # instrumented workloads; source it from a registry you control and pin its version.
  defaultInitImage: "my-registry.com/custom-instrumentation:v1.0"

Multi-Operator Support

| Parameter | Description | Default | Example |
| --- | --- | --- | --- |
| `multiOperator.watchNamespace` | Watch specific namespace only | `""` (all namespaces) | `production` |
# Scope of the operator's watch. The default "" watches all namespaces.
# NOTE(review): this limits what the operator watches; confirm whether it also narrows
# the RBAC the chart grants, which this page describes as a ClusterRole.
multiOperator:
  watchNamespace: "production"  # Only watch production namespace

Custom Resource Definition

| Parameter | Description | Default | Example |
| --- | --- | --- | --- |
| `crd.install` | Install CRDs | `true` | `false` |
| `crd.annotations` | CRD annotations | `{}` | `{version: "v1.0.0"}` |
| `schema.validation` | Enable schema validation | `true` | `false` |
# Custom Resource Definition installation.
crd:
  # true installs the CRDs with the chart. CRDs are cluster-scoped objects, so the
  # installing identity needs permission to create them.
  install: true
  annotations:
    version: "v1.0.0"
    # Quoted so the value stays a string instead of being parsed as a date.
    last-updated: "2024-01-15"

schema:
  # Enables schema validation; leaving it on rejects malformed resources early.
  validation: true

Additional Configuration

Environment Variables

| Parameter | Description | Default | Example |
| --- | --- | --- | --- |
| `env.extra` | Additional environment variables | `[]` | Custom env vars |
# Additional environment variables for the operator container.
env:
  extra:
    # Literal value: stored in the values file and visible in the rendered pod spec,
    # so use this form for non-sensitive settings only.
    - name: CUSTOM_VAR
      value: "custom-value"
    # Sensitive value: referenced from a Secret by name and key, so the secret itself
    # never appears in the values file.
    - name: SECRET_VAR
      valueFrom:
        secretKeyRef:
          name: my-secret
          key: my-key
    # Non-sensitive configuration read from a ConfigMap key.
    - name: CONFIG_VAR
      valueFrom:
        configMapKeyRef:
          name: operator-config
          key: config-value
    # Downward API: injects the pod's own namespace at runtime.
    - name: FIELD_VAR
      valueFrom:
        fieldRef:
          fieldPath: metadata.namespace

Additional Volumes

| Parameter | Description | Default | Example |
| --- | --- | --- | --- |
| `volumes.extra` | Additional volumes | `[]` | ConfigMap volumes |
| `volumeMounts.extra` | Additional volume mounts | `[]` | Custom mount paths |
# Additional volumes and where they are mounted in the operator container.
# Each volumeMounts.extra entry refers to a volumes.extra entry by name.
volumes:
  extra:
    - name: custom-config
      configMap:
        name: operator-config
    # Secret-backed volume; the Secret is referenced by name, not embedded here.
    - name: secret-volume
      secret:
        secretName: operator-secrets
    # Scratch space that lives only as long as the pod.
    - name: empty-dir
      emptyDir: {}

volumeMounts:
  extra:
    - name: custom-config
      mountPath: /etc/config
      readOnly: true
    # Mounted read-only so the container cannot modify the mounted secret files.
    - name: secret-volume
      mountPath: /etc/secrets
      readOnly: true
    # No readOnly flag: this is the writable scratch mount.
    - name: empty-dir
      mountPath: /tmp/cache