Helm Chart Reference
The Hookbase Operator is distributed as a Helm chart for production deployment.
Installation
```bash
helm repo add hookbase https://charts.hookbase.app
helm repo update
helm install hookbase-operator hookbase/hookbase-operator \
  --namespace hookbase-system \
  --create-namespace \
  --set hookbase.apiKeySecretRef.name=hookbase-bootstrap-key \
  --set hookbase.apiKeySecretRef.key=apiKey
```
Values Reference
Hookbase Configuration
| Value | Default | Description |
|---|---|---|
| hookbase.apiKey | "" | Bootstrap API key (plaintext, creates a Secret) |
| hookbase.apiKeySecretRef.name | "" | Existing Secret name containing the API key |
| hookbase.apiKeySecretRef.key | "apiKey" | Key within the Secret |
| hookbase.baseURL | "https://api.hookbase.app" | Hookbase API base URL |
Operator Settings
| Value | Default | Description |
|---|---|---|
| image.repository | "ghcr.io/hookbase/hookbase-operator" | Operator image repository |
| image.tag | "" | Image tag (defaults to chart appVersion) |
| image.pullPolicy | "IfNotPresent" | Image pull policy |
| replicaCount | 1 | Number of operator replicas |
| watchNamespaces | [] | Namespaces to watch (empty = all namespaces) |
| reconcileInterval | "5m" | Drift detection reconciliation interval |
| leaderElection.enabled | true | Enable leader election for HA |
| defaultAgentImage | "ghcr.io/hookbase/hookbase-agent:latest" | Default tunnel agent sidecar image |
Resources
| Value | Default | Description |
|---|---|---|
| resources.requests.cpu | "50m" | CPU request |
| resources.requests.memory | "128Mi" | Memory request |
| resources.limits.cpu | "500m" | CPU limit |
| resources.limits.memory | "256Mi" | Memory limit |
Admission Webhooks
| Value | Default | Description |
|---|---|---|
| webhook.enabled | false | Enable admission webhooks |
| webhook.certManager.enabled | false | Use cert-manager for webhook TLS |
| webhook.certManager.issuerRef.name | "" | cert-manager Issuer name |
| webhook.certManager.issuerRef.kind | "ClusterIssuer" | Issuer kind |
Prometheus Metrics
| Value | Default | Description |
|---|---|---|
| metrics.enabled | true | Expose Prometheus metrics |
| metrics.port | 8080 | Metrics port |
| metrics.serviceMonitor.enabled | false | Create ServiceMonitor for Prometheus Operator |
| metrics.serviceMonitor.namespace | "" | ServiceMonitor namespace (defaults to release namespace) |
| metrics.serviceMonitor.interval | "30s" | Scrape interval |
| metrics.serviceMonitor.labels | {} | Additional labels for ServiceMonitor |
Security Context
| Value | Default | Description |
|---|---|---|
| securityContext.runAsNonRoot | true | Run as non-root |
| securityContext.runAsUser | 65532 | UID |
| securityContext.fsGroup | 65532 | FS group |
Pod Scheduling
| Value | Default | Description |
|---|---|---|
| nodeSelector | {} | Node selector |
| tolerations | [] | Tolerations |
| affinity | {} | Affinity rules |
| topologySpreadConstraints | [] | Topology spread constraints |
Service Account
| Value | Default | Description |
|---|---|---|
| serviceAccount.create | true | Create a service account |
| serviceAccount.name | "" | Service account name (generated if empty) |
| serviceAccount.annotations | {} | Service account annotations |
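
An added example, not part of the chart or the Hookbase project: a pre-install check that takes a parsed values mapping and flags the settings from the tables above that deserve review (plaintext `hookbase.apiKey`, the floating default agent image tag, cluster-wide `watchNamespaces`, disabled admission webhooks). Keys and defaults are taken from this page; the helper names, finding texts and the `PINNED_VERSION` placeholder are assumptions.

```python
# Added example: pre-install audit of Hookbase operator chart values.
# Keys and defaults come from the values reference on this page; the
# audit_values() helper and its finding texts are illustrative, not chart code.
DEFAULTS = {
    "hookbase.apiKey": "",
    "hookbase.apiKeySecretRef.name": "",
    "hookbase.baseURL": "https://api.hookbase.app",
    "defaultAgentImage": "ghcr.io/hookbase/hookbase-agent:latest",
    "watchNamespaces": [],
    "webhook.enabled": False,
}

def lookup(values, path):
    """Resolve a dotted key in nested dicts, falling back to the chart default."""
    node = values
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return DEFAULTS[path]
        node = node[part]
    return node

def audit_values(values):
    """Return (key, finding) pairs for a parsed values mapping."""
    out = []
    key, ref = lookup(values, "hookbase.apiKey"), lookup(values, "hookbase.apiKeySecretRef.name")
    if key:
        out.append(("hookbase.apiKey", "plaintext key in values; use apiKeySecretRef"))
    elif not ref:
        out.append(("hookbase.apiKeySecretRef.name", "no API key source configured"))
    if not str(lookup(values, "hookbase.baseURL")).startswith("https://"):
        out.append(("hookbase.baseURL", "API base URL is not HTTPS"))
    image = str(lookup(values, "defaultAgentImage"))
    name = image.rsplit("/", 1)[-1]  # strip registry host so its port is not read as a tag
    if "@sha256:" not in image and (":" not in name or name.endswith(":latest")):
        out.append(("defaultAgentImage", "floating tag; pin a version or digest"))
    if not lookup(values, "watchNamespaces"):
        out.append(("watchNamespaces", "empty list watches all namespaces"))
    if not lookup(values, "webhook.enabled"):
        out.append(("webhook.enabled", "admission webhooks are disabled"))
    return out

# Constructed inputs: the page's "Minimal" example and a scoped install (placeholder tag).
MINIMAL = {"hookbase": {"apiKey": "whr_your_api_key_here"}}
SCOPED = {
    "hookbase": {"apiKeySecretRef": {"name": "hookbase-bootstrap-key", "key": "apiKey"}},
    "defaultAgentImage": "ghcr.io/hookbase/hookbase-agent:PINNED_VERSION",
    "watchNamespaces": ["production", "staging"],
    "webhook": {"enabled": True},
}
```

To check a real values file, parse it with a YAML loader such as `yaml.safe_load` and pass the resulting mapping to `audit_values`.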
Example Configurations
Minimal
```yaml
hookbase:
  apiKey: "whr_your_api_key_here"
```
Production
```yaml
hookbase:
  apiKeySecretRef:
    name: hookbase-bootstrap-key
    key: apiKey
  baseURL: "https://api.hookbase.app"
replicaCount: 2
leaderElection:
  enabled: true
reconcileInterval: "5m"
resources:
  requests:
    cpu: 100m
    memory: 256Mi
  limits:
    cpu: "1"
    memory: 512Mi
webhook:
  enabled: true
  certManager:
    enabled: true
metrics:
  serviceMonitor:
    enabled: true
    interval: "30s"
affinity:
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 100
        podAffinityTerm:
          labelSelector:
            matchExpressions:
              - key: app.kubernetes.io/name
                operator: In
                values:
                  - hookbase-operator
          topologyKey: kubernetes.io/hostname
```
Namespace-Scoped
Watch only specific namespaces:
```yaml
hookbase:
  apiKeySecretRef:
    name: hookbase-bootstrap-key
    key: apiKey
watchNamespaces:
  - production
  - staging
```
CRD Management
CRDs are included in the templates/crds/ directory and are installed with the chart. To skip CRD installation (e.g., during upgrades managed separately):
```bash
helm install hookbase-operator hookbase/hookbase-operator \
  --skip-crds \
  --namespace hookbase-system
```
Upgrading
```bash
helm repo update
helm upgrade hookbase-operator hookbase/hookbase-operator \
  --namespace hookbase-system
```
CRDs are not automatically upgraded by Helm. To update CRDs:
```bash
kubectl apply -f https://charts.hookbase.app/crds/hookbase-crds.yaml
```
Uninstalling
```bash
helm uninstall hookbase-operator --namespace hookbase-system
```
WARNING
Uninstalling the chart does not remove CRDs or custom resources. Delete custom resources first to trigger finalizer cleanup, then remove CRDs manually if desired:
```bash
kubectl delete webhooksources,webhookdestinations,webhookroutes --all -A
kubectl delete crd webhooksources.hookbase.io webhookdestinations.hookbase.io webhookroutes.hookbase.io
```
RBAC
The chart creates a ClusterRole with fine-grained permissions for all 10 CRD types, Secrets (for API key resolution), Deployments (for sidecar injection), and Ingress resources.
See Also
- Kubernetes Operator Guide -- getting started
- CRD Reference -- all CRD specifications