Wallaroo Helm Reference Guides

The following guides include reference details related to installing Wallaroo via Helm.

1 - Wallaroo Helm Reference Table


A Helm chart for the control plane for Wallaroo


The following table lists the configurable parameters of the Wallaroo chart and their default values.

kubernetes_distributionOne of: aks, eks, gke, or kurl. May be safe to leave defaulted.""
imageRegistryimageRegistry where images are pulled from"ghcr.io/wallaroolabs"
replImagePrefiximageRegistry where images are pulled from, as overridden by Kots"ghcr.io/wallaroolabs"
assays.enabledControls the display of Assay data in the Dashboardtrue
custTlsSecretNameName of existing Kubernetes TLS type secret""
deploymentStageDeployment stage, must be set to “cust” when deployed"dev"
custTlsCertCustomer provided certificate chain when deploymentStage is “cust”.""
custTlsKeyCustomer provided private key when deploymentStage is “cust”.""
nodeSelectorGlobal node selector{}
tolerationsGlobal tolerations[{"key": "wallaroo", "operator": "Exists", "effect": "NoSchedule"}]
domainPrefixDNS prefix of Wallaroo endpoints, can be empty for none"xxx"
domainSuffixDNS suffix of Wallaroo endpoints, MUST be provided"yyy"
externalIpOverrideUsed in cases where we can’t accurately determine our external, inbound IP address. Normally “”.""
imagePullPolicyGlobal policy saying when K8s pulls images: Always, Never, or IfNotPresent."Always"
wallarooSecretNameSecret name for pulling Wallaroo images"regcred"
privateModelRegistry.enabledIf true, external containerized models can be accessedfalse
privateModelRegistry.registryRegistry URL, eg “reg.big.corp:3579”""
privateModelRegistry.emailOptional, for bookkeeping""
privateModelRegistry.usernameUsername access credential""
privateModelRegistry.passwordPassword access credential""
ociRegistry.enabledIf true, pipelines can be published to this OCI registry for use in edge deploymentsfalse
ociRegistry.registryRegistry URL, eg “reg.big.corp:3579”""
ociRegistry.repositoryRepository within the registry. May contain cloud account, eg “account123/wallaroothings”""
ociRegistry.emailOptional, for bookkeeping""
ociRegistry.usernameUsername access credential""
ociRegistry.passwordPassword access credential""
ociRegistry.noTlsSet to true if the registry does not support TLS - for development onlyfalse
apilb.nodeSelectorstandard node selector for API-LB{}
apilb.annotationsAnnotations for api-lb service{}
apilb.serviceTypeService type of api-lb service"ClusterIP"
apilb.external_inference_endpoints_enabledEnable external URL inference endpoints: pipeline inference endpoints that are accessible outside of the Wallaroo cluster.true
jupyter.enabledIf true, a jupyer hub was deployed which components can point to.false
keycloak.useradministrative username"admin"
keycloak.passworddefault admin password: overridden if generate_secrets is true"admin"
keycloak.provider.clientIdupstream client id""
keycloak.provider.clientSecretupstream client secret""
keycloak.provider.namehuman name for provider""
keycloak.provider.idType of provider, one of: “github”, “google”, or “OIDC”""
keycloak.provider.authorizationUrlURL to contact the upstream client for auth requestsnull
keycloak.provider.clientAuthMethodclient auth method - Must be client_secret_post for OIDC provider type, leave blank otherwise.null
keycloak.provider.displayNamehuman name for provider, displayed to end user in login dialogsnull
keycloak.provider.tokenUrlUsed only for ODIC, see token endpoint under Azure endpoints.null
dbcleaner.schedulewhen the cleaner runs, default is every eight hours"* */8 * * *"
dbcleaner.maxAgeDaysdelete older than this many days"30"
plateau.enabledEnable Plateau deploymenttrue
plateau.diskSizeDisk space to allocate. Smaller than 100Gi is not recommended."100Gi"
telemetry.enabledUsed only for our CE product. Leave disabled for EE/Helm installs.false
dashboard.enabledEnable dashboard servicetrue
dashboard.clientNameCustomer display name which appears at the top of the dashboard window."Fitzroy Macropods, LLC"
minio.imagePullSecretsMust override for helm + private registry; eg -name: "some-secret"[]
minio.image.repositoryMust override for helm + private registry"quay.io/minio/minio"
minio.mcImage.repositoryMust override for helm + private registry"quay.io/minio/mc"
minio.persistence.sizeMinio model storage disk size. Smaller than 10Gi is not recommended."10Gi"
fluent-bit.imagePullSecretsMust override for helm + private registry; eg -name: "some-secret"[]
fluent-bit.image.repositoryMust override for helm + private registry"cr.fluentbit.io/fluent/fluent-bit"
helmTests.enabledWhen enabled, create “helm test” resources.true
helmTests.nodeSelectorWhen helm test is run, this selector places the test pods.{}
explainabilityServer.enabledEnable the model explainability servicefalse
replImagePrefixSets the replicated image prefix for installation containers. Set to replImagePrefix: proxy.replicated.com/proxy/wallaroo/ghcr.io/wallaroolabs unless otherwise instructed.

2 - Wallaroo Helm Reference Details


This hook runs when you do helm uninstall unless:

  • you give –no-hooks to helm
  • you set the enable flag to False at INSTALL time.


Registry and Tag portion of Wallaroo images. Third party images are not included. Tag is
computed at runtime and overridden. In online Helm installs, these should not be touched; in
airgap Helm installs imageRegistry must be overridden to local registry.


If true, generate random secrets for several services at install time.
If false, use the generic defaults listed here, which can also be overridden by caller.


This is a (currently) Dashboard-specific feature flag to control the display of Assays.


To provide TLS certificates, (1) set deploymentStage to “cust”, then (2) provide EITHER the
name of an existing Kubernetes TLS secret in custTlsSecret OR provide base64 encoded secrets
in custTlsCert and custTlsKey.


DNS specification for our named external service endpoints.

To form URLs, we concatenate the optional domainPrefix, the service name in question, and then
the domainSuffix. Their values are based on license, type, and customer config inputs. They
MUST be overriden per install via helm values, or by Replicated.

Community – prefix/suffix in license

domainPrefixdomainSuffixdashboard_fqdnthing_fqdn (thing = jup, kc, etc)

Enterprise et al – prefix/suffix from config

domainPrefixdomainSuffixdashboard_fqdnthing_fqdn (thing = jup, kc, etc)


In online Helm installs, an image pull secret is created and this is its name. The secret allows
the Kubernetes node to pull images from proxy.replicated.com. In airgap Helm installs, a local
Secret of type docker-registry must be created and this value set to its name.


If the customer has specified a private model container registry, the enable flag will reflect
and the secret will be populated. registry, username, and password are mandatory. email
is optional. registry is of the form “hostname:port”. See the Wallaroo Private Model Registry
Guide for registry specific details.


In order to support edge deployments, a customer-supplied OCI registry is required. The enable
flag turns on the feature, which causes the secret to be populated. registry, repository,
username, and password are mandatory. email is optional. registry is of the form
“hostname:port”. Important: some cloud OCI registries require creation of the repository before
it can be published to. See the Wallaroo Private Model Registry Guide for registry specific


Main ingress LB for Wallaroo services.

The Kubernetes Ingress object is not used, instead we deploy a single Envoy load balancer with a
single IP in all cases, which serves: TLS termination, authentication (JWT) checking, and both
host based and path based application routing. Customer should be aware of two values in particular.

api.serviceType defaults to ClusterIP. If api.serviceType is set to LoadBalancer, cloud
services will allocate a hosted LB service, in which case the apilb.annotations should be
provided, in order to pass configuration such as “internal” or “external” to the cloud service.


        serviceType: LoadBalancer
        annotations: service.beta.kubernetes.io/aws-load-balancer-internal: "true"


Wallaroo can connect to a variety of identity providers, broker OpenID Connect authentication
requests, and then limit access to endpoints. This section configures a https://www.keycloak.org
installation. If a provider is specified here, Keycloak will configure itself to use that on
install. If no providers are specified here, the administrator must login to the Keycloak
service as the administrative user and either add users by hand or create an auth provider. In
general, a client must be created upstream and a URL, client ID, and secret (token) for that
client is entered here.


Manage retention for fluentbit table. This contains log message outputs from orchestration tasks.


Plateau is a low-profile fixed-footprint log processor / event store for fast storage of
inference results. The amount of disk space provisioned is adjustable. Smaller than “100Gi” is
not recommended for performance reasons.


This controls the wsProxy, and should only be enabled if nats (ArbEx) is also enabled.
wsProxy is required for the Dashboard to subscribe to events and show notifications.


Arbitrary Execution


Pipeline orchestration is general task execution service that allows users to upload arbitrary
code and have it executed on their behalf by the system. nats and arbex must be enabled.


Pipelines is service that supports packaging and publishing pipelines suitable for edge deployments.
It requires ociRegistry to be configured.


Wallsvc runs arbex, models, pipelines and orchestration.