Wallaroo Helm Reference Details


This hook runs when you do helm uninstall unless …

  • you give --no-hooks to helm
  • you set the enable flag to False at INSTALL time.


Required. One of: aks, eks, gke, oke, or kurl.

Several distribution-specific or cloud provider-specific decisions are made around storage classes, LoadBalancer (LB) types, etc. Its value must be one of: aks, eks, gke, oke, or kurl. If your distribution is not in this list, the product needs to be ported and validated for that distribution.


How the Wallaroo instance is reached through the Kubernetes network settings. Options include:

  • internal (Default): An internal cloud load balancer and associated resources are created. Network users outside the Kubernetes cluster – but on the same internal network – can connect directly using DNS names, and do not need to use port forward or related configurations.
  • external: An external, Internet-facing cloud load balancer, public IP, and associated resources are created. This is highly discouraged. Public DNS is also required. This is the default for Wallaroo Community Edition.
  • none: Services are local to the Kubernetes cluster. kubectl port-forward or some other means is required to access them. If all work will be done in-cluster, select this option.


Registry and Tag portion of Wallaroo images. Third party images are not included. Tag is
computed at runtime and overridden. In online Helm installs, these should not be touched; in
airgap Helm installs imageRegistry must be overridden to local registry.


If true, generate random secrets for several services at install time.
If false, use the generic defaults listed here, which can also be overridden by caller.


This is a (currently) Dashboard-specific feature flag to control the display of Assays.


To provide TLS certificates, (1) set deploymentStage to “cust”, then (2) provide EITHER the
name of an existing Kubernetes TLS secret in custTlsSecret OR provide base64 encoded secrets
in custTlsCert and custTlsKey.
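
A pre-install check for the either/or rule above, as an added example that is not part of the Wallaroo chart or its tooling. It assumes the four values are passed as a flat dict and that the base64 values decode to PEM text; the function names and sample values are constructed for illustration.

```python
import base64
import binascii

def _pem_kind(b64_value):
    """Decode a base64 string and return its PEM label, or None if not PEM."""
    try:
        raw = base64.b64decode("".join(b64_value.split()), validate=True)
        text = raw.decode("ascii").strip()
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    first = text.splitlines()[0] if text else ""
    if first.startswith("-----BEGIN ") and first.endswith("-----"):
        return first[len("-----BEGIN "):-len("-----")]
    return None

def check_tls_values(values):
    """Return a list of problems with the TLS-related values (empty means OK)."""
    problems = []
    secret = values.get("custTlsSecret")
    cert, key = values.get("custTlsCert"), values.get("custTlsKey")
    inline = bool(cert or key)
    if not (secret or inline):
        return problems  # no customer-provided TLS requested
    if values.get("deploymentStage") != "cust":
        problems.append('deploymentStage must be "cust" to provide TLS certificates')
    if secret and inline:
        problems.append("set custTlsSecret OR custTlsCert/custTlsKey, not both")
    if inline and not (cert and key):
        problems.append("custTlsCert and custTlsKey must be provided together")
    if cert and _pem_kind(cert) != "CERTIFICATE":
        problems.append("custTlsCert is not a base64-encoded PEM certificate")
    if key and not (_pem_kind(key) or "").endswith("PRIVATE KEY"):
        problems.append("custTlsKey is not a base64-encoded PEM private key")
    return problems

def _b64(text):
    return base64.b64encode(text.encode("ascii")).decode("ascii")

# Constructed samples: PEM framing around a placeholder body, not real key material.
SAMPLE_CERT = _b64("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n")
SAMPLE_KEY = _b64("-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n")

if __name__ == "__main__":
    swapped = {"deploymentStage": "cust", "custTlsCert": SAMPLE_KEY, "custTlsKey": SAMPLE_CERT}
    for problem in check_tls_values(swapped):
        print("values error:", problem)
```
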


DNS specification for our named external service endpoints.

To form URLs, we concatenate the optional domainPrefix, the service name in question, and then
the domainSuffix. Their values are based on license, type, and customer config inputs. They
MUST be overridden per install via helm values, or by Replicated.

Community – prefix/suffix in license

domainPrefix | domainSuffix | dashboard_fqdn | thing_fqdn (thing = jup, kc, etc)

Enterprise et al – prefix/suffix from config

domainPrefix | domainSuffix | dashboard_fqdn | thing_fqdn (thing = jup, kc, etc)


In online Helm installs, an image pull secret is created and this is its name. The secret allows
the Kubernetes node to pull images from proxy.replicated.com. In airgap Helm installs, a local
Secret of type docker-registry must be created and this value set to its name.


If the customer has specified a private model container registry, the enable flag will reflect
this and the secret will be populated. registry, username, and password are mandatory. email
is optional. registry is of the form “hostname:port”. See the Wallaroo Private Model Registry
Guide for registry specific details.


In order to support edge deployments, a customer-supplied OCI registry is required. The enable
flag turns on the feature, which causes the secret to be populated. registry, repository,
username, and password are mandatory. email is optional. registry is of the form
“hostname:port”. Important: some cloud OCI registries require creation of the repository before
it can be published to. See the Wallaroo Private Model Registry Guide for registry specific


Main ingress LB for Wallaroo services.

The Kubernetes Ingress object is not used, instead we deploy a single Envoy load balancer with a
single IP in all cases, which serves: TLS termination, authentication (JWT) checking, and both
host based and path based application routing. Customer should be aware of two values in particular.

api.serviceType defaults to ClusterIP. If api.serviceType is set to LoadBalancer, cloud
services will allocate a hosted LB service, in which case the apilb.annotations should be
provided, in order to pass configuration such as “internal” or “external” to the cloud service.


   serviceType: LoadBalancer
   annotations:
     service.beta.kubernetes.io/aws-load-balancer-internal: "true"


Edge proxy allows observability: incoming connections from edge site over secured mTLS, carrying
inference results, metrics, and edge management commands. Note: publishing to edge is handled
separately under the ociRegistry tag.


If enabled, Jupyter Hub is deployed. This is deployed using helm hooks after the main chart is
rendered. If an upgrade is applied where hub is transitioned from enabled to disabled, any PVCs
will not be removed but they will be inaccessible.


Wallaroo can connect to a variety of identity providers, broker OpenID Connect authentication
requests, and then limit access to endpoints. This section configures a Keycloak
(https://www.keycloak.org) installation. If a provider is specified here, Keycloak will configure
itself to use that on install. If no providers are specified here, the administrator must log in
to the Keycloak service as the administrative user and either add users by hand or create an auth
provider. In general, a client must be created upstream and a URL, client ID, and secret (token)
for that client are entered here.


Manage retention for fluentbit table. This contains log message outputs from orchestration tasks.


Prometheus Metrics. Data will be retained until either retention size or retention time is
exceeded, whichever comes first. It’s a little difficult to predict which, because pipelines are
transient and the rate they generate metrics is variable. Scrape interval is fixed at 5s.


Plateau is a low-profile fixed-footprint log processor / event store for fast storage of
inference results. The amount of disk space provisioned is adjustable. Smaller than “100Gi” is
not recommended for performance reasons.


This controls the wsProxy, and should only be enabled if nats (ArbEx) is also enabled.
wsProxy is required for the Dashboard to subscribe to events and show notifications.


Arbitrary Execution


Pipeline orchestration is a general task execution service that allows users to upload arbitrary
code and have it executed on their behalf by the system. nats and arbex must be enabled.


Pipelines is a service that supports packaging and publishing pipelines suitable for edge deployments.
It requires ociRegistry to be configured.


Wallsvc runs arbex, models, pipelines and orchestration.