# Helm Values Reference
This page documents the configuration values you are most likely to override when installing the runtime-operator Helm chart. For the authoritative list of every value the chart supports, run:
```shell
helm show values oci://ghcr.io/wasmcloud/charts/runtime-operator --version <version>
```

## Top-level structure

The chart's values.yaml is organized into five top-level sections:
| Section | Purpose |
|---|---|
| `global` | Settings that apply across all components (image registry, TLS, image pull secrets) |
| `nats` | The bundled NATS server; set `enabled: false` to connect to an external NATS cluster instead |
| `operator` | The wasmCloud runtime-operator deployment |
| `gateway` | Legacy runtime-gateway, deprecated in 2.0.3; set `enabled: false` to skip installing it |
| `runtime` | Host group deployments (pods running the `wash host` binary) |
## global

### global.image.registry

Override the container image registry for all components at once. Useful for air-gapped or mirrored deployments.

```yaml
global:
  image:
    registry: myregistry.example.com
```

See Private Registries and Air-Gapped Deployments for the full mirroring workflow.
### global.tls.enabled

Introduced in 2.0.3. Set to `false` to disable TLS for NATS connections and skip certificate generation. Intended for clusters where a service mesh (e.g. Istio, Linkerd) provides mTLS between pods.

```yaml
global:
  tls:
    enabled: false
```

When `global.tls.enabled` is `false`, the chart ignores `global.certificates.generate`: no self-signed certs are created and NATS runs plaintext. Only disable TLS when every NATS client (the operator, the host pods in every namespace they run in, and any external connections) is actually inside the mesh; otherwise NATS traffic crosses the cluster network unencrypted.
### global.certificates.generate

Controls whether the chart generates self-signed TLS certificates for NATS and the control plane. Set to `false` when bringing your own certificate secrets. See the TLS: bring your own certificates recipe for the full BYOC flow.
### operator, nats, runtime — pod labels and annotations

Introduced in 2.0.3. Each deployment accepts `podLabels` and `podAnnotations` that are merged into the pod template. This is most commonly used for service mesh injection:

```yaml
operator:
  podLabels:
    sidecar.istio.io/inject: "true"
  podAnnotations:
    proxy.istio.io/config: '{"holdApplicationUntilProxyStarts": true}'
nats:
  podLabels:
    sidecar.istio.io/inject: "true"
runtime:
  podLabels:
    sidecar.istio.io/inject: "true"
```

## operator
### operator.watchNamespaces

By default, the operator watches every namespace in the cluster. Set `watchNamespaces` to a list of namespace names to scope it down:

```yaml
operator:
  watchNamespaces:
    - team-a
    - team-b
```

When `watchNamespaces` is populated, the chart generates namespace-scoped Role and RoleBinding resources for each listed namespace instead of a single ClusterRole. Adding a namespace to the list later requires a `helm upgrade` so the chart renders the Role and RoleBinding for it.
### operator.hostNamespaces

Introduced in 2.1. List of namespaces where host pods run. The operator's pod informer cache and per-namespace pod RBAC cover this set so the host-pod controller can manage finalizers on host pods. Leave empty when host pods only run in the operator's own namespace (the chart's default).

```yaml
operator:
  hostNamespaces:
    - team-a
    - team-b
```

When you set `runtime.hostGroups[].namespace` to deploy host pods outside the operator's namespace, also include those namespaces here; otherwise the operator can't observe or finalize the host pods running there.
### operator.allowSharedHosts

Introduced in 2.1. Default: `true`. Controls whether WorkloadDeployments can schedule onto hosts whose `Host.environment` differs from the workload's own namespace by setting `spec.template.spec.environment`.

```yaml
operator:
  allowSharedHosts: false
```

The default (`true`) preserves the existing behavior: a workload with no `environment` set may schedule onto any matching host regardless of which tenant namespace the host runs in. This is permissive: in a multi-tenant cluster where each tenant has its own namespace and host pods, a workload in `team-a` can target hosts in `team-b` simply by setting `spec.template.spec.environment: team-b`.

Set it to `false` when namespace boundaries are part of your tenant isolation model. With `allowSharedHosts: false`:

- Scheduling is locked to the workload's own namespace.
- Any cross-namespace `environment` value is rejected with a `CrossEnvironmentSchedulingDenied` Warning Event and a `HostSelection=False` condition on the Workload.
See Troubleshooting: Workload stays unscheduled with allowSharedHosts: false for the symptom and resolution patterns.
### operator.image.tag

Defaults to the chart's `appVersion`. Override only when you need to pin to a specific operator build that differs from the chart release:

```yaml
operator:
  image:
    tag: "2.0.6"
```

The same pattern applies to `gateway.image.tag` and `runtime.image.tag`.
## gateway (deprecated)

The runtime-gateway is deprecated as of 2.0.3. HTTP routing is now handled by the runtime-operator via EndpointSlices tied to user-defined Kubernetes Services. See Expose a Workload via Kubernetes Service for the replacement pattern.

To skip installing the gateway, set `gateway.enabled: false`.

```yaml
gateway:
  enabled: false
```

## runtime
### runtime.hostGroups

A host group is a Deployment of pods running the wash host. You can define multiple groups to isolate workloads or provide specialized capabilities (e.g. WebGPU-enabled hosts):

```yaml
runtime:
  hostGroups:
    - name: default
      replicas: 3
      http:
        enabled: true
        port: 80
      resources:
        requests:
          memory: "64Mi"
          cpu: "250m"
        limits:
          memory: "512Mi"
          cpu: "500m"
    - name: gpu
      replicas: 1
      webgpu:
        enabled: true
```

WorkloadDeployment manifests target a group via `spec.template.spec.hostSelector.hostgroup`.
### runtime.hostGroups[].namespace

Introduced in 2.1. Namespace to deploy this host group's Deployment, Service, generated TLS Secret, and ServiceAccount into. Empty (default) deploys to the chart release's namespace.

```yaml
runtime:
  hostGroups:
    - name: team-a
      namespace: team-a
      replicas: 2
```

When you override this, ensure the namespace exists (the chart does not create it) and that it is listed in `operator.hostNamespaces`, so the operator has the pod RBAC and informer cache access it needs to manage host pod lifecycle there. Each host's `Host.environment` reflects the namespace where its pod runs, which is what `allowSharedHosts: false` matches against for namespace-scoped scheduling.
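Putting the 2.1 tenancy controls together (`watchNamespaces`, `hostNamespaces`, `allowSharedHosts`, and `hostGroups[].namespace`), the following values overlay is an added example, not a file shipped with the chart or its documentation. It sets up two tenants, `team-a` and `team-b`, each with its own host group in its own namespace; the namespace names, replica counts and file name are illustrative, while the keys are the ones documented on this page. The comments mark the setting that, left at its default, would let a workload in one tenant namespace schedule onto the other tenant's hosts.

```yaml
# values-multitenant.yaml (added example; not part of the chart)
# Two tenants, team-a and team-b, each running host pods in its own namespace.
# Namespace names and replica counts are illustrative.
operator:
  # Scope the operator to the tenant namespaces: the chart renders a Role and
  # RoleBinding per listed namespace instead of a single ClusterRole.
  watchNamespaces:
    - team-a
    - team-b
  # Host pods live outside the release namespace, so the operator needs pod
  # RBAC and informer cache coverage there (2.1+). Omit a namespace here and
  # the operator cannot observe or finalize the host pods running in it.
  hostNamespaces:
    - team-a
    - team-b
  # Weak setting: the default (true) lets a WorkloadDeployment in team-a target
  # team-b's hosts just by setting spec.template.spec.environment: team-b.
  # Corrected: lock scheduling to the workload's own namespace. Cross-namespace
  # environment values then get a CrossEnvironmentSchedulingDenied Warning Event
  # and a HostSelection=False condition instead of a host.
  allowSharedHosts: false

runtime:
  # Note: Helm replaces list values rather than merging them, so listing host
  # groups here drops the chart's default group unless you re-declare it.
  hostGroups:
    # Each group's Deployment, Service, generated TLS Secret and ServiceAccount
    # land in the tenant namespace; Host.environment for these pods is that
    # namespace, which is what allowSharedHosts: false matches against.
    - name: team-a
      namespace: team-a
      replicas: 2
      http:
        enabled: true
    - name: team-b
      namespace: team-b
      replicas: 2
      http:
        enabled: true
```

The namespaces must exist before the release is installed (for example `kubectl create namespace team-a team-b`), then apply the overlay with `helm upgrade --install runtime-operator oci://ghcr.io/wasmcloud/charts/runtime-operator --version <version> -f values-multitenant.yaml`. After install, a WorkloadDeployment in `team-a` that sets `spec.template.spec.environment: team-b` should stay unscheduled with the `CrossEnvironmentSchedulingDenied` event described above; if it schedules anyway, check that `allowSharedHosts` actually rendered as `false` with `helm get values`.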
### runtime.hostGroups[].http.port

Starting in 2.0.3, this value is honored by the host (it was previously hardcoded). This is the port the host's HTTP server listens on inside the pod, and the port the operator populates into each managed EndpointSlice. The upstream chart default is 9191; the values.local.yaml overlay overrides it to 80 for local development.
### runtime.hostGroups[].webgpu.enabled

Enables the WebGPU plugin on hosts in the group. Requires a host image built with the `wasi-webgpu` feature.
### runtime.image.tag

Starting in 2.0.3, this value defaults to the chart's `appVersion` (previously it defaulted to a hardcoded tag). Leave it unset to track the chart release.
## Related documentation
- Kubernetes Operator introduction — install and deploy walk-through
- Private Registries — mirroring images for air-gapped deployments
- TLS: bring your own certificates
- Expose a Workload via Kubernetes Service