How to upgrade the ECK-Operator chart

ECK-Operator is a modified/customized version of an upstream chart. The steps below describe how to update to a new version of the eck-operator package.

  1. Navigate to the upstream chart repo and folder and find the tag that corresponds to the new chart version for this update.

  2. Check out the renovate/ironbank branch.

  3. From the root of the repo, run a KPT package update, where <tag> is the tag found in step 1 (check the ref in chart/Kptfile for the tag naming):

    kpt pkg update chart@<tag> --strategy alpha-git-patch

  4. Modify the version in Chart.yaml and append -bb.0 to the chart version from upstream. See Update main chart section of this document.

  5. Update eck-operator dependencies and binaries:

    helm dependency update ./chart

  6. Update adding an entry for the new version and noting all changes (at minimum should include Updated eck-operator to x.x.x).

  7. Generate the updates by following the guide in gluon.

  8. Push up your changes, add upgrade notices if applicable, and validate that CI passes.

    • If there are any failures, follow the information in the pipeline to make the necessary updates.
    • Add the debug label to the MR for more detailed information.
    • Reach out to the CODEOWNERS if needed.

  9. Perform the steps below for manual testing. CI provides a good set of basic smoke tests, but it is beneficial to run some additional checks.

Modifications made to upstream


  • Updated image.repository to Iron Bank for hardened images

      # repository is the container image prefixed by the registry name.

  • Updated resource limits and requests

    # resources define the container resource limits for the operator.
    resources: # Limits equal to request to provide QOS per BB Charter
      limits:
        cpu: 200m # Values pulled from PB IL2 cluster
        memory: 256Mi
      requests:
        cpu: 200m
        memory: 256Mi

  • Added fsGroup and supplementalGroups to podSecurityContext

    # podSecurityContext defines the pod security context for the operator pod.
    podSecurityContext:
      runAsNonRoot: true
      fsGroup: 1001
      supplementalGroups: [1001]

  • Added runAsUser and runAsGroup to securityContext

    # securityContext defines the security context of the operator container.
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 1001
      runAsGroup: 1001

  • Set config.metrics.port to 4321

    config:
      # logVerbosity defines the logging level. Valid values are as follows:
      # -2: Errors only
      # -1: Errors and warnings
      #  0: Errors, warnings, and information
      #  number greater than 0: Errors, warnings, information, and debug details.
      logVerbosity: "0"
      # (Deprecated: use metrics.port: will be removed in v2.14.0) metricsPort defines the port to expose operator metrics. Set to 0 to disable metrics reporting.
      metricsPort: 0
      metrics:
        # port defines the port to expose operator metrics. Set to 0 to disable metrics reporting.
        port: "4321"

  • Added license values

  • Added networkPolicies values
  • Added monitoring values
  • Added openshift values
  • Added istio values
  • Added upgradeCrds values


  • Added BigBang Network Policies as applicable
  • Added BigBang Authorization Policies as applicable
  • Added OpenShift CRDS as applicable

Testing new ECK-Operator Version

NOTE: It is good to run these testing steps on both a clean install and an upgrade. For a clean install, point ECK-Operator to your branch. For an upgrade, install with ECK-Operator pointing to the latest tag, then perform a helm upgrade with ECK-Operator pointing to your branch.

ECK-Operator can be installed standalone and is not dependent on any other packages.

The following overrides can be used for a bare minimum ECK-Operator deployment:

  enabled: false

  enabled: false

  enabled: false
    validationFailureAction: "audit"

  enabled: false

  enabled: false

  enabled: false

  enabled: false
      enabled: true

  enabled: false

  enabled: false

  enabled: false

    enabled: false

  # -- Toggle deployment of ECK Operator.
  enabled: true
    tag: null
    branch: renovate/ironbank

  • Ensure that all ECK-Operator pods are up and running.
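
Beyond confirming the pods are running, it is worth confirming that the hardening listed under "Modifications made to upstream" survived the kpt update. The following is an added example (not part of the Big Bang docs or the chart) that compares a pod's JSON against those values; the sample pod and the container name `manager` are constructed, and it assumes no sidecar containers are injected into the pod.

```python
import json
import sys
from pathlib import Path

# Values listed under "Modifications made to upstream" on this page.
POD_SC = {"runAsNonRoot": True, "fsGroup": 1001, "supplementalGroups": [1001]}
CONTAINER_SC = {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                "runAsNonRoot": True, "runAsUser": 1001, "runAsGroup": 1001}
RESOURCES = {"cpu": "200m", "memory": "256Mi"}

# Constructed sample, not captured from a cluster; the container name is hypothetical.
SAMPLE_POD = {"spec": {
    "securityContext": dict(POD_SC),
    "containers": [{
        "name": "manager",
        "securityContext": {**CONTAINER_SC, "capabilities": {"drop": ["ALL"]}},
        "resources": {"limits": dict(RESOURCES), "requests": dict(RESOURCES)},
    }],
}}


def _diff(where, actual, expected):  # expected keys whose actual value differs
    return [f"{where}.{k}: {actual.get(k)!r} != {v!r}"
            for k, v in expected.items() if actual.get(k) != v]


def check_hardening(pod):
    """Return findings; an empty list means the pod matches the documented values."""
    spec = pod.get("spec", {})
    findings = _diff("pod securityContext", spec.get("securityContext") or {}, POD_SC)
    for c in spec.get("containers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext") or {}
        findings += _diff(f"{name} securityContext", sc, CONTAINER_SC)
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            findings.append(f"{name} does not drop ALL capabilities")
        res = c.get("resources") or {}
        # Limits must equal requests, and both must match the chart values.
        if res.get("limits") != RESOURCES or res.get("requests") != RESOURCES:
            findings.append(f"{name} resources differ: {res!r}")
    return findings


if __name__ == "__main__":
    # Optional argument: a file saved from `kubectl get pod <pod> -n <namespace> -o json`.
    pod = json.loads(Path(sys.argv[1]).read_text()) if len(sys.argv) > 1 else SAMPLE_POD
    problems = check_hardening(pod)
    print("\n".join(problems) or "pod matches the documented hardening values")
    sys.exit(1 if problems else 0)
```

The script exits non-zero when any documented value is missing or changed, so it can be run on both the clean-install and the upgrade path.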

When in doubt with any testing or upgrade steps, reach out to the CODEOWNERS for assistance.

Last update: 2024-04-01 by Blane Staskiewicz