Customize Helm values

The NetFoundry Self-Hosted installer generates Helm values files during the quickstart that control the configuration of each component. After installation, you can modify these files to change ports, resource limits, logging, TLS settings, and more — then apply the changes with a single helm upgrade command.

Values file locations

All values files are stored in the installation directory. For DEB package installations, this is /opt/netfoundry/self-hosted. You can navigate there at any time by running:

nf

The following values files are generated during installation:

File	Chart	Description
`controller-values.yml`	`openziti/ziti-controller`	Controller advertise address, port, cluster mode, trust domain, and logging settings.
`router-values.yml`	`openziti/ziti-router`	Router advertise address, edge listener port, controller endpoint, and tunnel mode.
`support-values.yml`	`./helm-charts/support/`	Elasticsearch, Logstash, Kibana, Grafana, and RabbitMQ configuration.
`ziti-console-enterprise-values.yml`	`./helm-charts/ziti-console-enterprise/`	Ziti Console Enterprise configuration. Only present when the support stack is installed.

tip

Always make a backup of a values file before editing it:

cp controller-values.yml controller-values.yml.bak

Applying changes

After editing a values file, apply the changes by running the corresponding helm upgrade command. All commands below assume you are in the installation directory (/opt/netfoundry/self-hosted).

Ziti controller

# Without support stack
helm upgrade --install "ziti-controller" openziti/ziti-controller \
  -n ziti --values ./controller-values.yml

# With support stack (includes RabbitMQ event subscriptions)
helm upgrade --install "ziti-controller" openziti/ziti-controller \
  -n ziti --values ./controller-values.yml \
  --values ./helm-value-files/templates/support-stack-additions.yml

warning

If you installed the support stack, you must include the support-stack-additions.yml overlay every time you upgrade the controller. Omitting it will remove the RabbitMQ event subscriptions and break telemetry collection.

Ziti router

helm upgrade --install "ziti-router-1" openziti/ziti-router \
  -n ziti --values ./router-values.yml

Support stack

helm upgrade --install support ./helm-charts/support/ \
  -n support --values support-values.yml

Ziti Console Enterprise

helm upgrade --install ziti-console-enterprise ./helm-charts/ziti-console-enterprise/ \
  -n ziti --values ziti-console-enterprise-values.yml

Ziti Console Enterprise on EKS

EKS does not include a built-in ingress controller, so the Traefik-based default ingress configuration used on K3s will not work. Use an AWS LoadBalancer instead.

Set ziti-console-enterprise-values.yml to:

ziti:
  controllerAdvertiseAddress: "<your-controller-dns>"
  controllerAdvertisePort: 443

service:
  type: LoadBalancer

ingress:
  enabled: false
  usePublicCert: false
  tlsHosts: []

Apply the change:

helm upgrade --install ziti-console-enterprise ./helm-charts/ziti-console-enterprise/ \
  -n ziti --values ziti-console-enterprise-values.yml

Get the provisioned load balancer address:

kubectl get svc ziti-console-enterprise -n ziti

The EXTERNAL-IP column shows the ELB DNS name once ready (can take 1–2 minutes). Create a DNS CNAME record pointing your console hostname to that address, then access the console at https://<your-console-dns>/.

note

The console uses a self-signed TLS certificate issued by cert-manager. Your browser will show a certificate warning on first access unless you configure a public certificate.

Common customizations

Change the controller or router advertise address

Edit the advertisedHost and dnsNames fields in controller-values.yml:

clientApi:
  advertisedHost: new.controller.example.com
  dnsNames: ["new.controller.example.com"]
  advertisedPort: 1280

Or the advertisedHost in router-values.yml:

edge:
  advertisedHost: new.router.example.com
  advertisedPort: 3022

After changing the controller address, also update controller-vars.sh so that the upgrade script and utilities use the new address:

export CTRL_ADDR=new.controller.example.com
export CLIENT_PORT=1280

Change service types

By default, the controller and router use LoadBalancer services. To switch to NodePort:

# In controller-values.yml
clientApi:
  service:
    type: NodePort

# In router-values.yml
edge:
  service:
    type: NodePort

Adjust Elasticsearch resource limits

Edit support-values.yml to change Elasticsearch resource allocation:

elasticsearch:
  node_count: 1
  storage: 100Gi
  memory_limit: 4Gi
  cpu_limit: 2

Change Grafana settings

grafana:
  log_level: debug
  storage: 20Mi

Change log format

Both the controller and router default to JSON logging. To switch to plain text, remove the additionalArgs section from the respective values file:

# Remove or comment out this block
image:
  additionalArgs:
    - --log-formatter
    - json

Viewing current values

To see the full set of values that Helm is using for a release (including defaults), use helm get values:

# Show user-supplied values only
helm get values ziti-controller -n ziti

# Show all values including defaults
helm get values ziti-controller -n ziti --all

To see the full set of available values and their defaults for the upstream OpenZiti charts:

helm show values openziti/ziti-controller
helm show values openziti/ziti-router

For the support chart, the defaults are in ./helm-charts/support/values.yaml.

Upstream chart documentation

The OpenZiti Helm charts have their own documentation with the full list of configurable values:

Values file locations​

Applying changes​

Ziti controller​

Ziti router​

Support stack​

Ziti Console Enterprise​

Ziti Console Enterprise on EKS​

Common customizations​

Change the controller or router advertise address​

Change service types​

Adjust Elasticsearch resource limits​

Change Grafana settings​

Change log format​

Viewing current values​

Upstream chart documentation​