The KubermaticConfiguration CustomResourceDefinition is used for configuring the Kubermatic Kubernetes Platform (KKP) Operator and
replaces what previously was done with the values.yaml for the KKP Helm chart.
The following is an example configuration, showing all possible options. Note that all fields that you don’t define explicitly are always defaulted to these values.
apiVersion: kubermatic.k8c.io/v1
kind: KubermaticConfiguration
metadata:
  name: <<mykubermatic>>
  namespace: kubermatic
spec:
  # API configures the frontend REST API used by the dashboard.
  api:
    # AccessibleAddons is a list of addons that should be enabled in the API.
    accessibleAddons:
      - node-exporter
      - kube-state-metrics
      - multus
      - metallb
    # DebugLog enables more verbose logging.
    debugLog: false
    # DockerRepository is the repository containing the Kubermatic REST API image.
    dockerRepository: quay.io/kubermatic/dashboard
    # DockerTagSuffix is appended to the KKP version used for referring to the custom Kubermatic API image.
    # If left empty, either the `DockerTag` if specified or the original Kubermatic API Docker image tag will be used.
    # With DockerTagSuffix the tag becomes <KKP_VERSION-SUFFIX> i.e. "v2.15.0-SUFFIX".
    dockerTagSuffix: ""
    # PProfEndpoint controls the port the API should listen on to provide pprof
    # data. This port is never exposed from the container and only available via port-forwardings.
    pprofEndpoint: :6600
    # Replicas sets the number of pod replicas for the API deployment.
    replicas: 2
    # Resources describes the requested and maximum allowed CPU/memory usage.
    resources:
      # Claims lists the names of resources, defined in spec.resourceClaims,
      # that are used by this container.
      # This is an alpha field and requires enabling the
      # DynamicResourceAllocation feature gate.
      # This field is immutable. It can only be set for containers.
      claims: null
      # Limits describes the maximum amount of compute resources allowed.
      # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
      limits:
        cpu: "1"
        memory: 1Gi
      # Requests describes the minimum amount of compute resources required.
      # If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
      # otherwise to an implementation-defined value. Requests cannot exceed Limits.
      # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
      requests:
        cpu: 200m
        memory: 150Mi
  # Applications contains configuration for Application settings.
  applications:
    # CatalogManager configures the Application Catalog CatalogManager, which is responsible for managing ApplicationDefinitions
    # in the cluster from specified OCI registries.
    # Note: The Application Catalog CatalogManager requires its feature flag to be enabled as it is currently in beta.
    catalogManager:
      # Image configures the container image for the application-catalog manager.
      image:
        # Repository is used to override the application-catalog manager image repository.
        # The default value is "quay.io/kubermatic/application-catalog-manager"
        repository: quay.io/kubermatic/application-catalog-manager
        # Tag is used to override the application-catalog manager image tag.
        tag: v0.1.0
      # Limit defines filtering criteria for ApplicationDefinitions to be reconciled from the OCI registry.
      # When undefined, all ApplicationDefinitions from the registry are pulled and reconciled.
      # When defined, only ApplicationDefinitions matching the specified criteria are processed.
      limit:
        # MetadataSelector defines criteria for selecting ApplicationDefinitions based on their metadata attributes.
        # For example, to select ApplicationDefinitions with a specific support tier (e.g., 'gold'),
        # specify that tier here.
        # When multiple tiers are specified, the Application Catalog Manager uses additive logic
        # to determine which ApplicationDefinitions to retrieve from the OCI registry.
        metadataSelector:
          # Tiers specifies the support tiers to filter ApplicationDefinitions.
          # ApplicationDefinitions matching any of the specified tiers will be selected.
          tiers: null
        # NameSelector defines criteria for selecting ApplicationDefinitions by name.
        # Each name must correspond to an ApplicationDefinition's `metadata.name` field.
        # When multiple names are specified, the Application Catalog Manager uses additive logic
        # to retrieve all matching ApplicationDefinitions from the OCI registry.
        # Example: Specifying ['nginx', 'cert-manager'] will retrieve only those specific ApplicationDefinitions.
        nameSelector: null
      # LogLevel specifies the logging verbosity level for the Application Catalog Manager.
      logLevel: ""
      # ReconciliationInterval is the interval at which application-catalog manager reconcile ApplicationDefinitions.
      # By default, ApplicationsDefinitions are reconciled at every 10 minutes.
      # Setting a value equal to 0 disables the force reconciliation of the default Application Catalog.
      reconciliationInterval: 0s
      # RegistrySettings configures the OCI registry from which the Application Catalog Manager
      # retrieves ApplicationDefinition manifests.
      registrySettings:
        # Credentials optionally references a secret containing Helm registry authentication credentials.
        # Either username/password or registryConfigFile can be specified, but not both.
        credentials: null
        # RegistryURL specifies the OCI registry URL where ApplicationDefinitions are stored.
        # Example: oci://localhost:5000/myrepo
        registryURL: quay.io/kubermatic/applications
        # Tag specifies the version tag for ApplicationDefinitions in the OCI registry.
        # Example: v1.0.0
        tag: 7fd8340dc8f0b3f6aae519301a1c9f8aff34d939
      # Resources describes the requested and maximum allowed CPU/memory usage.
      resources:
        # Claims lists the names of resources, defined in spec.resourceClaims,
        # that are used by this container.
        # This is an alpha field and requires enabling the
        # DynamicResourceAllocation feature gate.
        # This field is immutable. It can only be set for containers.
        claims: null
        # Limits describes the maximum amount of compute resources allowed.
        # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
        limits: null
        # Requests describes the minimum amount of compute resources required.
        # If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
        # otherwise to an implementation-defined value. Requests cannot exceed Limits.
        # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
        requests: null
    # DefaultApplicationCatalog contains configuration for the default application catalog.
    defaultApplicationCatalog:
      # Applications is a list of application definition names that should be installed in the master cluster.
      # If not set, all the applications from the catalog are installed.
      applications: null
      # Enable is used to enable the installation of application definitions in the master cluster.
      enable: false
      # HelmRegistryConfigFile optionally holds the ref and key in the secret for the OCI registry credential file.
      # The value is dockercfg file that follows the same format rules as ~/.docker/config.json
      # The Secret must exist in the namespace where KKP is installed (default is "kubermatic").
      # The Secret must be annotated with `apps.kubermatic.k8c.io/secret-type:` set to "helm".
      helmRegistryConfigFile: null
      # HelmRepository specifies OCI repository containing Helm charts of Applications from the default application catalog e.g. oci://localhost:5000/myrepo.
      helmRepository: ""
    # SystemApplications contains configuration for system applications.
    systemApplications:
      # Applications is a list of application definition names that should be installed in the master cluster.
      # If not set, all the applications from the catalog are installed.
      applications: null
      # Disable is used to disable the installation of system application definitions in the master cluster.
      disable: false
  # Auth defines keys and URLs for Dex. These must be defined unless the HeadlessInstallation
  # feature gate is set, which will disable the UI/API and its need for an OIDC provider entirely.
  auth:
    clientID: kubermatic
    issuerClientID: kubermaticIssuer
    issuerClientSecret: ""
    issuerCookieKey: ""
    issuerRedirectURL: https://example.com/api/v1/kubeconfig
    serviceAccountKey: ""
    skipTokenIssuerTLSVerify: false
    tokenIssuer: https://example.com/dex
  # CABundle references a ConfigMap in the same namespace as the KubermaticConfiguration.
  # This ConfigMap must contain a ca-bundle.pem with PEM-encoded certificates. This bundle
  # automatically synchronized into each seed and each usercluster. APIGroup and Kind are
  # currently ignored.
  caBundle:
    # APIGroup is the group for the resource being referenced.
    # If APIGroup is not specified, the specified Kind must be in the core API group.
    # For any other third-party types, APIGroup is required.
    apiGroup: null
    # Kind is the type of resource being referenced
    kind: ""
    # Name is the name of resource being referenced
    name: ca-bundle
  # ExposeStrategy is the strategy to expose the cluster with.
  # Note: The `seed_dns_overwrite` setting of a Seed's datacenter doesn't have any effect
  # if this is set to LoadBalancerStrategy.
  exposeStrategy: NodePort
  # FeatureGates are used to optionally enable certain features.
  featureGates:
    EtcdLauncher: true
  # ImagePullSecret is used to authenticate against Docker registries.
  imagePullSecret: ""
  # Ingress contains settings for making the API and UI accessible remotely.
  ingress:
    # CertificateIssuer is the name of a cert-manager Issuer or ClusterIssuer (default)
    # that will be used to acquire the certificate for the configured domain.
    # To use a namespaced Issuer, set the Kind to "Issuer" and manually create the
    # matching Issuer in Kubermatic's namespace.
    # Setting an empty name disables the automatic creation of certificates and disables
    # the TLS settings on the Kubermatic Ingress.
    certificateIssuer:
      # APIGroup is the group for the resource being referenced.
      # If APIGroup is not specified, the specified Kind must be in the core API group.
      # For any other third-party types, APIGroup is required.
      apiGroup: null
      # Kind is the type of resource being referenced
      kind: ClusterIssuer
      # Name is the name of resource being referenced
      name: ""
    # ClassName is the Ingress resource's class name, used for selecting the appropriate
    # ingress controller.
    className: nginx
    # Disable will prevent an Ingress from being created at all. This is mostly useful
    # during testing. If the Ingress is disabled, the CertificateIssuer setting can also
    # be left empty, as no Certificate resource will be created.
    disable: false
    # Domain is the base domain where the dashboard shall be available. Even with
    # a disabled Ingress, this must always be a valid hostname.
    domain: example.com
    # NamespaceOverride need to be set if a different ingress-controller is used than the KKP default one.
    namespaceOverride: ""
  # MasterController configures the master-controller-manager.
  masterController:
    # DebugLog enables more verbose logging.
    debugLog: false
    # DockerRepository is the repository containing the Kubermatic master-controller-manager image.
    dockerRepository: quay.io/kubermatic/kubermatic
    # PProfEndpoint controls the port the master-controller-manager should listen on to provide pprof
    # data. This port is never exposed from the container and only available via port-forwardings.
    pprofEndpoint: :6600
    # ProjectsMigrator configures the migrator for user projects.
    projectsMigrator:
      # DryRun makes the migrator only log the actions it would take.
      dryRun: false
    # Replicas sets the number of pod replicas for the master-controller-manager.
    replicas: 1
    # Resources describes the requested and maximum allowed CPU/memory usage.
    resources:
      # Claims lists the names of resources, defined in spec.resourceClaims,
      # that are used by this container.
      # This is an alpha field and requires enabling the
      # DynamicResourceAllocation feature gate.
      # This field is immutable. It can only be set for containers.
      claims: null
      # Limits describes the maximum amount of compute resources allowed.
      # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
      limits:
        cpu: "1"
        memory: 400Mi
      # Requests describes the minimum amount of compute resources required.
      # If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
      # otherwise to an implementation-defined value. Requests cannot exceed Limits.
      # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
      requests:
        cpu: 200m
        memory: 128Mi
  # MirrorImages is a list of container images that will be mirrored with the `kubermatic-installer mirror-images` command.
  # Each entry should be in the format "repository:tag".
  mirrorImages: null
  # Proxy allows to configure Kubermatic to use proxies to talk to the
  # world outside of its cluster.
  proxy:
    # HTTP is the full URL to the proxy to use for plaintext HTTP
    # connections, e.g. "http://internalproxy.example.com:8080".
    http: ""
    # HTTPS is the full URL to the proxy to use for encrypted HTTPS
    # connections, e.g. "http://secureinternalproxy.example.com:8080".
    https: ""
    # NoProxy is a comma-separated list of hostnames / network masks
    # for which no proxy shall be used. If you make use of proxies,
    # this list should contain all local and cluster-internal domains
    # and networks, e.g. "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,mydomain".
    # The operator will always prepend the following elements to this
    # list if proxying is configured (i.e. HTTP/HTTPS are not empty):
    # "127.0.0.1/8", "localhost", ".local", ".local.", "kubernetes", ".default", ".svc"
    noProxy: ""
  # SeedController configures the seed-controller-manager.
  seedController:
    # Deprecated: BackupCleanupContainer is the container used for removing expired backups from the storage location.
    # This field is a no-op and is no longer used. The old backup controller it was used for has been
    # removed. Do not set this field.
    backupCleanupContainer: ""
    # BackupCount specifies the maximum number of backups to retain (defaults to DefaultKeptBackupsCount).
    # Oldest backups are automatically deleted when this limit is exceeded. Only applies when Schedule is configured.
    backupCount: null
    # BackupDeleteContainer is the container used for deleting etcd snapshots from a backup location.
    backupDeleteContainer: |2
      name: delete-container
      image: d3fk/s3cmd@sha256:fb4c4dcf3b842c3d0ead58bda26d05d045b77546e11ac2143d90abca02cbe823
      command:
      - /bin/sh
      - -c
      - |
        SSL_FLAGS="--ca-certs=/etc/ca-bundle/ca-bundle.pem"
        if [ "${INSECURE:-false}" == "true" ]; then
          SSL_FLAGS="--no-ssl"
        fi
        s3cmd $SSL_FLAGS \
          --access_key=$ACCESS_KEY_ID \
          --secret_key=$SECRET_ACCESS_KEY \
          --host=$ENDPOINT \
          --host-bucket='%(bucket).'$ENDPOINT \
          del s3://$BUCKET_NAME/$CLUSTER-$BACKUP_TO_DELETE
        case $? in
        12)
          # backup no longer exists, which is fine
          exit 0
          ;;
        0)
          exit 0
          ;;
        *)
          exit $?
          ;;
        esac
    # BackupInterval defines the time duration between consecutive etcd backups.
    # Must be a valid time.Duration string format. Only takes effect when backup scheduling is enabled.
    backupInterval: 0s
    # BackupStoreContainer is the container used for shipping etcd snapshots to a backup location.
    backupStoreContainer: |2
      name: store-container
      image: d3fk/s3cmd@sha256:fb4c4dcf3b842c3d0ead58bda26d05d045b77546e11ac2143d90abca02cbe823
      command:
      - /bin/sh
      - -c
      - |
        set -e
        SSL_FLAGS="--ca-certs=/etc/ca-bundle/ca-bundle.pem"
        if [ "${INSECURE:-false}" == "true" ]; then
          SSL_FLAGS="--no-ssl"
        fi
        s3cmd $SSL_FLAGS \
          --access_key=$ACCESS_KEY_ID \
          --secret_key=$SECRET_ACCESS_KEY \
          --host=$ENDPOINT \
          --host-bucket='%(bucket).'$ENDPOINT \
          put /backup/snapshot.db.gz s3://$BUCKET_NAME/$CLUSTER-$BACKUP_TO_CREATE
      volumeMounts:
      - name: etcd-backup
        mountPath: /backup
    # DebugLog enables more verbose logging.
    debugLog: false
    # DisabledCollectors contains a list of metrics collectors that should be disabled.
    # Acceptable values are "Addon", "Cluster", "ClusterBackup", "Project", and "None".
    disabledCollectors: null
    # DockerRepository is the repository containing the Kubermatic seed-controller-manager image.
    dockerRepository: quay.io/kubermatic/kubermatic
    # MaximumParallelReconciles limits the number of cluster reconciliations
    # that are active at any given time.
    maximumParallelReconciles: 10
    # PProfEndpoint controls the port the seed-controller-manager should listen on to provide pprof
    # data. This port is never exposed from the container and only available via port-forwardings.
    pprofEndpoint: :6600
    # Replicas sets the number of pod replicas for the seed-controller-manager.
    replicas: 1
    # Resources describes the requested and maximum allowed CPU/memory usage.
    resources:
      # Claims lists the names of resources, defined in spec.resourceClaims,
      # that are used by this container.
      # This is an alpha field and requires enabling the
      # DynamicResourceAllocation feature gate.
      # This field is immutable. It can only be set for containers.
      claims: null
      # Limits describes the maximum amount of compute resources allowed.
      # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
      limits:
        cpu: "1"
        memory: 1Gi
      # Requests describes the minimum amount of compute resources required.
      # If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
      # otherwise to an implementation-defined value. Requests cannot exceed Limits.
      # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
      requests:
        cpu: 200m
        memory: 100Mi
  # UI configures the dashboard.
  ui:
    # Config sets flags for various dashboard features.
    config: ""
    # DockerRepository is the repository containing the Kubermatic dashboard image.
    dockerRepository: quay.io/kubermatic/dashboard
    # DockerTagSuffix is appended to the KKP version used for referring to the custom dashboard image.
    # If left empty, either the `DockerTag` if specified or the original dashboard Docker image tag will be used.
    # With DockerTagSuffix the tag becomes <KKP_VERSION-SUFFIX> i.e. "v2.15.0-SUFFIX".
    dockerTagSuffix: ""
    # ExtraVolumeMounts allows to mount additional volumes into the UI container.
    extraVolumeMounts: null
    # ExtraVolumes allows to mount additional volumes into the UI container.
    extraVolumes: null
    # Replicas sets the number of pod replicas for the UI deployment.
    replicas: 2
    # Resources describes the requested and maximum allowed CPU/memory usage.
    resources:
      # Claims lists the names of resources, defined in spec.resourceClaims,
      # that are used by this container.
      # This is an alpha field and requires enabling the
      # DynamicResourceAllocation feature gate.
      # This field is immutable. It can only be set for containers.
      claims: null
      # Limits describes the maximum amount of compute resources allowed.
      # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
      limits:
        cpu: 250m
        memory: 128Mi
      # Requests describes the minimum amount of compute resources required.
      # If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
      # otherwise to an implementation-defined value. Requests cannot exceed Limits.
      # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
      requests:
        cpu: 100m
        memory: 64Mi
  # UserCluster configures various aspects of the user-created clusters.
  userCluster:
    # Addons controls the optional additions installed into each user cluster.
    addons:
      # Default is the list of addons to be installed by default into each cluster.
      # Mutually exclusive with "defaultManifests".
      default: null
      # DefaultManifests is a list of addon manifests to install into all clusters.
      # Mutually exclusive with "default".
      defaultManifests: |-
        apiVersion: v1
        kind: List
        items:
        - apiVersion: kubermatic.k8c.io/v1
          kind: Addon
          metadata:
            name: canal
            labels:
              addons.kubermatic.io/ensure: true
        - apiVersion: kubermatic.k8c.io/v1
          kind: Addon
          metadata:
            name: csi
            labels:
              addons.kubermatic.io/ensure: true
        - apiVersion: kubermatic.k8c.io/v1
          kind: Addon
          metadata:
            name: kube-proxy
            labels:
              addons.kubermatic.io/ensure: true
        - apiVersion: kubermatic.k8c.io/v1
          kind: Addon
          metadata:
            name: openvpn
            labels:
              addons.kubermatic.io/ensure: true
        - apiVersion: kubermatic.k8c.io/v1
          kind: Addon
          metadata:
            name: rbac
            labels:
              addons.kubermatic.io/ensure: true
        - apiVersion: kubermatic.k8c.io/v1
          kind: Addon
          metadata:
            name: kubeadm-configmap
            labels:
              addons.kubermatic.io/ensure: true
        - apiVersion: kubermatic.k8c.io/v1
          kind: Addon
          metadata:
            name: kubelet-configmap
            labels:
              addons.kubermatic.io/ensure: true
        - apiVersion: kubermatic.k8c.io/v1
          kind: Addon
          metadata:
            name: default-storage-class
        - apiVersion: kubermatic.k8c.io/v1
          kind: Addon
          metadata:
            name: aws-node-termination-handler
            labels:
              addons.kubermatic.io/ensure: true
        - apiVersion: kubermatic.k8c.io/v1
          kind: Addon
          metadata:
            name: azure-cloud-node-manager
            labels:
              addons.kubermatic.io/ensure: true
      # DockerRepository is the repository containing the Docker image containing
      # the possible addon manifests.
      dockerRepository: quay.io/kubermatic/addons
      # DockerTagSuffix is appended to the tag used for referring to the addons image.
      # If left empty, the tag will be the KKP version (e.g. "v2.15.0"), with a
      # suffix it becomes "v2.15.0-SUFFIX".
      dockerTagSuffix: ""
    # APIServerReplicas configures the replica count for the API-Server deployment inside user clusters.
    apiserverReplicas: 2
    # Applications contains configuration for default Application settings.
    applications:
      # Namespace is the namespace which is set as the default for applications installed via ui
      # If left empty the default for the application installation namespace is the name of the resource itself
      namespace: ""
    # DisableAPIServerEndpointReconciling can be used to toggle the `--endpoint-reconciler-type` flag for
    # the Kubernetes API server.
    disableApiserverEndpointReconciling: false
    # DNATControllerDockerRepository is the repository containing the
    # dnat-controller image.
    dnatControllerDockerRepository: quay.io/kubermatic/kubeletdnat-controller
    # EtcdLauncherDockerRepository is the repository containing the Kubermatic
    # etcd-launcher image.
    etcdLauncherDockerRepository: quay.io/kubermatic/etcd-launcher
    # EtcdVolumeSize configures the volume size to use for each etcd pod inside user clusters.
    etcdVolumeSize: 5Gi
    # KubermaticDockerRepository is the repository containing the Kubermatic user-cluster-controller-manager image.
    kubermaticDockerRepository: quay.io/kubermatic/kubermatic
    # MachineController configures the Machine Controller
    machineController:
      # ImageRepository is used to override the Machine Controller image repository.
      # It is only for development, tests and PoC purposes. This field must not be set in production environments.
      imageRepository: ""
      # ImageTag is used to override the Machine Controller image.
      # It is only for development, tests and PoC purposes. This field must not be set in production environments.
      imageTag: ""
    # Monitoring can be used to fine-tune to in-cluster Prometheus.
    monitoring:
      # CustomRules can be used to inject custom recording and alerting rules. This field
      # must be a YAML-formatted string with a `group` element at its root, as documented
      # on https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/.
      # This value is treated as a Go template, which allows to inject dynamic values like
      # the internal cluster address or the cluster ID. Refer to pkg/resources/prometheus
      # and the documentation for more information on the available fields.
      customRules: ""
      # CustomScrapingConfigs can be used to inject custom scraping rules. This must be a
      # YAML-formatted string containing an array of scrape configurations as documented
      # on https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config.
      # This value is treated as a Go template, which allows to inject dynamic values like
      # the internal cluster address or the cluster ID. Refer to pkg/resources/prometheus
      # and the documentation for more information on the available fields.
      customScrapingConfigs: ""
      # DisableDefaultRules disables the recording and alerting rules.
      disableDefaultRules: false
      # DisableDefaultScrapingConfigs disables the default scraping targets.
      disableDefaultScrapingConfigs: false
      # ScrapeAnnotationPrefix (if set) is used to make the in-cluster Prometheus scrape pods
      # inside the user clusters.
      scrapeAnnotationPrefix: monitoring.kubermatic.io
    # NodePortRange is the port range for user clusters - this must match the NodePort
    # range of the seed cluster.
    nodePortRange: 30000-32767
    # OperatingSystemManager configures the image repo and the tag version for osm deployment.
    operatingSystemManager:
      # DisableDefaultOperatingSystemProfiles setting this property to true, would disable the creation of OSMs default
      # OperatingSystemProfiles and users would need to provide a CustomOperatingSystemProfile to configure user clusters
      # worker nodes.
      disableDefaultOperatingSystemProfiles: false
      # ImageRepository is used to override the OperatingSystemManager image repository.
      # It is recommended to use this field only for development, tests and PoC purposes. For production environments.
      # it is not recommended, to use this field due to compatibility with the overall KKP stack.
      imageRepository: ""
      # ImageTag is used to override the OperatingSystemManager image.
      # It is recommended to use this field only for development, tests and PoC purposes. For production environments.
      # it is not recommended, to use this field due to compatibility with the overall KKP stack.
      imageTag: ""
    # OverwriteRegistry specifies a custom Docker registry which will be used for all images
    # used for user clusters (user cluster control plane + addons). This also applies to
    # the KubermaticDockerRepository and DNATControllerDockerRepository fields.
    overwriteRegistry: ""
    # SystemApplications contains configuration for system Applications (such as CNI).
    systemApplications:
      # HelmRegistryConfigFile optionally holds the ref and key in the secret for the OCI registry credential file.
      # The value is dockercfg file that follows the same format rules as ~/.docker/config.json
      # The Secret must exist in the namespace where KKP is installed (default is "kubermatic").
      # The Secret must be annotated with `apps.kubermatic.k8c.io/secret-type:` set to "helm".
      helmRegistryConfigFile: null
      # HelmRepository specifies OCI repository containing Helm charts of system Applications e.g. oci://localhost:5000/myrepo.
      helmRepository: ""
  # Versions configures the available and default Kubernetes versions and updates.
  versions:
    # Default is the default version to offer users.
    default: v1.33.5
    # ExternalClusters contains the available and default Kubernetes versions and updates for ExternalClusters.
    externalClusters:
      aks:
        # Default is the default version to offer users.
        default: v1.31
        # Updates is a list of available upgrades.
        updates: null
        # Versions lists the available versions.
        versions:
          - v1.31
      eks:
        # Default is the default version to offer users.
        default: v1.31
        # Updates is a list of available upgrades.
        updates: null
        # Versions lists the available versions.
        versions:
          - v1.31
    # ProviderIncompatibilities lists all the Kubernetes version incompatibilities
    providerIncompatibilities:
      - # Condition is the cluster or datacenter condition that must be met to block a specific version
        condition: inTreeProvider
        # Operation is the operation triggering the compatibility check (CREATE or UPDATE)
        operation: UPGRADE
        # Provider to which to apply the compatibility check.
        # Empty string matches all providers
        provider: ""
        # Version is the Kubernetes version that must be checked. Wildcards are allowed, e.g. "1.25.*".
        version: '>= 1.29.0'
    # Updates is a list of available and automatic upgrades.
    # All 'to' versions must be configured in the version list for this orchestrator.
    # Each update may optionally be configured to be 'automatic: true', in which case the
    # controlplane of all clusters whose version matches the 'from' directive will get
    # updated to the 'to' version. If automatic is enabled, the 'to' version must be a
    # version and not a version range.
    # Also, updates may set 'automaticNodeUpdate: true', in which case Nodes will get
    # updates as well. 'automaticNodeUpdate: true' implies 'automatic: true' as well,
    # because Nodes may not have a newer version than the controlplane.
    updates:
      - # Automatic controls whether this update is executed automatically
        # for the control plane of all matching user clusters.
        automatic: false
        # Automatic controls whether this update is executed automatically
        # for the worker nodes of all matching user clusters.
        automaticNodeUpdate: false
        # From is the version from which an update is allowed. Wildcards are allowed, e.g. "1.18.*".
        from: 1.31.*
        # To is the version to which an update is allowed.
        # Must be a valid version if `automatic` is set to true, e.g. "1.20.13".
        # Can be a wildcard otherwise, e.g. "1.20.*".
        to: 1.31.*
      - from: 1.31.*
        to: 1.32.*
      - from: 1.32.*
        to: 1.32.*
      - from: 1.32.*
        to: 1.33.*
      - from: 1.33.*
        to: 1.33.*
      - from: 1.33.*
        to: 1.34.*
      - from: 1.34.*
        to: 1.34.*
    # Versions lists the available versions.
    versions:
      - v1.31.1
      - v1.31.5
      - v1.31.7
      - v1.31.8
      - v1.31.10
      - v1.31.11
      - v1.31.13
      - v1.32.1
      - v1.32.3
      - v1.32.4
      - v1.32.6
      - v1.32.7
      - v1.32.9
      - v1.33.0
      - v1.33.2
      - v1.33.3
      - v1.33.5
      - v1.34.1
  # VerticalPodAutoscaler configures the Kubernetes VPA integration.
  verticalPodAutoscaler:
    admissionController:
      # DockerRepository is the repository containing the component's image.
      dockerRepository: registry.k8s.io/autoscaling/vpa-admission-controller
      # Resources describes the requested and maximum allowed CPU/memory usage.
      resources:
        # Claims lists the names of resources, defined in spec.resourceClaims,
        # that are used by this container.
        # This is an alpha field and requires enabling the
        # DynamicResourceAllocation feature gate.
        # This field is immutable. It can only be set for containers.
        claims: null
        # Limits describes the maximum amount of compute resources allowed.
        # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
        limits:
          cpu: 200m
          memory: 512Mi
        # Requests describes the minimum amount of compute resources required.
        # If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
        # otherwise to an implementation-defined value. Requests cannot exceed Limits.
        # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
        requests:
          cpu: 50m
          memory: 128Mi
    recommender:
      # DockerRepository is the repository containing the component's image.
      dockerRepository: registry.k8s.io/autoscaling/vpa-recommender
      # Resources describes the requested and maximum allowed CPU/memory usage.
      resources:
        # Claims lists the names of resources, defined in spec.resourceClaims,
        # that are used by this container.
        # This is an alpha field and requires enabling the
        # DynamicResourceAllocation feature gate.
        # This field is immutable. It can only be set for containers.
        claims: null
        # Limits describes the maximum amount of compute resources allowed.
        # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
        limits:
          cpu: 200m
          memory: 3Gi
        # Requests describes the minimum amount of compute resources required.
        # If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
        # otherwise to an implementation-defined value. Requests cannot exceed Limits.
        # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
        requests:
          cpu: 50m
          memory: 512Mi
    updater:
      # DockerRepository is the repository containing the component's image.
      dockerRepository: registry.k8s.io/autoscaling/vpa-updater
      # Resources describes the requested and maximum allowed CPU/memory usage.
      resources:
        # Claims lists the names of resources, defined in spec.resourceClaims,
        # that are used by this container.
        # This is an alpha field and requires enabling the
        # DynamicResourceAllocation feature gate.
        # This field is immutable. It can only be set for containers.
        claims: null
        # Limits describes the maximum amount of compute resources allowed.
        # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
        limits:
          cpu: 200m
          memory: 512Mi
        # Requests describes the minimum amount of compute resources required.
        # If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
        # otherwise to an implementation-defined value. Requests cannot exceed Limits.
        # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
        requests:
          cpu: 50m
          memory: 128Mi
  # Webhook configures the webhook.
  webhook:
    # DebugLog enables more verbose logging.
    debugLog: false
    # DockerRepository is the repository containing the Kubermatic webhook image.
    dockerRepository: quay.io/kubermatic/kubermatic
    # PProfEndpoint controls the port the webhook should listen on to provide pprof
    # data. This port is never exposed from the container and only available via port-forwardings.
    pprofEndpoint: :6600
    # Replicas sets the number of pod replicas for the webhook.
    replicas: 1
    # Resources describes the requested and maximum allowed CPU/memory usage.
    resources:
      # Claims lists the names of resources, defined in spec.resourceClaims,
      # that are used by this container.
      # This is an alpha field and requires enabling the
      # DynamicResourceAllocation feature gate.
      # This field is immutable. It can only be set for containers.
      claims: null
      # Limits describes the maximum amount of compute resources allowed.
      # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
      limits:
        cpu: 250m
        memory: 256Mi
      # Requests describes the minimum amount of compute resources required.
      # If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
      # otherwise to an implementation-defined value. Requests cannot exceed Limits.
      # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
      requests:
        cpu: 50m
        memory: 64Mi
status:
  # KubermaticEdition current Kubermatic Edition , i.e. Community Edition or Enterprise Edition.
  kubermaticEdition: ""
  # KubermaticVersion current Kubermatic Version.
  kubermaticVersion: ""