Default Values

Purpose: For platform engineers, provides every default configuration value organized by source, with override instructions.

Default values come from three sources. Understanding which source owns a default helps when troubleshooting unexpected behavior.

Source	Description	Where to change
CLI defaults	Values applied by opencenter cluster init. Defined in internal/config/defaults.go and internal/config/defaults/ (provider-region registry).	Config file or --set flag
Kubespray defaults	Values applied during Kubernetes deployment by Kubespray Ansible playbooks. Defined in generated group_vars/ inventory files.	Kubespray inventory group_vars/
GitOps-base defaults	Values applied by Helm charts in the openCenter-gitops-base repository. Each service has hardened default values in its helm-values/ directory.	Kustomize overlay override-values.yaml

Kubernetes Defaults

CLI Defaults

Applied by opencenter cluster init. Source: internal/config/defaults.go → defaultConfig().

Field	Default	YAML Path
Kubernetes version	1.33.5	opencenter.cluster.kubernetes.version
Kubespray version	v2.29.1	opencenter.cluster.kubernetes.kubespray_version
API port	443	opencenter.cluster.kubernetes.api_port
KubeVIP enabled	true	opencenter.cluster.kubernetes.kube_vip_enabled
Pod subnet	10.42.0.0/16	opencenter.cluster.kubernetes.subnet_pods
Service subnet	10.43.0.0/16	opencenter.cluster.kubernetes.subnet_services
CNI plugin	Calico (enabled)	opencenter.cluster.kubernetes.network_plugin.calico.enabled
Control plane count	3	opencenter.cluster.kubernetes.master_count
Worker count	2	opencenter.cluster.kubernetes.worker_count

Kubespray Defaults

Applied during cluster deployment via generated Kubespray inventory. These are set in group_vars/k8s_cluster/ and group_vars/all/ within the generated inventory directory.

Setting	Default	Inventory Variable
Container runtime	containerd	container_manager
DNS domain	cluster.local	dns_domain
Pod Security enforce	baseline	kube_pod_security_default_enforce
Pod Security audit	restricted	kube_pod_security_default_audit
Pod Security warn	restricted	kube_pod_security_default_warn
Admission controllers	PodSecurity, EventRateLimit, AlwaysPullImages	kube_apiserver_enable_admission_plugins
Audit logging	Enabled	kubernetes_audit
Encryption at rest	Enabled	kube_encrypt_secret_data

Kind Defaults

Kind uses a separate configuration template. Source: internal/config/defaults/kind.yaml.

Field	Default
Kubernetes version	1.30.4
Control plane count	1
Worker count	2
Pod subnet	10.244.0.0/16
Service subnet	10.96.0.0/16
Ingress controller	nginx
Registry enabled	false

Provider-Specific Defaults

OpenStack

CLI defaults from the provider-region registry. Source: internal/config/defaults/openstack.go.

Defaults vary by region. The table below shows SJC3 region values; other regions (DFW3, IAD3, ORD1) follow the same structure with region-specific image IDs and NTP servers.

Field	Default (SJC3)	YAML Path
Bastion flavor	gp.0.2.2	opencenter.infrastructure.compute.flavor_bastion
Control plane flavor	gp.0.4.8	opencenter.infrastructure.compute.flavor_master
Worker flavor	gp.0.4.16	opencenter.infrastructure.compute.flavor_worker
Windows worker flavor	gp.5.4.16	opencenter.infrastructure.compute.flavor_worker_windows
Storage class	csi-cinder-sc-delete	opencenter.infrastructure.storage.default_storage_class
Availability zones	az1, az2, az3	Provider-region registry
OS version	Ubuntu 24.04	opencenter.infrastructure.os_version

Available OpenStack regions: sjc3, dfw3, iad3, ord1.

VMware

VMware uses the same CLI defaults structure. Flavors and storage class are configured per-deployment since VMware environments vary.

Field	Default
Control plane count	3
Worker count	2

Baremetal

Baremetal uses the shared CLI defaults for Kubernetes versioning, node counts, networking, and security hardening. Host inventory remains operator-supplied.

Field	Default
Control plane count	3
Worker count	2
Provisioning model	Pre-provisioned hosts

AWS

Planned Provider

AWS provider support is planned for a future release and is not available in the GA provider set. The defaults below are draft compatibility values only. Documented GA providers: OpenStack, VMware, Baremetal, and Kind.

Source: internal/config/defaults/aws.go. Regions: us-east-1, us-west-2, eu-west-1.

Field	Default (us-east-1)
Bastion flavor	t3.small
Control plane flavor	t3.medium
Worker flavor	t3.large
Storage class	gp3

GCP

Planned Provider

GCP provider support is planned for a future release and is not available in the GA provider set. Documented GA providers: OpenStack, VMware, Baremetal, and Kind.

Source: internal/config/defaults/gcp.go. Regions: us-central1, europe-west1.

Field	Default (us-central1)
Bastion flavor	e2-small
Control plane flavor	e2-medium
Worker flavor	e2-standard-4
Storage class	standard-rwo

Azure

Planned Provider

Azure provider support is planned for a future release and is not available in the GA provider set. Documented GA providers: OpenStack, VMware, Baremetal, and Kind.

No default values defined yet. Azure-specific defaults will be added when the provider is implemented.

Security Defaults

These defaults span CLI and Kubespray sources.

Setting	Default	Source
Secrets backend	sops (Age-based encryption)	CLI
Age key rotation	90 days	CLI
SSH key rotation	180 days	CLI
OS hardening	Enabled	CLI (opencenter.cluster.networking.security.os_hardening)
K8s hardening	Enabled	CLI (opencenter.cluster.kubernetes.security.k8s_hardening)
Pod Security enforce	baseline	Kubespray
Pod Security audit	restricted	Kubespray
Audit logging	Enabled	Kubespray
Encryption at rest	Enabled	Kubespray
Admission controllers	PodSecurity, EventRateLimit, AlwaysPullImages	Kubespray

Service Defaults

Services are configured in the opencenter.services map. Source: internal/config/defaults.go → defaultConfig().

Enabled by Default

These services are enabled when opencenter cluster init runs with the default OpenStack provider:

Service	Enabled	Notes
calico	yes	Default CNI plugin
cert-manager	yes	TLS certificate automation
etcd-backup	yes	etcd backup to S3/Swift
external-snapshotter	yes	Volume snapshot support
fluxcd	yes	GitOps controller
gateway	yes	Gateway controller
gateway-api	yes	Gateway API CRDs
headlamp	yes	Cluster dashboard UI
keycloak	yes	Identity and access management
kube-prometheus-stack	yes	Monitoring (Prometheus, Grafana, Alertmanager)
kyverno	yes	Policy engine
loki	yes	Log aggregation
olm	yes	Operator Lifecycle Manager
openstack-ccm	yes	OpenStack cloud controller
openstack-csi	yes	OpenStack Cinder CSI driver
postgres-operator	yes	PostgreSQL operator
rbac-manager	yes	Declarative RBAC management
sources	yes	FluxCD GitRepository sources
tempo	yes	Distributed tracing
velero	yes	Backup and disaster recovery

Disabled by Default

Service	Enabled	Notes
vsphere-csi	no	Only for VMware environments
weave-gitops	no	Alternative GitOps UI
alert-proxy	no	Requires device ID, service token, and account number

GitOps-Base Service Versions

Service versions are pinned in the openCenter-gitops-base repository under applications/base/services/<service>/helm-values/. The CLI does not set service versions directly — it generates FluxCD GitRepository sources that reference a tagged release of openCenter-gitops-base.

To check or override a service version, inspect the HelmRelease in the gitops-base repository or add an override-values.yaml in your cluster overlay directory.

Overriding Defaults

Three methods, in order of precedence (highest first):

1. CLI --set flag: opencenter cluster init my-cluster --set opencenter.cluster.kubernetes.version=1.31.4
2. Config file edit: opencenter cluster edit my-cluster
3. Schema defaults: Applied automatically by opencenter cluster init

Values set via --set override config file values, which override schema defaults.

For Kubespray defaults, edit the generated inventory files in infrastructure/clusters/<cluster>/inventory/group_vars/.

For GitOps-base defaults, add an override-values.yaml in your cluster overlay at applications/overlays/<cluster>/services/<service>/.