Helm Values Schema
Purpose: For platform engineers, provides the three-tier values structure (base → component → overlay) with merge precedence.
Three-Tier Values Model
Helm values in openCenter follow a three-tier merge hierarchy. Each tier can override values from the tier below it.
Tier 1: Chart defaults (upstream chart's values.yaml)
↓ merged with
Tier 2: Base hardened values (openCenter-gitops-base/helm-values/)
↓ merged with
Tier 3: Cluster overlay values (customer repo override-values.yaml)
Tier 3 (cluster overlay) has the highest precedence.
Tier 2: Base Hardened Values
Located in openCenter-gitops-base at:
applications/base/services/<service>/helm-values/hardened-values-<version>.yaml
These files contain security-hardened defaults. Example for cert-manager:
# hardened-values-v1.18.2.yaml
installCRDs: true
replicaCount: 2
podSecurityContext:
runAsNonRoot: true
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
memory: 128Mi
The base values are referenced by the HelmRelease via valuesFrom:
spec:
valuesFrom:
- kind: ConfigMap
name: cert-manager-values
Tier 3: Cluster Overlay Values
Located in the customer repo at:
applications/overlays/<cluster>/services/<service>/override-values.yaml
Contains cluster-specific overrides. Only include fields that differ from the base:
# override-values.yaml
replicaCount: 3
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
memory: 256Mi
Merge Behavior
Helm performs a deep merge. Scalar values are replaced; maps are merged recursively; arrays are replaced entirely (not appended).
| Value type | Behavior |
|---|---|
| Scalar | Higher tier replaces lower tier |
| Map/Object | Keys merged recursively |
| Array/List | Higher tier replaces the entire array |
To remove a base value in the overlay, set it to null:
# Remove a specific annotation from base
podAnnotations:
prometheus.io/scrape: null
Viewing Resolved Values
To see the final merged values for a deployed release:
helm get values <release-name> -n <namespace> -a
To preview what FluxCD will apply without deploying:
flux diff kustomization <name> --path <local-path>
Adding Override Values
- Create the override file in the service overlay directory
- Reference it in the service's
kustomization.yamlas a ConfigMap generator or patch - Commit and push — FluxCD reconciles the change automatically
The HelmRelease in the base already includes valuesFrom entries. The overlay's kustomization.yaml patches additional values sources or replaces the ConfigMap content.