# Advanced Control Plane Configurations ## Helm Chart Values The NVIDIA Run:ai control plane installation can be customized to support your environment via Helm [values files](https://helm.sh/docs/chart_template_guide/values_files/) or [Helm install](https://helm.sh/docs/helm/helm_install/) flags. Make sure to restart the relevant NVIDIA Run:ai pods so they can fetch the new configurations. | Key | Change | Description | | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `global.ingress.ingressClass` | Ingress class | NVIDIA Run:ai uses NGINX as the default ingress controller. If your cluster has a different ingress controller, you can configure the ingress class to be created by NVIDIA Run:ai. | | `global.ingress.tlsSecretName` | TLS secret name | NVIDIA Run:ai requires the creation of a secret with [domain certificate](https://run-ai-docs.nvidia.com/self-hosted/2.22/getting-started/installation/install-using-helm/cp-system-requirements#fully-qualified-domain-name-fqdn). If the `runai-backend` namespace already had such a secret, you can set the secret name here | | `.podLabels` | Pod labels | Set NVIDIA Run:ai and 3rd party services' [Pod Labels ](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels)in a format of key/value pairs. | | .`.tolerations` | Pod tolerations | Set NVIDIA Run:ai and 3rd party services's [Pod Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) in a format of list. | |

\
resources:
limits:
    cpu: 500m
    memory: 512Mi
requests:
    cpu: 250m
    memory: 256Mi

| Pod request and limits | Set NVIDIA Run:ai and 3rd party services' resources | | `disableIstioSidecarInjection.enabled` | Disable Istio sidecar injection | Disable the automatic injection of Istio sidecars across the entire NVIDIA Run:ai Control Plane services. | | `global.affinity` | System nodes |

Sets the system nodes where NVIDIA Run:ai system-level services are scheduled.
Default: Prefer to schedule on nodes that are labeled with node-role.kubernetes.io/runai-system

| | `global.customCA.enabled` | Certificate authority | Enables the use of a custom Certificate Authority (CA) in your deployment. When set to `true`, the system is configured to trust a user-provided CA certificate for secure communication. | ## Additional Third-Party Configurations The NVIDIA Run:ai control plane chart includes multiple sub-charts of third-party components: * Data store- [PostgreSQL](https://artifacthub.io/packages/helm/bitnami/postgresql) (`postgresql`) * Metrics Store - [Thanos](https://artifacthub.io/packages/helm/bitnami/thanos) (`thanos`) * Identity & Access Management - [Keycloakx](https://artifacthub.io/packages/helm/codecentric/keycloakx) (`keycloakx`) * Analytics Dashboard - [Grafana](https://artifacthub.io/packages/helm/grafana/grafana) (`grafana`) * Caching, Queue - [NATS](https://artifacthub.io/packages/helm/bitnami/nats) (`nats`) {% hint style="info" %} **Note** Click on any component to view its chart values and configurations. {% endhint %} ### PostgreSQL If you have opted to connect to an [external PostgreSQL database](https://run-ai-docs.nvidia.com/self-hosted/2.22/getting-started/installation/install-using-helm/cp-system-requirements#external-postgres-database-optional), refer to the additional configurations table below. Adjust the following parameters based on your connection details: 1. Disable PostgreSQL deployment - `postgresql.enabled` 2. NVIDIA Run:ai connection details - `global.postgresql.auth` 3. Grafana connection details - `grafana.dbUser`, `grafana.dbPassword` | Key | Change | Description | | --------------------------------------------- | --------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `postgresql.enabled` | PostgreSQL installation | If set to `false`, PostgreSQL will not be installed. | | `global.postgresql.auth.host` | PostgreSQL host | Hostname or IP address of the PostgreSQL server. | | `global.postgresql.auth.port` | PostgreSQL port | Port number on which PostgreSQL is running. | | `global.postgresql.auth.username` | PostgreSQL username | Username for connecting to PostgreSQL. | | `global.postgresql.auth.password` | PostgreSQL password | Password for the PostgreSQL user specified by `global.postgresql.auth.username`. | | `global.postgresql.auth.postgresPassword` | PostgreSQL default admin password | Password for the built-in PostgreSQL superuser (`postgres`). | | `global.postgresql.auth.existingSecret` | Postgres Credentials (secret) | Existing secret name with authentication credentials. | | `global.postgresql.auth.dbSslMode` | Postgres connection SSL mode | Set the SSL mode. See the full list in [Protection Provided in Different Modes](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-PROTECTION). `Prefer` mode is not supported. | | `postgresql.primary.initdb.password` | PostgreSQL default admin password | Set the same password as in `global.postgresql.auth.postgresPassword` (if changed). | | `postgresql.primary.persistence.storageClass` | Storage class | The installation is configured to work with a specific storage class instead of the default one. | ### Thanos {% hint style="info" %} **Note** This section applies to Kubernetes only. {% endhint %} | Key | Change | Description | | ----------------------------------------- | ------------- | ------------------------------------------------------------------------------------------------ | | `thanos.receive.persistence.storageClass` | Storage class | The installation is configured to work with a specific storage class instead of the default one. | ### Keycloakx The `keycloakx.adminUser` can only be set during the initial installation. The admin password can be changed later through the Keycloak UI, but you must also update the `keycloakx.adminPassword` value in the Helm chart using `helm upgrade`. See [Changing Keycloak admin password](#changing-keycloak-admin-password) for more details. | Key | Change | Description | | -------------------------- | ------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | | `keycloakx.adminUser` | User name of the internal identity provider administrator | Defines the username for the Keycloak administrator. This can only be set during the initial installation. | | `keycloakx.adminPassword` | Password of the internal identity provider administrator | Defines the password for the Keycloak administrator. | | `keycloakx.existingSecret` | Keycloakx credentials (secret) | Existing secret name with authentication credentials. | | `global.keycloakx.host` | Keycloak (NVIDIA Run:ai internal identity provider) host path | Overrides the DNS for Keycloak. This can be used to access access Keycloak externally to the cluster. | #### Changing Keycloak Admin Password You can change the Keycloak admin password after deployment by performing the following steps: 1. Open the Keycloak UI at: `https:///auth` 2. Sign in with your existing admin credentials as configured in your Helm values 3. Go to **Users** and select **admin** (or your admin username) 4. Open **Credentials** → **Reset password** 5. Set the new password and click **Save** 6. Update the `keycloakx.adminPassword` value using the `helm upgrade` command to match the password you set in the Keycloak UI {% hint style="info" %} **Note** Failing to update the Helm values after changing the password can lead to control plane services encountering errors. {% endhint %} ### Grafana | Key | Change | Description | | ------------------------------ | ------------------------------------------------ | ------------------------------------------------------------------- | | `grafana.db.existingSecret` | Grafana database connection credentials (secret) | Existing secret name with authentication credentials. | | `grafana.dbUser` | Grafana database username | Username for accessing the Grafana database. | | `grafana.dbPassword` | Grafana database password | Password for the Grafana database user. | | `grafana.admin.existingSecret` | Grafana admin default credentials (secret) | Existing secret name with authentication credentials. | | `grafana.adminUser` | Grafana username | Override the NVIDIA Run:ai default user name for accessing Grafana. | | `grafana.adminPassword` | Grafana password | Override the NVIDIA Run:ai default password for accessing Grafana. |