Fluss Helm Chart – Additional Notes
On this page
Fluss Helm Chart - Additional Notes
Overview
The fluss-bundle chart wraps the upstream Apache Fluss Helm chart. For the canonical reference of every configurable field under the fluss: block (values, defaults, and sub-keys), see the official Fluss Helm Chart documentation.
This manual collects behaviors and patterns that are useful in practice but are not covered by the upstream reference. Each section calls out clearly whether it relies on documented Fluss behavior or on an implementation detail of the Fluss Docker image.
Environment-Variable Substitution in server.yaml
The Fluss Docker image's entrypoint script runs envsubst over the rendered /opt/fluss/conf/server.yaml before starting the server. This expands shell-style ${VAR} references to the values of pod environment variables, letting you source individual configuration values from a Kubernetes Secret (or any other env-var producer) instead of placing them directly in values.yaml.
Undocumented behavior.
his envsubst pass lives in the Fluss Docker image's docker-entrypoint.sh and is not part of Fluss's public configuration contract. It works today, but upstream may change or remove it without notice. Where a documented alternative exists — for example, an SDK's native credential-chain support for environment variables, or a secrets-management tool that injects values at Helm-render time (External Secrets Operator, Vault Agent, sealed-secrets, etc.) — prefer that path. Use the substitution mechanism described here when no documented alternative is available.
How It Works
- Helm renders the configurationOverrides block into a ConfigMap mounted at /opt/fluss/conf/server.yaml. The literal string ${VAR} passes through unchanged. Helm's templating only touches Go template syntax ({{ ... }}).
- The pod has the env var VAR set using extraEnv (single keys) or envFrom (whole Secret or ConfigMap). Both the coordinator and tablet pods need it.
- On container start, the entrypoint runs envsubst < server.yaml > server.yaml.tmp && mv server.yaml.tmp server.yaml. Each ${VAR} is replaced with the env var's value.
- Fluss reads the substituted server.yaml and starts.
Requirements
- Use POSIX shell syntax: ${VAR}. The Kubernetes pod-spec form $(VAR) does not work here. That form is only expanded by Kubernetes inside container command, args, and env.value, not in mounted ConfigMap files.
- The env var must exist in the pod through extraEnv or envFrom. Apply the same env-var injection to both fluss.coordinator and fluss.tablet.
Example
Inject a value from a Kubernetes Secret and reference it in configurationOverrides:
fluss:
coordinator:
extraEnv:
- name: MY_CONFIG_VALUE
valueFrom:
secretKeyRef:
name: my-secret
key: my-value
tablet:
extraEnv:
- name: MY_CONFIG_VALUE
valueFrom:
secretKeyRef:
name: my-secret
key: my-value
configurationOverrides:
some.config.key: ${MY_CONFIG_VALUE}
After substitution, the rendered server config contains some.config.key: <value-from-secret>.
To pull every key from a Secret at once, use envFrom:
fluss:
coordinator:
envFrom:
- secretRef:
name: my-secret
tablet:
envFrom:
- secretRef:
name: my-secret
The same pattern applies to ConfigMap sources using configMapRef.
When the Substitution Does Not Run
The entrypoint's envsubst pass runs unconditionally on container start. It does not run if you bypass the entrypoint (for example, by overriding command to a shell that invokes the server binaries directly), and it has no effect on values you set outside server.yaml (such as JVM flags via FLUSS_ENV_JAVA_OPTS.
Further Reading
- Fluss Helm Chart Documentation — canonical reference for the chart's configurable fields
- Apache Fluss Documentation — upstream reference
- External Secrets Operator — example of a Helm-render-time secret-injection tool