Installation and Configuration
On this page
Prerequisites
- Ververica Platform 3.1 or later deployed on Kubernetes
- The Kubernetes namespaces where you plan to create CRs must exist before you enable the operator
Install the CRD
The VvpDeployment CRD installs automatically as part of the Ververica Platform 3 Helm chart. No separate CRD installation is required.
The Ververica Platform 2 operator required the CRD to be installed from a separate chart. In Ververica Platform 3, the CRD ships with the main Helm chart.
Update the CRD After Upgrade
Helm installs the CRD automatically on the initial helm install, but does not update CRDs on subsequent helm upgrade operations. After each upgrade, apply the CRD manually to pick up any schema changes:
1kubectl apply -f charts/ververica-platform-crd/crds/vvpdeployments.yamlIf you installed from a packaged chart, extract it first:
1helm pull ververica/ververica-platform --version <version> --untar
2kubectl apply -f ververica-platform/charts/ververica-platform-crd/crds/
3rm -rf ververica-platform/kubectl apply is idempotent — this step is safe to run even if the CRD has not changed. If you skip this step, the CRD schema stays at the version from the initial install and you might see validation errors when using newer CR fields.
helm uninstall does not delete the CRD, so your existing CRs are preserved across uninstall and reinstall cycles.
Enable the Operator
The operator ships as part of the Ververica Platform 3 Helm chart and is disabled by default. To enable it, add the following to your Helm values. All three parameters are required:
1vvp-k8s-operator:
2 enabled: true
3 instanceId: "my-operator"
4 watchedNamespaces:
5 - my-deployment-namespaceMultiple Operator Instances
The Ververica Platform 3 operator supports multiple operator instances watching the same Kubernetes namespace. Each instance uses its instanceId to identify and reconcile only its own CRs. This allows multiple Ververica Platform installations to share a namespace without conflict.
The Ververica Platform 2 operator allowed only one operator instance per namespace. The Ververica Platform 3 operator removes this restriction.
RBAC
The Helm chart creates a ClusterRole with the necessary permissions and a RoleBinding in each watched namespace, bound to the operator's service account. The operator's permissions are limited to the minimum required:
- The main
ClusterRolegrants access only toVvpDeploymentcustom resources in theververica.platformAPI group. It cannot read, modify, or list any other Kubernetes resources such as Pods, Deployments, ConfigMaps, or Secrets. - A separate
ClusterRolegrants read and patch access to the operator's own webhook configuration, used only to inject the CA bundle for TLS. - A namespaced
Rolein the release namespace grants access to a single TLS Secret for certificate storage.
The RoleBinding-per-namespace design ensures the operator acts only on CRs in the namespaces listed in watchedNamespaces. No wildcard or cluster-admin permissions are used.
Webhook and TLS
The operator includes a validating admission webhook that rejects invalid CRs before they reach the cluster, providing immediate feedback through kubectl.
TLS is handled automatically: on startup, the operator generates a self-signed CA and certificate, stores them in a Kubernetes Secret, and patches the webhook configuration with the CA bundle. No manual certificate management is required.
After helm upgrade, the webhook configuration is re-rendered from the chart template, which resets the caBundle to empty. The operator automatically re-patches the caBundle on startup — within seconds of the pod becoming ready. There may be a brief window after upgrade where the webhook is unavailable and CRs cannot be created or updated.
API Key Authentication
The webhook validates that every VvpDeployment CR carries a valid Ververica Platform API token before admitting it to the cluster. This ensures that only authenticated users can create or modify operator-managed deployments through kubectl.
API key validation applies to CREATE and UPDATE operations only. DELETE operations are not validated.
To configure API key authentication:
- Create a Ververica Platform API token through the Ververica Platform UI or API. The token must have workspace and namespace role bindings.
- Store the token in a Kubernetes Secret in the same namespace as the CR:
1apiVersion: v1
2kind: Secret
3metadata:
4 name: my-vvp-apikey
5 namespace: my-deploy-namespace
6type: Opaque
7data:
8 apikey: <base64-encoded Ververica Platform API token>- Reference the Secret in the CR's
metadata.annotations:
1metadata:
2 annotations:
3 apikeySecretName: my-vvp-apikeyThe webhook reads the token from the referenced Secret on every CREATE and UPDATE and validates it against the Ververica Platform api-gateway's Access Control Service. If the token is missing, invalid, or the gateway is unreachable, the CR is rejected.
Helm configuration options:
When testing without API keys configured, set webhook.apiKeyValidation.enabled: false in your Helm values to disable the check.
Namespace Topology
The operator bridges three distinct namespace concepts. Do not confuse them:
These are independent. A single Kubernetes namespace can contain CRs targeting multiple Ververica Platform namespaces, and a single Ververica Platform namespace can be targeted by CRs in multiple Kubernetes namespaces.
Verify the Installation
After enabling the operator, confirm the pod is running:
1kubectl get pods -n <release-namespace> -l app=vvp-operatorWebhook Rejection Errors
The webhook validates CRs on CREATE and UPDATE operations and rejects requests that fail validation. The following table lists common rejection messages and how to resolve them: