redpanda-data · localleon · Mar 9, 2026 · Mar 9, 2026 · Mar 9, 2026
@@ -7,11 +7,6 @@ description: Find the default values and descriptions of settings in the Redpand
 
 This page describes the official Redpanda Operator Helm Chart. In particular, this page describes the contents of the chart’s [`values.yaml` file](./values.yaml). Each of the settings is listed and described on this page, along with any default values.
 
-For instructions on how to install and use the chart, including how to override and customize the chart’s values, refer to the [deployment documentation](https://docs.redpanda.com/docs/deploy/deployment-option/self-hosted/kubernetes/kubernetes-deploy/).
-
-----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)
-
 ## Source Code
 
 * <https://github.com/redpanda-data/redpanda-operator/tree/main/operator/chart>
@@ -122,16 +117,6 @@ Sets the port for the webhook server to listen on.
 
 **Default:** `9443`
 
-### [crds](https://artifacthub.io/packages/helm/redpanda-data/operator?modal=values&path=crds)
-
-Flags to control CRD installation.
-
-**Default:**
-
-```
-{"enabled":false,"experimental":false}
-```
-
 ### [crds.enabled](https://artifacthub.io/packages/helm/redpanda-data/operator?modal=values&path=crds.enabled)
 
 Specifies whether to install stable CRDs
@@ -204,6 +189,12 @@ Log level Valid values (from least to most verbose) are: `warn`, `info`, `debug`
 
 **Default:** `"info"`
 
+### [migrationJob](https://artifacthub.io/packages/helm/redpanda-data/operator?modal=values&path=migrationJob)
+
+Allows customizing the PodTemplateSpec of the post-upgrade migration hook Job. Merged on top of chart-managed defaults via StrategicMergePatch semantics. Only the `spec` field is respected. Example:   migrationJob:     podTemplate:       spec:         securityContext:           runAsNonRoot: true
+
+**Default:** `{}`
+
 ### [monitoring](https://artifacthub.io/packages/helm/redpanda-data/operator?modal=values&path=monitoring)
 
 Configuration for monitoring.
@@ -216,6 +207,22 @@ Creates a ServiceMonitor that can be used by Prometheus-Operator or VictoriaMetr
 
 **Default:** `false`
 
+### [multicluster.apiServerExternalAddress](https://artifacthub.io/packages/helm/redpanda-data/operator?modal=values&path=multicluster.apiServerExternalAddress)
+
+**Default:** `""`
+
+### [multicluster.enabled](https://artifacthub.io/packages/helm/redpanda-data/operator?modal=values&path=multicluster.enabled)
+
+**Default:** `false`
+
+### [multicluster.name](https://artifacthub.io/packages/helm/redpanda-data/operator?modal=values&path=multicluster.name)
+
+**Default:** `""`
+
+### [multicluster.peers](https://artifacthub.io/packages/helm/redpanda-data/operator?modal=values&path=multicluster.peers)
+
+**Default:** `[]`
+
 ### [nameOverride](https://artifacthub.io/packages/helm/redpanda-data/operator?modal=values&path=nameOverride)
 
 Overrides the `redpanda-operator.name` template.
@@ -286,8 +293,6 @@ Sets the number of instances of the Redpanda Operator to deploy. Each instance i
 
 ### [resources](https://artifacthub.io/packages/helm/redpanda-data/operator?modal=values&path=resources)
 
-Sets resources requests/limits for Redpanda Operator Pods. By default requests and limits are not set to increase the chances that the charts run on environments with few resources, such as Minikube. To specify resources, uncomment the following lines, adjust them as necessary, and remove the curly braces after `resources`.
-
 **Default:** `{}`
 
 ### [serviceAccount](https://artifacthub.io/packages/helm/redpanda-data/operator?modal=values&path=serviceAccount)

@@ -8,7 +8,6 @@ description: Find the default values and descriptions of settings in the Redpand
 {{ define "chart.description" -}}
 This page describes the official Redpanda Operator Helm Chart. In particular, this page describes the contents of the chart’s [`values.yaml` file](./values.yaml). Each of the settings is listed and described on this page, along with any default values.
 
-For instructions on how to install and use the chart, including how to override and customize the chart’s values, refer to the [deployment documentation](https://docs.redpanda.com/docs/deploy/deployment-option/self-hosted/kubernetes/kubernetes-deploy/).
 {{ end -}}
 
 {{ define "chart.valuesTable" }}

@@ -25,6 +25,32 @@ import (
 func PostUpgradeMigrationJob(dot *helmette.Dot) *batchv1.Job {
 	values := helmette.Unwrap[Values](dot.Values)
 
+	basePodTemplate := corev1.PodTemplateSpec{
+		ObjectMeta: metav1.ObjectMeta{
+			Annotations: values.PodAnnotations,
+			Labels:      helmette.Merge(SelectorLabels(dot), values.PodLabels),
+		},
+		Spec: corev1.PodSpec{
+			RestartPolicy:                 corev1.RestartPolicyOnFailure,
+			AutomountServiceAccountToken:  ptr.To(false),
+			TerminationGracePeriodSeconds: ptr.To(int64(10)),
+			ImagePullSecrets:              values.ImagePullSecrets,
+			ServiceAccountName:            MigrationJobServiceAccountName(dot),
+			NodeSelector:                  values.NodeSelector,
+			Tolerations:                   values.Tolerations,
+			Volumes:                       []corev1.Volume{serviceAccountTokenVolume()},
+			Containers:                    migrationJobContainers(dot),
+		},
+	}
+
+	podTemplate := basePodTemplate
+	if values.MigrationJob.PodTemplate != nil {
+		patch := corev1.PodTemplateSpec{
+			Spec: values.MigrationJob.PodTemplate.Spec,
+		}
+		podTemplate = StrategicMergePatch(&patch, basePodTemplate)
+	}
+
 	return &batchv1.Job{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: "batch/v1",
@@ -44,23 +70,7 @@ func PostUpgradeMigrationJob(dot *helmette.Dot) *batchv1.Job {
 			},
 		},
 		Spec: batchv1.JobSpec{
-			Template: corev1.PodTemplateSpec{
-				ObjectMeta: metav1.ObjectMeta{
-					Annotations: values.PodAnnotations,
-					Labels:      helmette.Merge(SelectorLabels(dot), values.PodLabels),
-				},
-				Spec: corev1.PodSpec{
-					RestartPolicy:                 corev1.RestartPolicyOnFailure,
-					AutomountServiceAccountToken:  ptr.To(false),
-					TerminationGracePeriodSeconds: ptr.To(int64(10)),
-					ImagePullSecrets:              values.ImagePullSecrets,
-					ServiceAccountName:            MigrationJobServiceAccountName(dot),
-					NodeSelector:                  values.NodeSelector,
-					Tolerations:                   values.Tolerations,
-					Volumes:                       []corev1.Volume{serviceAccountTokenVolume()},
-					Containers:                    migrationJobContainers(dot),
-				},
-			},
+			Template: podTemplate,
 		},
 	}
 }

@@ -30,6 +30,36 @@ func PreInstallCRDJob(dot *helmette.Dot) *batchv1.Job {
 		return nil
 	}
 
+	basePodTemplate := corev1.PodTemplateSpec{
+		ObjectMeta: metav1.ObjectMeta{
+			Annotations: values.PodAnnotations,
+			Labels:      helmette.Merge(SelectorLabels(dot), values.PodLabels),
+		},
+		Spec: corev1.PodSpec{
+			RestartPolicy:                 corev1.RestartPolicyOnFailure,
+			AutomountServiceAccountToken:  ptr.To(false),
+			TerminationGracePeriodSeconds: ptr.To(int64(10)),
+			ImagePullSecrets:              values.ImagePullSecrets,
+			ServiceAccountName:            CRDJobServiceAccountName(dot),
+			NodeSelector:                  values.NodeSelector,
+			Tolerations:                   values.Tolerations,
+			Volumes:                       []corev1.Volume{serviceAccountTokenVolume()},
+			Containers:                    crdJobContainers(dot),
+		},
+	}
+
+	podTemplate := basePodTemplate
+	if values.CRDs.PodTemplate != nil {
+		// only merge the spec portion; metadata labels/annotations are not
+		// currently applied to the hook job.  Restricting to the spec avoids
+		// nil-pointer dereferences when users supply a podTemplate with only a
+		// spec (metadata may be omitted).
+		patch := corev1.PodTemplateSpec{
+			Spec: values.CRDs.PodTemplate.Spec,
+		}
+		podTemplate = StrategicMergePatch(&patch, basePodTemplate)
+	}
+
 	return &batchv1.Job{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: "batch/v1",
@@ -48,23 +78,7 @@ func PreInstallCRDJob(dot *helmette.Dot) *batchv1.Job {
 			},
 		},
 		Spec: batchv1.JobSpec{
-			Template: corev1.PodTemplateSpec{
-				ObjectMeta: metav1.ObjectMeta{
-					Annotations: values.PodAnnotations,
-					Labels:      helmette.Merge(SelectorLabels(dot), values.PodLabels),
-				},
-				Spec: corev1.PodSpec{
-					RestartPolicy:                 corev1.RestartPolicyOnFailure,
-					AutomountServiceAccountToken:  ptr.To(false),
-					TerminationGracePeriodSeconds: ptr.To(int64(10)),
-					ImagePullSecrets:              values.ImagePullSecrets,
-					ServiceAccountName:            CRDJobServiceAccountName(dot),
-					NodeSelector:                  values.NodeSelector,
-					Tolerations:                   values.Tolerations,
-					Volumes:                       []corev1.Volume{serviceAccountTokenVolume()},
-					Containers:                    crdJobContainers(dot),
-				},
-			},
+			Template: podTemplate,
 		},
 	}
 }

@@ -11,8 +11,14 @@
 {{- (dict "r" (coalesce nil)) | toJson -}}
 {{- break -}}
 {{- end -}}
+{{- $basePodTemplate := (mustMergeOverwrite (dict "metadata" (dict) "spec" (dict "containers" (coalesce nil))) (dict "metadata" (mustMergeOverwrite (dict) (dict "annotations" $values.podAnnotations "labels" (merge (dict) (get (fromJson (include "operator.SelectorLabels" (dict "a" (list $dot)))) "r") $values.podLabels))) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil)) (dict "restartPolicy" "OnFailure" "automountServiceAccountToken" false "terminationGracePeriodSeconds" ((10 | int64) | int64) "imagePullSecrets" $values.imagePullSecrets "serviceAccountName" (get (fromJson (include "operator.CRDJobServiceAccountName" (dict "a" (list $dot)))) "r") "nodeSelector" $values.nodeSelector "tolerations" $values.tolerations "volumes" (list (get (fromJson (include "operator.serviceAccountTokenVolume" (dict "a" (list)))) "r")) "containers" (get (fromJson (include "operator.crdJobContainers" (dict "a" (list $dot)))) "r"))))) -}}
+{{- $podTemplate := $basePodTemplate -}}
+{{- if (ne (toJson $values.crds.podTemplate) "null") -}}
+{{- $patch := (mustMergeOverwrite (dict "metadata" (dict) "spec" (dict "containers" (coalesce nil))) (dict "spec" $values.crds.podTemplate.spec)) -}}
+{{- $podTemplate = (get (fromJson (include "operator.StrategicMergePatch" (dict "a" (list $patch $basePodTemplate)))) "r") -}}
+{{- end -}}
 {{- $_is_returning = true -}}
-{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict) "spec" (dict "template" (dict "metadata" (dict) "spec" (dict "containers" (coalesce nil)))) "status" (dict)) (mustMergeOverwrite (dict) (dict "apiVersion" "batch/v1" "kind" "Job")) (dict "metadata" (mustMergeOverwrite (dict) (dict "name" (printf "%s-crds" (get (fromJson (include "operator.Fullname" (dict "a" (list $dot)))) "r")) "namespace" $dot.Release.Namespace "labels" (merge (dict) (get (fromJson (include "operator.Labels" (dict "a" (list $dot)))) "r")) "annotations" (dict "helm.sh/hook" "pre-install,pre-upgrade" "helm.sh/hook-delete-policy" "before-hook-creation,hook-succeeded,hook-failed" "helm.sh/hook-weight" "-5"))) "spec" (mustMergeOverwrite (dict "template" (dict "metadata" (dict) "spec" (dict "containers" (coalesce nil)))) (dict "template" (mustMergeOverwrite (dict "metadata" (dict) "spec" (dict "containers" (coalesce nil))) (dict "metadata" (mustMergeOverwrite (dict) (dict "annotations" $values.podAnnotations "labels" (merge (dict) (get (fromJson (include "operator.SelectorLabels" (dict "a" (list $dot)))) "r") $values.podLabels))) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil)) (dict "restartPolicy" "OnFailure" "automountServiceAccountToken" false "terminationGracePeriodSeconds" ((10 | int64) | int64) "imagePullSecrets" $values.imagePullSecrets "serviceAccountName" (get (fromJson (include "operator.CRDJobServiceAccountName" (dict "a" (list $dot)))) "r") "nodeSelector" $values.nodeSelector "tolerations" $values.tolerations "volumes" (list (get (fromJson (include "operator.serviceAccountTokenVolume" (dict "a" (list)))) "r")) "containers" (get (fromJson (include "operator.crdJobContainers" (dict "a" (list $dot)))) "r")))))))))) | toJson -}}
+{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict) "spec" (dict "template" (dict "metadata" (dict) "spec" (dict "containers" (coalesce nil)))) "status" (dict)) (mustMergeOverwrite (dict) (dict "apiVersion" "batch/v1" "kind" "Job")) (dict "metadata" (mustMergeOverwrite (dict) (dict "name" (printf "%s-crds" (get (fromJson (include "operator.Fullname" (dict "a" (list $dot)))) "r")) "namespace" $dot.Release.Namespace "labels" (merge (dict) (get (fromJson (include "operator.Labels" (dict "a" (list $dot)))) "r")) "annotations" (dict "helm.sh/hook" "pre-install,pre-upgrade" "helm.sh/hook-delete-policy" "before-hook-creation,hook-succeeded,hook-failed" "helm.sh/hook-weight" "-5"))) "spec" (mustMergeOverwrite (dict "template" (dict "metadata" (dict) "spec" (dict "containers" (coalesce nil)))) (dict "template" $podTemplate))))) | toJson -}}
 {{- break -}}
 {{- end -}}
 {{- end -}}

@@ -6,8 +6,14 @@
 {{- range $_ := (list 1) -}}
 {{- $_is_returning := false -}}
 {{- $values := $dot.Values.AsMap -}}
+{{- $basePodTemplate := (mustMergeOverwrite (dict "metadata" (dict) "spec" (dict "containers" (coalesce nil))) (dict "metadata" (mustMergeOverwrite (dict) (dict "annotations" $values.podAnnotations "labels" (merge (dict) (get (fromJson (include "operator.SelectorLabels" (dict "a" (list $dot)))) "r") $values.podLabels))) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil)) (dict "restartPolicy" "OnFailure" "automountServiceAccountToken" false "terminationGracePeriodSeconds" ((10 | int64) | int64) "imagePullSecrets" $values.imagePullSecrets "serviceAccountName" (get (fromJson (include "operator.MigrationJobServiceAccountName" (dict "a" (list $dot)))) "r") "nodeSelector" $values.nodeSelector "tolerations" $values.tolerations "volumes" (list (get (fromJson (include "operator.serviceAccountTokenVolume" (dict "a" (list)))) "r")) "containers" (get (fromJson (include "operator.migrationJobContainers" (dict "a" (list $dot)))) "r"))))) -}}
+{{- $podTemplate := $basePodTemplate -}}
+{{- if (ne (toJson $values.migrationJob.podTemplate) "null") -}}
+{{- $patch := (mustMergeOverwrite (dict "metadata" (dict) "spec" (dict "containers" (coalesce nil))) (dict "spec" $values.migrationJob.podTemplate.spec)) -}}
+{{- $podTemplate = (get (fromJson (include "operator.StrategicMergePatch" (dict "a" (list $patch $basePodTemplate)))) "r") -}}
+{{- end -}}
 {{- $_is_returning = true -}}
-{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict) "spec" (dict "template" (dict "metadata" (dict) "spec" (dict "containers" (coalesce nil)))) "status" (dict)) (mustMergeOverwrite (dict) (dict "apiVersion" "batch/v1" "kind" "Job")) (dict "metadata" (mustMergeOverwrite (dict) (dict "name" (printf "%s-migration" (get (fromJson (include "operator.Fullname" (dict "a" (list $dot)))) "r")) "namespace" $dot.Release.Namespace "labels" (merge (dict) (get (fromJson (include "operator.Labels" (dict "a" (list $dot)))) "r")) "annotations" (dict "helm.sh/hook" "post-upgrade" "helm.sh/hook-delete-policy" "before-hook-creation,hook-succeeded,hook-failed" "helm.sh/hook-weight" "-4"))) "spec" (mustMergeOverwrite (dict "template" (dict "metadata" (dict) "spec" (dict "containers" (coalesce nil)))) (dict "template" (mustMergeOverwrite (dict "metadata" (dict) "spec" (dict "containers" (coalesce nil))) (dict "metadata" (mustMergeOverwrite (dict) (dict "annotations" $values.podAnnotations "labels" (merge (dict) (get (fromJson (include "operator.SelectorLabels" (dict "a" (list $dot)))) "r") $values.podLabels))) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil)) (dict "restartPolicy" "OnFailure" "automountServiceAccountToken" false "terminationGracePeriodSeconds" ((10 | int64) | int64) "imagePullSecrets" $values.imagePullSecrets "serviceAccountName" (get (fromJson (include "operator.MigrationJobServiceAccountName" (dict "a" (list $dot)))) "r") "nodeSelector" $values.nodeSelector "tolerations" $values.tolerations "volumes" (list (get (fromJson (include "operator.serviceAccountTokenVolume" (dict "a" (list)))) "r")) "containers" (get (fromJson (include "operator.migrationJobContainers" (dict "a" (list $dot)))) "r")))))))))) | toJson -}}
+{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict) "spec" (dict "template" (dict "metadata" (dict) "spec" (dict "containers" (coalesce nil)))) "status" (dict)) (mustMergeOverwrite (dict) (dict "apiVersion" "batch/v1" "kind" "Job")) (dict "metadata" (mustMergeOverwrite (dict) (dict "name" (printf "%s-migration" (get (fromJson (include "operator.Fullname" (dict "a" (list $dot)))) "r")) "namespace" $dot.Release.Namespace "labels" (merge (dict) (get (fromJson (include "operator.Labels" (dict "a" (list $dot)))) "r")) "annotations" (dict "helm.sh/hook" "post-upgrade" "helm.sh/hook-delete-policy" "before-hook-creation,hook-succeeded,hook-failed" "helm.sh/hook-weight" "-4"))) "spec" (mustMergeOverwrite (dict "template" (dict "metadata" (dict) "spec" (dict "containers" (coalesce nil)))) (dict "template" $podTemplate))))) | toJson -}}
 {{- break -}}
 {{- end -}}
 {{- end -}}

@@ -70,22 +70,36 @@ type Values struct {
 	LivenessProbe         *corev1.Probe                 `json:"livenessProbe,omitempty"`
 	ReadinessProbe        *corev1.Probe                 `json:"readinessProbe,omitempty"`
 	CRDs                  CRDs                          `json:"crds"`
+	MigrationJob          MigrationJob                  `json:"migrationJob"`
 	VectorizedControllers VectorizedControllers         `json:"vectorizedControllers"`
 	Multicluster          Multicluster                  `json:"multicluster"`
 }
 
+type MigrationJob struct {
+	// PodTemplate allows overriding the spec of the post-upgrade migration
+	// hook Job's Pod, e.g. to set a securityContext, add tolerations, or tune
+	// container settings. Merged via StrategicMergePatch semantics on top of
+	// the chart-managed defaults.
+	PodTemplate *PodTemplateSpec `json:"podTemplate,omitempty"`
+}
+
 type VectorizedControllers struct {
 	Enabled bool `json:"enabled"`
 }
 
 type CRDs struct {
 	Enabled      bool `json:"enabled"`
 	Experimental bool `json:"experimental"`
+	// PodTemplate allows overriding the spec of the CRD pre-install hook Job's
+	// Pod, e.g. to set a securityContext, add tolerations, or tune container
+	// settings. Merged via StrategicMergePatch semantics on top of the
+	// chart-managed defaults.
+	PodTemplate *PodTemplateSpec `json:"podTemplate,omitempty"`
 }
 
 type PodTemplateSpec struct {
 	Metadata Metadata       `json:"metadata,omitempty"`
-	Spec     corev1.PodSpec `json:"spec,omitempty" jsonschema:"required"`
+	Spec     corev1.PodSpec `json:"spec,omitempty"`
 }
 
 type Metadata struct {