nvcl-operator Deployment runs in the nvcl-system namespace, the Hub sees the executor as online, and you can deploy nodes from the UI.
The Operator is the Kubernetes executor: it runs each node as a StatefulSet of pods and reports status back to the Hub. Choose it when you already run Kubernetes, want pod-level isolation, or plan to scale fleets. For the executor concept and the Agent-vs-Operator choice, see Executors.
Prerequisites
- Kubernetes — a cluster serving
networking.k8s.io/v1(Ingress, NetworkPolicy). The chart declares nokubeVersionfloor. - Cluster-admin at install time — the chart creates a namespaced
Role/RoleBindingand, for cluster telemetry, a small cluster-scopedClusterRolethat reads node capacity. - A storage class suitable for blockchain workloads — typically a CSI provider with
WaitForFirstConsumerbinding, fast NVMe-backed for heavy chains. - Outbound HTTPS from the Operator pod to the Hub (
https://hub.novacula.io). No inbound ports are needed. - An executor API key, created via Connect Executor (Operator kind) — see Connect an executor.
- (Optional) cert-manager with a ClusterIssuer — only if you’ll expose node RPC via proxy with automatic TLS. See RPC exposure.
Steps
Run the Helm command
From the Connect Executor screen in the UI, copy the exact Helm command. There’s no
helm repo add — the chart is an OCI ref. It installs the Operator in hub mode (it syncs to the Hub each tick) and renders the Hub token into a Secret. It looks like this:image.tagpins the Operator version;gateway.tagpins the matching per-node RPC-auth gateway sidecar (same version) — required once any node uses RPC-key auth.hub.urlandhub.tokenare the Hub connection;hub.nameis the executor’s identity in the Hub (defaults to the Helm release name).--set source=crdswitches to standalone/GitOps mode (reconcileNodeCRs in-namespace, no Hub); the default ishub.
- A single-replica
Deploymentnvcl-operator(+ServiceAccount), running the operator withrun --config /etc/nvcl/operator.toml. - A
Secretnvcl-operator-configholdingoperator.toml(with the Hub token) — mounted at/etc/nvcl/operator.toml. - A namespaced
Role+RoleBindingnvcl-operatorcoveringstatefulsets,configmaps/secrets/services/persistentvolumeclaims,ingresses/networkpolicies,pods/pods/log, andnovacula.ionodes(+/status); with self-update on, it also patches this Deployment (viaresourceNames). - A small cluster-scoped
ClusterRole+ binding that reads node capacity for cluster telemetry (disable with--set clusterNodeRead=false).
Confirm online in the UI
online within seconds.If it stays offline:- Check Operator logs for auth errors.
- Confirm outbound HTTPS to the Hub URL.
- Verify
hub.tokenis theexc_key from the Connect Executor step.
What lives in the cluster
Static (chart-managed, in the release namespace):persistentvolumeclaims).
Exposing node RPC
Each node’s RPC exposure is set per node (see RPC exposure); the Operator materializes it:- Direct → a
NodePortorLoadBalancerService (your choice). - Proxy → an
Ingressat your domain, with TLS via cert-manager when you set a ClusterIssuer, and optional RPC-key auth through the gateway sidecar. - Closed → internal
ClusterIPonly.
proxy.* values (see below).
Operating
Deployment image. Run helm upgrade only for chart-level changes (RBAC, resources, values).
Configuration (Helm values)
The chart composesoperator.toml from its values and renders it into the Secret. Common values:
- The namespace the Operator watches and deploys nodes into is the Helm release namespace (
--namespace). - Per-node settings (resources, config/CLI overrides, RPC exposure) aren’t Helm values — set them per node in the UI. See Edit node configuration.
Hardening
- Keep the Hub token secret — it lives in the
nvcl-operator-configSecret; restrict who can read Secrets innvcl-system. - Let the Hub own the image when self-update is on — pinning
image.tagand thenhelm upgrade --reuse-valuesre-applies the pin and can undo a self-update. Either let self-update own the image, or manage it only via Helm. - Restrict egress from
nvcl-systemto the Hub URL (and per-chain image/binary sources) if you run NetworkPolicies.
Next steps
- Deploy a node onto your fresh executor.