Update NVCF Account Quota Limits
This runbook updates the account quota limits for the nvcf-default account
post installation. Use this when an operation fails with an error like:
The following limits can be updated using the same method:
Prerequisites
To use nvcf-cli (the simpler path), you need:
nvcf-cliinstalled and authenticated against the target cluster
To use curl directly, you need:
kubectlcurljq- Cluster access with permission to create service account tokens
- Access to the
nvcfandvault-systemnamespaces
The NVCF API and OpenBao services must be reachable through kubectl port-forward.
Update Runtime Account Limits Using nvcf-cli
If nvcf-cli is available and configured, use the admin accounts update
subcommand:
Sibling flags for other limits:
Run nvcf-cli admin accounts update --help for the full flag list.
Retry the operation that previously failed.
Update Runtime Account Limits Using curl
Port-forward the NVCF API:
In another terminal, port-forward OpenBao:
Create an audience-bound service account token for the bootstrap service account:
Log in to OpenBao using that service account token:
Generate an NVCF admin JWT using the OpenBao signing role:
Patch one or more account limits in a single request. Include only the fields you want to change:
To update multiple limits at once:
Expected success response:
Verify the updated limits:
Retry the operation that previously failed after confirming the new limits are reflected.
Persist Future Bootstrap Limits
The runtime fix is the PATCH above. To prevent future installs or account
bootstrap runs from using the old defaults, also update the Helm values:
If upgrading the existing Helm release directly, use the same chart source that was used for installation:
Note: the account bootstrap job creates the account and treats an existing
account as success. Updating Helm values alone may not change an already-created
nvcf-default account, so apply the runtime PATCH when changing an existing
deployment.
Troubleshooting
If the account patch returns 401, the JWT is expired. Regenerate ADMIN_TOKEN.
If the account patch returns 403, the token is valid but does not have enough
privilege. Use the OpenBao-signed nvcf-api-admin token, not a normal function
management token.
If VAULT_TOKEN is null, confirm SA_TOKEN was created in the same terminal:
If the length is 0, recreate SA_TOKEN and retry the OpenBao login.