Helmfile Installation
This section covers manual Helmfile installation of the NVCF control plane and GPU cluster components for self-hosted NVCF deployments.
For a fresh install, start with the Quickstart. Use this Helmfile guide when you need explicit release control, partial recovery, upgrades, or direct access to Helmfile values.
This guide assumes you have already downloaded and extracted the
nvcf-self-managed-stack Helmfile bundle (see
download-nvcf-self-managed-stack). Control-plane
commands run from inside that directory unless otherwise noted. The directory
contains the control-plane Helmfile definitions, environment templates, and
sample configurations referenced throughout.
GPU clusters use the compute-plane Makefile in
deploy/stacks/nvcf-compute-plane. It registers one GPU cluster at a time and
installs the NVCA operator into that cluster.
Clone the public repository before the GPU cluster steps:
Namespace Requirements
Each control-plane Helm chart must be installed into a specific namespace. These namespace assignments are fixed and must not be changed because service-to-service cluster DNS addressing and Vault (OpenBao) authentication claims depend on this layout.
Installing a chart into the wrong namespace will cause authentication failures such as
error validating claims: claim "/kubernetes.io/namespace" does not match any associated bound claim values.
If you see this error, verify that every release is deployed in the namespace shown above.
Prerequisites
Required Tools and Software
The following tools must be installed on your deployment machine:
kubectlhelm>= 3.12helmfile>= 1.1.0 (recommended:1.1.x)helm-diffplugin >=3.11
Avoid Helmfile 1.2.x. Helmfile 1.2.0 removed sequential execution mode, which
the NVCF stack requires for ordered deployments. Use version 1.1.x for
compatibility with the commands in this guide.
Helmfile 1.3.0+ re-introduced sequential execution via the --sequential-helmfiles flag, but the command syntax differs from the 1.1.x examples shown here. If you choose to use 1.3.0+, add --sequential-helmfiles to every helmfile apply and helmfile sync command.
- A kubernetes cluster (CSP agnostic or on-prem).
- Gateway API ingress prepared as described in Gateway quickstart if you are exposing NVCF through Gateway API
- Artifacts must be available in a registry that your Kubernetes cluster can access. This can be the
nvcf-onpremregistry for NVCF control plane service artifacts, but function containers and helm charts must be configured to a user-managed registry. See self-hosted-artifact-manifest and self-hosted-image-mirroring. - The
nvcf-self-managed-stackrepository must be downloaded to your local machine (see download-nvcf-self-managed-stack).
Install helm-diff plugin
kubectl version must match your cluster within one minor version. Using a
kubectl version that is more than one minor version ahead of your Kubernetes
cluster will cause kubectl apply and kubectl patch commands to fail, not
just warn, due to stricter server-side field validation in newer clients.
This is especially common on macOS with Homebrew, where brew install kubectl
or brew upgrade can silently install a version much newer than your cluster.
Verify before proceeding:
If your client is too new, install a matching version directly from the Kubernetes release page.
Access Requirements
-
kubectlconfigured to the kubernetes cluster you are deploying to -
Personal NGC API Key from ngc.nvidia.com authenticated with
nvcf-onpremorganization only if you pull artifacts directly from NGC or use NGC as your registry -
Registry credentials for your container registry (ECR, NGC, etc.). See third-party-registries-self-hosted for setup instructions
-
Local Helm/Docker authentication to your container registry where NVCF charts are stored. Helmfile pulls OCI charts during deployment, so your local environment must be authenticated. Examples:
- AWS ECR:
aws ecr get-login-password --region <region> | helm registry login --username AWS --password-stdin <account-id>.dkr.ecr.<region>.amazonaws.com - NGC:
docker login nvcr.io -u '$oauthtoken' -p <NGC_API_KEY> - Other registries: Use
docker loginorhelm registry loginas appropriate for your registry
- AWS ECR:
If you are using NGC as your registry, you will use your NGC API key when generating the base64 registry credential in Step 3. Exporting NGC_API_KEY is optional and only needed if you prefer to reuse it in commands.
Installation Steps
The installation flow is as follows.
- Prepare Gateway API ingress
- Configure your environment file (
environments/<environment-name>.yaml) - Configure your secrets file (
secrets/<environment-name>-secrets.yaml) - Configure image pull secrets (skip if using a CSP registry with built-in credential helpers)
- Deploy the NVCF control plane components
- Verify the control plane
- Register each GPU cluster with the control plane
- Install the NVCA operator on each GPU cluster
Step 1. Prepare Gateway API ingress
Complete Gateway quickstart before you configure and apply the Helmfile stack.
Keep these values from the Gateway quickstart:
Use GATEWAY_ADDR as global.domain in your environment file. Use the Gateway
names, namespaces, and listener names from Gateway quickstart in
ingress.gatewayApi.gateways.
Split or multi-cluster gRPC invocation is not enabled by default. If you need workers in a compute cluster to reach grpc-proxy in the control-plane cluster, complete gRPC Invocation Enablement before you deploy or sync the control plane.
The Gateway address is embedded throughout your deployment. The domain value
in your environment file, the Gateway API HTTPRoutes/TCPRoutes, and service
discovery all depend on this address. If the Gateway or its underlying load
balancer is deleted and recreated (e.g., due to a TCPRoute misconfiguration), a
new address will be assigned.
If the address changes after deployment, you must update the domain in your
environment file and re-sync the affected releases. See
Recovering from Gateway Address Changes
for the procedure.
Step 2. Configure your environment file (environments/<environment-name>.yaml)
Environment configuration files define how NVCF is deployed in your specific environment. They are YAML files that provide values to the Helm charts.
Set HELMFILE_ENV to your environment name and copy the base configuration.
The filename must match HELMFILE_ENV because Helmfile uses it to select the
environment file. The template below shows the values to configure for Amazon
EKS (cp-env-eks-example.yaml).
Configuration Template (Amazon EKS Environment)
The following example shows a typical configuration for Amazon EKS:
domain and ingress Configuration
The domain and ingress sections of the environment file are used to configure the external access to the NVCF control plane.
If using the above example directly for EKS, replace GATEWAY_ADDR with the Gateway load balancer address from Gateway quickstart.
If using the above example directly for EKS, your ingress configuration would look like this:
nodeSelectors Configuration
The nodeSelectors section of the environment file is used to configure the nodes on which the NVCF control plane components are deployed. Disable this unless you have a cluster with node selectors pre-configured on node pools within your cluster.
If your cluster uses dedicated node labels for NVCF workloads, enable this section with the following configuration:
cassandra Resource Tuning
Cassandra needs enough memory to complete first boot, commit-log replay, and the schema migration hooks. The default self-managed stack uses cassandra.resourcesPreset: xlarge, which maps to a Bitnami Cassandra preset with a 3 GiB memory request and a 6 GiB memory limit. Do not use the small preset for cloud installs. It can OOM-kill Cassandra during initialization and cause migration failures.
Common preset values:
All listed presets include a 50Mi ephemeral-storage request and 2Gi ephemeral-storage limit.
If Cassandra pods restart with OOMKilled, or the cassandra-migrations job fails with a consistency-level error while Cassandra pods are restarting, increase the preset in your environment file:
Then apply the change to just Cassandra:
For local development, a lower preset may be acceptable when the environment also reduces Cassandra to one replica. For cloud installs, start with xlarge or higher and tune from there.
helm and image Configuration
The helm and image sections tell NVCF which registries to pull Helm charts and container images from.
helm.sources: The OCI registry where NVCF Helm charts are stored. Helmfile pulls charts from here at deploy time (requires local authentication. See Access Requirements).image: The container registry where NVCF service images are stored. Kubernetes pulls images from here at runtime.
If you have mirrored NVCF artifacts to your own registry (e.g., ECR), update both helm.sources and image to point to your mirror. See self-hosted-image-mirroring for details on mirroring artifacts.
When upgrading to a new nvcf-self-managed-stack version, re-mirror all artifacts before running helmfile sync. Each stack release may introduce new or updated container images and Helm charts. If these are not present in your private registry, pods will fail with ImagePullBackOff. For split installs, mirror both the control-plane and compute-plane stack resources listed in the self-hosted-artifact-manifest.
Pulling directly from NGC is the recommended approach and avoids the need to
manually mirror artifacts on every upgrade. If your environment permits it,
configure helm.sources and image to point to the NGC registry (nvcr.io)
and use your NGC API key for authentication. This ensures you always have access
to the latest artifacts without additional mirroring steps.
These settings control where images are pulled from, not how Kubernetes authenticates to pull them. If your image registry is private, you may also need to configure image pull secrets — see Step 4.
Quick start summary: If you are using the example EKS environment YAML directly and followed Gateway quickstart, you only need to change:
domain: ReplaceGATEWAY_ADDRwith the Gateway load balancer addresshelm.sources.registryandhelm.sources.repository: Point to your Helm chart registryimage.registryandimage.repository: Point to your container image registry
Overriding Helm Chart Values
Overriding Helm Chart Values
The environment file (environments/<environment-name>.yaml) controls global
settings like domain, image, and nodeSelectors. However, you may need to
override values for a specific Helm chart, for example to increase Cassandra
memory limits or change an image tag for one service.
Helmfile releases support a values property that passes values through to the underlying helm install/helm upgrade command. To add chart-specific overrides, edit the release definition in the appropriate file under helmfile.d/ and add a values block:
When a release inherits from a template (<<: *dependency), specifying values
on the release replaces the template’s values list. YAML merge does not append
lists. You must re-include global.yaml.gotmpl and the secrets file.
The values block is a list of YAML mappings. Keys correspond to the chart’s values.yaml structure. For example, to override a deeply nested value:
Values defined here take the highest precedence, overriding both the environment
file and global.yaml.gotmpl. Use helmfile template to preview the rendered
manifests after adding overrides, then apply to a single release:
Worker Image Version Overrides
The NVCF API uses the worker image versions in its nvcf.sidecars.*
configuration. To pin worker sidecars for one Helmfile deployment, add an inline
remote-config override to the api release in helmfile.d/02-core.yaml.gotmpl:
The ${nvcf.sidecars.hostname} and ${nvcf.sidecars.repository} placeholders
resolve from the stack image registry and repository settings. Re-include
global.yaml.gotmpl and the secrets file because defining values on the
release replaces the inherited values list. Keep the existing needs entry on
the release.
Step 3. Configure your secrets file (secrets/<environment-name>-secrets.yaml)
Secrets configuration contains any sensitive data required for NVCF operation. The image pull secret credentials you insert here will be used to bootstrap the NVCF API with registry credentials for all worker components (function sidecars), function containers and helm charts.
These credentials will then be used for function deployments. Note that if the registry credentials are not correct you can always update them using the steps in third-party-registries-self-hosted.
Copy the secrets template using the same HELMFILE_ENV value from Step 2. The
filename must match HELMFILE_ENV because Helmfile loads the corresponding
secrets file. The example below shows the required structure
(example-secrets.yaml). You must
replace all instances of REPLACE_WITH_BASE64_DOCKER_CREDENTIAL with your
actual base64-encoded registry credentials.
NVCF supports these registries for function containers (set in api.accountBootstrap.registryCredentials): ACR (Azure), ECR (AWS), NVCR (NVIDIA), VolcEngine CR, JFrog/Artifactory, and Harbor.
Generating Base64-encoded Registry Credentials
Registry credentials must be base64-encoded in the format username:password. For detailed instructions on setting up credentials for specific registries (including IAM user creation for ECR), see third-party-registries-self-hosted.
NGC Registry
Amazon ECR
VolcEngine CR
Step 4. Configure image pull secrets (conditional)
Skip this step if you have mirrored NVCF artifacts to a CSP-managed registry (e.g., ECR) and are using a CSP-managed registry with built-in credential helpers (e.g., AWS ECR with IAM node roles, GKE Artifact Registry with Workload Identity, Azure ACR with managed identity). Kubernetes can pull images automatically in those environments.
The secrets file you configured in Step 3 handles API bootstrap registry credentials. These allow the NVCF API service to pull user function containers at runtime. Separately, Kubernetes itself needs image pull secrets to pull the NVCF control plane service images (API, SIS, Cassandra, etc.) from your registry.
If your image registry is private and your cluster nodes do not have built-in credential helpers, you must create Kubernetes docker-registry secrets in each NVCF namespace and configure the helmfile to reference them.
- Create the pull secret in each NVCF namespace (create-nvcr-pull-secrets.sh):
For registries other than NGC, replace --docker-server, --docker-username, and --docker-password with your registry credentials.
- Reference the secret in your Helmfile environment. The Helmfile propagates
imagePullSecretsto all NVCF charts automatically. Add the secret name to your environment YAML (e.g.environments/<your-env>.yaml):
This replaces any need for a separate admission controller or policy engine to inject pull secrets.
Step 5. Deploy the NVCF control plane components
Set kubectl context to your cluster.
Ensure your local environment is authenticated to the container registry where your NVCF Helm charts are stored (see Access Requirements). Helmfile pulls OCI charts during deployment and will fail if not authenticated.
Before deploying, preview the rendered Kubernetes manifests:
This command will:
- Render all Helm charts with your environment and secrets
- Run validation hooks
- Display the resulting Kubernetes manifests
Review the output carefully to ensure:
- Container image references are correct
- Storage classes match your clusters
Deploy the self-managed stack:
The initial deployment takes approximately 5-10 minutes for local development and 10-20 minutes for cloud deployments.
Deployment Progression and Monitoring
Helmfile will deploy services in the correct order with dependencies:
Phase 1: dependency layer (5-10 minutes)
- NATS messaging service
- OpenBao (secrets management)
- Cassandra (database)
- Helmfile selector:
release-group=dependencies
Phase 2: control-plane services (5-10 minutes)
- NVCF API Service
- SIS (Spot Instance Service)
- gRPC Proxy
- Invocation Service
- API Keys Service
- ESS API
- Notary Service
- Admin Issuer Proxy
- Helmfile selector:
release-group=services
Monitor for account bootstrap failures. Once Helmfile reaches Phase 3, open a
separate terminal and watch events in the nvcf namespace:
The account bootstrap job runs as a post-install hook and is the most common failure point, usually due to environment or secrets misconfiguration. If it fails, see Recovering from Partial Deployments for recovery steps.
Phase 3: ingress configuration (1-2 minutes)
- Gateway API Routes (if enabled)
- Helmfile selector:
release-group=ingress
GPU clusters are installed after the control plane succeeds. Use Step 7. Configure the compute-plane Helmfile environment and Step 8. Register and install each GPU cluster for the split compute-plane bundle.
Open a separate terminal to monitor the deployment progress:
Monitor each deployment phase:
Cassandra initialization pods showing Error is expected. The
cassandra-initialize-cluster job runs multiple pods in parallel and retries
on failure. It is normal to see one or more pods with Error status. The
deployment is healthy as long as at least one initialization pod reaches
Completed and the cassandra-migrations job completes successfully.
If any pod remains in Pending, ContainerCreating, or ImagePullBackOff state for more than 5 minutes, see self-hosted-troubleshooting for issue identification commands and solutions.
Recovering from Partial Deployments
Do not attempt to fix a partially failed deployment by re-running helmfile sync or helmfile apply. Helm releases in a failed state will skip initialization hooks on subsequent runs, leading to incomplete deployments that appear successful but don’t function correctly.
Redeploying dependencies if needed:
If a dependency service (Cassandra, NATS, OpenBao) fails or gets stuck, you can safely redeploy it individually:
Recovering from services failures without destroying dependencies:
If the release-group=services deployment hangs or fails (for example, account bootstrap failure due to secrets misconfiguration), you can recover without destroying your dependencies.
- Monitor for failures:
In a separate terminal, watch events in the nvcf namespace:
- Check the account bootstrap logs if it failed:
The bootstrap job auto-deletes after ~5 minutes. Monitor events to catch failures in real-time.
- Check the NVCF API logs for detailed error messages:
-
Fix the root cause, for example correct your
secrets/<environment-name>-secrets.yamlfile. -
Destroy the services and downstream releases:
- Clean up the service namespaces:
- Recreate namespaces and labels. Gateway API routing requires these labels:
- Re-sync services. This triggers fresh post-install hooks:
- Sync remaining releases after services succeed:
Full restart if dependencies are also broken:
If dependencies are corrupted or you prefer a clean slate, follow the complete Uninstalling steps, fix your configuration, then redeploy from Step 1.
Enabling Vanity Gateway
Vanity Gateway is optional and disabled by default. It is available only in
stack packages that include the Vanity Gateway addon. If your extracted stack
package does not contain a vanity-gateway release and vanityGateway route
values, skip this section until you use a stack package that includes them.
Enable it only when you need a customer-facing hostname or path mapping layer in front of the standard NVCF service routes.
In stack packages that include the addon, set the value shape in your environment file:
By default, the route host is vanity.<domain> and the backend is
vanity-gateway.nvcf:8080. Put deployment-specific host and path mappings under
addons.vanityGateway.mappingConfig. If your deployment needs custom vanity
hosts, use the route hostname overrides supported by your stack package and
create matching DNS records.
After confirming your stack package includes the vanity-gateway release,
preview and apply the service plus gateway routes:
Verify only when the addon is present and enabled:
Recovering from Gateway Address Changes
If your Gateway or its underlying load balancer was deleted and recreated (e.g., due to a TCPRoute misconfiguration or infrastructure change), the external address will change. Services that depend on the domain value — including Gateway API routes, SIS cluster registration, API hostname resolution, and the optional Vanity Gateway route — will break until the new address is propagated.
- Get the new Gateway address:
- Update your environment file with the new address:
- Re-sync ingress and services that depend on the domain:
- Verify routes are using the new address:
If you encounter issues during deployment, consult the self-hosted-troubleshooting guide for common problems and solutions.
Step 6: Verify the Installation
Verify the installation is successful by checking the pods are running and the helm releases are successful.
Verify API Connectivity (Optional)
If you configured Gateway API ingress, you can verify the NVCF API is accessible by running the following commands.
- Set up environment variables:
- Generate an admin token:
- List functions. The list should be empty initially:
Step 7. Configure the compute-plane Helmfile environment
Use deploy/stacks/nvcf-compute-plane from the source repository for each GPU
cluster. The compute-plane Helmfile installs helm-nvca-operator and wires it
to the control plane values returned by cluster registration.
Create an environment file in the compute-plane directory. Use the same Helm chart and image registry mirror as the control plane. Set the service URLs to addresses reachable from the GPU cluster. If the GPU cluster reaches the control plane through one load balancer with hostname-based Gateway routing, keep the URL pointed at the load balancer and set the host-header overrides to the route hostnames.
If your GPU cluster can resolve per-service DNS names directly, set the service URLs to those names and omit the host-header override fields.
Create the pull secret in nvca-operator on the GPU cluster before installing
NVCA. Helmfile references the secret from global.imagePullSecrets, and the
operator propagates it to the managed namespaces after installation.
Step 8. Register and install each GPU cluster
Register each GPU cluster before installing NVCA. Registration discovers the GPU cluster’s OIDC issuer and JWKS, records them with SIS/ICMS, and writes the cluster identity values that the operator chart consumes.
Use KUBECONFIG_FILE for multi-cluster installs. It makes both registration and
Helmfile target the GPU cluster instead of the control-plane cluster.
For a complete Amazon EKS example, see the
CSP End-to-End Example.
The compute-plane Makefile runs nvcf-cli init before cluster register. Point
NVCF_CLI_CONFIG at a CLI config that can reach the control-plane gateway.
Run the compute-plane target from the repository root. The target writes
deploy/stacks/nvcf-compute-plane/registration/<gpu-cluster-name>-register-values.yaml.
Install the NVCA operator on that GPU cluster. The install target copies the
registration file into out/ and runs Helmfile with
HELMFILE_ENV=<environment-name>.
Verify the operator and backend on the GPU cluster:
For a multi-cluster EKS install, this is the expected GPU cluster validation:
the control plane is installed, each GPU cluster is registered with its own
kubeconfig, the NVCA Operator is installed on that GPU cluster, and the
NVCFBackend reports a healthy agent. Repeat registration, install, and health
checks for each GPU cluster. Function execution also requires worker pods on the
GPU cluster to reach the control-plane worker endpoints. Do not use function
deployment or invocation as the acceptance check until those endpoints are
reachable from the GPU cluster.
Repeat Step 8 for each additional GPU cluster. Use a unique CLUSTER_NAME for
each cluster.
Next Steps
After the control plane and GPU clusters are installed, proceed to Self-Managed Clusters for NVCA operations and troubleshooting.
Uninstalling
This will delete all NVCF resources including data stored in persistent volumes. Ensure you have backups of any important data.
To remove the NVCF installation:
After helmfile destroy completes, clean up the namespaces:
To also remove the Gateway infrastructure created by Gateway quickstart: