Helm Chart

Quick Install

helm repo add nora https://getnora-io.github.io/helm-charts
helm repo update
helm install nora nora/nora -n nora-system --create-namespace

This deploys NORA with local storage (10 Gi PVC), GC enabled, and ClusterIP service on port 4000.

values.yaml Reference

Image

Key	Default	Description
image.repository	ghcr.io/getnora-io/nora	Container image
image.tag	"" (Chart appVersion)	Image tag override
image.pullPolicy	IfNotPresent	Pull policy
imagePullSecrets	[]	Registry pull secrets

Service & Ingress

Key	Default	Description
service.type	ClusterIP	Service type
service.port	4000	Service port
ingress.enabled	false	Enable Ingress
ingress.className	""	Ingress class
ingress.annotations	{}	Ingress annotations
ingress.hosts	see values.yaml	Host rules
ingress.tls	[]	TLS configuration

Persistence

Key	Default	Description
persistence.enabled	true	Enable PVC
persistence.size	10Gi	Volume size
persistence.storageClass	""	StorageClass (empty = default)
persistence.accessModes	[ReadWriteOnce]	PVC access modes

NORA Configuration

Key	Default	Description
config.server.host	0.0.0.0	Bind address
config.server.port	4000	Listen port
config.storage.mode	local	Storage backend: local or s3
config.storage.path	/data/storage	Data path
config.docker.proxy_timeout	60	Docker upstream timeout (s)
config.docker.upstreams	[]	Docker upstream registries
config.gc.enabled	true	Enable garbage collection
config.gc.interval	86400	GC interval (s)
config.retention.enabled	false	Enable retention policies
config.retention.interval	86400	Retention interval (s)

Secrets & Environment

Key	Default	Description
existingSecret	""	Existing Secret with secrets.toml key (for private registry credentials)
extraEnv	[]	Extra env vars — native Kubernetes env spec
extraEnvFrom	[]	Extra envFrom entries (secretRef / configMapRef)

Resources & Scheduling

Key	Default	Description
resources.requests.cpu	100m	CPU request
resources.requests.memory	128Mi	Memory request
resources.limits.memory	512Mi	Memory limit
nodeSelector	{}	Node selector
tolerations	[]	Tolerations
affinity	{}	Affinity rules

Pod Security

Key	Default	Description
podSecurityContext.fsGroup	1000	Pod filesystem group
securityContext.runAsNonRoot	true	Non-root enforcement
securityContext.runAsUser	1000	Container UID
securityContext.readOnlyRootFilesystem	true	Read-only root FS

---

Configuration Patterns

1. Simple env var

extraEnv:
  - name: NORA_AUTH_ENABLED
    value: "true"
  - name: NORA_RATE_LIMIT_ENABLED
    value: "false"

2. Secret reference (single key)

extraEnv:
  - name: NORA_STORAGE_S3_ACCESS_KEY
    valueFrom:
      secretKeyRef:
        name: s3-credentials
        key: access-key
  - name: NORA_STORAGE_S3_SECRET_KEY
    valueFrom:
      secretKeyRef:
        name: s3-credentials
        key: secret-key

3. Bulk injection from Secret

Inject all keys from a Secret as env vars:

extraEnvFrom:
  - secretRef:
      name: nora-all-secrets

4. existingSecret for private registry credentials

Keep Docker upstream credentials out of values.yaml. Create a Secret with a secrets.toml key:

apiVersion: v1
kind: Secret
metadata:
  name: nora-registry-creds
stringData:
  secrets.toml: |
    [[docker.upstreams]]
    url = "https://private.registry.io"
    auth = "user:token"

Then reference it:

existingSecret: nora-registry-creds

These upstreams merge with config.docker.upstreams. The Secret wins for duplicate URLs.

5. ConfigMap reference

extraEnvFrom:
  - configMapRef:
      name: nora-feature-flags

---

Ingress Example

nginx Ingress Controller

ingress:
  enabled: true
  className: nginx
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
  hosts:
    - host: registry.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: nora-tls
      hosts:
        - registry.example.com

Contour HTTPProxy

Use raw manifests — see Kubernetes examples.

---

S3 Storage Example

config:
  storage:
    mode: s3
    path: /data/storage  # local cache path

extraEnv:
  - name: NORA_STORAGE_S3_URL
    value: "https://s3.amazonaws.com"
  - name: NORA_STORAGE_BUCKET
    value: "nora-registry"
  - name: NORA_STORAGE_S3_REGION
    value: "us-east-1"
  - name: NORA_STORAGE_S3_ACCESS_KEY
    valueFrom:
      secretKeyRef:
        name: s3-credentials
        key: access-key
  - name: NORA_STORAGE_S3_SECRET_KEY
    valueFrom:
      secretKeyRef:
        name: s3-credentials
        key: secret-key

---

Migration from v0.1.8

Chart v0.1.9 replaces env and secrets with extraEnv and extraEnvFrom.

Before (v0.1.8):

env:
  NORA_AUTH_ENABLED: "true"
secrets:
  NORA_STORAGE_S3_SECRET_KEY: "my-key"

After (v0.1.9):

extraEnv:
  - name: NORA_AUTH_ENABLED
    value: "true"
  - name: NORA_STORAGE_S3_SECRET_KEY
    valueFrom:
      secretKeyRef:
        name: my-s3-secret
        key: secret-key

Why: The old secrets map stored sensitive values in values.yaml — an anti-pattern for GitOps. extraEnv with secretKeyRef keeps secrets in Kubernetes Secrets where they belong.

---

Uninstall

helm uninstall nora -n nora-system

Caution

This does not delete the PVC. Data persists until you manually remove it:

kubectl delete pvc -n nora-system -l app.kubernetes.io/name=nora

---

See Also

• Settings Reference — all NORA environment variables
• Production Guide — reverse proxy, TLS, systemd
• Kubernetes Examples — raw manifests, Kustomize
• Source code