Server Node Operator Installation

The Server node will run Fuzzball Orchestrate, which is deployed as a K8s operator. We must therefore begin by obtaining and installing the operator.

First, we need an access key to obtain artifacts from Depot. You will receive this key from the CIQ sales/support team upon subscribing to Fuzzball. Save it somewhere safe (with appropriate permission so that only you can access it).

Now you can use the Depot access key to login to the registry using Helm.

# DEPOT_USER="" # populate with your username for CIQ Depot

# ACCESS_KEY="" # populate with the Depot key obtained from the CIQ sales/support team

# helm registry login depot.ciq.com --username "${DEPOT_USER}" --password "${ACCESS_KEY}"

Once you have logged into the depot registry, you can install the Fuzzball operator. You can replace the VERSION below if you need a different version of Fuzzball to be installed. (You can find different Fuzzball versions by signing into Portal and looking at Fuzzball under “my products”.)

# VERSION="v3.4.0"

# CHART="oci://depot.ciq.com/fuzzball/fuzzball-images/helm/fuzzball-operator"

# STORAGE_CLASS="longhorn" # adjust this if you are using a different StorageClass

# helm upgrade --install fuzzball-operator "${CHART}" \
  --namespace fuzzball-system --create-namespace \
  --version "${VERSION}" \
  --set "image.tag=${VERSION}" \
  --set "imagePullSecrets.name=repository-ciq-com" \
  --set "imagePullSecrets.inline.registry=depot.ciq.com" \
  --set "imagePullSecrets.inline.username=${DEPOT_USER}" \
  --set "imagePullSecrets.inline.password=${ACCESS_KEY}" \
  --set "storageClassName=${STORAGE_CLASS}"

After executing this command, you can check that the operator is installed properly with the following commands:

# kubectl get pvc -n fuzzball-system
NAME                                   STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   VOLUMEATTRIBUTESCLASS   AGE
fuzzball-operator-controller-manager   Bound    pvc-dfc2f2c3-8df0-4ec8-8503-2d927b13402e   20Gi       RWO            longhorn       <unset>                 11s

This will show that the fuzzball-operator-controller-manager is Bound to a volume.

# kubectl get crd fuzzballorchestrate.deployment.ciq.com
NAME                                     CREATED AT
fuzzballorchestrate.deployment.ciq.com   2025-12-11T21:42:25Z

This command shows that a new custom resource has been defined.

# kubectl get pod -n fuzzball-system
NAME                                                    READY   STATUS    RESTARTS   AGE
fuzzball-operator-controller-manager-6dd9bd7f56-hnb9b   2/2     Running   0          81s

This will show that 2/2 pods instantiating the fuzzball-operator-controller-manager are running. (It might take a few minutes to complete, so don’t worry if there are initially 0/3 ready.)

You can also inspect the configuration of the operator with the following command:

# helm get values -n fuzzball-system fuzzball-operator
USER-SUPPLIED VALUES:
image:
  repository: depot.ciq.com/fuzzball/fuzzball-images/fuzzball-operator
  tag: v3.4.0
imagePullSecrets:
  inline:
    password: <YOUR_PASSWORD_HERE>
    registry: depot.ciq.com
    username: dgodlove@ciq.com
  name: repository-ciq-com
storageClassName: longhorn

You can rerun the helm upgrade command if you want to update your version of Fuzzball or to change selected settings.

Customizing Resource Names

Most Kubernetes resources created by the chart derive their name from a computed prefix. The prefix is determined as follows:

If fullnameOverride is set, the prefix is exactly that value.
Otherwise, the effective name is nameOverride if set, or the chart name (fuzzball-operator).
If the release name already contains the effective name, the prefix is the release name alone. Otherwise, the prefix is <release-name>-<effective-name>.

Two optional Helm values control this behavior:

nameOverride: Substitutes an alternative chart name in step 2. For example, --set nameOverride=fbop with release name fuzzball-operator produces the prefix fuzzball-operator-fbop (release does not contain fbop), so the Deployment becomes fuzzball-operator-fbop-controller-manager.
fullnameOverride: Skips the release name entirely and sets the prefix directly. For example, --set fullnameOverride=fbop always produces fbop-controller-manager regardless of the release name.

The table below summarizes how these values combine with the release name to form resource prefixes:

`--set` flags	Release name	Result prefix
(none)	`fuzzball-operator`	`fuzzball-operator`
(none)	`fb`	`fb-fuzzball-operator`
`nameOverride=fbop`	`fuzzball-operator`	`fuzzball-operator-fbop`
`nameOverride=fbop`	`fbop`	`fbop`
`fullnameOverride=fbop`	(any)	`fbop`

Each affected resource appends a stable suffix to this prefix:

Suffix	Resource(s)
`-controller-manager`	Deployment, ServiceAccount, PersistentVolumeClaim
`-controller-manager-metrics-service`	Service
`-controller-manager-registry`	Service (only when `airgap.enabled=true`)
`-leader-election-role`	Role
`-leader-election-rolebinding`	RoleBinding
`-manager-rolebinding`	ClusterRoleBinding
`-proxy-rolebinding`	ClusterRoleBinding
`-update-crd-sa`	ServiceAccount (post-upgrade hook)
`-update-crd-role`	ClusterRole (post-upgrade hook)
`-update-resources`	ClusterRoleBinding (post-upgrade hook)
`-update-crds-job`	Job (post-upgrade hook)

The following resources are not affected by nameOverride or fullnameOverride:
CRDs (fuzzballorchestrate.deployment.ciq.com, fuzzballfederate.deployment.ciq.com) — Kubernetes enforces <plural>.<group> naming and these cannot be renamed.
ClusterRoles fuzzball-metrics-reader and fuzzball-proxy-role — fixed names generated by the kubebuilder/kube-rbac-proxy scaffolding.
imagePullSecrets Secret — controlled by imagePullSecrets.name, not the fullname helper.

Now that we have the operator installed, you can create a configuration to support the deployment of Fuzzball Orchestrate.