Enterprise

NetBoxEnterprise CRD Reference

The NetBoxEnterprise custom resource defines a complete NetBox Enterprise deployment. The nbe-operator watches these resources and reconciles them into the appropriate Kubernetes objects.

API Details:

Field	Value
Group	`netboxlabs.com`
Version	`v1alpha1`
Kind	`NetBoxEnterprise`
Scope	Namespaced
Short name	`nbe`

Full CRD: netboxenterprises.netboxlabs.com-v2.0.0.yaml

Minimal Example

apiVersion: netboxlabs.com/v1alpha1
kind: NetBoxEnterprise
metadata:
  name: netbox
  namespace: netbox
spec:
  netbox:
    replicas: 1
    worker:
      replicas: 1
  postgresql:
    external: false
  redis:
    external: false

Full Example

apiVersion: netboxlabs.com/v1alpha1
kind: NetBoxEnterprise
metadata:
  name: netbox
  namespace: netbox
spec:
  suspend: false
  maintenanceMode: false
  backups: false

  labels:
    app.kubernetes.io/managed-by: netbox-operator

  imagePullSecrets:
    - netbox-enterprise-registry

  netbox:
    replicas: 2
    httpPort: 8080
    mediaStorageSize: "10Gi"
    urls:
      - "https://netbox.example.com"
    resources:
      cpu: 500
      memory: 1024
    limits:
      cpu: 2000
      memory: 2048
    worker:
      replicas: 2
      resources:
        cpu: 200
        memory: 256
      limits:
        cpu: 1000
        memory: 1500
    config:
      metricsEnabled: true
      allowedHosts:
        - "*"

  postgresql:
    external: false
    instances: 2
    version: "18"
    storageSize: "20Gi"

  redis:
    external: false
    clusterSize: 3
    persistence: true

  diode:
    enabled: true
    reconciler:
      replicas: 1
    ingester:
      replicas: 1
    auth:
      replicas: 1
    hydra:
      replicas: 1
    config:
      reconciler:
        autoApplyChangesets: false
        logLevel: INFO

Spec Reference

Top-Level Fields

Field	Type	Default	Description
`suspend`	bool	`false`	Pause reconciliation — existing workloads keep running
`maintenanceMode`	bool	`false`	Scale down all app components, keep databases running
`backups`	bool	`false`	Enable Velero backup integration (Enterprise license required)
`labels`	map[string]string	—	Labels applied to all managed resources
`annotations`	map[string]string	—	Annotations applied to all managed resources
`imagePullPolicy`	string	`Always`	Default image pull policy
`imagePullSecrets`	[]string	—	Pull secrets for private registries
`registry`	string	—	Default container registry URL
`clusterDnsSuffix`	string	—	Kubernetes cluster DNS suffix (defaults to `cluster.local`)

`spec.postgresqlProfiles`

Named PostgreSQL connection profiles that components can reference by name. This avoids duplicating host, port, and TLS settings across components when they share the same database server.

postgresqlProfiles:
  netbox:
    host: db.example.com
    port: 5432
    username: netbox
    tlsConfig:
      sslmode: verify-full
      keychainCaCertificates: ['pgo']

Field	Type	Default	Description
`postgresqlProfiles.<name>.host`	string	—	PostgreSQL hostname
`postgresqlProfiles.<name>.port`	uint16	—	PostgreSQL port
`postgresqlProfiles.<name>.username`	string	—	PostgreSQL username
`postgresqlProfiles.<name>.tlsConfig`	object	—	TLS configuration (see PostgreSQL TLS)

PostgreSQL Profile `tlsConfig`

Field	Type	Default	Description
`sslmode`	enum	`prefer`	`disable`, `allow`, `prefer`, `require`, `verify-ca`, `verify-full`
`insecureSkipVerify`	bool	`false`	Skip TLS verification
`keychainCaCertificates`	[]string	—	CA names from `tlsKeychain`
`keychainClientCertificate`	string	—	Client cert name from `tlsKeychain`

note

When CA certificates are configured via keychainCaCertificates, libpq verifies the server certificate even with sslmode: require (effectively upgrading it to verify-ca behavior). This is because the operator sets PGSSLROOTCERT when CA certificates are provided. If you need require without verification, omit the CA certificates.

`spec.netbox`

Required. NetBox application deployment configuration.

Field	Type	Default	Description
`replicas`	uint8	`1`	Web application replicas (0–255)
`httpPort`	uint16	`8080`	HTTP port
`statusPort`	uint16	`8081`	Health check port
`mediaStorageSize`	string	`10Gi`	Media PVC size
`scriptsStorageSize`	string	`1Gi`	Scripts PVC size
`storageClassName`	string	—	Storage class override
`urls`	[]string	—	External URLs (configures ingress)
`registry`	string	—	Container registry override
`imagePullPolicy`	string	`Always`	Image pull policy
`resources.cpu`	int	`200`	CPU request (millicores)
`resources.memory`	int	`750`	Memory request (MiB)
`limits.cpu`	int	`1000`	CPU limit (millicores)
`limits.memory`	int	`1500`	Memory limit (MiB)
`env`	[]EnvVar	—	Environment variables
`yamlEnv`	string	—	YAML string of env vars

`spec.netbox.image`

Field	Type	Default	Description
`registry`	string	`ghcr.io`	Container registry
`repository`	string	`netbox-community/netbox`	Image repository
`tag`	string	Chart-dependent	Image tag
`digest`	string	—	Image digest for pinning
`pullPolicy`	string	`Always`	Pull policy

`spec.netbox.worker` (Required)

Field	Type	Default	Description
`replicas`	uint8	`1`	Worker replicas
`resources.cpu`	int	`100`	CPU request (millicores)
`resources.memory`	int	`128`	Memory request (MiB)
`limits.cpu`	int	`1000`	CPU limit (millicores)
`limits.memory`	int	`1500`	Memory limit (MiB)

`spec.netbox.config`

Field	Type	Default	Description
`allowedHosts`	[]string	`['*']`	Django allowed hosts
`metricsEnabled`	bool	`false`	Expose `/metrics` endpoint
`customPythonConfig`	string	—	Inline custom Python config
`customPythonConfigRef`	ConfigMapKeySelector	—	ConfigMap ref for Python config
`secretKey`	SecretKeySelector	Auto-generated	Django secret key
`emailPassword`	SecretKeySelector	—	Email password
`superuser`	object	Auto-generated	Superuser credentials (all 4 fields required if set)
`storage.s3.enabled`	bool	`false`	Enable S3 media storage
`storage.s3.tlsConfig`	object	—	S3 TLS/mTLS configuration (see S3 TLS)

S3 Storage TLS

The storage.s3.tlsConfig field uses the keychain TLS pattern for custom CA certificates and client certificates (mTLS):

Field	Type	Default	Description
`tlsConfig.insecureSkipVerify`	bool	`false`	Skip SSL certificate verification
`tlsConfig.keychainCaCertificates`	[]string	—	CA names from `tlsKeychain` for server verification
`tlsConfig.keychainClientCertificate`	string	—	Client cert name from `tlsKeychain` for mTLS

`spec.postgresql`

Required. PostgreSQL database configuration.

Field	Type	Default	Description
`external`	bool	`false`	Use external PostgreSQL
`instances`	uint8	`1`	PGO replica count (internal only)
`version`	string	`18`	PostgreSQL major version
`storageSize`	string	`4Gi`	Storage per instance
`storageClassName`	string	—	Storage class
`registry`	string	—	Image registry override
`postgresqlProfile`	string	—	Name of a profile from `postgresqlProfiles` for host, port, and TLS config

`spec.redis`

Required. Redis cache/queue configuration.

Field	Type	Default	Description
`external`	bool	`false`	Use external Redis
`name`	string	`redis`	Instance name
`clusterSize`	uint8	`1`	Redis replicas
`persistence`	bool	`true`	Enable persistence
`requireAuth`	bool	`false`	Require authentication
`resources.cpu`	int	`250`	CPU request (millicores)
`resources.memory`	int	`256`	Memory request (MiB)
`storageClassName`	string	—	Storage class

`spec.redis.tlsConfig`

Field	Type	Default	Description
`insecureSkipVerify`	bool	`false`	Skip TLS verification
`keychainCaCertificates`	[]string	—	CA names from `tlsKeychain`
`keychainClientCertificate`	string	—	Client cert name from `tlsKeychain`

`spec.diode`

Optional. Diode data ingestion pipeline.

Field	Type	Default	Description
`enabled`	bool	`true`	Enable Diode
`reconciler.replicas`	uint8	`1`	Reconciler replicas
`ingester.replicas`	uint8	`1`	Ingester replicas
`auth.replicas`	uint8	`1`	Auth replicas
`hydra.replicas`	uint8	`1`	Hydra replicas
`hydra.autoMigrate`	bool	`true`	Auto-run Hydra DB migrations
`hydra.postgresqlProfile`	string	—	PostgreSQL profile for Hydra's database connection

Each component also has resources, limits, annotations, labels, extraEnvs, and image fields. Service account names are auto-generated from the cluster name (e.g., {name}-diode-ingester) unless explicitly overridden.

`spec.diode.config.reconciler`

Field	Type	Default	Description
`autoApplyChangesets`	bool	`true`	Auto-apply change sets
`logLevel`	enum	`INFO`	`INFO`, `DEBUG`, `WARN`, `ERROR`
`databaseName`	string	`diode`	PostgreSQL database
`databaseUser`	string	`diode`	PostgreSQL user
`migrationEnabled`	bool	`true`	Run DB migrations
`redisDb`	uint8	`0`	Redis database number
`redisStreamDb`	uint8	`1`	Redis stream database
`rateLimitRps`	uint8	`20`	Rate limit (req/sec)
`postgres.postgresqlProfile`	string	—	PostgreSQL profile for Diode's database connection

`spec.tlsKeychain`

Centralized TLS certificate management.

`spec.tlsKeychain.caCertificateSecrets[]`

Field	Type	Default	Description
`name`	string	Required	Logical name (referenced in `tlsConfig`)
`secret`	string	Same as `name`	Kubernetes secret name
`key`	string	`ca.crt`	Key within the secret

`spec.tlsKeychain.clientCertificateSecrets[]`

Field	Type	Default	Description
`name`	string	Required	Logical name
`secret`	string	Same as `name`	Kubernetes secret name
`certKey`	string	`tls.crt`	Certificate key
`privateKey`	string	`tls.key`	Private key

`spec.extraCaCertificates`

Additional CA certificates to trust system-wide. Added to the system trust store of all NetBox components and merged into every service-specific CA bundle (PostgreSQL, Redis).

extraCaCertificates:
  - name: internal-ca-secret
    key: ca.crt

Next Steps

Status & Conditions — Understanding cluster health
Configuration — Helm values reference

Minimal Example​

Full Example​

Spec Reference​

Top-Level Fields​

spec.postgresqlProfiles​

PostgreSQL Profile tlsConfig​

spec.netbox​

spec.netbox.image​

spec.netbox.worker (Required)​

spec.netbox.config​

S3 Storage TLS​

spec.postgresql​

spec.redis​

spec.redis.tlsConfig​

spec.diode​

spec.diode.config.reconciler​

spec.tlsKeychain​

spec.tlsKeychain.caCertificateSecrets[]​

spec.tlsKeychain.clientCertificateSecrets[]​

spec.extraCaCertificates​

Next Steps​