Skip to main content
The tero-edge Helm chart deploys Edge as a DaemonSet, renders config.json and policies.json into a ConfigMap, and (optionally) wires up HTTP policy sync with API-key auth. The chart is published two ways — an OCI registry and a classic HTTP Helm repository — pick whichever your tooling prefers.

Install

No helm repo add needed — reference the chart by its OCI URL:
helm upgrade --install tero-edge oci://ghcr.io/usetero/charts/tero-edge \
  --version <chart-version> \
  -n tero-system --create-namespace \
  -f values.yaml
List available versions:
helm show chart oci://ghcr.io/usetero/charts/tero-edge --version <chart-version>
OCI support is built into Helm 3.8+. Older clients need export HELM_EXPERIMENTAL_OCI=1.
Both sources publish identical charts from the same release, so values.yaml and every flag below behave the same regardless of which you choose.

Configure

Create a values.yaml with the policy-sync connection and the service identity the control plane uses to scope policies: Pick the tab for your Datadog region — the upstreamUrl and metricsUrl change per region; everything else is identical.
values.yaml
tero:
  url: https://sync.usetero.com
  apiKey: "" # it is recommended to use an existing secret instead
  existingSecret:
    name: ""
    key: ""

config:
  upstreamUrl: https://agent-http-intake.logs.datadoghq.com
  metricsUrl: https://api.datadoghq.com

  # Service identity sent on every policy sync. The control plane scopes and
  # matches policies to this service, so set name/namespace/version.
  service:
    name: edge
    namespace: production
    version: 1.0.0
    resourceAttributes:
      - key: deployment.environment
        value: production
    labels:
      - key: team
        value: platform

Authentication

Setting tero.url automatically configures the HTTP policy provider. Provide the API key one of two ways — never both:
MethodValues
Inline (chart-managed Secret)tero.apiKey: <key>
Existing Secrettero.existingSecret.name + tero.existingSecret.key
# Reference a Secret you manage instead of an inline key:
tero:
  url: https://sync.usetero.com
  existingSecret:
    name: tero-edge-api
    key: api-key
Without tero.url, Edge loads policies only from the local file provider — no remote policy sync.

Values

The keys you’ll touch most. For every chart value (image, scheduling, service account, ingress), see the chart’s README.md.
KeyDefaultDescription
tero.url""Control plane base URL; setting it enables HTTP policy sync
tero.apiKey""Inline API key (chart creates the Secret)
tero.existingSecret.name""Name of a Secret you manage instead of tero.apiKey
tero.existingSecret.keyapi-keyKey within that Secret holding the API key
config.upstreamUrlhttps://agent-http-intake.logs.datadoghq.comLogs intake endpoint (set per Datadog region)
config.metricsUrlhttps://api.datadoghq.comMetrics endpoint (set per Datadog region)
config.logLevelinfoEdge log level
config.maxBodySize1048576Max request body in bytes
config.maxConnections256Max concurrent connections; dominant memory cap (≈ maxConnections × maxBodySize)
config.maxDecodedBytesnullPost-decompression body ceiling; defaults to maxBodySize
config.workerCountnullhttpz event-loop workers (null = default 1)
config.threadPoolCountnullhttpz handler threads (null = default 32; scales per-thread memory)
config.service.name""Service name sent on policy sync (omitted if empty)
config.service.namespace""Service namespace sent on policy sync
config.service.version""Service version sent on policy sync
config.service.resourceAttributes[]OTel resource attributes ({key, value}) sent on policy sync
config.service.labels[]Free-form labels ({key, value}) sent on policy sync
policiesJSON[]Local policies rendered to the file provider (raw JSON objects)

Verify

kubectl -n tero-system rollout status ds/tero-edge
kubectl -n tero-system port-forward ds/tero-edge 8080:8080 &
curl http://localhost:8080/_health
A 200 OK from /_health confirms Edge is running. Edge’s own Prometheus metrics are available at /_edge/metrics.

Upgrade and uninstall

# Upgrade to a new chart version (re-uses your values.yaml)
helm upgrade tero-edge <source> --version <chart-version> \
  -n tero-system -f values.yaml

# Uninstall
helm uninstall tero-edge -n tero-system
See the Configuration reference for every config.* field, and Operations for probes, resource sizing, and graceful shutdown.

Next Steps

Configuration

Full configuration reference

Operations

Probes, resources, and shutdown