Kubernetes
Memgraph can be deployed on Kubernetes. The easiest way to do that is with Helm, the package manager for Kubernetes. Helm uses a packaging format called charts. A chart is a collection of files that describe a related set of Kubernetes resources.
Currently, we prepared and released the following charts:
- Memgraph standalone Helm chart
- Memgraph high availability Helm chart
- Memgraph Lab Helm chart
- Memgraph MCP Helm chart
The Helm charts are published on Artifact Hub. For details on the implementation of the Helm charts, check Memgraph Helm charts repository.
Due to numerous possible use cases and deployment setups via Kubernetes, the provided Helm charts are a starting point you can modify according to your needs. This page will highlight some of the specific parts of the Helm charts that you might want to adjust.
Memgraph standalone Helm chart
Memgraph is a stateful application (database), hence the Helm chart for
standalone
Memgraph is
configured to deploy Memgraph as a Kubernetes StatefulSet workload.
It will deploy a single Memgraph instance in a single pod.
Typically, when deploying a stateful application like Memgraph, a StatefulSet
workload is used to ensure that each pod has a unique identity and stable
network identity. When deploying Memgraph, it is also necessary to define a
PersistentVolumeClaims to store the data
directory (/var/lib/memgraph).
This enables the data to be persisted even if the pod is restarted or deleted.
Storage configuration
By default, the Helm chart will create a PersistentVolumeClaim (PVC) for
storage and logs. If the storage class for PVC is not defined, PVC will use the
default one available in the cluster. The storage class can be configured in the
values.yaml file. To avoid losing your data, make sure you have Retain
reclaim policy set on your storage class. If you delete PersistentVolumeClaim
without having Retain reclaim policy, you will lose your data because
PersistentVolume will get deleted too. The alternative to creating a new
storage class is to patch your existing storage class by applying the Retain
policy. This is necessary because the default Kubernetes policy is Delete. The
patching can be done using the following bash script:
#!/bin/bash
# Get all Persistent Volume names
PVS=$(kubectl get pv --no-headers -o custom-columns=":metadata.name")
# Loop through each PV and patch it
for pv in $PVS; do
echo "Patching PV: $pv"
kubectl patch pv $pv -p '{"spec":{"persistentVolumeReclaimPolicy":"Retain"}}'
done
echo
An example of a storage class for AWS EBS volumes:
```yaml
storageClass:
name: "gp2"
provisioner: "kubernetes.io/aws-ebs"
storageType: "gp2"
fsType: "ext4"
reclaimPolicy: "Retain"
volumeBindingMode: "Immediate"Default template for a storage class is part of the Helm chart and can be found
in the repository. If you don’t want to create a new storage class, set
storageClass.create to false.
More details on the configuration options can be found in the configuration section.
Secrets
The Helm chart allows you to use Kubernetes secrets to store Memgraph
credentials. By default, the secrets are disabled. If you want to use secrets,
you can enable them in the values.yaml file.
The secrets are prepared to work for environment variables MEMGRAPH_USER and MEMGRAPH_PASSWORD.
Probes
Memgraph standalone chart uses startup, readiness and liveness probes. The startup probe is used to determine when a container application has started. The liveness probe is used to determine when a container should be restarted. The readiness probe is used to determine when a container is ready to start accepting traffic. The startup probe will succeed only after the recovery of the Memgraph has finished. Liveness and readiness probes will start after the startup probe succeeds. By default, the startup probe has to succeed within 2 hours. If the recovery from backup takes longer than that, update the configuration to the value that is high enough. The liveness and readiness probe have to succeed at least once in 5 minutes for a pod to be considered ready.
System configuration
The Helm chart will set the linux kernel vm.max_map_count parameter to 524288 by default
to ensure Memgraph won’t run into issues with memory mapping.
The vm.max_map_count parameter is a kernel parameter that specifies the maximum number of memory map areas a process may have.
This change will be applied to all nodes in the cluster. If you want to disable this feature, you can set sysctlInitContainer.enabled to false in the values.yaml file.
Installing Memgraph standalone Helm chart
To include a standalone Memgraph into your Kubernetes cluster, you need to add the repository and install Memgraph.
The steps below will work in the Minikube environment, but you can also use them in other Kubernetes environments with minor adjustments.
Add the repository
Add the Memgraph Helm chart repository to your local Helm setup by running the following command:
helm repo add memgraph https://memgraph.github.io/helm-chartsMake sure to update the repository to fetch the latest Helm charts available:
helm repo updateInstall Memgraph
To install Memgraph Helm chart, run the following command:
helm install <release-name> memgraph/memgraphReplace <release-name> with the name of the release you chose.
When installing a chart, it’s best practice to specify the exact version you want to use. Using the latest tag can lead to issues, as a pod restart may pull a newer image, potentially causing unexpected changes or incompatibilities.
Install Memgraph standalone chart with minikube
If you are installing Memgraph standalone chart locally with minikube, we are strongly recommending to enable csi-hostpath-driver and use its storage class. Otherwise,
you could have problems with attaching PVCs to pods.
- Enable
csi-hostpath-driver
minikube addons disable storage-provisioner
minikube addons disable default-storageclass
minikube addons enable volumesnapshots
minikube addons enable csi-hostpath-driver- Create a storage class with
csi-hostpath-driveras a provider (file sc.yaml)
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: csi-hostpath-delayed
provisioner: hostpath.csi.k8s.io
volumeBindingMode: WaitForFirstConsumer
reclaimPolicy: Delete-
kubectl apply -f sc.yaml -
Set
storageClassNametocsi-hostpath-delayedinvalues.yaml
Access Memgraph
Once Memgraph is installed, you can access it using the provided services and
endpoints, such as various client libraries, command-line
interface mgconsole or visual user interface Memgraph
Lab.
Monitoring
Memgraph’s standalone chart integrates with Kubernetes monitoring tools through:
- The
kube-prometheus-stackHelm chart - Memgraph’s Prometheus exporter
The chart kube-prometheus-stack should be installed independently from HA chart with the following command:
helm install kube-prometheus-stack prometheus-community/kube-prometheus-stack \
-f kube_prometheus_stack_values.yaml \
--namespace monitoring \
--create-namespacekube_prometheus_stack_values.yaml is optional. A template is available in the upstream chart’s repository.
If you install the kube-prometheus-stack in a non-default namespace, allow cross-namespace scraping. You can allow this by adding the following configuration to your kube_prometheus_stack_values.yaml file:
prometheus:
prometheusSpec:
serviceMonitorSelectorNilUsesHelmValues: falseIn order to use Memgraph’s Prometheus exporter and ServiceMonitor make sure to update values.yaml configuration file:
prometheus:
enabled: true
namespace: monitoring
memgraphExporter:
port: 9115
pullFrequencySeconds: 5
repository: memgraph/mg-exporter
tag: 0.2.1
serviceMonitor:
kubePrometheusStackReleaseName: kube-prometheus-stack
interval: 15sIf you set prometheus.enabled to false, resources from charts/memgraph/templates/mg-exporter.yaml will still be installed into the monitoring namespace.
Refer to the configuration table later in the document for details on all parameters.
To uninstall kube-prometheus-stack, run:
helm uninstall kube-prometheus-stack --namespace monitoringNOTE: The stack’s CRDs are not deleted automatically and must be removed manually:
kubectl delete crd alertmanagerconfigs.monitoring.coreos.com
kubectl delete crd alertmanagers.monitoring.coreos.com
kubectl delete crd podmonitors.monitoring.coreos.com
kubectl delete crd probes.monitoring.coreos.com
kubectl delete crd prometheusagents.monitoring.coreos.com
kubectl delete crd prometheuses.monitoring.coreos.com
kubectl delete crd prometheusrules.monitoring.coreos.com
kubectl delete crd scrapeconfigs.monitoring.coreos.com
kubectl delete crd servicemonitors.monitoring.coreos.com
kubectl delete crd thanosrulers.monitoring.coreos.comRemote metrics and logs
The standalone chart can also ship:
- metrics to a remote Prometheus-compatible backend via
vmagentRemote(remote_write) - logs to a Loki-compatible backend via
vectorRemote
This is useful when your observability stack lives in a separate cluster or in a managed service.
Prerequisites:
- keep
prometheus.enabled: truesomg-exporteris deployed - for standalone deployments, enable Memgraph monitoring endpoints:
service.enableHttpMonitoring: trueservice.enableWebsocketMonitoring: true
- when
vectorRemote.enabled: true, add--monitoring-port=<service.websocketPortMonitoring>and--monitoring-address=0.0.0.0tomemgraphConfig - if you only need remote shipping and do not want duplicate scraping from kube-prometheus, set
prometheus.serviceMonitor.enabled: false
Example values.yaml:
prometheus:
enabled: true
namespace: monitoring
serviceMonitor:
enabled: false
service:
enableHttpMonitoring: true
enableWebsocketMonitoring: true
memgraphConfig:
- "--data-directory=/var/lib/memgraph/mg_data"
- "--also-log-to-stderr=true"
- "--monitoring-port=7444"
- "--monitoring-address=0.0.0.0"
vmagentRemote:
enabled: true
namespace: monitoring
remoteWrite:
url: "https://<prom-remote-write>/api/v1/write"
# Optional: only set basicAuth when your remote_write endpoint requires basic auth.
basicAuth:
secretName: monitoring-basic-auth
usernameKey: username
passwordKey: password
externalLabels:
cluster_id: "memgraph-standalone"
service_name: "memgraph"
cluster_env: "dev"
vectorRemote:
enabled: true
logsEndpoint: "https://<loki-endpoint>"
# Optional: only set auth when your endpoint requires basic auth.
auth:
secretName: monitoring-basic-auth
usernameKey: username
passwordKey: password
extraLabels:
cluster_id: "memgraph-standalone"
service_name: "memgraph"
cluster_env: "dev"
role: "standalone"Create credentials secret in the namespace where vmagent runs (usually monitoring):
kubectl create secret generic monitoring-basic-auth -n monitoring \
--from-literal=username='<username>' \
--from-literal=password='<password>'For the standalone Vector sidecar, create the same secret in the Memgraph release namespace as well:
kubectl create secret generic monitoring-basic-auth -n <memgraph-namespace> \
--from-literal=username='<username>' \
--from-literal=password='<password>'Kubernetes infrastructure metrics
vmagentRemote can additionally scrape Kubernetes infrastructure metrics
(kube-state-metrics, node-exporter, kubelet) required by
kube-prometheus-stack Kubernetes and Node dashboards, and remote-write them
to your centralized monitoring cluster.
Enable Kubernetes scraping by extending your existing vmagentRemote values:
vmagentRemote:
# ... existing fields (enabled, remoteWrite, externalLabels) ...
kubernetes:
enabled: true
kubeStateMetrics:
enabled: true
jobName: kube-state-metrics
targets:
- kube-prometheus-stack-kube-state-metrics.monitoring.svc.cluster.local:8080
nodeExporter:
enabled: true
jobName: node-exporter
targets:
- kube-prometheus-stack-prometheus-node-exporter.monitoring.svc.cluster.local:9100
kubelet:
enabled: true
jobName: kubelet
metricsPath: /metrics/cadvisor
apiServerAddress: kubernetes.default.svc:443
insecureSkipVerify: falseNotes:
- RBAC and
ServiceAccountresources are created only when an enabled scrape job requires Kubernetes API access (for examplekubelet.enabled=trueornodeExporter.useKubernetesDiscovery=true). - Keep
jobNamevalues aligned with dashboard and recording-rule expectations unless you also update those queries. - Dashboards that rely on precomputed recording-rule series still require rule evaluation in your monitoring stack.
A ready-to-use example values file is available in the Helm charts repository:
examples/remote-monitoring/values-standalone-k8s-metrics.yaml.
Node affinity
The chart exposes the full Kubernetes nodeAffinity spec via the nodeAffinity
parameter. This allows you to constrain which nodes Memgraph Pods can be
scheduled on based on node labels, using both requiredDuringSchedulingIgnoredDuringExecution
and preferredDuringSchedulingIgnoredDuringExecution rules.
Breaking change in chart version 0.2.17: The affinity.nodeKey and affinity.nodeValue parameters have been
replaced by nodeAffinity. If you were using the old parameters, update your values.yaml
to use the new nodeAffinity configuration.
Example values.yaml configuration:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: topology.kubernetes.io/zone
operator: In
values:
- antarctica-east1
- antarctica-west1
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: my-organization/node-performance
operator: In
values:
- bestFor more information, see the Kubernetes documentation on node affinity.
External access with LoadBalancer
By default, the standalone Helm chart creates a ClusterIP service, which is
only accessible from within the Kubernetes cluster. If you need to access
Memgraph from outside the cluster (e.g., from a local developer machine), you
can enable an additional LoadBalancer service.
To enable the LoadBalancer service, set service.loadBalancer.enabled to true
in your values.yaml file:
service:
loadBalancer:
enabled: true
type: LoadBalancer
enableBolt: trueThe LoadBalancer service uses the same ports as the main service (Bolt,
WebSocket monitoring, HTTP monitoring) but exposes them externally. You can
restrict access using loadBalancerSourceRanges:
service:
loadBalancer:
enabled: true
loadBalancerSourceRanges:
- 1.2.3.4/32
- 10.0.0.0/8Additional options like externalTrafficPolicy, ipFamilyPolicy, and
ipFamilies are available for fine-grained network configuration. See the
configuration table for all parameters.
Configuration options
The following table lists the configurable parameters of the Memgraph standalone chart and their default values.
| Parameter | Description | Default |
|---|---|---|
image.repository | Memgraph Docker image repository. | docker.io/memgraph/memgraph |
image.tag | Specific tag for the Memgraph Docker image. Overrides the image tag whose default is chart’s app version. | "" (chart’s app version) |
image.pullPolicy | Image pull policy. | IfNotPresent |
imagePullSecrets | List of image pull secrets. Leave empty to disable. | [] |
replicaCount | Number of Memgraph StatefulSet replicas. | 1 |
nodeAffinity | spec.affinity.nodeAffinity field for the Memgraph Pod. | {} |
priorityClassName | Indicates the importance of the Pod relative to other Pods. | null |
nodeSelector | Node selector for Pod scheduling. | {} |
tolerations | Pod tolerations. | [] |
service.type | Kubernetes service type (ClusterIP, NodePort, LoadBalancer). | ClusterIP |
service.enableBolt | Enable the Bolt port on the main service. | true |
service.boltPort | Bolt port. If changed, update ports in probes as well. | 7687 |
service.enableWebsocketMonitoring | Enable the websocket monitoring port on the main service. | false |
service.websocketPortMonitoring | Websocket monitoring port. | 7444 |
service.enableHttpMonitoring | Enable the HTTP monitoring port on the main service. | false |
service.httpPortMonitoring | HTTP monitoring port. | 9091 |
service.annotations | Annotations to add to the main service. | {} |
service.labels | Labels to add to the main service. | {} |
service.loadBalancer.enabled | Create an additional Service (default type LoadBalancer) for external access using the same ports as the main service. | false |
service.loadBalancer.type | Type of the additional external-access service. | LoadBalancer |
service.loadBalancer.enableBolt | Expose the Bolt port through the additional service. | true |
service.loadBalancer.enableWebsocketMonitoring | Expose the websocket monitoring port through the additional service. | false |
service.loadBalancer.enableHttpMonitoring | Expose the HTTP monitoring port through the additional service. | false |
service.loadBalancer.annotations | Annotations for the additional service. | {} |
service.loadBalancer.labels | Labels for the additional service. | {} |
service.loadBalancer.externalTrafficPolicy | externalTrafficPolicy for the additional service. | null |
service.loadBalancer.ipFamilyPolicy | ipFamilyPolicy for the additional service. | null |
service.loadBalancer.ipFamilies | ipFamilies for the additional service. | null |
service.loadBalancer.loadBalancerSourceRanges | Restrict traffic to the specified client IP ranges (only applies if the cloud provider supports it). | null |
persistentVolumeClaim.createStorageClaim | Create a PVC for data storage. If false, use existingClaim or storageVolumeName. | true |
persistentVolumeClaim.storageClassName | Storage class for the data PVC. Use a Retain reclaim policy to preserve data when the release is deleted. | local-path |
persistentVolumeClaim.storageSize | Size of the data PVC. Must be at least 4x the maximum dataset size to accommodate snapshots and WAL files. | 10Gi |
persistentVolumeClaim.libStorageAccessMode | Access mode for the data PVC. | ReadWriteOnce |
persistentVolumeClaim.existingClaim | Name of an existing PVC to use when createStorageClaim is false. | memgraph-0 |
persistentVolumeClaim.storageVolumeName | Existing volume to back the PVC. | "" |
persistentVolumeClaim.createLogStorage | Create a PVC for logs. If false, logs are only written to stdout/stderr. | true |
persistentVolumeClaim.logStorageClassName | Storage class for the log PVC. | local-path |
persistentVolumeClaim.logStorageSize | Size of the log PVC. | 1Gi |
persistentVolumeClaim.createUserClaim | Create a dynamic PVC for user files (configs, certificates, etc.). | false |
persistentVolumeClaim.userStorageClassName | Storage class for the user PVC. | "" |
persistentVolumeClaim.userStorageSize | Size of the user PVC. | 1Gi |
persistentVolumeClaim.userStorageAccessMode | Access mode for the user PVC. | ReadWriteOnce |
persistentVolumeClaim.userMountPath | Mount path for the user PVC inside the container. | "" |
persistentVolumeClaim.createCoreDumpsClaim | Create a PVC for core dumps. | false |
persistentVolumeClaim.coreDumpsStorageClassName | Storage class for the core dumps PVC. | "" |
persistentVolumeClaim.coreDumpsStorageSize | Size of the core dumps PVC. | 10Gi |
persistentVolumeClaim.coreDumpsMountPath | Mount path for the core dumps PVC. | /var/core/memgraph |
storageClass.create | Create a new StorageClass for data and logs. | false |
storageClass.name | Name of the created StorageClass. | memgraph-generic-storage-class |
storageClass.provisioner | StorageClass provisioner (change for production: AWS ebs.csi.aws.com, GCP pd.csi.storage.gke.io, Azure disk.csi.azure.com). | k8s.io/minikube-hostpath |
storageClass.storageType | StorageClass storage type (e.g. gp2, pd-standard, StandardSSD_LRS). | hostPath |
storageClass.fsType | Filesystem type for the StorageClass. | ext4 |
storageClass.reclaimPolicy | Reclaim policy for the StorageClass. | Retain |
storageClass.volumeBindingMode | Volume binding mode for the StorageClass. | Immediate |
memgraphConfig | List of Memgraph CLI flags passed at startup. See configuration settings. | ["--data-directory=/var/lib/memgraph/mg_data", "--also-log-to-stderr=true"] |
memgraphUserId | The user ID hardcoded in Memgraph and MAGE images. | 101 |
memgraphGroupId | The group ID hardcoded in Memgraph and MAGE images. | 103 |
secrets.enabled | Enable the use of Kubernetes secrets for Memgraph credentials. | false |
secrets.name | Name of the Kubernetes secret containing Memgraph credentials. | memgraph-secrets |
secrets.userKey | Key in the secret whose value is passed to the MEMGRAPH_USER environment variable. | USER |
secrets.passwordKey | Key in the secret whose value is passed to the MEMGRAPH_PASSWORD environment variable. | PASSWORD |
memgraphEnterpriseLicense | Memgraph Enterprise license key. | "" |
memgraphOrganizationName | Organization name associated with the Enterprise license. | "" |
statefulSetAnnotations | Annotations to add to the StatefulSet. | {} |
podAnnotations | Annotations to add to the Pod. | {} |
extraEnv | Additional environment variables passed to the Memgraph container. | [] |
resources | CPU/Memory resource requests/limits. Left empty by default. | {} |
serviceAccount.create | Whether a service account should be created. | true |
serviceAccount.annotations | Annotations to add to the service account. | {} |
serviceAccount.name | Name of the service account to use. If empty and create is true, a name is generated. | "" |
container.terminationGracePeriodSeconds | Grace period for Pod termination. Increase this when --storage-snapshot-on-exit is enabled so the on-exit snapshot has time to finish before SIGKILL. | 1800 |
container.readinessProbe.tcpSocket.port | Port used for the readiness TCP probe. Keep aligned with service.boltPort. | 7687 |
container.readinessProbe.failureThreshold | Failure threshold for the readiness probe. | 20 |
container.readinessProbe.timeoutSeconds | Timeout (seconds) for the readiness probe. | 10 |
container.readinessProbe.periodSeconds | Period (seconds) for the readiness probe. | 5 |
container.readinessProbe.initialDelaySeconds | Initial delay (seconds) for the readiness probe. | 0 |
container.livenessProbe.tcpSocket.port | Port used for the liveness TCP probe. Keep aligned with service.boltPort. | 7687 |
container.livenessProbe.failureThreshold | Failure threshold for the liveness probe. | 20 |
container.livenessProbe.timeoutSeconds | Timeout (seconds) for the liveness probe. | 10 |
container.livenessProbe.periodSeconds | Period (seconds) for the liveness probe. | 5 |
container.livenessProbe.initialDelaySeconds | Initial delay (seconds) for the liveness probe. | 0 |
container.startupProbe.tcpSocket.port | Port used for the startup TCP probe. Keep aligned with service.boltPort. | 7687 |
container.startupProbe.failureThreshold | Failure threshold for the startup probe. Increase if recovery takes longer than 2 hours. | 1440 |
container.startupProbe.timeoutSeconds | Timeout (seconds) for the startup probe. | 1 |
container.startupProbe.periodSeconds | Period (seconds) for the startup probe. | 5 |
container.startupProbe.initialDelaySeconds | Initial delay (seconds) for the startup probe. | 0 |
customQueryModules | List of custom query modules mounted into the Memgraph container and loaded at startup. Each item requires volume (ConfigMap name) and file. | [] |
lifecycleHooks | Container lifecycle hooks for the Memgraph container. | {} |
extraVolumes | Additional volumes mounted into the Pod. | [] |
extraVolumeMounts | Additional volume mounts for the Memgraph container. | [] |
sysctlInitContainer.enabled | Enable the init container that sets vm.max_map_count. | true |
sysctlInitContainer.maxMapCount | Value to set for vm.max_map_count. | 524289 |
sysctlInitContainer.image.repository | Image repository for the sysctl init container. | docker.io/library/busybox |
sysctlInitContainer.image.tag | Image tag for the sysctl init container. | latest |
sysctlInitContainer.image.pullPolicy | Image pull policy for the sysctl init container. | IfNotPresent |
initContainers | Additional init containers to add to the Memgraph Pod. | [] |
prometheus.enabled | Deploy Kubernetes resources for Memgraph’s Prometheus exporter. | false |
prometheus.namespace | Namespace where the exporter and kube-prometheus-stack resources are installed. | monitoring |
prometheus.memgraphExporter.port | Port on which Memgraph’s Prometheus exporter is exposed. | 9115 |
prometheus.memgraphExporter.pullFrequencySeconds | How often the exporter pulls data from Memgraph. | 5 |
prometheus.memgraphExporter.repository | Image repository for Memgraph’s Prometheus exporter. | docker.io/memgraph/prometheus-exporter |
prometheus.memgraphExporter.tag | Image tag for Memgraph’s Prometheus exporter. | 0.2.1 |
prometheus.serviceMonitor.enabled | Deploy a ServiceMonitor object for Prometheus scraping. | true |
prometheus.serviceMonitor.kubePrometheusStackReleaseName | Release name under which kube-prometheus-stack is installed. | kube-prometheus-stack |
prometheus.serviceMonitor.interval | How often Prometheus pulls data from Memgraph’s exporter. | 15s |
vmagentRemote.enabled | Deploy a vmagent Deployment that scrapes mg-exporter and remote-writes to a Prometheus-compatible endpoint. | false |
vmagentRemote.namespace | Namespace for the vmagent Deployment and its resources. Defaults to prometheus.namespace when empty. | "" |
vmagentRemote.image.repository | vmagent image repository. | victoriametrics/vmagent |
vmagentRemote.image.tag | vmagent image tag. | v1.139.0 |
vmagentRemote.image.pullPolicy | vmagent image pull policy. | IfNotPresent |
vmagentRemote.remoteWrite.url | Prometheus remote_write URL. Required when vmagentRemote.enabled=true. | "" |
vmagentRemote.remoteWrite.basicAuth.secretName | Kubernetes Secret holding basic-auth credentials for remote_write. When empty, basic auth is not configured. | "" |
vmagentRemote.remoteWrite.basicAuth.usernameKey | Key in the basic-auth Secret holding the username. | username |
vmagentRemote.remoteWrite.basicAuth.passwordKey | Key in the basic-auth Secret holding the password. | password |
vmagentRemote.scrapeInterval | Global scrape_interval applied to vmagent scrape jobs. | 15s |
vmagentRemote.externalLabels | External labels attached to every scraped sample before remote-write. | {} |
vmagentRemote.resources | Resource requests/limits for the vmagent container. | {} |
vmagentRemote.httpPort | vmagent local HTTP listen port for metrics/debug (the remote-write target is remoteWrite.url). | 8429 |
vmagentRemote.kubernetes.enabled | Enable scraping of Kubernetes infrastructure metrics used by kube-prometheus dashboards. | false |
vmagentRemote.kubernetes.kubeStateMetrics.enabled | Scrape kube-state-metrics. | true |
vmagentRemote.kubernetes.kubeStateMetrics.jobName | Prometheus job label for kube-state-metrics. Keep aligned with dashboard/recording-rule expectations. | kube-state-metrics |
vmagentRemote.kubernetes.kubeStateMetrics.targets | Static scrape targets for kube-state-metrics. | [kube-prometheus-stack-kube-state-metrics.monitoring.svc.cluster.local:8080] |
vmagentRemote.kubernetes.nodeExporter.enabled | Scrape node-exporter. | true |
vmagentRemote.kubernetes.nodeExporter.jobName | Prometheus job label for node-exporter. | node-exporter |
vmagentRemote.kubernetes.nodeExporter.useKubernetesDiscovery | Discover node-exporter pods via Kubernetes SD so namespace/pod/node labels are present for recording rules. | false |
vmagentRemote.kubernetes.nodeExporter.podMetricsPort | Pod port used by Kubernetes SD to match node-exporter pods. | "9100" |
vmagentRemote.kubernetes.nodeExporter.appNameLabel | Expected value of app.kubernetes.io/name on node-exporter pods. | prometheus-node-exporter |
vmagentRemote.kubernetes.nodeExporter.appInstanceLabel | Expected value of app.kubernetes.io/instance on node-exporter pods. | kube-prometheus-stack-prometheus-node-exporter |
vmagentRemote.kubernetes.nodeExporter.targets | Static fallback targets for node-exporter when useKubernetesDiscovery=false. | [kube-prometheus-stack-prometheus-node-exporter.monitoring.svc.cluster.local:9100] |
vmagentRemote.kubernetes.kubelet.enabled | Scrape kubelet metrics via the Kubernetes API server node proxy. | true |
vmagentRemote.kubernetes.kubelet.jobName | Prometheus job label for kubelet. Keep as kubelet so kube-prometheus dashboards and recording rules continue to match. | kubelet |
vmagentRemote.kubernetes.kubelet.metricsPath | Metrics path for the primary kubelet scrape (cAdvisor). | /metrics/cadvisor |
vmagentRemote.kubernetes.kubelet.additionalMetricsEnabled | Enable a second kubelet scrape job for /metrics alongside the cAdvisor job. | true |
vmagentRemote.kubernetes.kubelet.additionalJobName | Prometheus job label for the additional kubelet scrape. | kubelet-metrics |
vmagentRemote.kubernetes.kubelet.additionalMetricsPath | Metrics path for the additional kubelet scrape. | /metrics |
vmagentRemote.kubernetes.kubelet.apiServerAddress | Kubernetes API server address used to proxy kubelet scrapes. | kubernetes.default.svc:443 |
vmagentRemote.kubernetes.kubelet.insecureSkipVerify | Skip TLS verification of the kube-apiserver serving cert when scraping kubelet. | false |
If you enable the --storage-snapshot-on-exit
flag via memgraphConfig, Memgraph creates a full snapshot of the database
during shutdown. Snapshot creation time scales with dataset size and can
exceed the default 30-minute container.terminationGracePeriodSeconds.
If the grace period is shorter than the time needed to write the on-exit
snapshot, Kubernetes will SIGKILL Memgraph mid-write, leaving the snapshot
incomplete. Benchmark the snapshot time on a representative dataset and set
container.terminationGracePeriodSeconds to comfortably cover it.
For all available database settings, refer to the configuration settings docs.
Memgraph high availability Helm chart
Please continue on our Memgraph high availability Helm chart setup.
Memgraph Lab Helm chart
A Helm chart for deploying Memgraph Lab on Kubernetes.
Installing the Memgraph Lab Helm chart
To install the Memgraph Lab Helm chart, follow the steps below:
helm install <release-name> memgraph/memgraph-labReplace <release-name> with a name of your choice for the release.
Changing the default chart values
To change the default chart values, run the command with the specified set of flags:
helm install <resource-name> memgraph/memgraph-lab --set <flag1>=<value1>,<flag2>=<value2>,...Or you can modify a values.yaml file and override the desired values:
helm install <resource-name> memgraph/memgraph-lab -f values.yamlGateway API support
The Memgraph Lab Helm chart supports the Kubernetes Gateway API for external access. When enabled, the chart creates an HTTPRoute resource to route HTTP(S) traffic to Memgraph Lab. You can either let the chart create its own Gateway or attach the route to a pre-existing one.
Before enabling Gateway API, you must have a Gateway API controller (e.g., Envoy Gateway, Istio, Cilium) installed in your cluster, and a GatewayClass resource must exist. The chart does not create a GatewayClass — you must create it yourself or use one provided by your controller installation. See the HA chart Gateway API prerequisites for detailed setup instructions.
Chart-managed Gateway
To let the chart create a Gateway with an HTTPRoute:
gateway:
enabled: true
gatewayClassName: "eg"
listeners:
- name: lab-http
port: 80
protocol: HTTPFor HTTPS with TLS termination:
gateway:
enabled: true
gatewayClassName: "eg"
listeners:
- name: lab-https
port: 443
protocol: HTTPS
tls:
certificateRefs:
- name: lab-tls-secretExisting (external) Gateway
To attach an HTTPRoute to a pre-existing Gateway (for example, a shared Gateway that also serves the HA chart):
gateway:
enabled: true
existingGatewayName: "memgraph-gateway"When the existing Gateway uses different listener names than the chart defaults, use httpRoute.sectionNames to specify which listener names the route should attach to:
gateway:
enabled: true
existingGatewayName: "memgraph-gateway"
httpRoute:
sectionNames:
- lab-httpYou can also configure host-based routing with httpRoute.hostnames:
gateway:
enabled: true
existingGatewayName: "memgraph-gateway"
httpRoute:
sectionNames:
- lab-http
hostnames:
- lab.example.comA standalone Gateway manifest with pre-configured listeners for both Lab and HA is available in the Helm charts repository. Deploy it with kubectl apply -f gateway.yaml before installing the charts with existingGatewayName.
Configuration options
The following table lists the configurable parameters of the Memgraph Lab chart and their default values.
| Parameter | Description | Default |
|---|---|---|
image.repository | Memgraph Lab Docker image repository | docker.io/memgraph/lab |
image.tag | Specific tag for the Memgraph Lab Docker image. Overrides the image tag whose default is chart version. | "" (Defaults to chart’s app version) |
image.pullPolicy | Image pull policy | IfNotPresent |
replicaCount | Number of Memgraph Lab instances to run. | 1 |
service.type | Kubernetes service type | ClusterIP |
service.port | Kubernetes service port | 3000 |
service.targetPort | Kubernetes service target port | 3000 |
service.protocol | Protocol used by the service | TCP |
service.annotations | Annotations to add to the service | {} |
podAnnotations | Annotations to add to the pod | {} |
resources | CPU/Memory resource requests/limits. Left empty by default. | {} (See note on uncommenting) |
serviceAccount.create | Specifies whether a service account should be created | true |
serviceAccount.annotations | Annotations to add to the service account | {} |
serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated. | "" |
secrets.enabled | Enable the use of Kubernetes secrets. Will be injected as env variables. | false |
secrets.name | The name of the Kubernetes secret that will be used. | memgraph-secrets |
secrets.keys | Keys from the secrets.name that will be stored as env variables inside the pod. | [] |
gateway.enabled | Enable Gateway API external access. | false |
gateway.gatewayClassName | Name of a pre-existing GatewayClass. Required when creating a new Gateway. | "" |
gateway.existingGatewayName | Name of an existing Gateway to attach routes to. Skips Gateway creation. | "" |
gateway.existingGatewayNamespace | Namespace of the existing Gateway. Defaults to release namespace. | "" |
gateway.annotations | Annotations for the Gateway resource. | {} |
gateway.labels | Labels for the Gateway resource. | {} |
gateway.listeners | List of Gateway listeners with name, port, protocol, and optional tls configuration. | [{name: lab-http, port: 80, protocol: HTTP}] |
gateway.httpRoute.sectionNames | Listener names to attach to on the Gateway. If empty, derived from listeners[].name. | [] |
gateway.httpRoute.hostnames | Hostnames for the HTTPRoute. | [] |
gateway.httpRoute.matches | HTTPRoute match rules. | [{path: {type: PathPrefix, value: /}}] |
Memgraph Lab can be further configured with environment variables in your
values.yaml file.
env:
- name: QUICK_CONNECT_MG_HOST
value: memgraph
- name: QUICK_CONNECT_MG_PORT
value: "7687"
- name: KEEP_ALIVE_TIMEOUT_MS
value: 65000In case you added Nginx Ingress service or web server for a reverse proxy, update the following proxy timeout annotations to avoid potential timeouts:
proxy_read_timeout X;
proxy_connect_timeout X;
proxy_send_timeout X;where X is the number of seconds the connection (request query) can be alive.
Additionally, update the Memgraph Lab KEEP_ALIVE_TIMEOUT_MS environment
variable to a higher value to ensure that Memgraph Lab stays connected to Memgraph
when running queries over 65 seconds.
Refer to the Memgraph Lab documentation for details on how to configure Memgraph Lab.
Memgraph MCP Helm chart
A Helm chart for deploying the Memgraph MCP server on Kubernetes. The MCP server exposes Memgraph to LLM clients via the Model Context Protocol, so you can connect agentic applications running in your cluster to a Memgraph backend.
The chart deploys the MCP server as a Deployment fronted by a ClusterIP
Service on port 8000. The server connects to a Memgraph instance over Bolt
using the URL configured via the MEMGRAPH_URL environment variable; Memgraph
itself is not deployed by this chart, so install it separately (for example with
the standalone or
HA chart) before installing
memgraph-mcp.
Installing the Memgraph MCP Helm chart
Before installing, review the env and authSecret sections in
values.yaml. The defaults assume Memgraph is reachable at
bolt://memgraph-data-0:7687 and that no authentication is required
(authSecret.enabled=false).
To install the chart against an unauthenticated Memgraph instance, run:
helm install <release-name> memgraph/memgraph-mcpReplace <release-name> with a name of your choice for the release.
If your Memgraph deployment requires authentication, create a Kubernetes
secret with the credentials and enable authSecret:
kubectl create secret generic mcp-auth-secret \
--from-literal=MEMGRAPH_USER=<your-user> \
--from-literal=MEMGRAPH_PASSWORD=<your-password>
helm install <release-name> memgraph/memgraph-mcp \
--set authSecret.enabled=trueThe secret name and key names are configurable via authSecret.name,
authSecret.userKey, and authSecret.passwordKey.
Changing the default chart values
To change the default chart values, run the command with the specified set of flags:
helm install <release-name> memgraph/memgraph-mcp --set <flag1>=<value1>,<flag2>=<value2>,...Or modify a values.yaml file and override the desired values:
helm install <release-name> memgraph/memgraph-mcp -f values.yamlConnecting the MCP server to Memgraph
The MCP server is configured through environment variables passed via the
env list in values.yaml. The most important variables are:
| Variable | Description | Default |
|---|---|---|
MEMGRAPH_URL | Bolt URL of the target Memgraph instance. | bolt://memgraph-data-0:7687 |
MEMGRAPH_DATABASE | Memgraph database the MCP server connects to. | memgraph |
MCP_SERVER | MCP server implementation to run. Alternatives: server, memgraph-experimental. | server |
MCP_TRANSPORT | Transport used by the MCP server. Alternatives: streamable-http, stdio. | streamable-http |
MCP_READ_ONLY | Enable read-only mode, blocking write operations (CREATE, MERGE, DELETE, SET, DROP). | true |
Example values.yaml snippet connecting the MCP server to a standalone
Memgraph release named memgraph in the same namespace:
env:
- name: MEMGRAPH_URL
value: bolt://memgraph:7687
- name: MEMGRAPH_DATABASE
value: memgraph
- name: MCP_SERVER
value: server
- name: MCP_TRANSPORT
value: streamable-http
- name: MCP_READ_ONLY
value: "true"
authSecret:
enabled: true
name: mcp-auth-secret
userKey: MEMGRAPH_USER
passwordKey: MEMGRAPH_PASSWORDOnce installed, the MCP server is available inside the cluster at
http://<release-name>-memgraph-mcp:8000/mcp. To reach it from outside the
cluster, use kubectl port-forward or override service.type to expose the
service through a NodePort or LoadBalancer.
Configuration options
The following table lists the configurable parameters of the Memgraph MCP chart and their default values.
| Parameter | Description | Default |
|---|---|---|
replicaCount | Number of MCP server replicas. | 1 |
image.repository | MCP server Docker image repository. | docker.io/memgraph/mcp-memgraph |
image.tag | Specific tag for the MCP server Docker image. | 0.1.13 |
image.pullPolicy | Image pull policy. | IfNotPresent |
imagePullSecrets | List of image pull secrets for pulling from private registries. | [] |
nameOverride | Override the chart name. | "" |
fullnameOverride | Override the fully qualified app name. | "" |
podAnnotations | Annotations to add to the Pod. | {} |
podLabels | Labels to add to the Pod. | {} |
defaultPodSecurityContext | Default Pod-level security context applied when podSecurityContext is empty. Runs as the Memgraph 101:103 user, non-root, with RuntimeDefault seccomp. | See values.yaml |
podSecurityContext | Pod-level security context. Overrides defaultPodSecurityContext when set. | {} |
defaultSecurityContext | Default container-level security context applied when securityContext is empty. Drops all capabilities, read-only root filesystem, non-root. | See values.yaml |
securityContext | Container-level security context. Overrides defaultSecurityContext when set. | {} |
initContainers | Additional init containers to run before the main container starts. | [] |
service.type | Kubernetes service type. | ClusterIP |
service.port | Service port exposed by the MCP server. | 8000 |
service.targetPort | Container port the service targets. Defaults to the named http port that tracks service.port. | http |
service.annotations | Annotations to add to the service. | {} |
resources | CPU/Memory resource requests/limits for the MCP container. | {cpu: 100m, memory: 128Mi} (requests and limits) |
extraContainers | Additional containers (sidecars) to add to the Pod. Each entry is a full container spec. | [] |
nodeSelector | Node selector for Pod scheduling. | {} |
tolerations | Pod tolerations. | [] |
affinity | Pod affinity rules. | {} |
livenessProbe | Liveness probe configuration. Rendered through tpl, so values may reference other Helm values. | GET /health on http, 15s delay, 10s period, 20 failures, 10s timeout |
readinessProbe | Readiness probe configuration. Rendered through tpl, so values may reference other Helm values. | GET /health on http, 15s delay, 10s period, 20 failures, 10s timeout |
env | Environment variables passed to the MCP container. Controls MEMGRAPH_URL, MEMGRAPH_DATABASE, MCP_SERVER, MCP_TRANSPORT, and MCP_READ_ONLY. | See values.yaml |
authSecret.enabled | Inject MEMGRAPH_USER and MEMGRAPH_PASSWORD from a Kubernetes secret. | false |
authSecret.name | Name of the Kubernetes secret holding Memgraph credentials. | mcp-auth-secret |
authSecret.userKey | Key in the secret whose value is passed to the MEMGRAPH_USER environment variable. | MEMGRAPH_USER |
authSecret.passwordKey | Key in the secret whose value is passed to the MEMGRAPH_PASSWORD environment variable. | MEMGRAPH_PASSWORD |
Refer to the MCP documentation for details on how to use the Memgraph MCP server with LLM clients.