OptionTypeDescriptionDefault Value
clickhousestructConfiguration for the Clickhouse deployment, which stores logs from OTel collectors. See the Bitnami Clickhouse Helm chart for the complete set of values.
clickhouse.authstructAuthentication configuration
clickhouse.auth.existingSecretstringName of existing secret to use for authenticationclickhouse-auth
clickhouse.auth.existingSecretKeystringKey in existing secret to use for authenticationpassword
clickhouse.enabledboolSet to false to disable the clickhouse dependency.false
clickhouse.fullnameOverridestringOverride the full name, used for the service and the statefulsetclickhouse
clickhouse.keeperstructKeeper configuration
clickhouse.keeper.enabledboolSet to false to disable the zookeeper dependency.false
clickhouse.replicaCountintNumber of replicas1
clickhouse.shardsintNumber of shards to create1
clickhouse.zookeeperstructZookeeper configuration
clickhouse.zookeeper.enabledboolSet to false to disable the zookeeper dependency.false
commonstruct
commonstructCommon values shared across components. When applicable, these can be overridden in specific components.
common.addonNamespacestringNamespace to install add-on components into, such as the Gloo external auth and rate limiting services.gloo-mesh-addons
common.adminNamespacestringNamespace to install control plane components into. The admin namespace also contains global configuration, such as Workspace, global overrides WorkspaceSettings, and KubernetesCluster resources.
common.clusterstringName of the cluster. Be sure to modify this value to match your cluster’s name.
common.clusterDomainstringThe local cluster domain suffix this cluster is configured with. Defaults to ‘cluster.local’.
common.devModeboolSet to true to enable development mode for the logger, which can cause panics. Do not use in production.false
common.insecureboolPermit unencrypted and unauthenticated communication between Gloo control and data planes. Do not use in production.false
common.leaderElectionboolEnable leader election for the high-availability deployment.true
common.prometheusBearerTokenFilestringThe path to the file that contains the bearer token that is used by the Gloo UI to authenticate to the Prometheus server. To connect the Gloo UI to the built-in Prometheus server in OpenShift, use /var/run/secrets/kubernetes.io/serviceaccount/token. Otherwise, set this field only when you use a custom HTTPS Prometheus server.
common.prometheusCAFilestringThe path to the file that contains the public CA certificate that is used by the Gloo UI to verify the Prometheus server’s certificate. To connect the Gloo UI to the built-in Prometheus server in OpenShift, use /var/run/secrets/kubernetes.io/serviceaccount/ca.crt. Otherwise, set this field only when you use a custom HTTPS Prometheus server.
common.prometheusClientCertSecretNamestring(deprecated) The name of the secret that contains the Prometheus client TLS certificates used to identify the UI client to the Prometheus server. The secret must be in the same namespace as the gloo-mesh-ui pod. Set this field only when you use a custom HTTPS Prometheus server.
common.prometheusSkipTLSVerifyboolSet this field to true to disable verification of the Prometheus server TLS certificate. Set this field only when you use a custom HTTPS Prometheus server.false
common.prometheusUrlstringThe address for the Prometheus server. If you want to connect the Gloo UI to the built-in Prometheus server in OpenShift, use https://thanos-querier.openshift-monitoring.svc:9091.http://prometheus-server
common.readOnlyGeneratedResourcesboolIf true, the deployment only reads Istio resource outputs that are created by Gloo Platform, and filters out Istio resource fields that Gloo Mesh cannot properly unmarshal. These other resource outputs are not visible in the Gloo UI.false
common.verboseboolEnable verbose/debug logging.false
demostructDemo-specific features that improve quick setups. Do not use in production.
demo.manageAddonNamespaceboolAutomatically create the add-on namespace set in ‘common.addonNamespace’.false
experimentalstructExperimental features for Gloo Platform. Disabled by default. Do not use in production.
experimental.ambientEnabledboolAllow Gloo Mesh to create Istio Ambient Mesh resources.false
experimental.asyncStatusWritesboolEnable asynchronous writing of statuses to Kubernetes objects.false
extAuthServicestructConfiguration for the Gloo external authentication service.
extAuthService.enabledboolEnable the Gloo external authentication service.false
extAuthService.extAuthstructConfiguration for the extauth service.
extAuthService.extAuth.apiKeyStoragestructConfiguration for the deployed extauth service.
extAuthService.extAuth.apiKeyStorage.configmap[string, interface]The ApiKeyStorage configuration. To configure access to Redis use the RedisOptions. Currently, only redis is supported.null
extAuthService.extAuth.apiKeyStorage.config.<MAP_KEY>interfaceThe ApiKeyStorage configuration. To configure access to Redis use the RedisOptions. Currently, only redis is supported.
extAuthService.extAuth.apiKeyStorage.enabledboolEnable API key storage.false
extAuthService.extAuth.apiKeyStorage.namestringThe permanent storage to be used. Currently, only redis is supported.
extAuthService.extAuth.apiKeyStorage.redisstructConfiguration for using a Redis instance for authentication.
extAuthService.extAuth.apiKeyStorage.redis.authstructValues for the authentication details.
extAuthService.extAuth.apiKeyStorage.redis.auth.enabledboolConnect to the Redis instance with a passwordfalse
extAuthService.extAuth.apiKeyStorage.redis.auth.passwordKeystringThe secret key containing the password to use for authentication
extAuthService.extAuth.apiKeyStorage.redis.auth.secretNamestringName of the k8s secret that contains the password
extAuthService.extAuth.apiKeyStorage.redis.auth.usernameKeystringThe secret key containing the username to use for authentication
extAuthService.extAuth.apiKeyStorage.secretKeystringThe secret key to hash the API key with.
extAuthService.extAuth.floatingUserIDboolSet to true to use a floating user ID.false
extAuthService.extAuth.headersToRedact[][]stringHeaders that will be redacted in the server logs.[“authorization”]
extAuthService.extAuth.healthCheckFailTimeoutintWhen receiving a termination signal, the pod waits this amount of seconds for a request that it can use to notify Envoy that it should fail the health check for this endpoint. If no request is received within this interval, the server will shutdown gracefully. The interval should be greater than the active health check interval configured in Envoy for this service.15
extAuthService.extAuth.healthCheckHttpPathstringPath for Envoy health checks./healthcheck
extAuthService.extAuth.healthLivenessCheckHttpPathstringPath for liveness health checks./livenesscheck
extAuthService.extAuth.imagestructValues for the extauth image.
extAuthService.extAuth.image.pullPolicystringImage pull policy.IfNotPresent
extAuthService.extAuth.image.registrystringImage registry.gcr.io/gloo-mesh
extAuthService.extAuth.image.repositorystringImage name (repository).ext-auth-service
extAuthService.extAuth.image.tagstringVersion tag for the container.0.51.8
extAuthService.extAuth.leaderElectionEnabledboolEnable leader election for ext-auth-service.true
extAuthService.extAuth.logLevelstringSeverity level to collect logs for.INFO
extAuthService.extAuth.namespacedRbac[][]structScopes watches and RBAC policies for the given set of GVKs to the given set of namespaces. Currently, ‘secrets’ are the only supported resource.[{“resources”:[],“namespaces”:[]}]
extAuthService.extAuth.namespacedRbac[].namespaces[][]string
extAuthService.extAuth.namespacedRbac[].resources[][]string
extAuthService.extAuth.opaServerstructConfiguration for the optional OPA server sidecar.
extAuthService.extAuth.opaServer.additionalOpaEnvmap[string, string]Additional OPA environment variables{}
extAuthService.extAuth.opaServer.additionalOpaEnv.<MAP_KEY>stringAdditional OPA environment variables
extAuthService.extAuth.opaServer.configYamlstringOPA configuration yaml file
extAuthService.extAuth.opaServer.enabledboolEnable the OPA server.false
extAuthService.extAuth.opaServer.imagestructValues for the sidecar OPA Server image.
extAuthService.extAuth.opaServer.image.pullPolicystringImage pull policy.IfNotPresent
extAuthService.extAuth.opaServer.image.registrystringImage registry.openpolicyagent
extAuthService.extAuth.opaServer.image.repositorystringImage name (repository).opa
extAuthService.extAuth.opaServer.image.tagstringVersion tag for the container.0.64.1
extAuthService.extAuth.otelCollectorZipkinEndpointstringProvide to the OpenTelemetry collector zipkin endpoint in your cluster to enable trace generation.
extAuthService.extAuth.pluginDirectorystringDirectory in which the server expects Go plugin .so files./auth-plugins/
extAuthService.extAuth.replicasintNumber of replicas to create1
extAuthService.extAuth.resourcesstructValues for the container resource requests.
extAuthService.extAuth.resources.requestsstructMinimum amount of compute resources required. For more info, see the Kubernetes documentation.
extAuthService.extAuth.resources.requests.cpustringAmount of CPU resource.125m
extAuthService.extAuth.resources.requests.memorystringAmount of memory resource.256Mi
extAuthService.extAuth.runAsUserintUser ID for the containers to run as.10101
extAuthService.extAuth.servicestructConfiguration for the deployed extauth service.
extAuthService.extAuth.service.annotationsmap[string, string]Kubernetes service annotations.{}
extAuthService.extAuth.service.annotations.<MAP_KEY>stringKubernetes service annotations.
extAuthService.extAuth.service.debugNodePortintOnly relevant if the service is of type NodePort.32001
extAuthService.extAuth.service.debugPortintPort on the extauth server to pull logs from.9091
extAuthService.extAuth.service.grpcNodePortintOnly relevant if the service is of type NodePort.32000
extAuthService.extAuth.service.grpcPortintPort the extauth server listens on for gRPC requests.8083
extAuthService.extAuth.service.healthNodePortintOnly relevant if the service is of type NodePort.32002
extAuthService.extAuth.service.healthPortintPort the extauth server listens on for health checks.8082
extAuthService.extAuth.service.typestringKubernetes service type.ClusterIP
extAuthService.extAuth.signingKeystringProvide the server’s secret signing key. If empty, a random key is generated.
extAuthService.extAuth.signingKeyFilestructMount the secret as a file rather than pass the signing key as a environment variable. To ensure maximum security by default, the file is limited to 0440 permissions and the fsGroup matches the runAsGroup.
extAuthService.extAuth.signingKeyFile.enabledboolMount the secret as a file.false
extAuthService.extAuth.signingKeyFile.fileModeintFile permission.288
extAuthService.extAuth.signingKeyFile.fsGroupintGroup ID for volume ownership.10101
extAuthService.extAuth.signingKeyFile.groupSettingEnabledboolSet to true to use a volume group.true
extAuthService.extAuth.signingKeyFile.runAsGroupintGroup ID for the container to run as.10101
extAuthService.extAuth.signingKeyFile.runAsUserintUser ID for the container to run as.10101
extAuthService.extAuth.userIdHeaderstringUser ID header.
extAuthService.extAuth.watchNamespacestringNamespaces to watch in your cluster. If omitted or empty, all namespaces are watched.
extAuthService.extraLabelsmap[string, string]Extra key-value pairs to add to the labels data of the extauth deployment.null
extAuthService.extraLabels.<MAP_KEY>stringExtra key-value pairs to add to the labels data of the extauth deployment.
extAuthService.extraTemplateAnnotationsmap[string, string]Extra annotations to add to the extauth service pods.{“proxy.istio.io/config”:"{ "holdApplicationUntilProxyStarts": true }"}
extAuthService.extraTemplateAnnotations.<MAP_KEY>stringExtra annotations to add to the extauth service pods.
extAuthService.extraTemplateAnnotations.proxy.istio.io/configstringExtra annotations to add to the extauth service pods.{ “holdApplicationUntilProxyStarts”: true }
glooAgentstruct
glooAgentstructConfiguration for the Gloo agent.
glooAgentstructConfiguration for the glooAgent deployment.
glooAgent.accessLogsBufferSizeintNumber of access logs to buffer per Envoy proxy.50
glooAgent.deploymentOverridesstructArbitrary overrides for the component’s deployment template.
glooAgent.devModeboolSet to true to enable development mode for the logger, which can cause panics. Do not use in production.false
glooAgent.enabledboolConfiguration for the Gloo agent.false
glooAgent.enabledboolDeploy a Gloo agent to the cluster.false
glooAgent.enabledboolEnable creation of the deployment/service.true
glooAgent.env[]sliceEnvironment variables for the container. For more info, see the Kubernetes documentation.[{“name”:“POD_NAMESPACE”,“valueFrom”:{“fieldRef”:{“fieldPath”:“metadata.namespace”}}},{“name”:“K8S_MEM_LIMIT”,“valueFrom”:{“resourceFieldRef”:{“resource”:“limits.memory”,“divisor”:“1”}}}]
glooAgent.extraEnvsstructExtra environment variables for the container
glooAgent.floatingUserIdboolAllow the pod to be assigned a dynamic user ID. Required for OpenShift installations.false
glooAgent.imagestructContainer image.
glooAgent.image.pullPolicystringImage pull policy.IfNotPresent
glooAgent.image.pullSecretstringImage pull secret.
glooAgent.image.registrystringImage registry.gcr.io/gloo-mesh
glooAgent.image.repositorystringImage name (repository).gloo-mesh-agent
glooAgent.image.tagstringVersion tag for the container image.
glooAgent.insecureboolPermit unencrypted and unauthenticated communication between Gloo control and data planes. Do not use in production.false
glooAgent.istiodSidecarstructConfiguration for the istiod sidecar deployment.
glooAgent.istiodSidecar.createRoleBindingboolCreate the cluster role binding for the istiod sidecar. Set this value to ’true’ only when using the Vault integration.false
glooAgent.istiodSidecar.istiodServiceAccountstructObject reference for the istiod service account.
glooAgent.istiodSidecar.istiodServiceAccount.namestringistiod
glooAgent.istiodSidecar.istiodServiceAccount.namespacestringistio-system
glooAgent.leaderElectionboolEnable leader election for the high-availability deployment.false
glooAgent.maxGrpcMessageSizestringMaximum message size for gRPC messages sent and received by the management server.4294967295
glooAgent.metricsBufferSizeintNumber of metrics messages to buffer per Envoy proxy.50
glooAgent.namespacedRbac[][]structScopes watches and RBAC policies for the given set of GVKs to the given set of namespaces. Currently, ‘secrets’ are the only supported resource.[{“resources”:[],“namespaces”:[]}]
glooAgent.namespacedRbac[].namespaces[][]string
glooAgent.namespacedRbac[].resources[][]string
glooAgent.portsmap[string, uint32]Service ports as a map from port name to port number.{“grpc”:9977,“healthcheck”:8090,“http”:9988,“stats”:9091}
glooAgent.ports.<MAP_KEY>uint32Service ports as a map from port name to port number.
glooAgent.ports.grpcuint32Service ports as a map from port name to port number.9977
glooAgent.ports.healthcheckuint32Service ports as a map from port name to port number.8090
glooAgent.ports.httpuint32Service ports as a map from port name to port number.9988
glooAgent.ports.statsuint32Service ports as a map from port name to port number.9091
glooAgent.readOnlyGeneratedResourcesboolIf true, the deployment only reads Istio resource outputs that are created by Gloo Platform, and filters out Istio resource fields that Gloo Mesh cannot properly unmarshal. These other resource outputs are not visible in the Gloo UI.false
glooAgent.relaystructConfiguration for securing relay communication between the workload agents and the management server.
glooAgent.relay.authoritystringSNI name in the authority/host header used to connect to relay forwarding server. Must match server certificate CommonName. Do not change the default value.gloo-mesh-mgmt-server.gloo-mesh
glooAgent.relay.clientTlsSecretstructCustom certs: Secret containing client TLS certs used to identify the Gloo agent to the management server. If you do not specify a clientTlssSecret, you must specify a tokenSecret and a rootTlsSecret.
glooAgent.relay.clientTlsSecret.namestringrelay-client-tls-secret
glooAgent.relay.clientTlsSecret.namespacestring
glooAgent.relay.clientTlsSecretRotationGracePeriodRatiostringThe ratio of the client TLS certificate lifetime to when the management server starts the certificate rotation process.
glooAgent.relay.rootTlsSecretstructSecret containing a root TLS cert used to verify the management server cert. The secret can also optionally specify a ’tls.key’, which is used to generate the agent client cert.
glooAgent.relay.rootTlsSecret.namestringrelay-root-tls-secret
glooAgent.relay.rootTlsSecret.namespacestring
glooAgent.relay.serverAddressstringAddress and port by which gloo-mesh-mgmt-server in the Gloo control plane can be accessed by the Gloo workload agents.
glooAgent.relay.tokenSecretstructSecret containing a shared token for authenticating Gloo agents when they first communicate with the management server. A token secret is not needed with ACM certs.
glooAgent.relay.tokenSecret.keystringKey value of the data within the Kubernetes secret.token
glooAgent.relay.tokenSecret.namestringName of the Kubernetes secret.relay-identity-token-secret
glooAgent.relay.tokenSecret.namespacestringNamespace of the Kubernetes secret.
glooAgent.resourcesstructContainer resource requirements. For more info, see the Kubernetes documentation.{“requests”:{“cpu”:“50m”,“memory”:“128Mi”}}
glooAgent.runAsUseruint32Static user ID to run the containers as. Unused if floatingUserId is ’true’.10101
glooAgent.securityContextstructContainer security context. Set to ‘false’ to omit the security context entirely. For more info, see the Kubernetes documentation.
glooAgent.serviceOverridesstructArbitrary overrides for the component’s service template.
glooAgent.serviceTypestringKubernetes service type. Can be either “ClusterIP”, “NodePort”, “LoadBalancer”, or “ExternalName”.ClusterIP
glooAgent.sidecarsmap[string, struct]Optional configuration for the deployed containers.{}
glooAgent.sidecars.<MAP_KEY>structOptional configuration for the deployed containers.
glooAgent.sidecars.<MAP_KEY>.env[]sliceEnvironment variables for the container. For more info, see the Kubernetes documentation.
glooAgent.sidecars.<MAP_KEY>.extraEnvsstructExtra environment variables for the container
glooAgent.sidecars.<MAP_KEY>.imagestructContainer image.
glooAgent.sidecars.<MAP_KEY>.image.pullPolicystringImage pull policy.
glooAgent.sidecars.<MAP_KEY>.image.pullSecretstringImage pull secret.
glooAgent.sidecars.<MAP_KEY>.image.registrystringImage registry.
glooAgent.sidecars.<MAP_KEY>.image.repositorystringImage name (repository).
glooAgent.sidecars.<MAP_KEY>.image.tagstringVersion tag for the container image.
glooAgent.sidecars.<MAP_KEY>.resourcesstructContainer resource requirements. For more info, see the Kubernetes documentation.
glooAgent.sidecars.<MAP_KEY>.securityContextstructContainer security context. Set to ‘false’ to omit the security context entirely. For more info, see the Kubernetes documentation.
glooAgent.verboseboolEnable verbose/debug logging.false
glooMgmtServerstruct
glooMgmtServerstructConfiguration for the Gloo management server.
glooMgmtServerstructConfiguration for the glooMgmtServer deployment.
glooMgmtServer.cloudResourcesDiscoverystructConfiguration for automatic discovery of CloudResources.
glooMgmtServer.cloudResourcesDiscovery.enabledboolEnable automated discovery of CloudResources, such as AWS Lambda functions, based on CloudProvider configuration.true
glooMgmtServer.cloudResourcesDiscovery.pollingIntervaluint16Polling interval (in seconds) for calling AWS when attempting to discover CloudResources.10
glooMgmtServer.concurrencyuint16Concurrency to use for translation operations.10
glooMgmtServer.createGlobalWorkspaceboolSingle-cluster setups only: Create a global workspace that selects all namespaces, and create default workspace settings.false
glooMgmtServer.deploymentOverridesstructArbitrary overrides for the component’s deployment template.
glooMgmtServer.devModeboolSet to true to enable development mode for the logger, which can cause panics. Do not use in production.false
glooMgmtServer.enableClusterLoadBalancingboolExperimental: Enable cluster load balancing. The management server replicas attempt to auto-balance the number of registered workload clusters, based on the number of replicas and the number of total clusters. For example, the server might disconnect a workload cluster if the number of connected clusters is greater than the allotted number.false
glooMgmtServer.enabledboolDeploy the gloo-mesh-mgmt-server.false
glooMgmtServer.enabledboolEnable creation of the deployment/service.true
glooMgmtServer.env[]sliceEnvironment variables for the container. For more info, see the Kubernetes documentation.[{“name”:“POD_NAMESPACE”,“valueFrom”:{“fieldRef”:{“fieldPath”:“metadata.namespace”}}},{“name”:“POD_UID”,“valueFrom”:{“fieldRef”:{“fieldPath”:“metadata.uid”}}},{“name”:“K8S_MEM_LIMIT”,“valueFrom”:{“resourceFieldRef”:{“resource”:“limits.memory”,“divisor”:“1”}}},{“name”:“LICENSE_KEY”,“valueFrom”:{“secretKeyRef”:{“name”:“gloo-mesh-enterprise-license”,“key”:“key”,“optional”:true}}},{“name”:“REDIS_USERNAME”,“valueFrom”:{“secretKeyRef”:{“name”:“redis-auth-secrets”,“key”:“username”,“optional”:true}}},{“name”:“REDIS_PASSWORD”,“valueFrom”:{“secretKeyRef”:{“name”:“redis-auth-secrets”,“key”:“password”,“optional”:true}}}]
glooMgmtServer.extraEnvsstructExtra environment variables for the container
glooMgmtServer.floatingUserIdboolAllow the pod to be assigned a dynamic user ID. Required for OpenShift installations.false
glooMgmtServer.imagestructContainer image.
glooMgmtServer.image.pullPolicystringImage pull policy.IfNotPresent
glooMgmtServer.image.pullSecretstringImage pull secret.
glooMgmtServer.image.registrystringImage registry.gcr.io/gloo-mesh
glooMgmtServer.image.repositorystringImage name (repository).gloo-mesh-mgmt-server
glooMgmtServer.image.tagstringVersion tag for the container image.
glooMgmtServer.insecureboolPermit unencrypted and unauthenticated communication between Gloo control and data planes. Do not use in production.false
glooMgmtServer.leaderElectionboolEnable leader election for the high-availability deployment.false
glooMgmtServer.maxGrpcMessageSizestringMaximum message size for gRPC messages sent and received by the management server.4294967295
glooMgmtServer.namespacedRbac[][]structScopes watches and RBAC policies for the given set of GVKs to the given set of namespaces. Currently, ‘secrets’ are the only supported resource.[{“resources”:[],“namespaces”:[]}]
glooMgmtServer.namespacedRbac[].namespaces[][]string
glooMgmtServer.namespacedRbac[].resources[][]string
glooMgmtServer.portsmap[string, uint32]Service ports as a map from port name to port number.{“grpc”:9900,“healthcheck”:8090}
glooMgmtServer.ports.<MAP_KEY>uint32Service ports as a map from port name to port number.
glooMgmtServer.ports.grpcuint32Service ports as a map from port name to port number.9900
glooMgmtServer.ports.healthcheckuint32Service ports as a map from port name to port number.8090
glooMgmtServer.readOnlyGeneratedResourcesboolIf true, the deployment only reads Istio resource outputs that are created by Gloo Platform, and filters out Istio resource fields that Gloo Mesh cannot properly unmarshal. These other resource outputs are not visible in the Gloo UI.false
glooMgmtServer.registerClusterboolSet up the management cluster with the Gloo management server and a simple workspace that selects all registered clusters and namespaces by default. This way, you can get started quickly for single cluster or testing setups. For multicluster or production setups, use your own fine-grained workspaces instead. To complete your installation, make sure to enable all other Gloo components that you want, including the Gloo agent.false
glooMgmtServer.relaystructConfiguration for certificates to secure server-agent relay communication. Required only for multicluster setups.
glooMgmtServer.relay.disableCaboolTo disable relay CA functionality, set to true. Set to true only when you supply your custom client certs to the agents for relay mTLS. The gloo-mesh-mgmt-server pod will not require a token secret or the signing cert secret. The agent pod will not require the token secret, but will fail without a client cert.false
glooMgmtServer.relay.disableCaCertGenerationboolDo not auto-generate self-signed CA certificates. Set to true only when you supply own.false
glooMgmtServer.relay.disableTokenGenerationboolDo not create the relay token Kubernetes secret. Set to true only when you supply own.false
glooMgmtServer.relay.pushRbacboolPush RBAC resources to the management server. Required for multicluster RBAC in the Gloo UI.true
glooMgmtServer.relay.signingTlsSecretstructSecret containing TLS certs used to sign CSRs created by workload agents.
glooMgmtServer.relay.signingTlsSecret.namestringrelay-tls-signing-secret
glooMgmtServer.relay.signingTlsSecret.namespacestring
glooMgmtServer.relay.tlsSecretstructSecret containing client TLS certs used to secure the management server.
glooMgmtServer.relay.tlsSecret.namestringrelay-server-tls-secret
glooMgmtServer.relay.tlsSecret.namespacestring
glooMgmtServer.relay.tokenSecretstructSecret containing a shared token for authenticating Gloo agents when they first communicate with the management server.
glooMgmtServer.relay.tokenSecret.keystringKey value of the data within the Kubernetes secret.token
glooMgmtServer.relay.tokenSecret.namestringName of the Kubernetes secret.relay-identity-token-secret
glooMgmtServer.relay.tokenSecret.namespacestringNamespace of the Kubernetes secret.
glooMgmtServer.resourcesstructContainer resource requirements. For more info, see the Kubernetes documentation.{“requests”:{“cpu”:“125m”,“memory”:“1Gi”}}
glooMgmtServer.runAsUseruint32Static user ID to run the containers as. Unused if floatingUserId is ’true’.10101
glooMgmtServer.safeModeboolIf set to true: In the event that Redis restarts and has its cache deleted, the Gloo management server halts translation. Translation does not resume until the agents in each workload cluster reconnect to the management server and the Redis cache is re-populated. Then, the management server resumes translation and provides an updated output snapshot back to the agents. Until translation resumes, the agents use the last provided output snapshot. This way, the agents only apply and modify your resources based on a complete translation context. The default setting is false.false
glooMgmtServer.safeStartWindowintThe time in seconds to halt translation. During this time, the Gloo management server does not translate any input snapshots until the agents in each workload cluster connect and send their input snapshot are re-populated in the Redis cache. After this time expires, the Gloo management server resumes translation, even if input snapshots from some agents are missing in Redis. Note that this setting is ignored if safeMode is set to true. To disable the safeStartWindow option, set the time to ‘0’ (zero). Keep in mind that if safeMode is also disabled (which is the default), the Gloo management server starts translation immediately after getting an input snapshot from an agent. The management server does not wait for other agents, which can lead to translation without the complete context across your workload clusters. The default value is 180 seconds.180
glooMgmtServer.securityContextstructContainer security context. Set to ‘false’ to omit the security context entirely. For more info, see the Kubernetes documentation.
glooMgmtServer.serviceAccountstructService account configuration to use for the management server deployment.
glooMgmtServer.serviceAccount.extraAnnotationsmap[string, string]Extra annotations to add to the service account.null
glooMgmtServer.serviceAccount.extraAnnotations.<MAP_KEY>stringExtra annotations to add to the service account.
glooMgmtServer.serviceOverridesstructArbitrary overrides for the component’s service template.
glooMgmtServer.serviceTypestringKubernetes service type. Can be either “ClusterIP”, “NodePort”, “LoadBalancer”, or “ExternalName”.LoadBalancer
glooMgmtServer.sidecarsmap[string, struct]Optional configuration for the deployed containers.{}
glooMgmtServer.sidecars.<MAP_KEY>structOptional configuration for the deployed containers.
glooMgmtServer.sidecars.<MAP_KEY>.env[]sliceEnvironment variables for the container. For more info, see the Kubernetes documentation.
glooMgmtServer.sidecars.<MAP_KEY>.extraEnvsstructExtra environment variables for the container
glooMgmtServer.sidecars.<MAP_KEY>.imagestructContainer image.
glooMgmtServer.sidecars.<MAP_KEY>.image.pullPolicystringImage pull policy.
glooMgmtServer.sidecars.<MAP_KEY>.image.pullSecretstringImage pull secret.
glooMgmtServer.sidecars.<MAP_KEY>.image.registrystringImage registry.
glooMgmtServer.sidecars.<MAP_KEY>.image.repositorystringImage name (repository).
glooMgmtServer.sidecars.<MAP_KEY>.image.tagstringVersion tag for the container image.
glooMgmtServer.sidecars.<MAP_KEY>.resourcesstructContainer resource requirements. For more info, see the Kubernetes documentation.
glooMgmtServer.sidecars.<MAP_KEY>.securityContextstructContainer security context. Set to ‘false’ to omit the security context entirely. For more info, see the Kubernetes documentation.
glooMgmtServer.statsPortuint32Port on the management server deployment to pull stats from.9091
glooMgmtServer.verboseboolEnable verbose/debug logging.false
glooNetworkstructGloo Network configuration options.
glooNetwork.agentstructValues for the Gloo Network Agent DaemonSet.
glooNetwork.agent.bpfRootstringFile path where eBPF programs run./sys/fs/bpf
glooNetwork.agent.debugboolRun the Network agent in debug mode.false
glooNetwork.agent.fullnamestringName of the Network agent deployment.gloo-network-agent
glooNetwork.agent.imagestructValues for the Network agent image.
glooNetwork.agent.image.hubstringImage registry.us-docker.pkg.dev
glooNetwork.agent.image.pullPolicystringImage pull policy.Always
glooNetwork.agent.image.repositorystringImage name (repository).gloo-mesh/gloo-network-agent-8d33bc4d8c7a/gloo-network-agent
glooNetwork.agent.image.tagstringVersion tag for the container.0.2.3
glooNetwork.agent.resourcesstructValues for the container and init container.
glooNetwork.agent.resources.containerstructResource values for the container.
glooNetwork.agent.resources.container.limitstructMaximum amount of compute resources allowed. For more info, see the Kubernetes documentation.
glooNetwork.agent.resources.container.limit.cpustringAmount of CPU resource.300m
glooNetwork.agent.resources.container.limit.memorystringAmount of memory resource.200Mi
glooNetwork.agent.resources.container.requeststructMinimum amount of compute resources required. For more info, see the Kubernetes documentation.
glooNetwork.agent.resources.container.request.cpustringAmount of CPU resource.100m
glooNetwork.agent.resources.container.request.memorystringAmount of memory resource.200Mi
glooNetwork.agent.resources.initstructResource values for the init container.
glooNetwork.agent.resources.init.limitstructMaximum amount of compute resources allowed. For more info, see the Kubernetes documentation.
glooNetwork.agent.resources.init.limit.cpustringAmount of CPU resource.300m
glooNetwork.agent.resources.init.limit.memorystringAmount of memory resource.50Mi
glooNetwork.agent.resources.init.requeststructMinimum amount of compute resources required. For more info, see the Kubernetes documentation.
glooNetwork.agent.resources.init.request.cpustringAmount of CPU resource.100m
glooNetwork.agent.resources.init.request.memorystringAmount of memory resource.50Mi
glooNetwork.agent.revisionHistoryLimitintNumber of old ReplicaSets for the agent deployment you want to retain.10
glooNetwork.enabledboolInstall the Gloo Network-specific agent functionality only if you provided a Gloo Network license key.false
glooPortalServerstructConfiguration for the glooPortalServer deployment.
glooPortalServer.apiKeyStoragestructConfigure backend storage for API keys.
glooPortalServer.apiKeyStorage.redisstructConfiguration for using a Redis instance for authentication.
glooPortalServer.apiKeyStorage.redis.addressstringAddress to use when connecting to the Redis instance. To use the default Redis deployment, specify ‘redis.gloo-mesh.svc.cluster.local:6379’.
glooPortalServer.apiKeyStorage.redis.authstructOptional authentication values to use when connecting to the Redis instance
glooPortalServer.apiKeyStorage.redis.auth.enabledboolConnect to the Redis instance with a passwordfalse
glooPortalServer.apiKeyStorage.redis.auth.passwordKeystringThe secret key containing the password to use for authentication
glooPortalServer.apiKeyStorage.redis.auth.secretNamestringName of the k8s secret that contains the password
glooPortalServer.apiKeyStorage.redis.auth.usernameKeystringThe secret key containing the username to use for authentication
glooPortalServer.apiKeyStorage.redis.certsstructConfiguration for TLS verification when connecting to the Redis instance
glooPortalServer.apiKeyStorage.redis.certs.caCertKeystringThe secret key containing the ca cert
glooPortalServer.apiKeyStorage.redis.certs.enabledboolEnable a secure network connection to the Redis instance via TLSfalse
glooPortalServer.apiKeyStorage.redis.certs.secretNamestringName of the k8s secret that contains the certs
glooPortalServer.apiKeyStorage.redis.connectionstructOptional connection parameters
glooPortalServer.apiKeyStorage.redis.connection.connMaxIdleTimestringThe maximum amount of time a connection may be idle. Should be less than server’s timeout. Default is 30 minutes. -1 disables idle timeout check.30m
glooPortalServer.apiKeyStorage.redis.connection.connMaxLifetimestringThe maximum amount of time a connection may be reused. If <= 0, connections are not closed due to a connection’s age.0
glooPortalServer.apiKeyStorage.redis.connection.contextTimeoutEnabledboolContextTimeoutEnabled controls whether the client respects context timeouts and deadlines.false
glooPortalServer.apiKeyStorage.redis.connection.dialTimeoutstringDial timeout for establishing new connections. Default is 5 seconds.5s
glooPortalServer.apiKeyStorage.redis.connection.idleTimeoutstringDeprecated: in favor of ‘connMaxIdleTime’. Amount of time after which client closes idle connections. Should be less than server’s timeout. Default is 30 minutes. -1 disables idle timeout check.30m
glooPortalServer.apiKeyStorage.redis.connection.masterNamestringThe master name. Only needed for sentinel mode.
glooPortalServer.apiKeyStorage.redis.connection.maxConnAgestringDeprecated: in favor of using ‘connMaxLifetime’. Connection age at which client retires (closes) the connection. Default is to not close aged connections.0
glooPortalServer.apiKeyStorage.redis.connection.maxIdleConnsintMaximum number of idle connections.0
glooPortalServer.apiKeyStorage.redis.connection.maxRedirectsintThe maximum number of retries before giving up. Command is retried on network errors and MOVED/ASK redirects. Default is 3 retries.3
glooPortalServer.apiKeyStorage.redis.connection.maxRetriesintMaximum number of retries before giving up. Default is 3. -1 disables retries.3
glooPortalServer.apiKeyStorage.redis.connection.maxRetryBackoffstringMaximum backoff between each retry. Default is 512 milliseconds. -1 disables backoff.512ms
glooPortalServer.apiKeyStorage.redis.connection.minIdleConnsintMinimum number of idle connections, which is useful when establishing a new connection is slow.0
glooPortalServer.apiKeyStorage.redis.connection.minRetryBackoffstringMinimum backoff between each retry. Default is 8 milliseconds. -1 disables backoff.8ms
glooPortalServer.apiKeyStorage.redis.connection.poolFifoboolType of connection pool. true for FIFO pool. false for LIFO pool. Note that FIFO has higher overhead compared to LIFO.false
glooPortalServer.apiKeyStorage.redis.connection.poolSizeintMaximum number of socket connections. Default is 10 connections per every available CPU as reported by runtime.GOMAXPROCS.0
glooPortalServer.apiKeyStorage.redis.connection.poolTimeoutstringAmount of time client waits for connection if all connections are busy before returning an error. Default is ReadTimeout + 1 second.4s
glooPortalServer.apiKeyStorage.redis.connection.readOnlyboolEnables read-only commands on slave nodes. Default is false.false
glooPortalServer.apiKeyStorage.redis.connection.readTimeoutstringTimeout for socket reads. If reached, commands will fail with a timeout instead of blocking. Default is 3 seconds. -1 disables timeout. 0 uses the default value.3s
glooPortalServer.apiKeyStorage.redis.connection.routeByLatencyboolAllows routing read-only commands to the closest master or slave node. It automatically enables ReadOnly.false
glooPortalServer.apiKeyStorage.redis.connection.routeRandomlyboolAllows routing read-only commands to a random master or slave node. It automatically enables ReadOnly.false
glooPortalServer.apiKeyStorage.redis.connection.writeTimeoutstringTimeout for socket writes. If reached, commands will fail with a timeout instead of blocking. Default is ReadTimeout.3s
glooPortalServer.apiKeyStorage.redis.dbintDB to connect to0
glooPortalServer.apiKeyStorage.secretKeystringThe string value that you want to use to hash API keys before they are stored in the backing database.change this
glooPortalServer.apiKeyStorage.typestringBackend storage for API keys. Currently, redis is supported.redis
glooPortalServer.deploymentOverridesstructArbitrary overrides for the component’s deployment template.
glooPortalServer.devModeboolSet to true to enable development mode for the logger, which can cause panics. Do not use in production.false
glooPortalServer.enabledboolDeploy the Portal server for Gloo Platform Portal to the cluster.false
glooPortalServer.enabledboolEnable creation of the deployment/service.true
glooPortalServer.env[]sliceEnvironment variables for the container. For more info, see the Kubernetes documentation.[{"name":"POD_NAMESPACE","valueFrom":{"fieldRef":{"fieldPath":"metadata.namespace"}}},{"name":"APIKEY_STORAGE_SECRET_KEY","valueFrom":{"secretKeyRef":{"name":"portal-storage-secret-key","key":"key"}}},{"name":"REDIS_USERNAME","valueFrom":{"secretKeyRef":{"name":"portal-redis-credentials","key":"username","optional":true}}},{"name":"REDIS_PASSWORD","valueFrom":{"secretKeyRef":{"name":"portal-redis-credentials","key":"password","optional":true}}}]
glooPortalServer.extraEnvsstructExtra environment variables for the container
glooPortalServer.floatingUserIdboolAllow the pod to be assigned a dynamic user ID. Required for OpenShift installations.false
glooPortalServer.imagestructContainer image.
glooPortalServer.image.pullPolicystringImage pull policy.IfNotPresent
glooPortalServer.image.pullSecretstringImage pull secret.
glooPortalServer.image.registrystringImage registry.gcr.io/gloo-mesh
glooPortalServer.image.repositorystringImage name (repository).gloo-mesh-portal-server
glooPortalServer.image.tagstringVersion tag for the container image.
glooPortalServer.portsmap[string, uint32]Service ports as a map from port name to port number.{"http":8080}
glooPortalServer.ports.<MAP_KEY>uint32Service ports as a map from port name to port number.
glooPortalServer.ports.httpuint32Service ports as a map from port name to port number.8080
glooPortalServer.resourcesstructContainer resource requirements. For more info, see the Kubernetes documentation.{"requests":{"cpu":"50m","memory":"128Mi"}}
glooPortalServer.runAsUseruint32Static user ID to run the containers as. Unused if floatingUserId is ‘true’.10101
glooPortalServer.securityContextstructContainer security context. Set to ‘false’ to omit the security context entirely. For more info, see the Kubernetes documentation.
glooPortalServer.serviceOverridesstructArbitrary overrides for the component’s service template.
glooPortalServer.serviceTypestringKubernetes service type. Can be either “ClusterIP”, “NodePort”, “LoadBalancer”, or “ExternalName”.ClusterIP
glooPortalServer.sidecarsmap[string, struct]Optional configuration for the deployed containers.{}
glooPortalServer.sidecars.<MAP_KEY>structOptional configuration for the deployed containers.
glooPortalServer.sidecars.<MAP_KEY>.env[]sliceEnvironment variables for the container. For more info, see the Kubernetes documentation.
glooPortalServer.sidecars.<MAP_KEY>.extraEnvsstructExtra environment variables for the container
glooPortalServer.sidecars.<MAP_KEY>.imagestructContainer image.
glooPortalServer.sidecars.<MAP_KEY>.image.pullPolicystringImage pull policy.
glooPortalServer.sidecars.<MAP_KEY>.image.pullSecretstringImage pull secret.
glooPortalServer.sidecars.<MAP_KEY>.image.registrystringImage registry.
glooPortalServer.sidecars.<MAP_KEY>.image.repositorystringImage name (repository).
glooPortalServer.sidecars.<MAP_KEY>.image.tagstringVersion tag for the container image.
glooPortalServer.sidecars.<MAP_KEY>.resourcesstructContainer resource requirements. For more info, see the Kubernetes documentation.
glooPortalServer.sidecars.<MAP_KEY>.securityContextstructContainer security context. Set to ‘false’ to omit the security context entirely. For more info, see the Kubernetes documentation.
glooPortalServer.verboseboolEnable verbose/debug logging.false
glooSpireServerstructConfiguration for the glooSpireServer deployment.
glooSpireServer.controllerstructSidecar controller configuration.
glooSpireServer.controller.leaderElectionboolEnable leader election for the controller. Enabling this will ensure there is only one active controller.true
glooSpireServer.controller.verboseboolEnable verbose/debug logging.true
glooSpireServer.deploymentOverridesstructArbitrary overrides for the component’s deployment template.
glooSpireServer.enabledboolEnable SPIRE server component.false
glooSpireServer.enabledboolEnable creation of the deployment/service.true
glooSpireServer.env[]sliceEnvironment variables for the container. For more info, see the Kubernetes documentation.[{"name":"POD_NAMESPACE","valueFrom":{"fieldRef":{"fieldPath":"metadata.namespace"}}}]
glooSpireServer.extraEnvsstructExtra environment variables for the container
glooSpireServer.floatingUserIdboolAllow the pod to be assigned a dynamic user ID. Required for OpenShift installations.false
glooSpireServer.imagestructContainer image.
glooSpireServer.image.pullPolicystringImage pull policy.IfNotPresent
glooSpireServer.image.pullSecretstringImage pull secret.
glooSpireServer.image.registrystringImage registry.ghcr.io/spiffe
glooSpireServer.image.repositorystringImage name (repository).spire-server
glooSpireServer.image.tagstringVersion tag for the container image.
glooSpireServer.pluginsstructPlugins configuration.
glooSpireServer.plugins.datastorestructDatastore configuration
glooSpireServer.plugins.datastore.connectionStringstringConnection string for the database./run/spire/data/datastore.sqlite3
glooSpireServer.plugins.datastore.databaseTypestringDatabase type: postgres, mysql, or sqlite3.sqlite3
glooSpireServer.plugins.nodeAttestorstructNode attestor configuration
glooSpireServer.plugins.nodeAttestor.awsstructAWS node attestor configuration.
glooSpireServer.plugins.nodeAttestor.aws.accessKeyIdstringAWS access key ID for long term credentials. Defaults to AWS_ACCESS_KEY_ID environment variable.
glooSpireServer.plugins.nodeAttestor.aws.assumeRolestringThe ARN of the role to assume when making AWS API calls.
glooSpireServer.plugins.nodeAttestor.aws.disableInstanceProfileSelectorsboolDisables retrieving the attesting instance profile information that is used in the selectors. Useful in cases where the server cannot reach iam.amazonaws.com. Defaults to false.false
glooSpireServer.plugins.nodeAttestor.aws.enabledboolEnables the AWS node attestor. Defaults to false.false
glooSpireServer.plugins.nodeAttestor.aws.secretAccessKeystringAWS secret access key for long term credentials. Defaults to AWS_SECRET_ACCESS_KEY environment variable.
glooSpireServer.plugins.nodeAttestor.aws.skipBlockDeviceboolSkip anti-tampering mechanism which checks to make sure that the underlying root volume has not been detached prior to attestation. Defaults to false.false
glooSpireServer.plugins.nodeAttestor.gcpstructGCP node attestor configuration.
glooSpireServer.plugins.nodeAttestor.gcp.allowedLabelKeys[][]stringList of instance label keys that are allowed to be used in selectors.null
glooSpireServer.plugins.nodeAttestor.gcp.allowedMetadataKeys[][]stringList of instance metadata keys that are allowed to be used in selectors.null
glooSpireServer.plugins.nodeAttestor.gcp.allowedProjectIds[][]stringList of Project IDs from which nodes can be attested.null
glooSpireServer.plugins.nodeAttestor.gcp.enabledboolEnables the GCP node attestor. Defaults to false.false
glooSpireServer.plugins.nodeAttestor.gcp.maxMetadataValueSizeuint16Maximum instance metadata value size considered by the node attestor. Defaults to 128 KiB.128
glooSpireServer.plugins.nodeAttestor.gcp.useInstanceMetadataboolIf true, instance metadata is fetched from the Google Compute Engine API and used to augment the node selectors produced by the node attestor. Defaults to true.true
glooSpireServer.plugins.upstreamAuthoritystructUpstream authority configuration
glooSpireServer.plugins.upstreamAuthority.certManagerstructUpstream authority cert-manager configuration.
glooSpireServer.plugins.upstreamAuthority.certManager.enabledboolEnables the cert-manager upstream authority plugin. Defaults to false.false
glooSpireServer.plugins.upstreamAuthority.certManager.issuerGroupstringThe group of the issuer to reference in CertificateRequests. Defaults to ‘cert-manager.io’ if empty.cert-manager.io
glooSpireServer.plugins.upstreamAuthority.certManager.issuerKindstringThe kind of the issuer to reference in CertificateRequests. Defaults to ‘Issuer’ if empty.Issuer
glooSpireServer.plugins.upstreamAuthority.certManager.issuerNamestringThe name of the issuer to reference in CertificateRequests.
glooSpireServer.plugins.upstreamAuthority.certManager.namespacestringThe namespace to create CertificateRequests for signing.
glooSpireServer.plugins.upstreamAuthority.diskstructUpstream authority disk configuration.
glooSpireServer.plugins.upstreamAuthority.disk.bundleFilePathstringPath to the PEM encoded upstream authority root certificate file. If SPIRE is using self-signed CA, this can be left unset./run/spire/certs/root-cert.pem
glooSpireServer.plugins.upstreamAuthority.disk.certFilePathstringPath to the PEM encoded upstream authority certificate file./run/spire/certs/cert-chain.pem
glooSpireServer.plugins.upstreamAuthority.disk.enabledboolEnables the disk upstream authority plugin. Defaults to true.true
glooSpireServer.plugins.upstreamAuthority.disk.keyFilePathstringPath to the PEM encoded upstream authority key file./run/spire/certs/ca-key.pem
glooSpireServer.portsmap[string, uint32]Service ports as a map from port name to port number.{"api":8081}
glooSpireServer.ports.<MAP_KEY>uint32Service ports as a map from port name to port number.
glooSpireServer.ports.apiuint32Service ports as a map from port name to port number.8081
glooSpireServer.resourcesstructContainer resource requirements. For more info, see the Kubernetes documentation.{"requests":{"cpu":"50m","memory":"128Mi"}}
glooSpireServer.runAsUseruint32Static user ID to run the containers as. Unused if floatingUserId is ‘true’.10101
glooSpireServer.securityContextstructContainer security context. Set to ‘false’ to omit the security context entirely. For more info, see the Kubernetes documentation.
glooSpireServer.serverstructServer configuration.
glooSpireServer.server.agentTtlstringTTL for the SPIRE agent SVIDs specified as number and unit suffix, such as 1h for 1 hour. Defaults to 48 hours.48h
glooSpireServer.server.caTtlstringTTL for the SPIRE server CA specified as number and unit suffix, such as 87600h for 87600 hours.87600h
glooSpireServer.server.defaultX509SvidTtlstringDefault TTL for all X509 SVIDs specified as number and unit suffix, such as 1h for 1 hour. Defaults to 48 hours.48h
glooSpireServer.server.logLevelstringLog level of SPIRE server.DEBUG
glooSpireServer.server.trustDomainstringTrust domain of SPIRE server.cluster.local
glooSpireServer.serviceOverridesstructArbitrary overrides for the component’s service template.
glooSpireServer.serviceTypestringKubernetes service type. Can be either “ClusterIP”, “NodePort”, “LoadBalancer”, or “ExternalName”.ClusterIP
glooSpireServer.sidecarsmap[string, struct]Optional configuration for the deployed containers.{"glooSpireController":{"image":{"repository":"gloo-mesh-spire-controller","registry":"gcr.io/gloo-mesh","pullPolicy":"IfNotPresent"},"env":[{"name":"POD_NAMESPACE","valueFrom":{"fieldRef":{"fieldPath":"metadata.namespace"}}}],"extraEnvs":{},"resources":{"requests":{"cpu":"50m","memory":"128Mi"}}}}
glooSpireServer.sidecars.<MAP_KEY>structOptional configuration for the deployed containers.
glooSpireServer.sidecars.<MAP_KEY>.env[]sliceEnvironment variables for the container. For more info, see the Kubernetes documentation.
glooSpireServer.sidecars.<MAP_KEY>.extraEnvsstructExtra environment variables for the container
glooSpireServer.sidecars.<MAP_KEY>.imagestructContainer image.
glooSpireServer.sidecars.<MAP_KEY>.image.pullPolicystringImage pull policy.
glooSpireServer.sidecars.<MAP_KEY>.image.pullSecretstringImage pull secret.
glooSpireServer.sidecars.<MAP_KEY>.image.registrystringImage registry.
glooSpireServer.sidecars.<MAP_KEY>.image.repositorystringImage name (repository).
glooSpireServer.sidecars.<MAP_KEY>.image.tagstringVersion tag for the container image.
glooSpireServer.sidecars.<MAP_KEY>.resourcesstructContainer resource requirements. For more info, see the Kubernetes documentation.
glooSpireServer.sidecars.<MAP_KEY>.securityContextstructContainer security context. Set to ‘false’ to omit the security context entirely. For more info, see the Kubernetes documentation.
glooSpireServer.sidecars.glooSpireControllerstructOptional configuration for the deployed containers.
glooSpireServer.sidecars.glooSpireController.env[]sliceEnvironment variables for the container. For more info, see the Kubernetes documentation.[{"name":"POD_NAMESPACE","valueFrom":{"fieldRef":{"fieldPath":"metadata.namespace"}}}]
glooSpireServer.sidecars.glooSpireController.extraEnvsstructExtra environment variables for the container
glooSpireServer.sidecars.glooSpireController.imagestructContainer image.
glooSpireServer.sidecars.glooSpireController.image.pullPolicystringImage pull policy.IfNotPresent
glooSpireServer.sidecars.glooSpireController.image.pullSecretstringImage pull secret.
glooSpireServer.sidecars.glooSpireController.image.registrystringImage registry.gcr.io/gloo-mesh
glooSpireServer.sidecars.glooSpireController.image.repositorystringImage name (repository).gloo-mesh-spire-controller
glooSpireServer.sidecars.glooSpireController.image.tagstringVersion tag for the container image.
glooSpireServer.sidecars.glooSpireController.resourcesstructContainer resource requirements. For more info, see the Kubernetes documentation.{"requests":{"cpu":"50m","memory":"128Mi"}}
glooSpireServer.sidecars.glooSpireController.securityContextstructContainer security context. Set to ‘false’ to omit the security context entirely. For more info, see the Kubernetes documentation.
glooUistructConfiguration for the glooUi deployment.
glooUi.authstructConfigure authentication for the UI.
glooUi.auth.backendstringAuthentication backend to use. ‘oidc’ is supported.
glooUi.auth.enabledboolRequire authentication to access the UI.false
glooUi.auth.oidcstructSettings for the OpenID Connect (OIDC) backend. The helm values here will end up in the Dashboard CR spec.authn.oidc field.
glooUi.auth.oidc.appUrlstringURL at which the UI for the OIDC app is available, as determined by the DNS and other ingress settings that expose the OIDC app UI service.
glooUi.auth.oidc.clientIdstringOIDC client ID
glooUi.auth.oidc.clientSecretstringPlaintext OIDC client secret, which will be encoded in base64 and stored in a secret whose name is the value of ‘clientSecretName’.
glooUi.auth.oidc.clientSecretNamestringName for the secret that will contain the client secret. Defaults to ‘dashboard’
glooUi.auth.oidc.issuerUrlstringIssuer URL from the OIDC provider, such as ‘https://.<provider_url>/’.
glooUi.auth.oidc.sessionstructSession storage configuration. If omitted, a cookie is used.
glooUi.auth.oidc.session.backendstringBackend to use for auth session storage. ‘cookie’ and ‘redis’ are supported.cookie
glooUi.auth.oidc.session.redisstructRedis instance configuration.
glooUi.auth.oidc.session.redis.hoststringThe host at which the Redis instance is accessible. To use the default Redis deployment, specify ‘gloo-mesh-redis.gloo-mesh:6379’.gloo-mesh-redis.gloo-mesh:6379
glooUi.auth.requestTimeoutintRequest timeout for external auth requests in seconds.2
glooUi.deploymentOverridesstructArbitrary overrides for the component’s deployment template.
glooUi.enabledboolDeploy the gloo-mesh-ui.false
glooUi.enabledboolEnable creation of the deployment/service.true
glooUi.env[]sliceEnvironment variables for the container. For more info, see the Kubernetes documentation.[{"name":"POD_NAMESPACE","valueFrom":{"fieldRef":{"fieldPath":"metadata.namespace"}}},{"name":"LICENSE_KEY","valueFrom":{"secretKeyRef":{"name":"gloo-mesh-enterprise-license","key":"key","optional":true}}},{"name":"REDIS_USERNAME","valueFrom":{"secretKeyRef":{"name":"redis-auth-secrets","key":"username","optional":true}}},{"name":"REDIS_PASSWORD","valueFrom":{"secretKeyRef":{"name":"redis-auth-secrets","key":"password","optional":true}}},{"name":"K8S_MEM_LIMIT","valueFrom":{"resourceFieldRef":{"resource":"limits.memory","divisor":"1"}}}]
glooUi.extraEnvsstructExtra environment variables for the container
glooUi.floatingUserIdboolAllow the pod to be assigned a dynamic user ID. Required for OpenShift installations.false
glooUi.imagestructContainer image.
glooUi.image.pullPolicystringImage pull policy.IfNotPresent
glooUi.image.pullSecretstringImage pull secret.
glooUi.image.registrystringImage registry.gcr.io/gloo-mesh
glooUi.image.repositorystringImage name (repository).gloo-mesh-apiserver
glooUi.image.tagstringVersion tag for the container image.
glooUi.ipVersionstringConfigure IP version to ipv4, ipv6 or dualStack. Defaults to dualStack.dualStack
glooUi.licenseSecretNamestringProvide license keys in a secret in the adminNamespace of the management cluster, instead of in the license key fields.
glooUi.namespacedRbac[][]structScopes watches and RBAC policies for the given set of GVKs to the given set of namespaces. Currently, ‘secrets’ are the only supported resource.[{"resources":[],"namespaces":[]}]
glooUi.namespacedRbac[].namespaces[][]string
glooUi.namespacedRbac[].resources[][]string
glooUi.portsmap[string, uint32]Service ports as a map from port name to port number.{"console":8090,"grpc":10101,"healthcheck":8081}
glooUi.ports.<MAP_KEY>uint32Service ports as a map from port name to port number.
glooUi.ports.consoleuint32Service ports as a map from port name to port number.8090
glooUi.ports.grpcuint32Service ports as a map from port name to port number.10101
glooUi.ports.healthcheckuint32Service ports as a map from port name to port number.8081
glooUi.prometheusBearerTokenFilestringThe path to the file that contains the bearer token that is used by the Gloo UI to authenticate to the Prometheus server. To connect the Gloo UI to the built-in Prometheus server in OpenShift, use /var/run/secrets/kubernetes.io/serviceaccount/token. Otherwise, set this field only when you use a custom HTTPS Prometheus server.
glooUi.prometheusCAFilestringThe path to the file that contains the public CA certificate that is used by the Gloo UI to verify the Prometheus server’s certificate. To connect the Gloo UI to the built-in Prometheus server in OpenShift, use /var/run/secrets/kubernetes.io/serviceaccount/ca.crt. Otherwise, set this field only when you use a custom HTTPS Prometheus server.
glooUi.prometheusClientCertSecretNamestring(deprecated) The name of the secret that contains the Prometheus client TLS certificates used to identify the UI client to the Prometheus server. The secret must be in the same namespace as the gloo-mesh-ui pod. Set this field only when you use a custom HTTPS Prometheus server.
glooUi.prometheusSkipTLSVerifyboolSet this field to true to disable verification of the Prometheus server TLS certificate. Set this field only when you use a custom HTTPS Prometheus server.false
glooUi.prometheusUrlstringThe address for the Prometheus server. If you want to connect the Gloo UI to the built-in Prometheus server in OpenShift, use https://thanos-querier.openshift-monitoring.svc:9091.
glooUi.readOnlyGeneratedResourcesboolIf true, the deployment only reads Istio resource outputs that are created by Gloo Platform, and filters out Istio resource fields that Gloo Mesh cannot properly unmarshal. These other resource outputs are not visible in the Gloo UI.false
glooUi.resourcesstructContainer resource requirements. For more info, see the Kubernetes documentation.{"requests":{"cpu":"125m","memory":"256Mi"}}
glooUi.runAsUseruint32Static user ID to run the containers as. Unused if floatingUserId is ‘true’.10101
glooUi.securityContextstructContainer security context. Set to ‘false’ to omit the security context entirely. For more info, see the Kubernetes documentation.
glooUi.serviceOverridesstructArbitrary overrides for the component’s service template.
glooUi.serviceTypestringKubernetes service type. Can be either “ClusterIP”, “NodePort”, “LoadBalancer”, or “ExternalName”.ClusterIP
glooUi.settingsNamestringName of the UI settings object to use.settings
glooUi.sidecarsmap[string, struct]Optional configuration for the deployed containers.{"console":{"image":{"repository":"gloo-mesh-ui","registry":"gcr.io/gloo-mesh","pullPolicy":"IfNotPresent"},"env":null,"extraEnvs":{},"resources":{"requests":{"cpu":"125m","memory":"256Mi"}}},"envoy":{"image":{"repository":"gloo-mesh-envoy","registry":"gcr.io/gloo-mesh","pullPolicy":"IfNotPresent"},"env":[{"name":"ENVOY_UID","value":"0"}],"extraEnvs":{},"resources":{"requests":{"cpu":"500m","memory":"256Mi"}}}}
glooUi.sidecars.<MAP_KEY>structOptional configuration for the deployed containers.
glooUi.sidecars.<MAP_KEY>.env[]sliceEnvironment variables for the container. For more info, see the Kubernetes documentation.
glooUi.sidecars.<MAP_KEY>.extraEnvsstructExtra environment variables for the container
glooUi.sidecars.<MAP_KEY>.imagestructContainer image.
glooUi.sidecars.<MAP_KEY>.image.pullPolicystringImage pull policy.
glooUi.sidecars.<MAP_KEY>.image.pullSecretstringImage pull secret.
glooUi.sidecars.<MAP_KEY>.image.registrystringImage registry.
glooUi.sidecars.<MAP_KEY>.image.repositorystringImage name (repository).
glooUi.sidecars.<MAP_KEY>.image.tagstringVersion tag for the container image.
glooUi.sidecars.<MAP_KEY>.resourcesstructContainer resource requirements. For more info, see the Kubernetes documentation.
glooUi.sidecars.<MAP_KEY>.securityContextstructContainer security context. Set to ‘false’ to omit the security context entirely. For more info, see the Kubernetes documentation.
glooUi.sidecars.consolestructOptional configuration for the deployed containers.
glooUi.sidecars.console.env[]sliceEnvironment variables for the container. For more info, see the Kubernetes documentation.null
glooUi.sidecars.console.extraEnvsstructExtra environment variables for the container
glooUi.sidecars.console.imagestructContainer image.
glooUi.sidecars.console.image.pullPolicystringImage pull policy.IfNotPresent
glooUi.sidecars.console.image.pullSecretstringImage pull secret.
glooUi.sidecars.console.image.registrystringImage registry.gcr.io/gloo-mesh
glooUi.sidecars.console.image.repositorystringImage name (repository).gloo-mesh-ui
glooUi.sidecars.console.image.tagstringVersion tag for the container image.
glooUi.sidecars.console.resourcesstructContainer resource requirements. For more info, see the Kubernetes documentation.{"requests":{"cpu":"125m","memory":"256Mi"}}
glooUi.sidecars.console.securityContextstructContainer security context. Set to ‘false’ to omit the security context entirely. For more info, see the Kubernetes documentation.
glooUi.sidecars.envoystructOptional configuration for the deployed containers.
glooUi.sidecars.envoy.env[]sliceEnvironment variables for the container. For more info, see the Kubernetes documentation.[{"name":"ENVOY_UID","value":"0"}]
glooUi.sidecars.envoy.extraEnvsstructExtra environment variables for the container
glooUi.sidecars.envoy.imagestructContainer image.
glooUi.sidecars.envoy.image.pullPolicystringImage pull policy.IfNotPresent
glooUi.sidecars.envoy.image.pullSecretstringImage pull secret.
glooUi.sidecars.envoy.image.registrystringImage registry.gcr.io/gloo-mesh
glooUi.sidecars.envoy.image.repositorystringImage name (repository).gloo-mesh-envoy
glooUi.sidecars.envoy.image.tagstringVersion tag for the container image.
glooUi.sidecars.envoy.resourcesstructContainer resource requirements. For more info, see the Kubernetes documentation.{"requests":{"cpu":"500m","memory":"256Mi"}}
glooUi.sidecars.envoy.securityContextstructContainer security context. Set to ‘false’ to omit the security context entirely. For more info, see the Kubernetes documentation.
glooUi.tracingstructConfigure the tracing page for the UI if the default jaeger tracing UI is not being used.
glooUi.tracing.basePathstringBase path the tracing UI expects to be rendered on.
glooUi.tracing.endpointstringEndpoint of the tracing UI that will be embedded on the tracing page.
glooUi.tracing.portint32Port of the tracing UI that will be embedded on the tracing page.0
glooUi.verboseboolEnable verbose/debug logging.false
istioInstallationsstructConfiguration for deploying managed Istio control plane and gateway installations by using the Istio lifecycle manager.
istioInstallations.controlPlanestructConfiguration for the managed Istio control plane instance.
istioInstallations.controlPlane.enabledboolInstall the managed Istio control plane instance in the cluster.true
istioInstallations.controlPlane.installations[][]structList of Istio control plane installations.[{"revision":"auto","clusters":null,"istioOperatorSpec":{}}]
istioInstallations.controlPlane.installations[].clusters[][]ptrClusters to install the Istio control planes in.
istioInstallations.controlPlane.installations[].clusters[].defaultRevisionboolWhen set to true, the installation for this revision is applied as the active Istio installation in the cluster. Resources with the ‘istio-injection=true’ label entry use this revision. You might change this setting for Istio installations during a canary upgrade. For more info, see the upgrade docs.
istioInstallations.controlPlane.installations[].clusters[].namestringName of the cluster to install Istio into. Must match the registered cluster name.
istioInstallations.controlPlane.installations[].clusters[].trustDomainstringTrust domain value for this cluster’s Istio installation mesh config. Defaults to the cluster’s name.
istioInstallations.controlPlane.installations[].istioOperatorSpecstructIstioOperator specification for the control plane. For more info, see the IstioOperatorSpec reference.
istioInstallations.controlPlane.installations[].revisionstringIstio revision for this installation, such as ‘1-18’. Label workload resources with ‘istio.io/rev=$REVISION’ to use this installation. Defaults to ‘AUTO’, which installs the default supported version of the Solo distribution of Istio.
istioInstallations.eastWestGateways[][]structConfiguration for the managed east-west gateway.null
istioInstallations.eastWestGateways[].enabledboolInstall the gateway in the cluster.
istioInstallations.eastWestGateways[].installations[][]structList of Istio gateway installations. For more info, see the GatewayInstallation reference.
istioInstallations.eastWestGateways[].installations[].clusters[][]ptrClusters to install the gateway in.
istioInstallations.eastWestGateways[].installations[].clusters[].activeGatewayboolWhen set to true, the installation for this revision is applied as the active gateway through which primary service traffic is routed in the cluster. If the istioOperatorSpec defines a service, this field switches the service selectors to the revision specified in the gatewayRevision. You might change this setting for gateway installations during a canary upgrade. For more info, see the upgrade docs.
istioInstallations.eastWestGateways[].installations[].clusters[].namestringName of the cluster to install the gateway into. Must match the registered cluster name.
istioInstallations.eastWestGateways[].installations[].clusters[].trustDomainstringTrust domain value for this cluster’s Istio installation mesh config. Defaults to the cluster’s name.
istioInstallations.eastWestGateways[].installations[].controlPlaneRevisionstringOptional: The revision of an Istio control plane in the cluster that this gateway should also use. If a control plane installation of this revision is not found, no gateway is created.
istioInstallations.eastWestGateways[].installations[].gatewayRevisionstringIstio revision for this installation, such as ‘1-18’. Defaults to ‘AUTO’, which installs the default supported version of the Solo distribution of Istio.
istioInstallations.eastWestGateways[].installations[].istioOperatorSpecstructIstioOperator specification for the gateway. For more info, see the IstioOperatorSpec reference.
istioInstallations.eastWestGateways[].namestringName of the gateway. Must be unique.
istioInstallations.enabledboolEnable managed Istio installations.false
istioInstallations.northSouthGateways[][]structConfiguration for the managed north-south (ingress) gateway. Requires a Gloo Gateway license.[{“name”:“istio-ingressgateway”,“enabled”:true,“installations”:[{“gatewayRevision”:“auto”,“clusters”:null,“istioOperatorSpec”:{}}]}]
istioInstallations.northSouthGateways[].enabledboolInstall the gateway in the cluster.
istioInstallations.northSouthGateways[].installations[][]structList of Istio gateway installations. For more info, see the GatewayInstallation reference.
istioInstallations.northSouthGateways[].installations[].clusters[][]ptrClusters to install the gateway in.
istioInstallations.northSouthGateways[].installations[].clusters[].activeGatewayboolWhen set to true, the installation for this revision is applied as the active gateway through which primary service traffic is routed in the cluster. If the istioOperatorSpec defines a service, this field switches the service selectors to the revision specified in the gatewayRevision. You might change this setting for gateway installations during a canary upgrade. For more info, see the upgrade docs.
istioInstallations.northSouthGateways[].installations[].clusters[].namestringName of the cluster to install the gateway into. Must match the registered cluster name.
istioInstallations.northSouthGateways[].installations[].clusters[].trustDomainstringTrust domain value for this cluster’s Istio installation mesh config. Defaults to the cluster’s name.
istioInstallations.northSouthGateways[].installations[].controlPlaneRevisionstringOptional: The revision of an Istio control plane in the cluster that this gateway should also use. If a control plane installation of this revision is not found, no gateway is created.
istioInstallations.northSouthGateways[].installations[].gatewayRevisionstringIstio revision for this installation, such as ‘1-18’. Defaults to ‘AUTO’, which installs the default supported version of the Solo distribution of Istio.
istioInstallations.northSouthGateways[].installations[].istioOperatorSpecstructIstioOperator specification for the gateway. For more info, see the IstioOperatorSpec reference.
istioInstallations.northSouthGateways[].namestringName of the gateway. Must be unique.
jaegerstructConfiguration for the Gloo Platform Jaeger instance. See the Jaeger Helm chart for the complete set of values.
jaeger.agentmap[string, interface]{“enabled”:false}
jaeger.agent.<MAP_KEY>interface
jaeger.agent.enabledinterface
jaeger.allInOnemap[string, interface]{“args”:["--query.base-path=/tracing-ui"],“enabled”:true,“extraEnv”:[{“name”:“MEMORY_MAX_TRACES”,“value”:“3000”}]}
jaeger.allInOne.<MAP_KEY>interface
jaeger.allInOne.argsinterface
jaeger.allInOne.enabledinterface
jaeger.allInOne.extraEnvinterface
jaeger.collectormap[string, interface]{“enabled”:false}
jaeger.collector.<MAP_KEY>interface
jaeger.collector.enabledinterface
jaeger.enabledboolEnable installation of Jaeger sub-chart. For demo purposes only.false
jaeger.fullnameOverridestringgloo-jaeger
jaeger.provisionDataStoremap[string, interface]{“cassandra”:false,“elasticsearch”:false,“kafka”:false}
jaeger.provisionDataStore.<MAP_KEY>interface
jaeger.provisionDataStore.cassandrainterface
jaeger.provisionDataStore.elasticsearchinterface
jaeger.provisionDataStore.kafkainterface
jaeger.querymap[string, interface]{“enabled”:false}
jaeger.query.<MAP_KEY>interface
jaeger.query.enabledinterface
jaeger.storagemap[string, interface]{“type”:“memory”}
jaeger.storage.<MAP_KEY>interface
jaeger.storage.typeinterface
legacyMetricsPipelinestructConfiguration for the legacy metrics pipeline, which is unsupported in Gloo Platform version 2.4 and later.
legacyMetricsPipeline.enabledboolSet to false to disable the legacy telemetry pipeline.false
licensingstructGloo Platform product licenses.
licensing.glooGatewayLicenseKeystringGloo Gateway license key.
licensing.glooMeshLicenseKeystringGloo Mesh Enterprise license key.
licensing.glooNetworkLicenseKeystringGloo Network license key.
licensing.glooTrialLicenseKeystringGloo trial license key, for a trial installation of all products.
licensing.licenseKeystringDeprecated: Legacy Gloo Mesh Enterprise license key. Use individual product license fields, the trial license field, or a license secret instead.
licensing.licenseSecretNamestringProvide license keys in a secret in the adminNamespace of the management cluster, instead of in the license key fields.license-keys
postgresqlstructConfiguration for PostgreSQL. See the Bitnami Postgresql Helm chart for the complete set of values.
postgresql.enabledboolWhether to enable the PostgreSQL dependency.false
postgresql.fullnameOverridestringOverride the full name of PostgreSQL componentspostgresql
prometheusmapHelm values for configuring Prometheus. See the Prometheus Helm chart for the complete set of values.
rateLimiterstructConfiguration for the Gloo rate limiting service.
rateLimiter.enabledboolEnable the Gloo rate limiting service.false
rateLimiter.extraLabelsmap[string, string]Extra key-value pairs to add to the labels data of the rate limiter deployment.null
rateLimiter.extraLabels.<MAP_KEY>stringExtra key-value pairs to add to the labels data of the rate limiter deployment.
rateLimiter.extraTemplateAnnotationsmap[string, string]Extra annotations to add to the rate limiter service pods.{“proxy.istio.io/config”:"{ "holdApplicationUntilProxyStarts": true }"}
rateLimiter.extraTemplateAnnotations.<MAP_KEY>stringExtra annotations to add to the rate limiter service pods.
rateLimiter.extraTemplateAnnotations.proxy.istio.io/configstringExtra annotations to add to the rate limiter service pods.{ “holdApplicationUntilProxyStarts”: true }
rateLimiter.rateLimiterstructConfiguration for the rate limiter.
rateLimiter.rateLimiter.imagestructValues for the rate limiter image.
rateLimiter.rateLimiter.image.pullPolicystringImage pull policy.IfNotPresent
rateLimiter.rateLimiter.image.registrystringImage registry.gcr.io/gloo-mesh
rateLimiter.rateLimiter.image.repositorystringImage name (repository).rate-limiter
rateLimiter.rateLimiter.image.tagstringVersion tag for the container.0.10.6
rateLimiter.rateLimiter.installClusterRolesboolIf true, use ClusterRoles. If false, use Roles.true
rateLimiter.rateLimiter.logLevelstringSeverity level to collect logs for.INFO
rateLimiter.rateLimiter.portsstructPorts for the rate limiter service.
rateLimiter.rateLimiter.ports.debuguint32Port on the rate limiter to pull logs from.9091
rateLimiter.rateLimiter.ports.grpcuint32Port the rate limiter listens on for gRPC requests.8083
rateLimiter.rateLimiter.ports.readyuint32Port the rate limiter listens on for readiness checks.8084
rateLimiter.rateLimiter.readyPathstringPath for readiness checks./ready
rateLimiter.rateLimiter.resourcesstructValues for the container resource requests.
rateLimiter.rateLimiter.resources.requestsstructMinimum amount of compute resources required. For more info, see the Kubernetes documentation.
rateLimiter.rateLimiter.resources.requests.cpustringAmount of CPU resource.125m
rateLimiter.rateLimiter.resources.requests.memorystringAmount of memory resource.256Mi
rateLimiter.rateLimiter.servicestructConfiguration for the deployed rate limiter service.
rateLimiter.rateLimiter.service.annotationsmap[string, string]Kubernetes service annotations.{}
rateLimiter.rateLimiter.service.annotations.<MAP_KEY>stringKubernetes service annotations.
rateLimiter.rateLimiter.watchNamespacestringNamespaces to watch in your cluster. If omitted or empty, all namespaces are watched.
rateLimiter.redisstructConfiguration for using a Redis instance for authentication.
rateLimiter.redis.authstructValues for the authentication details.
rateLimiter.redis.auth.enabledboolUse the default Redis instance for authentication.false
rateLimiter.redis.auth.passwordKeystringKey that contains the password.redis-password
rateLimiter.redis.auth.secretNamestringName of the secret that contains the username and password.redis-secrets
rateLimiter.redis.auth.usernameKeystringKey that contains the username. If Redis doesn’t have an explicit username, specify ‘default’.redis-username
rateLimiter.redis.certsstructProvide a CA cert for the rate limiter and Redis instance (if enabled) to use.
rateLimiter.redis.certs.caCertstringFile name that contains the CA cert.redis.crt
rateLimiter.redis.certs.enabledboolEnable the rate limiter and Redis instance (if enabled) to use the CA cert you provide.false
rateLimiter.redis.certs.mountPointstringMount path for the certs./etc/tls
rateLimiter.redis.certs.secretNamestringName of the secret for the CA cert.redis-certs-keys
rateLimiter.redis.certs.signingKeystringFile name that contains the signing key. Only relevant for the Redis instance.redis.key
rateLimiter.redis.clusteredboolSet to true if your Redis instance runs in clustered mode.false
rateLimiter.redis.enabledboolInstall the default Redis instance.true
rateLimiter.redis.floatingUserIdboolSet to true to use a floating user ID.false
rateLimiter.redis.hostnamestringHostname clients use to connect to the Redis instance.redis
rateLimiter.redis.imagestructValues for the Redis image.
rateLimiter.redis.image.pullPolicystringImage pull policy.IfNotPresent
rateLimiter.redis.image.registrystringImage registry.docker.io
rateLimiter.redis.image.repositorystringImage name (repository).redis
rateLimiter.redis.image.tagstringVersion tag for the container.7.2.4-alpine
rateLimiter.redis.resourcesstructValues for the container resource requests.
rateLimiter.redis.resources.requestsstructMinimum amount of compute resources required. For more info, see the Kubernetes documentation.
rateLimiter.redis.resources.requests.cpustringAmount of CPU resource.125m
rateLimiter.redis.resources.requests.memorystringAmount of memory resource.256Mi
rateLimiter.redis.runAsUserintUser ID to run Redis as.999
rateLimiter.redis.servicestructValues for the Redis service.
rateLimiter.redis.service.dbintSelect the Redis logical database having the specified zero-based numeric index.0
rateLimiter.redis.service.namestringName for the Redis service.redis
rateLimiter.redis.service.portintPort for the Redis service.6379
rateLimiter.redis.service.socketstring‘unix’, ‘tcp’, or ‘tls’ are supported.tcp
redisstructRedis configuration options.
redis.addressstringAddress to use when connecting to the Redis instance. To use the default Redis deployment, specify ‘redis.gloo-mesh.svc.cluster.local:6379’.gloo-mesh-redis.gloo-mesh:6379
redis.authstructOptional authentication values to use when connecting to the Redis instance.
redis.auth.enabledboolConnect to the Redis instance with a password.false
redis.auth.passwordKeystringThe secret key containing the password to use for authentication.password
redis.auth.secretNamestringName of the k8s secret that contains the password.redis-auth-secrets
redis.auth.usernameKeystringThe secret key containing the username to use for authentication.username
redis.certsstructConfiguration for TLS verification when connecting to the Redis instance.
redis.certs.caCertKeystringThe secret key containing the CA cert.
redis.certs.enabledboolEnable a secure network connection to the Redis instance via TLS.false
redis.certs.secretNamestringName of the k8s secret that contains the certs.redis-certs
redis.connectionstructOptional connection parameters.
redis.connection.connMaxIdleTimestringThe maximum amount of time a connection may be idle. Should be less than server’s timeout. Default is 30 minutes. -1 disables idle timeout check.5m0s
redis.connection.connMaxLifetimestringThe maximum amount of time a connection may be reused. If <= 0, connections are not closed due to a connection’s age.0
redis.connection.contextTimeoutEnabledboolContextTimeoutEnabled controls whether the client respects context timeouts and deadlines.false
redis.connection.dialTimeoutstringDial timeout for establishing new connections. Default is 5 seconds.5s
redis.connection.idleTimeoutstringDeprecated: in favor of ‘connMaxIdleTime’. Amount of time after which client closes idle connections. Should be less than server’s timeout. Default is 30 minutes. -1 disables idle timeout check.5m0s
redis.connection.masterNamestringThe master name. Only needed for sentinel mode.
redis.connection.maxConnAgestringDeprecated: in favor of using ‘connMaxLifetime’. Connection age at which client retires (closes) the connection. Default is to not close aged connections.0
redis.connection.maxIdleConnsintMaximum number of idle connections.0
redis.connection.maxRedirectsintThe maximum number of retries before giving up. Command is retried on network errors and MOVED/ASK redirects. Default is 3 retries.3
redis.connection.maxRetriesintMaximum number of retries before giving up. Default is 3. -1 disables retries.3
redis.connection.maxRetryBackoffstringMaximum backoff between each retry. Default is 512 milliseconds. -1 disables backoff.512ms
redis.connection.minIdleConnsintMinimum number of idle connections which is useful when establishing new connection is slow.0
redis.connection.minRetryBackoffstringMinimum backoff between each retry. Default is 8 milliseconds. -1 disables backoff.8ms
redis.connection.poolFifoboolType of connection pool. true for FIFO pool. false for LIFO pool. Note that FIFO has higher overhead compared to LIFO.false
redis.connection.poolSizeintMaximum number of socket connections. Default is 10 connections per every available CPU as reported by runtime.GOMAXPROCS.0
redis.connection.poolTimeoutstringAmount of time client waits for connection if all connections are busy before returning an error. Default is ReadTimeout + 1 second.
redis.connection.readOnlyboolEnables read-only commands on slave nodes. Default is false.false
redis.connection.readTimeoutstringTimeout for socket reads. If reached, commands will fail with a timeout instead of blocking. Default is 3 seconds. -1 disables timeout. 0 uses the default value.3s
redis.connection.routeByLatencyboolAllows routing read-only commands to the closest master or slave node. It automatically enables ReadOnly.false
redis.connection.routeRandomlyboolAllows routing read-only commands to the random master or slave node. It automatically enables ReadOnly.false
redis.connection.writeTimeoutstringTimeout for socket writes. If reached, commands will fail with a timeout instead of blocking. Default is ReadTimeout.3s
redis.dbintDB to connect to.0
redis.deploymentstruct
redis.deploymentstructConfiguration for the Redis deployment.
redis.deployment.addrstringDeprecated: Use ‘redis.address’ instead.
redis.deployment.deploymentOverridesstructArbitrary overrides for the component’s deployment template.
redis.deployment.enabledboolDeploy the default Redis instance.true
redis.deployment.enabledboolEnable creation of the deployment/service.true
redis.deployment.env[]sliceEnvironment variables for the container. For more info, see the Kubernetes documentation.[{“name”:“MASTER”,“value”:“true”}]
redis.deployment.extraEnvsstructExtra environment variables for the container.
redis.deployment.floatingUserIdboolAllow the pod to be assigned a dynamic user ID. Required for OpenShift installations.false
redis.deployment.floatingUserIdboolSet to true to use a floating user ID.false
redis.deployment.imagestructContainer image.
redis.deployment.image.pullPolicystringImage pull policy.IfNotPresent
redis.deployment.image.pullSecretstringImage pull secret.
redis.deployment.image.registrystringImage registry.docker.io
redis.deployment.image.repositorystringImage name (repository).redis
redis.deployment.image.tagstringVersion tag for the container image.
redis.deployment.ioThreadsintThe number of I/O threads to use. Use this setting to allocate threads dedicated to performing I/O tasks to maximize overall Redis performance. The minimum valid value for this setting is 1. When you change this setting, make sure to also change the CPU requests and CPU limits for the Redis pod to one CPU core per I/O thread. See https://github.com/redis/redis/blob/7.2/redis.conf for more details.1
redis.deployment.portsmap[string, uint32]Service ports as a map from port name to port number.{“redis”:6379}
redis.deployment.ports.<MAP_KEY>uint32Service ports as a map from port name to port number.
redis.deployment.ports.redisuint32Service ports as a map from port name to port number.6379
redis.deployment.resourcesstructContainer resource requirements. For more info, see the Kubernetes documentation.{“requests”:{“cpu”:“125m”,“memory”:“256Mi”}}
redis.deployment.runAsUseruint32Static user ID to run the containers as. Unused if floatingUserId is ‘true’.10101
redis.deployment.runAsUserintUser ID to run Redis as.999
redis.deployment.securityContextstructContainer security context. Set to ‘false’ to omit the security context entirely. For more info, see the Kubernetes documentation.{“capabilities”:{“drop”:[“ALL”]},“runAsUser”:999,“runAsNonRoot”:true,“readOnlyRootFilesystem”:true,“allowPrivilegeEscalation”:false}
redis.deployment.serviceOverridesstructArbitrary overrides for the component’s service template.
redis.deployment.serviceTypestringKubernetes service type. Can be either “ClusterIP”, “NodePort”, “LoadBalancer”, or “ExternalName”.ClusterIP
redis.deployment.sidecarsmap[string, struct]Optional configuration for the deployed containers.{}
redis.deployment.sidecars.<MAP_KEY>structOptional configuration for the deployed containers.
redis.deployment.sidecars.<MAP_KEY>.env[]sliceEnvironment variables for the container. For more info, see the Kubernetes documentation.
redis.deployment.sidecars.<MAP_KEY>.extraEnvsstructExtra environment variables for the container.
redis.deployment.sidecars.<MAP_KEY>.imagestructContainer image.
redis.deployment.sidecars.<MAP_KEY>.image.pullPolicystringImage pull policy.
redis.deployment.sidecars.<MAP_KEY>.image.pullSecretstringImage pull secret.
redis.deployment.sidecars.<MAP_KEY>.image.registrystringImage registry.
redis.deployment.sidecars.<MAP_KEY>.image.repositorystringImage name (repository).
redis.deployment.sidecars.<MAP_KEY>.image.tagstringVersion tag for the container image.
redis.deployment.sidecars.<MAP_KEY>.resourcesstructContainer resource requirements. For more info, see the Kubernetes documentation.
redis.deployment.sidecars.<MAP_KEY>.securityContextstructContainer security context. Set to ‘false’ to omit the security context entirely. For more info, see the Kubernetes documentation.
telemetryCollectorstructConfiguration for the Gloo Platform Telemetry Collector. See the OpenTelemetry Helm chart for the complete set of values.
telemetryCollectorCustomizationstructOptional customization for the Gloo Platform Telemetry Collector.
telemetryCollectorCustomization.compatibleServiceboolDeploy the OTel Collector service without the internalTrafficPolicy field, for compatibility with k8s < 1.26.false
telemetryCollectorCustomization.disableDefaultPipelineboolDeprecated in favor of the pipelines field, which allows selectively enabling or customizing pipelines. Disables the default metrics/ui pipeline.false
telemetryCollectorCustomization.enableCloudMetadataProcessingboolEnable scraping of network information from the compute instance that the collector agent runs on.false
telemetryCollectorCustomization.extraExportersstructConfiguration for extra exporters, such as to forward your data to a third-party provider. Exporters can forward the data to a destination on the local or remote network.
telemetryCollectorCustomization.extraExporters.clickhousemap[string, interface]An exporter to forward data to Clickhouse.{“database”:“default”,“endpoint”:“tcp://clickhouse.gloo-mesh.svc:9000?dial_timeout=10s&compress=lz4”,“logs_table_name”:“gloo_api_logs”,“password”:“default”,“retry_on_failure”:{“enabled”:true,“initial_interval”:“1s”,“max_elapsed_time”:“5m”,“max_interval”:“30s”},“timeout”:“5s”,“ttl_days”:3,“username”:“default”}
telemetryCollectorCustomization.extraExporters.clickhouse.<MAP_KEY>interfaceAn exporter to forward data to Clickhouse.
telemetryCollectorCustomization.extraExporters.clickhouse.databaseinterfaceAn exporter to forward data to Clickhouse.
telemetryCollectorCustomization.extraExporters.clickhouse.endpointinterfaceAn exporter to forward data to Clickhouse.
telemetryCollectorCustomization.extraExporters.clickhouse.logs_table_nameinterfaceAn exporter to forward data to Clickhouse.
telemetryCollectorCustomization.extraExporters.clickhouse.passwordinterfaceAn exporter to forward data to Clickhouse.
telemetryCollectorCustomization.extraExporters.clickhouse.retry_on_failureinterfaceAn exporter to forward data to Clickhouse.
telemetryCollectorCustomization.extraExporters.clickhouse.timeoutinterfaceAn exporter to forward data to Clickhouse.
telemetryCollectorCustomization.extraExporters.clickhouse.ttl_daysinterfaceAn exporter to forward data to Clickhouse.
telemetryCollectorCustomization.extraExporters.clickhouse.usernameinterfaceAn exporter to forward data to Clickhouse.
telemetryCollectorCustomization.extraExtensionsmap[string, interface]Configuration for extensions to the collector. Extensions are used to add additional functionality to the collector.null
telemetryCollectorCustomization.extraExtensions.<MAP_KEY>interfaceConfiguration for extensions to the collector. Extensions are used to add additional functionality to the collector.
telemetryCollectorCustomization.extraPipelinesmap[string, interface]Specify any added receivers, processors, or exporters in an extra pipeline.null
telemetryCollectorCustomization.extraPipelines.<MAP_KEY>interfaceSpecify any added receivers, processors, or exporters in an extra pipeline.
telemetryCollectorCustomization.extraProcessorsstructConfiguration for extra processors to drop and generate new data. Processors transform data before it is forwarded to downstream processors and/or exporters. For more information, see the OTel documentation.
telemetryCollectorCustomization.extraProcessors.batchmap[string, interface]The batch processor accepts spans, metrics, or logs and places them into batches. For more information, see Batch Processor.{“send_batch_max_size”:3000,“send_batch_size”:2000,“timeout”:“600ms”}
telemetryCollectorCustomization.extraProcessors.batch.<MAP_KEY>interfaceThe batch processor accepts spans, metrics, or logs and places them into batches. For more information, see Batch Processor.
telemetryCollectorCustomization.extraProcessors.batch.send_batch_max_sizeinterfaceThe batch processor accepts spans, metrics, or logs and places them into batches. For more information, see Batch Processor.
telemetryCollectorCustomization.extraProcessors.batch.send_batch_sizeinterfaceThe batch processor accepts spans, metrics, or logs and places them into batches. For more information, see Batch Processor.
telemetryCollectorCustomization.extraProcessors.batch.timeoutinterfaceThe batch processor accepts spans, metrics, or logs and places them into batches. For more information, see Batch Processor.
telemetryCollectorCustomization.extraProcessors.batch/logsstructThe batch log processor accepts logs and places them into batches. For more information, see Batch Processor.
telemetryCollectorCustomization.extraProcessors.batch/logs.metadata_cardinality_limitintThe maximum number of batcher instances that will be created through a distinct combination of MetadataKeys.0
telemetryCollectorCustomization.extraProcessors.batch/logs.metadata_keys[][]stringList of clients. Metadata keys that will be used to form distinct batchers. If this setting is empty a single batcher instance will be used. When a batcher instance is full, it will be sent and a new batcher instance will be created.[]
telemetryCollectorCustomization.extraProcessors.batch/logs.send_batch_max_sizeintThe maximum size of a batch. If the batch size is larger than this value, the batch is sent.100
telemetryCollectorCustomization.extraProcessors.batch/logs.send_batch_sizeintThe maximum number of traces or metrics to include in a batch.100
telemetryCollectorCustomization.extraProcessors.batch/logs.timeoutstringThe maximum amount of time to wait for a batch to be filled before sending it anyway.5s
telemetryCollectorCustomization.extraProcessors.memory_limitermap[string, interface]The memory limiter processor is used to prevent out of memory situations on the collector. For more information, see Memory Limiter Processor.{“check_interval”:“1s”,“limit_percentage”:85,“spike_limit_percentage”:10}
telemetryCollectorCustomization.extraProcessors.memory_limiter.<MAP_KEY>interfaceThe memory limiter processor is used to prevent out of memory situations on the collector. For more information, see Memory Limiter Processor.
telemetryCollectorCustomization.extraProcessors.memory_limiter.check_intervalinterfaceThe memory limiter processor is used to prevent out of memory situations on the collector. For more information, see Memory Limiter Processor.
telemetryCollectorCustomization.extraProcessors.memory_limiter.limit_percentageinterfaceThe memory limiter processor is used to prevent out of memory situations on the collector. For more information, see Memory Limiter Processor.
telemetryCollectorCustomization.extraProcessors.memory_limiter.spike_limit_percentageinterfaceThe memory limiter processor is used to prevent out of memory situations on the collector. For more information, see Memory Limiter Processor.
telemetryCollectorCustomization.extraReceiversstructConfiguration for extra receivers, such as to scrape extra Prometheus targets. Receivers listen on a network port to receive telemetry data.
telemetryCollectorCustomization.extraReceivers.filelog/access_logsmap[string, interface]The file log receiver tails and parses logs from files. For more information, see File Log Receiver.{“include”:["/var/log/pods//istio-proxy/.log"],“include_file_name”:false,“include_file_path”:true,“operators”:[{“expr”:“body matches "^[^{}]*$"”,“type”:“filter”},{“id”:“get-format”,“routes”:[{“expr”:“body matches "^\\{"”,“output”:“parser-docker”},{“expr”:“body matches "^[^ Z]+ "”,“output”:“parser-crio”},{“expr”:“body matches "^[^ Z]+Z"”,“output”:“parser-containerd”}],“type”:“router”},{“id”:“parser-crio”,“output”:“extract_metadata_from_filepath”,“regex”:"^(?P<time>[^ Z]+) (?P<stream>stdout
telemetryCollectorCustomization.extraReceivers.filelog/access_logs.<MAP_KEY>interfaceThe file log receiver tails and parses logs from files. For more information, see File Log Receiver.
telemetryCollectorCustomization.extraReceivers.filelog/access_logs.includeinterfaceThe file log receiver tails and parses logs from files. For more information, see File Log Receiver.
telemetryCollectorCustomization.extraReceivers.filelog/access_logs.include_file_nameinterfaceThe file log receiver tails and parses logs from files. For more information, see File Log Receiver.
telemetryCollectorCustomization.extraReceivers.filelog/access_logs.include_file_pathinterfaceThe file log receiver tails and parses logs from files. For more information, see File Log Receiver.
telemetryCollectorCustomization.extraReceivers.filelog/access_logs.operatorsinterfaceThe file log receiver tails and parses logs from files. For more information, see File Log Receiver.
telemetryCollectorCustomization.pipelinesstructSelectively enable, disable, or customize any of the default pipelines.
telemetryCollectorCustomization.pipelines.logs/cilium_flowsstructConfigure the collection of cilium flows.
telemetryCollectorCustomization.pipelines.logs/cilium_flows.enabledboolDetermines whether the Gloo OTel pipeline is enabled or disabled.false
telemetryCollectorCustomization.pipelines.logs/cilium_flows.pipelinestructThe configuration of the Gloo OTel pipeline.
telemetryCollectorCustomization.pipelines.logs/cilium_flows.pipeline.exporters[][]stringList of exporters to use in the pipeline.[“otlp”]
telemetryCollectorCustomization.pipelines.logs/cilium_flows.pipeline.processors[][]stringList of processors to use in the pipeline.[“batch/logs”,“resource/cluster_context”]
telemetryCollectorCustomization.pipelines.logs/cilium_flows.pipeline.receivers[][]stringList of receivers to use in the pipeline.[“hubble”]
telemetryCollectorCustomization.pipelines.logs/istio_access_logsstructA pre-defined pipeline that collects Istio access logs. This pipeline is disabled by default.
telemetryCollectorCustomization.pipelines.logs/istio_access_logs.enabledboolDetermines whether the Gloo OTel pipeline is enabled or disabled.false
telemetryCollectorCustomization.pipelines.logs/istio_access_logs.pipelinestructThe configuration of the Gloo OTel pipeline.
telemetryCollectorCustomization.pipelines.logs/istio_access_logs.pipeline.exporters[][]stringList of exporters to use in the pipeline.[“otlp”]
telemetryCollectorCustomization.pipelines.logs/istio_access_logs.pipeline.processors[][]stringList of processors to use in the pipeline.[“batch/logs”]
telemetryCollectorCustomization.pipelines.logs/istio_access_logs.pipeline.receivers[][]stringList of receivers to use in the pipeline.[“filelog/access_logs”]
telemetryCollectorCustomization.pipelines.metrics/ciliumstructThe metrics pipeline collects extra cilium metrics and is exportable for use in custom pipelines such as Grafana.
telemetryCollectorCustomization.pipelines.metrics/cilium.enabledboolDetermines whether the Gloo OTel pipeline is enabled or disabled.false
telemetryCollectorCustomization.pipelines.metrics/cilium.pipelinestructThe configuration of the Gloo OTel pipeline.
telemetryCollectorCustomization.pipelines.metrics/cilium.pipeline.exporters[][]stringList of exporters to use in the pipeline.[“otlp”]
telemetryCollectorCustomization.pipelines.metrics/cilium.pipeline.processors[][]stringList of processors to use in the pipeline.[“memory_limiter”,“transform/keep_hubble_labels”,“transform/keep_cilium_labels”,“batch”]
telemetryCollectorCustomization.pipelines.metrics/cilium.pipeline.receivers[][]stringList of receivers to use in the pipeline.[“prometheus”]
telemetryCollectorCustomization.pipelines.metrics/otlp_relaystructA pre-defined pipeline that allows OTLP telemetry from other collectors to be relayed to the OTel gateway. This pipeline is disabled by default.
telemetryCollectorCustomization.pipelines.metrics/otlp_relay.enabledboolDetermines whether the Gloo OTel pipeline is enabled or disabled.false
telemetryCollectorCustomization.pipelines.metrics/otlp_relay.pipelinestructThe configuration of the Gloo OTel pipeline.
telemetryCollectorCustomization.pipelines.metrics/otlp_relay.pipeline.exporters[][]stringList of exporters to use in the pipeline.[“otlp”]
telemetryCollectorCustomization.pipelines.metrics/otlp_relay.pipeline.processors[][]stringList of processors to use in the pipeline.null
telemetryCollectorCustomization.pipelines.metrics/otlp_relay.pipeline.receivers[][]stringList of receivers to use in the pipeline.[“otlp”]
telemetryCollectorCustomization.pipelines.metrics/uistructThe metrics/ui pipeline collects the metrics that are required for the Gloo UI graph. This pipeline is enabled by default.
telemetryCollectorCustomization.pipelines.metrics/ui.enabledboolDetermines whether the Gloo OTel pipeline is enabled or disabled.true
telemetryCollectorCustomization.pipelines.metrics/ui.pipelinestructThe configuration of the Gloo OTel pipeline.
telemetryCollectorCustomization.pipelines.metrics/ui.pipeline.exporters[][]stringList of exporters to use in the pipeline.[“otlp”]
telemetryCollectorCustomization.pipelines.metrics/ui.pipeline.processors[][]stringList of processors to use in the pipeline.[“memory_limiter”,“filter/min”,“batch”,“transform/keep_istio_labels”,“transform/keep_otelcol_labels”,“gloo_metrics_processor”]
telemetryCollectorCustomization.pipelines.metrics/ui.pipeline.receivers[][]stringList of receivers to use in the pipeline.[“prometheus”]
telemetryCollectorCustomization.pipelines.traces/istiostructA pre-defined pipeline that collects traces to observe and monitor requests.
telemetryCollectorCustomization.pipelines.traces/istio.enabledboolDetermines whether the Gloo OTel pipeline is enabled or disabled.false
telemetryCollectorCustomization.pipelines.traces/istio.pipelinestructThe configuration of the Gloo OTel pipeline.
telemetryCollectorCustomization.pipelines.traces/istio.pipeline.exporters[][]stringList of exporters to use in the pipeline.[“otlp”]
telemetryCollectorCustomization.pipelines.traces/istio.pipeline.processors[][]stringList of processors to use in the pipeline.[“batch”]
telemetryCollectorCustomization.pipelines.traces/istio.pipeline.receivers[][]stringList of receivers to use in the pipeline.[“jaeger”,“opencensus”,“otlp”,“zipkin”]
| telemetryCollectorCustomization.serverName | string | SNI and certificate subject alternative name used in the collector certificate. | gloo-telemetry-gateway.gloo-mesh |
| telemetryCollectorCustomization.telemetry | map[string, interface] | Configure the service telemetry (logs and metrics) as described in the otel-collector docs. | {"metrics":{"address":"0.0.0.0:8888"}} |
| telemetryCollectorCustomization.telemetry.<MAP_KEY> | interface | Configure the service telemetry (logs and metrics) as described in the otel-collector docs. | |
| telemetryCollectorCustomization.telemetry.metrics | interface | Configure the service telemetry (logs and metrics) as described in the otel-collector docs. | |
| telemetryGateway | struct | Configuration for the Gloo Platform Telemetry Gateway. See the OpenTelemetry Helm chart for the complete set of values. | |
| telemetryGatewayCustomization | struct | Optional customization for the Gloo Platform Telemetry Gateway. | |
| telemetryGatewayCustomization.compatibleService | bool | Use an OTel Collector service that excludes the internalTrafficPolicy field, for compatibility with k8s < 1.26. | false |
| telemetryGatewayCustomization.disableCertGeneration | bool | Disable cert generation for the Gloo Platform Telemetry Gateway. | false |
| telemetryGatewayCustomization.disableDefaultPipeline | bool | Deprecated in favor of the pipelines field, which allows selectively enabling or customizing pipelines. Disables the default metrics/prometheus pipeline. | false |
| telemetryGatewayCustomization.extraExporters | struct | Configuration for extra exporters, such as to forward your data to a third-party provider. Exporters can forward the data to a destination on the local or remote network. | |
| telemetryGatewayCustomization.extraExporters.clickhouse | map[string, interface] | An exporter to forward data to Clickhouse. | {"database":"default","endpoint":"tcp://clickhouse.gloo-mesh.svc:9000?dial_timeout=10s\u0026compress=lz4","logs_table_name":"gloo_api_logs","password":"default","retry_on_failure":{"enabled":true,"initial_interval":"1s","max_elapsed_time":"5m","max_interval":"30s"},"timeout":"5s","ttl_days":3,"username":"default"} |
| telemetryGatewayCustomization.extraExporters.clickhouse.<MAP_KEY> | interface | An exporter to forward data to Clickhouse. | |
| telemetryGatewayCustomization.extraExporters.clickhouse.database | interface | An exporter to forward data to Clickhouse. | |
| telemetryGatewayCustomization.extraExporters.clickhouse.endpoint | interface | An exporter to forward data to Clickhouse. | |
| telemetryGatewayCustomization.extraExporters.clickhouse.logs_table_name | interface | An exporter to forward data to Clickhouse. | |
| telemetryGatewayCustomization.extraExporters.clickhouse.password | interface | An exporter to forward data to Clickhouse. | |
| telemetryGatewayCustomization.extraExporters.clickhouse.retry_on_failure | interface | An exporter to forward data to Clickhouse. | |
| telemetryGatewayCustomization.extraExporters.clickhouse.timeout | interface | An exporter to forward data to Clickhouse. | |
| telemetryGatewayCustomization.extraExporters.clickhouse.ttl_days | interface | An exporter to forward data to Clickhouse. | |
| telemetryGatewayCustomization.extraExporters.clickhouse.username | interface | An exporter to forward data to Clickhouse. | |
| telemetryGatewayCustomization.extraExtensions | map[string, interface] | Configuration for extensions to the gateway. Extensions are used to add additional functionality to the gateway. | null |
| telemetryGatewayCustomization.extraExtensions.<MAP_KEY> | interface | Configuration for extensions to the gateway. Extensions are used to add additional functionality to the gateway. | |
| telemetryGatewayCustomization.extraPipelines | map[string, interface] | Specify any added receivers, processors, or exporters in an extra pipeline. | null |
| telemetryGatewayCustomization.extraPipelines.<MAP_KEY> | interface | Specify any added receivers, processors, or exporters in an extra pipeline. | |
| telemetryGatewayCustomization.extraProcessors | struct | Configuration for extra processors to drop and generate new data. Processors transform data before it is forwarded to downstream processors and/or exporters. For more information, see the OTel documentation. | |
| telemetryGatewayCustomization.extraProcessors.batch | map[string, interface] | The batch processor accepts spans, metrics, or logs and places them into batches. For more information, see Batch Processor. | {"send_batch_max_size":3000,"send_batch_size":2000,"timeout":"600ms"} |
| telemetryGatewayCustomization.extraProcessors.batch.<MAP_KEY> | interface | The batch processor accepts spans, metrics, or logs and places them into batches. For more information, see Batch Processor. | |
| telemetryGatewayCustomization.extraProcessors.batch.send_batch_max_size | interface | The batch processor accepts spans, metrics, or logs and places them into batches. For more information, see Batch Processor. | |
| telemetryGatewayCustomization.extraProcessors.batch.send_batch_size | interface | The batch processor accepts spans, metrics, or logs and places them into batches. For more information, see Batch Processor. | |
| telemetryGatewayCustomization.extraProcessors.batch.timeout | interface | The batch processor accepts spans, metrics, or logs and places them into batches. For more information, see Batch Processor. | |
| telemetryGatewayCustomization.extraProcessors.batch/logs | struct | The batch log processor accepts logs and places them into batches. For more information, see Batch Processor. | |
| telemetryGatewayCustomization.extraProcessors.batch/logs.metadata_cardinality_limit | int | The maximum number of batcher instances that will be created through a distinct combination of MetadataKeys. | 0 |
| telemetryGatewayCustomization.extraProcessors.batch/logs.metadata_keys[] | []string | List of clients. Metadata keys that will be used to form distinct batchers. If this setting is empty, a single batcher instance will be used. When a batcher instance is full, it will be sent and a new batcher instance will be created. | [] |
| telemetryGatewayCustomization.extraProcessors.batch/logs.send_batch_max_size | int | The maximum size of a batch. If the batch size is larger than this value, the batch is sent. | 100 |
| telemetryGatewayCustomization.extraProcessors.batch/logs.send_batch_size | int | The maximum number of traces or metrics to include in a batch. | 100 |
| telemetryGatewayCustomization.extraProcessors.batch/logs.timeout | string | The maximum amount of time to wait for a batch to be filled before sending it anyway. | 5s |
| telemetryGatewayCustomization.extraProcessors.memory_limiter | map[string, interface] | The memory limiter processor is used to prevent out-of-memory situations on the collector. For more information, see Memory Limiter Processor. | {"check_interval":"1s","limit_percentage":85,"spike_limit_percentage":10} |
| telemetryGatewayCustomization.extraProcessors.memory_limiter.<MAP_KEY> | interface | The memory limiter processor is used to prevent out-of-memory situations on the collector. For more information, see Memory Limiter Processor. | |
| telemetryGatewayCustomization.extraProcessors.memory_limiter.check_interval | interface | The memory limiter processor is used to prevent out-of-memory situations on the collector. For more information, see Memory Limiter Processor. | |
| telemetryGatewayCustomization.extraProcessors.memory_limiter.limit_percentage | interface | The memory limiter processor is used to prevent out-of-memory situations on the collector. For more information, see Memory Limiter Processor. | |
| telemetryGatewayCustomization.extraProcessors.memory_limiter.spike_limit_percentage | interface | The memory limiter processor is used to prevent out-of-memory situations on the collector. For more information, see Memory Limiter Processor. | |
| telemetryGatewayCustomization.extraReceivers | map[string, interface] | Configuration for extra receivers, such as to scrape extra Prometheus targets. Receivers listen on a network port to receive telemetry data. | null |
| telemetryGatewayCustomization.extraReceivers.<MAP_KEY> | interface | Configuration for extra receivers, such as to scrape extra Prometheus targets. Receivers listen on a network port to receive telemetry data. | |
| telemetryGatewayCustomization.pipelines | struct | Selectively enable, disable, or customize any of the default pipelines. | |
| telemetryGatewayCustomization.pipelines.logs/clickhouse | struct | A pre-defined pipeline that forwards Istio access logs that the collector agents receive to Clickhouse. | |
| telemetryGatewayCustomization.pipelines.logs/clickhouse.enabled | bool | Determines whether the Gloo OTel pipeline is enabled or disabled. | false |
| telemetryGatewayCustomization.pipelines.logs/clickhouse.pipeline | struct | The configuration of the Gloo OTel pipeline. | |
| telemetryGatewayCustomization.pipelines.logs/clickhouse.pipeline.exporters[] | []string | List of exporters to use in the pipeline. | ["clickhouse"] |
| telemetryGatewayCustomization.pipelines.logs/clickhouse.pipeline.processors[] | []string | List of processors to use in the pipeline. | ["batch/logs"] |
| telemetryGatewayCustomization.pipelines.logs/clickhouse.pipeline.receivers[] | []string | List of receivers to use in the pipeline. | ["otlp"] |
| telemetryGatewayCustomization.pipelines.logs/redis_stream | struct | Configure the exporting of telemetry into Redis streams. | |
| telemetryGatewayCustomization.pipelines.logs/redis_stream.enabled | bool | Determines whether the Gloo OTel pipeline is enabled or disabled. | false |
| telemetryGatewayCustomization.pipelines.logs/redis_stream.pipeline | struct | The configuration of the Gloo OTel pipeline. | |
| telemetryGatewayCustomization.pipelines.logs/redis_stream.pipeline.exporters[] | []string | List of exporters to use in the pipeline. | ["redisstream"] |
| telemetryGatewayCustomization.pipelines.logs/redis_stream.pipeline.processors[] | []string | List of processors to use in the pipeline. | ["batch/logs"] |
| telemetryGatewayCustomization.pipelines.logs/redis_stream.pipeline.receivers[] | []string | List of receivers to use in the pipeline. | ["otlp"] |
| telemetryGatewayCustomization.pipelines.metrics/prometheus | struct | A pre-defined pipeline that collects metrics from various sources, such as the Gloo management server, Gloo Platform, Istio, Cilium, and the Gloo OTel pipeline, and makes this data available to the built-in Prometheus server. | |
| telemetryGatewayCustomization.pipelines.metrics/prometheus.enabled | bool | Determines whether the Gloo OTel pipeline is enabled or disabled. | true |
| telemetryGatewayCustomization.pipelines.metrics/prometheus.pipeline | struct | The configuration of the Gloo OTel pipeline. | |
| telemetryGatewayCustomization.pipelines.metrics/prometheus.pipeline.exporters[] | []string | List of exporters to use in the pipeline. | ["prometheus"] |
| telemetryGatewayCustomization.pipelines.metrics/prometheus.pipeline.processors[] | []string | List of processors to use in the pipeline. | ["memory_limiter","batch"] |
| telemetryGatewayCustomization.pipelines.metrics/prometheus.pipeline.receivers[] | []string | List of receivers to use in the pipeline. | ["otlp","prometheus"] |
| telemetryGatewayCustomization.pipelines.traces/jaeger | struct | A pre-defined pipeline that collects traces to observe and monitor traffic requests, and makes them available to the built-in Jaeger tracing platform demo. | |
| telemetryGatewayCustomization.pipelines.traces/jaeger.enabled | bool | Determines whether the Gloo OTel pipeline is enabled or disabled. | false |
| telemetryGatewayCustomization.pipelines.traces/jaeger.pipeline | struct | The configuration of the Gloo OTel pipeline. | |
| telemetryGatewayCustomization.pipelines.traces/jaeger.pipeline.exporters[] | []string | List of exporters to use in the pipeline. | ["otlp/jaeger"] |
| telemetryGatewayCustomization.pipelines.traces/jaeger.pipeline.processors[] | []string | List of processors to use in the pipeline. | ["batch"] |
| telemetryGatewayCustomization.pipelines.traces/jaeger.pipeline.receivers[] | []string | List of receivers to use in the pipeline. | ["otlp"] |
| telemetryGatewayCustomization.reloadTlsCertificate | struct | Interval of time between reloading the TLS certificate of the telemetry gateway. | |
| telemetryGatewayCustomization.reloadTlsCertificate.nanos | int32 | | 0 |
| telemetryGatewayCustomization.reloadTlsCertificate.seconds | int64 | | 0 |
| telemetryGatewayCustomization.serverName | string | SNI and certificate subject alternative name used in the telemetry gateway certificate. | gloo-telemetry-gateway.gloo-mesh |
| telemetryGatewayCustomization.telemetry | map[string, interface] | Configure the service telemetry (logs and metrics) as described in the otel-collector docs. | {"metrics":{"address":"0.0.0.0:8888"}} |
| telemetryGatewayCustomization.telemetry.<MAP_KEY> | interface | Configure the service telemetry (logs and metrics) as described in the otel-collector docs. | |
| telemetryGatewayCustomization.telemetry.metrics | interface | Configure the service telemetry (logs and metrics) as described in the otel-collector docs. | |