Configuration property reference

This section lists all of the configuration properties that you can use to customize the runtime plane of your Apigee hybrid deployment.


Top-level properties

The following table describes the top-level properties in the overrides.yaml file. These are properties that do not belong to another object, and apply at the org or environment level:

Property Type Description
axHashSalt Advanced

Introduced in version: 1.3.0

Default value: Your organization name

Optional

The name of a Kubernetes secret that contains a salt used when computing hashes to obfuscate user data before it is sent to Apigee analytics. If you do not specify a salt value, iloveapis123 is used by default. Create the secret with the salt value as its input. You can use the same salt across multiple clusters to ensure consistent hashing results between the clusters.

Apigee uses SHA512 to hash the original value before sending data from the runtime plane to the control plane.

See: Obfuscate user data for analytics.

contractProvider Advanced Introduced in version: 1.0.0

Default value: https://apigee.googleapis.com

Defines the API path for all APIs in your installation.

Required if your hybrid installation is using Data residency in the following format:

contractProvider: https://CONTROL_PLANE_LOCATION-apigee.googleapis.com

Where CONTROL_PLANE_LOCATION is the location where control plane data like proxy bundles are stored. For a list see Available Apigee API control plane regions.

For example:

contractProvider: https://us-apigee.googleapis.com

gcpProjectID Advanced Deprecated: For v1.2.0 and later, use gcp.projectID instead.

Introduced in version: 1.0.0

Default value: none

Required

ID of your Google Cloud project. Works with k8sClusterName (deprecated) and gcpRegion (deprecated) to identify the project and determine where the apigee-logger and the apigee-metrics push their data.

gcpRegion Advanced Deprecated: For v1.2.0 and later, use gcp.region instead.

Introduced in version: 1.0.0

Default value: us-central1

Required

The closest Google Cloud region or zone of your Kubernetes cluster. Works with gcpProjectID (deprecated) and k8sClusterName (deprecated) to identify the project and determine where the apigee-logger and the apigee-metrics push their data.

hub Advanced Introduced in version: 1.11.0

Default value: None

The URL of a private image container repository used to pull images for all apigee components from a private repo.

hub provides a default path for all Apigee hybrid components. If you are using a private repository, use hub to set the repository URL for all components rather than using the individual image.url property for each component. Only configure individual URLs if you are using a separate repository for a specific component.

The image path for each individual component will be the value of hub plus the image name and tag for the component.

For example, if the value of hub is private-docker-host.example.com, individual components will automatically resolve the image path:

hub: private-docker-host.example.com

as:

## an example of internal component vs 3rd party
containers:
- name: apigee-udca
  image: private-docker-host.example.com/apigee-udca:1.13.2
  imagePullPolicy: IfNotPresent

containers:
- name: apigee-ingressgateway
  image: private-docker-host.example.com/apigee-asm-ingress:1.18.7-asm.4-distroless
  imagePullPolicy: IfNotPresent

The other components will follow a similar pattern.

Use apigee-pull-push --list to see the current repository URL for all components.

See Use a private image repository with Apigee hybrid.

You can override the image URL for components individually with the following properties:

imagePullSecrets.name Advanced Introduced in version: 1.0.0

Default value: None

Kubernetes secret name configured as docker-registry type; used to pull images from private repo.

instanceID Basic Introduced in version: 1.3.0

Default value: None

Required

A unique identifier for this installation.

A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters in length.

k8sClusterName Advanced Deprecated: For v1.2.0 and later, use k8sCluster.name and k8sCluster.region instead.

Introduced in version: 1.0.0

Default value: None

Name of the Kubernetes (K8S) cluster where your hybrid project is running. Works with gcpProjectID (deprecated) and gcpRegion (deprecated) to identify the project and determine where the apigee-logger and the apigee-metrics push their data.

kmsEncryptionKey Advanced Introduced in version: 1.0.0

Default value: defaults.org.kmsEncryptionKey

Optional. Use only one of kmsEncryptionKey or kmsEncryptionPath or kmsEncryptionSecret.

Local file system path for the Apigee KMS data's encryption key.

kmsEncryptionPath Advanced Introduced in version: 1.2.0

Default value: None

Optional. Use only one of kmsEncryptionKey or kmsEncryptionPath or kmsEncryptionSecret.

The path to a file containing a base64-encoded encryption key. See Data encryption.

kmsEncryptionSecret.key Advanced Introduced in version: 1.2.0

Default value: None

Optional. Use only one of kmsEncryptionKey or kmsEncryptionPath or kmsEncryptionSecret.

The key of a Kubernetes secret containing a base64-encoded encryption key. See Data encryption.

kmsEncryptionSecret.name Advanced Introduced in version: 1.2.0

Default value: None

Optional. Use only one of kmsEncryptionKey or kmsEncryptionPath or kmsEncryptionSecret.

The name of a Kubernetes secret containing a base64-encoded encryption key. See Data encryption.

kvmEncryptionKey Advanced Introduced in version: 1.0.0

Default value: defaults.org.kmsEncryptionKey

Optional. Use only one of kvmEncryptionKey or kvmEncryptionPath or kvmEncryptionSecret.

Local file system path for the Apigee KVM data's encryption key.

kvmEncryptionPath Advanced Introduced in version: 1.2.0

Default value: None

Optional. Use only one of kvmEncryptionKey or kvmEncryptionPath or kvmEncryptionSecret.

The path to a file containing a base64-encoded encryption key. See Data encryption.

kvmEncryptionSecret.key Advanced Introduced in version: 1.2.0

Default value: None

Optional. Use only one of kvmEncryptionKey or kvmEncryptionPath or kvmEncryptionSecret.

The key of a Kubernetes secret containing a base64-encoded encryption key. See Data encryption.

kvmEncryptionSecret.name Advanced Introduced in version: 1.2.0

Default value: None

Optional. Use only one of kvmEncryptionKey or kvmEncryptionPath or kvmEncryptionSecret.

The name of a Kubernetes secret containing a base64-encoded encryption key. See Data encryption.

multiOrgCluster Advanced Introduced in version: 1.10.0

Default value: false

For multi-org clusters, this property enables the organization's metrics to be exported to the project listed in the gcp.projectID property. Apply this setting in the overrides file for each organization in a multi-org cluster. For more information, see Adding multiple hybrid orgs to a cluster.

namespace Basic Introduced in version: 1.0.0

Default value: apigee

The namespace of your Kubernetes cluster where the Apigee components will be installed.

org Basic

Introduced in version: 1.0.0

Default value: None

Required

The hybrid-enabled organization that was provisioned for you by Apigee during the hybrid installation. An organization is the top-level container in Apigee. It contains all your API proxies and related resources. If the value is empty, you must update it with your org name once you have created it.

orgScopedUDCA Advanced Introduced in version: 1.8.0

Default value: true

Enables the Universal Data Collection Agent (UDCA) service at the org level. UDCA extracts analytics, monetization, and debug (trace) data and sends it to the Unified Analytics Platform (UAP), which resides in the Control Plane.

Org-scoped UDCA uses a single Google service account for all Apigee environments. The service account needs to have the Apigee Analytics Agent (roles/apigee.analyticsAgent) role.

Specify the path to the service account key file with the udca.serviceAccountPath property or provide the key in a Kubernetes secret with the udca.serviceAccountRef property in your overrides.yaml configuration file.

If you prefer to use a separate UDCA agent for each environment, set orgScopedUDCA: false and set the values for envs[].serviceAccountPaths.udca and envs[].serviceAccountSecretRefs.udca.

See also: udca.

revision Advanced Introduced in version: 1.0.0

Default value: "1132" (Your Apigee hybrid version without periods. For example for version 1.12.0, the default value is "1120".)

Apigee hybrid supports rolling Kubernetes updates, which allow deployment updates to take place with zero downtime by incrementally updating Pod instances with new ones.

When updating certain YAML overrides that result in an underlying Kubernetes PodTemplateSpec change, the revision override property must also be changed in the customer's override.yaml. This is required for the underlying Kubernetes ApigeeDeployment (AD) controller to conduct a safe rolling update from the previous version to the new version. You can use any lowercase text value, for example: blue, a, 1.0.0.

When the revision property is changed and applied, a rolling update will occur for all components.

Changes to properties of the following objects require an update to revision:

For more information, see Rolling updates.

serviceAccountSecretProviderClass Advanced Introduced in version: 1.12.0

Default value: None

The name of the organization-specific secret provider class (SecretProviderClass) used for storing service account keys in Vault.

See Storing service account keys in Hashicorp Vault.

validateOrg Advanced Introduced in version: 1.8.0

Default value: true

Enables strict validation of the link between the Apigee Org and Google Cloud project and checks for the existence of environment groups.

See also org

validateServiceAccounts Advanced Introduced in version: 1.0.0

Default value: true

Enables strict validation of service account permissions. This uses Cloud Resource Manager API method testIamPermissions to verify that the provided service account has the required permissions. In the case of service accounts for an Apigee Org, the project ID check is the one mapped to the Organization. For Metrics and Logger, the project checked is based on the gcpProjectID overrides.yaml configuration.

See also gcpProjectID
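
The rules this table states for top-level properties (deprecated names, the "use only one of" rule for the kms*/kvm* encryption properties, the default salt) can be checked mechanically, together with the iloveapis123 default listed for the cassandra.auth.*.password properties in the cassandra table on this page. The linter below is an added example, not Apigee code: it assumes overrides.yaml has already been parsed into a Python dict and that inline passwords are not used once cassandra.auth.secret or cassandra.auth.secretProviderClass is set, and all sample values are constructed.

```python
"""Lint a parsed overrides.yaml against rules stated in this reference (added example)."""

# Default listed on this page for every cassandra.auth.*.password property.
DEFAULT_PASSWORD = "iloveapis123"

# Deprecated top-level property -> replacement named on this page.
DEPRECATED = {
    "gcpProjectID": "gcp.projectID",
    "gcpRegion": "gcp.region",
    "k8sClusterName": "k8sCluster.name and k8sCluster.region",
}

# "Use only one of" groups from the kms*/kvm* rows.
EXCLUSIVE_GROUPS = {
    "kmsEncryption*": ("kmsEncryptionKey", "kmsEncryptionPath", "kmsEncryptionSecret"),
    "kvmEncryption*": ("kvmEncryptionKey", "kvmEncryptionPath", "kvmEncryptionSecret"),
}

# Users that have a cassandra.auth.<user>.password row in this reference.
CASSANDRA_USERS = ("admin", "ddl", "default", "dml", "jmx", "jolokia")


def lint_overrides(overrides):
    """Return a list of (severity, property, message) findings."""
    findings = []

    for old, new in DEPRECATED.items():
        if old in overrides:
            findings.append(("warn", old, f"deprecated, use {new}"))

    for label, group in EXCLUSIVE_GROUPS.items():
        present = [name for name in group if overrides.get(name)]
        if len(present) > 1:
            findings.append(
                ("error", label, "only one allowed, found " + ", ".join(present))
            )

    if not overrides.get("axHashSalt"):
        findings.append(
            ("info", "axHashSalt", "no salt secret named, the default salt is used")
        )

    auth = (overrides.get("cassandra") or {}).get("auth") or {}
    # Assumption: inline passwords are not used once an external source is named.
    if not (auth.get("secret") or auth.get("secretProviderClass")):
        for user in CASSANDRA_USERS:
            password = (auth.get(user) or {}).get("password")
            # An absent password means the documented default applies.
            if password is None or password == DEFAULT_PASSWORD:
                findings.append(
                    ("error", f"cassandra.auth.{user}.password",
                     "left at the documented default")
                )
    return findings


# Constructed sample: deprecated key, two KMS key sources, default passwords.
SAMPLE_OVERRIDES = {
    "org": "example-org",
    "instanceID": "example-instance-1",
    "gcpProjectID": "example-project",
    "kmsEncryptionPath": "./keys/kms.b64",
    "kmsEncryptionSecret": {"name": "kms-secret", "key": "kms-key"},
    "kvmEncryptionSecret": {"name": "kvm-secret", "key": "kvm-key"},
    "cassandra": {
        "auth": {
            "admin": {"password": "iloveapis123"},
            "ddl": {"password": "Xq7-constructed-value"},
        }
    },
}

# Constructed sample: one key source per group, salt and credentials in secrets.
HARDENED_OVERRIDES = {
    "org": "example-org",
    "instanceID": "example-instance-1",
    "axHashSalt": "ax-salt-secret",
    "kmsEncryptionSecret": {"name": "kms-secret", "key": "kms-key"},
    "kvmEncryptionSecret": {"name": "kvm-secret", "key": "kvm-key"},
    "cassandra": {"auth": {"secret": "cassandra-credentials"}},
}

if __name__ == "__main__":
    for severity, prop, message in lint_overrides(SAMPLE_OVERRIDES):
        print(f"{severity:5} {prop}: {message}")
    print("hardened findings:", lint_overrides(HARDENED_OVERRIDES))
```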

ao

Apigee Operators (AO) creates and updates low-level Kubernetes and Istio resources that are required to deploy and maintain a component. For example, the controller carries out the release of message processors.

The following table describes the properties of the apigee-operators ao object:

Property Type Description
ao.args.disableIstioConfigInAPIServer Advanced Introduced in version: 1.8.0

Default value: true

Stops Apigee from supplying configuration to customer-installed Cloud Service Mesh.

  • Set to true for hybrid installations using Apigee ingress gateway.
  • Set to false for hybrid installations using Cloud Service Mesh (Apigee hybrid versions 1.8 and earlier).

ao.args.disableManagedClusterRoles Advanced Introduced in version: 1.10.0

Default value: true

When true (the default), Apigee hybrid does not manage Kubernetes ClusterRole and ClusterRoleBinding directly. If you have a process that requires managing these resources, the process must be performed by a user with the correct permissions to do so.

ao.image.pullPolicy Advanced Introduced in version: 1.2.0

Default value: IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, see Updating images.

ao.image.tag Advanced Introduced in version: 1.2.0

Default value: 1.13.2

The version label for this service's Docker image.

ao.image.url Advanced Introduced in version: 1.2.0

Default value: None

The location of the Docker image for this service.

Use apigee-pull-push --list to see the current repository URL for this component.

ao.resources.limits.cpu Advanced Introduced in version: 1.2.0

Default value: 250m

The CPU limit for the resource in a Kubernetes container, in millicores.

ao.resources.limits.memory Advanced Introduced in version: 1.2.0

Default value: 256Mi

The memory limit for the resource in a Kubernetes container, in mebibytes.

ao.resources.requests.cpu Advanced Introduced in version: 1.2.0

Default value: 250m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

ao.resources.requests.memory Advanced Introduced in version: 1.2.0

Default value: 256Mi

The memory needed for normal operation of the resource in a Kubernetes container, in mebibytes.

ao.tolerations.effect Advanced Introduced in version: 1.10.1

Default value: None

Required to use the Taints and Tolerations feature of Kubernetes.

effect specifies the effect that matching a toleration with a taint will have. Values for effect can be:

  • NoExecute
  • NoSchedule
  • PreferNoSchedule

See Taints and Tolerations: Concepts for details.

ao.tolerations.key Advanced Introduced in version: 1.10.1

Default value: None

Required to use the Taints and Tolerations feature of Kubernetes.

key identifies pods to which the toleration can be applied.

See Taints and Tolerations: Concepts for details.

ao.tolerations.operator Advanced Introduced in version: 1.10.1

Default value: "Equal"

Required to use the Taints and Tolerations feature of Kubernetes.

operator specifies the operation used to trigger the effect. Values for operator can be:

  • Equal matches the value set in value.
  • Exists ignores the value set in value.

See Taints and Tolerations: Concepts for details.

ao.tolerations.tolerationSeconds Advanced Introduced in version: 1.10.1

Default value: None

Used by the Taints and Tolerations feature of Kubernetes.

tolerationSeconds defines in seconds how long a pod stays bound to a failing or unresponsive node.

See Taints and Tolerations: Concepts for details.

ao.tolerations.value Advanced Introduced in version: 1.10.1

Default value: None

Used by the Taints and Tolerations feature of Kubernetes.

value is the value that triggers the effect when operator is set to Equal.

See Taints and Tolerations: Concepts for details.

apigeeIngressGateway

Configures the Apigee ingress gateway for Apigee Hybrid. Use apigeeIngressGateway properties to apply common configuration to all instances of the Apigee ingress gateway.

See ingressGateways to configure individual instances uniquely.

Apply changes to apigeeIngressGateway properties with the apigee-org chart.

The following table describes the properties of the apigeeIngressGateway object:

Property Type Description
apigeeIngressGateway.image.pullPolicy Advanced Introduced in version: 1.11.0

Default value: IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, see Updating images.

apigeeIngressGateway.image.tag Advanced Introduced in version: 1.11.0

Default value: 1.18.7-asm.4-distroless

The version label for this service's Docker image.

apigeeIngressGateway.image.url Advanced Introduced in version: 1.11.0

Default value: None

The location of the Docker image for this service.

Use apigee-pull-push --list to see the current repository URL for this component.

apigeeIngressGateway.nodeSelector.key Advanced Introduced in version: 1.11.0

Default value: None

Required

Node selector label key used to target dedicated Kubernetes nodes for ingress gateway services.

See Configuring dedicated node pools.

apigeeIngressGateway.nodeSelector.value Advanced Introduced in version: 1.11.0

Default value: None

Optional node selector label value used to target dedicated Kubernetes nodes for ingress gateway services and override the nodeSelector.apigeeData settings.

See nodeSelector.

apigeeIngressGateway.replicaCountMax Basic Introduced in version: 1.11.0

Default value: 4

The maximum number of pods that hybrid can automatically add for the ingress gateway available for autoscaling.

apigeeIngressGateway.replicaCountMin Basic Introduced in version: 1.11.0

Default value: 2

The minimum number of pods for the ingress gateway available for autoscaling.

apigeeIngressGateway.targetCPUUtilizationPercentage Advanced Introduced in version: 1.10.5, 1.11.2, 1.12.1

Default value: 75

The threshold of CPU usage for scaling the number of pods in the ReplicaSet, as a percentage of total available CPU resources.

When CPU usage goes above this value, then hybrid will gradually increase the number of pods in the ReplicaSet, up to apigeeIngressGateway.replicaCountMax.

For more information on scaling in Kubernetes, see Horizontal Pod Autoscaling in the Kubernetes documentation.

apigeeIngressGateway.tolerations.effect Advanced Introduced in version: 1.11.0

Default value: None

Required to use the Taints and Tolerations feature of Kubernetes.

effect specifies the effect that matching a toleration with a taint will have. Values for effect can be:

  • NoExecute
  • NoSchedule
  • PreferNoSchedule

See Taints and Tolerations: Concepts for details.

apigeeIngressGateway.tolerations.key Advanced Introduced in version: 1.11.0

Default value: None

Required to use the Taints and Tolerations feature of Kubernetes.

key identifies pods to which the toleration can be applied.

See Taints and Tolerations: Concepts for details.

apigeeIngressGateway.tolerations.operator Advanced Introduced in version: 1.11.0

Default value: "Equal"

Required to use the Taints and Tolerations feature of Kubernetes.

operator specifies the operation used to trigger the effect. Values for operator can be:

  • Equal matches the value set in value.
  • Exists ignores the value set in value.

See Taints and Tolerations: Concepts for details.

apigeeIngressGateway.tolerations.tolerationSeconds Advanced Introduced in version: 1.11.0

Default value: None

Used by the Taints and Tolerations feature of Kubernetes.

tolerationSeconds defines in seconds how long a pod stays bound to a failing or unresponsive node.

See Taints and Tolerations: Concepts for details.

apigeeIngressGateway.tolerations.value Advanced Introduced in version: 1.11.0

Default value: None

Used by the Taints and Tolerations feature of Kubernetes.

value is the value that triggers the effect when operator is set to Equal.

See Taints and Tolerations: Concepts for details.

cassandra

Defines the hybrid service that manages the runtime data repository. This repository stores application configurations, distributed quota counters, API keys, and OAuth tokens for applications running on the gateway.

For more information, see StorageClass configuration.

The following table describes the properties of the cassandra object:

Property Type Description
cassandra.annotations Advanced Introduced in version: 1.5.0

Default value: None

Optional key/value map used to annotate pods. For more information, see Custom annotations.

cassandra.auth.admin.password Basic Introduced in version: 1.0.0

Default value: iloveapis123

Required

Password for the Cassandra administrator. The admin user is used for any administrative activities performed on the Cassandra cluster, such as backup and restore.

cassandra.auth.ddl.password Basic Introduced in version: 1.0.0

Default value: iloveapis123

Required

Password for the Cassandra Data Definition Language (DDL) user. Used by MART for any of the data definition tasks like keyspace creation, update, and deletion.

cassandra.auth.default.password Basic Introduced in version: 1.0.0

Default value: iloveapis123

Required

The password for the default Cassandra user created when Authentication is enabled. This password must be reset when configuring Cassandra authentication. See Configuring TLS for Cassandra.

cassandra.auth.dml.password Basic Introduced in version: 1.0.0

Default value: iloveapis123

Required

Password for the Cassandra Data Manipulation Language (DML) user. The DML user is used by the client communication to read and write data to Cassandra.

cassandra.auth.image.pullPolicy Advanced Introduced in version: 1.0.0

Default value: IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, see Updating images.

cassandra.auth.image.tag Advanced Introduced in version: 1.0.0

Default value: 1.13.2

The version label for this service's Docker image.

cassandra.auth.image.url Advanced Introduced in version: 1.0.0

Default value: None

The location of the Docker image for this service.

Use apigee-pull-push --list to see the current repository URL for this component.

cassandra.auth.jmx.password Basic Introduced in version: 1.4.0

Default value: iloveapis123

Required

Password for the Cassandra JMX operations user. Used to authenticate and communicate with the Cassandra JMX interface.

cassandra.auth.jmx.username Basic Introduced in version: 1.4.0

Default value: jmxuser

Required

Username for the Cassandra JMX operations user. Used to authenticate and communicate with the Cassandra JMX interface.

cassandra.auth.jolokia.password Basic Introduced in version: 1.4.0

Default value: iloveapis123

Required

Password for the Cassandra Jolokia JMX operations user. Used to authenticate and communicate with the Cassandra JMX API.

cassandra.auth.jolokia.username Basic Introduced in version: 1.4.0

Default value: apigee

Required

Username for the Cassandra Jolokia JMX operations user. Used to authenticate and communicate with the Cassandra JMX API.

cassandra.auth.secret Basic Introduced in version: 1.3.3

Default value: None

The name of the file stored in a Kubernetes secret that contains the Cassandra users and passwords. You can create the secret using the following instructions: Create the Secret.

See also:

cassandra.auth.secretProviderClass Advanced Introduced in version: 1.10.3

Default value: None

The Cassandra secret storage policy. When set, it must match the SecretProviderClass which references the external secret provider, like Hashicorp Vault. When unset, Apigee hybrid uses either the usernames and passwords stored in:

or the Kubernetes secret stored in:

See Storing Cassandra secrets in Hashicorp Vault for instructions to create the policy.

cassandra.backup.cloudProvider Advanced Introduced in version: 1.0.0

Default value: GCP

The name of a backup provider. Supported values: GCP, HYBRID, and CSI. Set the value to:

  • GCP to store backup archives on Google Cloud Storage.
  • HYBRID to store backup archives on a remote SSH server.
  • CSI (recommended) to utilize Kubernetes CSI Volume Snapshots for backup. For information on CSI backup and restore for cloud platforms such as Google Cloud, AWS, and Azure, see CSI backup and restore.

cassandra.backup.dbStorageBucket Advanced Introduced in version: 1.0.0

Default value: None

Required if backup is enabled and cassandra.backup.cloudProvider is set to GCP.

The name of an existing Google Cloud Storage bucket that will be used to store backup archives. See Creating buckets if you need to create one.

cassandra.backup.enabled Advanced Introduced in version: 1.0.0

Default value: false

Data backup is not enabled by default. To enable, set to true.

See Cassandra backup and recovery.

cassandra.backup.image.pullPolicy Advanced Introduced in version: 1.0.0

Default value: IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, see Updating images.

cassandra.backup.image.tag Advanced Introduced in version: 1.0.0

Default value: 1.13.2

The version label for this service's Docker image.

cassandra.backup.image.url Advanced Introduced in version: 1.0.0

Default value: None

The location of the Docker image for this service.

Use apigee-pull-push --list to see the current repository URL for this component.

cassandra.backup.keyfile Advanced Introduced in version: 1.3.0

Default value: None

Required if backup is enabled and cassandra.backup.cloudProvider is set to HYBRID.

The path on your local file system to the SSH private key file.

cassandra.backup.schedule Advanced Introduced in version: 1.0.0

Default value: 0 2 * * *

The schedule for the backup cron job.

See Cassandra backup and recovery.

cassandra.backup.server Advanced Introduced in version: 1.3.0

Default value: None

Required if backup is enabled and cassandra.backup.cloudProvider is set to HYBRID.

The IP address of your remote SSH backup server.

cassandra.backup.serviceAccountPath Advanced Introduced in version: 1.0.0

Default value: None

Path to a Google Service Account key file that has the Storage Object Admin (roles/storage.objectAdmin) role. This Google Service Account will be used for uploading backup archives to a specified cassandra.backup.dbStorageBucket.

If backup is enabled and cassandra.backup.cloudProvider is set to GCP, one of the following is required to ensure Apigee Hybrid can access the Google Cloud Storage bucket to upload backup archives:

cassandra.backup.serviceAccountRef Advanced Introduced in version: 1.2.0

Default value: None

The name of an existing Kubernetes secret that stores the content of a Google Service Account key file that has the Storage Object Admin (roles/storage.objectAdmin) role. This Google Service Account will be used for uploading backup archives to a specified cassandra.backup.dbStorageBucket.

If backup is enabled and cassandra.backup.cloudProvider is set to GCP, one of the following is required to ensure Apigee Hybrid can access the Google Cloud Storage bucket to upload backup archives:

cassandra.backup.storageDirectory Advanced Introduced in version: 1.3.0

Default value: None

Required if backup is enabled and cassandra.backup.cloudProvider is set to HYBRID.

Can either be an absolute or relative path to the apigee user's home directory.

The name of the backup directory on your backup SSH server.

cassandra.clusterName Basic Introduced in version: 1.0.0

Default value: apigeecluster

Specifies the name of the Cassandra cluster.

cassandra.datacenter Basic Introduced in version: 1.0.0

Default value: dc-1

Specifies the datacenter of the Cassandra node.

cassandra.dnsPolicy Basic Introduced in version: 1.1.1

Default value: None

When you set hostNetwork to true, the DNS policy is set to ClusterFirstWithHostNet for you.

cassandra.externalSeedHost Basic Introduced in version: 1.0.0

Default value: None

Hostname or IP of a Cassandra cluster node. If not set, the Kubernetes local service is used.

cassandra.heapNewSize Basic Introduced in version: 1.0.0

Default value: 100M

The amount of JVM system memory allocated to newer objects, in megabytes.

cassandra.hostNetwork Basic Introduced in version: 1.1.1

Default value: false

Enables the Kubernetes hostNetwork feature. Apigee uses this feature in multi-region installations to communicate between pods if the pod network namespace does not have connectivity between clusters (the clusters are running in "island network mode"), which is the default case in non-GKE installations, including Google Distributed Cloud on VMware or bare metal, GKE on AWS, AKS, EKS, and OpenShift.

Set cassandra.hostNetwork to false for single region installations and multi-region installations with connectivity between pods in different clusters, for example GKE installations.

Set cassandra.hostNetwork to true for multi-region installations with no communication between pods in different clusters, for example Google Distributed Cloud on VMware or bare metal, GKE on AWS, AKS, EKS, and OpenShift installations. See Multi-region deployment: Prerequisites.

When true, DNS policy is automatically set to ClusterFirstWithHostNet.

cassandra.image.pullPolicy Advanced Introduced in version: 1.0.0

Default value: IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, see Updating images.

cassandra.image.tag Advanced Introduced in version: 1.0.0

Default value: 1.13.2

The version label for this service's Docker image.

cassandra.image.url Advanced Introduced in version: 1.0.0

Default value: None

The location of the Docker image for this service.

Use apigee-pull-push --list to see the current repository URL for this component.

cassandra.maxHeapSize Advanced Introduced in version: 1.0.0

Default value: 512M

The upper limit of JVM system memory available for Cassandra operations, in megabytes.

cassandra.multiRegionSeedHost Basic Introduced in version: 1.0.0

Default value: None

IP address of an existing Cassandra cluster used to expand the existing cluster to a new region. See Configure the multi-region seed host.

cassandra.nodeSelector.key Advanced Introduced in version: 1.0.0

Default value: None

Required

Node selector label key used to target dedicated Kubernetes nodes for cassandra data services.

See Configuring dedicated node pools.

cassandra.nodeSelector.value Advanced Introduced in version: 1.0.0

Default value: None

Optional node selector label value used to target dedicated Kubernetes nodes for cassandra data services and override the nodeSelector.apigeeData settings.

See nodeSelector.

cassandra.port Advanced Introduced in version: 1.0.0

Default value: 9042

Port number used to connect to cassandra.

cassandra.rack Basic Introduced in version: 1.0.0

Default value: ra-1

Specifies the rack of the Cassandra node.

cassandra.readinessProbe.failureThreshold Advanced Introduced in version: 1.0.0

Default value: 2

The number of times Kubernetes will verify that readiness probes have failed before marking the pod unready. The minimum value is 1.

cassandra.readinessProbe.initialDelaySeconds Advanced Introduced in version: 1.0.0

Default value: 0

The number of seconds after a container is started before a readiness probe is initiated.

cassandra.readinessProbe.periodSeconds Advanced Introduced in version: 1.0.0

Default value: 10

Determines how often to perform a readiness probe, in seconds. The minimum value is 1.

cassandra.readinessProbe.successThreshold Advanced Introduced in version: 1.0.0

Default value: 1

The minimum consecutive successes needed for a readiness probe to be considered successful after a failure. The minimum value is 1.

cassandra.readinessProbe.timeoutSeconds Advanced Introduced in version: 1.0.0

Default value: 5

The number of seconds after which a liveness probe times out. The minimum value is 1.

cassandra.replicaCount Basic Introduced in version: 1.0.0

Default value: 1

Cassandra is a replicated database. This property specifies the number of Cassandra nodes employed as a StatefulSet.

cassandra.resources.requests.cpu Advanced Introduced in version: 1.0.0

Default value: 500m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

cassandra.resources.requests.memory Advanced Introduced in version: 1.0.0

Default value: 1Gi

The memory needed for normal operation of the resource in a Kubernetes container, in mebibytes.

cassandra.restore.cloudProvider Advanced Introduced in version: 1.0.0

Default value: GCP

The name of a restore provider. Supported values: GCP, HYBRID, and CSI. Set the value to:

  • GCP to restore data from a backup stored on Google Cloud Storage.
  • HYBRID to restore data from a backup stored on a remote SSH server.
  • CSI (recommended) to utilize Kubernetes CSI Volume Snapshots for restore. For information on CSI backup and restore for cloud platforms such as Google Cloud, AWS, and Azure, see CSI backup and restore.

cassandra.restore.dbStorageBucket Advanced Introduced in version: 1.0.0

Default value: None

Required if restore is enabled and cassandra.restore.cloudProvider is set to GCP.

The name of a Google Cloud Storage bucket that stores backup archives to be used for data restoration.

cassandra.restore.enabled Advanced Introduced in version: 1.0.0

Default value: false

Data restoration is not enabled by default. To enable, set to true.

See Cassandra backup and recovery.

cassandra.restore.image.pullPolicy Advanced Introduced in version: 1.0.0

Default value: IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, see Updating images.

cassandra.restore.image.tag Advanced Introduced in version: 1.0.0

Default value: 1.13.2

The version label for this service's Docker image.

cassandra.restore.image.url Advanced Introduced in version: 1.0.0

Default value: None

The location of the Docker image for this service.

Use apigee-pull-push --list to see the current repository URL for this component.

cassandra.restore.serviceAccountPath Advanced Introduced in version: 1.0.0

Default value: None

Path to a Google Service Account key file that has the Storage Object Admin (roles/storage.objectAdmin) role. This Google Service Account will be used to download backup archives from a specified cassandra.restore.dbStorageBucket.

If restore is enabled and cassandra.restore.cloudProvider is set to GCP, one of the following is required to ensure Apigee Hybrid can access the Google Cloud Storage bucket to download backup archives for restoration:

cassandra.restore.serviceAccountRef Advanced Introduced in version: 1.2.0

Default value: None

The name of an existing Kubernetes secret that stores the content of a Google Service Account key file that has the Storage Object Admin (roles/storage.objectAdmin) role. This Google Service Account will be used to download backup archives from a specified cassandra.restore.dbStorageBucket.

If restore is enabled and cassandra.restore.cloudProvider is set to GCP, one of the following is required to ensure Apigee Hybrid can access the Google Cloud Storage bucket to download backup archives for restoration:

cassandra.restore.snapshotTimestamp Advanced Introduced in version: 1.0.0

Default value: None

Required if restore is enabled.

Timestamp of the backup that should be restored.

cassandra.sslCertPath Basic Introduced in version: 1.2.0

Default value: None

The path on your system to a TLS certificate file.

cassandra.sslKeyPath Basic Introduced in version: 1.2.0

Default value: None

The path on your system to the TLS private key file.

cassandra.sslRootCAPath Basic Introduced in version: 1.2.0

Default value: None

The certificate chain to the root CA (certificate authority).

cassandra.storage.capacity Basic Introduced in version: 1.0.0

Default value: 10Gi

Required if storage.storageclass is specified

Specifies the disk size required, in mebibytes (Mi) or gibibytes (Gi).

cassandra.storage.storageclass Basic Introduced in version: 1.0.0

Default value: None

Specifies the class of on-prem storage being used.

cassandra.terminationGracePeriodSeconds Advanced Introduced in version: 1.0.0

Default value: 300

The time between a request for pod deletion and when the pod is killed, in seconds. During this period, any prestop hooks will be executed and any running process should terminate gracefully.

cassandra.tolerations.effect Advanced Introduced in version: 1.10.1

Default value: None

Required to use the Taints and Tolerations feature of Kubernetes.

effect specifies the effect that matching a toleration with a taint will have. Values for effect can be:

  • NoExecute
  • NoSchedule
  • PreferNoSchedule

See Taints and Tolerations: Concepts for details.

cassandra.tolerations.key Advanced Introduced in version: 1.10.1

Default value: None

Required to use the Taints and Tolerations feature of Kubernetes.

key identifies pods to which the toleration can be applied.

See Taints and Tolerations: Concepts for details.

cassandra.tolerations.operator Advanced Introduced in version: 1.10.1

Default value: "Equal"

Required to use the Taints and Tolerations feature of Kubernetes.

operator specifies the operation used to trigger the effect. Values for operator can be:

  • Equal matches the value set in value.
  • Exists ignores the value set in value.

See Taints and Tolerations: Concepts for details.

cassandra.tolerations.tolerationSeconds Advanced Introduced in version: 1.10.1

Default value: None

Used by the Taints and Tolerations feature of Kubernetes.

tolerationSeconds defines in seconds how long a pod stays bound to a failing or unresponsive node.

See Taints and Tolerations: Concepts for details.

cassandra.tolerations.value Advanced Introduced in version: 1.10.1

Default value: None

Used by the Taints and Tolerations feature of Kubernetes.

value is the value that triggers the effect when operator is set to Equal.

See Taints and Tolerations: Concepts for details.

certManager

Apigee uses cert-manager for certificate validation.

The following table describes the properties of the certManager object:

Property Type Description
certManager.namespace Advanced Introduced in version: 1.9.0

Default value: cert-manager

The namespace for cert-manager.

See Running cert-manager in a custom namespace.

connectAgent

Apigee Connect allows the Apigee hybrid management plane to connect securely to the MART service in the runtime plane without requiring you to expose the MART endpoint on the internet.

The following table describes the properties of the connectAgent object:

Property Type Description
connectAgent.annotations Advanced Introduced in version: 1.5.0

Default value: None

Optional key/value map used to annotate pods. For more information, see Custom annotations.

connectAgent.gsa Advanced Introduced in version: 1.10.0

Default value: None

Helm only: The email address of the Google IAM service account (GSA) for connectAgent to associate with the corresponding Kubernetes service account when enabling Workload Identity on GKE clusters using Helm charts. Set this when you have set gcp.workloadIdentity.enabled to true.

GSA email addresses typically have the format of:

GSA_NAME@PROJECT_ID.iam.gserviceaccount.com

For example:

apigee-mart@my-hybrid-project.iam.gserviceaccount.com

See Enabling Workload Identity on GKE or Enabling Workload Identity Federation on AKS and EKS.

connectAgent.logLevel Advanced Introduced in version: 1.2.0

Default value: INFO

The level of log reporting. Values can be:

  • INFO: Informational messages in addition to warning, error, and fatal messages. Most useful for debugging.
  • WARNING: Non-fatal warnings in addition to error and fatal messages.
  • ERROR: Internal errors and errors that are not returned to the user in addition to fatal messages.
  • FATAL: Unrecoverable errors and events that cause Apigee Connect to crash.

connectAgent.image.pullPolicy Advanced Introduced in version: 1.2.0

Default value: IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, see Updating images.

connectAgent.image.tag Advanced Introduced in version: 1.2.0

Default value: 1.13.2

The version label for this service's Docker image.

connectAgent.image.url Advanced Introduced in version: 1.2.0

Default value: None

The location of the Docker image for this service.

Use apigee-pull-push --list to see the current repository URL for this component.

connectAgent.replicaCountMax Basic Introduced in version: 1.2.0

Default value: 5

Maximum number of replicas available for autoscaling.

connectAgent.replicaCountMin Basic Introduced in version: 1.2.0

Default value: 1

Minimum number of replicas available for autoscaling.

In production, you may want to increase replicaCountMin to 1, to have a greater number of connections to the control plane for reliability and scalability.

connectAgent.resources.limits.cpu Advanced Introduced in version: 1.11.0

Default value: 512m

The CPU limit for the resource in a Kubernetes container, in millicores.

connectAgent.resources.limits.memory Advanced Introduced in version: 1.11.0

Default value: 512Mi

The memory limit for the resource in a Kubernetes container, in mebibytes.

connectAgent.resources.requests.cpu Advanced Introduced in version: 1.11.0

Default value: 100m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

connectAgent.resources.requests.memory Advanced Introduced in version: 1.2.0

Default value: 30Mi

The memory needed for normal operation of the resource in a Kubernetes container, in mebibytes.

connectAgent.server Advanced Introduced in version: 1.2.0

Default value: apigeeconnect.googleapis.com:443

The location of the server and port for this service.

connectAgent.serviceAccountPath Basic Introduced in version: 1.1.1

Default value: None

One of either serviceAccountPath or serviceAccountRef is required.

Path to Google Service Account key file for the apigee-mart service account.

In most installations, the value of connectAgent.serviceAccountPath must match the value of mart.serviceAccountPath.

connectAgent.serviceAccountRef Basic Introduced in version: 1.2.0

Default value: None

One of either serviceAccountPath or serviceAccountRef is required.

In most installations, the value of connectAgent.serviceAccountRef must match the value of mart.serviceAccountRef.

connectAgent.targetCPUUtilizationPercentage Advanced Introduced in version: 1.2.0

Default value: 75

Target CPU utilization for the Apigee Connect agent on the pod. The value of this field enables Apigee Connect to auto-scale when CPU utilization reaches this value, up to replicaCountMax.

connectAgent.terminationGracePeriodSeconds Advanced Introduced in version: 1.2.0

Default value: 600

The time between a request for pod deletion and when the pod is killed, in seconds. During this period, any prestop hooks will be executed and any running process should terminate gracefully.

connectAgent.tolerations.effect Advanced Introduced in version: 1.10.1

Default value: None

Required to use the Taints and Tolerations feature of Kubernetes.

effect specifies the effect that matching a toleration with a taint will have. Values for effect can be:

  • NoExecute
  • NoSchedule
  • PreferNoSchedule

See Taints and Tolerations: Concepts for details.

connectAgent.tolerations.key Advanced Introduced in version: 1.10.1

Default value: None

Required to use the Taints and Tolerations feature of Kubernetes.

key identifies pods to which the toleration can be applied.

See Taints and Tolerations: Concepts for details.

connectAgent.tolerations.operator Advanced Introduced in version: 1.10.1

Default value: "Equal"

Required to use the Taints and Tolerations feature of Kubernetes.

operator specifies the operation used to trigger the effect. Values for operator can be:

  • Equal matches the value set in value.
  • Exists ignores the value set in value.

See Taints and Tolerations: Concepts for details.

connectAgent.tolerations.tolerationSeconds Advanced Introduced in version: 1.10.1

Default value: None

Used by the Taints and Tolerations feature of Kubernetes.

tolerationSeconds defines in seconds how long a pod stays bound to a failing or unresponsive node.

See Taints and Tolerations: Concepts for details.

connectAgent.tolerations.value Advanced Introduced in version: 1.10.1

Default value: None

Used by the Taints and Tolerations feature of Kubernetes.

value is the value that triggers the effect when operator is set to Equal.

See Taints and Tolerations: Concepts for details.

defaults

The default encryption keys for the Apigee hybrid installation.

The following table describes the properties of the defaults object:

Property Type Description
defaults.org.kmsEncryptionKey Basic Introduced in version: 1.0.0

Default value: aWxvdmVhcGlzMTIzNDU2Nw==

Default encryption key for the org in KMS.

defaults.org.kvmEncryptionKey Basic Introduced in version: 1.0.0

Default value: aWxvdmVhcGlzMTIzNDU2Nw==

Default encryption key for the org in KVM.

defaults.env.kmsEncryptionKey Basic Introduced in version: 1.0.0

Default value: aWxvdmVhcGlzMTIzNDU2Nw==

Default encryption key for the environment (env) in KMS.

defaults.env.kvmEncryptionKey Basic Introduced in version: 1.0.0

Default value: aWxvdmVhcGlzMTIzNDU2Nw==

Default encryption key for the environment (env) in KVM.

defaults.env.cacheEncryptionKey Basic Introduced in version: 1.0.0

Default value: aWxvdmVhcGlzMTIzNDU2Nw==

Default cache encryption key for the environment (env).
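
Every property of the defaults object lists the same published default value, so a key that is left unset or copied from this table protects nothing. The audit below is an added example, not Apigee code: it takes overrides.yaml already parsed into a Python dict, all function names and sample values are constructed for illustration, and the 16/24/32-byte length rule is an assumption (AES key sizes) that this page does not state.

```python
import base64
import binascii
import secrets

# Default value this reference lists for every defaults.* key property.
DOCUMENTED_DEFAULT_KEY = "aWxvdmVhcGlzMTIzNDU2Nw=="

# Assumption (not stated on this page): keys are AES keys, so the decoded
# value must be 16, 24 or 32 bytes long.
VALID_KEY_LENGTHS = (16, 24, 32)

# The five properties of the defaults object described above.
DEFAULTS_KEY_PATHS = (
    ("org", "kmsEncryptionKey"),
    ("org", "kvmEncryptionKey"),
    ("env", "kmsEncryptionKey"),
    ("env", "kvmEncryptionKey"),
    ("env", "cacheEncryptionKey"),
)


def check_key(value):
    """Return finding codes for one base64-encoded key value (empty list = clean)."""
    if value is None:
        # Nothing configured: the documented default value is what gets used.
        return ["UNSET_USES_DEFAULT"]
    findings = []
    if value == DOCUMENTED_DEFAULT_KEY:
        findings.append("DEFAULT_KEY")
    try:
        raw = base64.b64decode(str(value), validate=True)
    except (binascii.Error, ValueError):
        return findings + ["BAD_BASE64"]
    if len(raw) not in VALID_KEY_LENGTHS:
        findings.append("BAD_LENGTH")
    # Heuristic: random bytes are almost never all printable ASCII, so a key
    # that decodes to readable text is a passphrase, not generated key material.
    if raw and all(0x20 <= b <= 0x7E for b in raw):
        findings.append("PRINTABLE_ASCII")
    return findings


def audit_defaults(overrides):
    """Map each defaults.* key property to its findings, omitting clean ones."""
    defaults = overrides.get("defaults") or {}
    report = {}
    for scope, prop in DEFAULTS_KEY_PATHS:
        value = (defaults.get(scope) or {}).get(prop)
        findings = check_key(value)
        if findings:
            report[f"defaults.{scope}.{prop}"] = findings
    return report


def new_key(length=32):
    """Generate a replacement key from the OS CSPRNG, base64-encoded."""
    return base64.b64encode(secrets.token_bytes(length)).decode()


# Constructed sample key for demonstration only; never reuse a published key.
SAMPLE_RANDOM_KEY = base64.b64encode(bytes.fromhex(
    "9f1c07e3b24a8d5560f7a91e3c82d4bb17c6e09a4f5d2b8813a7f0c45e9b6d21"
)).decode()

# Constructed overrides content, as it would look after parsing the YAML.
SAMPLE_OVERRIDES = {
    "defaults": {
        "org": {
            "kmsEncryptionKey": DOCUMENTED_DEFAULT_KEY,   # copied from the docs
            "kvmEncryptionKey": SAMPLE_RANDOM_KEY,        # clean
        },
        "env": {
            "kmsEncryptionKey": base64.b64encode(b"short").decode(),
            "kvmEncryptionKey": "not base64!",
            # cacheEncryptionKey deliberately left unset
        },
    }
}

if __name__ == "__main__":
    for path, findings in audit_defaults(SAMPLE_OVERRIDES).items():
        print(f"{path}: {', '.join(findings)}")
```

Run it in CI against the parsed overrides file and fail the build on any finding; new_key() produces a replacement value for a flagged property.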

diagnostic

The settings for the Diagnostic collector tool.

See Using the Diagnostic collector.

The following table describes the properties of the diagnostic object:

Property Type Description
diagnostic.bucket Basic Introduced in version: 1.6.0

Default value: None

Required

The name of the Google Cloud storage bucket where your diagnostic data will be deposited.

See Creating storage buckets.

diagnostic.container Basic Introduced in version: 1.6.0

Default value: None

Required

This specifies which type of pod you are capturing data from. The values can be one of:

  • "apigee-cassandra" captures data about the Cassandra database. The istio-cassandra pods run in the apigee namespace.
  • "apigee-mart-server" captures data about MART. The apigee-mart-server pods run in the apigee namespace.
  • "apigee-runtime" captures data about the Message Processor. The apigee-runtime pods run in the apigee namespace.
  • "apigee-synchronizer" captures data about the Synchronizer. The apigee-synchronizer pods run in the apigee namespace.
  • "apigee-udca" captures data about UDCA. The apigee-udca pods run in the apigee namespace.
  • "apigee-watcher" captures data about Watcher. The apigee-watcher pods run in the apigee namespace.
  • "istio-proxy" captures data about the Istio ingress gateway. The istio-proxy pods run in the istio-system namespace.

diagnostic.loggingDetails.logDuration Basic Introduced in version: 1.6.0

Default value: None

Required if the diagnostic collection operation is "LOGGING" (set with operation: "LOGGING")

The duration in milliseconds of the log data collected. A typical value is 30000.

See diagnostic.operation.

diagnostic.loggingDetails.loggerNames[] Basic Introduced in version: 1.6.0

Default value: None

Required if the diagnostic collection operation is "LOGGING" (set with operation: "LOGGING")

Specifies by name which loggers to collect data from. For Apigee hybrid version 1.6.0, the only value supported is ALL, meaning all loggers. For example:

diagnostic:
 loggingDetails:
   loggerNames:
   - ALL

diagnostic.loggingDetails.logLevel Basic Introduced in version: 1.6.0

Default value: None

Required if the diagnostic collection operation is "LOGGING" (set with operation: "LOGGING")

Specifies the granularity of the logging data to collect. In Apigee hybrid 1.6, only FINE is supported.

diagnostic.namespace Basic Introduced in version: 1.6.0

Default value: None

Required

The Kubernetes namespace in which the pods you are collecting data on reside. The namespace must be the correct one for the container you specify with diagnostic.container:

apigee for

  • apigee-runtime
  • apigee-synchronizer
  • apigee-udca
  • apigee-watcher
  • apigee-cassandra
  • apigee-mart-server

istio-system for

  • istio-proxy

diagnostic.operation Basic Introduced in version: 1.6.0

Default value: None

Required

Specifies whether to collect all statistics or just logs.

Values are:

diagnostic.podNames[] Basic Introduced in version: 1.6.0

Default value: None

Required

The names of the Kubernetes pods for which you are collecting data. For example:

diagnostic:
 podNames:
 - apigee-runtime-eng-hybrid-example-3b2ebf3-150-8vfoj-2wcjn
 - apigee-runtime-eng-hybrid-example-3b2ebf3-150-8vfoj-6xzn2

diagnostic.serviceAccountPath Basic Introduced in version: 1.6.0

Default value: None

Required

The path to a service account key file (.json) for the service account with the Storage Admin role (roles/storage.admin). In most Apigee hybrid installations, this is the apigee-cassandra service account.

See About service accounts.

diagnostic.tcpDumpDetails.maxMsgs Basic Introduced in version: 1.6.0

Default value: None

One of either diagnostic.tcpDumpDetails.maxMsgs or diagnostic.tcpDumpDetails.timeoutInSeconds is Required if you are using diagnostic.tcpDumpDetails.

Sets the maximum number of tcpDump messages to collect. Apigee recommends a maximum value no greater than 1000.

diagnostic.tcpDumpDetails.timeoutInSeconds Basic Introduced in version: 1.6.0

Default value: None

One of either diagnostic.tcpDumpDetails.maxMsgs or diagnostic.tcpDumpDetails.timeoutInSeconds is Required if you are using diagnostic.tcpDumpDetails.

Sets the amount of time in seconds to wait for tcpDump to return messages.

diagnostic.threadDumpDetails.delayInSeconds Basic Introduced in version: 1.6.0

Default value: None

Both diagnostic.threadDumpDetails.delayInSeconds and diagnostic.threadDumpDetails.iterations are Required if you are using diagnostic.threadDumpDetails.

The delay in seconds between collecting each thread dump.

diagnostic.threadDumpDetails.iterations Basic Introduced in version: 1.6.0

Default value: None

Both diagnostic.threadDumpDetails.delayInSeconds and diagnostic.threadDumpDetails.iterations are Required if you are using diagnostic.threadDumpDetails.

The number of jstack thread dump iterations to collect.
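
The diagnostic properties above carry cross-field rules that are easy to miss: the namespace has to match the container, LOGGING needs all three loggingDetails fields, and tcpDumpDetails and threadDumpDetails each have required members. The validator below is an added example, not Apigee tooling; it checks a parsed overrides dict against those rules only, validate_diagnostic and the sample values are constructed, and "one of either" is read as "at least one".

```python
# Container -> namespace pairs exactly as listed under diagnostic.namespace.
CONTAINER_NAMESPACE = {
    "apigee-runtime": "apigee",
    "apigee-synchronizer": "apigee",
    "apigee-udca": "apigee",
    "apigee-watcher": "apigee",
    "apigee-cassandra": "apigee",
    "apigee-mart-server": "apigee",
    "istio-proxy": "istio-system",
}

# Properties this reference marks as Required.
REQUIRED = ("bucket", "container", "namespace", "operation",
            "podNames", "serviceAccountPath")


def validate_diagnostic(overrides):
    """Return a list of 'property: problem' strings; empty means consistent."""
    diag = overrides.get("diagnostic")
    if not isinstance(diag, dict):
        return ["diagnostic: object is missing"]
    errors = [f"diagnostic.{p}: required" for p in REQUIRED if not diag.get(p)]

    # The namespace must be the one the chosen container runs in.
    container, namespace = diag.get("container"), diag.get("namespace")
    if container is not None:
        expected = CONTAINER_NAMESPACE.get(container)
        if expected is None:
            errors.append(f"diagnostic.container: unsupported value {container!r}")
        elif namespace is not None and namespace != expected:
            errors.append(f"diagnostic.namespace: {namespace!r} does not match "
                          f"container {container!r} (expected {expected!r})")

    # loggingDetails.* are required only when operation is "LOGGING".
    if diag.get("operation") == "LOGGING":
        log = diag.get("loggingDetails") or {}
        for prop in ("logDuration", "loggerNames", "logLevel"):
            if prop not in log:
                errors.append(f"diagnostic.loggingDetails.{prop}: "
                              "required when operation is LOGGING")
        # Value limits documented for hybrid 1.6: ALL loggers, FINE level.
        if "loggerNames" in log and log["loggerNames"] != ["ALL"]:
            errors.append("diagnostic.loggingDetails.loggerNames: only ALL is supported")
        if "logLevel" in log and log["logLevel"] != "FINE":
            errors.append("diagnostic.loggingDetails.logLevel: only FINE is supported")

    tcp = diag.get("tcpDumpDetails")
    if tcp is not None:
        if "maxMsgs" not in tcp and "timeoutInSeconds" not in tcp:
            errors.append("diagnostic.tcpDumpDetails: set maxMsgs or timeoutInSeconds")
        max_msgs = tcp.get("maxMsgs")
        if isinstance(max_msgs, int) and max_msgs > 1000:
            errors.append("diagnostic.tcpDumpDetails.maxMsgs: above the "
                          "recommended maximum of 1000")

    thread = diag.get("threadDumpDetails")
    if thread is not None:
        for prop in ("delayInSeconds", "iterations"):
            if prop not in thread:
                errors.append(f"diagnostic.threadDumpDetails.{prop}: "
                              "required with threadDumpDetails")
    return errors


# Constructed samples: one consistent configuration, one with seven mistakes.
GOOD = {"diagnostic": {
    "bucket": "example-diagnostic-bucket",
    "container": "apigee-runtime",
    "namespace": "apigee",
    "operation": "LOGGING",
    "podNames": ["apigee-runtime-eng-hybrid-example-3b2ebf3-150-8vfoj-2wcjn"],
    "serviceAccountPath": "./service-accounts/example-sa.json",
    "loggingDetails": {"logDuration": 30000, "loggerNames": ["ALL"],
                       "logLevel": "FINE"},
}}

BAD = {"diagnostic": {
    "bucket": "example-diagnostic-bucket",
    "container": "istio-proxy",
    "namespace": "apigee",                  # istio-proxy runs in istio-system
    "operation": "LOGGING",
    "podNames": [],                         # empty, and serviceAccountPath absent
    "loggingDetails": {"logDuration": 30000, "logLevel": "DEBUG"},
    "tcpDumpDetails": {},                   # neither limit set
    "threadDumpDetails": {"iterations": 5}, # delayInSeconds missing
}}

if __name__ == "__main__":
    for problem in validate_diagnostic(BAD):
        print(problem)
```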

envs

Defines an array of environments to which you can deploy your API proxies. Each environment provides an isolated context or sandbox for running API proxies.

Your hybrid-enabled organization must have at least one environment.

For more information, see About environments.

The following table describes the properties of the envs object:

Property Type Description
envs[].cacheEncryptionKey Basic Introduced in version: 1.0.0

Default value: None

One of either cacheEncryptionKey, cacheEncryptionPath, or cacheEncryptionSecret is required.

A base64-encoded encryption key. See Data encryption.

envs[].cacheEncryptionPath Basic Introduced in version: 1.2.0

Default value: None

One of either cacheEncryptionKey, cacheEncryptionPath, or cacheEncryptionSecret is required.

The path to a file containing a base64-encoded encryption key. See Data encryption.

envs[].cacheEncryptionSecret.key Basic Introduced in version: 1.2.0

Default value: None

One of either cacheEncryptionKey, cacheEncryptionPath, or cacheEncryptionSecret is required.

The key of a Kubernetes secret containing a base64-encoded encryption key. See Data encryption.

envs[].cacheEncryptionSecret.name Basic Introduced in version: 1.2.0

Default value: None

One of either cacheEncryptionKey, cacheEncryptionPath, or cacheEncryptionSecret is required.

The name of a Kubernetes secret containing a base64-encoded encryption key. See Data encryption.

envs[].components.runtime.replicaCountMax Basic Introduced in version: 1.9.3

Default value: 4

Maximum number of replicas for autoscaling. Overrides runtime.replicaCountMax if specified.

envs[].components.runtime.replicaCountMin Basic Introduced in version: 1.9.3

Default value: 1

Minimum number of replicas for autoscaling. Overrides runtime.replicaCountMin if specified.

envs[].components.synchronizer.replicaCountMax Basic Introduced in version: 1.9.3

Default value: 4

Maximum number of replicas for autoscaling. Overrides synchronizer.replicaCountMax if specified.

envs[].components.synchronizer.replicaCountMin Basic Introduced in version: 1.9.3

Default value: 1

Minimum number of replicas for autoscaling. Overrides synchronizer.replicaCountMin if specified.

envs[].components.udca.replicaCountMax Basic Introduced in version: 1.9.3

Default value: 4

Maximum number of replicas for autoscaling. Overrides udca.replicaCountMax if specified.

envs[].components.udca.replicaCountMin Basic Introduced in version: 1.9.3

Default value: 1

Minimum number of replicas for autoscaling. Overrides udca.replicaCountMin if specified.

envs.gsa.runtime Advanced Introduced in version: 1.10.0

Default value: None

Helm only: The email address of the runtime Google IAM service account to associate with the corresponding Kubernetes service account when enabling Workload Identity on GKE clusters using Helm charts.

See Enabling Workload Identity on GKE or Enabling Workload Identity Federation on AKS and EKS.

envs.gsa.synchronizer Advanced Introduced in version: 1.10.0

Default value: None

Helm only: The email address of the synchronizer Google IAM service account to associate with the corresponding Kubernetes service account when enabling Workload Identity on GKE clusters using Helm charts.

See Enabling Workload Identity on GKE or Enabling Workload Identity Federation on AKS and EKS.

envs.gsa.udca Advanced Introduced in version: 1.10.0

Default value: None

Helm only: The email address of the udca Google IAM service account for env-scoped udca to associate with the corresponding Kubernetes service account when enabling Workload Identity on GKE clusters using Helm charts.

See Enabling Workload Identity on GKE or Enabling Workload Identity Federation on AKS and EKS.

envs[].hostAliases[] Basic Introduced in version: 1.2.0

Default value: None

Deprecated: Starting in Hybrid version 1.4 the runtime plane receives this information from the management plane. See About environments and environment groups.

envs[].httpProxy.host Basic Introduced in version: 1.2.0

Default value: None

Specifies the host name or IP address where the HTTP proxy is running.

List httpProxy properties in the order scheme, host, port. For example:

envs:
  - name: test
    httpProxy:
      scheme: HTTP
      host: 10.12.0.47
      port: 3128
      ...

See also: Configure forward proxying for API proxies.

envs[].httpProxy.port Basic Introduced in version: 1.2.0

Default value: None

Specifies the port on which the HTTP proxy is running. If this property is omitted, by default it uses port 80 for HTTP and port 443 for HTTPS.

envs[].httpProxy.scheme Basic Introduced in version: 1.2.0

Default value: HTTPS

Specifies the type of the HTTP proxy as HTTP or HTTPS. By default, it uses HTTPS.

envs[].httpProxy.username Basic Introduced in version: 1.2.0

Default value: None

If the HTTP proxy requires basic authentication, then use this property to provide a username.

envs[].httpProxy.password Basic Introduced in version: 1.2.0

Default value: None

If the HTTP proxy requires basic authentication, then use this property to provide a password.

envs[].name Basic Introduced in version: 1.0.0

Default value: None

Required

Apigee environment name to be synchronized.

envs[].pollInterval Advanced Introduced in version: 1.0.0

Default value: None

Interval used for polling organization and environment synchronization changes, in seconds.

envs[].port Advanced Introduced in version: 1.0.0

Default value: None

TCP port number for HTTPS traffic.

envs[].serviceAccountPaths.runtime Basic Introduced in version: 1.4.0

Default value: None

Path on the local system to a Google Service Account key file with the Cloud Trace Agent role, usually the apigee-runtime service account. See About service accounts for the default names of the service accounts and their assigned roles.

envs[].serviceAccountPaths.synchronizer Basic Introduced in version: 1.0

Default value: None

Path on the local system to a Google Service Account key file with the Apigee Synchronizer Manager role.

envs[].serviceAccountPaths.udca Basic Introduced in version: 1.0

Default value: None

Path on the local system to a Google Service Account key file with the Apigee Analytic Agent role.

Only set this property if orgScopedUDCA is set to false.

envs[].serviceAccountSecretProviderClass Advanced Introduced in version: 1.12.0

Default value: None

The name of the environment-specific secret provider class (SecretProviderClass) used for storing service account keys in Vault.

See Storing service account keys in Hashicorp Vault.

envs[].serviceAccountSecretRefs.runtime Basic Introduced in version: 1.4.0

Default value: None

The name of a Kubernetes secret. You must create the secret using a Google Service Account key with the Cloud Trace Agent role as its input.

envs[].serviceAccountSecretRefs.synchronizer Basic Introduced in version: 1.2.0

Default value: None

The name of a Kubernetes secret. You must create the secret using a Google Service Account key with the Apigee Synchronizer Manager role as its input.

envs[].serviceAccountSecretRefs.udca Basic Introduced in version: 1.2.0

Default value: None

The name of a Kubernetes secret. You must create the secret using a Google Service Account key with the Apigee Analytic Agent role as its input.

Only set this property if orgScopedUDCA is set to false.

envs[].sslCertPath Basic Introduced in version: 1.2.0

Default value: None

Either sslCertPath/sslKeyPath or sslSecret is required.

The path on your system to a TLS certificate file.

envs[].sslKeyPath Basic Introduced in version: 1.2.0

Default value: None

Either sslCertPath/sslKeyPath or sslSecret is required.

The path on your system to the TLS private key file.

envs[].sslSecret Basic Introduced in version: 1.2.0

Default value: None

Either sslCertPath/sslKeyPath or sslSecret is required.

The name of a file stored in a Kubernetes secret that contains the TLS certificate and private key. You must create the secret using the TLS certificate and key data as its input.

See also:

gcp

Identifies the Google Cloud project ID and region where the apigee-logger and the apigee-metrics push their data.

The following table describes the properties of the gcp object:

Property Type Description
gcp.federatedWorkloadIdentity.audience Basic Introduced in version: 1.12.0

Default value: None

The allowed audience of the Workload Identity Provider on non-GKE platforms.

See Enabling Workload Identity Federation on AKS and EKS.

gcp.federatedWorkloadIdentity.credentialSourceFile Basic Introduced in version: 1.12.0

Default value: None

The filename and path to the credential source file used by Workload Identity Federation to obtain the credentials for the service accounts. This is the value you provide for credential-source-file when you configure Workload Identity Federation with the create-cred-config command.

See Enabling Workload Identity Federation on AKS and EKS.

gcp.federatedWorkloadIdentity.enabled Basic Introduced in version: 1.12.0

Default value: false

Enables Workload Identity Federation on non-GKE platforms. Must not be set true if gcp.workloadIdentity.enabled is set to true in the same cluster.

See Enabling Workload Identity Federation on AKS and EKS.

gcp.projectID Basic Introduced in version: 1.2.0

Default value: None

Required

Identifies the Google Cloud project where apigee-logger and the apigee-metrics push their data.

gcp.projectIDRuntime Basic Introduced in version: 1.2.0

Default value: None

Identifies the runtime Kubernetes cluster project.

The projectIDRuntime property is optional. If not used, it is assumed that the projectID value is used for both the Apigee organization's Google Cloud project and the runtime K8S cluster's project.

gcp.region Basic Introduced in version: 1.2.0

Default value: us-central1

Required

Identifies the Google Cloud region where the apigee-logger and the apigee-metrics push their data.

gcp.workloadIdentity.enabled Basic Introduced in version: 1.10.0

Default value: false

Helm only: Enables using Workload Identity on GKE. Workload Identity allows workloads in your GKE clusters to impersonate Identity and Access Management (IAM) service accounts to access Google Cloud services.

Must not be set true if gcp.federatedWorkloadIdentity.enabled is set to true in the same cluster.

When enabled is false, the default, Apigee uses the IAM service accounts for each Apigee hybrid component. See About service accounts.

When workloadIdentityEnabled is true, Apigee uses Kubernetes service accounts and maps them to the appropriate IAM service accounts for each component. Specify the IAM service accounts to map to the Kubernetes service accounts with:

gcp.workloadIdentity.gsa Advanced Introduced in version: 1.10.0

Default value: None

Helm only: The email address of the Google IAM service account (GSA) for all components to associate with the corresponding Kubernetes service account when enabling Workload Identity on GKE clusters using Helm charts. Set this when you have set gcp.workloadIdentity.enabled to true.

gcp.workloadIdentity.gsa applies to all hybrid components. If you specify a value for gcp.workloadIdentity.gsa, you do not need to provide a GSA for any individual hybrid components. If you do supply a GSA for an individual component, that component's GSA overrides gcp.workloadIdentity.gsa for that component only.

GSA email addresses typically have the format of:

GSA_NAME@PROJECT_ID.iam.gserviceaccount.com

For example:

apigee-non-prod@my-hybrid-project.iam.gserviceaccount.com

See Enabling Workload Identity on GKE.

gcp.workloadIdentityEnabled Basic Introduced in version: 1.4.0

Default value: false

apigeectl only: Enables using Workload Identity. Workload Identity allows workloads in your GKE clusters to impersonate Identity and Access Management (IAM) service accounts to access Google Cloud services.

When workloadIdentityEnabled is false, the default, Apigee uses the IAM service accounts for each Apigee hybrid component. See About service accounts.

When workloadIdentityEnabled is true, Apigee uses Kubernetes service accounts instead of IAM service accounts and will ignore the following configuration properties:

httpProxy

httpProxy provides configuration parameters for an HTTP forward proxy server. When configured in overrides.yaml, all internet communication for the Apigee Connect, Logger, MART, Metrics, Synchronizer, and UDCA components passes through the proxy server.

See also: connectAgent, logger, mart, metrics, synchronizer, and udca.

The following table describes the properties of the httpProxy object:

Property Type Description
httpProxy.host Basic Introduced in version: 1.1.1

Default value: None

The hostname of the HTTP Proxy.

httpProxy.port Basic Introduced in version: 1.1.1

Default value: None

The port of the HTTP Proxy.

httpProxy.scheme Basic Introduced in version: 1.1.1

Default value: HTTPS

The scheme used by the proxy. Values can be HTTP or HTTPS. Values must be uppercase only.

httpProxy.username Basic Introduced in version: 1.1.1

Default value: None

If the HTTP proxy requires basic authentication, then use this property to provide a username.

httpProxy.password Basic Introduced in version: 1.1.1

Default value: None

If the HTTP proxy requires basic authentication, then use this property to provide a password.

ingressGateways

Configures each individual instance of the Apigee ingress gateway. Use these properties when you want to manage individual instances separately by ingressGateways[].name.

See apigeeIngressGateway to apply common configuration across all instances of the Apigee ingress gateway.

Apply changes to ingressGateways properties with the apigee-org chart.

The following table describes the properties of the ingressGateways object:

Property Type Description
ingressGateways[].name Basic Introduced in version: 1.8.0

Default value: None

Required

The name of the ingress gateway. Other services will use this name to address traffic to the gateway. The name must meet the following requirements:

  • have a maximum length of 17 characters
  • contain only lowercase alphanumeric characters, '-' or '.'
  • start with an alphanumeric character
  • end with an alphanumeric character

For more information, see DNS Subdomain Names in the Kubernetes documentation.

ingressGateways[].resources.limits.cpu Advanced Introduced in version: 1.8.0

Default value: 2000m

The CPU limit for the resource, in millicores.

ingressGateways[].resources.limits.memory Advanced Introduced in version: 1.8.0

Default value: 1Gi

The memory limit for the resource, in mebibytes.

ingressGateways[].resources.requests.cpu Advanced Introduced in version: 1.8.0

Default value: 300m

The CPU needed for normal operation of the resource, in millicores.

ingressGateways[].resources.requests.memory Advanced Introduced in version: 1.8.0

Default value: 128Mi

The memory needed for normal operation of the resource, in mebibytes.

ingressGateways[].replicaCountMax Basic Introduced in version: 1.8.0

Default value: 10

The maximum number of pods that hybrid can automatically add for the ingress gateway available for autoscaling.

ingressGateways[].replicaCountMin Basic Introduced in version: 1.8.0

Default value: 2

The minimum number of pods for the ingress gateway available for autoscaling.

ingressGateways[].svcAnnotations Basic Introduced in version: 1.8.0

Default value: None

Optional key/value map used to annotate the ingress gateway on platforms that support annotation. For example:

ingressGateways:
- name: INGRESS_NAME  # placeholder: the ingressGateways[].name of this instance
  svcAnnotations:
    networking.gke.io/load-balancer-type: "Internal"

ingressGateways[].svcLoadBalancerIP Basic Introduced in version: 1.8.0

Default value: None

On platforms that support specifying the load balancer IP address, the load balancer will be created with this IP address. On platforms that do not allow you to specify the load balancer IP address, this property is ignored.

ingressGateways[].svcType Basic Introduced in version: 1.8.1

Default value: LoadBalancer

Changes the type of the default Kubernetes service for the ingress deployment. Set the value to ClusterIP if you want to disable creation of the default load balancer. Possible values:

  • ClusterIP
  • LoadBalancer

ingressGateways[].targetCPUUtilizationPercentage Advanced Introduced in version: 1.10.5, 1.11.2, 1.12.1

Default value: 75

The threshold of CPU usage for scaling the number of pods in the ReplicaSet, as a percentage of total available CPU resources.

When CPU usage goes above this value, then hybrid will gradually increase the number of pods in the ReplicaSet, up to ingressGateways[].replicaCountMax.

For more information on scaling in Kubernetes, see Horizontal Pod Autoscaling in the Kubernetes documentation.

ingressGateways[].tolerations.effect Advanced Introduced in version: 1.10.1

Default value: None

Required to use the Taints and Tolerations feature of Kubernetes.

effect specifies the effect that matching a toleration with a taint will have. Values for effect can be:

  • NoExecute
  • NoSchedule
  • PreferNoSchedule

See Taints and Tolerations: Concepts for details.

ingressGateways[].tolerations.key Advanced Introduced in version: 1.10.1

Default value: None

Required to use the Taints and Tolerations feature of Kubernetes.

key identifies pods to which the toleration can be applied.

See Taints and Tolerations: Concepts for details.

ingressGateways[].tolerations.operator Advanced Introduced in version: 1.10.1

Default value: "Equal"

Required to use the Taints and Tolerations feature of Kubernetes.

operator specifies the operation used to trigger the effect. Values for operator can be:

  • Equal matches the value set in value.
  • Exists ignores the value set in value.

See Taints and Tolerations: Concepts for details.

ingressGateways[].tolerations.tolerationSeconds Advanced Introduced in version: 1.10.1

Default value: None

Used by the Taints and Tolerations feature of Kubernetes.

tolerationSeconds defines in seconds how long a pod stays bound to a failing or unresponsive node.

See Taints and Tolerations: Concepts for details.

ingressGateways[].tolerations.value Advanced Introduced in version: 1.10.1

Default value: None

Used by the Taints and Tolerations feature of Kubernetes.

value is the value that triggers the effect when operator is set to Equal.

See Taints and Tolerations: Concepts for details.

istiod

Configures the Apigee ingress.

The following table describes the properties of the istiod object:

Property Type Description
istiod.accessLogFile Advanced Introduced in version: 1.8.0

Default value: /dev/stdout

The file address for the ingress access log, for example /dev/stdout.

Leaving this value undefined disables access logging.

istiod.accessLogFormat Advanced Introduced in version: 1.8.0

The format for the ingress access log.

Leaving this value undefined results in using the proxy's default access log format.

Default access log format:

'{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'

The following is a copy of the default access log format with line breaks added for readability.

'{"start_time":"%START_TIME%",
  "remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%",
  "user_agent":"%REQ(USER-AGENT)%",
  "host":"%REQ(:AUTHORITY)%",
  "request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%",
  "request_time":"%DURATION%",
  "status":"%RESPONSE_CODE%",
  "status_details":"%RESPONSE_CODE_DETAILS%",
  "bytes_received":"%BYTES_RECEIVED%",
  "bytes_sent":"%BYTES_SENT%",
  "upstream_address":"%UPSTREAM_HOST%",
  "upstream_response_flags":"%RESPONSE_FLAGS%",
  "upstream_response_time":"%RESPONSE_DURATION%",
  "upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%",
  "upstream_cluster":"%UPSTREAM_CLUSTER%",
  "x_forwarded_for":"%REQ(X-FORWARDED-FOR)%",
  "request_method":"%REQ(:METHOD)%",
  "request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%",
  "request_protocol":"%PROTOCOL%",
  "tls_protocol":"%DOWNSTREAM_TLS_VERSION%",
  "request_id":"%REQ(X-REQUEST-ID)%",
  "sni_host":"%REQUESTED_SERVER_NAME%",
  "apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
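The default format above emits one JSON object per request, which makes the ingress access log straightforward to triage. The following is an added example, not part of the Apigee documentation or product: the function names, thresholds and sample lines are constructed for illustration, and the sample lines carry only the fields the parser reads. A line that is not valid JSON is counted rather than allowed to stop the run.

```python
import json
from collections import Counter

LEGACY_TLS = {"TLSv1", "TLSv1.1"}


def _val(rec, key):
    """Envoy writes '-' for a field with no value; map that to None."""
    v = rec.get(key)
    return None if v in (None, "", "-") else v


def _strip_port(hostport):
    """'api.example.com:443' -> 'api.example.com'; '[::1]:443' -> '::1'."""
    if hostport.startswith("["):
        end = hostport.find("]")
        return hostport[1:end] if end != -1 else hostport
    if hostport.count(":") == 1:
        host, _, port = hostport.partition(":")
        if port.isdigit():
            return host
    return hostport


def parse_line(line):
    """Parse one access-log line; return a normalized dict, or None if unparseable."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict):
        return None
    remote, host = _val(rec, "remote_address"), _val(rec, "host")
    status, xff = str(_val(rec, "status")), _val(rec, "x_forwarded_for")
    return {
        "client_ip": _strip_port(remote) if remote else None,  # direct TCP peer
        "host": _strip_port(host).lower() if host else None,   # :authority header
        "sni": (_val(rec, "sni_host") or "").lower() or None,
        "tls": _val(rec, "tls_protocol"),
        "status": int(status) if status.isdigit() else None,
        "path": _val(rec, "request_path"),
        # Header content as logged; entries set by the client are unverified.
        "xff": [h.strip() for h in xff.split(",")] if xff else [],
        "request_id": _val(rec, "request_id"),
    }


def flags_for(ev):
    """Return the review flags that apply to one parsed event."""
    flags = []
    if ev["tls"] is None:
        flags.append("no_tls")
    elif ev["tls"] in LEGACY_TLS:
        flags.append("legacy_tls")
    if ev["sni"] and ev["host"] and ev["sni"] != ev["host"]:
        flags.append("sni_host_mismatch")
    if ev["status"] in (401, 403):
        flags.append("auth_denied")
    return flags


def summarize(lines, denied_threshold=3):
    """Aggregate flags and list peers with repeated 401/403 responses."""
    flag_counts, denied, bad = Counter(), Counter(), 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            bad += 1
            continue
        found = flags_for(ev)
        flag_counts.update(found)
        if "auth_denied" in found:
            denied[ev["client_ip"]] += 1
    noisy = sorted(ip for ip, n in denied.items() if n >= denied_threshold)
    return {"unparseable": bad, "flags": dict(flag_counts), "repeated_denials": noisy}


def _sample(**override):
    """Build one constructed log line; keys follow the default format."""
    rec = {"start_time": "2024-01-01T00:00:00.000Z",
           "remote_address": "198.51.100.7:40112", "host": "api.example.com",
           "status": "200", "tls_protocol": "TLSv1.3", "sni_host": "api.example.com",
           "request_path": "/v1/orders", "x_forwarded_for": "-",
           "request_id": "constructed-id", "apigee_dynamic_data": "-"}
    rec.update(override)
    return json.dumps(rec)


# Constructed sample input (documentation address ranges, not real traffic).
SAMPLE_LINES = [
    _sample(),
    _sample(tls_protocol="TLSv1.1"),
    _sample(sni_host="cdn.example.net", x_forwarded_for="203.0.113.9, 10.0.0.4"),
    _sample(remote_address="203.0.113.50:5000", status="401"),
    _sample(remote_address="203.0.113.50:5001", status="403"),
    _sample(remote_address="203.0.113.50:5002", status="401"),
    _sample(tls_protocol="-", host="api.example.com:80", sni_host="-"),
    # Constructed failure case: unescaped quotes inside a value break the JSON.
    '{"start_time":"2024-01-01T00:00:07.000Z","apigee_dynamic_data":"{"k":"v"}"}',
]

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LINES), indent=2))
```

A rising unparseable count usually means a custom istiod.accessLogFormat no longer produces valid JSON, so alerting on it keeps the other checks trustworthy.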

istiod.forwardClientCertDetails Advanced Introduced in version: 1.9.2

Default value: SANITIZE_SET

Determines how the Envoy proxy (for the Apigee ingress gateway) handles the x-forwarded-client-cert (XFCC) HTTP header.

Possible values are:

  • SANITIZE_SET (default) When the client connection is mTLS, reset the XFCC header with the client certificate information and send it to the next hop.
  • FORWARD_ONLY When the client connection is mTLS (Mutual TLS), forward the XFCC header in the request only.
  • APPEND_FORWARD When the client connection is mTLS, append the client certificate information to the request's XFCC header and forward it.
  • SANITIZE Do not forward the XFCC header.
  • ALWAYS_FORWARD_ONLY Always forward the XFCC header in the request, regardless of whether the client connection is mTLS.

For more information on these values, see the Envoy documentation for Enum extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.ForwardClientCertDetails.

If you change this setting after installing Hybrid, apply it with apigeectl init and then restart your Apigee ingress gateway pods.

istiod.healthCheckUserAgents Advanced Introduced in version: 1.12.0

Default values:

- "GoogleStackdriverMonitoring-UptimeChecks(https://cloud.google.com/monitoring)"
- "Edge Health Probe"

Enables non-Google Cloud load balancers to check the ingress gateway's health check endpoints (/healthz/ingress and /healthz) by overriding the default user-agent allow list in hybrid.

To override the default user agents specified, use the following syntax, inserting the custom user agents:

istiod:
  healthCheckUserAgents: 
  - "CUSTOM_USER_AGENT_1"
  - "CUSTOM_USER_AGENT_2"

To remove the user agent requirement, use the following:

istiod:
  healthCheckUserAgents: []
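Several of the httpProxy, ingressGateways and istiod properties above accept only specific values, and a few settings loosen a default check. The following pre-deployment review of those rules is an added example, not Apigee tooling: lint_overrides and the sample values are hypothetical, and it assumes overrides.yaml has already been parsed into a dict (for example with PyYAML's yaml.safe_load).

```python
import re

# Allowed values and limits as documented in the property tables on this page.
GATEWAY_NAME = re.compile(r"[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?")
GATEWAY_NAME_MAX = 17
PROXY_SCHEMES = {"HTTP", "HTTPS"}
SVC_TYPES = {"ClusterIP", "LoadBalancer"}
XFCC_MODES = {"SANITIZE_SET", "FORWARD_ONLY", "APPEND_FORWARD",
              "SANITIZE", "ALWAYS_FORWARD_ONLY"}


def lint_overrides(cfg):
    """Return (severity, property, message) findings for a parsed overrides file."""
    out = []

    proxy = cfg.get("httpProxy") or {}
    if proxy:
        scheme = proxy.get("scheme", "HTTPS")  # documented default
        if scheme not in PROXY_SCHEMES:
            out.append(("error", "httpProxy.scheme",
                        f"{scheme!r} is not HTTP or HTTPS (uppercase only)"))
        elif scheme == "HTTP" and proxy.get("password"):
            out.append(("warn", "httpProxy.scheme",
                        "basic-auth credentials travel to the proxy without TLS"))

    gateways = cfg.get("ingressGateways") or []
    if not isinstance(gateways, list):
        out.append(("error", "ingressGateways", "must be a list of gateway entries"))
        gateways = []
    for i, gw in enumerate(gateways):
        prop = f"ingressGateways[{i}]"
        name = gw.get("name")
        if not name:
            out.append(("error", f"{prop}.name", "required property is missing"))
        else:
            if len(name) > GATEWAY_NAME_MAX:
                out.append(("error", f"{prop}.name",
                            f"{len(name)} characters, maximum is {GATEWAY_NAME_MAX}"))
            if not GATEWAY_NAME.fullmatch(name):
                out.append(("error", f"{prop}.name",
                            "use lowercase alphanumerics, '-' or '.', "
                            "starting and ending with an alphanumeric"))
        svc_type = gw.get("svcType", "LoadBalancer")
        if svc_type not in SVC_TYPES:
            out.append(("error", f"{prop}.svcType",
                        f"{svc_type!r} is not ClusterIP or LoadBalancer"))
        low = gw.get("replicaCountMin", 2)
        high = gw.get("replicaCountMax", 10)
        if low > high:
            out.append(("error", f"{prop}.replicaCountMin",
                        f"{low} exceeds replicaCountMax ({high})"))

    istiod = cfg.get("istiod") or {}
    mode = istiod.get("forwardClientCertDetails", "SANITIZE_SET")
    if mode not in XFCC_MODES:
        out.append(("error", "istiod.forwardClientCertDetails",
                    f"{mode!r} is not a documented value"))
    elif mode == "ALWAYS_FORWARD_ONLY":
        out.append(("warn", "istiod.forwardClientCertDetails",
                    "XFCC header is forwarded even when the client "
                    "connection is not mTLS"))
    if istiod.get("healthCheckUserAgents") == []:
        out.append(("warn", "istiod.healthCheckUserAgents",
                    "empty list removes the user-agent requirement on "
                    "/healthz/ingress and /healthz"))
    return out


# Constructed sample configuration with deliberate mistakes.
SAMPLE = {
    "httpProxy": {"host": "proxy.example.internal", "port": 3128,
                  "scheme": "http", "username": "svc", "password": "example-only"},
    "ingressGateways": [
        {"name": "prod-1", "svcType": "ClusterIP"},
        {"name": "Ingress_Gateway_External", "replicaCountMin": 12},
    ],
    "istiod": {"forwardClientCertDetails": "ALWAYS_FORWARD_ONLY",
               "healthCheckUserAgents": []},
}

if __name__ == "__main__":
    for severity, prop, message in lint_overrides(SAMPLE):
        print(f"{severity:5} {prop}: {message}")
```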

istiod.image.pullPolicy Advanced Introduced in version: 1.8.0

Default value: IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, see Updating images.

istiod.image.tag Advanced Introduced in version: 1.8.0

Default value: 1.18.7-asm.4-distroless

The version label for this service's Docker image.

istiod.image.url Advanced Introduced in version: 1.8.0

Default value: None

The location of the Docker image for this service.

Use apigee-pull-push --list to see the current repository URL for this component.

istiod.tolerations.effect Advanced Introduced in version: 1.10.1

Default value: None

Required to use the Taints and Tolerations feature of Kubernetes.

effect specifies the effect that matching a toleration with a taint will have. Values for effect can be:

  • NoExecute
  • NoSchedule
  • PreferNoSchedule

See Taints and Tolerations: Concepts for details.

istiod.tolerations.key Advanced Introduced in version: 1.10.1

Default value: None

Required to use the Taints and Tolerations feature of Kubernetes.

key identifies pods to which the toleration can be applied.

See Taints and Tolerations: Concepts for details.

istiod.tolerations.operator Advanced Introduced in version: 1.10.1

Default value: "Equal"

Required to use the Taints and Tolerations feature of Kubernetes.

operator specifies the operation used to trigger the effect. Values for operator can be:

  • Equal matches the value set in value.
  • Exists ignores the value set in value.

See Taints and Tolerations: Concepts for details.

istiod.tolerations.tolerationSeconds Advanced Introduced in version: 1.10.1

Default value: None

Used by the Taints and Tolerations feature of Kubernetes.

tolerationSeconds defines in seconds how long a pod stays bound to a failing or unresponsive node.

See Taints and Tolerations: Concepts for details.

istiod.tolerations.value Advanced Introduced in version: 1.10.1

Default value: None

Used by the Taints and Tolerations feature of Kubernetes.

value is the value that triggers the effect when operator is set to Equal.

See Taints and Tolerations: Concepts for details.

k8sCluster

Identifies the Kubernetes cluster where the hybrid runtime is installed.

The following table describes the properties of the k8sCluster object:

Property Type Description
k8sCluster.name Basic Introduced in version: 1.2.0

Default value: None

The name of the Kubernetes cluster where the hybrid runtime is installed.

k8sCluster.region Basic Introduced in version: 1.2.0

Default value: None

Identifies the Google Cloud region in which your Kubernetes cluster was created.

kubeRBACProxy

Identifies where Apigee should look for Kubernetes role-based access controls.

The following table describes the properties of the kubeRBACProxy object:

Property Type Description
kubeRBACProxy.image.pullPolicy Advanced Introduced in version: 1.2.0

Default value: IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, see Updating images.

kubeRBACProxy.image.tag Advanced Introduced in version: 1.2.0

Default value: v0.14.2

The version label for this service's Docker image.

kubeRBACProxy.image.url Advanced Introduced in version: 1.2.0

Default value: None

The location of the Docker image for this service.

Use apigee-pull-push --list to see the current repository URL for this component.

kubeRBACProxy.resources.limits.cpu Advanced Introduced in version: 1.11.0

Default value: 500m

The CPU limit for the resource in a Kubernetes container, in millicores.

kubeRBACProxy.resources.limits.memory Advanced Introduced in version: 1.11.0

Default value: 128Mi

The memory limit for the resource in a Kubernetes container, in mebibytes.

kubeRBACProxy.resources.requests.cpu Advanced Introduced in version: 1.11.0

Default value: 5m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

kubeRBACProxy.resources.requests.memory Advanced Introduced in version: 1.11.0

Default value: 64Mi

The memory needed for normal operation of the resource in a Kubernetes container, in mebibytes.

logger

Defines the service that manages operational logs. All of the Apigee hybrid services that run in your Kubernetes cluster output this information.

For more information, see Logging overview.

The following table describes the properties of the logger object:

Property Type Description
logger.annotations Advanced Introduced in version: 1.5.0

Default value: None

Optional key/value map used to annotate pods. For more information, see Custom annotations.

logger.bufferChunkSize Advanced Introduced in version: 1.12.0

Default value: 256k

The initial buffer size to read log files.

logger.bufferMaxSize Advanced Introduced in version: 1.12.0

Default value: 104857600

The limit of the buffer size per monitored file. Files exceeding this limit are removed from the monitored file list.

logger.bufferMemoryLimit Advanced Introduced in version: 1.12.0

Default value: 150MB

The limit of memory that the logger can consume. If the limit is reached, the logger momentarily pauses reading more data until the existing data in memory is flushed.

logger.enabled Basic Introduced in version: 1.0.0

Default value: false

Enables or disables logging on the cluster. For non-GKE, set to true; for GKE on Google Cloud or Google Distributed Cloud, set to false.

logger.envVars Basic Introduced in version: 1.8.5

Default value: None

Allows you to include the NO_PROXY Fluent Bit environment variable, which specifies URLs for which traffic is not routed through the HTTP proxy. The NO_PROXY variable should be defined as a comma-separated string of host names, in the format:

logger:
  ...
  envVars:
    NO_PROXY: '<comma-separated-values>'

For example:

  envVars:
    NO_PROXY: 'kubernetes.default.svc,oauth2.googleapis.com,logging.googleapis.com'

Use envVars: NO_PROXY optionally when you have HTTP forward proxy enabled.

See NO_PROXY in the Fluent Bit documentation.

logger.flushInterval Advanced Introduced in version: 1.12.0

Default value: 1

The interval to wait before invoking the next buffer flush, in seconds.

logger.gsa Advanced Introduced in version: 1.10.0

Default value: None

Helm only: The email address of the apigee-logger Google IAM service account (GSA) to associate with the corresponding Kubernetes service account when enabling Workload Identity on GKE clusters using Helm charts. Set this when you have set gcp.workloadIdentity.enabled to true.

GSA email addresses typically have the format of:

GSA_NAME@PROJECT_ID.iam.gserviceaccount.com

For example:

apigee-logger@my-hybrid-project.iam.gserviceaccount.com

See Enabling Workload Identity on GKE or Enabling Workload Identity Federation on AKS and EKS.

logger.image.pullPolicy Advanced Introduced in version: 1.0.0

Default value: IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, see Updating images.

logger.image.tag Advanced Introduced in version: 1.0.0

Default value: 1.9.9

The version label for this service's Docker image.

logger.image.url Advanced Introduced in version: 1.0.0

Default value: None

The location of the Docker image for this service.

Use apigee-pull-push --list to see the current repository URL for this component.

logger.livenessProbe.failureThreshold Advanced Introduced in version: 1.0.0

Default value: 3

The number of times Kubernetes will verify that liveness probes have failed before restarting the container. The minimum value is 1.

logger.livenessProbe.initialDelaySeconds Advanced Introduced in version: 1.0.0

Default value: 0

The number of seconds after a container is started before a liveness probe is initiated.

logger.livenessProbe.periodSeconds Advanced Introduced in version: 1.0.0

Default value: 60

Determines how often to perform a liveness probe, in seconds. The minimum value is 1.

logger.livenessProbe.successThreshold Advanced Introduced in version: 1.0.0

Default value: 1

The minimum consecutive successes needed for a liveness probe to be considered successful after a failure. The minimum value is 1.

logger.livenessProbe.timeoutSeconds Advanced Introduced in version: 1.0.0

Default value: 1

The number of seconds after which a liveness probe times out. The minimum value is 1.

logger.nodeSelector.key Basic Introduced in version: 1.0.0

Default value: apigee.com/apigee-logger-enabled

Required

Node selector label key used to target dedicated Kubernetes nodes for logger runtime services.

See Configuring dedicated node pools.

logger.nodeSelector.value Basic Introduced in version: 1.0.0

Default value: true

Required

Node selector label value used to target dedicated Kubernetes nodes for logger runtime services.

See Configuring dedicated node pools.

logger.resources.limits.cpu Advanced Introduced in version: 1.0.0

Default value: 200m

The CPU limit for the resource in a Kubernetes container, in millicores.

logger.resources.limits.memory Advanced Introduced in version: 1.0.0

Default value: 500Mi

The memory limit for the resource in a Kubernetes container, in mebibytes.

logger.resources.requests.cpu Advanced Introduced in version: 1.0.0

Default value: 100m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

logger.resources.requests.memory Advanced Introduced in version: 1.0.0

Default value: 250Mi

The memory needed for normal operation of the resource in a Kubernetes container, in mebibytes.

logger.serviceAccountPath Basic Introduced in version: 1.0.0

Default value: None

One of either serviceAccountPath or serviceAccountRef is required.

Path to Google Service Account key file with Logs Writer role.

logger.serviceAccountRef Basic Introduced in version: 1.2.0

Default value: None

One of either serviceAccountPath or serviceAccountRef is required.

logger.storageMaxChunks Advanced Introduced in version: 1.12.0

Default value: 128

The maximum number of chunks that can be up in memory. Chunks exceeding the limit will be saved in the file system.

logger.terminationGracePeriodSeconds Advanced Introduced in version: 1.0.0

Default value: 30

The time between a request for pod deletion and when the pod is killed, in seconds. During this period, any prestop hooks will be executed and any running process should terminate gracefully.

logger.tolerations.effect Advanced Introduced in version: 1.10.1

Default value: None

Required to use the Taints and Tolerations feature of Kubernetes.

effect specifies the effect that matching a toleration with a taint will have. Values for effect can be:

  • NoExecute
  • NoSchedule
  • PreferNoSchedule

See Taints and Tolerations: Concepts for details.

logger.tolerations.key Advanced Introduced in version: 1.10.1

Default value: None

Required to use the Taints and Tolerations feature of Kubernetes.

key identifies pods to which the toleration can be applied.

See Taints and Tolerations: Concepts for details.

logger.tolerations.operator Advanced Introduced in version: 1.10.1

Default value: "Equal"

Required to use the Taints and Tolerations feature of Kubernetes.

operator specifies the operation used to trigger the effect. Values for operator can be:

  • Equal matches the value set in value.
  • Exists ignores the value set in value.

See Taints and Tolerations: Concepts for details.

logger.tolerations.tolerationSeconds Advanced Introduced in version: 1.10.1

Default value: None

Used by the Taints and Tolerations feature of Kubernetes.

tolerationSeconds defines in seconds how long a pod stays bound to a failing or unresponsive node.

See Taints and Tolerations: Concepts for details.

logger.tolerations.value Advanced Introduced in version: 1.10.1

Default value: None

Used by the Taints and Tolerations feature of Kubernetes.

value is the value that triggers the effect when operator is set to Equal.

See Taints and Tolerations: Concepts for details.

mart

Defines the MART (Management API for RunTime data) service, which acts as an API provider for public Apigee APIs so that you can access and manage runtime data entities such as KMS (API Keys and OAuth tokens), KVM, Quota, and API products.

The following table describes the properties of the mart object:

Property Type Description
mart.annotations Advanced Introduced in version: 1.5.0

Default value: None

Optional key/value map used to annotate pods. For more information, see Custom annotations.

mart.gsa Advanced Introduced in version: 1.10.0

Default value: None

Helm only: The email address of the apigee-mart Google IAM service account (GSA) to associate with the corresponding Kubernetes service account when enabling Workload Identity on GKE clusters using Helm charts. Set this when you have set gcp.workloadIdentity.enabled to true.

GSA email addresses typically have the format of:

GSA_NAME@PROJECT_ID.iam.gserviceaccount.com

For example:

apigee-mart@my-hybrid-project.iam.gserviceaccount.com

See Enabling Workload Identity on GKE or Enabling Workload Identity Federation on AKS and EKS.

mart.hostAlias Basic Introduced in version: 1.0.0

Default value: None

The host alias pointing to the MART object. You can set this property to * or a fully-qualified domain name.

mart.image.pullPolicy Advanced Introduced in version: 1.0.0

Default value: IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, see Updating images.

mart.image.tag Advanced Introduced in version: 1.0.0

Default value: 1.13.2

The version label for this service's Docker image.

mart.image.url Advanced Introduced in version: 1.0.0

Default value: None

The location of the Docker image for this service.

Use apigee-pull-push --list to see the current repository URL for this component.

mart.initCheckCF.resources.requests.cpu Advanced Introduced in version: 1.0.0

Default value: 10m

The amount of CPU resources allocated to the initialization check of the Cloud Foundry process.

mart.livenessProbe.failureThreshold Advanced Introduced in version: 1.0.0

Default value: 12

The number of times Kubernetes will verify that liveness probes have failed before restarting the container. The minimum value is 1.

mart.livenessProbe.initialDelaySeconds Advanced Introduced in version: 1.0.0

Default value: 15

The number of seconds after a container is started before a liveness probe is initiated.

mart.livenessProbe.periodSeconds Advanced Introduced in version: 1.0.0

Default value: 5

Determines how often to perform a liveness probe, in seconds. The minimum value is 1.

mart.livenessProbe.timeoutSeconds Advanced Introduced in version: 1.0.0

Default value: 1

The number of seconds after which a liveness probe times out. The minimum value is 1.

mart.metricsURL Basic Introduced in version: 1.0.0

Default value: /v1/server/metrics

mart.nodeSelector.key Basic Introduced in version: 1.0.0

Default value: None

Optional node selector label key for targeting Kubernetes nodes for mart runtime services. If you do not specify a key for mart.nodeSelector, then your runtime uses the node specified in the nodeSelector object.

See Configuring dedicated node pools.

mart.nodeSelector.value Basic Introduced in version: 1.0.0

Default value: None

Optional node selector label value for targeting Kubernetes nodes for mart runtime services. See also the nodeSelector object.

See Configuring dedicated node pools.

mart.readinessProbe.failureThreshold Advanced Introduced in version: 1.0.0

Default value: 2

The number of times Kubernetes will verify that readiness probes have failed before marking the pod unready. The minimum value is 1.

mart.readinessProbe.initialDelaySeconds Advanced Introduced in version: 1.0.0

Default value: 15

The number of seconds after a container is started before a readiness probe is initiated.

mart.readinessProbe.periodSeconds Advanced Introduced in version: 1.0.0

Default value: 5

Determines how often to perform a readiness probe, in seconds. The minimum value is 1.

mart.readinessProbe.successThreshold Advanced Introduced in version: 1.0.0

Default value: 1

The minimum consecutive successes needed for a readiness probe to be considered successful after a failure. The minimum value is 1.

mart.readinessProbe.timeoutSeconds Advanced Introduced in version: 1.0.0

Default value: 1

The number of seconds after which a readiness probe times out. The minimum value is 1.

mart.replicaCountMax Basic Introduced in version: 1.0.0

Default value: 5

Maximum number of replicas available for autoscaling.

mart.replicaCountMin Basic Introduced in version: 1.0.0

Default value: 1

Minimum number of replicas available for autoscaling.

mart.resources.limits.cpu Advanced Introduced in version: 1.11.0

Default value: 2000m

The CPU limit for the resource in a Kubernetes container, in millicores.

mart.resources.limits.memory Advanced Introduced in version: 1.11.0

Default value: 5Gi

The memory limit for the resource in a Kubernetes container, in mebibytes.

mart.resources.requests.cpu Advanced Introduced in version: 1.0.0

Default value: 500m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

mart.resources.requests.memory Advanced Introduced in version: 1.0.0

Default value: 512Mi

The memory needed for normal operation of the resource in a Kubernetes container, in mebibytes.

mart.serviceAccountPath Basic Introduced in version: 1.1.1

Default value: None

One of either serviceAccountPath or serviceAccountRef is required.

Path to Google Service Account key file with no role.

mart.serviceAccountRef Basic Introduced in version: 1.2.0

Default value: None

One of either serviceAccountPath or serviceAccountRef is required.

mart.sslCertPath Basic Introduced in version: 1.0.0

Default value: None

Either sslCertPath/sslKeyPath or sslSecret is required.

Local file system path for loading and encoding the SSL cert to a Secret.

mart.sslKeyPath Basic Introduced in version: 1.0.0

Default value: None

Either sslCertPath/sslKeyPath or sslSecret is required.

Local file system path for loading and encoding the SSL key to a Secret.

mart.sslSecret Basic Introduced in version: 1.2.0

Default value: None

Either sslCertPath/sslKeyPath or sslSecret is required.

The name of a file stored in a Kubernetes secret that contains the TLS certificate and private key. You must create the secret using the TLS certificate and key data as its input.

See also:

mart.targetCPUUtilizationPercentage Advanced Introduced in version: 1.0.0

Default value: 75

Target CPU utilization for the MART process on the pod. The value of this field enables MART to auto-scale when CPU utilization reaches this value, up to replicaCountMax.

mart.terminationGracePeriodSeconds Advanced Introduced in version: 1.0.0

Default value: 30

The time between a request for pod deletion and when the pod is killed, in seconds. During this period, any prestop hooks will be executed and any running process should terminate gracefully.

mart.tolerations.effect Advanced Introduced in version: 1.10.1

Default value: None

Required to use the Taints and Tolerations feature of Kubernetes.

effect specifies the effect that matching a toleration with a taint will have. Values for effect can be:

  • NoExecute
  • NoSchedule
  • PreferNoSchedule

See Taints and Tolerations: Concepts for details.

mart.tolerations.key Advanced Introduced in version: 1.10.1

Default value: None

Required to use the Taints and Tolerations feature of Kubernetes.

key identifies pods to which the toleration can be applied.

See Taints and Tolerations: Concepts for details.

mart.tolerations.operator Advanced Introduced in version: 1.10.1

Default value: "Equal"

Required to use the Taints and Tolerations feature of Kubernetes.

operator specifies the operation used to trigger the effect. Values for operator can be:

  • Equal matches the value set in value.
  • Exists ignores the value set in value.

See Taints and Tolerations: Concepts for details.

mart.tolerations.tolerationSeconds Advanced Introduced in version: 1.10.1

Default value: None

Used by the Taints and Tolerations feature of Kubernetes.

tolerationSeconds defines in seconds how long a pod stays bound to a failing or unresponsive node.

See Taints and Tolerations: Concepts for details.

mart.tolerations.value Advanced Introduced in version: 1.10.1

Default value: None

Used by the Taints and Tolerations feature of Kubernetes.

value is the value that triggers the effect when operator is set to Equal.

See Taints and Tolerations: Concepts for details.

metrics

Defines the service that collects operations metrics. You can use metrics data to monitor the health of Hybrid services, to set up alerts, and so on.

For more information, see Metrics collection overview.

The following table describes the properties of the metrics object:

Property Type Description
metrics.adapter.image.pullPolicy Advanced Introduced in version: 1.8.1

Default value: IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, see Updating images.

metrics.adapter.image.tag Advanced Introduced in version: 1.8.1

Default value: v0.11.0

The version label for this service's Docker image.

metrics.adapter.image.url Advanced Introduced in version: 1.8.1

Default value: None

The location of the Docker image for this service.

Use apigee-pull-push --list to see the current repository URL for this component.

metrics.aggregator.resources.requests.cpu Advanced Introduced in version: 1.4.0

Default value: 500m

The CPU needed for normal operation of the aggregator in a Kubernetes container, in millicores.

metrics.aggregator.resources.requests.memory Advanced Introduced in version: 1.4.0

Default value: 512Mi

The memory needed for normal operation of the aggregator in a Kubernetes container, in mebibytes.

metrics.aggregator.resources.limits.cpu Advanced Introduced in version: 1.4.0

Default value: 500m

The CPU limit for the aggregator resource in a Kubernetes container, in millicores.

metrics.aggregator.resources.limits.memory Advanced Introduced in version: 1.4.0

Default value: 3Gi

The memory limit for the aggregator resource in a Kubernetes container, in gibibytes.

metrics.annotations Advanced Introduced in version: 1.5.0

Default value: None

Optional key/value map used to annotate pods. For more information, see Custom annotations.

metrics.app.resources.requests.cpu Advanced Introduced in version: 1.4.0

Default value: 500m

The CPU needed for normal operation of the app in a Kubernetes container, in millicores.

metrics.app.resources.requests.memory Advanced Introduced in version: 1.4.0

Default value: 512Mi

The memory needed for normal operation of the app in a Kubernetes container, in mebibytes.

metrics.app.resources.limits.cpu Advanced Introduced in version: 1.4.0

Default value: 500m

The CPU limit for the app resource in a Kubernetes container, in millicores.

metrics.app.resources.limits.memory Advanced Introduced in version: 1.4.0

Default value: 1Gi

The memory limit for the app resource in a Kubernetes container, in gibibytes.

metrics.appStackdriverExporter.resources.requests.cpu Advanced Introduced in version: 1.7.0

Default value: 128m

The CPU needed for normal operation of the stackdriverExporter in a Kubernetes container, in millicores.

metrics.appStackdriverExporter.resources.requests.memory Advanced Introduced in version: 1.7.0

Default value: 512Mi

The memory needed for normal operation of the stackdriverExporter in a Kubernetes container, in mebibytes.

metrics.appStackdriverExporter.resources.limits.cpu Advanced Introduced in version: 1.7.0

Default value: 500m

The CPU limit for the stackdriverExporter resource in a Kubernetes container, in millicores.

metrics.appStackdriverExporter.resources.limits.memory Advanced Introduced in version: 1.7.0

Default value: 1Gi

The memory limit for the stackdriverExporter resource in a Kubernetes container, in gibibytes.

metrics.collector.envVars Basic Introduced in version: 1.13

Default value: None

Allows you to pass in and override environment variables in OpenTelemetry. For example, you can define HTTP_PROXY, HTTPS_PROXY, or NO_PROXY to have its requests pass through the proxy server.

The HTTP_PROXY variable can be defined as a string containing the host name, in the format:

metrics:
...
  envVars:
    HTTP_PROXY: '<host-name>'

for example:

  envVars:
    HTTP_PROXY: 'http://1.1.1.1:80'

The HTTPS_PROXY variable can be defined as a string containing the host name, in the format:

metrics:
...
  envVars:
    HTTPS_PROXY: '<host-name>'

for example:

  envVars:
    HTTPS_PROXY: 'https://1.1.1.1:80'

The NO_PROXY variable should be defined as a comma-separated string of host names, in the format:

metrics:
...
  envVars:
    NO_PROXY: '<comma-separated-values>'

for example:

  envVars:
    NO_PROXY: 'https://1.1.1.1:80, https://1.1.1.1:81'

Use envVars: HTTP_PROXY, envVars: HTTPS_PROXY, or envVars: NO_PROXY optionally when you have HTTP forward proxy enabled.

See Proxy support in the OpenTelemetry documentation.

metrics.collector.imagePullPolicy Advanced Introduced in version: 1.12.0

Default value: IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, see Use a private image repository with Apigee hybrid.

metrics.collector.image.tag Basic Introduced in version: 1.12.0

Default value: v0.93.0

The version label for this service's Docker image.

metrics.collector.image.url Basic Introduced in version: 1.12.0

Default value: None

The location of the Docker image for this service.

Use apigee-pull-push --list to see the current repository URL for this component.

metrics.collector.resources.requests.cpu Advanced Introduced in version: 1.12.0

Default value: 500m

The CPU needed for normal operation of the app in a Kubernetes container, in millicores.

metrics.collector.resources.requests.memory Advanced Introduced in version: 1.12.0

Default value: 512Mi

The memory needed for normal operation of the app in a Kubernetes container, in mebibytes.

metrics.collector.resources.limits.cpu Advanced Introduced in version: 1.12.0

Default value: 500m

The CPU limit for the app resource in a Kubernetes container, in millicores.

metrics.collector.resources.limits.memory Advanced Introduced in version: 1.12.0

Default value: 1Gi

The memory limit for the app resource in a Kubernetes container, in gibibytes.

metrics.collector.livenessProbe.failureThreshold Advanced Introduced in version: 1.12.0

Default value: 5

The number of times Kubernetes will verify that liveness probes have failed before restarting the container. The minimum value is 1.

metrics.collector.livenessProbe.initialDelaySeconds Advanced Introduced in version: 1.12.0

Default value: 30

The number of seconds after a container is started before a liveness probe is initiated.

metrics.collector.livenessProbe.periodSeconds Advanced Introduced in version: 1.12.0

Default value: 10

Determines how often to perform a liveness probe, in seconds. The minimum value is 1.

metrics.collector.livenessProbe.successThreshold Advanced Introduced in version: 1.12.0

Default value: 1

The minimum consecutive successes needed for a liveness probe to be considered successful after a failure. The minimum value is 1.

metrics.collector.livenessProbe.timeoutSeconds Advanced Introduced in version: 1.12.0

Default value: 5

The number of seconds after which a liveness probe times out. The minimum value is 1.

metrics.collector.readinessProbe.failureThreshold Advanced Introduced in version: 1.12.0

Default value: 3

The number of times Kubernetes will verify that readiness probes have failed before marking the pod unready. The minimum value is 1.

metrics.collector.readinessProbe.initialDelaySeconds Advanced Introduced in version: 1.12.0

Default value: 30

The number of seconds after a container is started before a readiness probe is initiated.

metrics.collector.readinessProbe.periodSeconds Advanced Introduced in version: 1.12.0

Default value: 10

Determines how often to perform a readiness probe, in seconds. The minimum value is 1.

metrics.collector.readinessProbe.successThreshold Advanced Introduced in version: 1.12.0

Default value: 1

The minimum consecutive successes needed for a readiness probe to be considered successful after a failure. The minimum value is 1.

metrics.collector.readinessProbe.timeoutSeconds Advanced Introduced in version: 1.12.0

Default value: 5

The number of seconds after which a readiness probe times out. The minimum value is 1.

metrics.disablePrometheusPipeline Basic Introduced in version: 1.12.0

Default value: true

Metrics for ProxyV2 and TargetV2 monitored resources are not emitted when set to true. Use metrics for Proxy and Target monitored resources instead.

metrics.enabled Basic Introduced in version: 1.0.0

Default value: true

Enables Apigee metrics. Set to true to enable metrics. Set to false to disable metrics.

metrics.gsa Advanced Introduced in version: 1.10.0

Default value: None

Helm only: The email address of the apigee-metrics Google IAM service account (GSA) to associate with the corresponding Kubernetes service account when enabling Workload Identity on GKE clusters using Helm charts. Set this when you have set gcp.workloadIdentity.enabled to true.

GSA email addresses typically have the format of:

GSA_NAME@PROJECT_ID.iam.gserviceaccount.com

For example:

apigee-metrics@my-hybrid-project.iam.gserviceaccount.com

See Enabling Workload Identity on GKE or Enabling Workload Identity Federation on AKS and EKS.

metrics.nodeSelector.key Basic Introduced in version: 1.0.0

Default value: None

Required

Node selector label key used to target dedicated Kubernetes nodes for metrics runtime services.

See Configuring dedicated node pools.

metrics.nodeSelector.value Basic Introduced in version: 1.0.0

Default value: None

Required

Node selector label value used to target dedicated Kubernetes nodes for metrics runtime services.

See Configuring dedicated node pools.

metrics.prometheus.containerPort Advanced Introduced in version: 1.0.0

Default value: 9090

The port to connect to the Prometheus metrics service.

metrics.prometheus.image.pullPolicy Advanced Introduced in version: 1.0.0

Default value: IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, see Updating images.

metrics.prometheus.image.tag Advanced Introduced in version: 1.0.0

Default value: v2.45.0

The version label for this service's Docker image.

metrics.prometheus.image.url Advanced Introduced in version: 1.0.0

Default value: None

The location of the Docker image for this service.

Use apigee-pull-push --list to see the current repository URL for this component.

metrics.prometheus.livenessProbe.failureThreshold Advanced Introduced in version: 1.0.0

Default value: 6

The number of times Kubernetes will verify that liveness probes have failed before restarting the container. The minimum value is 1.

metrics.prometheus.livenessProbe.periodSeconds Advanced Introduced in version: 1.0.0

Default value: 5

Determines how often to perform a liveness probe, in seconds. The minimum value is 1.

metrics.prometheus.livenessProbe.timeoutSeconds Advanced Introduced in version: 1.0.0

Default value: 3

The number of seconds after which a liveness probe times out. The minimum value is 1.

metrics.prometheus.readinessProbe.failureThreshold Advanced Introduced in version: 1.0.0

Default value: 120

The number of times Kubernetes will verify that readiness probes have failed before marking the pod unready. The minimum value is 1.

metrics.prometheus.readinessProbe.periodSeconds Advanced Introduced in version: 1.0.0

Default value: 5

Determines how often to perform a readiness probe, in seconds. The minimum value is 1.

metrics.prometheus.readinessProbe.timeoutSeconds Advanced Introduced in version: 1.0.0

Default value: 3

The number of seconds after which a readiness probe times out. The minimum value is 1.

metrics.prometheus.sslCertPath Basic Introduced in version: 1.0.0

Default value: None

Required

Path to the SSL cert for the Prometheus metrics collection process. Prometheus is a tool Apigee can use for collecting and processing metrics.

metrics.prometheus.sslKeyPath Basic Introduced in version: 1.0.0

Default value: None

Required

Path to the SSL Key for the Prometheus metrics collection process. Prometheus is a tool Apigee can use for collecting and processing metrics.

metrics.proxy.resources.requests.cpu Advanced Introduced in version: 1.4.0

Default value: 500m

The CPU needed for normal operation of the proxy in a Kubernetes container, in millicores.

metrics.proxy.resources.requests.memory Advanced Introduced in version: 1.4.0

Default value: 512Mi

The memory needed for normal operation of the proxy in a Kubernetes container, in mebibytes.

metrics.proxy.resources.limits.cpu Advanced Introduced in version: 1.4.0

Default value: 500m

The CPU limit for the proxy resource in a Kubernetes container, in millicores.

metrics.proxy.resources.limits.memory Advanced Introduced in version: 1.4.0

Default value: 1Gi

The memory limit for the proxy resource in a Kubernetes container, in gibibytes.

metrics.proxyStackdriverExporter.resources.requests.cpu Advanced Introduced in version: 1.7.0

Default value: 128m

The CPU needed for normal operation of the stackdriverExporter in a Kubernetes container, in millicores.

metrics.proxyStackdriverExporter.resources.requests.memory Advanced Introduced in version: 1.7.0

Default value: 512Mi

The memory needed for normal operation of the stackdriverExporter in a Kubernetes container, in mebibytes.

metrics.proxyStackdriverExporter.resources.limits.cpu Advanced Introduced in version: 1.7.0

Default value: 500m

The CPU limit for the stackdriverExporter resource in a Kubernetes container, in millicores.

metrics.proxyStackdriverExporter.resources.limits.memory Advanced Introduced in version: 1.7.0

Default value: 1Gi

The memory limit for the stackdriverExporter resource in a Kubernetes container, in gibibytes.

metrics.proxyURL Basic Introduced in version: 1.0.0

Default value: None

URL for the metrics process sidecar proxy in the Kubernetes cluster.

metrics.sdSidecar.containerPort Advanced Introduced in version: 1.0.0

Default value: 9091

The port for connecting to the Cloud Monitoring metrics service.

metrics.sdSidecar.image.pullPolicy Advanced Introduced in version: 1.0.0

Default value: IfNotPresent

Determines when Kubelet pulls this service's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists
  • Always: Always pull the image, even if it already exists.

For more information, see Updating images.

metrics.sdSidecar.image.tag Advanced Introduced in version: 1.0.0

Default value: v0.9.0

The version label for this service's Docker image.

metrics.sdSidecar.image.url Advanced Introduced in version: 1.0.0

Default value: None

The location of the Docker image for this service.

Use apigee-pull-push --list to see the current repository URL for this component.

metrics.serviceAccountPath Basic Introduced in version: 1.0.0

Default value: None

One of either serviceAccountPath or serviceAccountRef is required.

Path to Google Service Account key file with Monitoring Metric Writer role.

metrics.serviceAccountRef Basic Introduced in version: 1.2.0

Default value: None

One of either serviceAccountPath or serviceAccountRef is required.

metrics.stackdriverExporter.resources.requests.cpu Advanced Introduced in version: 1.4.0

Deprecated: Starting in Hybrid version 1.8, metrics:stackdriverExporter has been replaced with metrics:appStackdriverExporter and metrics:proxyStackdriverExporter.

metrics.stackdriverExporter.resources.requests.memory Advanced Introduced in version: 1.4.0

Deprecated: Starting in Hybrid version 1.8, metrics:stackdriverExporter has been replaced with metrics:appStackdriverExporter and metrics:proxyStackdriverExporter.

metrics.stackdriverExporter.resources.limits.cpu Advanced Introduced in version: 1.4.0

Deprecated: Starting in Hybrid version 1.8, metrics:stackdriverExporter has been replaced with metrics:appStackdriverExporter and metrics:proxyStackdriverExporter.

metrics.stackdriverExporter.resources.limits.memory Advanced Introduced in version: 1.4.0

Deprecated: Starting in Hybrid version 1.8, metrics:stackdriverExporter has been replaced with metrics:appStackdriverExporter and metrics:proxyStackdriverExporter.

metrics.terminationGracePeriodSeconds Advanced Introduced in version: 1.0.0

Default value: 300

The time between a request for pod deletion and when the pod is killed, in seconds. During this period, any prestop hooks will be executed and any running process should terminate gracefully.

metrics.tolerations.effect Advanced Introduced in version: 1.10.1

Default value: None

Required to use the Taints and Tolerations feature of Kubernetes.

effect specifies the effect that matching a toleration with a taint will have. Values for effect can be:

  • NoExecute
  • NoSchedule
  • PreferNoSchedule

See Taints and Tolerations: Concepts for details.

metrics.tolerations.key Advanced Introduced in version: 1.10.1

Default value: None

Required to use the Taints and Tolerations feature of Kubernetes.

key identifies pods to which the toleration can be applied.

See Taints and Tolerations: Concepts for details.

metrics.tolerations.operator Advanced Introduced in version: 1.10.1

Default value: "Equal"

Required to use the Taints and Tolerations feature of Kubernetes.

operator specifies the operation used to trigger the effect. Values for operator can be:

  • Equal matches the value set in value.
  • Exists ignores the value set in value.

See Taints and Tolerations: Concepts for details.

metrics.tolerations.tolerationSeconds Advanced Introduced in version: 1.10.1

Default value: None

Used by the Taints and Tolerations feature of Kubernetes.

tolerationSeconds defines in seconds how long a pod stays bound to a failing or unresponsive node.

See Taints and Tolerations: Concepts for details.

metrics.tolerations.value Advanced Introduced in version: 1.10.1

Default value: None

Used by the Taints and Tolerations feature of Kubernetes.

value is the value that triggers the effect when operator is set to Equal.

See Taints and Tolerations: Concepts for details.

mintTaskScheduler

mintTaskScheduler is the cron job that schedules monetization tasks, such as recurring fee calculation, on a periodic basis.

The following table describes the properties of the mintTaskScheduler object:

Property Type Description
mintTaskScheduler.image.pullPolicy Advanced Introduced in version: 1.7.0

Default value: IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, see Updating images.

mintTaskScheduler.image.tag Advanced Introduced in version: 1.7.0

Default value: 1.13.2

The version label for this service's Docker image.

mintTaskScheduler.image.url Advanced Introduced in version: 1.7.0

Default value: None

The location of the Docker image for this service.

Use apigee-pull-push --list to see the current repository URL for this component.

mintTaskScheduler.resources.limits.cpu Advanced Introduced in version: 1.1.0

Default value: 2000m

The CPU limit for the resource in a Kubernetes container, in millicores.

mintTaskScheduler.resources.limits.memory Advanced Introduced in version: 1.1.0

Default value: 4Gi

The memory limit for the resource in a Kubernetes container, in mebibytes.

mintTaskScheduler.resources.requests.cpu Advanced Introduced in version: 1.7.0

Default value: 500m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

mintTaskScheduler.resources.requests.memory Advanced Introduced in version: 1.7.0

Default value: 512Mi

The memory needed for normal operation of the resource in a Kubernetes container, in mebibytes.

mintTaskScheduler.tolerations.effect Advanced Introduced in version: 1.10.1

Default value: None

Required to use the Taints and Tolerations feature of Kubernetes.

effect specifies the effect that matching a toleration with a taint will have. Values for effect can be:

  • NoExecute
  • NoSchedule
  • PreferNoSchedule

See Taints and Tolerations: Concepts for details.

mintTaskScheduler.tolerations.key Advanced Introduced in version: 1.10.1

Default value: None

Required to use the Taints and Tolerations feature of Kubernetes.

key identifies pods to which the toleration can be applied.

See Taints and Tolerations: Concepts for details.

mintTaskScheduler.tolerations.operator Advanced Introduced in version: 1.10.1

Default value: "Equal"

Required to use the Taints and Tolerations feature of Kubernetes.

operator specifies the operation used to trigger the effect. Values for operator can be:

  • Equal matches the value set in value.
  • Exists ignores the value set in value.

See Taints and Tolerations: Concepts for details.

mintTaskScheduler.tolerations.tolerationSeconds Advanced Introduced in version: 1.10.1

Default value: None

Used by the Taints and Tolerations feature of Kubernetes.

tolerationSeconds defines in seconds how long a pod stays bound to a failing or unresponsive node.

See Taints and Tolerations: Concepts for details.

mintTaskScheduler.tolerations.value Advanced Introduced in version: 1.10.1

Default value: None

Used by the Taints and Tolerations feature of Kubernetes.

value is the value that triggers the effect when operator is set to Equal.

See Taints and Tolerations: Concepts for details.

newDataPipeline

newDataPipeline determines if Apigee hybrid uses the new data pipeline for the runtime components to write data directly to the control plane. This property is required for data residency-enabled hybrid orgs at v1.13.1 or later. Do not attempt to use the new data pipeline feature with non data residency-enabled orgs; only new orgs created on hybrid v1.13.1 can use this new feature. See also Using data residency with Apigee hybrid.

The following table describes the properties of the newDataPipeline object:

Property Type Description
newDataPipeline.debugSession Advanced Introduced in version: 1.13.1

Default value: false

Determines if the new Pub/Sub data pipeline is enabled. Set this property to true to use the new data pipeline (required for new hybrid v1.13.1 orgs with data residency-enabled). Leave it set to false to disable the new data pipeline. For more information, see Analytics and debug data collection with data residency.

newDataPipeline.analytics Advanced Introduced in version: 1.13.1

Default value: false

Determines if analytics use the new Pub/Sub data pipeline. Set this to true to enable analytics to use the new data pipeline (required for new hybrid v1.13.1 orgs with data residency-enabled). Leave it set to false to force analytics to use the old data pipeline. For more information, see Analytics and debug data collection with data residency.

nodeSelector

The nodeSelector object defines the node for your Apigee instance. Behind the scenes, Apigee hybrid maps the label key/value for apigeeRuntime and apigeeData to the individual Istio and MART components when you install or upgrade the apigee-org and apigee-ingress-manager charts. You can override this for individual objects in the mart:nodeSelector property.

The following table describes the properties of the nodeSelector object:

Property Type Description
nodeSelector.apigeeData.key Advanced Introduced in version: 1.0.0

Default value: cloud.google.com/gke-nodepool

ApigeeData is the node for the Cassandra database. Node selector label key for targeting Kubernetes nodes for working with Apigee services data.

See Configure dedicated node pools.

nodeSelector.apigeeData.value Advanced Introduced in version: 1.0.0

Default value: apigee-data

apigee-data is the node for the Cassandra database. Node selector label value for targeting Kubernetes nodes for working with Apigee services data.

See Configure dedicated node pools.

nodeSelector.apigeeRuntime.key Advanced Introduced in version: 1.0.0

Default value: cloud.google.com/gke-nodepool

Apigee Runtime is the node for the runtime environment for the project. Node selector label key for targeting Kubernetes nodes for Apigee runtime services.

See Configure dedicated node pools.

nodeSelector.apigeeRuntime.value Advanced Introduced in version: 1.0.0

Default value: apigee-runtime

apigee-runtime is the node for the runtime environment for the project. Node selector label value for targeting Kubernetes nodes for Apigee runtime services.

See Configure dedicated node pools.

nodeSelector.requiredForScheduling Advanced Introduced in version: 1.0.0

Default value: true

The requiredForScheduling property defaults to true. When it is true, the underlying Pods are not scheduled on VM worker nodes if Kubernetes cannot find nodes with the configured label key/value.

For production, nodeSelector.requiredForScheduling should be set to true.

See Configure dedicated node pools.

redis

The following table describes the properties of the redis object:

Property Type Description
redis.auth.password Basic Introduced in version: 1.6.0

Default value: iloveapis123

Required

Password for the Redis administrator. The admin user is used for any administrative activities performed on the Redis cluster.

redis.auth.secret Basic Introduced in version: 1.9.1

Default value: None

The name of the file stored in a Kubernetes secret that contains the password for the Redis administrator. The secret file should contain the key:

data:
    redis.auth.password: encoded_value

redis.envoy.image.pullPolicy Advanced Introduced in version: 1.6.0

Default value: IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, see Updating images.

redis.envoy.image.tag Advanced Introduced in version: 1.6.0

Default value: v1.27.0

The version label for this service's Docker image.

redis.envoy.image.url Advanced Introduced in version: 1.6.0

Default value: None

The location of the Docker image for this service.

Use apigee-pull-push --list to see the current repository URL for this component.

redis.image.pullPolicy Advanced Introduced in version: 1.6.0

Default value: IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, see Updating images.

redis.image.tag Advanced Introduced in version: 1.6.0

Default value: 1.13.2

The version label for this service's Docker image.

redis.image.url Advanced Introduced in version: 1.6.0

Default value: None

The location of the Docker image for this service.

Use apigee-pull-push --list to see the current repository URL for this component.

redis.replicaCount Basic Introduced in version: 1.6.0

Default value: 2

Redis is a replicated store. This property specifies the number of Redis nodes employed as a StatefulSet.

redis.resources.requests.cpu Advanced Introduced in version: 1.6.0

Default value: 500m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

redis.tolerations.effect Advanced Introduced in version: 1.10.1

Default value: None

Required to use the Taints and Tolerations feature of Kubernetes.

effect specifies the effect that matching a toleration with a taint will have. Values for effect can be:

  • NoExecute
  • NoSchedule
  • PreferNoSchedule

See Taints and Tolerations: Concepts for details.

redis.tolerations.key Advanced Introduced in version: 1.10.1

Default value: None

Required to use the Taints and Tolerations feature of Kubernetes.

key identifies pods to which the toleration can be applied.

See Taints and Tolerations: Concepts for details.

redis.tolerations.operator Advanced Introduced in version: 1.10.1

Default value: "Equal"

Required to use the Taints and Tolerations feature of Kubernetes.

operator specifies the operation used to trigger the effect. Values for operator can be:

  • Equal matches the value set in value.
  • Exists ignores the value set in value.

See Taints and Tolerations: Concepts for details.

redis.tolerations.tolerationSeconds Advanced Introduced in version: 1.10.1

Default value: None

Used by the Taints and Tolerations feature of Kubernetes.

tolerationSeconds defines in seconds how long a pod stays bound to a failing or unresponsive node.

See Taints and Tolerations: Concepts for details.

redis.tolerations.value Advanced Introduced in version: 1.10.1

Default value: None

Used by the Taints and Tolerations feature of Kubernetes.

value is the value that triggers the effect when operator is set to Equal.

See Taints and Tolerations: Concepts for details.
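
A pre-deployment check over the redis.auth, nodeSelector.requiredForScheduling and tolerations properties described above. This is an added example, not Apigee code: it takes overrides.yaml already parsed into a dict, and both the function names and the layout of tolerations as a list of mappings under each component are assumptions.

```python
# Added example: audit a parsed overrides.yaml (a dict) before deployment.
# Assumption: each component's tolerations are a list of mappings
# (a single mapping is accepted too).

DEFAULT_REDIS_PASSWORD = "iloveapis123"  # default documented for redis.auth.password
VALID_EFFECTS = {"NoExecute", "NoSchedule", "PreferNoSchedule"}
VALID_OPERATORS = {"Equal", "Exists"}
# Components in this reference that document tolerations.* properties.
TOLERATION_OWNERS = ("mart", "metrics", "mintTaskScheduler", "redis", "runtime")


def lookup(mapping, dotted_path):
    """Return the value at a dotted property path, or None if any level is absent."""
    node = mapping
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def check_redis_auth(overrides):
    """Flag the documented default password and plaintext copies next to a secret."""
    password = lookup(overrides, "redis.auth.password")
    secret = lookup(overrides, "redis.auth.secret")
    if secret:
        if password is not None:
            return [("redis.auth.password", "plaintext password kept next to redis.auth.secret")]
        return []
    if password is None or password == DEFAULT_REDIS_PASSWORD:
        return [("redis.auth.password", "documented default password is in effect")]
    return []


def check_scheduling(overrides):
    """The reference states requiredForScheduling should be true for production."""
    if lookup(overrides, "nodeSelector.requiredForScheduling") is False:
        return [("nodeSelector.requiredForScheduling", "set to false")]
    return []


def check_tolerations(overrides):
    """Validate each toleration against the values this reference lists."""
    findings = []
    for owner in TOLERATION_OWNERS:
        entries = lookup(overrides, owner + ".tolerations") or []
        if isinstance(entries, dict):
            entries = [entries]
        for index, tol in enumerate(entries):
            if not isinstance(tol, dict):
                continue
            path = "%s.tolerations[%d]" % (owner, index)
            operator = tol.get("operator", "Equal")  # documented default
            effect = tol.get("effect")
            if operator not in VALID_OPERATORS:
                findings.append((path, "operator %r is not Equal or Exists" % (operator,)))
            if effect not in VALID_EFFECTS:
                findings.append((path, "effect %r is not a listed value" % (effect,)))
            if not tol.get("key"):
                if operator == "Exists":
                    # With no key, Exists tolerates taints regardless of their key.
                    findings.append((path, "Exists without a key tolerates taints with any key"))
                else:
                    findings.append((path, "key is missing"))
            if operator == "Exists" and tol.get("value") is not None:
                findings.append((path, "value is ignored when operator is Exists"))
            # Kubernetes accepts tolerationSeconds only together with effect NoExecute.
            if tol.get("tolerationSeconds") is not None and effect != "NoExecute":
                findings.append((path, "tolerationSeconds is set but effect is not NoExecute"))
    return findings


def audit_overrides(overrides):
    """Run every check and return a list of (property path, message) findings."""
    return (check_redis_auth(overrides)
            + check_scheduling(overrides)
            + check_tolerations(overrides))


# Constructed sample, equivalent to a parsed overrides.yaml (not from a real deployment).
SAMPLE_OVERRIDES = {
    "nodeSelector": {"requiredForScheduling": False},
    "metrics": {
        "tolerations": [
            {"key": "dedicated", "value": "metrics", "effect": "NoExecute",
             "tolerationSeconds": 3600},
            {"operator": "Exists", "effect": "NoSchedule"},
        ],
    },
    "redis": {
        "auth": {"password": "iloveapis123"},
        "tolerations": [
            {"key": "dedicated", "operator": "Exists", "value": "redis",
             "effect": "NoSchedule"},
        ],
    },
}

if __name__ == "__main__":
    for path, message in audit_overrides(SAMPLE_OVERRIDES):
        print(path + ": " + message)
```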

runtime

The following table describes the properties of the runtime object:

Property Type Description
runtime.annotations Advanced Introduced in version: 1.5.0

Default value: None

Optional key/value map used to annotate pods. For more information, see Custom annotations.

runtime.envVars Basic Introduced in version: 1.13.1

Default value: None

Allows you to supply additional env variables to the runtime component in a key-value pair:

runtime:
  envVars:
    KEY_1: VALUE_1
    ... ...
    KEY_N: VALUE_N

for example:

runtime:
  envVars:
    RUNTIME_ENV_VAR1: "value of runtime env-var 1"
    RUNTIME_ENV_VAR2: "value of runtime env-var 2"

runtime.image.pullPolicy Advanced Introduced in version: 1.0.0

Default value: IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, see Updating images.

runtime.image.tag Advanced Introduced in version: 1.0.0

Default value: 1.13.2

The version label for this service's Docker image.

runtime.image.url Advanced Introduced in version: 1.0.0

Default value: None

The location of the Docker image for this service.

Use apigee-pull-push --list to see the current repository URL for this component.

runtime.livenessProbe.failureThreshold Advanced Introduced in version: 1.0.0

Default value: 2

The number of times Kubernetes will verify that liveness probes have failed before restarting the container. The minimum value is 1.

runtime.livenessProbe.initialDelaySeconds Advanced Introduced in version: 1.0.0

Default value: 60

The number of seconds after a container is started before a liveness probe is initiated.

runtime.livenessProbe.periodSeconds Advanced Introduced in version: 1.0.0

Default value: 5

Determines how often to perform a liveness probe, in seconds. The minimum value is 1.

runtime.livenessProbe.timeoutSeconds Advanced Introduced in version: 1.0.0

Default value: 1

The number of seconds after which a liveness probe times out. The minimum value is 1.

runtime.nodeSelector.key Basic Introduced in version: 1.0.0

Default value: None

Optional

Node selector label key for targeting Kubernetes nodes for runtime services.

See nodeSelector property.

runtime.nodeSelector.value Basic Introduced in version: 1.0.0

Default value: None

Node selector label value for targeting Kubernetes nodes for runtime services.

See Configuring dedicated node pools.

runtime.readinessProbe.failureThreshold Advanced Introduced in version: 1.0.0

Default value: 2

The number of times Kubernetes will verify that readiness probes have failed before marking the pod unready. The minimum value is 1.

runtime.readinessProbe.initialDelaySeconds Advanced Introduced in version: 1.0.0

Default value: 60

The number of seconds after a container is started before a readiness probe is initiated.

runtime.readinessProbe.periodSeconds Advanced Introduced in version: 1.0.0

Default value: 5

Determines how often to perform a readiness probe, in seconds. The minimum value is 1.

runtime.readinessProbe.successThreshold Advanced Introduced in version: 1.0.0

Default value: 1

The minimum consecutive successes needed for a readiness probe to be considered successful after a failure. The minimum value is 1.

runtime.readinessProbe.timeoutSeconds Advanced Introduced in version: 1.0.0

Default value: 1

The number of seconds after which a readiness probe times out. The minimum value is 1.

runtime.replicaCountMax Basic Introduced in version: 1.0.0

Default value: 4

Maximum number of replicas available for autoscaling.

runtime.replicaCountMin Basic Introduced in version: 1.0.0

Default value: 1

Minimum number of replicas available for autoscaling.

runtime.resources.limits.cpu Advanced Introduced in version: 1.11.0

Default value: 4000m

The CPU limit for the resource in a Kubernetes container, in millicores.

runtime.resources.limits.memory Advanced Introduced in version: 1.11.0

Default value: 6Gi

The memory limit for the resource in a Kubernetes container, in mebibytes.

runtime.resources.requests.cpu Advanced Introduced in version: 1.0.0

Default value: 500m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

runtime.resources.requests.memory Advanced Introduced in version: 1.0.0

Default value: 512Mi (see note below)

The memory needed for normal operation of the resource in a Kubernetes container, in mebibytes (Mi) or gibibytes (Gi).

runtime.service.type Advanced Introduced in version: 1.0.0

Default value: ClusterIP

The type of service. You can set this to a service other than ClusterIP; for example, LoadBalancer.

runtime.targetCPUUtilizationPercentage Advanced Introduced in version: 1.0.0

Default value: 75

Target CPU utilization for the runtime process on the pod. The value of this field enables the runtime to auto-scale when CPU utilization reaches this value, up to replicaCountMax.

runtime.terminationGracePeriodSeconds Advanced Introduced in version: 1.0.0

Default value: 180

The time between a request for pod deletion and when the pod is killed, in seconds. During this period, any prestop hooks will be executed and any running process should terminate gracefully.

runtime.tolerations.effect Advanced Introduced in version: 1.10.1

Default value: None

Required to use the Taints and Tolerations feature of Kubernetes.

effect specifies the effect that matching a toleration with a taint will have. Values for effect can be:

  • NoExecute
  • NoSchedule
  • PreferNoSchedule

See Taints and Tolerations: Concepts for details.

runtime.tolerations.key Advanced Introduced in version: 1.10.1

Default value: None

Required to use the Taints and Tolerations feature of Kubernetes.

key identifies pods to which the toleration can be applied.

See Taints and Tolerations: Concepts for details.

runtime.tolerations.operator Advanced Introduced in version: 1.10.1

Default value: "Equal"

Required to use the Taints and Tolerations feature of Kubernetes.

operator specifies the operation used to trigger the effect. Values for operator can be:

  • Equal matches the value set in value.
  • Exists ignores the value set in value.

See Taints and Tolerations: Concepts for details.

runtime.tolerations.tolerationSeconds Advanced Introduced in version: 1.10.1

Default value: None

Used by the Taints and Tolerations feature of Kubernetes.

tolerationSeconds defines in seconds how long a pod stays bound to a failing or unresponsive node.

See Taints and Tolerations: Concepts for details.

runtime.tolerations.value Advanced Introduced in version: 1.10.1

Default value: None

Used by the Taints and Tolerations feature of Kubernetes.

value is the value that triggers the effect when operator is set to Equal.

See Taints and Tolerations: Concepts for details.

synchronizer

Ensures that the Message Processors are kept up to date with the latest deployed API proxy bundles. To do this, the Synchronizer polls the management plane; when a new contract is detected, the Synchronizer sends it to the runtime plane. By default, Synchronizer stores environment configuration data in Cassandra.

For more information, see Configure the Synchronizer.

The following table describes the properties of the synchronizer object:

Property Type Description
synchronizer.annotations Advanced Introduced in version: 1.5.0

Default value: None

Optional key/value map used to annotate pods. For more information, see Custom annotations.

synchronizer.image.pullPolicy Advanced Introduced in version: 1.0.0

Default value: IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, see Updating images.

synchronizer.image.tag Advanced Introduced in version: 1.0.0

Default value: 1.13.2

The version label for this service's Docker image.

synchronizer.image.url Advanced Introduced in version: 1.0.0

Default value: None

The location of the Docker image for this service.

Use apigee-pull-push --list to see the current repository URL for this component.

synchronizer.livenessProbe.failureThreshold Advanced Introduced in version: 1.0.0

Default value: 2

The number of times Kubernetes will verify that liveness probes have failed before restarting the container. The minimum value is 1.

synchronizer.livenessProbe.initialDelaySeconds Advanced Introduced in version: 1.0.0

Default value: 0

The number of seconds after a container is started before a liveness probe is initiated.

synchronizer.livenessProbe.periodSeconds Advanced Introduced in version: 1.0.0

Default value: 5

Determines how often to perform a liveness probe, in seconds. The minimum value is 1.

synchronizer.livenessProbe.timeoutSeconds Advanced Introduced in version: 1.0.0

Default value: 1

The number of seconds after which a liveness probe times out. The minimum value is 1.

synchronizer.nodeSelector.key Basic Introduced in version: 1.0.0

Default value: None

Required

Optional node selector label key for targeting Kubernetes nodes for synchronizer runtime services.

See nodeSelector.

synchronizer.nodeSelector.value Basic Introduced in version: 1.0.0

Default value: None

Optional node selector label value used for targeting Kubernetes nodes for synchronizer runtime services.

See nodeSelector.

synchronizer.pollInterval Advanced Introduced in version: 1.0.0

Default value: 60

The length of time that Synchronizer waits between polling operations. Synchronizer polls Apigee control plane services to detect and pull new runtime contracts.

synchronizer.readinessProbe.failureThreshold Advanced Introduced in version: 1.0.0

Default value: 2

The number of times Kubernetes will verify that readiness probes have failed before marking the pod unready. The minimum value is 1.

synchronizer.readinessProbe.initialDelaySeconds Advanced Introduced in version: 1.0.0

Default value: 0

The number of seconds after a container is started before a readiness probe is initiated.

synchronizer.readinessProbe.periodSeconds Advanced Introduced in version: 1.0.0

Default value: 5

Determines how often to perform a readiness probe, in seconds. The minimum value is 1.

synchronizer.readinessProbe.successThreshold Advanced Introduced in version: 1.0.0

Default value: 1

The minimum consecutive successes needed for a readiness probe to be considered successful after a failure. The minimum value is 1.

synchronizer.readinessProbe.timeoutSeconds Advanced Introduced in version: 1.0.0

Default value: 1

The number of seconds after which a readiness probe times out. The minimum value is 1.

synchronizer.replicaCount Basic Introduced in version: 1.0.0

Deprecated: Starting in Hybrid version 1.2, manage the Synchronizer replica count with: synchronizer.replicaCountMax and synchronizer.replicaCountMin

synchronizer.replicaCountMax Basic Introduced in version: 1.2.0

Default value: 4

Maximum number of replicas for autoscaling.

synchronizer.replicaCountMin Basic Introduced in version: 1.2.0

Default value: 1

Minimum number of replicas for autoscaling.

synchronizer.resources.limits.cpu Advanced Introduced in version: 1.11.0

Default value: 2000m

The CPU limit for the resource in a Kubernetes container, in millicores.

synchronizer.resources.limits.memory Advanced Introduced in version: 1.11.0

Default value: 5Gi

The memory limit for the resource in a Kubernetes container, in mebibytes.

synchronizer.resources.requests.cpu Advanced Introduced in version: 1.0.0

Default value: 100m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

synchronizer.resources.requests.memory Advanced Introduced in version: 1.0.0

Default value: 1Gi

The memory needed for normal operation of the resource in a Kubernetes container, in gigabytes.

synchronizer.serviceAccountPath Basic Introduced in version: 1.0.0

Default value: None

One of either serviceAccountPath or serviceAccountRef is required.

Path to Google Service Account key file with Apigee Synchronizer Manager role.

synchronizer.serviceAccountRef Basic Introduced in version: 1.2.0

Default value: None

One of either serviceAccountPath or serviceAccountRef is required.

synchronizer.serviceAccountSecret Basic Introduced in version: 1.1.0

Default value: None

The name of a Kubernetes secret. You must create the secret using a Google Service Account key with the Apigee Synchronizer Manager role as its input.

synchronizer.targetCPUUtilizationPercentage Advanced Introduced in version: 1.0.0

Default value: 75

Target CPU utilization for the Synchronizer process on the pod. The value of this field enables Synchronizer to auto-scale when CPU utilization reaches this value, up to replicaCountMax.

synchronizer.terminationGracePeriodSeconds Advanced Introduced in version: 1.0.0

Default value: 30

The time between a request for pod deletion and when the pod is killed, in seconds. During this period, any prestop hooks will be executed and any running process should terminate gracefully.

synchronizer.tolerations.effect Advanced Introduced in version: 1.10.1

Default value: None

Required to use the Taints and Tolerations feature of Kubernetes.

effect specifies the effect that matching a toleration with a taint will have. Values for effect can be:

  • NoExecute
  • NoSchedule
  • PreferNoSchedule

See Taints and Tolerations: Concepts for details.

synchronizer.tolerations.key Advanced Introduced in version: 1.10.1

Default value: None

Required to use the Taints and Tolerations feature of Kubernetes.

key identifies pods to which the toleration can be applied.

See Taints and Tolerations: Concepts for details.

synchronizer.tolerations.operator Advanced Introduced in version: 1.10.1

Default value: "Equal"

Required to use the Taints and Tolerations feature of Kubernetes.

operator specifies the operation used to trigger the effect. Values for operator can be:

  • Equal matches the value set in value.
  • Exists ignores the value set in value.

See Taints and Tolerations: Concepts for details.

synchronizer.tolerations.tolerationSeconds Advanced Introduced in version: 1.10.1

Default value: None

Used by the Taints and Tolerations feature of Kubernetes.

tolerationSeconds defines in seconds how long a pod stays bound to a failing or unresponsive node.

See Taints and Tolerations: Concepts for details.

synchronizer.tolerations.value Advanced Introduced in version: 1.10.1

Default value: None

Used by the Taints and Tolerations feature of Kubernetes.

value is the value that triggers the effect when operator is set to Equal.

See Taints and Tolerations: Concepts for details.

udca

(Universal Data Collection Agent) Defines the service that runs within the data collection pod in the runtime plane. This service extracts analytics and deployment status data and sends it to the Unified Analytics Platform (UAP).

For more information, see Analytics and deployment status data collection.

The following table describes the properties of the udca object:

Property Type Description
udca.annotations Advanced Introduced in version: 1.5.0

Default value: None

Optional key/value map used to annotate pods. For more information, see Custom annotations.

udca.fluentd.image.pullPolicy Advanced Introduced in version: 1.0.0

Default value: IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, see Updating images.

udca.fluentd.image.tag Advanced Introduced in version: 1.0.0

Default value: 1.9.12-2

The version label for this service's Docker image.

udca.fluentd.image.url Advanced Introduced in version: 1.0.0

Default value: gcr.io/apigee-release/hybrid/apigee-stackdriver-logging-agent

The location of the Docker image for this service.

udca.fluentd.resources.limits.cpu Advanced Introduced in version: 1.11.0

Default value: 1000m

The CPU limit for the resource in a Kubernetes container, in millicores.

udca.fluentd.resources.limits.memory Advanced Introduced in version: 1.11.0

Default value: 500Mi

The memory limit for the resource in a Kubernetes container, in mebibytes.

udca.fluentd.resources.requests.cpu Advanced Introduced in version: 1.0.0

Default value: 500m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

udca.fluentd.resources.requests.memory Advanced Introduced in version: 1.0.0

Default value: 250Mi

The memory needed for normal operation of the resource in a Kubernetes container, in mebibytes.

udca.gsa Advanced Introduced in version: 1.10.0

Default value: None

Helm only: The email address of the apigee-udca Google IAM service account (GSA) to associate with the corresponding Kubernetes service account when enabling Workload Identity on GKE clusters using Helm charts. Set this when you have set gcp.workloadIdentity.enabled to true.

GSA email addresses typically have the format of:

GSA_NAME@PROJECT_ID.iam.gserviceaccount.com

For example:

apigee-udca@my-hybrid-project.iam.gserviceaccount.com

See Enabling Workload Identity on GKE or Enabling Workload Identity Federation on AKS and EKS.

udca.image.pullPolicy Advanced Introduced in version: 1.0.0

Default value: IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, see Updating images.

udca.image.tag Advanced Introduced in version: 1.0.0

Default value: 1.13.2

The version label for this service's Docker image.

udca.image.url Advanced Introduced in version: 1.0.0

Default value: None

The location of the Docker image for this service.

Use apigee-pull-push --list to see the current repository URL for this component.

udca.jvmXms Advanced Introduced in version: 1.0.0

Deprecated: Starting in Hybrid version 1.8, udca.jvmXms is no longer used.

udca.jvmXmx Advanced Introduced in version: 1.0.0

Deprecated: Starting in Hybrid version 1.8, udca.jvmXmx is no longer used.

udca.livenessProbe.failureThreshold Advanced Introduced in version: 1.0.0

Default value: 2

The number of times Kubernetes will verify that liveness probes have failed before restarting the container. The minimum value is 1.

udca.livenessProbe.initialDelaySeconds Advanced Introduced in version: 1.0.0

Default value: 0

The number of seconds after a container is started before a liveness probe is initiated.

udca.livenessProbe.periodSeconds Advanced Introduced in version: 1.0.0

Default value: 5

Determines how often to perform a liveness probe, in seconds. The minimum value is 1.

udca.livenessProbe.timeoutSeconds Advanced Introduced in version: 1.0.0

Default value: 1

The number of seconds after which a liveness probe times out. The minimum value is 1.

udca.nodeSelector.key Basic Introduced in version: 1.0.0

Default value: None

Required

Node selector label key used to target dedicated Kubernetes nodes for udca runtime services.

See Configuring dedicated node pools.

udca.nodeSelector.value Basic Introduced in version: 1.0.0

Default value: None

Required

Node selector label value used to target dedicated Kubernetes nodes for udca runtime services.

See Configuring dedicated node pools.

udca.pollingIntervalInSec Advanced Introduced in version: 1.0.0

Default value: 1

The length of time, in seconds, that UDCA waits between polling operations. UDCA polls the data directory on the data collection pod's file system to detect new files to be uploaded.

udca.replicaCountMax Basic Introduced in version: 1.0.0

Default value: 4

The maximum number of pods that hybrid can automatically add for the UDCA deployment. Because UDCA is implemented as a ReplicaSet, the pods are replicas.

It is recommended to set udca.replicaCountMax to a maximum number of replicas per environment times the number of environments in your Apigee org. For example, if you want to allow at most 4 replicas per environment and you have 3 environments, set udca.replicaCountMax: 12.

udca.replicaCountMin Basic Introduced in version: 1.0.0

Default value: 1

The minimum number of pods for the UDCA deployment. Because UDCA is implemented as a ReplicaSet, the pods are replicas.

If the CPU usage goes above udca.targetCPUUtilizationPercentage, then hybrid will gradually increase the number of pods, up to udca.replicaCountMax.

udca.resources.limits.cpu Advanced Introduced in version: 1.11.0

Default value: 1000m

The CPU limit for the resource in a Kubernetes container, in millicores.

udca.resources.limits.memory Advanced Introduced in version: 1.11.0

Default value: 2Gi

The memory limit for the resource in a Kubernetes container, in mebibytes.

udca.resources.requests.cpu Advanced Introduced in version: 1.0.0

Default value: 250m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

udca.resources.requests.memory Advanced Introduced in version: 1.0.0

Default value: 250Mi

The memory needed for normal operation of the resource in a Kubernetes container, in mebibytes.

udca.revision Advanced Introduced in version: 1.0.0

Default value: v1

A static value that is populated in a label to enable canary deployments.

udca.serviceAccountPath Basic Introduced in version: 1.0.0

Default value: None

One of either serviceAccountPath or serviceAccountRef is required.

Path to Google Service Account key file with Apigee Analytics Agent role.

udca.serviceAccountRef Basic Introduced in version: 1.2.0

Default value: None

One of either serviceAccountPath or serviceAccountRef is required.

udca.targetCPUUtilizationPercentage Advanced Introduced in version: 1.0.0

Default value: 75

The threshold of CPU usage for scaling the number of pods in the ReplicaSet, as a percentage of total available CPU resources. Hybrid uses the combined utilization of all containers in the data collection pod (both fluentd and UDCA) to calculate the current utilization.

When CPU usage goes above this value, then hybrid will gradually increase the number of pods in the ReplicaSet, up to udca.replicaCountMax.

udca.terminationGracePeriodSeconds Advanced Introduced in version: 1.0.0

Default value: 600

The time between a request for pod deletion and when the pod is killed, in seconds. During this period, any prestop hooks will be executed and any running process should terminate gracefully.

udca.tolerations.effect Advanced Introduced in version: 1.10.1

Default value: None

Required to use the Taints and Tolerations feature of Kubernetes.

effect specifies the effect that matching a toleration with a taint will have. Values for effect can be:

  • NoExecute
  • NoSchedule
  • PreferNoSchedule

See Taints and Tolerations: Concepts for details.

udca.tolerations.key Advanced Introduced in version: 1.10.1

Default value: None

Required to use the Taints and Tolerations feature of Kubernetes.

key identifies pods to which the toleration can be applied.

See Taints and Tolerations: Concepts for details.

udca.tolerations.operator Advanced Introduced in version: 1.10.1

Default value: "Equal"

Required to use the Taints and Tolerations feature of Kubernetes.

operator specifies the operation used to trigger the effect. Values for operator can be:

  • Equal matches the value set in value.
  • Exists ignores the value set in value.

See Taints and Tolerations: Concepts for details.

udca.tolerations.tolerationSeconds Advanced Introduced in version: 1.10.1

Default value: None

Used by the Taints and Tolerations feature of Kubernetes.

tolerationSeconds defines in seconds how long a pod stays bound to a failing or unresponsive node.

See Taints and Tolerations: Concepts for details.

udca.tolerations.value Advanced Introduced in version: 1.10.1

Default value: None

Used by the Taints and Tolerations feature of Kubernetes.

value is the value that triggers the effect when operator is set to Equal.

See Taints and Tolerations: Concepts for details.

virtualhosts

The virtualhosts property is a required configuration property. Virtual hosts allow Apigee hybrid to handle API requests to a specified environment group.

For more information, see Configure virtual hosts.

The following table describes the properties of the virtualhosts object:

Property Type Description
virtualhosts[].additionalGateways Basic Introduced in version: 1.2.0

Default value: None

A list of Istio Gateways to route traffic to.

virtualhosts[].cipherSuites[] Advanced Introduced in version: 1.9.2

Default value: None

This property configures the TLS ciphers used in the ingress gateway. Below is a list of the ciphers enabled by default in OpenSSL format. You can find more information about the supported ciphers in the documentation for the Boring FIPS build of Envoy. A blank value defaults to the cipher suites supported by the Boring FIPS build of Envoy.

Enabled by default for TLS v.1.3 (you cannot override TLS 1.3 cipher suites):

  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256

Enabled by default for TLS v.1.2:

  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384

If you want to enable older versions of TLS in your Apigee ingress gateway deployment, use the virtualhosts.minTLSProtocolVersion property along with the virtualhosts.cipherSuites property.

For example, to enable TLS v.1.1:

virtualhosts:
- name: ENV_GROUP_NAME
  minTLSProtocolVersion: "1.1"
  cipherSuites:
  - "ECDHE-ECDSA-AES128-GCM-SHA256"
  - "ECDHE-RSA-AES128-GCM-SHA256"
  - "ECDHE-ECDSA-AES256-GCM-SHA384"
  - "ECDHE-RSA-AES256-GCM-SHA384"
  - "ECDHE-ECDSA-CHACHA20-POLY1305"
  - "ECDHE-RSA-CHACHA20-POLY1305"
  - "ECDHE-ECDSA-AES128-SHA"
  - "ECDHE-RSA-AES128-SHA"
  - "ECDHE-ECDSA-AES256-SHA"
  - "ECDHE-RSA-AES256-SHA"
...
virtualhosts[].name Basic Introduced in version: 1.2.0

Default value: None

Required

The name of the virtual host.

virtualhosts[].maxTLSProtocolVersion Basic Introduced in version: 1.3.0

Default value: None

The maximum version of the TLS protocol Envoy can select. Envoy automatically uses the optimal TLS protocol version between virtualhosts[].minTLSProtocolVersion and virtualhosts[].maxTLSProtocolVersion.

The value must be in the form of a number. For example:

virtualhosts:
  - name: default
    maxTLSProtocolVersion: "1.3"

Where the number represents the TLS version number in the form #.#. In the example above, "1.3" represents the Istio TLS version TLSV1_3.

See also ServerTLSSettings.TLSProtocol in the Istio documentation.

virtualhosts[].minTLSProtocolVersion Basic Introduced in version: 1.3.0

Default value: None

The minimum version of the TLS protocol Envoy can select. Envoy automatically uses the optimal TLS protocol version between virtualhosts[].minTLSProtocolVersion and virtualhosts[].maxTLSProtocolVersion.

The value must be in the form of a number. For example:

virtualhosts:
  - name: default
    minTLSProtocolVersion: "1.2"

Where the number represents the TLS version number in the form #.#. In the example above, "1.2" represents the Istio TLS version TLSV1_2.

See also ServerTLSSettings.TLSProtocol in the Istio documentation.

virtualhosts[].selector Basic Introduced in version: 1.2.0

Default value: app: apigee-ingressgateway

Required

A key-value selector pair used to point to different ingress selectors.

  • apigee-ingressgateway: for Apigee hybrid installations using Apigee ingress gateway.
  • istio-ingressgateway: for Apigee hybrid installations using Cloud Service Mesh (Apigee hybrid versions 1.8 and earlier).

If no selector label is supplied, the configuration is supplied to Apigee ingress gateway.

virtualhosts[].sslCertPath Basic Introduced in version: 1.2.0

Default value: None

Either sslCertPath/sslKeyPath or sslSecret is required.

The path on your system to a TLS certificate file.

virtualhosts[].sslKeyPath Basic Introduced in version: 1.2.0

Default value: None

Either sslCertPath/sslKeyPath or sslSecret is required.

The path on your system to the TLS private key file.

virtualhosts[].sslSecret Basic Introduced in version: 1.2.0

Default value: None

Either sslCertPath/sslKeyPath or sslSecret is required.

The name of a file stored in a Kubernetes secret that contains the TLS certificate and private key. You must create the secret using the TLS certificate and key data as its input.
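The virtualhosts[] TLS rules above (certificate source, minTLSProtocolVersion/maxTLSProtocolVersion, and cipherSuites) can be checked before an overrides file is applied. The following is an added example, not part of the Apigee documentation or tooling: it assumes the virtualhosts list has already been parsed from overrides.yaml into Python dicts, and the function names, secret name and certificate paths are constructed for illustration.

```python
import re

# Cipher names copied from the cipherSuites entry above (OpenSSL format).
DEFAULT_TLS12 = {
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
}
TLS13_FIXED = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}
VERSION_RE = re.compile(r"^\d\.\d$")  # the "#.#" form the page describes


def audit_virtualhost(vh):
    """Return (severity, message) findings for one virtualhosts[] entry."""
    findings = []
    if not vh.get("name"):
        findings.append(("error", "name is required"))

    # Either sslCertPath/sslKeyPath or sslSecret is required.
    has_paths = bool(vh.get("sslCertPath")) and bool(vh.get("sslKeyPath"))
    if not (has_paths or vh.get("sslSecret")):
        findings.append(("error", "set sslCertPath and sslKeyPath, or sslSecret"))

    # Parse min/max into comparable tuples, e.g. "1.2" -> (1, 2).
    parsed = {}
    for key in ("minTLSProtocolVersion", "maxTLSProtocolVersion"):
        if vh.get(key) is None:
            continue
        raw = str(vh[key])
        if VERSION_RE.match(raw):
            parsed[key] = tuple(int(part) for part in raw.split("."))
        else:
            findings.append(("error", f"{key}={raw!r} is not in #.# form"))
    lo = parsed.get("minTLSProtocolVersion")
    hi = parsed.get("maxTLSProtocolVersion")
    if lo and lo < (1, 2):
        # TLS 1.0 and 1.1 are deprecated by RFC 8996.
        findings.append(("warn", "minTLSProtocolVersion allows TLS older than 1.2"))
    if lo and hi and lo > hi:
        findings.append(("error", "minTLSProtocolVersion is above maxTLSProtocolVersion"))

    for suite in vh.get("cipherSuites") or []:
        if suite in TLS13_FIXED:
            findings.append(("info", f"{suite}: TLS 1.3 suites cannot be overridden"))
        elif suite.endswith("-SHA"):
            findings.append(("warn", f"{suite}: non-AEAD suite with a SHA-1 MAC"))
        elif suite not in DEFAULT_TLS12:
            findings.append(("info", f"{suite}: not in the default TLS 1.2 list"))
    return findings


def audit(virtualhosts):
    """Map each entry's name (or its list index) to its findings."""
    return {vh.get("name") or f"#{i}": audit_virtualhost(vh)
            for i, vh in enumerate(virtualhosts)}


# Constructed sample input. The first entry mirrors the TLS v.1.1 example
# above; the secret name and file paths are placeholders.
SAMPLE = [
    {"name": "ENV_GROUP_NAME", "minTLSProtocolVersion": "1.1",
     "sslSecret": "example-tls-secret",
     "cipherSuites": [
         "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
         "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
         "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
         "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA",
         "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA"]},
    {"name": "default", "minTLSProtocolVersion": "1.2",
     "maxTLSProtocolVersion": "1.3",
     "sslCertPath": "./certs/fullchain.pem", "sslKeyPath": "./certs/privkey.pem"},
    {"name": "broken", "minTLSProtocolVersion": "1.3",
     "maxTLSProtocolVersion": "1.2", "sslCertPath": "./certs/fullchain.pem",
     "cipherSuites": ["TLS_AES_128_GCM_SHA256"]},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "OK" if not findings else "")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```
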


watcher

The watcher property is a required configuration property. The watcher is a process that watches for configuration changes and triggers their application to the runtime plane.

The following table describes the properties of the watcher object:

Property Type Description
watcher.annotations Advanced Introduced in version: 1.5.0

Default value: None

Optional key/value map used to annotate pods. For more information, see Custom annotations.

watcher.args.enableIssueScanning Advanced Introduced in version: 1.10.0

Default value: true

Enables or disables Automated issue surfacing. When true, Watcher automatically scans the control plane and Kubernetes API server state to determine if there are any configuration issues.

Set to false to disable Automated issue surfacing. For more information, see Automated issue surfacing.

watcher.args.enableLeaderElect Advanced Introduced in version: 1.13.0

Default value: true

When true (the default), watcher.args.enableLeaderElect selects a single watcher pod to manage and report the routing information. Limiting this to a single pod is required to prevent downtime during upgrades or rollback. During these events, multiple versions of watcher can be running simultaneously. Each Watcher instance may have different route creation logic, which can cause downtime. See watcher.replicaCountMax.

watcher.args.issueScanInterval Advanced Introduced in version: 1.10.0

Default value: 60

The interval in seconds for how often Watcher scans the runtime plane for automated issue surfacing. For more information, see Automated issue surfacing.

watcher.gsa Advanced Introduced in version: 1.10.0

Default value: None

Helm only: The email address of the apigee-watcher Google IAM service account (GSA) to associate with the corresponding Kubernetes service account when enabling Workload Identity on GKE clusters using Helm charts. Set this when you have set gcp.workloadIdentity.enabled to true.

GSA email addresses typically have the format of:

GSA_NAME@PROJECT_ID.iam.gserviceaccount.com

For example:

apigee-watcher@my-hybrid-project.iam.gserviceaccount.com

See Enabling Workload Identity on GKE or Enabling Workload Identity Federation on AKS and EKS.

watcher.image.pullPolicy Advanced Introduced in version: 1.4.0

Default value: IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, see Updating images.

watcher.image.tag Advanced Introduced in version: 1.4.0

Default value: 1.13.2

The version label for this service's Docker image.

watcher.image.url Advanced Introduced in version: 1.4.0

Default value: None

The location of the Docker image for this service.

Use apigee-pull-push --list to see the current repository URL for this component.

watcher.replicaCountMax Basic Introduced in version: 1.3.0

Default value: 1

The maximum number of watcher replicas. This should be kept at 1 to avoid conflicts.

Apigee hybrid uses one watcher pod per installation. Leader election automatically selects one watcher pod. Additional watcher pod replicas will be forced into an unstable state. See watcher.args.enableLeaderElect.

watcher.replicaCountMin Basic Introduced in version: 1.3.0

Default value: 1

The minimum number of watcher replicas.

watcher.resources.limits.cpu Advanced Introduced in version: 1.11.0

Default value: 1000m

The CPU limit for the resource in a Kubernetes container, in millicores.

watcher.resources.limits.memory Advanced Introduced in version: 1.11.0

Default value: 2Gi

The memory limit for the resource in a Kubernetes container, in mebibytes.

watcher.serviceAccountPath Basic Introduced in version: 1.3.0

Default value: None

Required.

Path to Google Service Account key file with Apigee Runtime Agent role.

watcher.serviceAccountRef Advanced Introduced in version: 1.3.0

Default value: None

One of either serviceAccountPath or serviceAccountRef is required.

watcher.tolerations.effect Advanced Introduced in version: 1.10.1

Default value: None

Required to use the Taints and Tolerations feature of Kubernetes.

effect specifies the effect that matching a toleration with a taint will have. Values for effect can be:

  • NoExecute
  • NoSchedule
  • PreferNoSchedule

See Taints and Tolerations: Concepts for details.

watcher.tolerations.key Advanced Introduced in version: 1.10.1

Default value: None

Required to use the Taints and Tolerations feature of Kubernetes.

key identifies pods to which the toleration can be applied.

See Taints and Tolerations: Concepts for details.

watcher.tolerations.operator Advanced Introduced in version: 1.10.1

Default value: "Equal"

Required to use the Taints and Tolerations feature of Kubernetes.

operator specifies the operation used to trigger the effect. Values for operator can be:

  • Equal matches the value set in value.
  • Exists ignores the value set in value.

See Taints and Tolerations: Concepts for details.

watcher.tolerations.tolerationSeconds Advanced Introduced in version: 1.10.1

Default value: None

Used by the Taints and Tolerations feature of Kubernetes.

tolerationSeconds defines in seconds how long a pod stays bound to a failing or unresponsive node.

See Taints and Tolerations: Concepts for details.

watcher.tolerations.value Advanced Introduced in version: 1.10.1

Default value: None

Used by the Taints and Tolerations feature of Kubernetes.

value is the value that triggers the effect when operator is set to Equal.

See Taints and Tolerations: Concepts for details.