Introduced in version: 1.3.0

Default value:Your organization name

Optional

The name of aKubernetes secret that contains a hashing salt value used to encryptobfuscated user data sent to Apigee analytics. If you do not specify a salt value, your organization name is used by default.Create the secret with the salt value as its input. You can use the same salt across multiple clusters to ensure consistent hashing results between the clusters.

Default value:https://apigee.googleapis.com

Defines the API path for all APIs in your installation.

Introduced in version: 1.0.0

Default value:none

Required

ID of your Google Cloud project. Works withk8sClusterName (deprecated) andgcpRegion (deprecated) to identify the project and determine where theapigee-logger and theapigee-metrics push their data.

Introduced in version: 1.0.0

Default value:us-central1

Required

The closet Google Cloud region or zone of your Kubernetes cluster. Works withgcpProjectID (deprecated) andk8sClusterName (deprecated) to identify the project and determine where theapigee-logger and theapigee-metrics push their data.

Default value: None

Kubernetes secret name configured as docker-registry type; used to pull images from private repo.

Default value: None

Required

A unique identifier for this installation.

A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters in length.

Introduced in version: 1.0.0

Default value: None

Name of the Kubernetes (K8S) procluster where your hybrid project is running. Works withgcpProjectID (deprecated) andgcpRegion (deprecated) to identify the project and determine where theapigee-logger and theapigee-metrics push their data.

Default value:defaults.org.kmsEncryptionKey

Optional. Use only one ofkmsEncryptionKey orkmsEncryptionPath orkmsEncryptionSecret.

Local file system path for the ApigeeKMS data's encryption key.

Default value: None

Optional. Use only one ofkmsEncryptionKey orkmsEncryptionPath orkmsEncryptionSecret.

The path to a file containing a base64-encoded encryption key. SeeData encryption.

Default value: None

Optional. Use only one ofkmsEncryptionKey orkmsEncryptionPath orkmsEncryptionSecret.

The key of aKubernetes secret containing a base64-encoded encryption key. SeeData encryption.

Default value: None

Optional. Use only one ofkmsEncryptionKey orkmsEncryptionPath orkmsEncryptionSecret.

The name of aKubernetes secret containing a base64-encoded encryption key. SeeData encryption.

Default value:defaults.org.kmsEncryptionKey

Optional. Use only one ofkvmEncryptionKey orkvmEncryptionPath orkvmEncryptionSecret.

Local file system path for the ApigeeKVM data's encryption key.

Default value: None

Optional. Use only one ofkvmEncryptionKey orkvmEncryptionPath orkvmEncryptionSecret.

The path to a file containing a base64-encoded encryption key. SeeData encryption.

Default value: None

Optional. Use only one ofkvmEncryptionKey orkvmEncryptionPath orkvmEncryptionSecret.

The key of aKubernetes secret containing a base64-encoded encryption key. SeeData encryption.

Default value: None

Optional. Use only one ofkvmEncryptionKey orkvmEncryptionPath orkvmEncryptionSecret.

The name of aKubernetes secret containing a base64-encoded encryption key. SeeData encryption.

Default value:apigee

The namespace of your Kubernetes cluster where the Apigee components will be installed.

Introduced in version: 1.0.0

Default value: None

Required

The hybrid-enabled organization that was provisioned for you by Apigee during the hybrid installation. An organization is the top-level container in Apigee. It contains all your API proxies and related resources. If the value is empty, you must update it with your org name once you have created it.

Default value:true

Enables the Universal Data Collection Agent service (UDCA) at the org level, that extracts analytics, monetization and debug (trace) and sends it to the Unified Analytics Platform (UAP) which resides in the Control Plane.

If you prefer to use a separate UDCA agent for each environment, setorgScopedUDCA: false and set the values forenvs[].serviceAccountPaths.udca andenvs[].serviceAccountSecretRefs.udca.

See also:udca.

Default value:v120

Apigee hybrid supports rolling Kubernetes updates, which allow deployment updates to take place with zero downtime by incrementally updating Pod instances with new ones.

When updating certain YAML overrides that result in underlying KubernetesPodTemplateSpec change, therevision override property must also be changed in the customer'soverride.yaml. This is required for the underlying KubernetesApigeeDeployment (AD) controller to conduct a safe rolling update of from the previous version to the new version. You can use any lowercase text value, eg:blue,a,1.0.0

• nodeSelector
• envs
• imagePullSecrets
• gcpProjectID
• k8sClusterName
• contractProvider
• org

For more information, seeRolling updates.

Default value:true

Enables strict validation of the link between the Apigee Org and GCP project and checks for the existence of environment groups.

See alsoorg

Default value:true

Enables strict validation of service account permissions. This uses Cloud Resource Manager API methodtestIamPermissions to verify that the provided service account has the required permissions. In the case of service accounts for an Apigee Org, the project ID check is the one mapped to the Organization. For Metrics and Logger, the project checked is based on thegcpProjectIDoverrides.yaml configuration.

See alsogcpProjectID

Default value: None

Optional key/value map used to annotate pods. For more information, seeCustom annotations.

Default value:iloveapis123

Required

Password for the Cassandra administrator. The admin user is used for any administrative activities performed on the Cassandra cluster.

Default value:iloveapis123

Required

Password for the Cassandra Data Definition Language (DDL) user. Used by MART for any of the data definition tasks like keyspace creation, update, and deletion.

Default value:iloveapis123

Required

The password for the default Cassandra user created when Authentication is enabled. This password must be reset when configuring Cassandra authentication. SeeConfiguring TLS for Cassandra.

Default value:iloveapis123

Required

Password for the Cassandra Data Manipulation Language (DML) user. The DML user is used by the client communication to read and write data to Cassandra.

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

• IfNotPresent: Do not pull a new image if it already exists.
• Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

Default value:1.8.8

The version label for this service's Docker image.

Default value:gcr.io/apigee-release/hybrid/apigee-hybrid-cassandra-client

The location of the Docker image for this service.

Default value:iloveapis123

Required

Password for the Cassandra JMX operations user. Used to authenticate and communicate with the Cassandra JMX interface.

Default value:jmxuser

Required

Username for the Cassandra JMX operations user. Used to authenticate and communicate with the Cassandra JMX interface.

Default value:iloveapis123

Required

Password for the Cassandra Jolokia JMX operations user. Used to authenticate and communicate with the Cassandra JMX API.

Default value:apigee

Required

Username for the Cassandra Jolokia JMX operations user. Used to authenticate and communicate with the Cassandra JMX API.

Default value: None

The name of the file stored in a Kubernetes secret that contains the Cassandra users and passwords. You can create the secret using following the following instructions:Create the Secret.

See also:

• Storing data in a Kubernetes secret
• Secrets in the Kubernetes documentation
• Creating a Secret Using kubectl in the Kubernetes documentation

Default value:GCP

Required if backup is enabled.

Cloud provider for backup storage.

You can set the value to eitherGCP orHYBRID. Set the value toGCP if you want to store the backup on Google Cloud Storage, andHYBRID if you want to store the backup on a remote server.

Default value: None

Required if backup is enabled.

Cloud storage bucket for the backup data.

Default value:false

Data backup is not enabled by default. To enable, set totrue.

SeeCassandra backup and recovery.

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

• IfNotPresent: Do not pull a new image if it already exists.
• Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

Default value:1.8.8

The version label for this service's Docker image.

Default value:gcr.io/apigee-release/hybrid/apigee-cassandra-backup-utility

The location of the Docker image for this service.

Default value:0 2 * * *

The schedule for the cron job.

SeeCassandra backup and recovery.

Default value: None

One of eitherbackup.serviceAccountPath orbackup.serviceAccountRef is required if backup is enabled.

Path to Google Service Account key file withStorage Object Admin role.

Default value: None

One of eitherbackup.serviceAccountPath orbackup.serviceAccountRef is required if backup is enabled.

Default value:apigeecluster

Specifies the name of the Cassandra cluster.

Default value:dc-1

Specifies the datacenter of the Cassandra node.

Default value: None

Note: In Apigee hybrid v1.3, this property is no longer supported.

When you sethostNetwork to true, the DNS policy is set toClusterFirstWithHostNet for you.

Default value: None

Hostname or IP of a Cassandra cluster node. If not set, the Kubernetes local service is used.

Default value:100M

The amount ofJVM system memory allocated to newer objects, in megabytes.

Default value:false

Enables the KuberneteshostNetwork feature. Apigee uses this feature in multi-region installations to communicate between pods if the pod network namespace does not have connectivity between clusters (the clusters are running in "island network mode"), which is the default case in non-GKE installations, including GKE on-prem, GKE on AWS, Anthos on bare metal, AKS, EKS, and OpenShift.

Setcassandra.hostNetwork tofalse for single region installations and multi-region installations with connectivity between pods in different clusters, for example GKE installations.

Setcassandra.hostNetwork totrue for multi-region installations with no communication between between pods in different clusters, for example GKE On-prem, GKE on AWS, Anthos on bare metal, AKS, EKS, and OpenShift installations. SeeMulti-region deployment: Prerequisites.

Whentrue,DNS policy is automatically set toClusterFirstWithHostNet.

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

• IfNotPresent: Do not pull a new image if it already exists.
• Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

Default value:1.8.8

The version label for this service's Docker image.

Default value:gcr.io/apigee-release/hybrid/apigee-hybrid-cassandra

The location of the Docker image for this service.

Default value:512M

The upper limit ofJVM system memory available for Cassandra operations, in megabytes.

Default value: None

IP address of an existing Cassandra cluster used to expand the existing cluster to a new region. SeeConfigure the multi-region seed host.

Default value: None

Required

Node selector label key used to target dedicated Kubernetes nodes forcassandra data services.

See Configuring dedicated node pools.

Default value: None

Optional node selector label value used to target dedicated Kubernetes nodes forcassandra data services and override thenodeSelector.apigeeData settings.

SeenodeSelector.

Default value:9042

Port number used to connect to cassandra.

Default value:ra-1

Specifies the rack of the Cassandra node.

Default value:2

The number of times Kubernetes will verify that readiness probes have failed before marking the podunready. The minimum value is 1.

Default value:0

The number of seconds after a container is started before a readiness probe is initiated.

Default value:10

Determines how often to perform a readiness probe, in seconds. The minimum value is 1.

Default value:1

The minimum consecutive successes needed for a readiness probe to be considered successful after a failure. The minimum value is 1.

Default value:5

The number of seconds after which a liveness probe times out. The minimum value is 1.

Default value:1

Cassandra is a replicated database. This property specifies the number of Cassandra nodes employed as aStatefulSet.

Default value:500m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

Default value:1Gi

The memory needed for normal operation of the resource in a Kubernetes container, in mebibytes.

Default value:GCP

Required if restore is enabled.

Cloud provider for backup storage.

Default value: None

Required if restore is enabled.

Cloud storage bucket for the backup data to restore.

Default value:false

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

• IfNotPresent: Do not pull a new image if it already exists.
• Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

Default value:1.8.8

The version label for this service's Docker image.

Default value:gcr.io/apigee-release/hybrid/apigee-cassandra-backup-utility

The location of the Docker image for this service.

Default value: None

One of eitherrestore.serviceAccountPath orrestore.serviceAccountRef is required if restore is enabled.

Path to Google Service Account key file withStorage Object Admin role.

Default value: None

One of eitherrestore.serviceAccountPath orrestore.serviceAccountRef is required if restore is enabled.

Default value: None

Required if restore is enabled.

Timestamp of the backup that should be restored.

Default value:admin account

Cassandra username used for schema backup restoration. If not specified, the admin user will be used.

Default value: None

The path on your system to a TLS certificate file.

Default value: None

The path on your system to the TLS private key file.

Default value: None

The certificate chain to the root CA (certificate authority).

Default value:50Gi

Required ifstorage.storageclass is specified

Specifies the disk size required, in mebibytes.

Default value: None

Specifies the class of on-prem storage being used.

Default value:300

The time between a request for pod deletion and when the pod is killed, in seconds. During this period, any prestop hooks will be executed and any running process should terminate gracefully.

Default value: None

Optional key/value map used to annotate pods. For more information, seeCustom annotations.

Default value:apigeeconnect.googleapis.com:443

The location of the server and port for this service.

Default value:INFO

The level of log reporting. Values can be:

• INFO: Informational messages in addition to warning, error, and fatal messages. Most useful for debugging.
• WARNING: Non-fatal warnings in addition to error and fatal messages.
• ERROR: Internal errors and errors that are not returned to the user in addition to fatal messages.
• FATAL: Unrecoverable errors and events that cause Apigee Connect to crash.

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

• IfNotPresent: Do not pull a new image if it already exists.
• Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

Default value:1.8.8

The version label for this service's Docker image.

Default value:gcr.io/apigee-release/hybrid/apigee-connect-agent

The location of the Docker image for this service. Check thevalues.yaml file for the specific URL.

Default value:5

Maximum number of replicas available for autoscaling.

Default value:1

Minimum number of replicas available for autoscaling.

In production, you may want to increasereplicaCountMin to 3, to have a greater number of connections to the control plane for reliability and scalability.

Default value:100m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

Default value:30Mi

The memory needed for normal operation of the resource in a Kubernetes container, in mebibytes.

Default value:75

Target CPU utilization for the Apigee Connect agent on the pod. The value of this field enables Apigee Connect to auto-scale when CPU utilization reaches this value, up toreplicaCountMax.

Default value:600

The time between a request for pod deletion and when the pod is killed, in seconds. During this period, any prestop hooks will be executed and any running process should terminate gracefully.

Default value: None

Required

The name of the Google Cloud storage bucket where your diagnostic data will be deposited.

SeeCreating storage buckets.

Default value: None

Required

This specifies which type of pod you are capturing data from. The values can be one of:

• "apigee-cassandra" captures data about the Cassandra databgase. The istio-cassandra pods runs in the apigee namespace.
• "apigee-mart-server" captures data about MART. The apigee-mart-server pods runs in the apigee namespace.
• "apigee-runtime" captures data about the Message Processor. The apigee-runtime pods runs in the apigee namespace.
• "apigee-synchronizer" captures data about the Synchronizer. The apigee-synchronizer pods runs in the apigee namespace.
• "apigee-udca" captures data about UDCA. The apigee-udca pods runs in the apigee namespace.
• "apigee-watcher" captures data about Watcher. The apigee-watcher pods runs in the apigee namespace.
• "istio-proxy" captures data about the Istio ingress gateway. The istio-proxy pods runs in the istio-system namespace.

Default value: None

Required if the diagnostic collection operation is "LOGGING" (set withoperation: "LOGGING")

The duration in milliseconds of the log data collected. A typical value is30000.

Seediagnostic.operation

Default value: None

Required if the diagnostic collection operation is "LOGGING" (set withoperation: "LOGGING")

Specifies by name which loggers to collect data from. For Apigee hybrid version 1.6.0, the only value supported isALL, meaning all loggers. For example:

diagnostic:loggingDetails:loggerNames:-ALL

Default value: None

Required if the diagnostic collection operation is "LOGGING" (set withoperation: "LOGGING")

Specifies the granularity of the logging data to collect. In Apigee hybrid 1.6, OnlyFINE is supported.

Default value: None

Required

The Kubernetes namespace in which the pods you are collecting data on reside. The namespace must be the correct one for the container you specify withdiagnostic.container:

apigee for

• apigee-runtime
• apigee-synchronizer
• apigee-udca
• apigee-watcher
• apigee-cassandra
• apigee-mart-server

istio-system for

• istio-proxy

Default value: None

Required

Specifies whether to collect all statistics or just logs.

Values are:

• "ALL"
• "LOGGING"

  If you setdiagnostic.operation to"LOGGING", the following properties are required:

  • diagnostic.loggingDetails.logDuration
  • diagnostic.loggingDetails.loggerNames
  • diagnostic.loggingDetails.logLevel

Default value: None

Required

The names of the Kubernetes pods for which you are collecting data. For example:

diagnostic:podNames:-apigee-runtime-eng-hybrid-example-3b2ebf3-150-8vfoj-2wcjn-apigee-runtime-eng-hybrid-example-3b2ebf3-150-8vfoj-6xzn2

Default value: None

Required

The path to a service account key file (.json) for the service account with the Storage Admin role (roles/storage.admin). In most Apigee hybrid installations, this is theapigee-cassandra service account.

SeeAbout service accounts.

Default value: None

One of eitherdiagnostic.tcpDumpDetails.maxMsgs ordiagnostic.tcpDumpDetails.timeoutInSeconds isRequired if you are usingdiagnostic.tcpDumpDetails.

Sets the maximum number oftcpDump messages to collect. Apigee recommends a maximum value no greater than1000.

Default value: None

One of eitherdiagnostic.tcpDumpDetails.maxMsgs ordiagnostic.tcpDumpDetails.timeoutInSeconds isRequired if you are usingdiagnostic.tcpDumpDetails.

Sets the amount of time in seconds to wait fortcpDump to return messages.

Default value: None

Bothdiagnostic.threadDumpDetails.delayInSeconds anddiagnostic.threadDumpDetails.iterations areRequired if you are usingdiagnostic.threadDumpDetails.

The delay in seconds between collecting each thread dump.

Default value: None

Bothdiagnostic.threadDumpDetails.delayInSeconds anddiagnostic.threadDumpDetails.iterations areRequired if you are usingdiagnostic.threadDumpDetails.

The number of jstack thread dump iterations to collect.

Default value: None

One of eithercacheEncryptionKey,cacheEncryptionPath, orcacheEncryptionSecret is required.

A base64-encoded encryption key. SeeData encryption.

Default value: None

One of eithercacheEncryptionKey,cacheEncryptionPath, orcacheEncryptionSecret is required.

The path to a file containing a base64-encoded encryption key. SeeData encryption.

Default value: None

One of eithercacheEncryptionKey,cacheEncryptionPath, orcacheEncryptionSecret is required.

The key of aKubernetes secret containing a base64-encoded encryption key. SeeData encryption.

Default value: None

One of eithercacheEncryptionKey, orcacheEncryptionPath, orcacheEncryptionSecret is required.

The name of aKubernetes secret containing a base64-encoded encryption key. SeeData encryption.

Default value: None

Deprecated: Starting in Hybrid version 1.4 the runtime plane receives this information from the management plane. SeeAbout environments and environment groups.

Default value: None

Specifies the host name or IP address where the HTTP proxy is running.

ListhttpProxy properties in the orderscheme,host,port. For example:

envs:  - name: test    httpProxy:      scheme: HTTP      host: 10.12.0.47      port: 3128      ...

See also:Configure forward proxying for API proxies.

Default value: None

Specifies the port on which the HTTP proxy is running. If this property is omitted, by default it uses port80 for HTTP and port443 for HTTPS.

Default value: None

Specifies the type of the HTTP proxy as HTTP or HTTPS. By default, it uses "HTTP".

Default value: None

If the HTTP proxy requires basic authentication, then use this property to provide a username.

Default value: None

If the HTTP proxy requires basic authentication, then use this property to provide a password.

Default value: None

Required

Apigee environment name to be synchronized.

Default value: None

Interval used for polling organization and environment synchronization changes, in seconds.

Default value: None

TCP port number for HTTPS traffic.

Default value: None

Path to file on local system to a Google Service Account key with theCloud Trace Agent role, usually theapigee-runtime service account. See theAbout service accounts for the default names of the service accounts and their assigned roles.

Default value: None

Path to file on local system to a Google Service Account key with theApigee Synchronizer Manager role.

Default value: None

Path to file on local system to a Google Service Account key with theApigee Analytic Agent role.

Only set this property iforgScopedUDCA is set tofalse.

Default value: None

The name of aKubernetes secret. You mustcreate the secret using a Google Service Account key with theCloud Trace Agent role as its input.

Default value: None

The name of aKubernetes secret. You mustcreate the secret using a Google Service Account key with theApigee Synchronizer Manager role as its input.

Default value: None

The name of aKubernetes secret. You mustcreate the secret using a Google Service Account key with theApigee Analytic Agent role as its input.

Only set this property iforgScopedUDCA is set tofalse.

Default value: None

EithersslCertPath/sslKeyPath orsslSecret is required.

The path on your system to a TLS certificate file.

Default value: None

EithersslCertPath/sslKeyPath orsslSecret is required.

The path on your system to the TLS private key file.

Default value: None

EithersslCertPath/sslKeyPath orsslSecret is required.

The name of a file stored in a Kubernetes secret that contains the TLS certificate and private key. You must create the secret using the TLS certificate and key data as its input.

See also:

• Storing data in a Kubernetes secret
• Secrets in the Kubernetes documentation
• Creating a Secret Using kubectl in the Kubernetes documentation

Default value: None

Required

Identifies the Google Cloudregion where theapigee-logger and theapigee-metrics push their data.

Default value: None

Required

Identifies the Google Cloud project whereapigee-logger and theapigee-metrics push their data.

Default value: None

Identifies the runtime Kubernetes cluster project.

TheprojectIDRuntime property is optional. If not used, it is assumed that theprojectID value is used for both the Apigee organization's Google Cloud project and the runtime K8S cluster's project.

Default value:false

Enables using Workload Identity. Workload Identity allows workloads in your GKE clusters to impersonate Identity and Access Management (IAM) service accounts to access Google Cloud services.

WhenworkloadIdentityEnabled isfalse, the default, Apigee uses the IAM service accounts for each Apigee hybrid component. SeeAbout service accounts.

WhenworkloadIdentityEnabled istrue, Apigee uses Kubernetes service accounts instead of IAM service accounts and will ignore the following configuration properties:

• validateServiceAccounts
• cassandra.backup.serviceAccountPath
• cassandra.backup.serviceAccountRef
• cassandra.restore.serviceAccountPath
• cassandra.restore.serviceAccountRef
• envs[].serviceAccountPaths.*
• logger.serviceAccountPath
• logger.serviceAccountRef
• mart.serviceAccountPath
• mart.serviceAccountRef
• metrics.serviceAccountPath
• metrics.serviceAccountRef
• synchronizer.serviceAccountPath
• synchronizer.serviceAccountRef
• udca.serviceAccountPath
• udca.serviceAccountRef
• watcher.serviceAccountPath
• watcher.serviceAccountRef

Default value: None

The hostname of the HTTP Proxy.

Default value: None

The port of the HTTP Proxy.

Default value:HTTPS

The scheme used by the proxy. Values can beHTTP orHTTPS. Values must be uppercase only.

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

• IfNotPresent: Do not pull a new image if it already exists.
• Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

Default value:1.11.2-asm.17

The version label for this service's Docker image.

Default value:gcr.io/apigee-release/hybrid/apigee-asm-ingress

The location of the Docker image for this service.

Default value: None

Required

The name of ingress gateway. Other services will use this name to address traffic to the gateway. The name must meet the following requirements:

• have a maximum length of 17 characters
• contain only lowercase alphanumeric characters, '-' or '.'
• start with an alphanumeric character
• end with an alphanumeric character

For more information, seeDNS Subdomain Names in the Kubernetes documentation.

Default value:2000m

The CPU limit for the resource, in millicores.

Default value:1Gi

The memory limit for the resource, in mebibytes.

Default value:300m

The CPU needed for normal operation of the resource, in millicores.

Default value:128Mi

The memory needed for normal operation of the resource, in mebibytes.

Default value:10

The maximum number of pods that hybrid can automatically add for the ingress gateway available for autoscaling.

Default value:2

The minimum number of pods for the ingress gateway available for autoscaling.

Default value: None

Optional key/value map used to annotate the ingress gateway on platforms that support annotation. For example:

intressGateways:  svcAnnotations:    networking.gke.io/load-balancer-type: "Internal"

Default value: None

On platforms that support specifying the load balancer IP address, the load balancer will be created with this IP address. On platforms that do not allow you to specify the load balancer IP address, this property is ignored.

Default value: LoadBalancer

Used to change the type of the default k8s service for ingress deployment. Set the value toClusterIP if you want to disable creation of default load balancer. Possible values:

• ClusterIP
• LoadBalancer

Default value:SANITIZE_SET

Determines how the Envoy proxy (for the Apigee ingress gateway) handles thex-forwarded-client-cert (XFCC) HTTP header.

Possible values are:

• SANITIZE_SET When the client connection is mTLS, reset the XFCC header with the client certificate information and send it to the next hop.
• FORWARD_ONLY When the client connection is mTLS (Mutual TLS), forward the XFCC header in the request only.
• APPEND_FORWARD When the client connection is mTLS, append the client certificate information to the request's XFCC header and forward it.
• SANITIZE (default) Do not forward the XFCC header.
• ALWAYS_FORWARD_ONLY Always forward the XFCC header in the request, regardless of whether the client connection is mTLS.

For more information on these values, see the Envoy documentation forEnum extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.ForwardClientCertDetails.

If you change this setting after installing Hybrid, apply it withapigeectl init and then restart your Apigee ingress gateway pods.

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

• IfNotPresent: Do not pull a new image if it already exists.
• Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

Default value:1.12.9-asm.3

The version label for this service's Docker image.

Default value:gcr.io/apigee-release/hybrid/apigee-asm-istiod

The location of the Docker image for this service.

Default value: None

The name of the Kubernetes cluster where the hybrid runtime is installed.

Default value: None

Identifies the Google Cloudregion in which your Kubernetes cluster was created.

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

• IfNotPresent: Do not pull a new image if it already exists.
• Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

Default value:v0.11.0

The version label for this service's Docker image.

Default value:gcr.io/apigee-release/hybrid/apigee-kube-rbac-proxy

The location of the Docker image for this service.

If you do not want to use the Google Docker Hub, download the images and use the address where your docker images are hosted internally.

Default value: None

Optional key/value map used to annotate pods. For more information, seeCustom annotations.

Default value:false

Enables or disables logging on the cluster. For non-GKE set totrue, for Anthos or GKE set tofalse.

Default value: None

Allows you to include theNO_PROXY Fluent Bit environment variable, which specifies URLs for which traffic is not routed through the HTTP proxy. TheNO_PROXY variable should be defined as a comma-separated string of host names, in the format:

logger:...EnvVars:  NO_PROXY: '<comma-separated-values>'

for example:

EnvVars:  NO_PROXY: 'kubernetes.default.svc,oauth2.googleapis.com,logging.googleapis.com'

UseEnvVars: NO_PROXY optionally when you have HTTP forward proxy enabled.

SeeNO_PROXY in the Fluent Bit documentation.

Default value:512k

The maximum size of a buffer chunk allowed, in kilobytes. Chunks exceeding the limit will be flushed to the output queue automatically.

Default value:6

The maximum length of the output queue. The default limit is 256 chunks.

Default value:5s

The interval to wait before invoking the next buffer flush, in seconds.

Default value:30

The maximum interval between write retries, in seconds.

Default value:2

The number of threads used to flush the buffer. The default is 1.

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

• IfNotPresent: Do not pull a new image if it already exists.
• Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

Default value:1.9.9

The version label for this service's Docker image.

Default value:gcr.io/apigee-release/hybrid/apigee-fluent-bit

The location of the Docker image for this service.

Default value:3

The number of times Kubernetes will verify that liveness probes have failed before restarting the container. The minimum value is 1.

Default value:0

The number of seconds after a container is started before a liveness probe is initiated.

Default value:60

Determines how often to perform a liveness probe, in seconds. The minimum value is 1.

Default value:1

The minimum consecutive successes needed for a liveness probe to be considered successful after a failure. The minimum value is 1.

Default value:1

The number of seconds after which a liveness probe times out. The minimum value is 1.

Default value:apigee.com/apigee-logger-enabled

Required

Node selector label key used to target dedicated Kubernetes nodes forlogger runtime services.

See Configuring dedicated node pools.

Default value:true

Required

Node selector label value used to target dedicated Kubernetes nodes forlogger runtime services.

See Configuring dedicated node pools.

Default value: None

URL of the customer's proxy server.

Default value:200m

The CPU limit for the resource in a Kubernetes container, in millicores.

Default value:500Mi

The memory limit for the resource in a Kubernetes container, in mebibytes.

Default value:100m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

Default value:250Mi

The memory needed for normal operation of the resource in a Kubernetes container, in mebibytes.

Default value: None

One of eitherserviceAccountPath orserviceAccountRef is required.

Path to Google Service Account key file withLogs Writer role.

Default value: None

One of eitherserviceAccountPath orserviceAccountRef is required.

Default value:30

The time between a request for pod deletion and when the pod is killed, in seconds. During this period, any prestop hooks will be executed and any running process should terminate gracefully.

Default value: None

Optional key/value map used to annotate pods. For more information, seeCustom annotations.

Default value: None

The host alias pointing to theMART object. You can set this property to* or a fully-qualified domain name.

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

• IfNotPresent: Do not pull a new image if it already exists.
• Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

Default value:1.8.8

The version label for this service's Docker image.

Default value:gcr.io/apigee-release/hybrid/apigee-mart-server

The location of the Docker image for this service. Check thevalues.yaml file for the specific URL.You can override this.

Default value:10m

The amount of CPU resources allocated to the initialization check of the Cloud Foundry process.

Default value:12

The number of times Kubernetes will verify that liveness probes have failed before restarting the container. The minimum value is 1.

Default value:15

The number of seconds after a container is started before a liveness probe is initiated.

Default value:5

Determines how often to perform a liveness probe, in seconds. The minimum value is 1.

Default value:1

The number of seconds after which a liveness probe times out. The minimum value is 1.

Default value:/v1/server/metrics

Default value: None

Optional node selector label key for targeting Kubernetes nodes formart runtime services. If you do not specify a key for mart.nodeselector, then your runtime uses the node specified in thenodeSelector object.

See Configuring dedicated node pools.

Default value: None

Optional node selector label value for targeting Kubernetes nodes formart runtime services. See also thenodeSelector object.

See Configuring dedicated node pools.

Default value:2

The number of times Kubernetes will verify that readiness probes have failed before marking the podunready. The minimum value is 1.

Default value:15

The number of seconds after a container is started before a readiness probe is initiated.

Default value:5

Determines how often to perform a readiness probe, in seconds. The minimum value is 1.

Default value:1

The minimum consecutive successes needed for a readiness probe to be considered successful after a failure. The minimum value is 1.

Default value:1

The number of seconds after which a liveness probe times out. The minimum value is 1.

Default value:5

Maximum number of replicas available for autoscaling.

Default value:1

Minimum number of replicas available for autoscaling.

Default value:500m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

Default value:512Mi

The memory needed for normal operation of the resource in a Kubernetes container, in mebibytes.

Default value: None

One of eitherserviceAccountPath orserviceAccountRef is required.

Path to Google Service Account key file withno role.

Default value: None

One of eitherserviceAccountPath orserviceAccountRef is required.

Default value: None

EithersslCertPath/sslKeyPath orsslSecret is required.

Local file system path for loading and encoding the SSL cert to a Secret.

Default value: None

EithersslCertPath/sslKeyPath orsslSecret is required.

Local file system path for loading and encoding the SSL key to a Secret.

Default value: None

EithersslCertPath/sslKeyPath orsslSecret is required.

The name of a file stored in a Kubernetes secret that contains the TLS certificate and private key. You must create the secret using the TLS certificate and key data as its input.

See also:

• Storing data in a Kubernetes secret
• Secrets in the Kubernetes documentation
• Creating a Secret Using kubectl in the Kubernetes documentation

Default value:75

Target CPU utilization for the MART process on the pod. The value of this field enables MART to auto-scale when CPU utilization reaches this value, up toreplicaCountMax.

Default value:30

The time between a request for pod deletion and when the pod is killed, in seconds. During this period, any prestop hooks will be executed and any running process should terminate gracefully.

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

• IfNotPresent: Do not pull a new image if it already exists.
• Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

Default value:v0.9.1

The version label for this service's Docker image.

Default value:gcr.io/apigee-release/hybrid/apigee-prometheus-adapter

The location of the Docker image for this service.

Default value:500m

The CPU needed for normal operation of the aggregator in a Kubernetes container, in millicores.

Default value:512Mi

The memory needed for normal operation of the aggregator in a Kubernetes container, in mebibytes.

Default value:500m

The CPU limit for the aggregator resource in a Kubernetes container, in millicores.

Default value:3Gi

The memory limit for the aggregator resource in a Kubernetes container, in gibibytes.

Default value: None

Optional key/value map used to annotate pods. For more information, seeCustom annotations.

Default value:500m

The CPU needed for normal operation of the app in a Kubernetes container, in millicores.

Default value:512Mi

The memory needed for normal operation of the app in a Kubernetes container, in mebibytes.

Default value:500m

The CPU limit for the app resource in a Kubernetes container, in millicores.

Default value:1Gi

The memory limit for the app resource in a Kubernetes container, in gibibytes.

Default value:128m

The CPU needed for normal operation of the stackdriverExporter in a Kubernetes container, in millicores.

Default value:512Mi

The memory needed for normal operation of the stackdriverExporter in a Kubernetes container, in mebibytes.

Default value:500m

The CPU limit for the stackdriverExporter resource in a Kubernetes container, in millicores.

Default value:1Gi

The memory limit for the stackdriverExporter resource in a Kubernetes container, in gibibytes.

Default value:true

Enables Apigee metrics. Set totrue to enable metrics. Set tofalse to disable metrics.

Default value: None

Required

Node selector label key used to target dedicated Kubernetes nodes formetrics runtime services.

See Configuring dedicated node pools.

Default value: None

Required

Node selector label value used to target dedicated Kubernetes nodes formetrics runtime services.

See Configuring dedicated node pools.

Default value:48h

The amount of time Prometheus waits before removing old data from local storage, in hours.

Default value:9090

The port to connect to the Prometheus metrics service.

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

• IfNotPresent: Do not pull a new image if it already exists.
• Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

Default value:v2.9.2

The version label for this service's Docker image.

Default value:gcr.io/apigee-release/hybrid/apigee-prom-prometheus

The location of the Docker image for this service.

Default value:6

The number of times Kubernetes will verify that liveness probes have failed before restarting the container. The minimum value is 1.

Default value:5

Determines how often to perform a liveness probe, in seconds. The minimum value is 1.

Default value:3

The number of seconds after which a liveness probe times out. The minimum value is 1.

Default value:120

The number of times Kubernetes will verify that readiness probes have failed before marking the podunready. The minimum value is 1.

Default value:5

Determines how often to perform a readiness probe, in seconds. The minimum value is 1.

Default value:3

The number of seconds after which a liveness probe times out. The minimum value is 1.

Default value: None

Required

Path to the SSL cert for the Prometheus metrics collection process. Prometheus is a tool Apigee can use for collecting and processing metrics.

See:

• metrics
• For background information, thePrometheus website

Default value: None

Required

Path to the SSL Key for the Prometheus metrics collection process. Prometheus is a tool Apigee can use for collecting and processing metrics.

See:

• metrics
• For background information, thePrometheus website

Default value:500m

The CPU needed for normal operation of the proxy in a Kubernetes container, in millicores.

Default value:512Mi

The memory needed for normal operation of the proxy in a Kubernetes container, in mebibytes.

Default value:500m

The CPU limit for the proxy resource in a Kubernetes container, in millicores.

Default value:1Gi

The memory limit for the proxy resource in a Kubernetes container, in gibibytes.

Default value:128m

The CPU needed for normal operation of the stackdriverExporter in a Kubernetes container, in millicores.

Default value:512Mi

The memory needed for normal operation of the stackdriverExporter in a Kubernetes container, in mebibytes.

Default value:500m

The CPU limit for the stackdriverExporter resource in a Kubernetes container, in millicores.

Default value:1Gi

The memory limit for the stackdriverExporter resource in a Kubernetes container, in gibibytes.

Default value: None

URL for the metrics process sidecar proxy in the Kubernetes cluster.

Default value:9091

The port for connecting to the Cloud Monitoring metrics service.

Default value:IfNotPresent

Determines when Kubelet pulls this service's Docker image. Possible values include:

• IfNotPresent: Do not pull a new image if it already exists
• Always: Always pull the policy, even if it already exists

  For more information, see Updating images.

Default value:0.9.0

The version label for this service's Docker image.

Default value:gcr.io/apigee-release/hybrid/apigee-stackdriver-prometheus-sidecar

The location of the Docker image for this service.

Default value: None

One of eitherserviceAccountPath orserviceAccountRef is required.

Path to Google Service Account key file withMonitoring Metric Writer role.

Default value: None

One of eitherserviceAccountPath orserviceAccountRef is required.

Deprecated: Starting in Hybrid version 1.8,metrics:stackdriverExporter has been replaced withmetrics:appStackdriverExporter andmetrics:proxyStackdriverExporter. See:

• metrics.appStackdriverExporter.resources.requests.cpu
• metrics.proxyStackdriverExporter.resources.requests.cpu

Deprecated: Starting in Hybrid version 1.8,metrics:stackdriverExporter has been replaced withmetrics:appStackdriverExporter andmetrics:proxyStackdriverExporter. See:

• metrics.appStackdriverExporter.resources.requests.memory
• metrics.proxyStackdriverExporter.resources.requests.memory

Deprecated: Starting in Hybrid version 1.8,metrics:stackdriverExporter has been replaced withmetrics:appStackdriverExporter andmetrics:proxyStackdriverExporter. See:

• metrics.appStackdriverExporter.resources.limits.cpu
• metrics.proxyStackdriverExporter.resources.limits.cpu

Deprecated: Starting in Hybrid version 1.8,metrics:stackdriverExporter has been replaced withmetrics:appStackdriverExporter andmetrics:proxyStackdriverExporter. See:

• metrics.appStackdriverExporter.resources.limits.memory
• metrics.proxyStackdriverExporter.resources.limits.memory

Default value:300

The time between a request for pod deletion and when the pod is killed, in seconds. During this period, any prestop hooks will be executed and any running process should terminate gracefully.

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

• IfNotPresent: Do not pull a new image if it already exists.
• Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

Default value:1.8.8

The version label for this service's Docker image.

Default value:gcr.io/apigee-release/hybrid/apigee-mint-task-scheduler

The location of the Docker image for this service.

Default value:cloud.google.com/gke-nodepool

ApigeeData is the node for the Cassandra database. Node selector label key for targeting Kubernetes nodes for working with Apigee services data.

SeeConfigure dedicated node pools.

Default value:apigee-data

apigee-data is the node for the Cassandra database. Node selector label value for targeting Kubernetes nodes for working with Apigee services data.

SeeConfigure dedicated node pools.

Default value:cloud.google.com/gke-nodepool

Apigee Runtime is the node for the runtime environment for the project. Node selector label key for targeting Kubernetes nodes for Apigee runtime services.

SeeConfigure dedicated node pools.

Default value:apigee-runtime

apigee-runtime is the node for the runtime environment for the project. Node selector label value for targeting Kubernetes nodes for Apigee runtime services.

SeeConfigure dedicated node pools.

Default value: false

TherequiredForScheduling property defaults tofalse. If this value is overridden totrue, it means that if Kubernetes cannot find nodes with the label key/value that is configured then the underlying Pods will not get scheduled on VM worker nodes.

For production,nodeSelector.requiredForScheduling should be set to true.

SeeConfigure dedicated node pools.

Default value:iloveapis123

Required

Password for the Redis administrator. The admin user is used for any administrative activities performed on the Redis cluster.

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

• IfNotPresent: Do not pull a new image if it already exists.
• Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

Default value:v1.22.2

The version label for this service's Docker image.

Default value:gcr.io/apigee-release/hybrid/apigee-envoy

The location of the Docker image for this service.

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

• IfNotPresent: Do not pull a new image if it already exists.
• Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

Default value:

The version label for this service's Docker image.

Default value:gcr.io/apigee-release/hybrid/apigee-redis

The location of the Docker image for this service.

Default value:2

Redis is a replicated storage. This property specifies the number of Redis nodes employed as aStatefulSet.

Default value:500m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

Default value: None

Optional key/value map used to annotate pods. For more information, seeCustom annotations.

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

• IfNotPresent: Do not pull a new image if it already exists.
• Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

Default value:1.8.8

The version label for this service's Docker image.

Default value:URL to your installation's image resource, for example:gcr.io/apigee-release/hybrid/apigee-runtime

The location of the Docker image for this service.

Default value:2

The number of times Kubernetes will verify that liveness probes have failed before restarting the container. The minimum value is 1.

Default value:60

The number of seconds after a container is started before a liveness probe is initiated.

Default value:5

Determines how often to perform a liveness probe, in seconds. The minimum value is 1.

Default value:1

The number of seconds after which a liveness probe times out. The minimum value is 1.

Default value: None

Optional Node selector label key for targeting Kubernetes nodes forruntime services.

SeenodeSelector property.

Default value: None

Node selector label value for targeting Kubernetes nodes forruntime services.

See Configuring dedicated node pools.

Default value:2

The number of times Kubernetes will verify that readiness probes have failed before marking the podunready. The minimum value is 1.

Default value:60

The number of seconds after a container is started before a readiness probe is initiated.

Default value:5

Determines how often to perform a readiness probe, in seconds. The minimum value is 1.

Default value:1

The minimum consecutive successes needed for a readiness probe to be considered successful after a failure. The minimum value is 1.

Default value:1

The number of seconds after which a liveness probe times out. The minimum value is 1.

Default value:4

Maximum number of replicas available for autoscaling.

Default value:1

Minimum number of replicas available for autoscaling.

Default value:500m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

Default value:512Mi (see note below)

The memory needed for normal operation of the resource in a Kubernetes container, in mebibytes (Mi) or Gibibytes (Gi).

Default value:ClusterIP

The type of service. You can set this to a service other than ClusterIP; for example,LoadBalancer.

Default value:75

Target CPU utilization for the runtime process on the pod. The value of this field enables the runtime to auto-scale when CPU utilization reaches this value, up toreplicaCountMax.

Default value:180

The time between a request for pod deletion and when the pod is killed, in seconds. During this period, any prestop hooks will be executed and any running process should terminate gracefully.

Default value: None

Optional key/value map used to annotate pods. For more information, seeCustom annotations.

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

• IfNotPresent: Do not pull a new image if it already exists.
• Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

Default value:1.8.8

The version label for this service's Docker image.

Default value:gcr.io/apigee-release/hybrid/apigee-synchronizer

The location of the Docker image for this service.

Default value:2

The number of times Kubernetes will verify that liveness probes have failed before restarting the container. The minimum value is 1.

Default value:0

The number of seconds after a container is started before a liveness probe is initiated.

Default value:5

Determines how often to perform a liveness probe, in seconds. The minimum value is 1.

Default value:1

The number of seconds after which a liveness probe times out. The minimum value is 1.

Default value: None

Required

Optional node selector label key for targeting Kubernetes nodes forsynchronizer runtime services.

SeenodeSelector.

Default value: None

Optional node selector label value used for targeting Kubernetes nodes forsynchronizer runtime services.

SeenodeSelector.

Default value:60

The length of time that Synchronizer waits between polling operations. Synchronizer polls Apigee control plane services to detect and pull new runtime contracts.

Default value:2

The number of times Kubernetes will verify that readiness probes have failed before marking the podunready. The minimum value is 1.

Default value:0

The number of seconds after a container is started before a readiness probe is initiated.

Default value:5

Determines how often to perform a readiness probe, in seconds. The minimum value is 1.

Default value:1

The minimum consecutive successes needed for a readiness probe to be considered successful after a failure. The minimum value is 1.

Default value:1

The number of seconds after which a liveness probe times out. The minimum value is 1.

Deprecated: Starting in Hybrid version 1.2, manage the Synchronizer replica count with:synchronizer.replicaCountMax andsynchronizer.replicaCountMin

Default value:4

Maximum number of replicas for autoscaling.

Default value:1

Minimum number of replicas for autoscaling.

Default value:100m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

Default value:1Gi

The memory needed for normal operation of the resource in a Kubernetes container, in gigabytes.

Default value: None

One of eitherserviceAccountPath orserviceAccountRef is required.

Path to Google Service Account key file withApigee Synchronizer Manager role.

Default value: None

One of eitherserviceAccountPath orserviceAccountRef is required.

Default value:75

Target CPU utilization for the Synchronizer process on the pod. The value of this field enables Synchronizer to auto-scale when CPU utilization reaches this value, up toreplicaCountMax.

Default value:30

The time between a request for pod deletion and when the pod is killed, in seconds. During this period, any prestop hooks will be executed and any running process should terminate gracefully.

Default value: None

Optional key/value map used to annotate pods. For more information, seeCustom annotations.

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

• IfNotPresent: Do not pull a new image if it already exists.
• Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

Default value:1.8.9

The version label for this service's Docker image.

Default value:gcr.io/apigee-release/hybrid/apigee-stackdriver-logging-agent

The location of the Docker image for this service.

Default value:500m

The memory limit for the resource in a Kubernetes container, in mebibytes.

Default value:500Mi

The memory limit for the resource in a Kubernetes container, in mebibytes.

Default value:500m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

Default value:250Mi

The memory needed for normal operation of the resource in a Kubernetes container, in mebibytes.

Default value: IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

• IfNotPresent: Do not pull a new image if it already exists.
• Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

Default value:1.8.8

The version label for this service's Docker image.

Default value:gcr.io/apigee-release/hybrid/apigee-udca

The location of the Docker image for this service.

Deprecated: Starting in Hybrid version 1.8,udca.jvmXms is no longer used.

Deprecated: Starting in Hybrid version 1.8,udca.jvmXmx is no longer used.

Default value:2

The number of times Kubernetes will verify that liveness probes have failed before restarting the container. The minimum value is 1.

Default value:0

The number of seconds after a container is started before a liveness probe is initiated.

Default value:5

Determines how often to perform a liveness probe, in seconds. The minimum value is 1.

Default value:1

The number of seconds after which a liveness probe times out. The minimum value is 1.

Default value: None

Required

Node selector label key used to target dedicated Kubernetes nodes forudca runtime services.

See Configuring dedicated node pools.

Default value: None

Required

Node selector label value used to target dedicated Kubernetes nodes forudca runtime services.

See Configuring dedicated node pools.

Default value:1

The length of time, in seconds, that UDCA waits between polling operations. UDCA polls the data directory on the data collection pod's file system to detect new files to be uploaded.

Default value:4

The maximum number of pods that hybrid can automatically add for the UDCA deployment. Because UDCA is implemented as a ReplicaSet, the pods are replicas.

It is recommended to setudca.replicaCountMax to a maximum number of replicas per environment times the number of environments in your Apigee org. For example, if you want to allow at most 4 replicas per environment and you have 3 environments, setudca.replicaCountMax: 12.

Default value:1

The minimum number of pods for the UDCA deployment. Because UDCA is implemented as a ReplicaSet, the pods are replicas.

If the CPU usage goes aboveudca.targetCPUUtilizationPercentage, then hybrid will gradually increase the number of pods, up toudca.replicaCountMax.

Default value:500m

The memory limit for the resource in a Kubernetes container, in mebibytes.

Default value:500Mi

The memory limit for the resource in a Kubernetes container, in mebibytes.

Default value:250m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

Default value:250Mi

The memory needed for normal operation of the resource in a Kubernetes container, in mebibytes.

Default value:v1

A static value that is populated in a label to enable canary deployments.

Default value: None

One of eitherserviceAccountPath orserviceAccountRef is required.

Path to Google Service Account key file withApigee Analytics Agent role.

Default value: None

One of eitherserviceAccountPath orserviceAccountRef is required.

Default value:75

The threshold of CPU usage for scaling the number of pods in the ReplicaSet, as a percentage of total available CPU resources. Hybrid uses the combined utilization of all containers in the data collection pod (both fluentd and UDCA) to calculate the current utilization.

When CPU usage goes above this value, then hybrid will gradually increase the number of pods in the ReplicaSet, up toudca.replicaCountMax.

Default value:600

The time between a request for pod deletion and when the pod is killed, in seconds. During this period, any prestop hooks will be executed and any running process should terminate gracefully.

Default value: None

A list of Istio Gateways to route traffic to.

Default value: None

The list of TLS ciphers. You can find the full list of supported ciphers in the documentation for theBoring FIPS build of Envoy. A blank value defaults to the cipher suites supported by the Boring FIPS build of Envoy.

For example, to support TLS v.1.1:

virtualhosts:- name: ENV_GROUP_NAME  minTLSProtocolVersion: "1.1"  cipherSuites:  - "ECDHE-ECDSA-AES128-GCM-SHA256"  - "ECDHE-RSA-AES128-GCM-SHA256"  - "ECDHE-ECDSA-AES256-GCM-SHA384"  - "ECDHE-RSA-AES256-GCM-SHA384"  - "ECDHE-ECDSA-CHACHA20-POLY1305"  - "ECDHE-RSA-CHACHA20-POLY1305"  - "ECDHE-ECDSA-AES128-SHA"  - "ECDHE-RSA-AES128-SHA"  - "ECDHE-ECDSA-AES256-SHA"  - "ECDHE-RSA-AES256-SHA"  ...

Default value: None

Required

The name of the virtual host.

Default value: None

Required

Deprecated: Starting in Hybrid version 1.4 the runtime plane receives this information from the management plane. SeeAbout environments and environment groups.

Default value: None

The maximum version of the TLS protocol Envoy can select. Envoy automatically uses the optimal TLS protocol version betweenvirtualhosts[].minTLSProtocolVersion andvirtualhosts[].maxTLSProtocolVersion.

The value must be in the form of a number. For example:

virtualhosts:  - name: default    maxTLSProtocolVersion: "1.3"

Where the number represents the TLS version number in the form#.#. In the example above,"1.3" represents the Istio TLS versionTLSV1_3.

See alsoServerTLSSettings.TLSProtocol in the Istio documentation.

Default value: None

The minimum version of the TLS protocol Envoy can select. Envoy automatically uses the optimal TLS protocol version betweenvirtualhosts[].minTLSProtocolVersion andvirtualhosts[].maxTLSProtocolVersion.

The value must be in the form of a number. For example:

virtualhosts:  - name: default    minTLSProtocolVersion: "1.2"

Where the number represents the TLS version number in the form#.#. In the example above,1.2 represents the Istio TLS versionTLSV1_2.

See alsoServerTLSSettings.TLSProtocol in the Istio documentation.

Default value:app: apigee-ingressgateway

Required

A key-value selector-value pair for pointing to different ingress selectors.

• apigee-ingressgateway: for Apigee hybrid installations using Apigee ingress gateway.
• istio-ingressgateway: for Apigee hybrid installations using Anthos Service Mesh.

If no selector label is supplied, the configuration is supplied to both Apigee ingress gateway and customer-installed Anthos Service Mesh.

Default value: None

EithersslCertPath/sslKeyPath orsslSecret is required.

The path on your system to a TLS certificate file.

Default value: None

EithersslCertPath/sslKeyPath orsslSecret is required.

The path on your system to the TLS private key file.

Default value: None

EithersslCertPath/sslKeyPath orsslSecret is required.

The name of a file stored in a Kubernetes secret that contains the TLS certificate and private key. You must create the secret using the TLS certificate and key data as its input.

See also:

• Storing data in a Kubernetes secret
• Secrets in the Kubernetes documentation
• Creating a Secret Using kubectl in the Kubernetes documentation

Default value: None

Optional key/value map used to annotate pods. For more information, seeCustom annotations.

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

• IfNotPresent: Do not pull a new image if it already exists.
• Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

Default value:1.8.8

The version label for this service's Docker image.

Default value:gcr.io/apigee-release/hybrid/apigee-watcher

he location of the Docker image for this service.

Default value:1

The maximum number of watcher replicas. This should be kept at1 to avoid conflicts.

Default value:1

The minimum number of watcher replicas.

Default value: None

Required.

Path to Google Service Account key file withApigee Runtime Agent role.

Default value: None

One of either serviceAccountPath or serviceAccountRef is required.