Configuration property reference

You are currently viewing version 1.13 of the Apigee hybrid documentation.This version is end of life. You should upgrade to a newer version. For more information, seeSupported versions.

This section lists all of the configuration propertiesthat you can use to customize the runtime plane of your Apigee hybrid deployment.

Note: For instructions on how to add custom annotations, which are key/value maps used to attach metadata to Apigee hybrid Kubernetes pods, seeCustom annotations.

About configuration properties

You can override many configuration properties, if needed, by adding them toHYBRID_ROOT_DIR/overrides.yaml.

Tip: Apigee provides a small set of sample configurations that you can use for further guidance. SeeSample overrides file.

For example, to change the replica count minimum and maximum for the MART service, you could add this stanza tooverrides.yaml:

mart:replicaCountMin:3replicaCountMax:6

You can also find these config properties and their default settings inHYBRID_ROOT_INSTALL/1.0.0/values.yaml

For more information, seeManage runtime plane components.

Additionally, if you are configuring a deployment outside Google Cloud see Step 6: Create the overrides for information on setting these properties.

Filter this page

To filter the properties displayed on this page, selectBasic (most common properties) orAdvanced (properties that rarely need changing):

Display  configuration properties on this page.Caution: Do not change advanced properties without first testing them in lower environments and verifying them in the specific operating environment.

Top-level properties

The following table describes the top-level properties in theoverrides.yaml file. These are properties that do not belong to another object, and apply at the org or environment level:

PropertyTypeDescription
axHashSaltAdvanced

Introduced in version: 1.3.0

Default value:iloveapis123

Optional

The name of aKubernetes secret that contains a salt used when computing hashes toobfuscate user data before it is sent to Apigee analytics. If you do not specify a salt value,iloveapis123 is used by default.Create the secret with the salt value as its input. You can use the same salt across multiple clusters to ensure consistent hashing results between the clusters.

Apigee uses SHA512 to hash the original value before sending data from the runtime plane to the control plane.

See:Obfuscate user data for analytics.

contractProviderAdvancedIntroduced in version: 1.0.0

Default value:https://apigee.googleapis.com

Defines the API path for all APIs in your installation.

Required if your hybrid installation is usingData residency in the following format:

contractProvider: https://CONTROL_PLANE_LOCATION-apigee.googleapis.com

WhereCONTROL_PLANE_LOCATION is the location where control plane data like proxy bundles are stored. For a list seeAvailable Apigee API control plane regions.

For example:

contractProvider: https://us-apigee.googleapis.com
gcpProjectIDAdvancedDeprecated: For v1.2.0 and later, usegcp.projectID instead.

Introduced in version: 1.0.0

Default value:none

Required

ID of your Google Cloud project. Works withk8sClusterName (deprecated) andgcpRegion (deprecated) to identify the project and determine where theapigee-logger and theapigee-metrics push their data.

gcpRegionAdvancedDeprecated: For v1.2.0 and later, usegcp.region instead.

Introduced in version: 1.0.0

Default value:us-central1

Required

The closet Google Cloud region or zone of your Kubernetes cluster. Works withgcpProjectID (deprecated) andk8sClusterName (deprecated) to identify the project and determine where theapigee-logger and theapigee-metrics push their data.

hubAdvancedIntroduced in version: 1.11.0

Default value: None

The URL of a private image container repository used to pull images for all apigee components from a private repo.

hub provides a default path for all Apigee hybrid components. If you are using a private repository, usehub to set the repository URL for all components rather than using the individualimage.url property for each component. Only configure indivisual URLs if you are using a separate repository for a specific component.

The image path for each individual component will be the value ofhub plus the image name and tag for the component.

For example, if the value ofhubprivate-docker-host.example.com, individual components will automatically resolve the image path:

hub:private-docker-host.example.com

as:

## an example of internal component vs 3rd partycontainers:- name: apigee-udca  image: private-docker-host.example.com/apigee-udca:1.13.4  imagePullPolicy: IfNotPresentcontainers:- name: apigee-ingressgateway  image: private-docker-host.example.com/apigee-asm-ingress:1.18.7-asm.4-distroless  imagePullPolicy: IfNotPresent

The other components will follow a similar pattern.

Useapigee-pull-push --list to see the current repository URL for all components.

SeeUse a private image repository with Apigee hybrid.

You can override image URL for components individualy with the following properties:

imagePullSecrets.nameAdvancedIntroduced in version: 1.0.0

Default value: None

Kubernetes secret name configured as docker-registry type; used to pull images from private repo.

instanceIDBasicIntroduced in version: 1.3.0

Default value: None

Required

A unique identifier for this installation.

A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters in length.

You can create multiple organizations in the same cluster, but theinstanceID must be the same for all orgs in the same Kubernetes cluster. For multi-region installations, each region requires its own cluster (individual clusters do not span regions).
k8sClusterNameAdvancedDeprecated: For v1.2.0 and later, usek8sCluster.nameandk8sCluster.region instead.

Introduced in version: 1.0.0

Default value: None

Name of the Kubernetes (K8S) procluster where your hybrid project is running. Works withgcpProjectID (deprecated) andgcpRegion (deprecated) to identify the project and determine where theapigee-logger and theapigee-metrics push their data.

kmsEncryptionKeyAdvancedIntroduced in version: 1.0.0

Default value:defaults.org.kmsEncryptionKey

Optional. Use only one ofkmsEncryptionKey orkmsEncryptionPath orkmsEncryptionSecret.

Local file system path for the ApigeeKMS data's encryption key.

kmsEncryptionPathAdvancedIntroduced in version: 1.2.0

Default value: None

Optional. Use only one ofkmsEncryptionKey orkmsEncryptionPath orkmsEncryptionSecret.

The path to a file containing a base64-encoded encryption key. SeeData encryption.

kmsEncryptionSecret.keyAdvancedIntroduced in version: 1.2.0

Default value: None

Optional. Use only one ofkmsEncryptionKey orkmsEncryptionPath orkmsEncryptionSecret.

The key of aKubernetes secret containing a base64-encoded encryption key. SeeData encryption.

kmsEncryptionSecret.nameAdvancedIntroduced in version: 1.2.0

Default value: None

Optional. Use only one ofkmsEncryptionKey orkmsEncryptionPath orkmsEncryptionSecret.

The name of aKubernetes secret containing a base64-encoded encryption key. SeeData encryption.

kvmEncryptionKeyAdvancedIntroduced in version: 1.0.0

Default value:defaults.org.kmsEncryptionKey

Optional. Use only one ofkvmEncryptionKey orkvmEncryptionPath orkvmEncryptionSecret.

Local file system path for the ApigeeKVM data's encryption key.

kvmEncryptionPathAdvancedIntroduced in version: 1.2.0

Default value: None

Optional. Use only one ofkvmEncryptionKey orkvmEncryptionPath orkvmEncryptionSecret.

The path to a file containing a base64-encoded encryption key. SeeData encryption.

kvmEncryptionSecret.keyAdvancedIntroduced in version: 1.2.0

Default value: None

Optional. Use only one ofkvmEncryptionKey orkvmEncryptionPath orkvmEncryptionSecret.

The key of aKubernetes secret containing a base64-encoded encryption key. SeeData encryption.

kvmEncryptionSecret.nameAdvancedIntroduced in version: 1.2.0

Default value: None

Optional. Use only one ofkvmEncryptionKey orkvmEncryptionPath orkvmEncryptionSecret.

The name of aKubernetes secret containing a base64-encoded encryption key. SeeData encryption.

multiOrgClusterAdvancedIntroduced in version: 1.10.0

Default value:false

For multi-org clusters, this property enables the organization's metrics to be exported to the project listed in thegcp.projectID property. Apply this setting in the overrides file for each organization in a multi-org cluster. For more information, seeAdding multiple hybrid orgs to a cluster.

namespaceBasicIntroduced in version: 1.0.0

Default value:apigee

The namespace of your Kubernetes cluster where the Apigee components will be installed.

orgBasic

Introduced in version: 1.0.0

Default value: None

Required

The hybrid-enabled organization that was provisioned for you by Apigee during the hybrid installation. An organization is the top-level container in Apigee. It contains all your API proxies and related resources. If the value is empty, you must update it with your org name once you have created it.

orgScopedUDCAAdvancedIntroduced in version: 1.8.0

Default value:true

Enables the Universal Data Collection Agent service (UDCA) at the org level, that extracts analytics, monetization and debug (trace) and sends it to the Unified Analytics Platform (UAP) which resides in the Control Plane.

Org-scoped UDCA uses a single Google service account for all Apigee environments. The service account needs to have the Apigee Analytics Agent (roles/apigee.analyticsAgent) role.

Specify the path to the service account key file with theudca.serviceAccountPath property or provide the key in a Kubernetes secret with theudca.serviceAccountRef property in youroverrides.yaml configuration file.

If you prefer to use a separate UDCA agent for each environment, setorgScopedUDCA: false and set the values forenvs[].serviceAccountPaths.udca andenvs[].serviceAccountSecretRefs.udca.

See also:udca.

revisionAdvancedIntroduced in version: 1.0.0

Default value:"1134" (Your Apigee hybrid version without periods. For example for version 1.12.0, the default value is"1120".)

Apigee hybrid supports rolling Kubernetes updates, which allow deployment updates to take place with zero downtime by incrementally updating Pod instances with new ones.

When updating certain YAML overrides that result in underlying KubernetesPodTemplateSpec change, therevision override property must also be changed in the customer'soverride.yaml. This is required for the underlying KubernetesApigeeDeployment (AD) controller to conduct a safe rolling update of from the previous version to the new version. You can use any lowercase text value, eg:blue,a,1.0.0

Note:revision can accept only lowercase alpha characters, numbers, and punctuation.

When therevision property is changed and applied, a rolling update will occur for all components

Changes to properties of the following objects require an update torevision:

For more information, seeRolling updates.

serviceAccountSecretProviderClassAdvancedIntroduced in version: 1.12.0

Default value: None

The name of the organization-specific secret provider class (SecretProviderClass) used for storing service account keys in Vault.

SeeStoring service account keys in Hashicorp Vault.

validateOrgAdvancedIntroduced in version: 1.8.0

Default value:true

Enables strict validation of the link between the Apigee Org and Google Cloud project and checks for the existence of environment groups.

See alsoorg

validateServiceAccountsAdvancedIntroduced in version: 1.0.0

Default value:true

Enables strict validation of service account permissions. This uses Cloud Resource Manager API methodtestIamPermissions to verify that the provided service account has the required permissions. In the case of service accounts for an Apigee Org, the project ID check is the one mapped to the Organization. For Metrics and Logger, the project checked is based on thegcpProjectIDoverrides.yaml configuration.

See alsogcpProjectID

ao

Apigee Operators (AO) creates and updates low level Kubernetes and Istio resources that are required to deploy and maintain a component. For example, the controller carries out the release of message processors.

Note:In version 1.2.0, Apigee Operators replaces Apigee Deployment Admissionhook (ADAH) andApigee Deployment Controller (ADC).

The following table describes the properties of the apigee-operatorsao object:

PropertyTypeDescription
ao.args.disableIstioConfigInAPIServerAdvancedIntroduced in version: 1.8.0

Default value:true

Stops Apigee from supplying configuration to customer-installed Cloud Service Mesh.

  • Set totrue for hybrid installations using Apigee ingress gateway.
  • Set tofalse for hybrid installations using Cloud Service Mesh (Apigee hybrid versions 1.8 and earlier).
ao.args.disableManagedClusterRolesAdvancedIntroduced in version: 1.10.0

Default value:true

Whentrue (the default), Apigee hybrid does not manage KubernetesClusterRole andClursterRoleBinding directly. If you have a process that requires managing these resources, the process must be performed by a user with the correct permissions to do so.

ao.image.pullPolicyAdvancedIntroduced in version: 1.2.0

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

ao.image.tagAdvancedIntroduced in version: 1.2.0

Default value:1.13.4

The version label for this service's Docker image.

ao.image.urlAdvancedIntroduced in version: 1.2.0

Default value: None

The location of the Docker image for this service.

Useapigee-pull-push --list to see the current repository URL for this component.

Tip: Consider usinghub to set a private repository URL for all components instead of configuring them individually.
ao.resources.limits.cpuAdvancedIntroduced in version: 1.2.0

Default value:250m

The CPU limit for the resource in a Kubernetes container, in millicores.

ao.resources.limits.memoryAdvancedIntroduced in version: 1.2.0

Default value:256Mi

The memory limit for the resource in a Kubernetes container, in mebibytes.

ao.resources.requests.cpuAdvancedIntroduced in version: 1.2.0

Default value:250m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

ao.resources.requests.memoryAdvancedIntroduced in version: 1.2.0

Default value:256Mi

The memory needed for normal operation of the resource in a Kubernetes container, in mebibytes.

ao.tolerations.effectAdvancedIntroduced in version: 1.10.1

Default value: None

Required to use theTaints and Tolerations feature of Kubernetes.

effect specifies the effect that matching a toleration with a taint will have. Values foreffect can be:

  • NoExecute
  • NoSchedule
  • PreferNoSchedule

SeeTaints and Tolerations: Concepts for details.

ao.tolerations.keyAdvancedIntroduced in version: 1.10.1

Default value: None

Required to use theTaints and Tolerations feature of Kubernetes.

key identifies pods to which the toleration can be applied.

SeeTaints and Tolerations: Concepts for details.

ao.tolerations.operatorAdvancedIntroduced in version: 1.10.1

Default value:"Equal"

Required to use theTaints and Tolerations feature of Kubernetes.

operator specifies the operation used to trigger theeffect. Values foroperator can be:

  • Equal matches the value set invalue.
  • Exists ignores the value set invalue.

SeeTaints and Tolerations: Concepts for details.

ao.tolerations.tolerationSecondsAdvancedIntroduced in version: 1.10.1

Default value: None

Used by theTaints and Tolerations feature of Kubernetes.

tolerationSeconds defines in seconds how long a pod stays bound to a failing or unresponsive node.

SeeTaints and Tolerations: Concepts for details.

ao.tolerations.valueAdvancedIntroduced in version: 1.10.1

Default value: None

Used by theTaints and Tolerations feature of Kubernetes.

value is the value that triggers theeffect whenoperator is set toEqual.

SeeTaints and Tolerations: Concepts for details.

apigeeIngressGateway

Configures the Apigee ingress gateway for Apigee Hybrid. UseapigeeIngressGateway properties to apply common configuration to all instances of the Apigee ingress gateway.

SeeingressGateways to configure individual instances uniquely.

Apply changes toapigeeIngressGateway properties with theapigee-org chart.

The following table describes the properties of theapigeeIngressGateway object:

PropertyTypeDescription
apigeeIngressGateway.image.pullPolicyAdvancedIntroduced in version: 1.11.0

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

apigeeIngressGateway.image.tagAdvancedIntroduced in version: 1.11.0

Default value:1.18.7-asm.4-distroless

The version label for this service's Docker image.

apigeeIngressGateway.image.urlAdvancedIntroduced in version: 1.11.0

Default value: None

The location of the Docker image for this service.

Useapigee-pull-push --list to see the current repository URL for this component.

Tip: Consider usinghub to set a private repository URL for all components instead of configuring them individually.
apigeeIngressGateway.nodeSelector.keyAdvancedIntroduced in version: 1.11.0

Default value: None

Required

Node selector label key used to target dedicated Kubernetes nodes for ingress gateway services.

See Configuring dedicated node pools.

apigeeIngressGateway.nodeSelector.valueAdvancedIntroduced in version: 1.11.0

Default value: None

Optional node selector label value used to target dedicated Kubernetes nodes for ingress gateway services and override thenodeSelector.apigeeData settings.

SeenodeSelector.

apigeeIngressGateway.replicaCountMaxBasicIntroduced in version: 1.11.0

Default value:4

The maximum number of pods that hybrid can automatically add for the ingress gateway available for autoscaling.

apigeeIngressGateway.replicaCountMinBasicIntroduced in version: 1.11.0

Default value:2

The minimum number of pods for the ingress gateway available for autoscaling.

apigeeIngressGateway.targetCPUUtilizationPercentageAdvancedIntroduced in version: 1.10.5, 1.11.2, 1.12.1

Default value:75

The threshold of CPU usage for scaling the number of pods in the ReplicaSet, as a percentage of total available CPU resources.

When CPU usage goes above this value, then hybrid will gradually increase the number of pods in the ReplicaSet, up toapigeeIngressGateway.replicaCountMax.

For more information on scaling in Kubernetes, seeHorizontal Pod Autoscaling in the Kubernetes documentation.

apigeeIngressGateway.tolerations.effectAdvancedIntroduced in version: 1.11.0

Default value: None

Required to use theTaints and Tolerations feature of Kubernetes.

effect specifies the effect that matching a toleration with a taint will have. Values foreffect can be:

  • NoExecute
  • NoSchedule
  • PreferNoSchedule

SeeTaints and Tolerations: Concepts for details.

apigeeIngressGateway.tolerations.keyAdvancedIntroduced in version: 1.11.0

Default value: None

Required to use theTaints and Tolerations feature of Kubernetes.

key identifies pods to which the toleration can be applied.

SeeTaints and Tolerations: Concepts for details.

apigeeIngressGateway.tolerations.operatorAdvancedIntroduced in version: 1.11.0

Default value:"Equal"

Required to use theTaints and Tolerations feature of Kubernetes.

operator specifies the operation used to trigger theeffect. Values foroperator can be:

  • Equal matches the value set invalue.
  • Exists ignores the value set invalue.

SeeTaints and Tolerations: Concepts for details.

apigeeIngressGateway.tolerations.tolerationSecondsAdvancedIntroduced in version: 1.11.0

Default value: None

Used by theTaints and Tolerations feature of Kubernetes.

tolerationSeconds defines in seconds how long a pod stays bound to a failing or unresponsive node.

SeeTaints and Tolerations: Concepts for details.

apigeeIngressGateway.tolerations.valueAdvancedIntroduced in version: 1.11.0

Default value: None

Used by theTaints and Tolerations feature of Kubernetes.

value is the value that triggers theeffect whenoperator is set toEqual.

SeeTaints and Tolerations: Concepts for details.

cassandra

Defines the hybrid service that manages the runtime data repository. This repository storesapplication configurations, distributed quota counters, API keys, and OAuth tokens for applicationsrunning on the gateway.

For more information, seeStorageClass configuration.

The following table describes the properties of thecassandra object:

Note: This #cassandra-storage-capacity property is deprecated starting from v1.12.0. Usecassandra.storage.storageSize instead.
PropertyTypeDescription
cassandra.annotationsAdvancedIntroduced in version: 1.5.0

Default value: None

Optional key/value map used to annotate pods. For more information, seeCustom annotations.

cassandra.auth.admin.passwordBasicIntroduced in version: 1.0.0

Default value:iloveapis123

Required

Password for the Cassandra administrator. The admin user is used for any administrative activities performed on the Cassandra cluster, such as backup and restore.

cassandra.auth.ddl.passwordBasicIntroduced in version: 1.0.0

Default value:iloveapis123

Required

Password for the Cassandra Data Definition Language (DDL) user. Used by MART for any of the data definition tasks like keyspace creation, update, and deletion.

cassandra.auth.default.passwordBasicIntroduced in version: 1.0.0

Default value:iloveapis123

Required

The password for the default Cassandra user created when Authentication is enabled. This password must be reset when configuring Cassandra authentication. SeeConfiguring TLS for Cassandra.

cassandra.auth.dml.passwordBasicIntroduced in version: 1.0.0

Default value:iloveapis123

Required

Password for the Cassandra Data Manipulation Language (DML) user. The DML user is used by the client communication to read and write data to Cassandra.

cassandra.auth.image.pullPolicyAdvancedIntroduced in version: 1.0.0

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

cassandra.auth.image.tagAdvancedIntroduced in version: 1.0.0

Default value:1.13.4

The version label for this service's Docker image.

cassandra.auth.image.urlAdvancedIntroduced in version: 1.0.0

Default value: None

The location of the Docker image for this service.

Useapigee-pull-push --list to see the current repository URL for this component.

Tip: Consider usinghub to set a private repository URL for all components instead of configuring them individually.
cassandra.auth.jmx.passwordBasicIntroduced in version: 1.4.0

Default value:iloveapis123

Required

Password for the Cassandra JMX operations user. Used to authenticate and communicate with the Cassandra JMX interface.

cassandra.auth.jmx.usernameBasicIntroduced in version: 1.4.0

Default value:jmxuser

Required

Username for the Cassandra JMX operations user. Used to authenticate and communicate with the Cassandra JMX interface.

cassandra.auth.jolokia.passwordBasicIntroduced in version: 1.4.0

Default value:iloveapis123

Required

Password for the Cassandra Jolokia JMX operations user. Used to authenticate and communicate with the Cassandra JMX API.

cassandra.auth.jolokia.usernameBasicIntroduced in version: 1.4.0

Default value:apigee

Required

Username for the Cassandra Jolokia JMX operations user. Used to authenticate and communicate with the Cassandra JMX API.

cassandra.auth.secretBasicIntroduced in version: 1.3.3

Default value: None

The name of the file stored in a Kubernetes secret that contains the Cassandra users and passwords. You can create the secret using following the following instructions:Create the Secret.

See also:

cassandra.auth.secretProviderClassAdvancedIntroduced in version: 1.10.3

Default value: None

The Cassandra secret storage policy. When set, it must match the SecretProviderClass which references the external secret provider, like Hashicorp Vault. When unset, Apigee hybrid uses either the usernames and passwords stored in:

or the Kubernetes secret stored in:

SeeStoring Cassandra secrets in Hashicorp Vault for instructions to create the policy.

cassandra.backup.cloudProviderAdvancedIntroduced in version: 1.0.0

Default value:GCP

The name of a backup provider. Supported values:GCP,HYBRID, andCSI. Set the value to:

  • GCP to store backup archives on Google Cloud Storage.
  • HYBRID to store backup archives on a remote SSH server.
  • CSI (recommended) to utilize Kubernetes CSIVolume Snapshots for backup. For information onCSI backup and restore for cloud platforms such as Google Cloud, AWS, and Azure, seeCSI backup and restore.
cassandra.backup.dbStorageBucketAdvancedIntroduced in version: 1.0.0

Default value: None

Required if backup is enabled andcassandra.backup.cloudProvider is set toGCP.

The name of an existing Google Cloud Storage bucket that will be used to store backup archives. See Creating buckets if you need to create one.

Note: Starting in Hybrid version 1.13, the bucket name doesn't need to be prefixed withgs://. Support for this prefix has been deprecated and will be removed in future releases.
cassandra.backup.enabledAdvancedIntroduced in version: 1.0.0

Default value:false

Data backup is not enabled by default. To enable, set totrue.

SeeCassandra backup and recovery.

cassandra.backup.gsaAdvancedIntroduced in version: 1.10.0

Default value: None

Helm only: The email address of theapigee-cassandra Google IAM service account (GSA) to associate with the cassandra backup Kubernetes service account when enabling Workload Identity on GKE clusters. Set this when you have setgcp.workloadIdentity.enabled totrue andcassandra.backup.enabled totrue.

GSA email addresses typically have the format of:

GSA_NAME@PROJECT_ID.iam.gserviceaccount.com

For example:

apigee-cassandra@my-hybrid-project.iam.gserviceaccount.com
Tip: You can find the email address of your service accounts with the following command:
gcloud iam service-accounts list --project ${PROJECT_ID} --filter "apigee"

SeeEnabling Workload Identity Federation on GKE.

cassandra.backup.image.pullPolicyAdvancedIntroduced in version: 1.0.0

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

cassandra.backup.image.tagAdvancedIntroduced in version: 1.0.0

Default value:1.13.4

The version label for this service's Docker image.

cassandra.backup.image.urlAdvancedIntroduced in version: 1.0.0

Default value: None

The location of the Docker image for this service.

Useapigee-pull-push --list to see the current repository URL for this component.

Tip: Consider usinghub to set a private repository URL for all components instead of configuring them individually.
cassandra.backup.keyfileAdvancedIntroduced in version: 1.3.0

Default value: None

Required if backup is enabled andcassandra.backup.cloudProvider is set toHYBRID.

The path on your local file system to the SSH private key file.

cassandra.backup.scheduleAdvancedIntroduced in version: 1.0.0

Default value:0 2 * * *

The schedule for the backup cron job.

SeeCassandra backup and recovery.

cassandra.backup.serverAdvancedIntroduced in version: 1.3.0

Default value: None

Required if backup is enabled andcassandra.backup.cloudProvider is set toHYBRID.

The IP address of your remote SSH backup server.

cassandra.backup.serviceAccountPathAdvancedIntroduced in version: 1.0.0

Default value: None

Path to aGoogle Service Account key file that has theStorage Object Admin (roles/storage.objectAdmin) role. This Google Service Account will be used for uploading backup archives to a specifiedcassandra.backup.dbStorageBucket.

If backup is enabled andcassandra.backup.cloudProvider is set toGCP, one of the following is required to ensure Apigee Hybrid can access the Google Cloud Storage bucket to upload backup archives:

cassandra.backup.serviceAccountRefAdvancedIntroduced in version: 1.2.0

Default value: None

The name of an existing Kubernetes secret that stores the content of aGoogle Service Account key file that has theStorage Object Admin (roles/storage.objectAdmin) role. This Google Service Account will be used for uploading backup archives to a specifiedcassandra.backup.dbStorageBucket.

If backup is enabled andcassandra.backup.cloudProvider is set toGCP, one of the following is required to ensure Apigee Hybrid can access the Google Cloud Storage bucket to upload backup archives:

cassandra.backup.storageDirectoryAdvancedIntroduced in version: 1.3.0

Default value: None

Required if backup is enabled andcassandra.backup.cloudProvider is set toHYBRID.

Can either be an absolute or relative path to theapigee user's home directory.

The name of the backup directory on your backup SSH server.

cassandra.clusterNameBasicIntroduced in version: 1.0.0

Default value:apigeecluster

Specifies the name of the Cassandra cluster.

Note: For multi-region installs the value ofclusterName needs to match for all regions.
cassandra.datacenterBasicIntroduced in version: 1.0.0

Default value:dc-1

Specifies the datacenter of the Cassandra node.

cassandra.dnsPolicyBasicIntroduced in version: 1.1.1

Default value: None

Note: In Apigee hybrid v1.3, this property is no longer supported.

When you sethostNetwork to true, the DNS policy is set toClusterFirstWithHostNet for you.

cassandra.externalSeedHostBasicIntroduced in version: 1.0.0

Default value: None

Hostname or IP of a Cassandra cluster node. If not set, the Kubernetes local service is used.

cassandra.heapNewSizeBasicIntroduced in version: 1.0.0

Default value:100M

The amount ofJVM system memory allocated to newer objects, in megabytes.

cassandra.hostNetworkBasicIntroduced in version: 1.1.1

Default value:false

Enables the KuberneteshostNetwork feature. Apigee uses this feature in multi-region installations to communicate between pods if the pod network namespace does not have connectivity between clusters (the clusters are running in "island network mode"), which is the default case in non-GKE installations, including Google Distributed Cloud on VMware or bare metal, GKE on AWS, AKS, EKS, and OpenShift.

Setcassandra.hostNetwork tofalse for single region installations and multi-region installations with connectivity between pods in different clusters, for example GKE installations.

Setcassandra.hostNetwork totrue for multi-region installations with no communication between between pods in different clusters, for example Google Distributed Cloud on VMware or bare metal, GKE on AWS, AKS, EKS, and OpenShift installations. SeeMulti-region deployment: Prerequisites.

Whentrue,DNS policy is automatically set toClusterFirstWithHostNet.

cassandra.image.pullPolicyAdvancedIntroduced in version: 1.0.0

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

cassandra.image.tagAdvancedIntroduced in version: 1.0.0

Default value:1.13.4

The version label for this service's Docker image.

cassandra.image.urlAdvancedIntroduced in version: 1.0.0

Default value: None

The location of the Docker image for this service.

Useapigee-pull-push --list to see the current repository URL for this component.

Tip: Consider usinghub to set a private repository URL for all components instead of configuring them individually.
cassandra.maxHeapSizeAdvancedIntroduced in version: 1.0.0

Default value:512M

The upper limit ofJVM system memory available for Cassandra operations, in megabytes.

cassandra.multiRegionSeedHostBasicIntroduced in version: 1.0.0

Default value: None

IP address of an existing Cassandra cluster used to expand the existing cluster to a new region. SeeConfigure the multi-region seed host.

cassandra.nodeSelector.keyAdvancedIntroduced in version: 1.0.0

Default value: None

Required

Node selector label key used to target dedicated Kubernetes nodes forcassandra data services.

See Configuring dedicated node pools.

cassandra.nodeSelector.valueAdvancedIntroduced in version: 1.0.0

Default value: None

Optional node selector label value used to target dedicated Kubernetes nodes forcassandra data services and override thenodeSelector.apigeeData settings.

SeenodeSelector.

cassandra.portAdvancedIntroduced in version: 1.0.0

Default value:9042

Port number used to connect to cassandra.

cassandra.rackBasicIntroduced in version: 1.0.0

Default value:ra-1

Specifies the rack of the Cassandra node.

cassandra.readinessProbe.failureThresholdAdvancedIntroduced in version: 1.0.0

Default value:2

The number of times Kubernetes will verify that readiness probes have failed before marking the podunready. The minimum value is 1.

cassandra.readinessProbe.initialDelaySecondsAdvancedIntroduced in version: 1.0.0

Default value:0

The number of seconds after a container is started before a readiness probe is initiated.

cassandra.readinessProbe.periodSecondsAdvancedIntroduced in version: 1.0.0

Default value:10

Determines how often to perform a readiness probe, in seconds. The minimum value is 1.

cassandra.readinessProbe.successThresholdAdvancedIntroduced in version: 1.0.0

Default value:1

The minimum consecutive successes needed for a readiness probe to be considered successful after a failure. The minimum value is 1.

cassandra.readinessProbe.timeoutSecondsAdvancedIntroduced in version: 1.0.0

Default value:5

The number of seconds after which a liveness probe times out. The minimum value is 1.

cassandra.replicaCountBasicIntroduced in version: 1.0.0

Default value:1

Cassandra is a replicated database. This property specifies the number of Cassandra nodes employed as aStatefulSet.

Note: The default value of1 is only acceptable for demo or test installations. For production installations, the value ofreplicaCount must be a multiple of3. To determine your desiredreplicaCount value, consider the following:
  • Estimate the traffic demands for your proxies.
  • Load test and make reasonable predictions of your CPU utilization.
  • You can specify differentreplicaCount values in different regions.
  • You can expand thereplicaCount in the future in your overrides file.
cassandra.resources.requests.cpuAdvancedIntroduced in version: 1.0.0

Default value:500m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

cassandra.resources.requests.memoryAdvancedIntroduced in version: 1.0.0

Default value:1Gi

The memory needed for normal operation of the resource in a Kubernetes container, in mebibytes.

cassandra.restore.cloudProviderAdvancedIntroduced in version: 1.0.0

Default value:GCP

The name of a restore provider. Supported values:GCP,HYBRID, andCSI. Set the value to:

  • GCP to restore data from a backup stored on Google Cloud Storage.
  • HYBRID to restore data from a backup stored on a remote SSH server.
  • CSI (recommended) to utilize Kubernetes CSIVolume Snapshots for restore. For information onCSI backup and restore for cloud platforms such as Google Cloud, AWS, and Azure, seeCSI backup and restore.
cassandra.restore.dbStorageBucketAdvancedIntroduced in version: 1.0.0

Default value: None

Required if restore is enabled andcassandra.restore.cloudProvider is set toGCP.

The name of a Google Cloud Storage bucket that stores backup archives to be used for data restoration.

Note: Starting in Hybrid version 1.13, the bucket name doesn't need to be prefixed withgs://. Support for this prefix has been deprecated and will be removed in future releases.
cassandra.restore.enabledAdvancedIntroduced in version: 1.0.0

Default value:false

Data restoration is not enabled by default. To enable, set totrue.

SeeCassandra backup and recovery.

cassandra.restore.gsaAdvancedIntroduced in version: 1.10.0

Default value: None

Helm only: The email address of theapigee-cassandra Google IAM service account (GSA) to associate with the cassandra restore Kubernetes service account when enabling Workload Identity on GKE clusters. Set this when you have setgcp.workloadIdentity.enabled totrue andcassandra.restore.enabled totrue.

GSA email addresses typically have the format of:

GSA_NAME@PROJECT_ID.iam.gserviceaccount.com

For example:

apigee-cassandra@my-hybrid-project.iam.gserviceaccount.com
Tip: You can find the email address of your service accounts with the following command:
gcloud iam service-accounts list --project ${PROJECT_ID} --filter "apigee"

SeeEnabling Workload Identity Federationon GKE.

cassandra.restore.image.pullPolicyAdvancedIntroduced in version: 1.0.0

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

cassandra.restore.image.tagAdvancedIntroduced in version: 1.0.0

Default value:1.13.4

The version label for this service's Docker image.

cassandra.restore.image.urlAdvancedIntroduced in version: 1.0.0

Default value: None

The location of the Docker image for this service.

Useapigee-pull-push --list to see the current repository URL for this component.

Tip: Consider usinghub to set a private repository URL for all components instead of configuring them individually.
cassandra.restore.serviceAccountPathAdvancedIntroduced in version: 1.0.0

Default value: None

Path to aGoogle Service Account key file that has theStorage Object Admin (roles/storage.objectAdmin) role. This Google Service Account will be used to download backup archives from a specifiedcassandra.restore.dbStorageBucket.

If restore is enabled andcassandra.restore.cloudProvider is set toGCP, one of the following is required to ensure Apigee Hybrid can access the Google Cloud Storage bucket to download backup archives for restoration:

cassandra.restore.serviceAccountRefAdvancedIntroduced in version: 1.2.0

Default value: None

The name of an existing Kubernetes secret that stores the content of aGoogle Service Account key file that has theStorage Object Admin (roles/storage.objectAdmin) role. This Google Service Account will be used to download backup archives from a specifiedcassandra.restore.dbStorageBucket.

If restore is enabled andcassandra.restore.cloudProvider is set toGCP, one of the following is required to ensure Apigee Hybrid can access the Google Cloud Storage bucket to download backup archives for restoration:

cassandra.restore.snapshotTimestampAdvancedIntroduced in version: 1.0.0

Default value: None

Required if restore is enabled.

Timestamp of the backup that should be restored.

cassandra.sslCertPathBasicIntroduced in version: 1.2.0

Default value: None

The path on your system to a TLS certificate file.

Note: For each configured environment, the Common Name (CN) in the cert must match the domain in thehostAliases[] property. For example, if the CN is*.example.com, thehostAliases[] could befoo.example.com orbar.example.com.

cassandra.sslKeyPathBasicIntroduced in version: 1.2.0

Default value: None

The path on your system to the TLS private key file.

cassandra.sslRootCAPathBasicIntroduced in version: 1.2.0

Default value: None

The certificate chain to the root CA (certificate authority).

cassandra.storage.capacityBasicIntroduced in version: 1.0.0

Default value:10Gi

Required ifstorage.storageclass is specified

Specifies the disk size required, in mebibytes (Mi) or gibibytes (Gi).

cassandra.storage.storageclassBasicIntroduced in version: 1.0.0

Default value: None

Specifies the class of on-prem storage being used.

cassandra.storage.storageSizeBasicIntroduced in version: 1.11.0

Default value:10Gi

Required ifstorage.storageclass is specified

Specifies the disk size required, in mebibytes (Mi) or gibibytes (Gi).

cassandra.terminationGracePeriodSecondsAdvancedIntroduced in version: 1.0.0

Default value:300

The time between a request for pod deletion and when the pod is killed, in seconds. During this period, any prestop hooks will be executed and any running process should terminate gracefully.

cassandra.tolerations.effectAdvancedIntroduced in version: 1.10.1

Default value: None

Required to use theTaints and Tolerations feature of Kubernetes.

effect specifies the effect that matching a toleration with a taint will have. Values foreffect can be:

  • NoExecute
  • NoSchedule
  • PreferNoSchedule

SeeTaints and Tolerations: Concepts for details.

cassandra.tolerations.keyAdvancedIntroduced in version: 1.10.1

Default value: None

Required to use theTaints and Tolerations feature of Kubernetes.

key identifies pods to which the toleration can be applied.

SeeTaints and Tolerations: Concepts for details.

cassandra.tolerations.operatorAdvancedIntroduced in version: 1.10.1

Default value:"Equal"

Required to use theTaints and Tolerations feature of Kubernetes.

operator specifies the operation used to trigger theeffect. Values foroperator can be:

  • Equal matches the value set invalue.
  • Exists ignores the value set invalue.

SeeTaints and Tolerations: Concepts for details.

cassandra.tolerations.tolerationSecondsAdvancedIntroduced in version: 1.10.1

Default value: None

Used by theTaints and Tolerations feature of Kubernetes.

tolerationSeconds defines in seconds how long a pod stays bound to a failing or unresponsive node.

SeeTaints and Tolerations: Concepts for details.

cassandra.tolerations.valueAdvancedIntroduced in version: 1.10.1

Default value: None

Used by theTaints and Tolerations feature of Kubernetes.

value is the value that triggers theeffect whenoperator is set toEqual.

SeeTaints and Tolerations: Concepts for details.

certManager

Apigee usescert-manager for certificate validation.

The following table describes the properties of thecertManager object:

PropertyTypeDescription
certManager.namespaceAdvancedIntroduced in version: 1.9.0

Default value:cert-manager

The namespace forcert-manager.

SeeRunning cert-manager in a custom namespace.

connectAgent

Apigee Connect allows the Apigee hybrid management plane to connect securely to the MART service in the runtime plane without requiring you to expose the MART endpoint on the internet.

The following table describes the properties of theconnectAgent object:

PropertyTypeDescription
connectAgent.annotationsAdvancedIntroduced in version: 1.5.0

Default value: None

Optional key/value map used to annotate pods. For more information, seeCustom annotations.

connectAgent.gsaAdvancedIntroduced in version: 1.10.0

Default value: None

Helm only: The email address of the Google IAM service account (GSA) for connectAgent to associate with the corresponding Kubernetes service account when enabling Workload Identity on GKE clusters using Helm charts. Set this when you have setgcp.workloadIdentity.enabled totrue.

Note: connectAgent uses theapigee-mart service account.

GSA email addresses typically have the format of:

GSA_NAME@PROJECT_ID.iam.gserviceaccount.com

For example:

apigee-mart@my-hybrid-project.iam.gserviceaccount.com
Tip: You can find the email address of your service accounts with the following command:
gcloud iam service-accounts list --project ${PROJECT_ID} --filter "apigee"

SeeEnabling Workload Identity on GKE orEnabling Workload Identity Federation on AKS and EKS.

connectAgent.logLevelAdvancedIntroduced in version: 1.2.0

Default value:INFO

The level of log reporting. Values can be:

  • INFO: Informational messages in addition to warning, error, and fatal messages. Most useful for debugging.
  • WARNING: Non-fatal warnings in addition to error and fatal messages.
  • ERROR: Internal errors and errors that are not returned to the user in addition to fatal messages.
  • FATAL: Unrecoverable errors and events that cause Apigee Connect to crash.
connectAgent.image.pullPolicyAdvancedIntroduced in version: 1.2.0

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

connectAgent.image.tagAdvancedIntroduced in version: 1.2.0

Default value:1.13.4

The version label for this service's Docker image.

connectAgent.image.urlAdvancedIntroduced in version: 1.2.0

Default value: None

The location of the Docker image for this service.

Useapigee-pull-push --list to see the current repository URL for this component.

Tip: Consider usinghub to set a private repository URL for all components instead of configuring them individually.
connectAgent.replicaCountMaxBasicIntroduced in version: 1.2.0

Default value:5

Maximum number of replicas available for autoscaling.

connectAgent.replicaCountMinBasicIntroduced in version: 1.2.0

Default value:1

Minimum number of replicas available for autoscaling.

In production, you may want to increasereplicaCountMin to 1, to have a greater number of connections to the control plane for reliability and scalability.

connectAgent.resources.limits.cpuAdvancedIntroduced in version: 1.11.0

Default value:512m

The CPU limit for the resource in a Kubernetes container, in millicores.

connectAgent.resources.limits.memoryAdvancedIntroduced in version: 1.11.0

Default value:512Mi

The memory limit for the resource in a Kubernetes container, in mebibytes.

connectAgent.resources.requests.cpuAdvancedIntroduced in version: 1.11.0

Default value:100m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

connectAgent.resources.requests.memoryAdvancedIntroduced in version: 1.2.0

Default value:30Mi

The memory needed for normal operation of the resource in a Kubernetes container, in mebibytes.

connectAgent.serverAdvancedIntroduced in version: 1.2.0

Default value:apigeeconnect.googleapis.com:443

The location of the server and port for this service.

connectAgent.serviceAccountPathBasicIntroduced in version: 1.1.1

Default value: None

One of eitherserviceAccountPath orserviceAccountRef is required.

Path to Google Service Account key file for theapigee-mart service account.

In most installations, the value ofconnectAgent.serviceAccountPath must match the value ofmart.serviceAccountPath.

connectAgent.serviceAccountRefBasicIntroduced in version: 1.2.0

Default value: None

One of eitherserviceAccountPath orserviceAccountRef is required.

In most installations, the value ofconnectAgent.serviceAccountRef must match the value ofmart.serviceAccountRef.

connectAgent.targetCPUUtilizationPercentageAdvancedIntroduced in version: 1.2.0

Default value:75

Target CPU utilization for the Apigee Connect agent on the pod. The value of this field enables Apigee Connect to auto-scale when CPU utilization reaches this value, up toreplicaCountMax.

connectAgent.terminationGracePeriodSecondsAdvancedIntroduced in version: 1.2.0

Default value:600

The time between a request for pod deletion and when the pod is killed, in seconds. During this period, any prestop hooks will be executed and any running process should terminate gracefully.

connectAgent.tolerations.effectAdvancedIntroduced in version: 1.10.1

Default value: None

Required to use theTaints and Tolerations feature of Kubernetes.

effect specifies the effect that matching a toleration with a taint will have. Values foreffect can be:

  • NoExecute
  • NoSchedule
  • PreferNoSchedule

SeeTaints and Tolerations: Concepts for details.

connectAgent.tolerations.keyAdvancedIntroduced in version: 1.10.1

Default value: None

Required to use theTaints and Tolerations feature of Kubernetes.

key identifies pods to which the toleration can be applied.

SeeTaints and Tolerations: Concepts for details.

connectAgent.tolerations.operatorAdvancedIntroduced in version: 1.10.1

Default value:"Equal"

Required to use theTaints and Tolerations feature of Kubernetes.

operator specifies the operation used to trigger theeffect. Values foroperator can be:

  • Equal matches the value set invalue.
  • Exists ignores the value set invalue.

SeeTaints and Tolerations: Concepts for details.

connectAgent.tolerations.tolerationSecondsAdvancedIntroduced in version: 1.10.1

Default value: None

Used by theTaints and Tolerations feature of Kubernetes.

tolerationSeconds defines in seconds how long a pod stays bound to a failing or unresponsive node.

SeeTaints and Tolerations: Concepts for details.

connectAgent.tolerations.valueAdvancedIntroduced in version: 1.10.1

Default value: None

Used by theTaints and Tolerations feature of Kubernetes.

value is the value that triggers theeffect whenoperator is set toEqual.

SeeTaints and Tolerations: Concepts for details.

defaults

The Default encryption keys for the Apigee hybrid installation.

Note: You need to update these for your installation.

The following table describes the properties of thedefaults object:

PropertyTypeDescription
defaults.org.kmsEncryptionKeyBasicIntroduced in version: 1.0.0

Default value:aWxvdmVhcGlzMTIzNDU2Nw==

Default encryption key for the org in KMS.

defaults.org.kvmEncryptionKeyBasicIntroduced in version: 1.0.0

Default value:aWxvdmVhcGlzMTIzNDU2Nw==

Default encryption key for the org in KVM.

defaults.env.kmsEncryptionKeyBasicIntroduced in version: 1.0.0

Default value:aWxvdmVhcGlzMTIzNDU2Nw==

Default encryption key for the environment (env) in KMS.

defaults.env.kvmEncryptionKeyBasicIntroduced in version: 1.0.0

Default value:aWxvdmVhcGlzMTIzNDU2Nw==

Default encryption key for the environment (env) in KVM.

defaults.env.cacheEncryptionKeyBasicIntroduced in version: 1.0.0

Default value:aWxvdmVhcGlzMTIzNDU2Nw==

Default cache encryption key for the environment (env).

diagnostic

The settings for the Diagnostic collector tool.

SeeUsing the Diagnostic collector

The following table describes the properties of thediagnostic object:

PropertyTypeDescription
diagnostic.bucketBasicIntroduced in version: 1.6.0

Default value: None

Required

The name of the Google Cloud storage bucket where your diagnostic data will be deposited.

SeeCreating storage buckets.

diagnostic.containerBasicIntroduced in version: 1.6.0

Default value: None

Required

This specifies which type of pod you are capturing data from. The values can be one of:

  • "apigee-cassandra" captures data about the Cassandra databgase. The istio-cassandra pods runs in the apigee namespace.
  • "apigee-mart-server" captures data about MART. The apigee-mart-server pods runs in the apigee namespace.
  • "apigee-runtime" captures data about the Message Processor. The apigee-runtime pods runs in the apigee namespace.
  • "apigee-synchronizer" captures data about the Synchronizer. The apigee-synchronizer pods runs in the apigee namespace.
  • "apigee-udca" captures data about UDCA. The apigee-udca pods runs in the apigee namespace.
  • "apigee-watcher" captures data about Watcher. The apigee-watcher pods runs in the apigee namespace.
  • "istio-proxy" captures data about the Istio ingress gateway. The istio-proxy pods runs in the istio-system namespace.
diagnostic.loggingDetails.logDurationBasicIntroduced in version: 1.6.0

Default value: None

Required if the diagnostic collection operation is "LOGGING" (set withoperation: "LOGGING")

The duration in milliseconds of the log data collected. A typical value is30000.

Seediagnostic.operation

diagnostic.loggingDetails.loggerNames[]BasicIntroduced in version: 1.6.0

Default value: None

Required if the diagnostic collection operation is "LOGGING" (set withoperation: "LOGGING")

Specifies by name which loggers to collect data from. For Apigee hybrid version 1.6.0, the only value supported isALL, meaning all loggers. For example:

diagnostic:loggingDetails:loggerNames:-ALL
diagnostic.loggingDetails.logLevelBasicIntroduced in version: 1.6.0

Default value: None

Required if the diagnostic collection operation is "LOGGING" (set withoperation: "LOGGING")

Specifies the granularity of the logging data to collect. In Apigee hybrid 1.6, OnlyFINE is supported.

diagnostic.namespaceBasicIntroduced in version: 1.6.0

Default value: None

Required

The Kubernetes namespace in which the pods you are collecting data on reside. The namespace must be the correct one for the container you specify withdiagnostic.container:

apigee for

  • apigee-runtime
  • apigee-synchronizer
  • apigee-udca
  • apigee-watcher
  • apigee-cassandra
  • apigee-mart-server

istio-system for

  • istio-proxy
diagnostic.operationBasicIntroduced in version: 1.6.0

Default value: None

Required

Specifies whether to collect all statistics or just logs.

Values are:

diagnostic.podNames[]BasicIntroduced in version: 1.6.0

Default value: None

Required

The names of the Kubernetes pods for which you are collecting data. For example:

diagnostic:podNames:-apigee-runtime-eng-hybrid-example-3b2ebf3-150-8vfoj-2wcjn-apigee-runtime-eng-hybrid-example-3b2ebf3-150-8vfoj-6xzn2
diagnostic.serviceAccountPathBasicIntroduced in version: 1.6.0

Default value: None

Required

The path to a service account key file (.json) for the service account with the Storage Admin role (roles/storage.admin). In most Apigee hybrid installations, this is theapigee-cassandra service account.

SeeAbout service accounts.

diagnostic.tcpDumpDetails.maxMsgsBasicIntroduced in version: 1.6.0

Default value: None

One of eitherdiagnostic.tcpDumpDetails.maxMsgs ordiagnostic.tcpDumpDetails.timeoutInSeconds isRequired if you are usingdiagnostic.tcpDumpDetails.

Sets the maximum number oftcpDump messages to collect. Apigee recommends a maximum value no greater than1000.

diagnostic.tcpDumpDetails.timeoutInSecondsBasicIntroduced in version: 1.6.0

Default value: None

One of eitherdiagnostic.tcpDumpDetails.maxMsgs ordiagnostic.tcpDumpDetails.timeoutInSeconds isRequired if you are usingdiagnostic.tcpDumpDetails.

Sets the amount of time in seconds to wait fortcpDump to return messages.

diagnostic.threadDumpDetails.delayInSecondsBasicIntroduced in version: 1.6.0

Default value: None

Bothdiagnostic.threadDumpDetails.delayInSeconds anddiagnostic.threadDumpDetails.iterations areRequired if you are usingdiagnostic.threadDumpDetails.

The delay in seconds between collecting each thread dump.

diagnostic.threadDumpDetails.iterationsBasicIntroduced in version: 1.6.0

Default value: None

Bothdiagnostic.threadDumpDetails.delayInSeconds anddiagnostic.threadDumpDetails.iterations areRequired if you are usingdiagnostic.threadDumpDetails.

The number of jstack thread dump iterations to collect.

envs

Defines an array of environments to which you can deploy your API proxies. Each environmentprovides an isolated context orsandbox for running API proxies.

Your hybrid-enabled organization must have at least one environment.

For more information, seeAbout environments.

The following table describes the properties of theenvs object:

PropertyTypeDescription
envs[].cacheEncryptionKeyBasicIntroduced in version: 1.0.0

Default value: None

One of eithercacheEncryptionKey,cacheEncryptionPath, orcacheEncryptionSecret is required.

A base64-encoded encryption key. SeeData encryption.

envs[].cacheEncryptionPathBasicIntroduced in version: 1.2.0

Default value: None

One of eithercacheEncryptionKey,cacheEncryptionPath, orcacheEncryptionSecret is required.

The path to a file containing a base64-encoded encryption key. SeeData encryption.

envs[].cacheEncryptionSecret.keyBasicIntroduced in version: 1.2.0

Default value: None

One of eithercacheEncryptionKey,cacheEncryptionPath, orcacheEncryptionSecret is required.

The key of aKubernetes secret containing a base64-encoded encryption key. SeeData encryption.

envs[].cacheEncryptionSecret.nameBasicIntroduced in version: 1.2.0

Default value: None

One of eithercacheEncryptionKey, orcacheEncryptionPath, orcacheEncryptionSecret is required.

The name of aKubernetes secret containing a base64-encoded encryption key. SeeData encryption.

envs[].components.runtime.replicaCountMaxBasicIntroduced in version: 1.9.3

Default value: 4

Maximum number of replicas for autoscaling. Overridesruntime.replicaCountMax if specified.

envs[].components.runtime.replicaCountMinBasicIntroduced in version: 1.9.3

Default value: 1

Minimum number of replicas for autoscaling. Overridesruntime.replicaCountMin if specified.

envs[].components.synchronizer.replicaCountMaxBasicIntroduced in version: 1.9.3

Default value: 4

Maximum number of replicas for autoscaling. Overridessynchronizer.replicaCountMax if specified.

envs[].components.synchronizer.replicaCountMinBasicIntroduced in version: 1.9.3

Default value: 1

Minimum number of replicas for autoscaling. Overridessynchronizer.replicaCountMin if specified.

envs[].components.udca.replicaCountMaxBasicIntroduced in version: 1.9.3

Default value: 4

Maximum number of replicas for autoscaling. Overridesudca.replicaCountMax if specified.

envs[].components.udca.replicaCountMinBasicIntroduced in version: 1.9.3

Default value: 1

Minimum number of replicas for autoscaling. Overridesudca.replicaCountMin if specified.

envs.gsa.runtimeAdvancedIntroduced in version: 1.10.0

Default value: None

Helm only: The email address of the runtime Google IAM service account to associate with the corresponding Kubernetes service account when enabling Workload Identity on GKE clusters using Helm charts.

Tip: You can find the email address of your service accounts with the following command:
gcloud iam service-accounts list --project ${PROJECT_ID} --filter "apigee"

SeeEnabling Workload Identity on GKE orEnabling Workload Identity Federation on AKS and EKS.

envs.gsa.synchronizerAdvancedIntroduced in version: 1.10.0

Default value: None

Helm only: The email address of the synchronizer Google IAM service account to associate with the corresponding Kubernetes service account when enabling Workload Identity on GKE clusters using Helm charts.

Tip: You can find the email address of your service accounts with the following command:
gcloud iam service-accounts list --project ${PROJECT_ID} --filter "apigee"

SeeEnabling Workload Identity on GKE orEnabling Workload Identity Federation on AKS and EKS.

envs.gsa.udcaAdvancedIntroduced in version: 1.10.0

Default value: None

Helm only: The email address of the udca Google IAM service account for env-scoped udca to associate with the corresponding Kubernetes service account when enabling Workload Identity on GKE clusters using Helm charts.

Tip: You can find the email address of your service accounts with the following command:
gcloud iam service-accounts list --project ${PROJECT_ID} --filter "apigee"

SeeEnabling Workload Identity on GKE orEnabling Workload Identity Federation on AKS and EKS.

envs[].hostAliases[]BasicIntroduced in version: 1.2.0

Default value: None

Deprecated: Starting in Hybrid version 1.4 the runtime plane receives this information from the management plane. SeeAbout environments and environment groups.

envs[].httpProxy.hostBasicIntroduced in version: 1.2.0

Default value: None

Specifies the host name or IP address where the HTTP proxy is running.

ListhttpProxy properties in the orderscheme,host,port. For example:

envs:  - name: test    httpProxy:      scheme: HTTP      host: 10.12.0.47      port: 3128      ...

See also:Configure forward proxying for API proxies.

envs[].httpProxy.portBasicIntroduced in version: 1.2.0

Default value: None

Specifies the port on which the HTTP proxy is running. If this property is omitted, by default it uses port80 for HTTP and port443 for HTTPS.

envs[].httpProxy.schemeBasicIntroduced in version: 1.2.0

Default value:HTTPS

Specifies the type of the HTTP proxy as HTTP or HTTPS. By default, it usesHTTPS.

envs[].httpProxy.usernameBasicIntroduced in version: 1.2.0

Default value: None

If the HTTP proxy requires basic authentication, then use this property to provide a username.

envs[].httpProxy.passwordBasicIntroduced in version: 1.2.0

Default value: None

If the HTTP proxy requires basic authentication, then use this property to provide a password.

envs[].nameBasicIntroduced in version: 1.0.0

Default value: None

Required

Apigee environment name to be synchronized.

envs[].pollIntervalAdvancedIntroduced in version: 1.0.0

Default value: None

Interval used for polling organization and environment synchronization changes, in seconds.

envs[].portAdvancedIntroduced in version: 1.0.0

Default value: None

TCP port number for HTTPS traffic.

envs[].serviceAccountPaths.runtimeBasicIntroduced in version: 1.4.0

Default value: None

Path to file on local system to a Google Service Account key with theCloud Trace Agent role, usually theapigee-runtime service account. See theAbout service accounts for the default names of the service accounts and their assigned roles.

envs[].serviceAccountPaths.synchronizerBasicIntroduced in version: 1.0

Default value: None

Path to file on local system to a Google Service Account key with theApigee Synchronizer Manager role.

envs[].serviceAccountPaths.udcaBasicIntroduced in version: 1.0

Default value: None

Path to file on local system to a Google Service Account key with theApigee Analytic Agent role.

Only set this property iforgScopedUDCA is set tofalse.

envs[].serviceAccountSecretProviderClassAdvancedIntroduced in version: 1.12.0

Default value: None

The name of the environment-specific secret provider class (SecretProviderClass) used for storing service account keys in Vault.

SeeStoring service account keys in Hashicorp Vault.

envs[].serviceAccountSecretRefs.runtimeBasicIntroduced in version: 1.4.0

Default value: None

The name of aKubernetes secret. You mustcreate the secret using a Google Service Account key with theCloud Trace Agent role as its input.

envs[].serviceAccountSecretRefs.synchronizerBasicIntroduced in version: 1.2.0

Default value: None

The name of aKubernetes secret. You mustcreate the secret using a Google Service Account key with theApigee Synchronizer Manager role as its input.

envs[].serviceAccountSecretRefs.udcaBasicIntroduced in version: 1.2.0

Default value: None

The name of aKubernetes secret. You mustcreate the secret using a Google Service Account key with theApigee Analytic Agent role as its input.

Only set this property iforgScopedUDCA is set tofalse.

envs[].sslCertPathBasicIntroduced in version: 1.2.0

Default value: None

EithersslCertPath/sslKeyPath orsslSecret is required.

The path on your system to a TLS certificate file.

Note: For each configured environment, the Common Name (CN) in the cert must match the domain in thehostAliases[] property. For example, if the CN is*.example.com, thehostAliases[] could befoo.example.com orbar.example.com.

envs[].sslKeyPathBasicIntroduced in version: 1.2.0

Default value: None

EithersslCertPath/sslKeyPath orsslSecret is required.

The path on your system to the TLS private key file.

envs[].sslSecretBasicIntroduced in version: 1.2.0

Default value: None

EithersslCertPath/sslKeyPath orsslSecret is required.

The name of a file stored in a Kubernetes secret that contains the TLS certificate and private key. You must create the secret using the TLS certificate and key data as its input.

See also:

gcp

Identifies the Google Cloud project ID (required for all hybrid installations), the Workload Identity and federated workload identity configurations, and the region where theapigee-logger and theapigee-metrics push their data.

The following table describes the properties of thegcp object:

PropertyTypeDescription
gcp.federatedWorkloadIdentity.audienceBasicIntroduced in version: 1.12.0

Default value: None

The allowed audience of the Workload Identity Provider on non-GKE platforms.

SeeEnabling Workload Identity Federation on AKS and EKS.

gcp.federatedWorkloadIdentity.credentialSourceFileBasicIntroduced in version: 1.12.0

Default value: None

The filename and path to the credential source file used by Workload Identity Federation to obtain the credentials for the service accounts. This is the value you provide forcredential-source-file when you configure Workload Identity Federation with thecreate-cred-config command.

SeeEnabling Workload Identity Federation on AKS and EKS.

gcp.federatedWorkloadIdentity.enabledBasicIntroduced in version: 1.12.0

Default value:false

Enables Workload Identity Federation on non-GKE platforms. Must not be settrue ifgcp.workloadIdentity.enabled is set totrue in the same cluster.

SeeEnabling Workload Identity Federation on AKS and EKS.

gcp.federatedWorkloadIdentity.tokenExpirationBasicIntroduced in version: 1.12.0

Default value:3600

The lifetime of the token in seconds.

SeeEnabling Workload Identity Federation on AKS and EKS.

gcp.projectIDBasicIntroduced in version: 1.2.0

Default value: None

Required

Identifies the Google Cloud project whereapigee-logger and theapigee-metrics push their data.

gcp.projectIDRuntimeBasicIntroduced in version: 1.2.0

Default value: None

Identifies the runtime Kubernetes cluster project.

TheprojectIDRuntime property is optional. If not used, it is assumed that theprojectID value is used for both the Apigee organization's Google Cloud project and the runtime K8S cluster's project.

gcp.regionBasicIntroduced in version: 1.2.0

Default value:us-central1

Required

Identifies the Google Cloudregion where theapigee-logger and theapigee-metrics push their data.

gcp.workloadIdentity.enabledBasicIntroduced in version: 1.10.0

Default value:false

Helm only: Enables using Workload Identity on GKE. Workload Identity allows workloads in your GKE clusters to impersonate Identity and Access Management (IAM) service accounts to access Google Cloud services.

Must not be settrue ifgcp.federatedWorkloadIdentity.enabled is set totrue in the same cluster.

Whenenabled isfalse, the default, Apigee uses the IAM service accounts for each Apigee hybrid component. SeeAbout service accounts.

WhenworkloadIdentityEnabled istrue, Apigee uses Kubernetes service accounts and maps them to the appropriate IAM service accounts for each component. Specify the IAM service accounts to map to the Kubernetes service accounts with:

gcp.workloadIdentity.gsaAdvancedIntroduced in version: 1.10.0

Default value: None

Helm only: The email address of the Google IAM service account (GSA) for all components to associate with the corresponding Kubernetes service account when enabling Workload Identity on GKE clusters using Helm charts. Set this when you have setgcp.workloadIdentity.enabled totrue.

gcp.workloadIdentity.gsa applies to all hybrid components. If you specify a value forgcp.workloadIdentity.gsa, you do not need to provide a GSA for any individual hybrid components. If you do supply a GSA for an individual component, that component's GSA overridesgcp.workloadIdentity.gsa for that component only.

GSA email addresses typically have the format of:

GSA_NAME@PROJECT_ID.iam.gserviceaccount.com

For example:

apigee-non-prod@my-hybrid-project.iam.gserviceaccount.com
Tip: You can find the email address of your service accounts with the following command:
gcloud iam service-accounts list --project ${PROJECT_ID} --filter "apigee"

SeeEnabling Workload Identity on GKE.

gcp.workloadIdentityEnabledBasicIntroduced in version: 1.4.0

Default value:false

apigeectl only: Enables using Workload Identity. Workload Identity allows workloads in your GKE clusters to impersonate Identity and Access Management (IAM) service accounts to access Google Cloud services.

WhenworkloadIdentityEnabled isfalse, the default, Apigee uses the IAM service accounts for each Apigee hybrid component. SeeAbout service accounts.

WhenworkloadIdentityEnabled istrue, Apigee uses Kubernetes service accounts instead of IAM service accounts and will ignore the following configuration properties:

httpProxy

httpProxy provides configuration parameters for an HTTP forward proxy server. When configured inoverrides.yaml, all internet communication for the Apigee Connect, Logger, MART, Metrics, Synchronizer, and UDCA components pass through the proxy server.

Note: You can also configure environment-scoped HTTP proxy forwarding for APIproxies. SeeConfigure proxy forwarding for API proxies.

See also:connectAgent,logger,mart,metrics,synchronizer, andudca.

The following table describes the properties of thehttpProxy object:

PropertyTypeDescription
httpProxy.hostBasicIntroduced in version: 1.1.1

Default value: None

The hostname of the HTTP Proxy.

httpProxy.portBasicIntroduced in version: 1.1.1

Default value: None

The port of the HTTP Proxy.

httpProxy.schemeBasicIntroduced in version: 1.1.1

Default value:HTTPS

The scheme used by the proxy. Values can beHTTP orHTTPS. Values must be uppercase only.

httpProxy.usernameBasicIntroduced in version: 1.1.1

Default value: None

If the HTTP proxy requires basic authentication, then use this property to provide a username.

httpProxy.passwordBasicIntroduced in version: 1.1.1

Default value: None

If the HTTP proxy requires basic authentication, then use this property to provide a password.

ingressGateways

Configures each individual instance of the Apigee ingress gateway. Use these properties when you want to manage individual instances separately byingressGateways[].name.

SeeapigeeIngressGateway to apply common configuration across all instances of the Apigee ingress gateway.

Apply changes toingressGateways properties with theapigee-org chart.

The following table describes the properties of theingressGateways object:

PropertyTypeDescription
ingressGateways[].nameBasicIntroduced in version: 1.8.0

Default value: None

Required

The name of ingress gateway. Other services will use this name to address traffic to the gateway. The name must meet the following requirements:

  • have a maximum length of 17 characters
  • contain only lowercase alphanumeric characters, '-' or '.'
  • start with an alphanumeric character
  • end with an alphanumeric character

For more information, seeDNS Subdomain Names in the Kubernetes documentation.

ingressGateways[].resources.limits.cpuAdvancedIntroduced in version: 1.8.0

Default value:2000m

The CPU limit for the resource, in millicores.

ingressGateways[].resources.limits.memoryAdvancedIntroduced in version: 1.8.0

Default value:1Gi

The memory limit for the resource, in mebibytes.

ingressGateways[].resources.requests.cpuAdvancedIntroduced in version: 1.8.0

Default value:300m

The CPU needed for normal operation of the resource, in millicores.

ingressGateways[].resources.requests.memoryAdvancedIntroduced in version: 1.8.0

Default value:128Mi

The memory needed for normal operation of the resource, in mebibytes.

ingressGateways[].replicaCountMaxBasicIntroduced in version: 1.8.0

Default value:10

The maximum number of pods that hybrid can automatically add for the ingress gateway available for autoscaling.

ingressGateways[].replicaCountMinBasicIntroduced in version: 1.8.0

Default value:2

The minimum number of pods for the ingress gateway available for autoscaling.

ingressGateways[].svcAnnotationsBasicIntroduced in version: 1.8.0

Default value: None

Optional key/value map used to annotate the ingress gateway on platforms that support annotation. For example:

ingressGateways:  svcAnnotations:    networking.gke.io/load-balancer-type: "Internal"
ingressGateways[].svcLoadBalancerIPBasicIntroduced in version: 1.8.0

Default value: None

On platforms that support specifying the load balancer IP address, the load balancer will be created with this IP address. On platforms that do not allow you to specify the load balancer IP address, this property is ignored.

ingressGateways[].svcTypeBasicIntroduced in version: 1.8.1

Default value: LoadBalancer

Used to change the type of the default k8s service for ingress deployment. Set the value toClusterIP if you want to disable creation of default load balancer. Possible values:

  • ClusterIP
  • LoadBalancer
ingressGateways[].targetCPUUtilizationPercentageAdvancedIntroduced in version: 1.10.5, 1.11.2, 1.12.1

Default value:75

The threshold of CPU usage for scaling the number of pods in the ReplicaSet, as a percentage of total available CPU resources.

When CPU usage goes above this value, then hybrid will gradually increase the number of pods in the ReplicaSet, up toingressGateways[].replicaCountMax.

For more information on scaling in Kubernetes, seeHorizontal Pod Autoscaling in the Kubernetes documentation.

ingressGateways[].tolerations.effectAdvancedIntroduced in version: 1.10.1

Default value: None

Required to use theTaints and Tolerations feature of Kubernetes.

effect specifies the effect that matching a toleration with a taint will have. Values foreffect can be:

  • NoExecute
  • NoSchedule
  • PreferNoSchedule

SeeTaints and Tolerations: Concepts for details.

ingressGateways[].tolerations.keyAdvancedIntroduced in version: 1.10.1

Default value: None

Required to use theTaints and Tolerations feature of Kubernetes.

key identifies pods to which the toleration can be applied.

SeeTaints and Tolerations: Concepts for details.

ingressGateways[].tolerations.operatorAdvancedIntroduced in version: 1.10.1

Default value:"Equal"

Required to use theTaints and Tolerations feature of Kubernetes.

operator specifies the operation used to trigger theeffect. Values foroperator can be:

  • Equal matches the value set invalue.
  • Exists ignores the value set invalue.

SeeTaints and Tolerations: Concepts for details.

ingressGateways[].tolerations.tolerationSecondsAdvancedIntroduced in version: 1.10.1

Default value: None

Used by theTaints and Tolerations feature of Kubernetes.

tolerationSeconds defines in seconds how long a pod stays bound to a failing or unresponsive node.

SeeTaints and Tolerations: Concepts for details.

ingressGateways[].tolerations.valueAdvancedIntroduced in version: 1.10.1

Default value: None

Used by theTaints and Tolerations feature of Kubernetes.

value is the value that triggers theeffect whenoperator is set toEqual.

SeeTaints and Tolerations: Concepts for details.

istiod

Configures the Apigee ingress.

The following table describes the properties of theistiod object:

PropertyTypeDescription
istiod.accessLogFileAdvancedIntroduced in version: 1.8.0

Default value:/dev/stdout

The file address for the ingress access log, for example/dev/stdout.

Leaving this value undefined disables access logging.

istiod.accessLogFormatAdvancedIntroduced in version: 1.8.0

The format for the ingress access log.

Leaving this value undefined results in using the proxy's default access log format.

Default access log format:

'{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'

The following is a copy of the default access log format with line breaks added for readability.

'{"start_time":"%START_TIME%",  "remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%",  "user_agent":"%REQ(USER-AGENT)%",  "host":"%REQ(:AUTHORITY)%",  "request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%",  "request_time":"%DURATION%",  "status":"%RESPONSE_CODE%",  "status_details":"%RESPONSE_CODE_DETAILS%",  "bytes_received":"%BYTES_RECEIVED%",  "bytes_sent":"%BYTES_SENT%",  "upstream_address":"%UPSTREAM_HOST%",  "upstream_response_flags":"%RESPONSE_FLAGS%",  "upstream_response_time":"%RESPONSE_DURATION%",  "upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%",  "upstream_cluster":"%UPSTREAM_CLUSTER%",  "x_forwarded_for":"%REQ(X-FORWARDED-FOR)%",  "request_method":"%REQ(:METHOD)%",  "request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%",  "request_protocol":"%PROTOCOL%",  "tls_protocol":"%DOWNSTREAM_TLS_VERSION%",  "request_id":"%REQ(X-REQUEST-ID)%",  "sni_host":"%REQUESTED_SERVER_NAME%",  "apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}'
istiod.forwardClientCertDetailsAdvancedIntroduced in version: 1.9.2

Default value:SANITIZE_SET

Determines how the Envoy proxy (for the Apigee ingress gateway) handles thex-forwarded-client-cert (XFCC) HTTP header.

Possible values are:

  • SANITIZE_SET (default) When the client connection is mTLS, reset the XFCC header with the client certificate information and send it to the next hop.
  • FORWARD_ONLY When the client connection is mTLS (Mutual TLS), forward the XFCC header in the request only.
  • APPEND_FORWARD When the client connection is mTLS, append the client certificate information to the request's XFCC header and forward it.
  • SANITIZE Do not forward the XFCC header.
  • ALWAYS_FORWARD_ONLY Always forward the XFCC header in the request, regardless of whether the client connection is mTLS.

For more information on these values, see the Envoy documentation forEnum extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.ForwardClientCertDetails.

If you change this setting after installing Hybrid, apply it withapigeectl init and then restart your Apigee ingress gateway pods.

istiod.healthCheckUserAgentsAdvancedIntroduced in version: 1.12.0

Default values:

- "GoogleStackdriverMonitoring-UptimeChecks(https://cloud.google.com/monitoring)"- "Edge Health Probe"

Enables non-Google Cloud loadbalancers to check the ingress gateway's health check endpoints (/healthz/ingress and/healthz) by overriding the default user-agent allow list in hybrid.

Note: Usage of this configuration property is only supported in hybrid installations using Helm charts. It is not supported for use withapigeectl.

To override the default user agents specified, use the following syntax, inserting the custom user agents:

istiod:  healthCheckUserAgents:   - "CUSTOM_USER_AGENT_1"  - "CUSTOM_USER_AGENT_2"

To remove the user agent requirement, use the following:

istiod:  healthCheckUserAgents: []

Note: The pods must be restarted for this to take effect. Usekubectl rollout restart deployment -n apigee apigee-ingressgateway-manager to restart the pods andkubectl rollout status deployment -n apigee apigee-ingressgateway-manager to check the status of the rollout.
istiod.image.pullPolicyAdvancedIntroduced in version: 1.8.0

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

istiod.image.tagAdvancedIntroduced in version: 1.8.0

Default value:1.18.7-asm.4-distroless

The version label for this service's Docker image.

istiod.image.urlAdvancedIntroduced in version: 1.8.0

Default value: None

The location of the Docker image for this service.

Useapigee-pull-push --list to see the current repository URL for this component.

Tip: Consider usinghub to set a private repository URL for all components instead of configuring them individually.
istiod.tolerations.effectAdvancedIntroduced in version: 1.10.1

Default value: None

Required to use theTaints and Tolerations feature of Kubernetes.

effect specifies the effect that matching a toleration with a taint will have. Values foreffect can be:

  • NoExecute
  • NoSchedule
  • PreferNoSchedule

SeeTaints and Tolerations: Concepts for details.

istiod.tolerations.keyAdvancedIntroduced in version: 1.10.1

Default value: None

Required to use theTaints and Tolerations feature of Kubernetes.

key identifies pods to which the toleration can be applied.

SeeTaints and Tolerations: Concepts for details.

istiod.tolerations.operatorAdvancedIntroduced in version: 1.10.1

Default value:"Equal"

Required to use theTaints and Tolerations feature of Kubernetes.

operator specifies the operation used to trigger theeffect. Values foroperator can be:

  • Equal matches the value set invalue.
  • Exists ignores the value set invalue.

SeeTaints and Tolerations: Concepts for details.

istiod.tolerations.tolerationSecondsAdvancedIntroduced in version: 1.10.1

Default value: None

Used by theTaints and Tolerations feature of Kubernetes.

tolerationSeconds defines in seconds how long a pod stays bound to a failing or unresponsive node.

SeeTaints and Tolerations: Concepts for details.

istiod.tolerations.valueAdvancedIntroduced in version: 1.10.1

Default value: None

Used by theTaints and Tolerations feature of Kubernetes.

value is the value that triggers theeffect whenoperator is set toEqual.

SeeTaints and Tolerations: Concepts for details.

k8sCluster

Identifies Kubernetes cluster where the hybrid runtime is installed.

The following table describes the properties of thek8sCluster object:

PropertyTypeDescription
k8sCluster.nameBasicIntroduced in version: 1.2.0

Default value: None

The name of the Kubernetes cluster where the hybrid runtime is installed.

k8sCluster.regionBasicIntroduced in version: 1.2.0

Default value: None

Identifies the Google Cloudregion in which your Kubernetes cluster was created.

kubeRBACProxy

Identifies where Apigee should look for Kubernetes role-based access controls.

The following table describes the properties of thekubeRBACProxy object:

PropertyTypeDescription
kubeRBACProxy.image.pullPolicyAdvancedIntroduced in version: 1.2.0

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

kubeRBACProxy.image.tagAdvancedIntroduced in version:1.2.0

Default value:v0.14.2

The version label for this service's Docker image.

kubeRBACProxy.image.urlAdvancedIntroduced in version: 1.2.0

Default value: None

The location of the Docker image for this service.

Useapigee-pull-push --list to see the current repository URL for this component.

Tip: Consider usinghub to set a private repository URL for all components instead of configuring them individually.
kubeRBACProxy.resources.limits.cpuAdvancedIntroduced in version: 1.11.0

Default value:500m

The CPU limit for the resource in a Kubernetes container, in millicores.

kubeRBACProxy.resources.limits.memoryAdvancedIntroduced in version: 1.11.0

Default value:128Mi

The memory limit for the resource in a Kubernetes container, in mebibytes.

kubeRBACProxy.resources.requests.cpuAdvancedIntroduced in version: 1.11.0

Default value:5m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

kubeRBACProxy.resources.requests.memoryAdvancedIntroduced in version: 1.11.0

Default value:64Mi

The memory needed for normal operation of the resource in a Kubernetes container, in mebibytes.

logger

Defines the service that manages operational logs. All of the Apigee hybrid servicesthat run in your Kubernetes cluster output this information.

For more information, seeLogging overview.

The following table describes the properties of thelogger object:

PropertyTypeDescription
logger.annotationsAdvancedIntroduced in version: 1.5.0

Default value: None

Optional key/value map used to annotate pods. For more information, seeCustom annotations.

logger.bufferChunkSizeAdvancedIntroduced in version: 1.12.0

Default value: 256k

The initial buffer size to read log files.

logger.bufferMaxSizeAdvancedIntroduced in version: 1.12.0

Default value: 104857600

The limit of the buffer size per monitored file. Files exceeding this limit are removed from the monitored file list.

logger.bufferMemoryLimitAdvancedIntroduced in version: 1.12.0

Default value: 150MB

The limit of memory that logger can consumed. If reach, the logger will momentarily pause reading more data until the existing data is flushed in memory.

logger.enabledBasicIntroduced in version: 1.0.0

Default value:false

Enables or disables logging on the cluster. For non-GKE set totrue, for GKE on Google Cloud or Google Distributed Cloudset tofalse.

logger.envVarsBasicIntroduced in version: 1.8.5

Default value: None

Allows you to include theNO_PROXY Fluent Bit environment variable, which specifies URLs for which traffic is not routed through the HTTP proxy. TheNO_PROXY variable should be defined as a comma-separated string of host names, in the format:

logger:  ...  envVars:    NO_PROXY: '<comma-separated-values>'

for example:

  envVars:    NO_PROXY: 'kubernetes.default.svc,oauth2.googleapis.com,logging.googleapis.com'

UseenvVars: NO_PROXY optionally when you have HTTP forward proxy enabled.

SeeNO_PROXY in the Fluent Bit documentation.

logger.flushIntervalAdvancedIntroduced in version: 1.12.0

Default value: 1

The interval to wait before invoking the next buffer flushed, in seconds.

logger.gsaAdvancedIntroduced in version: 1.10.0

Default value: None

Helm only: The email address of theapigee-logger Google IAM service account (GSA) to associate with the corresponding Kubernetes service account when enabling Workload Identity on GKE clusters using Helm charts. Set this when you have setgcp.workloadIdentity.enabled totrue.

GSA email addresses typically have the format of:

GSA_NAME@PROJECT_ID.iam.gserviceaccount.com

For example:

apigee-logger@my-hybrid-project.iam.gserviceaccount.com
Tip: You can find the email address of your service accounts with the following command:
gcloud iam service-accounts list --project ${PROJECT_ID} --filter "apigee"

SeeEnabling Workload Identity on GKE orEnabling Workload Identity Federation on AKS and EKS.

logger.image.pullPolicyAdvancedIntroduced in version: 1.0.0

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

logger.image.tagAdvancedIntroduced in version: 1.0.0

Default value:1.9.9

The version label for this service's Docker image.

logger.image.urlAdvancedIntroduced in version: 1.0.0

Default value: None

The location of the Docker image for this service.

Useapigee-pull-push --list to see the current repository URL for this component.

Tip: Consider usinghub to set a private repository URL for all components instead of configuring them individually.
logger.livenessProbe.failureThresholdAdvancedIntroduced in version: 1.0.0

Default value:3

The number of times Kubernetes will verify that liveness probes have failed before restarting the container. The minimum value is 1.

logger.livenessProbe.initialDelaySecondsAdvancedIntroduced in version: 1.0.0

Default value:0

The number of seconds after a container is started before a liveness probe is initiated.

logger.livenessProbe.periodSecondsAdvancedIntroduced in version: 1.0.0

Default value:60

Determines how often to perform a liveness probe, in seconds. The minimum value is 1.

logger.livenessProbe.successThresholdAdvancedIntroduced in version: 1.0.0

Default value:1

The minimum consecutive successes needed for a liveness probe to be considered successful after a failure. The minimum value is 1.

logger.livenessProbe.timeoutSecondsAdvancedIntroduced in version: 1.0.0

Default value:1

The number of seconds after which a liveness probe times out. The minimum value is 1.

logger.nodeSelector.keyBasicIntroduced in version: 1.0.0

Default value:apigee.com/apigee-logger-enabled

Required

Node selector label key used to target dedicated Kubernetes nodes forlogger runtime services.

See Configuring dedicated node pools.

logger.nodeSelector.valueBasicIntroduced in version: 1.0.0

Default value:true

Required

Node selector label value used to target dedicated Kubernetes nodes forlogger runtime services.

See Configuring dedicated node pools.

logger.resources.limits.cpuAdvancedIntroduced in version: 1.0.0

Default value:200m

The CPU limit for the resource in a Kubernetes container, in millicores.

logger.resources.limits.memoryAdvancedIntroduced in version: 1.0.0

Default value:500Mi

The memory limit for the resource in a Kubernetes container, in mebibytes.

logger.resources.requests.cpuAdvancedIntroduced in version: 1.0.0

Default value:100m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

logger.resources.requests.memoryAdvancedIntroduced in version: 1.0.0

Default value:250Mi

The memory needed for normal operation of the resource in a Kubernetes container, in mebibytes.

logger.serviceAccountPathBasicIntroduced in version: 1.0.0

Default value: None

One of eitherserviceAccountPath orserviceAccountRef is required.

Path to Google Service Account key file withLogs Writer role.

logger.serviceAccountRefBasicIntroduced in version: 1.2.0

Default value: None

One of eitherserviceAccountPath orserviceAccountRef is required.

logger.storageMaxChunksAdvancedIntroduced in version: 1.12.0

Default value: 128

The maximum number of chunks that can be up in memory. Chunks exceeding the limit will be saved in the file system.

logger.terminationGracePeriodSecondsAdvancedIntroduced in version: 1.0.0

Default value:30

The time between a request for pod deletion and when the pod is killed, in seconds. During this period, any prestop hooks will be executed and any running process should terminate gracefully.

logger.tolerations.effectAdvancedIntroduced in version: 1.10.1

Default value: None

Required to use theTaints and Tolerations feature of Kubernetes.

effect specifies the effect that matching a toleration with a taint will have. Values foreffect can be:

  • NoExecute
  • NoSchedule
  • PreferNoSchedule

SeeTaints and Tolerations: Concepts for details.

logger.tolerations.keyAdvancedIntroduced in version: 1.10.1

Default value: None

Required to use theTaints and Tolerations feature of Kubernetes.

key identifies pods to which the toleration can be applied.

SeeTaints and Tolerations: Concepts for details.

logger.tolerations.operatorAdvancedIntroduced in version: 1.10.1

Default value:"Equal"

Required to use theTaints and Tolerations feature of Kubernetes.

operator specifies the operation used to trigger theeffect. Values foroperator can be:

  • Equal matches the value set invalue.
  • Exists ignores the value set invalue.

SeeTaints and Tolerations: Concepts for details.

logger.tolerations.tolerationSecondsAdvancedIntroduced in version: 1.10.1

Default value: None

Used by theTaints and Tolerations feature of Kubernetes.

tolerationSeconds defines in seconds how long a pod stays bound to a failing or unresponsive node.

SeeTaints and Tolerations: Concepts for details.

logger.tolerations.valueAdvancedIntroduced in version: 1.10.1

Default value: None

Used by theTaints and Tolerations feature of Kubernetes.

value is the value that triggers theeffect whenoperator is set toEqual.

SeeTaints and Tolerations: Concepts for details.

mart

Defines the MART (Management API for RunTime data) service, which acts as an API provider forpublic Apigee APIs so that you can access and manage runtime data entities such as KMS (API Keys andOAuth tokens), KVM, Quota, and API products.

The following table describes the properties of themart object:

PropertyTypeDescription
mart.annotationsAdvancedIntroduced in version: 1.5.0

Default value: None

Optional key/value map used to annotate pods. For more information, seeCustom annotations.

mart.gsaAdvancedIntroduced in version: 1.10.0

Default value: None

Helm only: The email address of theapigee-mart Google IAM service account (GSA) to associate with the corresponding Kubernetes service account when enabling Workload Identity on GKE clusters using Helm charts. Set this when you have setgcp.workloadIdentity.enabled totrue.

GSA email addresses typically have the format of:

GSA_NAME@PROJECT_ID.iam.gserviceaccount.com

For example:

apigee-mart@my-hybrid-project.iam.gserviceaccount.com
Tip: You can find the email address of your service accounts with the following command:
gcloud iam service-accounts list --project ${PROJECT_ID} --filter "apigee"

SeeEnabling Workload Identity on GKE orEnabling Workload Identity Federation on AKS and EKS.

mart.hostAliasBasicIntroduced in version: 1.0.0

Default value: None

The host alias pointing to theMART object. You can set this property to* or a fully-qualified domain name.

mart.image.pullPolicyAdvancedIntroduced in version: 1.0.0

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

mart.image.tagAdvancedIntroduced in version: 1.0.0

Default value:1.13.4

The version label for this service's Docker image.

mart.image.urlAdvancedIntroduced in version: 1.0.0

Default value: None

The location of the Docker image for this service.

Useapigee-pull-push --list to see the current repository URL for this component.

Tip: Consider usinghub to set a private repository URL for all components instead of configuring them individually.
mart.initCheckCF.resources.requests.cpuAdvancedIntroduced in version: 1.0.0

Default value:10m

The amount of CPU resources allocated to the initialization check of the Cloud Foundry process.

mart.livenessProbe.failureThresholdAdvancedIntroduced in version: 1.0.0

Default value:12

The number of times Kubernetes will verify that liveness probes have failed before restarting the container. The minimum value is 1.

mart.livenessProbe.initialDelaySecondsAdvancedIntroduced in version: 1.0.0

Default value:15

The number of seconds after a container is started before a liveness probe is initiated.

mart.livenessProbe.periodSecondsAdvancedIntroduced in version: 1.0.0

Default value:5

Determines how often to perform a liveness probe, in seconds. The minimum value is 1.

mart.livenessProbe.timeoutSecondsAdvancedIntroduced in version: 1.0.0

Default value:1

The number of seconds after which a liveness probe times out. The minimum value is 1.

mart.metricsURLBasicIntroduced in version: 1.0.0

Default value:/v1/server/metrics

mart.nodeSelector.keyBasicIntroduced in version: 1.0.0

Default value: None

Optional node selector label key for targeting Kubernetes nodes formart runtime services. If you do not specify a key for mart.nodeselector, then your runtime uses the node specified in thenodeSelector object.

See Configuring dedicated node pools.

mart.nodeSelector.valueBasicIntroduced in version: 1.0.0

Default value: None

Optional node selector label value for targeting Kubernetes nodes formart runtime services. See also thenodeSelector object.

See Configuring dedicated node pools.

mart.readinessProbe.failureThresholdAdvancedIntroduced in version: 1.0.0

Default value:2

The number of times Kubernetes will verify that readiness probes have failed before marking the podunready. The minimum value is 1.

mart.readinessProbe.initialDelaySecondsAdvancedIntroduced in version: 1.0.0

Default value:15

The number of seconds after a container is started before a readiness probe is initiated.

mart.readinessProbe.periodSecondsAdvancedIntroduced in version: 1.0.0

Default value:5

Determines how often to perform a readiness probe, in seconds. The minimum value is 1.

mart.readinessProbe.successThresholdAdvancedIntroduced in version: 1.0.0

Default value:1

The minimum consecutive successes needed for a readiness probe to be considered successful after a failure. The minimum value is 1.

mart.readinessProbe.timeoutSecondsAdvancedIntroduced in version: 1.0.0

Default value:1

The number of seconds after which a liveness probe times out. The minimum value is 1.

mart.replicaCountMaxBasicIntroduced in version: 1.0.0

Default value:5

Maximum number of replicas available for autoscaling.

mart.replicaCountMinBasicIntroduced in version: 1.0.0

Default value:1

Minimum number of replicas available for autoscaling.

mart.resources.limits.cpuAdvancedIntroduced in version: 1.11.0

Default value:2000m

The CPU limit for the resource in a Kubernetes container, in millicores.

mart.resources.limits.memoryAdvancedIntroduced in version: 1.11.0

Default value:5Gi

The memory limit for the resource in a Kubernetes container, in mebibytes.

mart.resources.requests.cpuAdvancedIntroduced in version: 1.0.0

Default value:500m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

mart.resources.requests.memoryAdvancedIntroduced in version: 1.0.0

Default value:512Mi

The memory needed for normal operation of the resource in a Kubernetes container, in mebibytes.

mart.serviceAccountPathBasicIntroduced in version: 1.1.1

Default value: None

One of eitherserviceAccountPath orserviceAccountRef is required.

Path to Google Service Account key file withno role.

mart.serviceAccountRefBasicIntroduced in version: 1.2.0

Default value: None

One of eitherserviceAccountPath orserviceAccountRef is required.

mart.sslCertPathBasicIntroduced in version: 1.0.0

Default value: None

EithersslCertPath/sslKeyPath orsslSecret is required.

Local file system path for loading and encoding the SSL cert to a Secret.

mart.sslKeyPathBasicIntroduced in version: 1.0.0

Default value: None

EithersslCertPath/sslKeyPath orsslSecret is required.

Local file system path for loading and encoding the SSL key to a Secret.

mart.sslSecretBasicIntroduced in version: 1.2.0

Default value: None

EithersslCertPath/sslKeyPath orsslSecret is required.

The name of a file stored in a Kubernetes secret that contains the TLS certificate and private key. You must create the secret using the TLS certificate and key data as its input.

See also:

mart.targetCPUUtilizationPercentageAdvancedIntroduced in version: 1.0.0

Default value:75

Target CPU utilization for the MART process on the pod. The value of this field enables MART to auto-scale when CPU utilization reaches this value, up toreplicaCountMax.

mart.terminationGracePeriodSecondsAdvancedIntroduced in version: 1.0.0

Default value:30

The time between a request for pod deletion and when the pod is killed, in seconds. During this period, any prestop hooks will be executed and any running process should terminate gracefully.

mart.tolerations.effectAdvancedIntroduced in version: 1.10.1

Default value: None

Required to use theTaints and Tolerations feature of Kubernetes.

effect specifies the effect that matching a toleration with a taint will have. Values foreffect can be:

  • NoExecute
  • NoSchedule
  • PreferNoSchedule

SeeTaints and Tolerations: Concepts for details.

mart.tolerations.keyAdvancedIntroduced in version: 1.10.1

Default value: None

Required to use theTaints and Tolerations feature of Kubernetes.

key identifies pods to which the toleration can be applied.

SeeTaints and Tolerations: Concepts for details.

mart.tolerations.operatorAdvancedIntroduced in version: 1.10.1

Default value:"Equal"

Required to use theTaints and Tolerations feature of Kubernetes.

operator specifies the operation used to trigger theeffect. Values foroperator can be:

  • Equal matches the value set invalue.
  • Exists ignores the value set invalue.

SeeTaints and Tolerations: Concepts for details.

mart.tolerations.tolerationSecondsAdvancedIntroduced in version: 1.10.1

Default value: None

Used by theTaints and Tolerations feature of Kubernetes.

tolerationSeconds defines in seconds how long a pod stays bound to a failing or unresponsive node.

SeeTaints and Tolerations: Concepts for details.

mart.tolerations.valueAdvancedIntroduced in version: 1.10.1

Default value: None

Used by theTaints and Tolerations feature of Kubernetes.

value is the value that triggers theeffect whenoperator is set toEqual.

SeeTaints and Tolerations: Concepts for details.

metrics

Defines the service that collects operations metrics. You can use metrics data to monitor thehealth of Hybrid services, to set up alerts, and so on.

For more information, seeMetrics collection overview.

The following table describes the properties of themetrics object:

PropertyTypeDescription
metrics.adapter.image.pullPolicyAdvancedIntroduced in version: 1.8.1

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

metrics.adapter.image.tagAdvancedIntroduced in version: 1.8.1

Default value:v0.11.0

The version label for this service's Docker image.

metrics.adapter.image.urlAdvancedIntroduced in version: 1.8.1

Default value: None

The location of the Docker image for this service.

Useapigee-pull-push --list to see the current repository URL for this component.

Tip: Consider usinghub to set a private repository URL for all components instead of configuring them individually.
metrics.adapter.resources.limits.cpuAdvancedIntroduced in version: 1.13.3

Default value:500m

The CPU limit for the adapter resource in a Kubernetes container, in millicores.

metrics.adapter.resources.limits.memoryAdvancedIntroduced in version: 1.13.3

Default value:4Gi

The memory limit for the adapter resource in a Kubernetes container, in gibibytes.

metrics.adapter.resources.requests.cpuAdvancedIntroduced in version: 1.13.3

Default value:100m

The CPU needed for normal operation of the adapter in a Kubernetes container, in millicores.

metrics.adapter.resources.requests.memoryAdvancedIntroduced in version: 1.13.3

Default value:128Mi

The memory needed for normal operation of the adapter in a Kubernetes container, in mebibytes.

metrics.aggregator.resources.requests.cpuAdvancedIntroduced in version: 1.4.0

Default value:500m

The CPU needed for normal operation of the aggregator in a Kubernetes container, in millicores.

Note: Usemetrics.appStackdriverExporter.resources.requests.cpu instead ofmetrics.aggregator.resources.requests.cpu.
metrics.aggregator.resources.requests.memoryAdvancedIntroduced in version: 1.4.0

Default value:512Mi

The memory needed for normal operation of the aggregator in a Kubernetes container, in mebibytes.

Note: Usemetrics.appStackdriverExporter.resources.requests.memory instead ofmetrics.aggregator.resources.requests.memory.
metrics.aggregator.resources.limits.cpuAdvancedIntroduced in version: 1.4.0

Default value:500m

The CPU limit for the aggregator resource in a Kubernetes container, in millicores.

Note: Usemetrics.appStackdriverExporter.resources.limits.cpu instead ofmetrics.aggregator.resources.limits.cpu.
metrics.aggregator.resources.limits.memoryAdvancedIntroduced in version: 1.4.0

Default value:3Gi

The memory limit for the aggregator resource in a Kubernetes container, in gibibytes.

Note: Usemetrics.appStackdriverExporter.resources.limits.memory instead ofmetrics.aggregator.resources.limits.memory.
metrics.annotationsAdvancedIntroduced in version: 1.5.0

Default value: None

Optional key/value map used to annotate pods. For more information, seeCustom annotations.

metrics.app.resources.requests.cpuAdvancedIntroduced in version: 1.4.0

Default value:500m

The CPU needed for normal operation of the app in a Kubernetes container, in millicores.

metrics.app.resources.requests.memoryAdvancedIntroduced in version: 1.4.0

Default value:512Mi

The memory needed for normal operation of the app in a Kubernetes container, in mebibytes.

metrics.app.resources.limits.cpuAdvancedIntroduced in version: 1.4.0

Default value:500m

The CPU limit for the app resource in a Kubernetes container, in millicores.

metrics.app.resources.limits.memoryAdvancedIntroduced in version: 1.4.0

Default value:1Gi

The memory limit for the app resource in a Kubernetes container, in gibibytes.

metrics.appStackdriverExporter.resources.requests.cpuAdvancedIntroduced in version: 1.7.0

Default value:128m

The CPU needed for normal operation of the stackdriverExporter in a Kubernetes container, in millicores.

metrics.appStackdriverExporter.resources.requests.memoryAdvancedIntroduced in version: 1.7.0

Default value:512Mi

The memory needed for normal operation of the stackdriverExporter in a Kubernetes container, in mebibytes.

metrics.appStackdriverExporter.resources.limits.cpuAdvancedIntroduced in version: 1.7.0

Default value:500m

The CPU limit for the stackdriverExporter resource in a Kubernetes container, in millicores.

metrics.appStackdriverExporter.resources.limits.memoryAdvancedIntroduced in version: 1.7.0

Default value:1Gi

The memory limit for the stackdriverExporter resource in a Kubernetes container, in gibibytes.

metrics.collector.envVarsBasicIntroduced in version: 1.13

Default value: None

Allows you to pass in and override environment variables in OpenTelemetry. For example, you can defineHTTP_PROXY,HTTPS_PROXY, orNO_PROXY to have its requests pass through the proxy server.

TheHTTP_PROXY variable can be defined as a string containing the host name, in the format:

metrics:...  envVars:    HTTP_PROXY: '<host-name>'

for example:

  envVars:    HTTP_PROXY: 'http://1.1.1.1:80'

TheHTTPS_PROXY variable can be defined as a string containing the host name, in the format:

metrics:...  envVars:    HTTPS_PROXY: '<host-name>'

for example:

  envVars:    HTTPS_PROXY: 'https://1.1.1.1:80'

TheNO_PROXY variable should be defined as a comma-separated string of host names, in the format:

metrics:...envVars:  NO_PROXY: '<comma-separated-values>'

for example:

envVars:  NO_PROXY: 'https://1.1.1.1:80, https://1.1.1.1:81'

UseenvVars: HTTP_PROXY,envVars: HTTPS_PROXY, orenvVars: NO_PROXY optionally when you have HTTP forward proxy enabled.

SeeProxy support in the OpenTelemetry documentation.

metrics.collector.imagePullPolicyAdvancedIntroduced in version: 1.12.0

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, seeUse a private image repository with Apigee hybrid.

metrics.collector.image.tagBasicIntroduced in version: 1.12.0

Default value:v0.93.0

The version label for this service's Docker image.

metrics.collector.image.urlBasicIntroduced in version: 1.12.0

Default value: None

The location of the Docker image for this service.

Useapigee-pull-push --list to see the current repository URL for this component.

Tip: Consider usinghub to set a private repository URL for all components instead of configuring them individually.
metrics.collector.resources.requests.cpuAdvancedIntroduced in version: 1.12.0

Default value:500m

The CPU needed for normal operation of the app in a Kubernetes container, in millicores.

metrics.collector.resources.requests.memoryAdvancedIntroduced in version: 1.12.0

Default value:512Mi

The memory needed for normal operation of the app in a Kubernetes container, in mebibytes.

metrics.collector.resources.limits.cpuAdvancedIntroduced in version: 1.12.0

Default value:500m

The CPU limit for the app resource in a Kubernetes container, in millicores.

metrics.collector.resources.limits.memoryAdvancedIntroduced in version: 1.12.0

Default value:1Gi

The memory limit for the app resource in a Kubernetes container, in gibibytes.

metrics.collector.livenessProbe.failureThresholdAdvancedIntroduced in version: 1.12.0

Default value:5

The number of times Kubernetes will verify that liveness probes have failed before restarting the container. The minimum value is 1.

metrics.collector.livenessProbe.initialDelaySecondsAdvancedIntroduced in version: 1.12.0

Default value:30

The number of seconds after a container is started before a liveness probe is initiated.

metrics.collector.livenessProbe.periodSecondsAdvancedIntroduced in version: 1.12.0

Default value:10

Determines how often to perform a liveness probe, in seconds. The minimum value is 1.

metrics.collector.livenessProbe.successThresholdAdvancedIntroduced in version: 1.12.0

Default value:1

The minimum consecutive successes needed for a liveness probe to be considered successful after a failure. The minimum value is 1.

metrics.collector.livenessProbe.timeoutSecondsAdvancedIntroduced in version: 1.12.0

Default value:5

The number of seconds after which a liveness probe times out. The minimum value is 1.

metrics.collector.readinessProbe.failureThresholdAdvancedIntroduced in version: 1.12.0

Default value:3

The number of times Kubernetes will verify that readiness probes have failed before marking the pod unready. The minimum value is 1.

metrics.collector.readinessProbe.initialDelaySecondsAdvancedIntroduced in version: 1.12.0

Default value:30

The number of seconds after a container is started before a readiness probe is initiated.

metrics.collector.readinessProbe.periodSecondsAdvancedIntroduced in version: 1.12.0

Default value:10

Determines how often to perform a readiness probe, in seconds. The minimum value is 1.

metrics.collector.readinessProbe.successThresholdAdvancedIntroduced in version: 1.12.0

Default value:1

The minimum consecutive successes needed for a readiness probe to be considered successful after a failure. The minimum value is 1.

metrics.collector.readinessProbe.timeoutSecondsAdvancedIntroduced in version: 1.12.0

Default value:5

The number of seconds after which a liveness probe times out. The minimum value is 1.

metrics.disablePrometheusPipelineBasicIntroduced in version: 1.12.0

Default value:true

Metrics forProxyV2 andTargetV2 monitored resources are not emitted when set totrue. Use metrics forProxy andTarget monitored resources instead.

metrics.enabledBasicIntroduced in version: 1.0.0

Default value:true

Enables Apigee metrics. Set totrue to enable metrics. Set tofalse to disable metrics.

metrics.gsaAdvancedIntroduced in version: 1.10.0

Default value: None

Helm only: The email address of theapigee-metrics Google IAM service account (GSA) to associate with the corresponding Kubernetes service account when enabling Workload Identity on GKE clusters using Helm charts. Set this when you have setgcp.workloadIdentity.enabled totrue.

GSA email addresses typically have the format of:

GSA_NAME@PROJECT_ID.iam.gserviceaccount.com

For example:

apigee-metrics@my-hybrid-project.iam.gserviceaccount.com
Tip: You can find the email address of your service accounts with the following command:
gcloud iam service-accounts list --project ${PROJECT_ID} --filter "apigee"

SeeEnabling Workload Identity on GKE orEnabling Workload Identity Federation on AKS and EKS.

metrics.nodeSelector.keyBasicIntroduced in version: 1.0.0

Default value: None

Required

Node selector label key used to target dedicated Kubernetes nodes formetrics runtime services.

See Configuring dedicated node pools.

metrics.nodeSelector.valueBasicIntroduced in version: 1.0.0

Default value: None

Required

Node selector label value used to target dedicated Kubernetes nodes formetrics runtime services.

See Configuring dedicated node pools.

metrics.prometheus.containerPortAdvancedIntroduced in version: 1.0.0

Default value:9090

The port to connect to the Prometheus metrics service.

metrics.prometheus.image.pullPolicyAdvancedIntroduced in version: 1.0.0

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

metrics.prometheus.image.tagAdvancedIntroduced in version: 1.0.0

Default value:v2.45.0

The version label for this service's Docker image.

metrics.prometheus.image.urlAdvancedIntroduced in version: 1.0.0

Default value: None

The location of the Docker image for this service.

Useapigee-pull-push --list to see the current repository URL for this component.

Tip: Consider usinghub to set a private repository URL for all components instead of configuring them individually.
metrics.prometheus.livenessProbe.failureThresholdAdvancedIntroduced in version: 1.0.0

Default value:6

The number of times Kubernetes will verify that liveness probes have failed before restarting the container. The minimum value is 1.

metrics.prometheus.livenessProbe.periodSecondsAdvancedIntroduced in version: 1.0.0

Default value:5

Determines how often to perform a liveness probe, in seconds. The minimum value is 1.

metrics.prometheus.livenessProbe.timeoutSecondsAdvancedIntroduced in version: 1.0.0

Default value:3

The number of seconds after which a liveness probe times out. The minimum value is 1.

metrics.prometheus.readinessProbe.failureThresholdAdvancedIntroduced in version: 1.0.0

Default value:120

The number of times Kubernetes will verify that readiness probes have failed before marking the podunready. The minimum value is 1.

metrics.prometheus.readinessProbe.periodSecondsAdvancedIntroduced in version: 1.0.0

Default value:5

Determines how often to perform a readiness probe, in seconds. The minimum value is 1.

metrics.prometheus.readinessProbe.timeoutSecondsAdvancedIntroduced in version: 1.0.0

Default value:3

The number of seconds after which a liveness probe times out. The minimum value is 1.

metrics.prometheus.resources.limits.cpuAdvancedIntroduced in version: 1.13.3

Default value:500m

The CPU limit for the prometheus resource in a Kubernetes container, in millicores.

metrics.prometheus.resources.limits.memoryAdvancedIntroduced in version: 1.13.3

Default value:4Gi

The memory limit for the prometheus resource in a Kubernetes container, in gibibytes.

metrics.prometheus.resources.requests.cpuAdvancedIntroduced in version: 1.13.3

Default value:128m

The CPU needed for normal operation of the prometheus in a Kubernetes container, in millicores.

metrics.prometheus.resources.requests.memoryAdvancedIntroduced in version: 1.13.3

Default value:512Mi

The memory needed for normal operation of the prometheus in a Kubernetes container, in mebibytes.

metrics.prometheus.sslCertPathBasicIntroduced in version: 1.0.0

Default value: None

Required

Path to the SSL cert for the Prometheus metrics collection process. Prometheus is a tool Apigee can use for collecting and processing metrics.

See:

metrics.prometheus.sslKeyPathBasicIntroduced in version: 1.0.0

Default value: None

Required

Path to the SSL Key for the Prometheus metrics collection process. Prometheus is a tool Apigee can use for collecting and processing metrics.

See:

metrics.proxy.resources.requests.cpuAdvancedIntroduced in version: 1.4.0

Default value:500m

The CPU needed for normal operation of the proxy in a Kubernetes container, in millicores.

metrics.proxy.resources.requests.memoryAdvancedIntroduced in version: 1.4.0

Default value:512Mi

The memory needed for normal operation of the proxy in a Kubernetes container, in mebibytes.

metrics.proxy.resources.limits.cpuAdvancedIntroduced in version: 1.4.0

Default value:500m

The CPU limit for the proxy resource in a Kubernetes container, in millicores.

metrics.proxy.resources.limits.memoryAdvancedIntroduced in version: 1.4.0

Default value:1Gi

The memory limit for the proxy resource in a Kubernetes container, in gibibytes.

metrics.proxyStackdriverExporter.resources.requests.cpuAdvancedIntroduced in version: 1.7.0

Default value:128m

The CPU needed for normal operation of the stackdriverExporter in a Kubernetes container, in millicores.

metrics.proxyStackdriverExporter.resources.requests.memoryAdvancedIntroduced in version: 1.7.0

Default value:512Mi

The memory needed for normal operation of the stackdriverExporter in a Kubernetes container, in mebibytes.

metrics.proxyStackdriverExporter.resources.limits.cpuAdvancedIntroduced in version: 1.7.0

Default value:500m

The CPU limit for the stackdriverExporter resource in a Kubernetes container, in millicores.

metrics.proxyStackdriverExporter.resources.limits.memoryAdvancedIntroduced in version: 1.7.0

Default value:1Gi

The memory limit for the stackdriverExporter resource in a Kubernetes container, in gibibytes.

metrics.proxyURLBasicIntroduced in version: 1.0.0

Default value: None

URL for the metrics process sidecar proxy in the Kubernetes cluster.

metrics.sdSidecar.containerPortAdvancedIntroduced in version: 1.0.0

Default value:9091

The port for connecting to the Cloud Monitoring metrics service.

metrics.sdSidecar.image.pullPolicyAdvancedIntroduced in version: 1.0.0

Default value:IfNotPresent

Determines when Kubelet pulls this service's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists
  • Always: Always pull the policy, even if it already exists

    For more information, see Updating images.

metrics.sdSidecar.image.tagAdvancedIntroduced in version: 1.0.0

Default value:v0.9.0

The version label for this service's Docker image.

metrics.sdSidecar.image.urlAdvancedIntroduced in version: 1.0.0

Default value: None

The location of the Docker image for this service.

Useapigee-pull-push --list to see the current repository URL for this component.

Tip: Consider usinghub to set a private repository URL for all components instead of configuring them individually.
metrics.serviceAccountPathBasicIntroduced in version: 1.0.0

Default value: None

One of eitherserviceAccountPath orserviceAccountRef is required.

Path to Google Service Account key file withMonitoring Metric Writer role.

metrics.serviceAccountRefBasicIntroduced in version: 1.2.0

Default value: None

One of eitherserviceAccountPath orserviceAccountRef is required.

metrics.stackdriverExporter.resources.requests.cpuAdvancedIntroduced in version: 1.4.0

Deprecated: Starting in Hybrid version 1.8,metrics:stackdriverExporter has been replaced withmetrics:appStackdriverExporter andmetrics:proxyStackdriverExporter. See:

metrics.stackdriverExporter.resources.requests.memoryAdvancedIntroduced in version: 1.4.0

Deprecated: Starting in Hybrid version 1.8,metrics:stackdriverExporter has been replaced withmetrics:appStackdriverExporter andmetrics:proxyStackdriverExporter. See:

metrics.stackdriverExporter.resources.limits.cpuAdvancedIntroduced in version: 1.4.0

Deprecated: Starting in Hybrid version 1.8,metrics:stackdriverExporter has been replaced withmetrics:appStackdriverExporter andmetrics:proxyStackdriverExporter. See:

metrics.stackdriverExporter.resources.limits.memoryAdvancedIntroduced in version: 1.4.0

Deprecated: Starting in Hybrid version 1.8,metrics:stackdriverExporter has been replaced withmetrics:appStackdriverExporter andmetrics:proxyStackdriverExporter. See:

metrics.terminationGracePeriodSecondsAdvancedIntroduced in version: 1.0.0

Default value:300

The time between a request for pod deletion and when the pod is killed, in seconds. During this period, any prestop hooks will be executed and any running process should terminate gracefully.

metrics.tolerations.effectAdvancedIntroduced in version: 1.10.1

Default value: None

Required to use theTaints and Tolerations feature of Kubernetes.

effect specifies the effect that matching a toleration with a taint will have. Values foreffect can be:

  • NoExecute
  • NoSchedule
  • PreferNoSchedule

SeeTaints and Tolerations: Concepts for details.

metrics.tolerations.keyAdvancedIntroduced in version: 1.10.1

Default value: None

Required to use theTaints and Tolerations feature of Kubernetes.

key identifies pods to which the toleration can be applied.

SeeTaints and Tolerations: Concepts for details.

metrics.tolerations.operatorAdvancedIntroduced in version: 1.10.1

Default value:"Equal"

Required to use theTaints and Tolerations feature of Kubernetes.

operator specifies the operation used to trigger theeffect. Values foroperator can be:

  • Equal matches the value set invalue.
  • Exists ignores the value set invalue.

SeeTaints and Tolerations: Concepts for details.

metrics.tolerations.tolerationSecondsAdvancedIntroduced in version: 1.10.1

Default value: None

Used by theTaints and Tolerations feature of Kubernetes.

tolerationSeconds defines in seconds how long a pod stays bound to a failing or unresponsive node.

SeeTaints and Tolerations: Concepts for details.

metrics.tolerations.valueAdvancedIntroduced in version: 1.10.1

Default value: None

Used by theTaints and Tolerations feature of Kubernetes.

value is the value that triggers theeffect whenoperator is set toEqual.

SeeTaints and Tolerations: Concepts for details.

mintTaskScheduler

mintTaskScheduler is the cron job to schedule monetization tasks, like recurring fee calculation on a periodic basis.

The following table describes the properties of themintTaskScheduler object:

PropertyTypeDescription
mintTaskScheduler.image.pullPolicyAdvancedIntroduced in version: 1.7.0

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

mintTaskScheduler.image.tagAdvancedIntroduced in version: 1.7.0

Default value:1.13.4

The version label for this service's Docker image.

mintTaskScheduler.image.urlAdvancedIntroduced in version: 1.7.0

Default value: None

The location of the Docker image for this service.

Useapigee-pull-push --list to see the current repository URL for this component.

Tip: Consider usinghub to set a private repository URL for all components instead of configuring them individually.
mintTaskScheduler.resources.limits.cpuAdvancedIntroduced in version: 1.1.0

Default value:2000m

The CPU limit for the resource in a Kubernetes container, in millicores.

mintTaskScheduler.resources.limits.memoryAdvancedIntroduced in version: 1.1.0

Default value:4Gi

The memory limit for the resource in a Kubernetes container, in mebibytes.

mintTaskScheduler.resources.requests.cpuAdvancedIntroduced in version: 1.7.0

Default value:500m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

mintTaskScheduler.resources.requests.memoryAdvancedIntroduced in version: 1.7.0

Default value:512Mi

The memory needed for normal operation of the resource in a Kubernetes container, in mebibytes.

mintTaskScheduler.tolerations.effectAdvancedIntroduced in version: 1.10.1

Default value: None

Required to use theTaints and Tolerations feature of Kubernetes.

effect specifies the effect that matching a toleration with a taint will have. Values foreffect can be:

  • NoExecute
  • NoSchedule
  • PreferNoSchedule

SeeTaints and Tolerations: Concepts for details.

mintTaskScheduler.tolerations.keyAdvancedIntroduced in version: 1.10.1

Default value: None

Required to use theTaints and Tolerations feature of Kubernetes.

key identifies pods to which the toleration can be applied.

SeeTaints and Tolerations: Concepts for details.

mintTaskScheduler.tolerations.operatorAdvancedIntroduced in version: 1.10.1

Default value:"Equal"

Required to use theTaints and Tolerations feature of Kubernetes.

operator specifies the operation used to trigger theeffect. Values foroperator can be:

  • Equal matches the value set invalue.
  • Exists ignores the value set invalue.

SeeTaints and Tolerations: Concepts for details.

mintTaskScheduler.tolerations.tolerationSecondsAdvancedIntroduced in version: 1.10.1

Default value: None

Used by theTaints and Tolerations feature of Kubernetes.

tolerationSeconds defines in seconds how long a pod stays bound to a failing or unresponsive node.

SeeTaints and Tolerations: Concepts for details.

mintTaskScheduler.tolerations.valueAdvancedIntroduced in version: 1.10.1

Default value: None

Used by theTaints and Tolerations feature of Kubernetes.

value is the value that triggers theeffect whenoperator is set toEqual.

SeeTaints and Tolerations: Concepts for details.

newDataPipeline

newDataPipeline determines if Apigee hybrid uses thenew data pipeline for the runtime components to write data directly to the control plane. This property is required for data residency-enabled hybrid orgs at v1.13.1 or later. Do not attempt to use the new data pipeline feature with non data residency-enabled orgs; only new orgs created on hybrid v1.13.1 can use this new feature. See alsoUsing data residency with Apigee hybrid.

The following table describes the properties of thenewDataPipeline object:

PropertyTypeDescription
newDataPipeline.debugSessionAdvancedIntroduced in version: 1.13.1

Default value:false

Determines if the new Pub/Sub data pipeline is enabled. Set this property totrue to usethe new data pipeline (required for new hybrid v1.13.1 orgs withdata residency-enabled).Leave it set tofalse to disable the new data pipeline. For more information, seeConfigure hybrid to use the new data pipeline.

newDataPipeline.analyticsAdvancedIntroduced in version: 1.13.1

Default value:false

Determines if analytics use the new Pub/Sub data pipeline. Set this totrue toenable analytics to use the new data pipeline (required for new hybrid v1.13.1 orgs withdata residency-enabled). Leave it set tofalse to force analytics to use the old data pipeline. For more information, seeConfigure hybrid to use the new data pipeline.

residency.

nodeSelector

ThenodeSelector object defines the node for your Apigee instance. Behind the scenes Apigee hybrid takes care to map the label key/value forapigeeRuntime andapigeeData to the individual Istio and MART components when you install or upgrade theapigee-org andapigee-ingress-manager charts. You can override this for individual objects in themart:nodeSelector property.

The following table describes the properties of thenodeSelector object:

PropertyTypeDescription
nodeSelector.apigeeData.keyAdvancedIntroduced in version: 1.0.0

Default value:cloud.google.com/gke-nodepool

ApigeeData is the node for the Cassandra database. Node selector label key for targeting Kubernetes nodes for working with Apigee services data.

SeeConfigure dedicated node pools.

nodeSelector.apigeeData.valueAdvancedIntroduced in version: 1.0.0

Default value:apigee-data

apigee-data is the node for the Cassandra database. Node selector label value for targeting Kubernetes nodes for working with Apigee services data.

SeeConfigure dedicated node pools.

nodeSelector.apigeeRuntime.keyAdvancedIntroduced in version: 1.0.0

Default value:cloud.google.com/gke-nodepool

Apigee Runtime is the node for the runtime environment for the project. Node selector label key for targeting Kubernetes nodes for Apigee runtime services.

SeeConfigure dedicated node pools.

nodeSelector.apigeeRuntime.valueAdvancedIntroduced in version: 1.0.0

Default value:apigee-runtime

apigee-runtime is the node for the runtime environment for the project. Node selector label value for targeting Kubernetes nodes for Apigee runtime services.

SeeConfigure dedicated node pools.

nodeSelector.requiredForSchedulingAdvancedIntroduced in version: 1.0.0

Default value: true

TherequiredForScheduling property defaults totrue. Whentrue, it means that if Kubernetes cannot find nodes with the label key/value that is configured then the underlying Pods will not get scheduled on VM worker nodes.

For production,nodeSelector.requiredForScheduling should be set to true.

SeeConfigure dedicated node pools.

redis

The following table describes the properties of theredis object:

PropertyTypeDescription
redis.auth.passwordBasicIntroduced in version: 1.6.0

Default value:iloveapis123

Required

Password for the Redis administrator. The admin user is used for any administrative activities performed on the Redis cluster.

redis.auth.secretBasicIntroduced in version: 1.9.1

Default value: None

The name of the file stored in a Kubernetes secret that contains the password for the Redis administrator. The secret file should contain the key:

data:redis.auth.password:encoded_value

See also:

redis.envoy.image.pullPolicyAdvancedIntroduced in version: 1.6.0

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

redis.envoy.image.tagAdvancedIntroduced in version: 1.6.0

Default value:v1.27.0

The version label for this service's Docker image.

redis.envoy.image.urlAdvancedIntroduced in version: 1.6.0

Default value: None

The location of the Docker image for this service.

Useapigee-pull-push --list to see the current repository URL for this component.

Tip: Consider usinghub to set a private repository URL for all components instead of configuring them individually.
redis.image.pullPolicyAdvancedIntroduced in version: 1.6.0

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

redis.image.tagAdvancedIntroduced in version: 1.6.0

Default value:1.13.4

The version label for this service's Docker image.

redis.image.urlAdvancedIntroduced in version: 1.6.0

Default value: None

The location of the Docker image for this service.

Useapigee-pull-push --list to see the current repository URL for this component.

Tip: Consider usinghub to set a private repository URL for all components instead of configuring them individually.
redis.replicaCountBasicIntroduced in version: 1.6.0

Default value:2

Redis is a replicated storage. This property specifies the number of Redis nodes employed as aStatefulSet.

redis.resources.requests.cpuAdvancedIntroduced in version: 1.6.0

Default value:500m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

Apigee recommends a value from500m to1000m. With 0.5 cores, a Redis node can typically handle 10K QPS. With 1.0 core, it can typically handle 20K QPS. CPU request resources above 1000m are not helpful in most cases.
redis.tolerations.effectAdvancedIntroduced in version: 1.10.1

Default value: None

Required to use theTaints and Tolerations feature of Kubernetes.

effect specifies the effect that matching a toleration with a taint will have. Values foreffect can be:

  • NoExecute
  • NoSchedule
  • PreferNoSchedule

SeeTaints and Tolerations: Concepts for details.

redis.tolerations.keyAdvancedIntroduced in version: 1.10.1

Default value: None

Required to use theTaints and Tolerations feature of Kubernetes.

key identifies pods to which the toleration can be applied.

SeeTaints and Tolerations: Concepts for details.

redis.tolerations.operatorAdvancedIntroduced in version: 1.10.1

Default value:"Equal"

Required to use theTaints and Tolerations feature of Kubernetes.

operator specifies the operation used to trigger theeffect. Values foroperator can be:

  • Equal matches the value set invalue.
  • Exists ignores the value set invalue.

SeeTaints and Tolerations: Concepts for details.

redis.tolerations.tolerationSecondsAdvancedIntroduced in version: 1.10.1

Default value: None

Used by theTaints and Tolerations feature of Kubernetes.

tolerationSeconds defines in seconds how long a pod stays bound to a failing or unresponsive node.

SeeTaints and Tolerations: Concepts for details.

redis.tolerations.valueAdvancedIntroduced in version: 1.10.1

Default value: None

Used by theTaints and Tolerations feature of Kubernetes.

value is the value that triggers theeffect whenoperator is set toEqual.

SeeTaints and Tolerations: Concepts for details.

runtime

The following table describes the properties of theruntime object:

PropertyTypeDescription
runtime.annotationsAdvancedIntroduced in version: 1.5.0

Default value: None

Optional key/value map used to annotate pods. For more information, seeCustom annotations.

runtime.envVarsBasicIntroduced in version: 1.13.1

Default value: None

Allows you to supply additional env variables to the runtime component in a key-value pair:

runtime:  envVars:KEY_1:VALUE_N    ... ...KEY_N:VALUE_N

for example:

runtime:  envVars:    RUNTIME_ENV_VAR1: "value of runtime env-var 1"    RUNTIME_ENV_VAR2: "value of runtime env-var 2"
runtime.hpaBehavior.scaleDown.percent.periodSecondsAdvancedIntroduced in version: 1.7.0

Default value: 60

The window of time for which the policy should hold true when scaling down a percentage of runtime instances.

runtime.hpaBehavior.scaleDown.percent.valueAdvancedIntroduced in version: 1.7.0

Default value: 20

The amount of change which is permitted by the policy when scaling down a percentage of runtime instances.

runtime.hpaBehavior.scaleDown.pods.periodSecondsAdvancedIntroduced in version: 1.7.0

Default value: 60

The window of time for which the policy should hold true when scaling down a number of runtime instances.

runtime.hpaBehavior.scaleDown.pods.valueAdvancedIntroduced in version: 1.7.0

Default value: 20

The amount of change which is permitted by the policy when scaling down a number of runtime instances.

runtime.hpaBehavior.scaleDown.selectPolicyAdvancedIntroduced in version: 1.7.0

Default value: Min

The decision that autoscaler makes between multiple autoscaling policies. Set the value toMin allows the smallest change in scaling down runtime instances. Set the value toMax allows the largest change in scaling down runtime instances.

runtime.hpaBehavior.scaleDown.stabilizationWindowSecondsAdvancedIntroduced in version: 1.7.0

Default value: 120

The number of seconds for which past recommendations should be considered while scaling down.

runtime.hpaBehavior.scaleUp.percent.periodSecondsAdvancedIntroduced in version: 1.7.0

Default value: 60

The window of time for which the policy should hold true when scaling up a percentage of runtime instances.

runtime.hpaBehavior.scaleUp.percent.valueAdvancedIntroduced in version: 1.7.0

Default value: 20

The window of time for which the policy should hold true when scaling up a percentage of runtime instances.

runtime.hpaBehavior.scaleUp.pods.periodSecondsAdvancedIntroduced in version: 1.7.0

Default value: 60

The window of time for which the policy should hold true when scaling up a number of runtime instances.

runtime.hpaBehavior.scaleUp.pods.valueAdvancedIntroduced in version: 1.7.0

Default value: 4

The amount of change which is permitted by the policy when scaling up a number of runtime instances.

runtime.hpaBehavior.scaleUp.selectPolicyAdvancedIntroduced in version: 1.7.0

Default value: Max

The decision that autoscaler makes between multiple autoscaling policies. Set the value toMin allows the smallest change in scaling up runtime instances. Set the value toMaxallows the largest change in scaling up runtime instances.

runtime.hpaBehavior.scaleUp.stabilizationWindowSecondsAdvancedIntroduced in version: 1.7.0

Default value: 30

The number of seconds for which past recommendations should be considered while scaling up runtime instances.

runtime.hpaMetrics.serverMainTaskWaitTimeAdvancedIntroduced in version: 1.7.0

Default value: 400M

The desired average wait time (in ms) of processing queue in runtime instances for proxy requests at the http layer.

runtime.hpaMetrics.serverNioTaskWaitTimeAdvancedIntroduced in version: 1.7.0

Default value: 400M

The desired average wait time (in ms) of processing queue in runtime instances for proxy requests to process policies.

runtime.hpaMetrics.targetCPUUtilizationPercentageAdvancedIntroduced in version: 1.7.0

Default value: 75

The desired CPU utilization percentage across all runtime instances.

runtime.image.pullPolicyAdvancedIntroduced in version: 1.0.0

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

runtime.image.tagAdvancedIntroduced in version: 1.0.0

Default value:1.13.4

The version label for this service's Docker image.

runtime.image.urlAdvancedIntroduced in version: 1.0.0

Default value: None

The location of the Docker image for this service.

Useapigee-pull-push --list to see the current repository URL for this component.

Tip: Consider usinghub to set a private repository URL for all components instead of configuring them individually.
runtime.livenessProbe.failureThresholdAdvancedIntroduced in version: 1.0.0

Default value:2

The number of times Kubernetes will verify that liveness probes have failed before restarting the container. The minimum value is 1.

runtime.livenessProbe.initialDelaySecondsAdvancedIntroduced in version: 1.0.0

Default value:60

The number of seconds after a container is started before a liveness probe is initiated.

runtime.livenessProbe.periodSecondsAdvancedIntroduced in version: 1.0.0

Default value:5

Determines how often to perform a liveness probe, in seconds. The minimum value is 1.

runtime.livenessProbe.timeoutSecondsAdvancedIntroduced in version: 1.0.0

Default value:1

The number of seconds after which a liveness probe times out. The minimum value is 1.

runtime.nodeSelector.keyBasicIntroduced in version: 1.0.0

Default value: None

Optional Node selector label key for targeting Kubernetes nodes forruntime services.

SeenodeSelector property.

runtime.nodeSelector.valueBasicIntroduced in version: 1.0.0

Default value: None

Node selector label value for targeting Kubernetes nodes forruntime services.

See Configuring dedicated node pools.

runtime.readinessProbe.failureThresholdAdvancedIntroduced in version: 1.0.0

Default value:2

The number of times Kubernetes will verify that readiness probes have failed before marking the podunready. The minimum value is 1.

runtime.readinessProbe.initialDelaySecondsAdvancedIntroduced in version: 1.0.0

Default value:60

The number of seconds after a container is started before a readiness probe is initiated.

runtime.readinessProbe.periodSecondsAdvancedIntroduced in version: 1.0.0

Default value:5

Determines how often to perform a readiness probe, in seconds. The minimum value is 1.

runtime.readinessProbe.successThresholdAdvancedIntroduced in version: 1.0.0

Default value:1

The minimum consecutive successes needed for a readiness probe to be considered successful after a failure. The minimum value is 1.

runtime.readinessProbe.timeoutSecondsAdvancedIntroduced in version: 1.0.0

Default value:1

The number of seconds after which a liveness probe times out. The minimum value is 1.

runtime.replicaCountMaxBasicIntroduced in version: 1.0.0

Default value:4

Maximum number of replicas available for autoscaling.

runtime.replicaCountMinBasicIntroduced in version: 1.0.0

Default value:1

Minimum number of replicas available for autoscaling.

runtime.resources.limits.cpuAdvancedIntroduced in version: 1.11.0

Default value:4000m

The CPU limit for the resource in a Kubernetes container, in millicores.

runtime.resources.limits.memoryAdvancedIntroduced in version: 1.11.0

Default value:6Gi

The memory limit for the resource in a Kubernetes container, in mebibytes.

runtime.resources.requests.cpuAdvancedIntroduced in version: 1.0.0

Default value:500m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

Note:To achieve smooth autoscaling of the message processors to accommodate traffic increases, we recommend that you do not exceed two cores (2000 millicores) if you decide to override the default.

Apigee runtime components are bounded by I/O, and adding more CPU capacity does not always help with traffic increases. When there are high CPU requests, message processors may not autoscale and liveliness probes may fail with high traffic.

runtime.resources.requests.memoryAdvancedIntroduced in version: 1.0.0

Default value:512Mi (see note below)

The memory needed for normal operation of the resource in a Kubernetes container, in mebibytes (Mi) or Gibibytes (Gi).

Note: Reset the value ofruntime.resources.requests.memory to at least1Gi in youroverrides.yaml. The default of512Mi is enough for initial operation and configuration, but should be raised for production.

To achieve smooth autoscaling of the message processors to accommodate traffic increases, we recommend that you do not exceed 2.5Gi (2560Mi) if you decide to override the default.

runtime.service.typeAdvancedIntroduced in version: 1.0.0

Default value:ClusterIP

The type of service. You can set this to a service other than ClusterIP; for example,LoadBalancer.

runtime.targetCPUUtilizationPercentageAdvancedIntroduced in version: 1.0.0

Default value:75

Target CPU utilization for the runtime process on the pod. The value of this field enables the runtime to auto-scale when CPU utilization reaches this value, up toreplicaCountMax.

runtime.terminationGracePeriodSecondsAdvancedIntroduced in version: 1.0.0

Default value:180

The time between a request for pod deletion and when the pod is killed, in seconds. During this period, any prestop hooks will be executed and any running process should terminate gracefully.

runtime.tolerations.effectAdvancedIntroduced in version: 1.10.1

Default value: None

Required to use theTaints and Tolerations feature of Kubernetes.

effect specifies the effect that matching a toleration with a taint will have. Values foreffect can be:

  • NoExecute
  • NoSchedule
  • PreferNoSchedule

SeeTaints and Tolerations: Concepts for details.

runtime.tolerations.keyAdvancedIntroduced in version: 1.10.1

Default value: None

Required to use theTaints and Tolerations feature of Kubernetes.

key identifies pods to which the toleration can be applied.

SeeTaints and Tolerations: Concepts for details.

runtime.tolerations.operatorAdvancedIntroduced in version: 1.10.1

Default value:"Equal"

Required to use theTaints and Tolerations feature of Kubernetes.

operator specifies the operation used to trigger theeffect. Values foroperator can be:

  • Equal matches the value set invalue.
  • Exists ignores the value set invalue.

SeeTaints and Tolerations: Concepts for details.

runtime.tolerations.tolerationSecondsAdvancedIntroduced in version: 1.10.1

Default value: None

Used by theTaints and Tolerations feature of Kubernetes.

tolerationSeconds defines in seconds how long a pod stays bound to a failing or unresponsive node.

SeeTaints and Tolerations: Concepts for details.

runtime.tolerations.valueAdvancedIntroduced in version: 1.10.1

Default value: None

Used by theTaints and Tolerations feature of Kubernetes.

value is the value that triggers theeffect whenoperator is set toEqual.

SeeTaints and Tolerations: Concepts for details.

synchronizer

Ensures that the Message Processors are kept up to date with the latest deployed API proxy bundles. To do this, the Synchronizer polls the management plane; when a new contract is detected, the Synchronizer sends it to the runtime plane. By default, Synchronizer stores environment configuration data in Cassandra.

For more information, seeConfigure the Synchronizer.

The following table describes the properties of thesynchronizer object:

PropertyTypeDescription
synchronizer.annotationsAdvancedIntroduced in version: 1.5.0

Default value: None

Optional key/value map used to annotate pods. For more information, seeCustom annotations.

synchronizer.image.pullPolicyAdvancedIntroduced in version: 1.0.0

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

synchronizer.image.tagAdvancedIntroduced in version: 1.0.0

Default value:1.13.4

The version label for this service's Docker image.

synchronizer.image.urlAdvancedIntroduced in version: 1.0.0

Default value: None

The location of the Docker image for this service.

Useapigee-pull-push --list to see the current repository URL for this component.

Tip: Consider usinghub to set a private repository URL for all components instead of configuring them individually.
synchronizer.livenessProbe.failureThresholdAdvancedIntroduced in version: 1.0.0

Default value:2

The number of times Kubernetes will verify that liveness probes have failed before restarting the container. The minimum value is 1.

synchronizer.livenessProbe.initialDelaySecondsAdvancedIntroduced in version: 1.0.0

Default value:0

The number of seconds after a container is started before a liveness probe is initiated.

synchronizer.livenessProbe.periodSecondsAdvancedIntroduced in version: 1.0.0

Default value:5

Determines how often to perform a liveness probe, in seconds. The minimum value is 1.

synchronizer.livenessProbe.timeoutSecondsAdvancedIntroduced in version: 1.0.0

Default value:1

The number of seconds after which a liveness probe times out. The minimum value is 1.

synchronizer.nodeSelector.keyBasicIntroduced in version: 1.0.0

Default value: None

Required

Optional node selector label key for targeting Kubernetes nodes forsynchronizer runtime services.

SeenodeSelector.

synchronizer.nodeSelector.valueBasicIntroduced in version: 1.0.0

Default value: None

Optional node selector label value used for targeting Kubernetes nodes forsynchronizer runtime services.

SeenodeSelector.

synchronizer.pollIntervalAdvancedIntroduced in version: 1.0.0

Default value:60

The length of time that Synchronizer waits between polling operations. Synchronizer polls Apigee control plane services to detect and pull new runtime contracts.

synchronizer.readinessProbe.failureThresholdAdvancedIntroduced in version: 1.0.0

Default value:2

The number of times Kubernetes will verify that readiness probes have failed before marking the podunready. The minimum value is 1.

synchronizer.readinessProbe.initialDelaySecondsAdvancedIntroduced in version: 1.0.0

Default value:0

The number of seconds after a container is started before a readiness probe is initiated.

synchronizer.readinessProbe.periodSecondsAdvancedIntroduced in version: 1.0.0

Default value:5

Determines how often to perform a readiness probe, in seconds. The minimum value is 1.

synchronizer.readinessProbe.successThresholdAdvancedIntroduced in version: 1.0.0

Default value:1

The minimum consecutive successes needed for a readiness probe to be considered successful after a failure. The minimum value is 1.

synchronizer.readinessProbe.timeoutSecondsAdvancedIntroduced in version: 1.0.0

Default value:1

The number of seconds after which a liveness probe times out. The minimum value is 1.

synchronizer.replicaCountBasicIntroduced in version: 1.0.0

Deprecated: Starting in Hybrid version 1.2, manage the Synchronizer replica count with:synchronizer.replicaCountMax andsynchronizer.replicaCountMin

synchronizer.replicaCountMaxBasicIntroduced in version: 1.2.0

Default value:4

Maximum number of replicas for autoscaling.

synchronizer.replicaCountMinBasicIntroduced in version: 1.2.0

Default value:1

Minimum number of replicas for autoscaling.

synchronizer.resources.limits.cpuAdvancedIntroduced in version: 1.11.0

Default value:2000m

The CPU limit for the resource in a Kubernetes container, in millicores.

synchronizer.resources.limits.memoryAdvancedIntroduced in version: 1.11.0

Default value:5Gi

The memory limit for the resource in a Kubernetes container, in mebibytes.

synchronizer.resources.requests.cpuAdvancedIntroduced in version: 1.0.0

Default value:100m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

synchronizer.resources.requests.memoryAdvancedIntroduced in version: 1.0.0

Default value:1Gi

The memory needed for normal operation of the resource in a Kubernetes container, in gigabytes.

synchronizer.serviceAccountPathBasicIntroduced in version: 1.0.0

Default value: None

One of eitherserviceAccountPath orserviceAccountRef is required.

Path to Google Service Account key file withApigee Synchronizer Manager role.

synchronizer.serviceAccountRefBasicIntroduced in version: 1.2.0

Default value: None

One of eitherserviceAccountPath orserviceAccountRef is required.

synchronizer.serviceAccountSecretBasicIntroduced in version: 1.1.0

Default value: None

The name of aKubernetes secret. You must create the secret using a Google Service Account key with theApigee Synchronizer Manager role as its input.

synchronizer.targetCPUUtilizationPercentageAdvancedIntroduced in version: 1.0.0

Default value:75

Target CPU utilization for the Synchronizer process on the pod. The value of this field enables Synchronizer to auto-scale when CPU utilization reaches this value, up toreplicaCountMax.

synchronizer.terminationGracePeriodSecondsAdvancedIntroduced in version: 1.0.0

Default value:30

The time between a request for pod deletion and when the pod is killed, in seconds. During this period, any prestop hooks will be executed and any running process should terminate gracefully.

synchronizer.tolerations.effectAdvancedIntroduced in version: 1.10.1

Default value: None

Required to use theTaints and Tolerations feature of Kubernetes.

effect specifies the effect that matching a toleration with a taint will have. Values foreffect can be:

  • NoExecute
  • NoSchedule
  • PreferNoSchedule

SeeTaints and Tolerations: Concepts for details.

synchronizer.tolerations.keyAdvancedIntroduced in version: 1.10.1

Default value: None

Required to use theTaints and Tolerations feature of Kubernetes.

key identifies pods to which the toleration can be applied.

SeeTaints and Tolerations: Concepts for details.

synchronizer.tolerations.operatorAdvancedIntroduced in version: 1.10.1

Default value:"Equal"

Required to use theTaints and Tolerations feature of Kubernetes.

operator specifies the operation used to trigger theeffect. Values foroperator can be:

  • Equal matches the value set invalue.
  • Exists ignores the value set invalue.

SeeTaints and Tolerations: Concepts for details.

synchronizer.tolerations.tolerationSecondsAdvancedIntroduced in version: 1.10.1

Default value: None

Used by theTaints and Tolerations feature of Kubernetes.

tolerationSeconds defines in seconds how long a pod stays bound to a failing or unresponsive node.

SeeTaints and Tolerations: Concepts for details.

synchronizer.tolerations.valueAdvancedIntroduced in version: 1.10.1

Default value: None

Used by theTaints and Tolerations feature of Kubernetes.

value is the value that triggers theeffect whenoperator is set toEqual.

SeeTaints and Tolerations: Concepts for details.

udca

(Universal Data Collection Agent) Defines the service that runs within the data collection podin the runtime plane. This service extracts analytics and deployment status data and sends it to theUnified Analytics Platform (UAP).

For more information, seeAnalytics and deployment status datacollection.

The following table describes the properties of theudca object:

PropertyTypeDescription
udca.annotationsAdvancedIntroduced in version: 1.5.0

Default value: None

Optional key/value map used to annotate pods. For more information, seeCustom annotations.

udca.fluentd.image.pullPolicyAdvancedIntroduced in version: 1.0.0

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

udca.fluentd.image.tagAdvancedIntroduced in version: 1.0.0

Default value:1.9.12-2

The version label for this service's Docker image.

udca.fluentd.image.urlAdvancedIntroduced in version: 1.0.0

Default value:gcr.io/apigee-release/hybrid/apigee-stackdriver-logging-agent

The location of the Docker image for this service.

udca.fluentd.resources.limits.cpuAdvancedIntroduced in version: 1.11.0

Default value:1000m

The memory limit for the resource in a Kubernetes container, in mebibytes.

udca.fluentd.resources.limits.memoryAdvancedIntroduced in version: 1.11.0

Default value:500Mi

The memory limit for the resource in a Kubernetes container, in mebibytes.

udca.fluentd.resources.requests.cpuAdvancedIntroduced in version: 1.0.0

Default value:500m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

udca.fluentd.resources.requests.memoryAdvancedIntroduced in version: 1.0.0

Default value:250Mi

The memory needed for normal operation of the resource in a Kubernetes container, in mebibytes.

udca.gsaAdvancedIntroduced in version: 1.10.0

Default value: None

Helm only: The email address of theapigee-udca Google IAM service account (GSA) to associate with the corresponding Kubernetes service account when enabling Workload Identity on GKE clusters using Helm charts. Set this when you have setgcp.workloadIdentity.enabled totrue.

GSA email addresses typically have the format of:

GSA_NAME@PROJECT_ID.iam.gserviceaccount.com

For example:

apigee-udca@my-hybrid-project.iam.gserviceaccount.com
Tip: You can find the email address of your service accounts with the following command:
gcloud iam service-accounts list --project ${PROJECT_ID} --filter "apigee"

SeeEnabling Workload Identity on GKE orEnabling Workload Identity Federation on AKS and EKS.

udca.image.pullPolicyAdvancedIntroduced in version: 1.0.0

Default value: IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

udca.image.tagAdvancedIntroduced in version: 1.0.0

Default value:1.13.4

The version label for this service's Docker image.

udca.image.urlAdvancedIntroduced in version: 1.0.0

Default value: None

The location of the Docker image for this service.

Useapigee-pull-push --list to see the current repository URL for this component.

Tip: Consider usinghub to set a private repository URL for all components instead of configuring them individually.
udca.jvmXmsAdvancedIntroduced in version: 1.0.0

Deprecated: Starting in Hybrid version 1.8,udca.jvmXms is no longer used.

udca.jvmXmxAdvancedIntroduced in version: 1.0.0

Deprecated: Starting in Hybrid version 1.8,udca.jvmXmx is no longer used.

udca.livenessProbe.failureThresholdAdvancedIntroduced in version: 1.0.0

Default value:2

The number of times Kubernetes will verify that liveness probes have failed before restarting the container. The minimum value is 1.

udca.livenessProbe.initialDelaySecondsAdvancedIntroduced in version: 1.0.0

Default value:0

The number of seconds after a container is started before a liveness probe is initiated.

udca.livenessProbe.periodSecondsAdvancedIntroduced in version: 1.0.0

Default value:5

Determines how often to perform a liveness probe, in seconds. The minimum value is 1.

udca.livenessProbe.timeoutSecondsAdvancedIntroduced in version: 1.0.0

Default value:1

The number of seconds after which a liveness probe times out. The minimum value is 1.

udca.nodeSelector.keyBasicIntroduced in version: 1.0.0

Default value: None

Required

Node selector label key used to target dedicated Kubernetes nodes forudca runtime services.

See Configuring dedicated node pools.

udca.nodeSelector.valueBasicIntroduced in version: 1.0.0

Default value: None

Required

Node selector label value used to target dedicated Kubernetes nodes forudca runtime services.

See Configuring dedicated node pools.

udca.pollingIntervalInSecAdvancedIntroduced in version: 1.0.0

Default value:1

The length of time, in seconds, that UDCA waits between polling operations. UDCA polls the data directory on the data collection pod's file system to detect new files to be uploaded.

udca.replicaCountMaxBasicIntroduced in version: 1.0.0

Default value:4

The maximum number of pods that hybrid can automatically add for the UDCA deployment. Because UDCA is implemented as a ReplicaSet, the pods are replicas.

It is recommended to setudca.replicaCountMax to a maximum number of replicas per environment times the number of environments in your Apigee org. For example, if you want to allow at most 4 replicas per environment and you have 3 environments, setudca.replicaCountMax: 12.

If you are using environment-scoped UDCA, setudca.replicaCountMax to the maximum number of replicas for a single environment. SeeorgScopedUDCA.
udca.replicaCountMinBasicIntroduced in version: 1.0.0

Default value:1

The minimum number of pods for the UDCA deployment. Because UDCA is implemented as a ReplicaSet, the pods are replicas.

If the CPU usage goes aboveudca.targetCPUUtilizationPercentage, then hybrid will gradually increase the number of pods, up toudca.replicaCountMax.

udca.resources.limits.cpuAdvancedIntroduced in version: 1.11.0

Default value:1000m

The memory limit for the resource in a Kubernetes container, in mebibytes.

udca.resources.limits.memoryAdvancedIntroduced in version: 1.11.0

Default value:2Gi

The memory limit for the resource in a Kubernetes container, in mebibytes.

udca.resources.requests.cpuAdvancedIntroduced in version: 1.0.0

Default value:250m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

udca.resources.requests.memoryAdvancedIntroduced in version: 1.0.0

Default value:250Mi

The memory needed for normal operation of the resource in a Kubernetes container, in mebibytes.

udca.revisionAdvancedIntroduced in version: 1.0.0

Default value:v1

A static value that is populated in a label to enable canary deployments.

udca.serviceAccountPathBasicIntroduced in version: 1.0.0

Default value: None

One of eitherserviceAccountPath orserviceAccountRef is required.

Path to Google Service Account key file withApigee Analytics Agent role.

udca.serviceAccountRefBasicIntroduced in version: 1.2.0

Default value: None

One of eitherserviceAccountPath orserviceAccountRef is required.

udca.targetCPUUtilizationPercentageAdvancedIntroduced in version: 1.0.0

Default value:75

The threshold of CPU usage for scaling the number of pods in the ReplicaSet, as a percentage of total available CPU resources. Hybrid uses the combined utilization of all containers in the data collection pod (both fluentd and UDCA) to calculate the current utilization.

When CPU usage goes above this value, then hybrid will gradually increase the number of pods in the ReplicaSet, up toudca.replicaCountMax.

udca.terminationGracePeriodSecondsAdvancedIntroduced in version: 1.0.0

Default value:600

The time between a request for pod deletion and when the pod is killed, in seconds. During this period, any prestop hooks will be executed and any running process should terminate gracefully.

udca.tolerations.effectAdvancedIntroduced in version: 1.10.1

Default value: None

Required to use theTaints and Tolerations feature of Kubernetes.

effect specifies the effect that matching a toleration with a taint will have. Values foreffect can be:

  • NoExecute
  • NoSchedule
  • PreferNoSchedule

SeeTaints and Tolerations: Concepts for details.

udca.tolerations.keyAdvancedIntroduced in version: 1.10.1

Default value: None

Required to use theTaints and Tolerations feature of Kubernetes.

key identifies pods to which the toleration can be applied.

SeeTaints and Tolerations: Concepts for details.

udca.tolerations.operatorAdvancedIntroduced in version: 1.10.1

Default value:"Equal"

Required to use theTaints and Tolerations feature of Kubernetes.

operator specifies the operation used to trigger theeffect. Values foroperator can be:

  • Equal matches the value set invalue.
  • Exists ignores the value set invalue.

SeeTaints and Tolerations: Concepts for details.

udca.tolerations.tolerationSecondsAdvancedIntroduced in version: 1.10.1

Default value: None

Used by theTaints and Tolerations feature of Kubernetes.

tolerationSeconds defines in seconds how long a pod stays bound to a failing or unresponsive node.

SeeTaints and Tolerations: Concepts for details.

udca.tolerations.valueAdvancedIntroduced in version: 1.10.1

Default value: None

Used by theTaints and Tolerations feature of Kubernetes.

value is the value that triggers theeffect whenoperator is set toEqual.

SeeTaints and Tolerations: Concepts for details.

virtualhosts

Thevirtualhosts property is a required configuration property. Virtual hosts allow Apigee hybrid to handle API requests to a specified environment group..

For more information, seeConfigure virtual hosts.

The following table describes the properties of thevirtualhosts object:

PropertyTypeDescription
virtualhosts[].additionalGatewaysBasicIntroduced in version: 1.2.0

Default value: None

A list of Istio Gateways to route traffic to.

virtualhosts[].cipherSuites[]AdvancedIntroduced in version: 1.9.2

Default value: None

This property configures the TLS ciphers used in the ingress gateway. Below is a list of the ciphers enabled by default in OpenSSL format. You can find more information about the supported ciphers in the documentation for theBoring FIPS build of Envoy. A blank value defaults to the cipher suites supported by the Boring FIPS build of Envoy.

TLS v1.3:

Enabled by defaultAdditional ciphersuites
  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
TLS 1.3 ciperhsuites cannot
be overridden.

TLS v1.2:

Enabled by defaultAdditional ciphersuites
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • AES128-GCM-SHA256
  • AES128-SHA
  • AES256-GCM-SHA384
  • AES256-SHA
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES256-SHA
  • ECDHE-ECDSA-CHACHA20-POLY1305
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-SHA
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-SHA
  • ECDHE-RSA-CHACHA20-POLY1305

TLS v1.1:

Enabled by defaultAdditional ciphersuites
TLS v1.1 is not enabled by default.
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-CHACHA20-POLY1305
  • ECDHE-RSA-CHACHA20-POLY1305
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-ECDSA-AES256-SHA
  • ECDHE-RSA-AES256-SHA

To enable more ciphersuites, add them to thevirtualhosts.cipherSuites property along with the TLS version you want to enable them for in thevirtualhosts.minTLSProtocolVersion property. For example, to enable all accepted TLS v.1.2 ciphersuites, add the following to yourvirtualhosts configuration:

virtualhosts:- name: ENV_GROUP_NAME  minTLSProtocolVersion: "1.2"  cipherSuites:  - "AES128-GCM-SHA256"  - "AES128-SHA"  - "AES256-GCM-SHA384"  - "AES256-SHA"  - "ECDHE-ECDSA-AES128-GCM-SHA256"  - "ECDHE-ECDSA-AES128-SHA"  - "ECDHE-ECDSA-AES256-GCM-SHA384"  - "ECDHE-ECDSA-AES256-SHA"  - "ECDHE-ECDSA-CHACHA20-POLY1305"  - "ECDHE-RSA-AES128-GCM-SHA256"  - "ECDHE-RSA-AES128-SHA"  - "ECDHE-RSA-AES256-GCM-SHA384"  - "ECDHE-RSA-AES256-SHA"  - "ECDHE-RSA-CHACHA20-POLY1305"...

If you want to enable older versions of TLS in your Apigee ingress gateway deployment, use thevirtualhosts.minTLSProtocolVersion andvirtualhosts.cipherSuites properties.

For example, to enable TLS v.1.1:

virtualhosts:- name: ENV_GROUP_NAME  minTLSProtocolVersion: "1.1"  cipherSuites:  - "ECDHE-ECDSA-AES128-GCM-SHA256"  - "ECDHE-RSA-AES128-GCM-SHA256"  - "ECDHE-ECDSA-AES256-GCM-SHA384"  - "ECDHE-RSA-AES256-GCM-SHA384"  - "ECDHE-ECDSA-CHACHA20-POLY1305"  - "ECDHE-RSA-CHACHA20-POLY1305"  - "ECDHE-ECDSA-AES128-SHA"  - "ECDHE-RSA-AES128-SHA"  - "ECDHE-ECDSA-AES256-SHA"  - "ECDHE-RSA-AES256-SHA"...
Note: This property overrides the list of cipher suites supported by Envoy, and does not append to it.Tip: Thevirtualhosts.cipherSuites property uses the OpenSSL cipher suite format. For a list of ciphers with their names in both OpenSSL and IANA format, seeTranslating OpenSSL cipher suite names to IANA in the SSL.org documentation.
virtualhosts[].nameBasicIntroduced in version: 1.2.0

Default value: None

Required

The name of the virtual host.

virtualhosts[].maxTLSProtocolVersionBasicIntroduced in version: 1.3.0

Default value: None

The maximum version of the TLS protocol Envoy can select. Envoy automatically uses the optimal TLS protocol version betweenvirtualhosts[].minTLSProtocolVersion andvirtualhosts[].maxTLSProtocolVersion.

The value must be in the form of a number. For example:

virtualhosts:- name: default  maxTLSProtocolVersion: "1.3"

Where the number represents the TLS version number in the form#.#. In the example above,"1.3" represents the Istio TLS versionTLSV1_3.

See alsoServerTLSSettings.TLSProtocol in the Istio documentation.

virtualhosts[].minTLSProtocolVersionBasicIntroduced in version: 1.3.0

Default value: None

The minimum version of the TLS protocol Envoy can select. Envoy automatically uses the optimal TLS protocol version betweenvirtualhosts[].minTLSProtocolVersion andvirtualhosts[].maxTLSProtocolVersion.

The value must be in the form of a number. For example:

virtualhosts:- name: default  minTLSProtocolVersion: "1.2"

Where the number represents the TLS version number in the form#.#. In the example above,1.2 represents the Istio TLS versionTLSV1_2.

See alsoServerTLSSettings.TLSProtocol in the Istio documentation.

virtualhosts[].selectorBasicIntroduced in version: 1.2.0

Default value:app: apigee-ingressgateway

Required

A key-value selector-value pair for pointing to different ingress selectors.

  • apigee-ingressgateway: for Apigee hybrid installations using Apigee ingress gateway.
  • istio-ingressgateway: for Apigee hybrid installations using Cloud Service Mesh (Apigee hybrid versions 1.8 and earlier).

If no selector label is supplied, the configuration is supplied to Apigee ingress gateway.

virtualhosts[].sslCertPathBasicIntroduced in version: 1.2.0

Default value: None

EithersslCertPath/sslKeyPath orsslSecret is required.

The path on your system to a TLS certificate file.

Note: For each configured environment, the Common Name (CN) in the cert must match the domain in thehostAliases[] property. For example, if the CN is*.example.com, thehostAliases[] could befoo.example.com orbar.example.com.

virtualhosts[].sslKeyPathBasicIntroduced in version: 1.2.0

Default value: None

EithersslCertPath/sslKeyPath orsslSecret is required.

The path on your system to the TLS private key file.

virtualhosts[].sslSecretBasicIntroduced in version: 1.2.0

Default value: None

EithersslCertPath/sslKeyPath orsslSecret is required.

The name of a file stored in a Kubernetes secret that contains the TLS certificate and private key. You must create the secret using the TLS certificate and key data as its input.

See also:

watcher

Thewatcher property is a required configuration property. The watcher is a process that watches for configuration changes and triggers their application to the runtime plane.

The following table describes the properties of thewatcher object:

PropertyTypeDescription
watcher.annotationsAdvancedIntroduced in version: 1.5.0

Default value: None

Optional key/value map used to annotate pods. For more information, seeCustom annotations.

watcher.args.enableIssueScanningAdvancedIntroduced in version: 1.10.0

Default value:true

Enables or disables Automated issue surfacing. Whentrue, Watcher automatically scans the control plane and Kubernetes API server state to determine if there are any configuration issues.

Set tofalse to disable Automated issue surfacing. For more information, seeAutomated issue surfacing.

watcher.args.enableLeaderElectAdvancedIntroduced in version: 1.13.0

Default value:true

Whentrue (the default)watcher.args.enableLeaderElect selects a single watcher pod to manage and report the routing information. Limiting this to a single pod is required to prevent downtime during upgrades or rollback. During these events, multiple versions of watcher can be running simultaneously. Each Watcher instance may have different route creation logic, which can cause downtime.watcher.replicaCountMax.

watcher.args.issueScanIntervalAdvancedIntroduced in version: 1.10.0

Default value:60

The interval in seconds for how often Watcher scans the runtime plane for automated issue surfacing. For more information, seeAutomated issue surfacing.

watcher.gsaAdvancedIntroduced in version: 1.10.0

Default value: None

Helm only: The email address of theapigee-watcher Google IAM service account (GSA) to associate with the corresponding Kubernetes service account when enabling Workload Identity on GKE clusters using Helm charts. Set this when you have setgcp.workloadIdentity.enabled totrue.

GSA email addresses typically have the format of:

GSA_NAME@PROJECT_ID.iam.gserviceaccount.com

For example:

apigee-watcher@my-hybrid-project.iam.gserviceaccount.com
Tip: You can find the email address of your service accounts with the following command:
gcloud iam service-accounts list --project ${PROJECT_ID} --filter "apigee"

SeeEnabling Workload Identity on GKE orEnabling Workload Identity Federation on AKS and EKS.

watcher.image.pullPolicyAdvancedIntroduced in version: 1.4.0

Default value:IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

  • IfNotPresent: Do not pull a new image if it already exists.
  • Always: Always pull the image, regardless of whether it exists already.

For more information, seeUpdating images.

watcher.image.tagAdvancedIntroduced in version: 1.4.0

Default value:1.13.4

The version label for this service's Docker image.

watcher.image.urlAdvancedIntroduced in version: 1.4.0

Default value: None

The location of the Docker image for this service.

Useapigee-pull-push --list to see the current repository URL for this component.

Tip: Consider usinghub to set a private repository URL for all components instead of configuring them individually.
watcher.replicaCountMaxBasicIntroduced in version: 1.3.0

Default value:1

The maximum number of watcher replicas. This should be kept at1 to avoid conflicts.

Apigee hybrid uses one watcher pod per installation. Leader election automatically selects one watcher pod. Additional watcher pod replicas will be forced into an unstable state. Seewatcher.args.enableLeaderElect.

Warning: Do not exceed a value of 1 forwatcher.replicaCountMax.

watcher.replicaCountMinBasicIntroduced in version: 1.3.0

Default value:1

The minimum number of watcher replicas.

watcher.resources.limits.cpuAdvancedIntroduced in version: 1.11.0

Default value:1000m

The CPU limit for the resource in a Kubernetes container, in millicores.

watcher.resources.limits.memoryAdvancedIntroduced in version: 1.11.0

Default value:2Gi

The memory limit for the resource in a Kubernetes container, in mebibytes.

watcher.serviceAccountPathBasicIntroduced in version: 1.3.0

Default value: None

Required.

Path to Google Service Account key file withApigee Runtime Agent role.

watcher.serviceAccountRefAdvancedIntroduced in version: 1.3.0

Default value: None

One of either serviceAccountPath or serviceAccountRef is required.

watcher.tolerations.effectAdvancedIntroduced in version: 1.10.1

Default value: None

Required to use theTaints and Tolerations feature of Kubernetes.

effect specifies the effect that matching a toleration with a taint will have. Values foreffect can be:

  • NoExecute
  • NoSchedule
  • PreferNoSchedule

SeeTaints and Tolerations: Concepts for details.

watcher.tolerations.keyAdvancedIntroduced in version: 1.10.1

Default value: None

Required to use theTaints and Tolerations feature of Kubernetes.

key identifies pods to which the toleration can be applied.

SeeTaints and Tolerations: Concepts for details.

watcher.tolerations.operatorAdvancedIntroduced in version: 1.10.1

Default value:"Equal"

Required to use theTaints and Tolerations feature of Kubernetes.

operator specifies the operation used to trigger theeffect. Values foroperator can be:

  • Equal matches the value set invalue.
  • Exists ignores the value set invalue.

SeeTaints and Tolerations: Concepts for details.

watcher.tolerations.tolerationSecondsAdvancedIntroduced in version: 1.10.1

Default value: None

Used by theTaints and Tolerations feature of Kubernetes.

tolerationSeconds defines in seconds how long a pod stays bound to a failing or unresponsive node.

SeeTaints and Tolerations: Concepts for details.

watcher.tolerations.valueAdvancedIntroduced in version: 1.10.1

Default value: None

Used by theTaints and Tolerations feature of Kubernetes.

value is the value that triggers theeffect whenoperator is set toEqual.

SeeTaints and Tolerations: Concepts for details.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.