Configurable Settings - Server on Kubernetes



How to apply changes to the Kubernetes environment

Changes to installation.yaml are applied by running the install.sh script or the upgrade.sh script in the Kubernetes environment. Note that re-running the install.sh script deletes any database information that was stored previously.


Required fields in installation.yaml

Each entry gives the variable name (as a dotted YAML path), its value type, and an explanation of the variable and its key values.

server.host (String)
    The server.host value needs to start with http:// or https://. The value can be an IP address or an FQDN. This value needs to match the URL that developers will use in a browser to access this server.

server.org_name (String)
    Used as an identifier for the Organization using vFunction.

server.admin.email (String)
    Accepted characters include A-Z a-z 0-9 . _ % + - @

server.admin.name (String)
    Used as an identifier for the logged-in user in the vFunction Server UI.

server.admin.password (String)
    Used as the Admin's password for first logging into the Server UI. The Admin can then change the password from the Server UI if desired. Minimum requirements: 8 characters, a lowercase and an uppercase letter, a number and a special character from ! @ # $ % ^ &

measurements.auto_scaling (String)
    Two strings can be used for this field:
      • Yes: measurement services auto scaling is active
      • No: measurement services auto scaling is not active (default)

measurements.min_num_of_services (Integer)
    The default value is 1. If measurements.auto_scaling is "No", this is the number of measurements service Pods.

measurements.max_num_of_services (Integer)
    The default value is 10. This value is only relevant if measurements.auto_scaling is "Yes".

measurements.max_pod_memory_capacity (String)
    The default value for the maximum memory used by each Measurements Pod is 8gb. This can be increased if needed.

measurements.max_pod_cpu_capacity (String)
    The default value for the maximum CPU used by the Measurements Pod(s) is "1". This value can be increased if needed.

measurements.ephemeral_storage (String)
    The default value for the ephemeral storage used by the Measurements Pod(s) is "1G". This value is used both for the Resources and the Limits for ephemeral storage.

tls.use_letsencrypt (String)
    Default value is "No". With the value set to "Yes", a Persistent Volume is created to manage the SSL certificate through Let's Encrypt and auto-renew the certificate when it expires.

mysql.max_pod_memory_capacity (String)
    The default value for the maximum memory used by the MySQL Pod is 2gb. This value can be increased if needed.

mysql.max_pod_cpu_capacity (String)
    The default value for the maximum CPU used by the MySQL Pod is "1". This value can be increased if needed.

mysql.ephemeral_storage (String)
    The default value for the ephemeral storage used by the MySQL Pod(s) is "1G". This value is used both for the Resources and the Limits for ephemeral storage.

nginx.force_http (String)
    The force_http key can be used if the SSL certificate used in the environment will not be added to the vFunction Nginx Pod. With force_http set to "Yes", TLS is terminated on the route and the vFunction Nginx Pod listens for HTTP traffic on port 80. The default value is "No", so that the port and protocol used by the Nginx Pod match the settings in the server.host field.

nginx.ipv6_disabled (String)
    When set to "Yes", the ipv6_disabled key stops the vFunction Nginx Pod from listening for, and from sending, traffic to other Pods over IPv6. The default value is "No", which allows the Nginx Pod to listen for IPv6 traffic.

ingress.use_ingress (String)
    The default value is "Yes", which creates a vfunction-ingress Nginx-based Ingress Controller. To use a third-party Ingress, set this value to "No".

ingress.external_ingress (String)
    The default value is "No". Set the value to "Yes" to send traffic through a third-party Ingress instead of the vFunction Nginx Ingress that is created when use_ingress is set to "Yes". The most common use case for "Yes" is a Kubernetes Cluster that uses a third-party Ingress that is not Nginx. At this time, the only supported vFunction Ingress is Nginx. If using an Ingress besides Nginx, set this value to "Yes" and configure the third-party Ingress to send traffic from the External Ingress to the vfunction-nginx Pod.

ingress.tls_termination (String)
    The default value is "edge". This value is required when ingress.use_ingress is set to "Yes".
    With "edge" set, TLS traffic is terminated on the Ingress Controller. The Ingress Controller should have its own SSL certificate that can terminate TLS, e.g. for kubernetes.mycompany.com. Traffic is sent from the Ingress to the vfunction-nginx Pod over HTTP, and the vfunction-nginx Pod listens on port 80.
    With ingress.tls_termination: "passthrough" set as the value, the Kubernetes Cluster skips TLS termination even if there is an Ingress Controller. TLS is terminated on the vfunction-nginx Pod instead, so a valid SSL certificate is needed in tls.crt along with its key in tls.key.

ingress.use_tls_certificate (String)
    The default value is "No". If set to "Yes", you also need to populate the installation.yaml's tls.crt with the SSL certificate and tls.key with the key.

ingress.type (String)
    The default value is "nginx". At this time, vFunction only supports Nginx External Ingress Controllers. If using a separate third-party External Ingress, please contact support@vfunction.com and provide the name of the product so that support for it can be added. In the meantime, set ingress.external_ingress: Yes and ingress.use_ingress: No, then point the External Ingress at the vfunction-nginx Pod once the installation is complete.

ingress.nginx.controller_type (String)
    The default value is "ingress-nginx". Alternatively, the value "nginx-ingress-controller" can be used. vFunction's own Ingress is an ingress-nginx controller. If an organization uses Nginx for its third-party Ingress but that Ingress is a nginx-ingress-controller, the organization can set ingress.use_ingress to "Yes" and change this value so that the vFunction installation manages that Ingress.

ingress.nginx.class (String)
    The default value is "nginx". If an organization uses a third-party Nginx Ingress that has a different class, such as "nginx-v2", this value can be modified. The organization can then manage that Ingress from the vFunction installation.

distributed.otlp.min_num_of_services (Integer)
    The default value is 1. This defines the minimum number of OTLP Pods in the environment. This Pod receives OpenTelemetry Protocol traces for Distributed Applications.

distributed.otlp.max_num_of_services (Integer)
    The default value is 10. This defines the maximum number of OTLP Pods in the environment.

distributed.otlp.max_pod_memory_capacity (String)
    The default value for the maximum memory used by each OTLP Pod is 8gb. This can be increased if needed.

distributed.otlp.max_pod_cpu_capacity (String)
    The default value for the maximum CPU used by each OTLP Pod is "1". This value can be increased if needed.

distributed.otlp.ephemeral_storage (String)
    The default value for the ephemeral storage used by each OTLP Pod is "250M". This value is used both for the Resources and the Limits for ephemeral storage.

distributed.dm.min_num_of_services (Integer)
    The default value is 1. This defines the minimum number of DM Pods in the environment. This Pod is used for Distributed Measurements: it analyzes the local Service Maps received from the OTLP Pod during Learning to display the architecture of a Distributed Architecture Application.

distributed.dm.max_num_of_services (Integer)
    The default value is 10. This defines the maximum number of DM Pods in the environment.

distributed.dm.max_pod_memory_capacity (String)
    The default value for the maximum memory used by each DM Pod is 8gb. This can be increased if needed.

distributed.dm.max_pod_cpu_capacity (String)
    The default value for the maximum CPU used by each DM Pod is "1". This value can be increased if needed.

distributed.dm.ephemeral_storage (String)
    The default value for the ephemeral storage used by each DM Pod is "1G". This value is used both for the Resources and the Limits for ephemeral storage.

security.disable_busybox_containers (String)
    Default value is "No"; the alternative is "Yes". Busybox controls the timing of Pod startup so that prerequisite Pods, such as the MySQL Pod, are up before the Pods that depend on them, such as the vfapi Pods. If Busybox is disabled, some Pods may need to restart multiple times until their prerequisite Pods finish starting.

security.set_pod_resources (String)
    Default value is "Yes". With "Yes" set, the vFunction resource settings are applied to the deployment to set minimum and maximum CPU and RAM levels. For environments that prefer or require Best Effort resource utilization rather than reserving resources, set the value to "No"; resources then scale until the environment's limits are hit. With "No" in place, all other installation.yaml settings for CPU and RAM are ignored.
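
The table above states several rules that install.sh does not check for you before it acts (host scheme, admin email character set, password policy, the "Yes"/"No" string fields, and which TLS settings require tls.crt and tls.key to be populated). The following pre-flight checker is an added example written against those rules; it is not vFunction's code. It assumes the YAML has already been parsed into a dict (for instance with yaml.safe_load), and it looks each key up at the top level and then under server:, because the page shows both layouts. The sample configuration inside it is constructed from the page's sample installation.yaml, with the PEM placeholders kept as-is.

```python
"""Pre-flight checks for a vFunction installation.yaml against the rules in the
table above. Added example, not vFunction's own code. Assumptions not taken
from the page: the YAML is already parsed into a dict (e.g. yaml.safe_load),
and each key is looked up at the top level and then under server:."""
import re
from urllib.parse import urlparse

PASSWORD_SPECIALS = "!@#$%^&"                    # special characters listed on the page
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+\-@]+$")  # accepted email characters
YES_NO_KEYS = (
    "measurements.auto_scaling", "tls.use_letsencrypt", "nginx.force_http",
    "nginx.ipv6_disabled", "ingress.use_ingress", "ingress.external_ingress",
    "ingress.use_tls_certificate", "security.disable_busybox_containers",
    "security.set_pod_resources",
)
TERMINATIONS = ("edge", "passthrough", "reencrypt")   # values named on the page

def lookup(cfg, dotted):
    """Value at a dotted path, searched at the top level and then under server:."""
    for root in (cfg, cfg.get("server") or {}):
        node = root
        for part in dotted.split("."):
            node = node.get(part) if isinstance(node, dict) else None
        if node is not None:
            return node
    return None

def password_problems(pw):
    """Rules from the page that the admin password fails; [] means compliant."""
    pw = pw or ""
    rules = [
        ("at least 8 characters", len(pw) >= 8),
        ("a lowercase letter", any(c.islower() for c in pw)),
        ("an uppercase letter", any(c.isupper() for c in pw)),
        ("a number", any(c.isdigit() for c in pw)),
        ("a special character from " + PASSWORD_SPECIALS,
         any(c in PASSWORD_SPECIALS for c in pw)),
    ]
    return [text for text, ok in rules if not ok]

def pem_present(value, marker):
    """True when a block scalar holds a PEM body, not just the '...' placeholder."""
    if not isinstance(value, str) or marker not in value:
        return False
    body = [line.strip() for line in value.splitlines() if "-----" not in line]
    return any(line and line != "..." for line in body)

def validate(cfg):
    """Return findings for a parsed installation.yaml; [] means it passed."""
    out = []
    parsed = urlparse(str(lookup(cfg, "server.host") or ""))
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        out.append("server.host must start with http:// or https:// and name a host")
    if not EMAIL_RE.match(str(lookup(cfg, "server.admin.email") or "")):
        out.append("server.admin.email uses characters outside A-Z a-z 0-9 . _ % + - @")
    out += ["server.admin.password needs " + rule
            for rule in password_problems(lookup(cfg, "server.admin.password"))]
    for key in YES_NO_KEYS:
        value = lookup(cfg, key)
        if value is not None and value not in ("Yes", "No"):
            out.append(f'{key} must be "Yes" or "No", got {value!r}')
    use_ingress = lookup(cfg, "ingress.use_ingress")
    termination = lookup(cfg, "ingress.tls_termination")
    if use_ingress == "Yes" and termination not in TERMINATIONS:
        out.append("ingress.tls_termination must be one of " + ", ".join(TERMINATIONS))
    if use_ingress == "Yes" and lookup(cfg, "ingress.external_ingress") == "Yes":
        out.append("ingress.external_ingress Yes goes together with ingress.use_ingress No")
    # passthrough termination and use_tls_certificate Yes both need a real cert and key
    if termination == "passthrough" or lookup(cfg, "ingress.use_tls_certificate") == "Yes":
        if not pem_present(lookup(cfg, "tls.crt"), "CERTIFICATE"):
            out.append("tls.crt must hold the SSL certificate bundle for this TLS setting")
        if not pem_present(lookup(cfg, "tls.key"), "PRIVATE KEY"):
            out.append("tls.key must hold the private key for this TLS setting")
    return out

SAMPLE = {  # constructed from the page's sample installation.yaml, placeholders kept
    "server": {
        "host": "http://my.domain.com",
        "admin": {"email": "admin@mycompany.com", "name": "Admin", "password": "Password1!"},
        "measurements": {"auto_scaling": "No"},
        "tls": {"use_letsencrypt": "No",
                "crt": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n",
                "key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"},
        "ingress": {"use_ingress": "Yes", "external_ingress": "No",
                    "tls_termination": "edge", "use_tls_certificate": "No"},
        "security": {"disable_busybox_containers": "No", "set_pod_resources": "Yes"},
    },
}

def misconfigured_sample():
    """SAMPLE with three mistakes the table warns about (constructed)."""
    bad = {"server": dict(SAMPLE["server"])}
    bad["server"]["host"] = "my.domain.com"                               # scheme missing
    bad["server"]["admin"] = dict(SAMPLE["server"]["admin"], password="password")
    bad["server"]["ingress"] = dict(SAMPLE["server"]["ingress"], tls_termination="passthrough")
    return bad
```

Run validate() on the parsed file before calling install.sh or upgrade.sh and refuse to proceed on a non-empty result; for the misconfigured sample it reports the missing scheme, the three password rules that "password" fails, and that the passthrough setting leaves tls.crt and tls.key holding only the placeholder.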

Sample installation.yaml with required fields

server:
  host: "http://my.domain.com"
  org_name: "MyCompany"
  admin:
    email: "admin@mycompany.com"
    name: "Admin"
    password: "Password1!"
  measurements:
    auto_scaling: "No"
    min_number_of_services: "2"
    max_number_of_services: "10"
    max_pod_memory_capacity: "8G"
    max_pod_cpu_capacity: "1"
    ephemeral_storage: "1G"
  smtp:
    password: ""
    url: ""
    identity: ""
    user: ""
  authentication:
    authority:
    client_id:
    client_secret:
    jwks_url:
    issuer:
    ca_root_crt: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
  tls:
    use_letsencrypt: "No"
    crt: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    key: |
      -----BEGIN PRIVATE KEY-----
      ...
      -----END PRIVATE KEY-----
  mysql:
    external_mysql_ip: ""
    external_mysql_user: ""
    external_mysql_password: ""
    max_pod_memory_capacity: "4G"
    max_pod_cpu_capacity: "1"
    ephemeral_storage: "1G"
  nginx:
    force_http: "No"
    ipv6_disabled: "No"
    service_type: ""
  ingress:
    use_ingress: "Yes"
    external_ingress: "No"
    # edge, passthrough (when supported by the ingress controller), reencrypt (when supported by the ingress controller)
    tls_termination: "edge"
    use_tls_certificate: "No"
    # nginx
    type: "nginx"
    nginx:
      # ingress_nginx / nginx-ingress-controller
      controller_type: "ingress-nginx"
      class: "nginx"
      additional_annotations:
      #  - key: "nginx.ingress.kubernetes.io/xxx"
      #    value: "true"
  storage:
    storage_class:
    mysql_persistent_volume:
    mysql_persistent_volume_claim:
    storage_persistent_volume:
    storage_persistent_volume_claim:
    lets_encrypt_persistent_volume:
    lets_encrypt_persistent_volume_claim:
  distributed:
    otlp:
      min_number_of_services: "1"
      max_number_of_services: "10"
      max_pod_memory_capacity: "8G"
      max_pod_cpu_capacity: "1"
      ephemeral_storage: "250M"
    dm:
      min_number_of_services: "1"
      max_number_of_services: "10"
      max_pod_memory_capacity: "8G"
      max_pod_cpu_capacity: "1"
      ephemeral_storage: "1G"
  backup:
    mysql:
      S3:
        bucket: ""
        key: ""
        secret: ""
        region: ""
  security:
    disable_busybox_containers: "No"
    image_pull_policy: ""
    set_pod_resources: "Yes"
    proxy:
      http_proxy:
      https_proxy:
      additional_no_proxy:
offline:
  custom_docker_registry:
  custom_image_pull_secret:

Optional fields in installation.yaml


authentication

Installation.yaml Configuration:

authentication:
   authority: "https://accounts.google.com"
   client_id: "clientID-xyz"
   client_secret: "clientSecret-xyz"
   jwks_url: "https://www.googleapis.com/oauth2/v3/certs"
   issuer: "https://accounts.google.com"
   ca_root_crt: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----

Details:
  • By default, a vFunction Server allows users to authenticate with a built-in OAuth username and password workflow
  • The authentication subkey changes the authentication workflow from this built-in OAuth username and password flow to an integration with an OpenID Connect identity provider

backup

Installation.yaml Configuration:

backup:
   mysql:
      S3:
         bucket: "awsBucket"
         key: "awsKey"
         secret: "awsSecret"
         region: "awsRegion"

Details:
  • The MySQL DB Persistent Volume can be backed up to an AWS S3 bucket if desired

ingress.nginx.additional_annotations

Installation.yaml Configuration:

ingress:
   nginx:
      additional_annotations:
         - key: "nginx.ingress.kubernetes.io/xxx"
           value: "true"

Details:

vFunction supports annotations for the ingress-nginx and nginx-ingress-controller Nginx Ingress Controllers.

Default annotations for the ingress-nginx controller type:

  • nginx.ingress.kubernetes.io/proxy-body-size: "250m"
  • nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
  • nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
  • nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
  • nginx.ingress.kubernetes.io/rewrite-target: /

Default annotations for the nginx-ingress-controller controller type:

  • nginx.org/client-max-body-size: "250m"
  • nginx.org/proxy-connect-timeout: "600s"
  • nginx.org/proxy-read-timeout: "600s"
  • nginx.org/proxy-send-timeout: "600s"


mysql.external_mysql_*

Installation.yaml Configuration:

mysql:
   external_mysql_ip: "ipAddress"
   external_mysql_user: "username"
   external_mysql_password: "password"

Details:
  • Used if the MySQL database is hosted outside the vFunction Kubernetes Namespace

nginx

Installation.yaml Configuration:

nginx:
   service_type: ""

Details:
  • By default, nginx.service_type is set to "LoadBalancer" when ingress.use_ingress is set to "No". If ingress.use_ingress is set to "Yes", nginx.service_type is set to "ClusterIP".

offline.custom_docker_registry

Installation.yaml Configuration:

offline:
   custom_docker_registry: privateRegistry

Details:
  • Used with the Offline Kubernetes Installation when the Container Images cannot be downloaded from Docker Hub and must be downloaded from a Private Docker Registry instead
  • Instead of manually populating this value in the installation.yaml, this value should be populated as a prerequisite to the installation while running the offline/init.sh script

offline.custom_image_pull_secret

Installation.yaml Configuration:

offline:
   custom_image_pull_secret: imagePullSecretValue

Details:
  • Used with the Offline Kubernetes Installation when the Container Images cannot be downloaded from Docker Hub and must be downloaded from a Private Docker Registry instead
  • The Image Pull Secret allows the Private Docker Registry to be accessed to pull the Container Images for the Kubernetes installation
  • Instead of manually populating this value in the installation.yaml, this value should be populated as a prerequisite to the installation while running the offline/init.sh script

security.proxy

Installation.yaml Configuration:

security:
   proxy:
      http_proxy:
      https_proxy:
      additional_no_proxy:

Details:
  • By default, "no_proxy" entries are automatically added to the ConfigMaps for each Pod for routing to localhost,127.0.0.1,vfunction-mysql,vfunction-storage,vfunction-vfapi-idp,vfunction-vfapi-measurements,vfunction-vfapi-measurements,vfunction-vfapi-organizations,vfunction-vfapi-parser,vfunction-vfapi-users,vfunction-nginx. If additional no_proxy entries are needed, or to route external traffic through a proxy via http_proxy or https_proxy, add these entries here. These proxy entries may be necessary if the environment has been configured to use a third-party OpenID Identity Provider for authentication, e.g. login.microsoftonline.com.
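
The authentication section above and the security.proxy note both hinge on the same question: which hosts named in the authentication subkey will the Pods have to reach outside the cluster, and are those hosts covered by the proxy settings? The following is an added example, not vFunction's code, that answers it from a parsed installation.yaml. It assumes the default no_proxy entries are exactly the ones quoted above, that the provider hosts come from the authority, jwks_url and issuer URLs, and that a no_proxy entry matches either the exact host name or, as a domain suffix (with or without a leading dot), its sub-domains, which is how most proxy-aware clients treat the variable. The sample values are constructed from the Google example above.

```python
"""Which identity-provider hosts go through security.proxy. Added example, not
vFunction's own code. Assumptions: default no_proxy entries as quoted on the
page; provider hosts taken from authority, jwks_url and issuer; no_proxy
entries match exactly or as a domain suffix."""
from urllib.parse import urlparse

# The default list as quoted on the page (it repeats vfunction-vfapi-measurements)
DEFAULT_NO_PROXY = (
    "localhost,127.0.0.1,vfunction-mysql,vfunction-storage,vfunction-vfapi-idp,"
    "vfunction-vfapi-measurements,vfunction-vfapi-measurements,"
    "vfunction-vfapi-organizations,vfunction-vfapi-parser,vfunction-vfapi-users,"
    "vfunction-nginx"
)

def no_proxy_entries(additional_no_proxy=""):
    """Default entries plus security.proxy.additional_no_proxy, de-duplicated in order."""
    seen, merged = set(), []
    for raw in (DEFAULT_NO_PROXY + "," + (additional_no_proxy or "")).split(","):
        entry = raw.strip().lower()
        if entry and entry not in seen:
            seen.add(entry)
            merged.append(entry)
    return merged

def bypasses_proxy(host, entries):
    """True if host is covered by a no_proxy entry (exact name or domain suffix)."""
    host = host.lower()
    for entry in entries:
        suffix = entry.lstrip(".")
        if host == suffix or host.endswith("." + suffix):
            return True
    return False

def idp_hosts(authentication):
    """Distinct hostnames from authority, jwks_url and issuer, in that order."""
    hosts = []
    for key in ("authority", "jwks_url", "issuer"):
        host = urlparse(str(authentication.get(key) or "")).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def proxy_report(authentication, proxy):
    """Hosts that will use http_proxy/https_proxy, and whether a proxy is set at all."""
    entries = no_proxy_entries(proxy.get("additional_no_proxy"))
    via_proxy = [h for h in idp_hosts(authentication) if not bypasses_proxy(h, entries)]
    configured = bool(proxy.get("https_proxy") or proxy.get("http_proxy"))
    return {
        "via_proxy": via_proxy,
        "proxy_configured": configured,
        # external IdP hosts with no proxy configured is the case the page warns about
        "needs_attention": bool(via_proxy) and not configured,
    }

# Constructed sample: the page's Google example with an empty security.proxy block
AUTH = {
    "authority": "https://accounts.google.com",
    "client_id": "clientID-xyz",
    "jwks_url": "https://www.googleapis.com/oauth2/v3/certs",
    "issuer": "https://accounts.google.com",
}
PROXY = {"http_proxy": None, "https_proxy": None, "additional_no_proxy": None}

if __name__ == "__main__":
    print(proxy_report(AUTH, PROXY))
```

With the empty proxy block the report lists accounts.google.com and www.googleapis.com as hosts that must be reachable and flags needs_attention, which is the situation to resolve (either direct egress to those hosts or an https_proxy entry) before enabling the OpenID Connect integration.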

server.smtp

Installation.yaml Configuration:

smtp:
   user: notifications@mycompany.com
   password: my$uperS3cr3t
   identity:
   url: smtp://smtp.gmail.com:587

Details:
  • The vFunction Server can send notifications about upgrades, about Architectural Observability Events and about user onboarding

server.storage

Installation.yaml Configuration:

storage:
   storage_class: notDefault
   mysql_persistent_volume:
   mysql_persistent_volume_claim:
   storage_persistent_volume:
   storage_persistent_volume_claim:
   lets_encrypt_persistent_volume:
   lets_encrypt_persistent_volume_claim:

Details:
  • storage.storage_class is set to "default" by default. This is the storageClass used to create the PersistentVolumeClaims for the Persistent Volumes. This value can be changed to an alternate string for the creation of the PersistentVolumeClaims.

  • storage.mysql_persistent_volume is, by default, dynamically created. It may be preferable to create this Persistent Volume manually. If the Persistent Volume is manually created, use this field for the metadata.name of the Persistent Volume.

  • storage.mysql_persistent_volume_claim is vfunction-mysql-pvc. If using a custom MySQL PVC to create the Persistent Volume, add that name here.

  • storage.storage_persistent_volume is, by default, dynamically created. It may be preferable to create this Persistent Volume manually. If the Persistent Volume is manually created, use this field for the metadata.name of the Persistent Volume.

  • storage.storage_persistent_volume_claim is vfunction-storage-pvc. If using a custom MySQL PVC to create the Persistent Volume, add that name here.


tls

Installation.yaml Configuration:

tls:
   crt: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
   key: |
      -----BEGIN PRIVATE KEY-----
      ...
      -----END PRIVATE KEY-----

Details:
  • The crt field can be used to place the SSL Certificate and Chain as a bundle for Nginx. If TLS will be terminated on the route, the nginx.force_http field can be used to have traffic sent over HTTPS to the Ingress and over HTTP from the Ingress to the vFunction Nginx Pod

  • The key field can be used for the Private Key of the SSL Certificate.