Configurable Settings - Server on OpenShift

How to apply changes to the OpenShift Operator environment

Air-Gapped (Offline) environment

Changes in the installation.yaml can be applied by running the install.sh script or the upgrade.sh script in an OpenShift Offline environment. Note that re-running the install.sh script will delete any database information that would have been stored previously.

Online environment

When working in the OpenShift Console, changes in the Operator YAML will automatically be applied as new Pods are brought online reflecting the changes.


Required fields in installation.yaml

Variable Name
Key Value
Explanation of the Variable and Key Values
server.host
String The server.host value needs to start with http:// or https://. The value can be an IP Address or a FQDN. This value needs to match the URL that Developers will use in a browser to access this server.
server.org_name
String Used as an identifier for the Organization using vFunction
server.admin.email
String Accepted characters include A-Z a-z 0-9 . _ % + - @
server.admin.name
String Used as an identifier for the logged-in user in the vFunction Server UI
server.admin.password
String Used for the Admin as the password for first logging into the Server UI. The Admin can then change the password from the Server UI if desired. Minimum requirements: 8 characters, lower & uppercase letter, number and a special character ! @ # $ % ^ &
server.upgrade
String Three potential strings can be used for this field:
  • Daily: The operator will check for a new version every day at 3 AM and will install it automatically
  • Always: The operator will check for a new version every 10 minutes and will install it automatically
  • Never: Do not upgrade automatically (default)
server.offline
String Two potential strings can be used for this field:
  • No: The operator will retrieve the Container Images from the Red Hat Registry
  • Yes: The operator will retrieve the Container Images from the Installation TGZ
measurements.min_num_of_services
Integer The default value is 1. The number of measurements pods will increase on an as-needed basis until the max_num_of_services is reached
measurements.max_num_of_services
Integer The default value is 10. The number of measurements pods will increase from the min_num_of_services to this maximum on an as-needed basis
measurements.max_pod_memory_capacity
String The default value for the Maximum Memory used by each Measurements Pod is 8gb. This can be increased if needed
measurements.max_pod_cpu_capacity
String The default value for the Maximum CPU used by the Measurements Pod(s) is "1". This value can be increased if needed
measurements.pod_ephemeral_storage
String The default value for the Ephemeral Storage used by the Measurements Pod(s) is "1G". This value is used both for the Resources and Limits for the Ephemeral Storage
server.tls.use_letsencrypt
String Two potential strings can be used for this field:
  • No: The default value where Let's Encrypt is not used to manage the TLS certificate
  • Yes: A separate Let's Encrypt Volume will be created to store the Let's Encrypt Certbot and TLS Certificate and Key
server.nginx.force_http
String Two potential strings can be used for this field:
  • No: Either TLS is used from the Route to the Nginx Pod, in which case the Nginx Pod needs to include the TLS Certificate and Key, or HTTP is used on both the Route and the Nginx Pod.
  • Yes: TLS is terminated on the Route, and the vFunction Nginx Pod listens for HTTP traffic on Port 80
server.nginx.ipv6_disabled
String Two potential strings can be used for this field:
  • No: The default value where the vFunction Nginx pod listens to and sends traffic over IPv4 and IPv6
  • Yes: Disables the vFunction Nginx pod from listening to and from sending traffic to other Pods over IPv6
route.use_route
String Two potential strings can be used for this field:
  • Yes: The default value where a Route Object is created to send external traffic to the vFunction Nginx pod
  • No: Used to send traffic right to the internal vFunction-Nginx Pod and to not create a Route Object
route.tls_termination
String Three potential strings can be used for this field:
  • edge: TLS traffic will be terminated on the Route. The Route should have its own SSL certificate that can terminate TLS, e.g. openshift.mycompany.com. Traffic will be sent from the Route to the vfunction-nginx Pod over HTTP, with server.nginx.force_http automatically set, and the vfunction-nginx Pod will listen on Port 80
  • passthrough: The Route passes the TLS traffic through untouched and TLS is terminated on the vfunction-nginx Pod. A valid SSL certificate is needed in tls.crt along with its Key in tls.key
  • reencrypt: TLS will be terminated and validated by the Route. Traffic will then be re-encrypted and sent to the vfunction-nginx Pod over TLS. A valid SSL certificate is needed in tls.crt along with its Key in tls.key
route.use_tls_certificate
String Two potential strings can be used for this field:
  • Yes: Set when route.tls_termination is set to "passthrough" or "reencrypt"
  • No: Set when TLS is not used or when route.tls_termination is set to "edge"
mysql.max_pod_memory_capacity
String The default value for the Maximum Memory used by each MySQL Pod is 4gb. This can be increased if needed
mysql.max_pod_cpu_capacity
String The default value for the Maximum CPU used by the MySQL Pod is "1". This value can be increased if needed
mysql.pod_ephemeral_storage
String The default value for the Ephemeral Storage used by the MySQL Pod is "1G". This value is used both for the Resources and Limits for the Ephemeral Storage
distributed.otlp.min_num_of_services
Integer The default value is 1. This defines the minimum number of OTLP Pods in the environment. This Pod is used to receive Open Telemetry Protocol traces for Distributed Applications.
distributed.otlp.max_num_of_services
Integer The default value is 10. This defines the maximum number of OTLP Pods in the environment
distributed.otlp.max_pod_memory_capacity
String The default value for the Maximum Memory used by each OTLP Pod is 8gb. This can be increased if needed
distributed.otlp.max_pod_cpu_capacity
String The default value for the Maximum CPU used by each OTLP Pod is "1". This value can be increased if needed
distributed.otlp.pod_ephemeral_storage
String The default value for the Ephemeral Storage used by each OTLP Pod is "250M". This value is used both for the Resources and Limits for the Ephemeral Storage
distributed.dm.min_num_of_services
Integer The default value is 1. This defines the minimum number of DM Pods in the environment. This Pod is used for Distributed Measurements to analyze local Service Maps received from the OTLP Pod during Learning to display the Architecture for a Distributed Architecture Application
distributed.dm.max_num_of_services
Integer The default value is 10. This defines the maximum number of DM Pods in the environment
distributed.dm.max_pod_memory_capacity
String The default value for the Maximum Memory used by each DM Pod is 8gb. This can be increased if needed
distributed.dm.max_pod_cpu_capacity
String The default value for the Maximum CPU used by each DM Pod is "1". This value can be increased if needed
distributed.dm.pod_ephemeral_storage
String The default value for the Ephemeral Storage used by each DM Pod is "1G". This value is used both for the Resources and Limits for the Ephemeral Storage
backup.mysql.restore_during_installation
String Two potential strings can be used for this field:
  • Yes: The DB will be restored during installation from the latest kept backup with the same major version if available on attached DB storage or S3 bucket
  • No: The default value where the DB will not be restored
security.force_hashed_images
String Two potential strings can be used for this field:
  • Yes: Uses hashed images for all deployments
  • No: Coming Soon
security.set_pod_resources
String Two potential strings can be used for this field:
  • Yes: The default value where all vFunction resource settings, e.g. measurements.max_pod_cpu_capacity, are used with the deployment to set minimum and maximum CPU and RAM levels.
  • No: The minimum and maximum resources will scale until environmental limits are hit. With "No" in place, all other installation.yaml settings for CPU and RAM are ignored
security.use_rate_limiting
String Two potential strings can be used for this field:
  • Yes: An organization can also use security.requests_per_second to define how many calls to the same API the Server will answer per second, such as 10, before returning an error
  • No: The default value where the vFunction Server will try to process every request that it receives. This creates a risk that excessive requests will slow down the Server or result in a Denial of Service
security.requests_per_second
String
  • An organization can set security.use_rate_limiting to "Yes" to prevent a Denial of Service attack
  • The requests_per_second value defines how many calls to the same API the Server will answer per second, such as "10", before returning an error

Sample installation.yaml with required fields

server:
  host: "http://my.domain.com"
  org_name: "MyCompany"
  admin:
    email: "admin@mycompany.com"
    name: "Admin"
    password: "Password1!"
  upgrade: "Never"
  offline: "Yes"
  custom_docker_registry: ""
  custom_image_pull_secret: ""

  measurements:
    min_number_of_services: "2"
    max_number_of_services: "10"
    max_pod_memory_capacity: "8G"
    max_pod_cpu_capacity: "1"
    pod_ephemeral_storage: "1G"
    S3:
      bucket: ""
      key: ""
      secret: ""
      region: ""

  smtp:
    password: ""
    url: ""
    identity: ""
    user: ""

  authentication:
    authority: ""
    client_id: ""
    client_secret: ""
    jwks_url: ""
    issuer: ""
    ca_root_crt: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----      

  tls:
    use_letsencrypt: "No"
    crt: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----      
    key: |
      -----BEGIN PRIVATE KEY-----
      ...
      -----END PRIVATE KEY-----      

  nginx:
    force_http: "No"
    ipv6_disabled: "No"
    service_type: ""

  route:
    use_route: "Yes"
    tls_termination: "edge"
    use_tls_certificate: "No"

  mysql:
    external_mysql_ip: ""
    external_mysql_user: ""
    external_mysql_password: ""
    max_pod_memory_capacity: "4G"
    max_pod_cpu_capacity: "1"
    pod_ephemeral_storage: "1G"

  storage:
    storage_class: ""
    mysql_persistent_volume: ""
    mysql_persistent_volume_claim: ""
    storage_persistent_volume: ""
    storage_persistent_volume_claim: ""
    lets_encrypt_persistent_volume: ""
    lets_encrypt_persistent_volume_claim: ""

  distributed:
    otlp:
      min_number_of_services: "1"
      max_number_of_services: "10"
      max_pod_memory_capacity: "8G"
      max_pod_cpu_capacity: "1"
      pod_ephemeral_storage: "250M"
    dm:
      min_number_of_services: "1"
      max_number_of_services: "10"
      max_pod_memory_capacity: "8G"
      max_pod_cpu_capacity: "1"
      pod_ephemeral_storage: "1G"

  backup:
    mysql:
      ### Indicates if the DB should be restored during installation from the latest kept backup with the same major version (if available on attached DB storage or S3 bucket)
      restore_during_installation: "No"
      S3:
        bucket: ""
        key: ""
        secret: ""
        region: ""

  security:
    image_pull_policy: ""
    force_hashed_images: "No"
    set_pod_resources: "Yes"
    proxy:
      http_proxy: ""
      https_proxy: ""
      additional_no_proxy: ""
    use_rate_limiting: "No"
    requests_per_second: "10"
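
The constraints listed in the table above (host scheme, admin e-mail character set, admin password policy, route.tls_termination versus route.use_tls_certificate and the tls.crt/tls.key they require, and the rate-limiting default) can be checked before install.sh is run. The following pre-flight validator is an added example and is not part of the vFunction documentation or product; the function names are this example's own, and the sample configuration is a constructed Python dict that mirrors the sample installation.yaml above rather than parsed YAML.

```python
import re
# Constraints taken from the settings table on this page.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+\-@]+$")
PASSWORD_SPECIALS = set("!@#$%^&")
NEEDS_CERT = ("passthrough", "reencrypt")  # route.use_tls_certificate must be "Yes"
PEM_PLACEHOLDER = "..."                    # the sample YAML leaves PEM bodies as "..."

def check_password(pw):
    """Admin password policy: 8+ chars, lower, upper, digit and one of ! @ # $ % ^ &."""
    return (len(pw) >= 8
            and any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in PASSWORD_SPECIALS for c in pw))

def validate(server):
    """Check the 'server' mapping of installation.yaml; return (errors, warnings)."""
    errors, warnings = [], []
    if not str(server.get("host", "")).startswith(("http://", "https://")):
        errors.append("server.host must start with http:// or https://")
    admin = server.get("admin", {})
    if not EMAIL_RE.match(admin.get("email", "")):
        errors.append("server.admin.email uses characters outside A-Z a-z 0-9 . _ % + - @")
    if not check_password(admin.get("password", "")):
        errors.append("server.admin.password does not meet the minimum requirements")
    route = server.get("route", {})
    term = route.get("tls_termination")
    if term not in ("edge",) + NEEDS_CERT:
        errors.append("route.tls_termination must be edge, passthrough or reencrypt")
    want_cert = "Yes" if term in NEEDS_CERT else "No"
    if route.get("use_tls_certificate") != want_cert:
        errors.append(f"route.use_tls_certificate must be {want_cert} for tls_termination={term}")
    if term in NEEDS_CERT:  # the Nginx pod terminates TLS, so it needs a real cert and key
        for k in ("crt", "key"):
            body = server.get("tls", {}).get(k, "")
            if "-----BEGIN" not in body or PEM_PLACEHOLDER in body:
                errors.append(f"tls.{k} must contain a real PEM block for tls_termination={term}")
    if server.get("security", {}).get("use_rate_limiting") != "Yes":
        warnings.append("security.use_rate_limiting is not Yes: every request is processed (DoS risk)")
    return errors, warnings

# Constructed sample mirroring the page's sample installation.yaml (a dict, not parsed YAML).
SAMPLE = {
    "host": "http://my.domain.com",
    "admin": {"email": "admin@mycompany.com", "name": "Admin", "password": "Password1!"},
    "tls": {"crt": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n",
            "key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"},
    "route": {"use_route": "Yes", "tls_termination": "edge", "use_tls_certificate": "No"},
    "security": {"use_rate_limiting": "No", "requests_per_second": "10"},
}

if __name__ == "__main__":
    for level, msgs in zip(("ERROR", "WARNING"), validate(SAMPLE)):
        for msg in msgs:
            print(f"{level}: {msg}")
```

Run against the sample above it reports no errors and one warning (rate limiting left at "No"); switching tls_termination to passthrough without a real certificate and use_tls_certificate "Yes" turns that into three errors.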

Optional fields in installation.yaml
server.authentication.*
Installation.yaml Configuration
Details
authentication:
   authority: "https://accounts.google.com"
   client_id: "clientID-xyz"
   client_secret: "clientSecret-xyz"
   jwks_url: "https://www.googleapis.com/oauth2/v3/certs"
   issuer: "https://accounts.google.com"
   ca_root_crt: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
  • By default, a vFunction Server allows users to authenticate with a built-in OAuth username and password workflow
  • The authentication subkey is used to change the authentication workflow from this built-in OAuth username and password to integrate with an OpenID Connect identity provider

server.backup.mysql.S3.*
Installation.yaml Configuration
Details
backup:
   mysql:
      S3:
         bucket: "awsBucket"
         key: "awsKey"
         secret: "awsSecret"
         region: "awsRegion"
  • The MySQL DB Persistent Volume can be backed up to an AWS S3 bucket if desired

server.custom_docker_registry
Installation.yaml Configuration
Details
server:
   custom_docker_registry: privateRegistry
  • Used with the Offline OpenShift Installation when the Container Images cannot be downloaded from the Red Hat Registry and must be downloaded from a Private Docker Registry instead
  • Instead of manually populating this value in the installation.yaml, this value should be populated as a Prerequisite to the installation while running the offline/init.sh script

server.custom_image_pull_secret
Installation.yaml Configuration
Details
server:
   custom_image_pull_secret: imagePullSecretValue
  • Used with the Offline OpenShift Installation when the Container Images cannot be downloaded from the Red Hat Registry and must be downloaded from a Private Docker Registry instead
  • The Image Pull Secret allows for the Private Docker Registry to be accessed to pull the Container Images for the OpenShift Operator installation
  • Instead of manually populating this value in the installation.yaml, this value should be populated as a Prerequisite to the installation while running the offline/init.sh script

server.measurements.S3.*
Installation.yaml Configuration
Details
server:
   measurements:
      S3:
         bucket: "awsBucket"
         key: "awsKey"
         secret: "awsSecret"
         region: "awsRegion"
  • The Measurements Storage Persistent Volume can be placed on an AWS S3 bucket if desired

server.mysql.external_mysql_*
Installation.yaml Configuration
Details
mysql:
   external_mysql_ip: "ipAddress"
   external_mysql_user: "username"
   external_mysql_password: "password"
  • Used if the MySQL database is hosted outside the vFunction OpenShift Operator Namespace

server.nginx.service_type
Installation.yaml Configuration
Details
nginx:
   service_type: "ClusterIP"
Two potential strings can be used for this field:
  • ClusterIP: The default value where the vFunction Nginx service is exposed on an IP address internal to the Cluster. The service will only be reachable from within the cluster by a Route Object
  • LoadBalancer: Exposes the vFunction Nginx service externally to a Load Balancer. NodePort and ClusterIP services are automatically created and the external Load Balancer automatically routes to these
  • NodePort: Exposes the vFunction Nginx service on each Node's IP at a static port. A ClusterIP service will automatically be created and the NodePort service automatically routes here. The NodePort service will be reachable outside the Cluster also via NodeIP:NodePort

server.security.*
Installation.yaml Configuration
Details
security:
   image_pull_policy: "IfNotPresent"
   proxy:
      http_proxy: "login.microsoft.com"
      https_proxy: "login.microsoft.com"
      additional_no_proxy: "my.org.com"
  • The server.security.image_pull_policy defines how the Container Images are pulled during an installation or upgrade.

    Available values include Always, IfNotPresent, and Never

  • The server.security.proxy Key can be used if, for example, authentication traffic needs to route through a proxy to leave the network; the authentication address can then be added to the security.proxy.http_proxy and security.proxy.https_proxy fields

    The server.security.proxy.additional_no_proxy adds to the default No Proxy addresses of localhost, 127.0.0.1 and the vFunction Services themselves


server.smtp.*
Installation.yaml Configuration
Details
smtp:
   user: notifications@mycompany.com
   password: my$uperS3cr3t
   identity:
   url: smtp://smtp.gmail.com:587
  • The vFunction Server can send notifications about upgrades, about Architectural Observability Events and about user onboarding

server.storage.*
Installation.yaml Configuration
Details
storage:
   storage_class: notDefault
   mysql_persistent_volume:
   mysql_persistent_volume_claim:
   storage_persistent_volume:
   storage_persistent_volume_claim:
   lets_encrypt_persistent_volume:
   lets_encrypt_persistent_volume_claim:
  • The storage.storage_class defaults to "default". This is the storageClass used to create the PersistentVolumeClaims for the Persistent Volumes. This value can be changed to an alternate string for the creation of the PersistentVolumeClaims.

  • The storage.mysql_persistent_volume is, by default, dynamically created. It may be preferable to manually create this Persistent Volume. If the Persistent Volume is manually created, use this field for the metadata.name of the Persistent Volume.

  • The storage.mysql_persistent_volume_claim defaults to vfunction-mysql-pvc. If using a custom MySQL PVC to create the Persistent Volume, add that name here.

  • The storage.storage_persistent_volume is, by default, dynamically created. It may be preferable to manually create this Persistent Volume. If the Persistent Volume is manually created, use this field for the metadata.name of the Persistent Volume.

  • The storage.storage_persistent_volume_claim defaults to vfunction-storage-pvc. If using a custom storage PVC to create the Persistent Volume, add that name here.


server.tls.*
Installation.yaml Configuration
Details
tls:
   crt: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
   key: |
      -----BEGIN PRIVATE KEY-----
      ...
      -----END PRIVATE KEY-----
  • The tls.crt Key can be used for the SSL Certificate if setting the route.tls_termination to passthrough or reencrypt

  • The tls.key Key can be used for the SSL Key if setting the route.tls_termination to passthrough or reencrypt