Configuration settings catalog
Here is a catalog of the settings to use when configuring and managing Mission Control. The following Mission Control tables cover:
Category: Mission Control topology |
||||
|---|---|---|---|---|
Name |
Type |
Default Value |
Range |
Description |
Control Plane |
Boolean |
TRUE |
TRUE, FALSE |
Specifies whether to deploy Mission Control in Control Plane mode rather than Data Plane mode. |
|
Configure the topology setting in the KOTS Admin Console. |
Category: Observability-advanced |
||||
|---|---|---|---|---|
Name |
Type |
Default Value |
Range |
Description |
Allow monitoring process to run on the control plane |
Boolean |
TRUE, FALSE |
Allows deployment of monitoring components on the Kubernetes Control Plane. Only required in constrained environments where the Control Plane is tainted but should host these components. |
|
Allow monitoring components on DSE nodes |
Boolean |
TRUE, FALSE |
Whether to deploy monitoring components (such as Vector and Mimir) on DSE worker nodes. Only enable this for constrained environments. |
|
|
Configure these advanced observability settings in the Control Plane. |
Category: Observability-storage |
||||
|---|---|---|---|---|
Name |
Type |
Default Value |
Range |
Description |
Storage backend |
string |
S3, GCS |
Specifies which object storage backend to use for the observability stack (Mimir and Loki). |
|
Category: Observability-S3 Storage |
||||
Region |
string |
us-east-1 |
Region where the bucket is located. |
|
Access Key ID |
string |
AWS access key ID. |
||
Secret Access Key |
Password |
AWS secret access key. |
||
Bucket endpoint URL |
string |
URL to reach the S3 compatible object storage service. |
||
Observability Bucket Insecure Access |
Boolean |
TRUE |
TRUE, FALSE |
Controls whether calls made to the storage backend use TLS. Disable only when your storage backend does not support HTTPS. |
Category: Observability-GCS storage |
||||
Service Account |
Password |
Key file content for the service account accessing the GCS buckets storing Mimir and Loki data. JSON format expected. |
||
Category: Observability-Mimir topology |
||||
|---|---|---|---|---|
Name |
Type |
Default Value |
Range |
Description |
Tune Mimir Topology |
Boolean |
TRUE, FALSE |
Change the replication factor and the number of replicas for each Mimir component. |
|
Number of Ingester instances |
number |
1 |
1.. |
|
Number of Distributor instances |
number |
1 |
1.. |
|
Number of Querier instances |
number |
1 |
1.. |
|
Number of Query Frontend instances |
number |
1 |
1.. |
|
Number of Ruler instances |
number |
1 |
1.. |
|
Number of Alert Manager instances |
number |
2 |
2.. |
A minimum of two instances are required for the |
Number of Store Gateway instances |
number |
1 |
1.. |
|
Number of Query Scheduler instances |
number |
1 |
1.. |
|
Ingester replication factor |
number |
1 |
1.. |
|
Alert manager replication factor |
number |
2 |
2.. |
Mimir cannot handle a replication factor of |
Category: Observability-Mimir resources |
||||
Name |
Type |
Default Value |
Range |
Description |
CPU Requests |
100m |
Minimum available CPU cores requested to allow scheduling a Mimir microservice. 100m = 100 millicores = 0.1 core. |
||
CPU Limits |
This is not a literal or updateable value |
Maximum number of cores allocated to a Mimir microservice. In order to maximize resource utilization do not set this value. |
||
Memory Requests |
128Mi |
Minumum available RAM requested to allow scheduling a Mimir microservice on a worker node. |
||
Memory Limits |
2Gi |
Maximum allowed RAM usage per Mimir microservice. Any service using more than this value is terminated and rescheduled. |
||
Category: Observability-Mimir advanced |
||||
Max Global Series Per User |
number |
0 |
The maximum allowed number of series that are accepted per tenant. |
|
Category: Observability-Mimir storage |
||||
Name |
Type |
Default Value |
Range |
Description |
Bucket Name |
string |
Name of the bucket (S3 or GCS) storing Mimir’s metrics data. |
||
Storage retention |
string |
7d |
#ms, #s, #h, #d, #m, #w, #y |
Set the retention period for metrics data (in milliseconds, seconds, hours, days, months, weeks, or years). These values can be used in combination - for example, |
Use Persistent Volumes |
Boolean |
TRUE |
TRUE, FALSE |
Secures data which is local to specific Mimir’s microservices by using persistent storage. Required for production deployments. |
Storage Class |
Storage Class |
(default for K8s cluster) |
All available storage classes |
For embedded runtime installs, set this to standard. When using your own Kubernetes cluster, set it to one of your available storage classes that allows dynamic provisioning. |
Access Modes |
string |
ReadWriteOnce |
ReadWriteOnce |
Set to |
Alert Manager Volume Size |
1Gi |
Use 10GB for production deployments. [1] |
||
Compactor Volume Size |
2Gi |
Use at least 300GB for production deployments. [1] |
||
Store Gateway Volume Size |
2Gi |
Use 50GB for production deployments. [1] |
||
Ingester Volume Size |
2Gi |
Use at least 100GB for production deployments. [1] WARNING: Using too small a size results in metrics no longer being ingested. |
||
Category: Observability-Loki |
||||
|---|---|---|---|---|
Name |
Type |
Default Value |
Range |
Description |
Loki Reader Instances |
number |
1 |
||
Loki Writer Instances |
number |
1 |
||
Loki Replication Factor |
number |
1 |
The number of ingesters to which Loki forwards writes. This should be less than or equal to the number of write instances. |
|
Category: Observability-Loki storage |
||||
Storage retention |
string |
7d |
#ms, #s, #h, #d, #m, #w, #y |
Set the retention period for logging data (in milliseconds, seconds, hours, days, months, weeks, or years). These values can be used in combination - for example, |
Force Path-Style Addressing |
Boolean |
FALSE |
FALSE, TRUE |
Forces requests to use AWS S3 path-style addressing, which does not prefix the endpoint URL with the bucket name. This is useful when Minio is the S3 storage backend. |
Use Persistent Volumes |
Boolean |
TRUE |
TRUE, FALSE |
Required for production deployments. |
Persistent Volumes size |
string |
10Gi |
Use at least 50GB for production deployments. [1] |
|
Storage Class |
Storage Class |
(default for K8s cluster) |
All available storage classes |
For embedded runtime installs, set to standard. When using your own Kubernetes cluster, set it to one of your available storage classes that allows dynamic provisioning. |
Chunks Bucket Name |
string |
Name of the bucket to store the log entries sent to Loki. |
||
Ruler Bucket Name |
string |
Name of the bucket to store the alerting rules for Loki. |
||
Category: User Interface (UI) |
||||
|---|---|---|---|---|
Name |
Type |
Default Value |
Range |
Description |
Create temporary admin user |
Boolean |
TRUE |
TRUE, FALSE |
Creates an admin user that authenticates to Mission Control without setting up LDAP or OpenID. |
Category: User Interface Admin user |
||||
string |
Email address of the admin user. |
|||
Password hash |
string |
The bcrypt hash of the password. On Linux and Unix systems, generate this by running: |
||
Username |
string |
admin |
Name of the admin user |
|
Category: Identity Provider connector |
||||||
|---|---|---|---|---|---|---|
Name |
Type |
Default Value |
Range |
Description |
||
Dex Connector |
string |
None, LDAP, OpenID Connect |
Defines which connector to be configured for authentication and authorization in Mission Control’s UI. |
|||
Category: LDAP connector |
||||||
Name |
Type |
Default Value |
Range |
Description |
||
Host |
string |
Host and optional port of the LDAP server. |
||||
No SSL |
Boolean |
FALSE |
TRUE, FALSE |
Required if the LDAP host is not using TLS (port 389).
|
||
Skip TLS verify |
Boolean |
FALSE |
TRUE, FALSE |
Whether to turn off Transport Layer Security (TLS) certificate verification.
|
||
Start TLS |
Boolean |
FALSE |
TRUE, FALSE |
When connecting to the server, connect using the |
||
Root CA |
string |
A trusted root certificate file content (base64-encoded Privacy Enhanced Mail (PEM) file). |
||||
Bind DN |
string |
The DN to bind with when performing the search. When not provided, the search is performed anonymously. |
||||
Bind password |
string |
The password with which to bind when performing the search. When not provided, the search is performed anonymously. |
||||
Username prompt |
string |
The prompt the user sees when requesting their username. When unspecified, the default is |
||||
User base DN |
string |
BaseDN from which to start the search. It translates to the query |
||||
User filter |
string |
BaseDN from which to start the search. It translates to the query |
||||
Username attribute |
string |
uid |
Username attribute used for comparing user entries. This is translated and combined with the other filter as |
|||
User id attribute |
string |
uid |
||||
User email attribute |
string |
|||||
User display name attribute |
string |
uid |
||||
Preferred username attribute |
||||||
Group base DN |
string |
BaseDN from which to start the search. It translates to the query |
||||
Group filter |
string |
(objectClass=group) |
Optional filter to apply when searching the directory. |
|||
Group/user matchers |
string |
- userAttr: uid groupAttr: member |
A list of field pairs that matches a user to a group. It adds an additional requirement to the filter that an attribute in the group must match the user’s attribute value. Expected format: multi-line YAML list of objects with |
|||
Group name attribute |
string |
name |
||||
Category: OIDC connector |
||||||
Name |
Type |
Default Value |
Range |
Description |
||
Issuer URL |
string |
Canonical URL of the provider, also used for configuration discovery.
|
||||
Client ID |
string |
|||||
Client Secret |
Password |
|||||
Basic auth unsupported |
Boolean |
FALSE |
TRUE, FALSE |
Some providers require passing client_secret via POST parameters instead of basic auth, despite the OAuth2 RFC discouraging it. Many of these cases are caught internally, but you may need to check this setting. |
||
Scopes |
string |
- profile |
List of additional scopes to request in token response. Default is profile and email. See Full list. Expected format: multi-line YAML list of strings. |
|||
Skip email verified |
Boolean |
FALSE |
TRUE, FALSE |
Not recommended. Some providers return claims without |
||
Enable groups |
Boolean |
FALSE |
TRUE, FALSE |
Not recommended. Groups claims only refresh when the ID token is refreshed; meaning that the regular refresh flow does not update the groups claim. By default the OIDC connector does npt allow groups claims. If it is satisfactory to have potentially stale group claims then use this option to enable groups claims through the OIDC connector on a per-connector basis. |
||
Get user info |
Boolean |
FALSE |
TRUE, FALSE |
When enabled, the OpenID Connector queries the UserInfo endpoint for additional claims. UserInfo claims take priority over claims returned by the IDToken. Use this option when the IDToken does not contain all of the claims requested. See OpenID user information. |
||
User ID key |
string |
The claim used as user id. Defaults to |
||||
Username key |
string |
The claim used as username. Defaults to |
||||
ACR values |
string |
The Authentication Context Class values within the Authentication Request that the Authorization Server is being requested to process. Expected format: multi-line YAML list of strings. |
||||
Prompt type |
string |
For offline_access, the prompt parameter is set by default to |
||||
Preferred username claim |
string |
The claim used as preferred username. Defaults to |
||||
Email claim |
string |
The claim used as email. |
||||
Preferred groups claim |
string |
groups |
The claim used as groups. |
|||
