Configuration settings catalog
Here is a catalog of the settings to use when configuring and managing Mission Control.
Topology
Configure the deployment mode for Mission Control.
| Name | Type | Default Value | Range | Description |
|---|---|---|---|---|
| control plane | Boolean | TRUE | TRUE, FALSE | Specifies whether to deploy Mission Control in control plane mode rather than data plane mode. |

Configure the topology setting in the KOTS Admin Console.
Ingress configuration
Configure ingress settings for platform services access.
| Name | Type | Default Value | Range | Description |
|---|---|---|---|---|
| ingress.enabled | Boolean | FALSE | TRUE, FALSE | Enables ingress for all platform services (Mission Control UI, Grafana, and Vector aggregator). When enabled, the system creates Ingress objects for unified access through domain-based routing. |
| ingress.regionDomain | string | | | Primary domain for Mission Control UI access (for example, |
| ingress.wildcardDomain | string | | | Wildcard domain for service subdomains (for example, |

When you enable ingress, the system automatically creates a ConfigMap named

For OpenShift environments, the system automatically creates Route objects instead of standard Ingress objects, with proper SSL passthrough configuration.
Observability
The following settings configure observability components for monitoring and logging.
Advanced
Configure advanced settings for the monitoring component deployment.
| Name | Type | Default Value | Range | Description |
|---|---|---|---|---|
| Allow the monitoring process to run on the control plane | Boolean | | TRUE, FALSE | Allows the deployment of monitoring components on the Kubernetes control plane. Only required in constrained environments where the control plane is tainted but should host these components. |
| Allow monitoring components on DataStax Enterprise (DSE) nodes | Boolean | | TRUE, FALSE | Whether to deploy monitoring components, such as Vector, Mimir, and Loki, on database worker nodes. Only enable this for constrained environments. |

Configure these advanced observability settings in the control plane.
Storage backend
Configure the object storage backend for the observability stack.
| Name | Type | Default Value | Range | Description |
|---|---|---|---|---|
| Storage backend | string | | S3, GCS | Specifies which object storage backend to use for the observability stack (Mimir and Loki). |
| Region | string | us-east-1 | | Region where the bucket is located. |
| Access Key ID | string | | | AWS access key ID. |
| Secret Access Key | Password | | | AWS secret access key. |
| Bucket endpoint URL | string | | | URL to reach the S3 compatible object storage service. |
| Observability Bucket Insecure Access | Boolean | TRUE | TRUE, FALSE | Controls whether calls made to the storage backend use TLS. Disable only when your storage backend does not support HTTPS. |

GCS storage
Configure Google Cloud Storage (GCS) service account credentials.
| Name | Type | Default Value | Range | Description |
|---|---|---|---|---|
| Service Account | Password | | | Key file content for the service account accessing the GCS buckets storing Mimir and Loki data. JSON format expected. |

Mimir topology
Configure Mimir topology and replication settings.
| Name | Type | Default Value | Range | Description |
|---|---|---|---|---|
| Tune Mimir Topology | Boolean | | TRUE, FALSE | Change the replication factor and the number of replicas for each Mimir component. |
| Number of Ingester instances | number | 1 | 1.. | |
| Number of Distributor instances | number | 1 | 1.. | |
| Number of Querier instances | number | 1 | 1.. | |
| Number of Query Frontend instances | number | 1 | 1.. | |
| Number of Ruler instances | number | 1 | 1.. | |
| Number of Alert Manager instances | number | 2 | 2.. | A minimum of two instances are required for the |
| Number of Store Gateway instances | number | 1 | 1.. | |
| Number of Query Scheduler instances | number | 1 | 1.. | |
| Ingester replication factor | number | 1 | 1.. | |
| Alert manager replication factor | number | 2 | 2.. | Mimir cannot handle a replication factor of |

Mimir resources
Configure CPU and memory resource allocation for Mimir microservices.
| Name | Type | Default Value | Range | Description |
|---|---|---|---|---|
| CPU Requests | | 100m | | Minimum available CPU cores requested to allow scheduling a Mimir microservice. 100m = 100 millicores = 0.1 core. |
| CPU Limits | | This is not a literal or updatable value | | Maximum number of cores allocated to a Mimir microservice. To maximize resource utilization, do not set this value. |
| Memory Requests | | 128Mi | | Minimum available RAM requested to allow scheduling a Mimir microservice on a worker node. |
| Memory Limits | | 2Gi | | Maximum allowed RAM usage per Mimir microservice. Any service using more than this value is terminated and rescheduled. |

Mimir advanced
Configure advanced Mimir settings for series limits.
| Name | Type | Default Value | Range | Description |
|---|---|---|---|---|
| Max Global Series Per User | number | 0 | | The maximum allowed number of series that are accepted per tenant. |

Mimir storage
Configure Mimir storage buckets, retention, and persistent volumes.
| Name | Type | Default Value | Range | Description |
|---|---|---|---|---|
| Bucket Name | string | | | Name of the bucket (S3 or GCS) storing Mimir’s metrics data. |
| Storage retention | string | 7d | #ms, #s, #h, #d, #m, #w, #y | Set the retention period for metrics data (in milliseconds, seconds, hours, days, months, weeks, or years). These values can be used in combination - for example, |
| Use Persistent Volumes | Boolean | TRUE | TRUE, FALSE | Secures data that is local to specific Mimir microservices by using persistent storage. Required for production deployments. |
| Storage Class | Storage Class | (default for K8s cluster) | All available storage classes | When using your own Kubernetes cluster, set this to one of your available storage classes that allows dynamic provisioning. |
| Access Modes | string | ReadWriteOnce | ReadWriteOnce | Set to |
| Alert Manager Volume Size | | 1Gi | | Use 10GB for production deployments. You cannot modify this size after the initialization of the cluster without deleting the existing Persistent Volumes and statefulsets, which can result in data loss. |
| Compactor Volume Size | | 2Gi | | Use at least 300GB for production deployments. You cannot modify this size after the initialization of the cluster without deleting the existing Persistent Volumes and statefulsets, which can result in data loss. |
| Store Gateway Volume Size | | 2Gi | | Use 50GB for production deployments. You cannot modify this size after the initialization of the cluster without deleting the existing Persistent Volumes and statefulsets, which can result in data loss. |
| Ingester Volume Size | | 2Gi | | Use at least 100GB for production deployments. You cannot modify this size after the initialization of the cluster without deleting the existing Persistent Volumes and statefulsets, which can result in data loss. WARNING: Using too small a size results in metrics no longer being ingested. |

Loki instances
Configure Loki instances and replication settings.
| Name | Type | Default Value | Range | Description |
|---|---|---|---|---|
| Loki Reader Instances | number | 1 | | |
| Loki Writer Instances | number | 1 | | |
| Loki Replication Factor | number | 1 | | The number of ingesters to which Loki forwards writes. This should be less than or equal to the number of write instances. |

Loki storage
Configure Loki storage retention, buckets, and persistent volumes.
| Name | Type | Default Value | Range | Description |
|---|---|---|---|---|
| Storage retention | string | 7d | #ms, #s, #h, #d, #m, #w, #y | Set the retention period for logging data (in milliseconds, seconds, hours, days, months, weeks, or years). These values can be used in combination - for example, |
| Force Path-Style Addressing | Boolean | FALSE | FALSE, TRUE | Forces requests to use AWS S3 path-style addressing, which does not prefix the endpoint URL with the bucket name. This is useful when using S3-compatible storage backends. |
| Use Persistent Volumes | Boolean | TRUE | TRUE, FALSE | Required for production deployments. |
| Persistent Volumes size | string | 10Gi | | Use at least 50GB for production deployments. You cannot modify this size after the initialization of the cluster without deleting the existing Persistent Volumes and statefulsets, which can result in data loss. |
| Storage Class | Storage Class | (default for K8s cluster) | All available storage classes | When using your own Kubernetes cluster, set this to one of your available storage classes that allows dynamic provisioning. |
| Chunks Bucket Name | string | | | Name of the bucket to store the log entries sent to Loki. |
| Ruler Bucket Name | string | | | Name of the bucket to store the alerting rules for Loki. |

User Interface (UI)
The following settings configure the Mission Control UI.
Admin user
Configure the temporary admin user for initial authentication.
| Name | Type | Default Value | Range | Description |
|---|---|---|---|---|
| Create temporary admin user | Boolean | TRUE | TRUE, FALSE | Creates an admin user that authenticates to Mission Control without setting up LDAP or OpenID. |
| | string | | | Email address of the admin user. |
| Password hash | string | | | The bcrypt hash of the password. On Linux and Unix systems, generate this by running: |
| Username | string | admin | | Name of the admin user |

Identity provider connector
Select the authentication connector type for the UI.
| Name | Type | Default Value | Range | Description |
|---|---|---|---|---|
| Dex Connector | string | | None, LDAP, OpenID Connect | Defines which connector to configure for authentication and authorization in the Mission Control UI. |

LDAP connector
Configure LDAP authentication settings including host, TLS, and user/group mappings.
| Name | Type | Default Value | Range | Description |
|---|---|---|---|---|
| Host | string | | | Host and optional port of the LDAP server. |
| No SSL | Boolean | FALSE | TRUE, FALSE | Required if the LDAP host is not using TLS (port 389). |
| Skip TLS verify | Boolean | FALSE | TRUE, FALSE | Whether to turn off Transport Layer Security (TLS) certificate verification. |
| Start TLS | Boolean | FALSE | TRUE, FALSE | When connecting to the server, connect using the |
| Root CA | string | | | A trusted root certificate file content (base64-encoded Privacy Enhanced Mail (PEM) file). |
| Bind DN | string | | | The DN to bind with when performing the search. When not provided, the search is performed anonymously. |
| Bind password | string | | | The password with which to bind when performing the search. When not provided, the search is performed anonymously. |
| Username prompt | string | | | The prompt the user sees when requesting their username. When unspecified, the default is |
| User base DN | string | | | BaseDN from which to start the search. It translates to the query |
| User filter | string | | | BaseDN from which to start the search. It translates to the query |
| Username attribute | string | uid | | Username attribute used for comparing user entries. This is translated and combined with the other filter as |
| User id attribute | string | uid | | |
| User email attribute | string | | | |
| User display name attribute | string | uid | | |
| Preferred username attribute | | | | |
| Group base DN | string | | | BaseDN from which to start the search. It translates to the query |
| Group filter | string | (objectClass=group) | | Optional filter to apply when searching the directory. |
| Group/user matchers | string | - userAttr: uid groupAttr: member | | A list of field pairs that matches a user to a group. It adds an additional requirement to the filter that an attribute in the group must match the user’s attribute value. Expected format: multi-line YAML list of objects with |
| Group name attribute | string | name | | |

OIDC connector
Configure OpenID Connect (OIDC) authentication settings including issuer, client credentials, and claims.
| Name | Type | Default Value | Range | Description |
|---|---|---|---|---|
| Issuer URL | string | | | Canonical URL of the provider, also used for configuration discovery. |
| Client ID | string | | | |
| Client Secret | Password | | | |
| Basic auth unsupported | Boolean | FALSE | TRUE, FALSE | Some providers require passing client_secret via POST parameters instead of basic auth, despite the OAuth2 RFC discouraging it. Many of these cases are caught internally, but you might need to check this setting. |
| Scopes | string | - profile | | List of additional scopes to request in token response. Default is profile and email. See Full list. Expected format: multi-line YAML list of strings. |
| Skip email verified | Boolean | FALSE | TRUE, FALSE | Not recommended. Some providers return claims without |
| Enable groups | Boolean | FALSE | TRUE, FALSE | Not recommended. Groups claims only refresh when the ID token is refreshed, meaning that the regular refresh flow does not update the groups claim. By default, the OIDC connector does not allow groups claims. If it is satisfactory to have potentially stale group claims, use this option to enable groups claims through the OIDC connector on a per-connector basis. |
| Get user info | Boolean | FALSE | TRUE, FALSE | When enabled, the OpenID Connector queries the UserInfo endpoint for additional claims. UserInfo claims take priority over claims returned by the IDToken. Use this option when the IDToken does not contain all of the claims requested. See OpenID user information. |
| User ID key | string | | | The claim used as user id. Defaults to |
| Username key | string | | | The claim used as username. Defaults to |
| ACR values | string | | | The Authentication Context Class values within the Authentication Request that the Authorization Server is being requested to process. Expected format: multi-line YAML list of strings. |
| Prompt type | string | | | For offline_access, the prompt parameter is set by default to |
| Preferred username claim | string | | | The claim used as preferred username. Defaults to |
| Email claim | string | | | The claim used as email. |
| Preferred groups claim | string | groups | | The claim used as groups. |

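
Several rows in this catalog state constraints or carry a "Not recommended" note (LDAP without TLS, anonymous bind, stale OIDC group claims, Loki replication factor versus writer instances, the Alert Manager minimum of two). The following is an added example, not part of Mission Control or its documentation, that checks a configuration against those statements; it assumes the settings have been exported to a Python dict keyed by the display names used in the tables, which is a hypothetical format, and `audit` is a hypothetical function name.

```python
# Added example: audits a settings dict against constraints stated in this catalog.
# Assumption: keys are the display names from the tables; the dict format is hypothetical.

DEFAULTS = {  # values from the Default Value column; empty where none is listed
    "Dex Connector": "None",  # no default listed in the catalog; assumed here
    "No SSL": False, "Skip TLS verify": False, "Bind DN": "",
    "Skip email verified": False, "Enable groups": False,
    "Loki Writer Instances": 1, "Loki Replication Factor": 1,
    "Number of Alert Manager instances": 2,
    "Alert manager replication factor": 2,
}

def audit(settings):
    """Return a list of (setting, message) findings for one configuration."""
    cfg = {**DEFAULTS, **settings}
    findings = []

    def flag(name, message):
        findings.append((name, message))

    # Connector-specific checks only apply to the selected connector.
    if cfg["Dex Connector"] == "LDAP":
        if cfg["No SSL"]:
            flag("No SSL", "LDAP host is not using TLS (port 389)")
        if cfg["Skip TLS verify"]:
            flag("Skip TLS verify", "TLS certificate verification is turned off")
        if not cfg["Bind DN"]:
            flag("Bind DN", "not provided: the search is performed anonymously")
    elif cfg["Dex Connector"] == "OpenID Connect":
        for name in ("Skip email verified", "Enable groups"):
            if cfg[name]:
                flag(name, "marked 'Not recommended' in the catalog")

    # Cross-setting and range constraints from the observability tables.
    if cfg["Loki Replication Factor"] > cfg["Loki Writer Instances"]:
        flag("Loki Replication Factor", "exceeds the number of write instances")
    for name in ("Number of Alert Manager instances",
                 "Alert manager replication factor"):
        if cfg[name] < 2:
            flag(name, "below the catalog's minimum of 2")
    return findings

# Constructed sample input, not taken from a real deployment.
SAMPLE = {"Dex Connector": "LDAP", "No SSL": True, "Bind DN": "",
          "Loki Writer Instances": 2, "Loki Replication Factor": 3,
          "Alert manager replication factor": 1}

if __name__ == "__main__":
    for name, message in audit(SAMPLE):
        print(f"{name}: {message}")
```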