Mission Control
| Value | Description |
|---|---|
| global.ui.host | The domain to be used for ingress. Defaults to mission-control-ui.local |
| global.otel.collector | OpenTelemetry Endpoint to send internal traces |
| global.registry | Defaults to docker.io/flanksource |
| extraArgs | Extra arguments to mission-control |
| image.pullPolicy | Defaults to IfNotPresent |
| image.tag | |
| otel.serviceName | Defaults to mission-control |
| properties.incidents.disable | Defaults to {} |
| properties.logs.disable | Defaults to true |
| replicas | Defaults to 1 |
| resources.limits.cpu | Defaults to 500m |
| resources.limits.memory | Defaults to 1024Mi |
| resources.requests.cpu | Defaults to 100m |
| resources.requests.memory | Defaults to 768Mi |
Canary Checker
| Value | Description |
|---|---|
| canary-checker.resources.requests.cpu | Defaults to 100m |
| canary-checker.resources.limits.cpu | Defaults to 500m |
| canary-checker.resources.requests.memory | Defaults to 768Mi |
| canary-checker.resources.limits.memory | Defaults to 1024Mi |
| canary-checker.serviceAccount.annotations | {} |
| canary-checker.serviceAccount.name | canary-checker-sa |
| canary-checker.extraArgs | {} |
Config DB
| Value | Description |
|---|---|
| config-db.resources.requests.cpu | Defaults to 100m |
| config-db.resources.limits.cpu | Defaults to 500m |
| config-db.resources.requests.memory | Defaults to 768Mi |
| config-db.resources.limits.memory | Defaults to 1024Mi |
| config-db.serviceAccount.annotations | {} |
| config-db.serviceAccount.name | config-db-sa |
| config-db.extraArgs | {} |
Ingress
| Value | Description |
|---|---|
| global.ui.host | The domain to be used for ingress, will be the primary entrypoint into mission control. Defaults to mission-control-ui.local |
| ingress.annotations | Defaults to kubernetes.io/ingress.class: nginx |
| ingress.enabled | Defaults to true |
| global.ui.tlsSecretName | Defaults to mission-control-ui-tls |
| global.api.tlsSecretName | |
Database
| Value | Description |
|---|---|
| db.create | Defaults to true |
| db.conf | postgres.conf settings |
| db.resources.requests.memory | Defaults to 4Gi |
| db.shmVolume | Defaults to 256Mi |
| db.storage | Defaults to 20Gi |
| db.storageClass | |
| db.secretKeyRef.key | Defaults to DB_URL |
| db.secretKeyRef.name | Defaults to incident-commander-postgres |
Using an external database
In order to connect to an existing database, the secret referenced by db.secretKeyRef.name needs to be created.
- Create a new secret

  See Postgres Connection Strings for a full list of parameters.

  ```bash
  kubectl create secret generic incident-commander-postgres \
    --from-literal=DB_URL=postgres://postgres:postgres@db/mission_control \
    --from-literal=SSLMODE=disable \
    --from-literal=POSTGRES_HOST=db \
    --from-literal=DATABASE=mission_control \
    --from-literal=POSTGRES_USER=postgres \
    --from-literal=POSTGRES_PASSWORD=postgres
  ```
- Update the helm values to disable db creation

  values.yaml
  ```yaml
  db:
    create: false
  ```
Updating postgres.conf settings
The default settings applied to the installed Postgres database can be configured under the db.conf value.
In order to increase (or decrease) memory usage, the db.conf, db.resources and db.shmVolume values need to be updated.
reduce-db-resources.yaml
```yaml
db:
  shmVolume: 64Mi
  resources:
    requests:
      memory: 256Mi
    limits:
      memory: 512Mi
  conf:
    shared_buffers: 128MB
    max_connections: 30
    effective_cache_size: 256MB
    work_mem: 4MB
```
| Value | Description |
|---|---|
| max_connections | Defaults to 200 |
| shared_buffers | Defaults to 1GB |
| effective_cache_size | Defaults to 3GB |
| maintenance_work_mem | Defaults to 256MB |
| wal_buffers | Defaults to 16MB |
| effective_io_concurrency | Defaults to 200 |
| work_mem | Defaults to 10MB |
| max_wal_size | Defaults to 4GB |
| log_autovacuum_min_duration | Defaults to 0 |
| log_connections | Defaults to on |
| log_destination | Defaults to stderr |
| log_directory | Defaults to /var/log/postgresql |
| log_file_mode | Defaults to 0644 |
| log_filename | Defaults to postgresql.log |
| log_line_prefix | Defaults to %m [%p] %q[user=%u,db=%d,app=%a] |
| log_lock_waits | Defaults to on |
| log_min_duration_statement | Defaults to 1s |
| log_rotation_age | Defaults to 0 |
| log_rotation_size | Defaults to 0 |
| log_statement | Defaults to "all" |
| log_temp_files | Defaults to 0 |
| log_timezone | Defaults to UTC |
| logging_collector | Defaults to on |
| ssl | Defaults to off |
| timezone | Defaults to UTC |
| password_encryption | Defaults to scram-sha-256 |
| db_user_namespace | Defaults to off |
| extra_float_digits | Defaults to 0 |
Pganalyze collector
Advanced: A pganalyze.com collector can be installed using:
| Value | Description |
|---|---|
| db.pganalyze.enabled | Defaults to false |
| db.pganalyze.secretName | Defaults to pganalyze. Secret containing the pganalyze API token |
| db.pganalyze.systemID | Defaults to mission-control |
Postgrest
Advanced: Mission Control uses postgrest to provide a REST API over the database. This setup is automatic and connects to either the internal or external DB.
| Value | Description |
|---|---|
| externalPostgrest.imageName | |
| externalPostgrest.enable | Defaults to true |
| externalPostgrest.dbAnonRole | Defaults to postgrest_anon |
| externalPostgrest.dbScema | Defaults to public |
| externalPostgrest.logLevel | Defaults to info |
| externalPostgrest.maxRows | Defaults to 2000 |
| externalPostgrest.tag | Postgrest version |
Authentication
See SSO
| Value | Description |
|---|---|
| kratos.enabled | Defaults to true |
| kratos.kratos.config.courier.smtp.connection_uri | |
| kratos.deployment.resources | {} |
| kratos.kratos.config.log.level | Defaults to warning |
| kratos.kratos.config.secrets.default | |
| kratos.kratos.config.session.lifespan | Defaults to 336h |
| smtp.secretRef.name | Defaults to incident-commander-smtp |
See kratos/values.yaml for all options.
Security / Service Account Settings
| Value | Description |
|---|---|
| serviceAccount.rbac.clusterRole | Defaults to true |
| serviceAccount.rbac.configmaps | Defaults to true |
| serviceAccount.rbac.exec | Defaults to true |
| serviceAccount.rbac.podRun | Defaults to true |
| serviceAccount.rbac.readAll | Defaults to true |
| serviceAccount.rbac.secrets | Defaults to true |
| serviceAccount.rbac.tokenRequest | Defaults to true |
| canary-checker.image.type | Defaults to full |
Identity Mapper
The Identity Role Mapper script is a CEL script that is evaluated after Kratos runs the JSONNET claims mapper to map users to roles and membership in Mission Control teams.
| Value | Description |
|---|---|
| identityRoleMapper.configMap.key | |
| identityRoleMapper.configMap.mountPath | Defaults to /etc/identity-role-mapper |
| identityRoleMapper.configMap.name | |
| identityRoleMapper.script | CEL script to return a JSON object with a role and list of teams an identity should be mapped to |
To grant the admin role to all users in the admins group (as returned by the identity provider):
```
{
  "role": "admins" in identity.traits.groups ? "admin" : "viewer"
}.toJSON()
```
Input
The CEL script can make use of any of these Identity fields provided by Kratos
| Field | Description | Scheme |
|---|---|---|
| identity.traits.email* | Email address | string |
| identity.created_at | Timestamp for when the identity was created | |
| identity.id | Unique identifier for the identity | string |
| identity.metadata_public | Public metadata for the identity | |
| identity.state | Current state of the identity | |
| identity.traits.groups | List of groups the identity belongs to | |
| identity.traits.name.first | First name | string |
| identity.traits.name.last | Last name | string |
| identity.updated_at | Timestamp for when the identity was last updated | |
Output
The CEL script needs to return a JSON object that looks like:
```json
{
  "role": "admin",
  "teams": []
}
```
| Field | Description | Scheme |
|---|---|---|
| role | Mission control role. See RBAC | |
| teams | List of names or ids of the teams the OIDC identity will be put into | |
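
A fuller mapper set through identityRoleMapper.script, as an added example that is not taken from the Mission Control documentation: it returns both output fields and falls back to viewer with no teams when the identity provider sends no groups claim. The team- group prefix (the group name is used directly as the team name) and the example.com email domain are assumptions made for illustration.

```yaml
# values.yaml (added example; the "team-" prefix and "example.com" domain are assumptions)
identityRoleMapper:
  script: |
    {
      // admin only when the groups claim is present, contains "admins" and the
      // email is in the expected domain; every other identity is a viewer
      "role": (has(identity.traits.groups)
               && "admins" in identity.traits.groups
               && identity.traits.email.endsWith("@example.com"))
              ? "admin" : "viewer",
      // teams are the groups named team-*; a missing claim yields no teams
      "teams": has(identity.traits.groups)
               ? identity.traits.groups.filter(g, g.startsWith("team-"))
               : []
    }.toJSON()
```

Checking has(identity.traits.groups) before the lookups means an identity without the claim gets the least-privileged role rather than depending on how a missing field is evaluated.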