Docsright arrowEdge Stackright arrow1.14right arrowThe Ambassador Edge Stack container

6 min • read

The Ambassador Edge Stack container

To give you flexibility and independence from a hosting platform's uptime, you can pull the ambassador and aes images from any of the following registries:

  • docker.io/datawire/
    • Note: In rare occasions, you may experience rate limits when using Docker Hub. See this page to learn how to deal with them.
  • quay.io/datawire/
  • gcr.io/datawire/

For an even more robust installation, consider using a local registry as a pull through cache or configure a publicly accessible mirror.

Environment variables

Use the following variables for the environment of your Ambassador Edge Stack container:

PurposeVariableDefault valueValue type
CoreAMBASSADOR_IDdefaultPlain string
CoreAMBASSADOR_NAMESPACEdefault (1)Kubernetes namespace
CoreAMBASSADOR_SINGLE_NAMESPACEEmptyBoolean; non-empty=true, empty=false
CoreAMBASSADOR_ENVOY_BASE_ID0Integer
CoreAMBASSADOR_LEGACY_MODEfalseBoolean; Go strconv.ParseBool
CoreAMBASSADOR_FAST_RECONFIGUREfalseEXPERIMENTAL -- Boolean; true=true, any other value=false
CoreAMBASSADOR_ENVOY_API_VERSIONV2String Enum; V3 or V2
CoreAMBASSADOR_UPDATE_MAPPING_STATUSfalseBoolean; true=true, any other value=false
CoreAMBASSADOR_DISABLE_SNAPSHOT_SERVERfalseBoolean; non-empty=true, empty=false
CoreAMBASSADOR_JSON_LOGGINGfalseBoolean; non-empty=true, empty=false
CoreAMBASSADOR_AMBEX_SNAPSHOT_COUNT30Integer; 0 value disables ambex snapshots
CoreAMBASSADOR_AMBEX_NO_RATELIMITfalseBoolean; set to true to turn disable ratelimiting Envoy reconfiguration
Ambassador Edge StackAES_LOG_LEVELwarnLog level
Ambassador Edge StackAES_RATELIMIT_PREVIEWfalseBoolean; Go strconv.ParseBool
Ambassador Edge StackAES_AUTH_TIMEOUT4sDuration; Go time.ParseDuration
Primary Redis (L4)REDIS_SOCKET_TYPEtcpGo network such as tcp or unix; see Go net.Dial
Primary Redis (L4)REDIS_URLNone, must be set explicitlyGo network address; for TCP this is a host:port pair; see Go net.Dial
Primary Redis (L4)REDIS_TLS_ENABLEDfalseBoolean; Go strconv.ParseBool
Primary Redis (L4)REDIS_TLS_INSECUREfalseBoolean; Go strconv.ParseBool
Primary Redis (auth)REDIS_USERNAMEEmptyPlain string
Primary Redis (auth)REDIS_PASSWORDEmptyPlain string
Primary Redis (auth)REDIS_AUTHEmptyRequires AES_RATELIMIT_PREVIEW; Plain string
Primary Redis (tune)REDIS_POOL_SIZE10Integer
Primary Redis (tune)REDIS_PING_INTERVAL10sDuration; Go time.ParseDuration
Primary Redis (tune)REDIS_TIMEOUT0sDuration; Go time.ParseDuration
Primary Redis (tune)REDIS_SURGE_LIMIT_INTERVAL0sDuration; Go time.ParseDuration
Primary Redis (tune)REDIS_SURGE_LIMIT_AFTERThe value of REDIS_POOL_SIZEInteger
Primary Redis (tune)REDIS_SURGE_POOL_SIZE0Integer
Primary Redis (tune)REDIS_SURGE_POOL_DRAIN_INTERVAL1mDuration; Go time.ParseDuration
Primary Redis (tune)REDIS_PIPELINE_WINDOW0Requires AES_RATELIMIT_PREVIEW; Duration; Go time.ParseDuration
Primary Redis (tune)REDIS_PIPELINE_LIMIT0Requires AES_RATELIMIT_PREVIEW; Integer; [Go strconv.ParseInt][]
Primary Redis (tune)REDIS_TYPESINGLERequires AES_RATELIMIT_PREVIEW; String; SINGLE, SENTINEL, or CLUSTER
Per-Second RateLimit RedisREDIS_PERSECONDfalseBoolean; Go strconv.ParseBool
Per-Second RateLimit Redis (L4)REDIS_PERSECOND_SOCKET_TYPENone, must be set explicitly (if REDIS_PERSECOND)Go network such as tcp or unix; see Go net.Dial
Per-Second RateLimit Redis (L4)REDIS_PERSECOND_URLNone, must be set explicitly (if REDIS_PERSECOND)Go network address; for TCP this is a host:port pair; see Go net.Dial
Per-Second RateLimit Redis (L4)REDIS_PERSECOND_TLS_ENABLEDfalseBoolean; Go strconv.ParseBool
Per-Second RateLimit Redis (L4)REDIS_PERSECOND_TLS_INSECUREfalseBoolean; Go strconv.ParseBool
Per-Second RateLimit Redis (auth)REDIS_PERSECOND_USERNAMEEmptyPlain string
Per-Second RateLimit Redis (auth)REDIS_PERSECOND_PASSWORDEmptyPlain string
Per-Second RateLimit Redis (auth)REDIS_PERSECOND_AUTHEmptyRequires AES_RATELIMIT_PREVIEW; Plain string
Per-Second RateLimit Redis (tune)REDIS_PERSECOND_POOL_SIZE10Integer
Per-Second RateLimit Redis (tune)REDIS_PERSECOND_PING_INTERVAL10sDuration; Go time.ParseDuration
Per-Second RateLimit Redis (tune)REDIS_PERSECOND_TIMEOUT0sDuration; Go time.ParseDuration
Per-Second RateLimit Redis (tune)REDIS_PERSECOND_SURGE_LIMIT_INTERVAL0sDuration; Go time.ParseDuration
Per-Second RateLimit Redis (tune)REDIS_PERSECOND_SURGE_LIMIT_AFTERThe value of REDIS_PERSECOND_POOL_SIZEInteger
Per-Second RateLimit Redis (tune)REDIS_PERSECOND_SURGE_POOL_SIZE0Integer
Per-Second RateLimit Redis (tune)REDIS_PERSECOND_SURGE_POOL_DRAIN_INTERVAL1mDuration; Go time.ParseDuration
Per-Second RateLimit Redis (tune)REDIS_PERSECOND_TYPESINGLERequires AES_RATELIMIT_PREVIEW; String; SINGLE, SENTINEL, or CLUSTER
Per-Second RateLimit Redis (tune)REDIS_PERSECOND_PIPELINE_WINDOW0Requires AES_RATELIMIT_PREVIEW; Duration; Go time.ParseDuration
Per-Second RateLimit Redis (tune)REDIS_PERSECOND_PIPELINE_LIMIT0Requires AES_RATELIMIT_PREVIEW; Integer
RateLimitEXPIRATION_JITTER_MAX_SECONDS300Integer
RateLimitUSE_STATSDfalseBoolean; Go strconv.ParseBool
RateLimitSTATSD_HOSTlocalhostHostname
RateLimitSTATSD_PORT8125Integer
RateLimitGOSTATS_FLUSH_INTERVAL_SECONDS5Integer
RateLimitLOCAL_CACHE_SIZE_IN_BYTES0Requires AES_RATELIMIT_PREVIEW; Integer
RateLimitNEAR_LIMIT_RATIO0.8Requires AES_RATELIMIT_PREVIEW; Float; [Go strconv.ParseFloat][]
Developer PortalDEVPORTAL_CONTENT_URLhttps://github.com/datawire/devportal-contentgit-remote URL
Developer PortalDEVPORTAL_CONTENT_DIR/Rooted Git directory
Developer PortalDEVPORTAL_CONTENT_BRANCHmasterGit branch name
Developer PortalPOLL_EVERY_SECS60Integer
EnvoySTATSD_ENABLEDfalseBoolean; Python value.lower() == "true"
EnvoyDOGSTATSDfalseBoolean; Python value.lower() == "true"
EnvoyDD_ENTITY_IDEmptyString
EnvoyENVOY_CONCURRENCYEmptyInteger

Log level names are case-insensitive. From least verbose to most verbose, valid log levels are error, warn/warning, info, debug, and trace.

Port assignments

Ambassador Edge Stack uses the following ports to listen for HTTP/HTTPS traffic automatically via TCP:

PortProcessFunction
8001envoyInternal stats, logging, etc.; not exposed outside pod
8002wattInternal watt snapshot access; not exposed outside pod
8003ambexInternal ambex snapshot access; not exposed outside pod
8004diagdInternal diagd access when AMBASSADOR_FAST_RECONFIGURE is set; not exposed outside pod
8005snapshotExposes a scrubbed Ambassador Edge Stack snapshot outside of the pod
8080envoyDefault HTTP service port
8443envoyDefault HTTPS service port
8877diagdDirect access to diagnostics UI; provided by busyambassador entrypoint when AMBASSADOR_FAST_RECONFIGURE is set

  1. This may change in a future release to reflect the Pods's namespace if deployed to a namespace other than default. https://github.com/emissary-ingress/emissary/issues/1583