Docs
Edge Stack1.14The Ambassador Edge Stack container
6 min • read
The Ambassador Edge Stack container
To give you flexibility and independence from a hosting platform's uptime, you can pull the ambassador and aes images from any of the following registries:
docker.io/datawire/- Note: In rare occasions, you may experience rate limits when using Docker Hub. See this page to learn how to deal with them.
quay.io/datawire/gcr.io/datawire/
For an even more robust installation, consider using a local registry as a pull through cache or configure a publicly accessible mirror.
Environment variables
Use the following variables for the environment of your Ambassador Edge Stack container:
| Purpose | Variable | Default value | Value type |
|---|---|---|---|
| Core | AMBASSADOR_ID | default | Plain string |
| Core | AMBASSADOR_NAMESPACE | default (1) | Kubernetes namespace |
| Core | AMBASSADOR_SINGLE_NAMESPACE | Empty | Boolean; non-empty=true, empty=false |
| Core | AMBASSADOR_ENVOY_BASE_ID | 0 | Integer |
| Core | AMBASSADOR_LEGACY_MODE | false | Boolean; Go strconv.ParseBool |
| Core | AMBASSADOR_FAST_RECONFIGURE | false | EXPERIMENTAL -- Boolean; true=true, any other value=false |
| Core | AMBASSADOR_ENVOY_API_VERSION | V2 | String Enum; V3 or V2 |
| Core | AMBASSADOR_UPDATE_MAPPING_STATUS | false | Boolean; true=true, any other value=false |
| Core | AMBASSADOR_DISABLE_SNAPSHOT_SERVER | false | Boolean; non-empty=true, empty=false |
| Core | AMBASSADOR_JSON_LOGGING | false | Boolean; non-empty=true, empty=false |
| Core | AMBASSADOR_AMBEX_SNAPSHOT_COUNT | 30 | Integer; 0 value disables ambex snapshots |
| Core | AMBASSADOR_AMBEX_NO_RATELIMIT | false | Boolean; set to true to turn disable ratelimiting Envoy reconfiguration |
| Ambassador Edge Stack | AES_LOG_LEVEL | warn | Log level |
| Ambassador Edge Stack | AES_RATELIMIT_PREVIEW | false | Boolean; Go strconv.ParseBool |
| Ambassador Edge Stack | AES_AUTH_TIMEOUT | 4s | Duration; Go time.ParseDuration |
| Primary Redis (L4) | REDIS_SOCKET_TYPE | tcp | Go network such as tcp or unix; see Go net.Dial |
| Primary Redis (L4) | REDIS_URL | None, must be set explicitly | Go network address; for TCP this is a host:port pair; see Go net.Dial |
| Primary Redis (L4) | REDIS_TLS_ENABLED | false | Boolean; Go strconv.ParseBool |
| Primary Redis (L4) | REDIS_TLS_INSECURE | false | Boolean; Go strconv.ParseBool |
| Primary Redis (auth) | REDIS_USERNAME | Empty | Plain string |
| Primary Redis (auth) | REDIS_PASSWORD | Empty | Plain string |
| Primary Redis (auth) | REDIS_AUTH | Empty | Requires AES_RATELIMIT_PREVIEW; Plain string |
| Primary Redis (tune) | REDIS_POOL_SIZE | 10 | Integer |
| Primary Redis (tune) | REDIS_PING_INTERVAL | 10s | Duration; Go time.ParseDuration |
| Primary Redis (tune) | REDIS_TIMEOUT | 0s | Duration; Go time.ParseDuration |
| Primary Redis (tune) | REDIS_SURGE_LIMIT_INTERVAL | 0s | Duration; Go time.ParseDuration |
| Primary Redis (tune) | REDIS_SURGE_LIMIT_AFTER | The value of REDIS_POOL_SIZE | Integer |
| Primary Redis (tune) | REDIS_SURGE_POOL_SIZE | 0 | Integer |
| Primary Redis (tune) | REDIS_SURGE_POOL_DRAIN_INTERVAL | 1m | Duration; Go time.ParseDuration |
| Primary Redis (tune) | REDIS_PIPELINE_WINDOW | 0 | Requires AES_RATELIMIT_PREVIEW; Duration; Go time.ParseDuration |
| Primary Redis (tune) | REDIS_PIPELINE_LIMIT | 0 | Requires AES_RATELIMIT_PREVIEW; Integer; [Go strconv.ParseInt][] |
| Primary Redis (tune) | REDIS_TYPE | SINGLE | Requires AES_RATELIMIT_PREVIEW; String; SINGLE, SENTINEL, or CLUSTER |
| Per-Second RateLimit Redis | REDIS_PERSECOND | false | Boolean; Go strconv.ParseBool |
| Per-Second RateLimit Redis (L4) | REDIS_PERSECOND_SOCKET_TYPE | None, must be set explicitly (if REDIS_PERSECOND) | Go network such as tcp or unix; see Go net.Dial |
| Per-Second RateLimit Redis (L4) | REDIS_PERSECOND_URL | None, must be set explicitly (if REDIS_PERSECOND) | Go network address; for TCP this is a host:port pair; see Go net.Dial |
| Per-Second RateLimit Redis (L4) | REDIS_PERSECOND_TLS_ENABLED | false | Boolean; Go strconv.ParseBool |
| Per-Second RateLimit Redis (L4) | REDIS_PERSECOND_TLS_INSECURE | false | Boolean; Go strconv.ParseBool |
| Per-Second RateLimit Redis (auth) | REDIS_PERSECOND_USERNAME | Empty | Plain string |
| Per-Second RateLimit Redis (auth) | REDIS_PERSECOND_PASSWORD | Empty | Plain string |
| Per-Second RateLimit Redis (auth) | REDIS_PERSECOND_AUTH | Empty | Requires AES_RATELIMIT_PREVIEW; Plain string |
| Per-Second RateLimit Redis (tune) | REDIS_PERSECOND_POOL_SIZE | 10 | Integer |
| Per-Second RateLimit Redis (tune) | REDIS_PERSECOND_PING_INTERVAL | 10s | Duration; Go time.ParseDuration |
| Per-Second RateLimit Redis (tune) | REDIS_PERSECOND_TIMEOUT | 0s | Duration; Go time.ParseDuration |
| Per-Second RateLimit Redis (tune) | REDIS_PERSECOND_SURGE_LIMIT_INTERVAL | 0s | Duration; Go time.ParseDuration |
| Per-Second RateLimit Redis (tune) | REDIS_PERSECOND_SURGE_LIMIT_AFTER | The value of REDIS_PERSECOND_POOL_SIZE | Integer |
| Per-Second RateLimit Redis (tune) | REDIS_PERSECOND_SURGE_POOL_SIZE | 0 | Integer |
| Per-Second RateLimit Redis (tune) | REDIS_PERSECOND_SURGE_POOL_DRAIN_INTERVAL | 1m | Duration; Go time.ParseDuration |
| Per-Second RateLimit Redis (tune) | REDIS_PERSECOND_TYPE | SINGLE | Requires AES_RATELIMIT_PREVIEW; String; SINGLE, SENTINEL, or CLUSTER |
| Per-Second RateLimit Redis (tune) | REDIS_PERSECOND_PIPELINE_WINDOW | 0 | Requires AES_RATELIMIT_PREVIEW; Duration; Go time.ParseDuration |
| Per-Second RateLimit Redis (tune) | REDIS_PERSECOND_PIPELINE_LIMIT | 0 | Requires AES_RATELIMIT_PREVIEW; Integer |
| RateLimit | EXPIRATION_JITTER_MAX_SECONDS | 300 | Integer |
| RateLimit | USE_STATSD | false | Boolean; Go strconv.ParseBool |
| RateLimit | STATSD_HOST | localhost | Hostname |
| RateLimit | STATSD_PORT | 8125 | Integer |
| RateLimit | GOSTATS_FLUSH_INTERVAL_SECONDS | 5 | Integer |
| RateLimit | LOCAL_CACHE_SIZE_IN_BYTES | 0 | Requires AES_RATELIMIT_PREVIEW; Integer |
| RateLimit | NEAR_LIMIT_RATIO | 0.8 | Requires AES_RATELIMIT_PREVIEW; Float; [Go strconv.ParseFloat][] |
| Developer Portal | DEVPORTAL_CONTENT_URL | https://github.com/datawire/devportal-content | git-remote URL |
| Developer Portal | DEVPORTAL_CONTENT_DIR | / | Rooted Git directory |
| Developer Portal | DEVPORTAL_CONTENT_BRANCH | master | Git branch name |
| Developer Portal | POLL_EVERY_SECS | 60 | Integer |
| Envoy | STATSD_ENABLED | false | Boolean; Python value.lower() == "true" |
| Envoy | DOGSTATSD | false | Boolean; Python value.lower() == "true" |
| Envoy | DD_ENTITY_ID | Empty | String |
| Envoy | ENVOY_CONCURRENCY | Empty | Integer |
Log level names are case-insensitive. From least verbose to most
verbose, valid log levels are error, warn/warning, info,
debug, and trace.
Port assignments
Ambassador Edge Stack uses the following ports to listen for HTTP/HTTPS traffic automatically via TCP:
| Port | Process | Function |
|---|---|---|
| 8001 | envoy | Internal stats, logging, etc.; not exposed outside pod |
| 8002 | watt | Internal watt snapshot access; not exposed outside pod |
| 8003 | ambex | Internal ambex snapshot access; not exposed outside pod |
| 8004 | diagd | Internal diagd access when AMBASSADOR_FAST_RECONFIGURE is set; not exposed outside pod |
| 8005 | snapshot | Exposes a scrubbed Ambassador Edge Stack snapshot outside of the pod |
| 8080 | envoy | Default HTTP service port |
| 8443 | envoy | Default HTTPS service port |
| 8877 | diagd | Direct access to diagnostics UI; provided by busyambassador entrypoint when AMBASSADOR_FAST_RECONFIGURE is set |
- This may change in a future release to reflect the Pods's
namespace if deployed to a namespace other than
default. https://github.com/emissary-ingress/emissary/issues/1583↩
ON THIS PAGE