# Ambassador Edge Stack Environment variables (Edge Stack 3.4)
Use the following variables for the environment of your Ambassador Edge Stack container:
## Feature Flag Environment Variables
Variable | Default value | Value type |
---|---|---|
`AMBASSADOR_EDS_BYPASS` | `false` | Boolean; Python `value.lower() == "true"` |
`AMBASSADOR_FORCE_SECRET_VALIDATION` | `false` | Boolean; `true` = true, any other value = false |
`AMBASSADOR_KNATIVE_SUPPORT` | `false` | Boolean; non-empty = true, empty = false |
`AMBASSADOR_UPDATE_MAPPING_STATUS` | `false` | Boolean; `true` = true, any other value = false |
`ENVOY_CONCURRENCY` | Empty | Integer |
`DISABLE_STRICT_LABEL_SELECTORS` | `false` | Boolean; `true` = true, any other value = false |
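The three "Boolean" columns in the table above are three different parsers, and they do not agree with each other: `AMBASSADOR_KNATIVE_SUPPORT=false` turns Knative support *on* (non-empty), while `AMBASSADOR_FORCE_SECRET_VALIDATION=TRUE` leaves secret validation *off* (only the exact string `true` counts). The following is an added example, not code from Ambassador Edge Stack or Emissary; it implements the three rules exactly as the table states them and lints an env block for values that read one way but parse the other. The helper names and the sample env block are constructed for the example.

```python
"""Added example (not Ambassador/Emissary code): the three boolean parsing
rules from the feature-flag table, plus a linter for values that an operator
probably did not mean. The rules are the table's; the names are mine."""

from typing import Callable, Dict, Mapping, Optional


def python_lower_true(value: Optional[str]) -> bool:
    """Rule for AMBASSADOR_EDS_BYPASS: Python value.lower() == "true"."""
    return value is not None and value.lower() == "true"


def exact_true(value: Optional[str]) -> bool:
    """Rule for AMBASSADOR_FORCE_SECRET_VALIDATION, AMBASSADOR_UPDATE_MAPPING_STATUS
    and DISABLE_STRICT_LABEL_SELECTORS: the literal "true" is true, anything
    else (including "TRUE" and "1") is false."""
    return value == "true"


def non_empty(value: Optional[str]) -> bool:
    """Rule for AMBASSADOR_KNATIVE_SUPPORT: any non-empty value is true, so the
    string "false" still turns the feature on."""
    return bool(value)


# Which parser applies to which flag, per the table on this page.
FLAG_PARSERS: Dict[str, Callable[[Optional[str]], bool]] = {
    "AMBASSADOR_EDS_BYPASS": python_lower_true,
    "AMBASSADOR_FORCE_SECRET_VALIDATION": exact_true,
    "AMBASSADOR_KNATIVE_SUPPORT": non_empty,
    "AMBASSADOR_UPDATE_MAPPING_STATUS": exact_true,
    "DISABLE_STRICT_LABEL_SELECTORS": exact_true,
}


def effective_flags(env: Mapping[str, str]) -> Dict[str, bool]:
    """Effective boolean value of every feature flag for an env mapping
    (for example the env: block of a Deployment). Unset flags are False."""
    return {name: parse(env.get(name)) for name, parse in FLAG_PARSERS.items()}


def surprising_settings(env: Mapping[str, str]) -> Dict[str, str]:
    """Values that read as 'off' but parse as true, or read as 'on' but parse
    as false. Returns flag name -> explanation."""
    looks_off = {"false", "0", "no", "off"}
    looks_on = {"true", "1", "yes", "on"}
    found: Dict[str, str] = {}
    for name, parse in FLAG_PARSERS.items():
        raw = env.get(name)
        if raw is None:
            continue
        word = raw.strip().lower()
        effective = parse(raw)
        if effective and word in looks_off:
            found[name] = f"{raw!r} is treated as TRUE (non-empty rule)"
        elif not effective and word in looks_on:
            found[name] = f"{raw!r} is treated as FALSE (exact 'true' required)"
    return found


# Constructed sample env block; not taken from any real deployment.
SAMPLE_ENV: Dict[str, str] = {
    "AMBASSADOR_EDS_BYPASS": "TRUE",               # fine: lower() == "true"
    "AMBASSADOR_FORCE_SECRET_VALIDATION": "TRUE",  # silently off
    "AMBASSADOR_KNATIVE_SUPPORT": "false",         # silently ON
    "DISABLE_STRICT_LABEL_SELECTORS": "1",         # silently off (good here)
}

if __name__ == "__main__":
    for flag, value in effective_flags(SAMPLE_ENV).items():
        print(f"{flag:38} -> {value}")
    for flag, why in surprising_settings(SAMPLE_ENV).items():
        print(f"WARNING {flag}: {why}")
```

Run it on the env block of your own Deployment before relying on any of these flags; the two that matter for security posture (`AMBASSADOR_FORCE_SECRET_VALIDATION` and `DISABLE_STRICT_LABEL_SELECTORS`) both use the exact-string rule.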
### AMBASSADOR_ID
Ambassador Edge Stack supports running multiple installs in the same cluster without restricting a given instance of Ambassador Edge Stack to a single namespace. The resources that are visible to an installation can be limited with the `AMBASSADOR_ID` environment variable.
### AES_LOG_LEVEL
Adjust the log level by setting the `AES_LOG_LEVEL` environment variable; from least verbose to most verbose, the valid values are `error`, `warn`/`warning`, `info`, `debug`, and `trace`. The default is `info`. Log level names are case-insensitive.
### AGENT_CONFIG_RESOURCE_NAME
Allows overriding the default config map/secret that is used for extracting the CloudToken for connecting with Ambassador Cloud. It allows all components (and not only the Ambassador Agent) to authenticate requests to Ambassador Cloud. If unset, it will fall back to searching for a config map or secret with the name `ambassador-agent-cloud-token`. Note: the secret takes precedence if both a secret and a config map are set.
### AMBASSADOR_AMBEX_NO_RATELIMIT
Completely disables rate limiting of Envoy reconfiguration under memory pressure. This can help performance with the endpoint or Consul resolvers, but could make OOM kills more likely with large configurations. The default is `false`, meaning that the rate limiter is active.
### AMBASSADOR_AMBEX_SNAPSHOT_COUNT
Envoy-configuration snapshots get saved (as `ambex-#.json`) in `/ambassador/snapshots`. The number of snapshots is controlled by the `AMBASSADOR_AMBEX_SNAPSHOT_COUNT` environment variable. Set it to 0 to disable.
### AMBASSADOR_CLUSTER_ID
Each Ambassador Edge Stack installation generates a unique cluster ID based on the UID of its Kubernetes namespace and its Ambassador Edge Stack ID: the resulting cluster ID is a UUID which cannot be used to reveal the namespace name nor the Ambassador Edge Stack ID itself. Ambassador Edge Stack needs RBAC permission to get namespaces for this purpose, as shown in the default YAML files provided by Datawire; if not granted this permission it will generate a UUID based only on the Ambassador Edge Stack ID. To disable cluster ID generation entirely, set the environment variable `AMBASSADOR_CLUSTER_ID` to a UUID that will be used for the cluster ID.
### AMBASSADOR_CONFIG_BASE_DIR
Controls where Ambassador Edge Stack will store snapshots. By default, the latest configuration will be in `/ambassador/snapshots`. If you have overridden it, Ambassador Edge Stack saves configurations in `$AMBASSADOR_CONFIG_BASE_DIR/snapshots`.
### AMBASSADOR_DISABLE_FEATURES
To completely disable feature reporting, set the environment variable `AMBASSADOR_DISABLE_FEATURES` to any non-empty value.
### AMBASSADOR_DRAIN_TIME
At each reconfiguration, Ambassador Edge Stack keeps around the old version of its Envoy config for the duration of the configured drain time. The `AMBASSADOR_DRAIN_TIME` variable controls how much of a grace period Ambassador Edge Stack provides active clients when reconfiguration happens. Its unit is seconds and it defaults to 600 (10 minutes). This can impact memory usage because Ambassador Edge Stack needs to keep around old versions of its configuration for the duration of the drain time.
### AMBASSADOR_ENVOY_API_VERSION
By default, Ambassador Edge Stack will configure Envoy using the V3 Envoy API. In Ambassador Edge Stack 2.0, you were able to switch back to Envoy V2 by setting the `AMBASSADOR_ENVOY_API_VERSION` environment variable to `"V2"`. Ambassador Edge Stack 3.0 has removed support for the V2 API and only the V3 API is used. While this variable cannot be set to another value in 3.0, it may be used when introducing new API versions that are not yet available in Ambassador Edge Stack, such as V4.
### AMBASSADOR_GRPC_METRICS_SINK
Configures Ambassador Edge Stack (Envoy) to send metrics to the Agent, which are then relayed to the Cloud. If not set, we don't configure Envoy to send metrics to the Agent. If set with a bad `address:port`, we log an error message. In either scenario, it just stops metrics from being sent to the Agent, which has no negative effect on general routing or Ambassador Edge Stack uptime.
### AMBASSADOR_HEALTHCHECK_BIND_ADDRESS
Configures Ambassador Edge Stack to bind its health check server to the provided address. If not set, Ambassador Edge Stack will bind to all addresses (`0.0.0.0`).
### AMBASSADOR_HEALTHCHECK_BIND_PORT
Configures Ambassador Edge Stack to bind its health check server to the provided port. If not set, Ambassador Edge Stack will listen on the admin port (`8877`).
### AMBASSADOR_HEALTHCHECK_IP_FAMILY
Allows the IP family used by the health check server to be overridden. By default, the health check server will listen on both IPv4 and IPv6 addresses. In some clusters you may want to force `IPV4_ONLY` or `IPV6_ONLY`.
### AMBASSADOR_ISTIO_SECRET_DIR
Ambassador Edge Stack will read the mTLS certificates from `/etc/istio-certs` unless configured to use a different directory with the `AMBASSADOR_ISTIO_SECRET_DIR` environment variable, and will create a secret in that location named `istio-certs`.
### AMBASSADOR_JSON_LOGGING
When `AMBASSADOR_JSON_LOGGING` is set to `true`, JSON format will be used for most of the control plane logs. Some (but few) logs from `gunicorn` and the Kubernetes `client-go` package will still be in text-only format.
### AMBASSADOR_LABEL_SELECTOR
Restricts Ambassador Edge Stack's configuration to only the labelled resources. For example, you could apply a `version-two: true` label to all resources that should be visible to Ambassador Edge Stack, then set `AMBASSADOR_LABEL_SELECTOR=version-two=true` in its Deployment. Resources without the specified label will be ignored.
### AMBASSADOR_NAMESPACE
Controls namespace configuration for Ambassador.
### AMBASSADOR_RECONFIG_MAX_DELAY
Controls up to how long Ambassador will wait to receive changes before doing an Envoy reconfiguration. The unit is seconds and the value must be > 0.
### AMBASSADOR_SINGLE_NAMESPACE
When set, configures Ambassador Edge Stack to only work within a single namespace.
### AMBASSADOR_SNAPSHOT_COUNT
The number of snapshots that Ambassador Edge Stack should save.
### AMBASSADOR_VERIFY_SSL_FALSE
By default, Ambassador Edge Stack will verify the TLS certificates provided by the Kubernetes API. In some situations, the cluster may be deployed with self-signed certificates. In this case, set `AMBASSADOR_VERIFY_SSL_FALSE` to `true` to disable verifying the TLS certificates.
### DD_ENTITY_ID
Ambassador Edge Stack supports setting the `dd.internal.entity_id` statistics tag using the `DD_ENTITY_ID` environment variable. If this value is set, statistics will be tagged with the value of the environment variable. Otherwise, this statistics tag will be omitted (the default).
### DOGSTATSD
If you are a user of the Datadog monitoring system, pulling in the Envoy statistics from Ambassador Edge Stack is very easy. Because the DogStatsD protocol is slightly different than the normal StatsD protocol, in addition to setting Ambassador Edge Stack's `STATSD_ENABLED=true` environment variable, you also need to set the `DOGSTATSD=true` environment variable.
### SCOUT_DISABLE
Ambassador Edge Stack integrates Scout, a service that periodically checks with Datawire servers to advise of available updates. Scout also sends anonymized usage data and the Ambassador Edge Stack version. This information is important to us as we prioritize test coverage, bug fixes, and feature development. Note that Ambassador Edge Stack will run regardless of the status of Scout.
We do not recommend you disable Scout, since we use this mechanism to notify users of new releases (including critical fixes and security issues). This check can be disabled by setting the environment variable `SCOUT_DISABLE` to `1` in your Ambassador Edge Stack deployment.
### STATSD_ENABLED
If enabled, then Ambassador Edge Stack has Envoy expose metrics information via the ubiquitous and well-tested StatsD protocol. To enable this, you will simply need to set the environment variable `STATSD_ENABLED=true` in Ambassador Edge Stack's deployment YAML.
### STATSD_HOST
When StatsD reporting is enabled, Ambassador Edge Stack by default sends statistics to a Kubernetes service named `statsd-sink` on UDP port 8125 (the usual port of the StatsD protocol). You may instead tell Ambassador Edge Stack to send the statistics to a different StatsD server by setting the `STATSD_HOST` environment variable. This can be useful if you have an existing StatsD sink available in your cluster.
### STATSD_PORT
Allows for configuring StatsD on a port other than the default (8125).
### STATSD_FLUSH_INTERVAL
How often, in seconds, to submit StatsD reports (if `STATSD_ENABLED`).
### _AMBASSADOR_ID
Used with the Ambassador Consul connector. Sets the Ambassador ID so multiple instances of this integration can run per cluster when there are multiple Ambassador Edge Stacks (required if `AMBASSADOR_ID` is set in your Ambassador Edge Stack Deployment).
### _AMBASSADOR_TLS_SECRET_NAME
Used with the Ambassador Consul connector. Sets the name of the Kubernetes `v1.Secret` created by this program that contains the Consul-generated TLS certificate.
### _AMBASSADOR_TLS_SECRET_NAMESPACE
Used with the Ambassador Consul connector. Sets the namespace of the Kubernetes `v1.Secret` created by this program.
### _CONSUL_HOST
Used with the Ambassador Consul connector. Sets the IP or DNS name of the target Consul HTTP API server.
### _CONSUL_PORT
Used with the Ambassador Consul connector. Sets the port number of the target Consul HTTP API server.
### AMBASSADOR_DISABLE_SNAPSHOT_SERVER
Disables the built-in snapshot server.
### AMBASSADOR_ENVOY_BASE_ID
Base ID of the Envoy process.
### AES_RATELIMIT_PREVIEW
Enables support for Redis clustering, local caching, and an upgraded Redis client with improved scalability in preview mode.
### AES_AUTH_TIMEOUT
Configures the default timeout in the authentication extension.
### REDIS_SOCKET_TYPE
Redis currently supports three different deployment methods. Ambassador Edge Stack can now support using a Redis deployed in any of these ways for rate limiting when `AES_RATELIMIT_PREVIEW=true`.
### REDIS_URL
The URL to dial to talk to Redis. This will be either a `hostname:port` pair or a comma-separated list of `hostname:port` pairs depending on the `REDIS_TYPE` you are using.
### REDIS_TLS_ENABLED
Specifies whether to use TLS when talking to Redis.
### REDIS_TLS_INSECURE
Specifies whether to skip certificate verification when using TLS to talk to Redis.
### REDIS_USERNAME
`REDIS_USERNAME` and `REDIS_PASSWORD` handle all Redis authentication that is separate from Rate Limit Preview, so failing to set them when using `REDIS_AUTH` will result in Ambassador not being able to authenticate with Redis for all of its other functionality.
### REDIS_PASSWORD
`REDIS_USERNAME` and `REDIS_PASSWORD` handle all Redis authentication that is separate from Rate Limit Preview, so failing to set them when using `REDIS_AUTH` will result in Ambassador not being able to authenticate with Redis for all of its other functionality.
### REDIS_AUTH
If you configure `REDIS_AUTH`, then `REDIS_USERNAME` cannot be changed from the value `default`, and `REDIS_PASSWORD` should contain the same value as `REDIS_AUTH`.
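Several of the variables documented above change the transport-security posture of the gateway itself (`AMBASSADOR_VERIFY_SSL_FALSE`, `REDIS_TLS_ENABLED`, `REDIS_TLS_INSECURE`) or have a consistency rule that, when broken, leaves Ambassador unable to authenticate to Redis (`REDIS_AUTH` together with `REDIS_USERNAME`/`REDIS_PASSWORD`). The following is an added example, not code from Ambassador Edge Stack: an audit of one container's `env` block that reports those conditions, for the normal pool and, when `REDIS_PERSECOND` is on, for the `REDIS_PERSECOND_*` pool. It assumes the `REDIS_*` booleans accept `true`/`false` case-insensitively (the page does not spell out their parser), and the manifest fragment is constructed for the example; the secret names and hostnames in it are placeholders.

```python
"""Added example (not Ambassador Edge Stack code): audit a Deployment
container's env block for the settings this page documents as disabling
TLS verification or breaking Redis authentication."""

from typing import Dict, List, Optional

EnvMap = Dict[str, Optional[str]]  # name -> value, or None when set via valueFrom


def is_true(value: Optional[str]) -> bool:
    # Assumption: "true"/"false", case-insensitive; the page does not give
    # the exact parser for the REDIS_* booleans.
    return value is not None and value.strip().lower() == "true"


def env_from_container(container: dict) -> EnvMap:
    """Flatten the env list. An entry that uses valueFrom (e.g. a secretKeyRef)
    is recorded as None: it is set, but its value is not visible in the manifest."""
    return {entry["name"]: entry.get("value") for entry in container.get("env", [])}


def audit_redis_pool(env: EnvMap, prefix: str) -> List[str]:
    """Check one Redis pool; prefix is "REDIS_" or "REDIS_PERSECOND_"."""
    findings: List[str] = []
    tls = env.get(prefix + "TLS_ENABLED")
    if prefix + "AUTH" in env:
        if not is_true(tls):
            findings.append(f"{prefix}AUTH is set but {prefix}TLS_ENABLED is not true: "
                            "the Redis password crosses the network in clear text")
        user = env.get(prefix + "USERNAME")
        if prefix + "USERNAME" in env and user is not None and user != "default":
            findings.append(f"{prefix}USERNAME must stay 'default' when {prefix}AUTH is set")
        if prefix + "PASSWORD" not in env:
            findings.append(f"{prefix}PASSWORD is unset: set it to the same value as "
                            f"{prefix}AUTH or the non-rate-limit Redis uses cannot authenticate")
        else:
            pw, auth = env[prefix + "PASSWORD"], env[prefix + "AUTH"]
            if pw is not None and auth is not None and pw != auth:
                findings.append(f"{prefix}PASSWORD differs from {prefix}AUTH")
    if is_true(tls) and is_true(env.get(prefix + "TLS_INSECURE")):
        findings.append(f"{prefix}TLS_INSECURE=true skips Redis certificate verification")
    return findings


def audit_container(container: dict) -> List[str]:
    """All findings for one container spec, in a stable order."""
    env = env_from_container(container)
    findings: List[str] = []
    if is_true(env.get("AMBASSADOR_VERIFY_SSL_FALSE")):
        findings.append("AMBASSADOR_VERIFY_SSL_FALSE=true disables verification of "
                        "the Kubernetes API server certificate")
    findings += audit_redis_pool(env, "REDIS_")
    if is_true(env.get("REDIS_PERSECOND")):
        findings += audit_redis_pool(env, "REDIS_PERSECOND_")
    return findings


# Constructed manifest fragment; names and hosts are placeholders.
_SECRET_REF = {"secretKeyRef": {"name": "redis-creds-PLACEHOLDER", "key": "password"}}
SAMPLE_CONTAINER = {
    "name": "aes",
    "env": [
        {"name": "AMBASSADOR_VERIFY_SSL_FALSE", "value": "true"},
        {"name": "AES_RATELIMIT_PREVIEW", "value": "true"},
        {"name": "REDIS_URL", "value": "redis.example.internal:6379"},
        {"name": "REDIS_TLS_ENABLED", "value": "true"},
        {"name": "REDIS_TLS_INSECURE", "value": "true"},
        {"name": "REDIS_AUTH", "valueFrom": _SECRET_REF},
        {"name": "REDIS_USERNAME", "value": "ratelimit"},
        {"name": "REDIS_PASSWORD", "valueFrom": _SECRET_REF},
        {"name": "REDIS_PERSECOND", "value": "true"},
        {"name": "REDIS_PERSECOND_URL", "value": "redis-persecond.example.internal:6379"},
        {"name": "REDIS_PERSECOND_AUTH", "valueFrom": _SECRET_REF},
    ],
}

if __name__ == "__main__":
    for finding in audit_container(SAMPLE_CONTAINER):
        print("-", finding)
```

Passwords supplied through `valueFrom` cannot be compared by a manifest audit, so the equality rule between `REDIS_PASSWORD` and `REDIS_AUTH` is only checked when both are literal values; pointing both at the same Secret key, as the sample does, satisfies the rule by construction.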
### REDIS_POOL_SIZE
The number of connections to keep around when idle. The total number of connections may go lower than this if there are errors. The total number of connections may go higher than this during a load surge.
### REDIS_PING_INTERVAL
The rate at which Ambassador will ping the idle connections in the normal pool (not extra connections created for a load surge).
### REDIS_TIMEOUT
Sets 4 different timeouts:
- `(*net.Dialer).Timeout` for establishing connections
- `(*redis.Client).ReadTimeout` for reading a single complete response
- `(*redis.Client).WriteTimeout` for writing a single complete request
- The timeout when waiting for a connection to become available from the pool (not including the dial time, which is timed out separately)

A value of `"0"` means "no timeout".
### REDIS_SURGE_LIMIT_INTERVAL
During a load surge, if the pool is depleted, then Ambassador may create new connections to Redis in order to fulfill demand, at a maximum rate of one new connection per `REDIS_SURGE_LIMIT_INTERVAL`.
### REDIS_SURGE_LIMIT_AFTER
The number of connections that can be created after the normal pool is depleted before `REDIS_SURGE_LIMIT_INTERVAL` kicks in.
### REDIS_SURGE_POOL_SIZE
Normally during a surge, excess connections beyond `REDIS_POOL_SIZE` are closed immediately after they are done being used, instead of being returned to a pool. `REDIS_SURGE_POOL_SIZE` configures a "reserve" pool for excess connections created during a surge.
### REDIS_SURGE_POOL_DRAIN_INTERVAL
How quickly to drain connections from the surge pool after a surge is over.
### REDIS_PIPELINE_WINDOW
The duration after which internal pipelines will be flushed.
### REDIS_PIPELINE_LIMIT
The maximum number of commands that can be pipelined before flushing.
### REDIS_TYPE
Redis currently supports three different deployment methods. Ambassador Edge Stack can now support using a Redis deployed in any of these ways for rate limiting when `AES_RATELIMIT_PREVIEW=true`.
### REDIS_PERSECOND
If true, a second Redis connection pool is created (to a potentially different Redis instance) that is only used for per-second RateLimits; this second connection pool is configured by the `REDIS_PERSECOND_*` variables rather than the usual `REDIS_*` variables.
### REDIS_PERSECOND_SOCKET_TYPE
Configures the `REDIS_SOCKET_TYPE` for the second `REDIS_PERSECOND` connection pool.
### REDIS_PERSECOND_URL
Configures the `REDIS_URL` for the second `REDIS_PERSECOND` connection pool.
### REDIS_PERSECOND_TLS_ENABLED
Configures `REDIS_TLS_ENABLED` for the second `REDIS_PERSECOND` connection pool.
### REDIS_PERSECOND_TLS_INSECURE
Configures `REDIS_TLS_INSECURE` for the second `REDIS_PERSECOND` connection pool.
### REDIS_PERSECOND_USERNAME
Configures the `REDIS_USERNAME` for the second `REDIS_PERSECOND` connection pool.
### REDIS_PERSECOND_PASSWORD
Configures the `REDIS_PASSWORD` for the second `REDIS_PERSECOND` connection pool.
### REDIS_PERSECOND_AUTH
Configures `REDIS_AUTH` for the second `REDIS_PERSECOND` connection pool.
### REDIS_PERSECOND_POOL_SIZE
Configures the `REDIS_POOL_SIZE` for the second `REDIS_PERSECOND` connection pool.
### REDIS_PERSECOND_PING_INTERVAL
Configures the `REDIS_PING_INTERVAL` for the second `REDIS_PERSECOND` connection pool.
### REDIS_PERSECOND_TIMEOUT
Configures the `REDIS_TIMEOUT` for the second `REDIS_PERSECOND` connection pool.
### REDIS_PERSECOND_SURGE_LIMIT_INTERVAL
Configures the `REDIS_SURGE_LIMIT_INTERVAL` for the second `REDIS_PERSECOND` connection pool.
### REDIS_PERSECOND_SURGE_LIMIT_AFTER
Configures `REDIS_SURGE_LIMIT_AFTER` for the second `REDIS_PERSECOND` connection pool.
### REDIS_PERSECOND_SURGE_POOL_SIZE
Configures the `REDIS_SURGE_POOL_SIZE` for the second `REDIS_PERSECOND` connection pool.
### REDIS_PERSECOND_SURGE_POOL_DRAIN_INTERVAL
Configures the `REDIS_SURGE_POOL_DRAIN_INTERVAL` for the second `REDIS_PERSECOND` connection pool.
### REDIS_PERSECOND_TYPE
Configures the `REDIS_TYPE` for the second `REDIS_PERSECOND` connection pool.
### REDIS_PERSECOND_PIPELINE_WINDOW
Configures the `REDIS_PIPELINE_WINDOW` for the second `REDIS_PERSECOND` connection pool.
### REDIS_PERSECOND_PIPELINE_LIMIT
Configures the `REDIS_PIPELINE_LIMIT` for the second `REDIS_PERSECOND` connection pool.
### EXPIRATION_JITTER_MAX_SECONDS
### USE_STATSD
The `RateLimitService` reports to StatsD, and attempts to do so by default (`USE_STATSD`, `STATSD_HOST`, `STATSD_PORT`, `GOSTATS_FLUSH_INTERVAL_SECONDS`).
### GOSTATS_FLUSH_INTERVAL_SECONDS
Configures the flush interval in seconds for the Go statistics.
### LOCAL_CACHE_SIZE_IN_BYTES
Only available if `AES_RATELIMIT_PREVIEW: "true"`. The AES rate limit extension can optionally cache over-the-limit keys so it does not need to read the Redis cache again for requests with labels that are already over the limit. Setting `LOCAL_CACHE_SIZE_IN_BYTES` to a non-zero value will enable local caching.
### NEAR_LIMIT_RATIO
Only available if `AES_RATELIMIT_PREVIEW: "true"`. Adjusts the ratio used by the `near_limit` statistic for tracking requests that are "near the limit". Defaults to `0.8` (80%) of the limit defined in the `RateLimit` rule.
### DEVPORTAL_CONTENT_URL
Default URL to the repository hosting the content for the Portal.
### DEVPORTAL_CONTENT_DIR
Default content subdirectory within the `DEVPORTAL_CONTENT_URL` where the devportal content is located (defaults to `/`).
### DEVPORTAL_CONTENT_BRANCH
Default content branch within the repo at `DEVPORTAL_CONTENT_URL` to use for the devportal content (defaults to `master`).
### DEVPORTAL_DOCS_BASE_PATH
Base path for each API doc (defaults to `/doc/`).
### POLL_EVERY_SECS
Interval for polling OpenAPI docs; default 60 seconds. Set to 0 to disable devportal polling.
### AES_ACME_LEADER_DISABLE
This prevents Ambassador Edge Stack from trying to manage ACME. When enabled, `Host` resources will be unable to use ACME to manage their TLS secrets regardless of the config on the `Host` resource.
### AES_REPORT_DIAGNOSTICS_TO_CLOUD
By setting `AES_REPORT_DIAGNOSTICS_TO_CLOUD` to `false`, you can disable the feature where diagnostic information about your installation of Ambassador Edge Stack will be sent to Ambassador Cloud. If this variable is disabled, you will be unable to access cluster diagnostic information in the cloud.
### AES_SNAPSHOT_URL
Configures the default endpoint where config snapshots are stored and accessed.
### ENV_AES_SECRET_NAME
Use to override the name of the secret that Ambassador Edge Stack attempts to find licensing information in.
### ENV_AES_SECRET_NAMESPACE
Use to override the namespace of the secret that Ambassador Edge Stack attempts to find licensing information in. By default, Ambassador Edge Stack will look for the secret in the same namespace that Ambassador Edge Stack was installed in.
### AMBASSADOR_EDS_BYPASS
Bypasses EDS handling of endpoints and causes endpoints to be inserted into clusters manually. This can help resolve `503 UH` errors caused by certificate rotation relating to a delay between EDS and CDS.
### AMBASSADOR_FORCE_SECRET_VALIDATION
If you set the `AMBASSADOR_FORCE_SECRET_VALIDATION` environment variable, invalid Secrets will be rejected, and a `Host` or `TLSContext` resource attempting to use an invalid certificate will be disabled entirely.
### AMBASSADOR_KNATIVE_SUPPORT
Enables support for Knative.
### AMBASSADOR_UPDATE_MAPPING_STATUS
If `AMBASSADOR_UPDATE_MAPPING_STATUS` is set to the string `true`, Ambassador Edge Stack will update the `status` of every `Mapping` CRD that it accepts for its configuration. This has no effect on the proper functioning of Ambassador Edge Stack itself, and can be a performance burden on installations with many `Mapping`s. It has no effect for `Mapping`s stored as annotations. The default is `false`. We recommend leaving `AMBASSADOR_UPDATE_MAPPING_STATUS` turned off unless required for external systems.
### ENVOY_CONCURRENCY
Configures the optional `--concurrency` command line option when launching Envoy. This controls the number of worker threads used to serve requests and can be used to fine-tune system resource usage.
### DISABLE_STRICT_LABEL_SELECTORS
In Ambassador Edge Stack version 3.2, a bug with how `Host`s are associated with `Mapping`s, and with how `Listener`s are associated with `Host`s, was fixed. The `mappingSelector`/`selector` fields in `Host`s and `Listener`s were not properly being enforced in prior versions. If any single label from the selector was matched then the resources would be associated with each other, instead of requiring all labels in the selector to be present. Additionally, if the `hostname` of a `Mapping` matched the `hostname` of a `Host` then they would be associated regardless of the configuration of `mappingSelector`/`selector`.
In version 3.2 this bug was fixed, and resources that configure a selector will only be associated if all labels required by the selector are present. This brings the `mappingSelector` and `selector` fields in line with how label selectors are used throughout Kubernetes. To avoid unexpected behavior after the upgrade, add all labels that are configured in any `mappingSelector`/`selector` to the `Mapping`s you want to associate with the `Host`, or the `Host`s you want to be associated with the `Listener`. You can opt out of this fix and return to the old association behavior by setting the environment variable `DISABLE_STRICT_LABEL_SELECTORS` to `"true"` (default: `"false"`). A future version of Ambassador Edge Stack may remove the ability to opt out of this bugfix.
Note: The `mappingSelector` field is only configurable on `v3alpha1` CRDs. In the `v2` CRDs the equivalent field is `selector`. Either `selector` or `mappingSelector` may be configured in the `v3alpha1` CRDs, but `selector` has been deprecated in favour of `mappingSelector`.
See the Host documentation for more information about `Host`/`Mapping` association.
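The practical risk of the legacy behaviour is over-association: a `Mapping` that shares just one label with a public `Host`'s selector, or merely the same `hostname`, gets routed through that `Host`. The following is an added example, not Emissary-ingress code, that implements the two rules exactly as this section states them (strict: every selector label must be present, as with Kubernetes label selectors; legacy, which `DISABLE_STRICT_LABEL_SELECTORS=true` restores: any one matching label, or an equal `hostname`, associates the pair) and lists which `Mapping`s lose their association on upgrade, which is the set the page tells you to relabel beforehand. Only the rules stated on this page are modelled; the `Host`/`Mapping` objects are constructed for the example and use the `v3alpha1` field layout (`spec.mappingSelector.matchLabels`, `spec.hostname`, `metadata.labels`) as an assumption.

```python
"""Added example (not Emissary-ingress code): strict vs legacy Host/Mapping
association as described for DISABLE_STRICT_LABEL_SELECTORS."""

from typing import Dict, List


def selector_matches(selector: Dict[str, str], labels: Dict[str, str], strict: bool) -> bool:
    """Strict: all selector labels must be present with the same value.
    Legacy: a single matching label is enough."""
    if not selector:  # assumption: an empty selector places no label restriction
        return True
    matches = (labels.get(key) == value for key, value in selector.items())
    return all(matches) if strict else any(matches)


def mappings_for_host(host: dict, mappings: List[dict], strict: bool) -> List[str]:
    """Names of the Mappings that would be associated with `host`."""
    selector = host["spec"].get("mappingSelector", {}).get("matchLabels", {})
    associated: List[str] = []
    for mapping in mappings:
        labels = mapping["metadata"].get("labels", {})
        by_selector = selector_matches(selector, labels, strict)
        # Legacy shortcut from the page: equal hostnames associate the pair
        # regardless of the selector. Not applied in strict mode.
        by_hostname = (not strict and
                       mapping["spec"].get("hostname") == host["spec"].get("hostname"))
        if by_selector or by_hostname:
            associated.append(mapping["metadata"]["name"])
    return associated


def lost_on_upgrade(host: dict, mappings: List[dict]) -> List[str]:
    """Mappings associated under the legacy rules that strict matching drops:
    the ones that need the selector's labels added before upgrading."""
    kept = set(mappings_for_host(host, mappings, strict=True))
    return [name for name in mappings_for_host(host, mappings, strict=False) if name not in kept]


# Constructed sample resources (hostnames and names are placeholders).
SAMPLE_HOST = {
    "metadata": {"name": "public-host"},
    "spec": {"hostname": "api.example.com",
             "mappingSelector": {"matchLabels": {"team": "payments", "exposure": "public"}}},
}
SAMPLE_MAPPINGS = [
    {"metadata": {"name": "payments-public", "labels": {"team": "payments", "exposure": "public"}},
     "spec": {"hostname": "api.example.com", "prefix": "/pay/"}},
    # shares one label ("team") with the selector: legacy associates it with the public Host
    {"metadata": {"name": "payments-admin", "labels": {"team": "payments", "exposure": "internal"}},
     "spec": {"hostname": "admin.example.internal", "prefix": "/admin/"}},
    # no label match, but the same hostname: legacy associates it anyway
    {"metadata": {"name": "orders-legacy", "labels": {"team": "orders"}},
     "spec": {"hostname": "api.example.com", "prefix": "/orders/"}},
    {"metadata": {"name": "unrelated", "labels": {"team": "orders", "exposure": "internal"}},
     "spec": {"hostname": "other.example.com", "prefix": "/x/"}},
]

if __name__ == "__main__":
    print("strict (3.2+):  ", mappings_for_host(SAMPLE_HOST, SAMPLE_MAPPINGS, strict=True))
    print("legacy (opt-out):", mappings_for_host(SAMPLE_HOST, SAMPLE_MAPPINGS, strict=False))
    print("relabel before upgrade:", lost_on_upgrade(SAMPLE_HOST, SAMPLE_MAPPINGS))
```

The same `selector_matches` function applies unchanged to `Listener`/`Host` association via the `selector` field, since the page describes the same label rule for both pairs.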
## Port assignments
Ambassador Edge Stack uses the following ports to listen for HTTP/HTTPS traffic automatically via TCP:
Port | Process | Function |
---|---|---|
8001 | envoy | Internal stats, logging, etc.; not exposed outside pod |
8002 | watt | Internal watt snapshot access; not exposed outside pod |
8003 | ambex | Internal ambex snapshot access; not exposed outside pod |
8004 | diagd | Internal diagd access; not exposed outside pod |
8005 | snapshot | Exposes a scrubbed Ambassador Edge Stack snapshot outside of the pod |
8080 | envoy | Default HTTP service port |
8443 | envoy | Default HTTPS service port |
8877 | diagd | Direct access to diagnostics UI; provided by busyambassador entrypoint |
- This may change in a future release to reflect the Pod's namespace if deployed to a namespace other than `default`. https://github.com/emissary-ingress/emissary/issues/1583