Configuration property reference

Introduced in version: 1.3.0

Default value: iloveapis123

Optional

The name of a Kubernetes secret that contains a salt used when computing hashes to obfuscate user data before it is sent to Apigee analytics. If you do not specify a salt value, iloveapis123 is used by default. Create the secret with the salt value as its input. You can use the same salt across multiple clusters to ensure consistent hashing results between the clusters.

Apigee uses SHA512 to hash the original value before sending data from the runtime plane to the control plane.

See: Obfuscate user data for analytics.

Default value: https://apigee.googleapis.com

Defines the API path for all APIs in your installation.

Introduced in version: 1.0.0

Default value: none

Required

ID of your Google Cloud project. Works with k8sClusterName (deprecated) and gcpRegion (deprecated) to identify the project and determine where the apigee-logger and the apigee-metrics push their data.

Introduced in version: 1.0.0

Default value: us-central1

Required

The closet Google Cloud region or zone of your Kubernetes cluster. Works with gcpProjectID (deprecated) and k8sClusterName (deprecated) to identify the project and determine where the apigee-logger and the apigee-metrics push their data.

Default value: None

Helm only: The URL of a private image container repository used to pull images for all apigee components from a private repo.

hub provides a default path for all Apigee hybrid components. If you are using a private repository, use hub to set the repository URL for all components rather than using the individual image.url property for each component. Only configure indivisual URLs if you are using a separate repository for a specific component.

The image path for each individual component will be the value of hub plus the image name and tag for the component.

For example, if the value of hub private-docker-host.example.com, individual components will automatically resolve the image path:

hub: private-docker-host.example.com

as:

## an example of internal component vs 3rd party
containers:
- name: apigee-udca
  image: private-docker-host.example.com/apigee-udca:1.11.2
  imagePullPolicy: IfNotPresent

containers:
- name: apigee-ingressgateway
  image: private-docker-host.example.com/apigee-asm-ingress:1.18.7-asm.26-distroless
  imagePullPolicy: IfNotPresent

The other components will follow a similar pattern.

Use apigee-pull-push --list to see the current repository URL for all components.

See Use a private image repository with Helm.

You can override image URL for components individualy with the following properties:

• ao.image.url
• apigeeIngressGateway.image.url
• cassandra.image.url
• cassandra.auth.image.url
• cassandra.backup.image.url
• cassandra.restore.image.url
• connectAgent.image.url
• ingressGateways[].image.url
• istiod.image.url
• kubeRBACProxy.image.url
• logger.image.url
• mart.image.url
• metrics.adapter.image.url
• metrics.prometheus.image.url
• metrics.sdSidecar.image.url
• mintTaskScheduler.image.url
• redis.image.url
• redis.envoy.image.url
• runtime.image.url
• synchronizer.image.url
• udca.image.url
• udca.fluentd.image.url
• watcher.image.url

Default value: None

Kubernetes secret name configured as docker-registry type; used to pull images from private repo.

Default value: None

Required

A unique identifier for this installation.

A unique string to identify this instance. This can be any combination of letters and numbers up to 63 characters in length.

Introduced in version: 1.0.0

Default value: None

Name of the Kubernetes (K8S) procluster where your hybrid project is running. Works with gcpProjectID (deprecated) and gcpRegion (deprecated) to identify the project and determine where the apigee-logger and the apigee-metrics push their data.

Default value: defaults.org.kmsEncryptionKey

Optional. Use only one of kmsEncryptionKey or kmsEncryptionPath or kmsEncryptionSecret.

Local file system path for the Apigee KMS data's encryption key.

Default value: None

Optional. Use only one of kmsEncryptionKey or kmsEncryptionPath or kmsEncryptionSecret.

The path to a file containing a base64-encoded encryption key. See Data encryption.

Default value: None

Optional. Use only one of kmsEncryptionKey or kmsEncryptionPath or kmsEncryptionSecret.

The key of a Kubernetes secret containing a base64-encoded encryption key. See Data encryption.

Default value: None

Optional. Use only one of kmsEncryptionKey or kmsEncryptionPath or kmsEncryptionSecret.

The name of a Kubernetes secret containing a base64-encoded encryption key. See Data encryption.

Default value: defaults.org.kmsEncryptionKey

Optional. Use only one of kvmEncryptionKey or kvmEncryptionPath or kvmEncryptionSecret.

Local file system path for the Apigee KVM data's encryption key.

Default value: None

Optional. Use only one of kvmEncryptionKey or kvmEncryptionPath or kvmEncryptionSecret.

The path to a file containing a base64-encoded encryption key. See Data encryption.

Default value: None

Optional. Use only one of kvmEncryptionKey or kvmEncryptionPath or kvmEncryptionSecret.

The key of a Kubernetes secret containing a base64-encoded encryption key. See Data encryption.

Default value: None

Optional. Use only one of kvmEncryptionKey or kvmEncryptionPath or kvmEncryptionSecret.

The name of a Kubernetes secret containing a base64-encoded encryption key. See Data encryption.

Default value: false

For multi-org clusters, this property enables the organization's metrics to be exported to the project listed in the gcp.projectID property. Apply this setting in the overrides file for each organization in a multi-org cluster. For more information, see Adding multiple hybrid orgs to a cluster.

Default value: apigee

The namespace of your Kubernetes cluster where the Apigee components will be installed.

Introduced in version: 1.0.0

Default value: None

Required

The hybrid-enabled organization that was provisioned for you by Apigee during the hybrid installation. An organization is the top-level container in Apigee. It contains all your API proxies and related resources. If the value is empty, you must update it with your org name once you have created it.

Default value: true

Enables the Universal Data Collection Agent service (UDCA) at the org level, that extracts analytics, monetization and debug (trace) and sends it to the Unified Analytics Platform (UAP) which resides in the Control Plane.

Org-scoped UDCA uses a single Google service account for all Apigee environments. The service account needs to have the Apigee Analytics Agent (roles/apigee.analyticsAgent) role.

Specify the path to the service account key file with the udca.serviceAccountPath property or provide the key in a Kubernetes secret with the udca.serviceAccountRef property in your overrides.yaml configuration file.

If you prefer to use a separate UDCA agent for each environment, set orgScopedUDCA: false and set the values for envs[].serviceAccountPaths.udca and envs[].serviceAccountSecretRefs.udca.

See also: udca.

Default value: "1112" (Your Apigee hybrid version without periods. For example for version 1.11.0, the default value is "1110".)

Apigee hybrid supports rolling Kubernetes updates, which allow deployment updates to take place with zero downtime by incrementally updating Pod instances with new ones.

When updating certain YAML overrides that result in underlying Kubernetes PodTemplateSpec change, the revision override property must also be changed in the customer's override.yaml. This is required for the underlying Kubernetes ApigeeDeployment (AD) controller to conduct a safe rolling update of from the previous version to the new version. You can use any lowercase text value, eg: blue, a, 1.0.0

When the revision property is changed and applied, a rolling update will occur for all components

Changes to properties of the following objects require an update to revision:

• nodeSelector
• envs
• imagePullSecrets
• gcpProjectID
• k8sClusterName
• contractProvider
• org

For more information, see Rolling updates.

Default value: true

Enables strict validation of the link between the Apigee Org and Google Cloud project and checks for the existence of environment groups.

See also org

Default value: true

Enables strict validation of service account permissions. This uses Cloud Resource Manager API method testIamPermissions to verify that the provided service account has the required permissions. In the case of service accounts for an Apigee Org, the project ID check is the one mapped to the Organization. For Metrics and Logger, the project checked is based on the gcpProjectID overrides.yaml configuration.

See also gcpProjectID

Default value: true

Stops Apigee from supplying configuration to customer-installed ASM.

• Set to true for hybrid installations using Apigee ingress gateway.
• Set to false for hybrid installations using Anthos Service Mesh (Apigee hybrid versions 1.8 and earlier).

Default value: true

When true (the default), Apigee hybrid does not manage Kubernetes ClusterRole and ClursterRoleBinding directly. If you have a process that requires managing these resources, the process must be performed by a user with the correct permissions to do so.

Default value: IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

• IfNotPresent: Do not pull a new image if it already exists.
• Always: Always pull the image, regardless of whether it exists already.

For more information, see Updating images.

Default value: 1.11.2

The version label for this service's Docker image.

Default value: None

The location of the Docker image for this service.

Use apigee-pull-push --list to see the current repository URL for this component.

Default value: IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

• IfNotPresent: Do not pull a new image if it already exists.
• Always: Always pull the image, regardless of whether it exists already.

For more information, see Updating images.

Default value: 1.11.2

The version label for this service's Docker image.

Default value: gcr.io/apigee-release/hybrid/apigee-installer

The location of the Docker image for this service.

Use apigee-pull-push --list to see the current repository URL for this component.

Default value: 250m

The CPU limit for the resource in a Kubernetes container, in millicores.

Default value: 256Mi

The memory limit for the resource in a Kubernetes container, in mebibytes.

Default value: 250m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

Default value: 256Mi

The memory needed for normal operation of the resource in a Kubernetes container, in mebibytes.

Default value: None

Required to use the Taints and Tolerations feature of Kubernetes.

effect specifies the effect that matching a toleration with a taint will have. Values for effect can be:

• NoExecute
• NoSchedule
• PreferNoSchedule

See Taints and Tolerations: Concepts for details.

Default value: None

Required to use the Taints and Tolerations feature of Kubernetes.

key identifies pods to which the toleration can be applied.

See Taints and Tolerations: Concepts for details.

Default value: "Equal"

Required to use the Taints and Tolerations feature of Kubernetes.

operator specifies the operation used to trigger the effect. Values for operator can be:

• Equal matches the value set in value.
• Exists ignores the value set in value.

See Taints and Tolerations: Concepts for details.

Default value: None

Used by the Taints and Tolerations feature of Kubernetes.

tolerationSeconds defines in seconds how long a pod stays bound to a failing or unresponsive node.

See Taints and Tolerations: Concepts for details.

Default value: None

Used by the Taints and Tolerations feature of Kubernetes.

value is the value that triggers the effect when operator is set to Equal.

See Taints and Tolerations: Concepts for details.

Default value: IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

• IfNotPresent: Do not pull a new image if it already exists.
• Always: Always pull the image, regardless of whether it exists already.

For more information, see Updating images.

Default value: 1.18.7-asm.26-distroless

The version label for this service's Docker image.

Default value: None

The location of the Docker image for this service.

Use apigee-pull-push --list to see the current repository URL for this component.

Default value: None

Required

Node selector label key used to target dedicated Kubernetes nodes for ingress gateway services.

See Configuring dedicated node pools.

Default value: None

Optional node selector label value used to target dedicated Kubernetes nodes for ingress gateway services and override the nodeSelector.apigeeData settings.

See nodeSelector.

Default value: 4

The maximum number of pods that hybrid can automatically add for the ingress gateway available for autoscaling.

Default value: 2

The minimum number of pods for the ingress gateway available for autoscaling.

Default value: 75

The threshold of CPU usage for scaling the number of pods in the ReplicaSet, as a percentage of total available CPU resources.

When CPU usage goes above this value, then hybrid will gradually increase the number of pods in the ReplicaSet, up to apigeeIngressGateway.replicaCountMax.

For more information on scaling in Kubernetes, see Horizontal Pod Autoscaling in the Kubernetes documentation.

Default value: None

Required to use the Taints and Tolerations feature of Kubernetes.

effect specifies the effect that matching a toleration with a taint will have. Values for effect can be:

• NoExecute
• NoSchedule
• PreferNoSchedule

See Taints and Tolerations: Concepts for details.

Default value: None

Required to use the Taints and Tolerations feature of Kubernetes.

key identifies pods to which the toleration can be applied.

See Taints and Tolerations: Concepts for details.

Default value: "Equal"

Required to use the Taints and Tolerations feature of Kubernetes.

operator specifies the operation used to trigger the effect. Values for operator can be:

• Equal matches the value set in value.
• Exists ignores the value set in value.

See Taints and Tolerations: Concepts for details.

Default value: None

Used by the Taints and Tolerations feature of Kubernetes.

tolerationSeconds defines in seconds how long a pod stays bound to a failing or unresponsive node.

See Taints and Tolerations: Concepts for details.

Default value: None

Used by the Taints and Tolerations feature of Kubernetes.

value is the value that triggers the effect when operator is set to Equal.

See Taints and Tolerations: Concepts for details.

Default value: None

Optional key/value map used to annotate pods. For more information, see Custom annotations.

Default value: iloveapis123

Required

Password for the Cassandra administrator. The admin user is used for any administrative activities performed on the Cassandra cluster, such as backup and restore.

Default value: iloveapis123

Required

Password for the Cassandra Data Definition Language (DDL) user. Used by MART for any of the data definition tasks like keyspace creation, update, and deletion.

Default value: iloveapis123

Required

The password for the default Cassandra user created when Authentication is enabled. This password must be reset when configuring Cassandra authentication. See Configuring TLS for Cassandra.

Default value: iloveapis123

Required

Password for the Cassandra Data Manipulation Language (DML) user. The DML user is used by the client communication to read and write data to Cassandra.

Default value: IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

• IfNotPresent: Do not pull a new image if it already exists.
• Always: Always pull the image, regardless of whether it exists already.

For more information, see Updating images.

Default value: 1.11.2

The version label for this service's Docker image.

Default value: None

The location of the Docker image for this service.

Use apigee-pull-push --list to see the current repository URL for this component.

Default value: iloveapis123

Required

Password for the Cassandra JMX operations user. Used to authenticate and communicate with the Cassandra JMX interface.

Default value: jmxuser

Required

Username for the Cassandra JMX operations user. Used to authenticate and communicate with the Cassandra JMX interface.

Default value: iloveapis123

Required

Password for the Cassandra Jolokia JMX operations user. Used to authenticate and communicate with the Cassandra JMX API.

Default value: apigee

Required

Username for the Cassandra Jolokia JMX operations user. Used to authenticate and communicate with the Cassandra JMX API.

Default value: None

The name of the file stored in a Kubernetes secret that contains the Cassandra users and passwords. You can create the secret using following the following instructions: Create the Secret.

See also:

• Storing data in a Kubernetes secret
• Secrets in the Kubernetes documentation
• Creating a Secret Using kubectl in the Kubernetes documentation

Default value: None

The Cassandra secret storage policy. When set, it must match the SecretProviderClass which references the external secret provider, like Hashicorp Vault. When unset, Apigee hybrid uses either the usernames and passwords stored in:

• cassandra.auth.admin.password
• cassandra.auth.ddl.password
• cassandra.auth.default.password
• cassandra.auth.dml.password
• cassandra.auth.jmx.password
• cassandra.auth.jmx.username
• cassandra.auth.jolokia.password
• cassandra.auth.jolokia.username

or the Kubernetes secret stored in:

• cassandra.auth.secret

See Storing Cassandra secrets in Hashicorp Vault for instructions to create the policy.

Default value: GCP

The name of a backup provider. Supported values: GCP, HYBRID, and CSI. Set the value to:

• GCP to store backup archives on Google Cloud Storage.
• HYBRID to store backup archives on a remote SSH server.
• CSI (recommended) to utilize Kubernetes CSI Volume Snapshots for backup. For information on CSI backup and restore for cloud platforms such as Google Cloud, AWS, and Azure, see CSI backup and restore.

Default value: None

Required if backup is enabled and cassandra.backup.cloudProvider is set to GCP.

Must be in the format gs://BUCKET_NAME (the gs:// prefix is required).

The name of an existing Google Cloud Storage bucket that will be used to store backup archives. See Creating buckets if you need to create one.

Default value: false

Data backup is not enabled by default. To enable, set to true.

See Cassandra backup and recovery.

Default value: IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

• IfNotPresent: Do not pull a new image if it already exists.
• Always: Always pull the image, regardless of whether it exists already.

For more information, see Updating images.

Default value: 1.11.2

The version label for this service's Docker image.

Default value: None

The location of the Docker image for this service.

Use apigee-pull-push --list to see the current repository URL for this component.

Default value: None

Required if backup is enabled and cassandra.backup.cloudProvider is set to HYBRID.

The path on your local file system to the SSH private key file.

Default value: 0 2 * * *

The schedule for the backup cron job.

See Cassandra backup and recovery.

Default value: None

Required if backup is enabled and cassandra.backup.cloudProvider is set to HYBRID.

The IP address of your remote SSH backup server.

Default value: None

Path to a Google Service Account key file that has the Storage Object Admin (roles/storage.objectAdmin) role. This Google Service Account will be used for uploading backup archives to a specified cassandra.backup.dbStorageBucket.

If backup is enabled and cassandra.backup.cloudProvider is set to GCP, one of the following is required to ensure Apigee Hybrid can access the Google Cloud Storage bucket to upload backup archives:

• Specified cassandra.backup.serviceAccountPath.
• Specified cassandra.backup.serviceAccountRef.
• Configured Workload Identity for Apigee Hybrid in GKE.

Default value: None

The name of an existing Kubernetes secret that stores the content of a Google Service Account key file that has the Storage Object Admin (roles/storage.objectAdmin) role. This Google Service Account will be used for uploading backup archives to a specified cassandra.backup.dbStorageBucket.

If backup is enabled and cassandra.backup.cloudProvider is set to GCP, one of the following is required to ensure Apigee Hybrid can access the Google Cloud Storage bucket to upload backup archives:

• Specified cassandra.backup.serviceAccountPath.
• Specified cassandra.backup.serviceAccountRef.
• Configured Workload Identity for Apigee Hybrid in GKE.

Default value: None

Required if backup is enabled and cassandra.backup.cloudProvider is set to HYBRID.

Can either be an absolute or relative path to the apigee user's home directory.

The name of the backup directory on your backup SSH server.

Default value: apigeecluster

Specifies the name of the Cassandra cluster.

Default value: dc-1

Specifies the datacenter of the Cassandra node.

Default value: None

When you set hostNetwork to true, the DNS policy is set to ClusterFirstWithHostNet for you.

Default value: None

Hostname or IP of a Cassandra cluster node. If not set, the Kubernetes local service is used.

Default value: 100M

The amount of JVM system memory allocated to newer objects, in megabytes.

Default value: false

Enables the Kubernetes hostNetwork feature. Apigee uses this feature in multi-region installations to communicate between pods if the pod network namespace does not have connectivity between clusters (the clusters are running in "island network mode"), which is the default case in non-GKE installations, including GKE on-prem, GKE on AWS, Anthos on bare metal, AKS, EKS, and OpenShift.

Set cassandra.hostNetwork to false for single region installations and multi-region installations with connectivity between pods in different clusters, for example GKE installations.

Set cassandra.hostNetwork to true for multi-region installations with no communication between between pods in different clusters, for example GKE On-prem, GKE on AWS, Anthos on bare metal, AKS, EKS, and OpenShift installations. See Multi-region deployment: Prerequisites.

When true, DNS policy is automatically set to ClusterFirstWithHostNet.

Default value: IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

• IfNotPresent: Do not pull a new image if it already exists.
• Always: Always pull the image, regardless of whether it exists already.

For more information, see Updating images.

Default value: 1.11.2

The version label for this service's Docker image.

Default value: None

The location of the Docker image for this service.

Use apigee-pull-push --list to see the current repository URL for this component.

Default value: 512M

The upper limit of JVM system memory available for Cassandra operations, in megabytes.

Default value: None

IP address of an existing Cassandra cluster used to expand the existing cluster to a new region. See Configure the multi-region seed host.

Default value: None

Required

Node selector label key used to target dedicated Kubernetes nodes for cassandra data services.

See Configuring dedicated node pools.

Default value: None

Optional node selector label value used to target dedicated Kubernetes nodes for cassandra data services and override the nodeSelector.apigeeData settings.

See nodeSelector.

Default value: 9042

Port number used to connect to cassandra.

Default value: ra-1

Specifies the rack of the Cassandra node.

Default value: 2

The number of times Kubernetes will verify that readiness probes have failed before marking the pod unready. The minimum value is 1.

Default value: 0

The number of seconds after a container is started before a readiness probe is initiated.

Default value: 10

Determines how often to perform a readiness probe, in seconds. The minimum value is 1.

Default value: 1

The minimum consecutive successes needed for a readiness probe to be considered successful after a failure. The minimum value is 1.

Default value: 5

The number of seconds after which a liveness probe times out. The minimum value is 1.

Default value: 1

Cassandra is a replicated database. This property specifies the number of Cassandra nodes employed as a StatefulSet.

Default value: 500m

The CPU needed for normal operation of the resource in a Kubernetes container, in millicores.

Default value: 1Gi

The memory needed for normal operation of the resource in a Kubernetes container, in mebibytes.

Default value: GCP

The name of a restore provider. Supported values: GCP, HYBRID, and CSI. Set the value to:

• GCP to restore data from a backup stored on Google Cloud Storage.
• HYBRID to restore data from a backup stored on a remote SSH server.
• CSI (recommended) to utilize Kubernetes CSI Volume Snapshots for restore. For information on CSI backup and restore for cloud platforms such as Google Cloud, AWS, and Azure, see CSI backup and restore.

Default value: None

Required if restore is enabled and cassandra.restore.cloudProvider is set to GCP.

Must be in the format gs://BUCKET_NAME (the gs:// prefix is required).

The name of a Google Cloud Storage bucket that stores backup archives to be used for data restoration.

Default value: false

Data restoration is not enabled by default. To enable, set to true.

See Cassandra backup and recovery.

Default value: IfNotPresent

Determines when kubelet pulls the pod's Docker image. Possible values include:

• IfNotPresent: Do not pull a new image if it already exists.
• Always: Always pull the image, regardless of whether it exists already.

For more information, see Updating images.

Default value: 1.11.2

The version label for this service's Docker image.

Default value: None

The location of the Docker image for this service.

Use apigee-pull-push --list to see the current repository URL for this component.

Default value: None

Path to a Google Service Account key file that has the Storage Object Admin (roles/storage.objectAdmin) role. This Google Service Account will be used to download backup archives from a specified cassandra.restore.dbStorageBucket.

If restore is enabled and cassandra.restore.cloudProvider is set to GCP, one of the following is required to ensure Apigee Hybrid can access the Google Cloud Storage bucket to download backup archives for restoration:

• Specified