Skip to content

Latest commit

 

History

History
165 lines (143 loc) · 14.1 KB

feature-flags.md

File metadata and controls

165 lines (143 loc) · 14.1 KB

Feature Flags

This lists the feature flags and their sub-configurations to enable/disable and configure features of the KAS Fleet Manager. This set of features can be seen below.

Access Control

For more information on access control for KAS Fleet Manager, see this documentation.

  • enable-deny-list: Enables access control for denied users.

    • deny-list-config-file [Required]: The path to the file containing the list of users that should be denied access to the service. (default: 'config/deny-list-configuration.yaml', example: deny-list-configuration.yaml).
  • enable-access-list: Enables access control for accepted organisations.

    • access-list-config-file [Required]: The path to the file containing the list of orgId's that should be allowed access to the service. (default: 'config/access-list-configuration.yaml', example: access-list-configuration.yaml).

Connectors

  • enable-connectors: Enables Kafka Connectors.
    • mas-sso-base-url [Required]: The base URL of the Keycloak instance to be used for authentication.
    • mas-sso-realm [Required]: The Keycloak realm to be used for authentication.
    • connector-types [Optional]: Directory containing connector type service URLs (default: 'config/connector-types').

Database

  • enable-db-debug: Enables Postgres debug logging.

Health Check Server

  • enable-health-check-https: Enable HTTPS for health check server.
    • https-cert-file [Required]: The path to the file containing the TLS certificate.
    • https-key-file [Required]: The path to the file containing the TLS private key.

Kafka

  • enable-deletion-of-expired-kafka: Enables deletion of developer Kafka instances when its life span has expired.
  • enable-kafka-external-certificate: Enables custom Kafka TLS certificate.
    • kafka-tls-cert-file [Required]: The path to the file containing the Kafka TLS certificate (default: 'secrets/kafka-tls.crt').
    • kafka-tls-key-file [Required]: The path to the file containing the Kafka TLS private key (default: 'secrets/kafka-tls.key').
  • enable-developer-instance: Enable the creation of one kafka developer instances per user
  • quota-type: Sets the quota service to be used for access control when requesting Kafka instances (options: ams or quota-management-list, default: quota-management-list).

    For more information on the quota service implementation, see the quota service architecture architecture documentation.

    • If this is set to quota-management-list, quotas will be managed via the quota management list configuration.

      See quota control documentation for more information about the quota management list.

      • enable-instance-limit-control [Required]: Enables enforcement of limits on how much Kafka instances a user can create (default: false).

        If enabled, the maximum instances a user can create can be specified in one of the following ways:

        • quota-management-list-config-file [Optional]: Allows setting of Kafka instance limit per organisation via registered_users_per_organisation or per service account via registered_service_accounts (default: 'config/quota-management-list-configuration.yaml', example: quota-management-list-configuration.yaml).
        • max-allowed-instances [Optional]: The default maximum Kafka instance limit a user can create (default: 1).

        See the max allowed instances section for more information about setting Kafka instance limits for users.

    • If this is set to ams, quotas will be managed via OCM's accounts management service (AMS).

Keycloak

  • mas-sso-debug: Enables Keycloak debug logging.
  • mas-sso-enable-auth: Enables Kafka authentication via Keycloak.
    • mas-sso-base-url [Required]: The base URL of the Keycloak instance.
    • mas-sso-cert-file [Optional]: File containing tls cert for the mas-sso. Useful when mas-sso uses a self-signed certificate. If the provided file does not exist, is the empty string or the provided file content is empty then no custom MAS SSO certificate is used (default secrets/keycloak-service.crt).
    • mas-sso-client-id-file [Required]: The path to the file containing a Keycloak account client ID that has access to the Kafka service accounts realm (default: 'secrets/keycloak-service.clientId').
    • mas-sso-client-secret-file [Required]: The path to the file containing a Keycloak account client secret that has access to the Kafka service accounts realm (default: 'secrets/keycloak-service.clientSecret').
    • mas-sso-realm [Required]: The Keycloak realm to be used for the Kafka service accounts.
  • mas-sso-insecure: Disables Keycloak TLS verification.

Metrics Server

  • enable-metrics-https: Enables HTTPS for the metrics server.
    • https-cert-file [Required]: The path to the file containing the TLS certificate.
    • https-key-file [Required]: The path to the file containing the TLS private key.

Observability

  • enable-observatorium-mock: Enables use of a mock Observatorium client.
    • observatorium-timeout [Optional]: Timeout to be used for Observatorium requests (default: 240s).
    • observatorium-token-file [Optional]: The path to the file containing a token for authenticating with Observatorium (default: 'secrets/observatorium.token').
  • observatorium-debug: Enables Observatorium debug logging.
  • observatorium-ignore-ssl: Disables Observatorium TLS verification.
  • observatorium-auth-type[Optional]: This allows for the choice of either Red Hat SSO (redhat) or Dex (dex) as the authentication medium for interaction between kas-fleet-manager and Observatorium (default: dex, options: redhat or dex).

Dex Authentication

  • The '[Required]' in the following denotes that these flags are required to use Dex Authentication with the service.
    • dex-password-file[Required]: The path to the file containing the Dex password for use with Dex authentication.
    • dex-secret-file[Required]: The path to the file containing the Dex secret for use with Dex authentication.
    • dex-username[Required]: The Dex username for authentication (default: [email protected])
    • dex-url[Required]: The Dex URL for authentication (default: http://dex-dex.apps.pbraun-observatorium.observability.rhmw.io).
    • observatorium-gateway[Required]: The Observatorium URL for use with dex authentication (default: https://observatorium-observatorium.apps.pbraun-observatorium.observability.rhmw.io).
    • observatorium-tenant[Required]: The Observatorium tenant name for use with dex authentication (default: test).

Red Hat SSO Authentication

  • The '[Required]' in the following denotes that these flags are required to use Red Hat SSO Authentication with the service.
    • observability-red-hat-sso-auth-server-url[Required]: Red Hat SSO authentication server URL (default: https://sso.redhat.com/auth).
    • observability-red-hat-sso-realm[Required]: Red Hat SSO realm (default: redhat-external).
    • observability-red-hat-sso-token-refresher-url[Required]: Red Hat SSO token refresher URL (default: www.test.com).
    • observability-red-hat-sso-observatorium-gateway[Required]: Red Hat SSO observatorium gateway (default: https://observatorium-mst.api.stage.openshift.com).
    • observability-red-hat-sso-tenant[Required]: Red Hat SSO tenant (default: managedKafka).
    • observability-red-hat-sso-logs-client-id-file[Required]: The path to the file containing the client ID for the logs service account for use with Red Hat SSO.
    • observability-red-hat-sso-logs-secret-file[Required]: The path to the file containing the client secret for the logs service account for use with Red Hat SSO.
    • observability-red-hat-sso-metrics-client-id-file[Required]: The path to the file containing the client ID for the metrics service account for use with Red Hat SSO.
    • observability-red-hat-sso-metrics-secret-file[Required]: The path to the file containing the client secret for the metrics service account for use with Red Hat SSO.

Observability CloudWatch Logging

  • observability-enable-cloudwatchlogging: Enable Observability to deliver data plane logs to AWS CloudWatch
  • observability-cloudwatchlogging-config-file-path: Path to a file containing the configuration for Observability related to AWS CloudWatch Logging in YAML format. Only takes effect when --observability-enable-cloudwatchlogs is set (default "secrets/observability-cloudwatchlogs-config.yaml")

OpenShift Cluster Manager

  • enable-ocm-mock: Enables use of a mock OCM client.
    • ocm-mock-mode [Optional]: Sets the ocm client mock type (default: stub-server).
  • ocm-debug: Enables OpenShift Cluster Manager (OCM) debug logging.

Dataplane Cluster Management

  • enable-ready-dataplane-clusters-reconcile: Enables reconciliation of data plane clusters in a Ready state.

  • enable-kafka-sre-identity-provider-configuration: Enable the configuration of Kafka_SRE identity provider on the data plane cluster. If enabled, the following flags are required.

    • osd-idp-mas-sso-client-id-file [Required]: The path to the file containing a Keycloak account client ID that has access to the Kafka SRE realm (default: 'secrets/osd-idp-keycloak-service.clientId').
    • osd-idp-mas-sso-client-secret-file [Required]: The path to the file containing a Keycloak account client secret that has access to the Kafka SRE realm (default: 'secrets/osd-idp-keycloak-service.clientSecret').
    • osd-idp-mas-sso-realm [Required]: The Keycloak realm to be used for the Kafka SRE.
  • kubeconfig: A path to kubeconfig file used to communicate with standalone dataplane clusters.

  • dataplane-cluster-scaling-type: Sets the behaviour of how the service manages and scales OSD clusters (options: manual, auto or none).

    For more information on the different dataplane cluster scaling types and their behaviour, see the dataplane osd cluster options documentation.

    • If this is set to manual, the following configuration must be specified:
      • dataplane-cluster-config-file [Required]: The path to the file that contains a list of data plane clusters and their details for the service to manage (default: 'config/dataplane-cluster-configuration.yaml', example: dataplane-cluster-configuration.yaml).
    • If this is set to auto, the following configurations can be specified:
      • providers-config-file [Required]: The path to the file containing a list of supported cloud providers that the service can provision dataplane clusters to (default: 'config/provider-configuration.yaml', example: provider-configuration.yaml).
      • dynamic-scaling-config-file [Required]: The path to the file containing information about each Kafka instance types, dynamic scaling configuration (default: 'config/dynamic-scaling-configuration.yaml', example: dynamic-scaling-configuration.yaml).
  • cluster-logging-operator-addon-id: Enables the Cluster Logging Operator addon with Cloud Watch and application level logs enabled. (default: "", An empty string indicates that the operator should not be installed).

  • strimzi-operator-index-image: Strimzi operator index image name

  • strimzi-operator-namespace: Strimzi operator namespace

  • strimzi-operator-package: Strimzi operator package name

  • strimzi-operator-sub-channel: Strimzi operator subscription channel

  • strimzi-operator-subscription-config-file: Strimzi operator subscription config. This is applied for standalone clusters only. The configuration must be of type https://pkg.go.dev/github.com/operator-framework/[email protected]/pkg/operators/v1alpha1?utm_source=gopls#SubscriptionConfig

  • kas-fleetshard-operator-index-image: kas-fleetshard operator index image name

  • kas-fleetshard-operator-namespace: kas-fleetshard operator namespace

  • kas-fleetshard-operator-package: kas-fleetshard operator package name

  • kas-fleetshard-operator-sub-channel: kas-fleetshard operator subscription channel

  • kas-fleetshard-operator-subscription-config-file: kas-fleetshard operator subscription config. This is applied for standalone clusters only. The configuration must be of type https://pkg.go.dev/github.com/operator-framework/[email protected]/pkg/operators/v1alpha1?utm_source=gopls#SubscriptionConfig

  • observability-operator-index-image: Observability operator index image

  • observability-operator-starting-csv: Observability operator subscription starting CSV

Sentry

  • enable-sentry: Enables Sentry error reporting.
    • sentry-key-file [Required]: The path to the file containing the Sentry key (default: 'secrets/sentry.key').
    • sentry-project [Required]: The Sentry project ID.
    • sentry-url [Required]: The base URL of the Sentry instance.
    • enable-sentry-debug [Optional]: Enables Sentry debug logging (default: false).
    • sentry-timeout [Optional]: The timeout duration for requests to Sentry.

Server

  • enable-https: Enables HTTPS for the KAS Fleet Manager server.
    • https-cert-file [Required]: The path to the file containing the TLS certificate.
    • https-key-file [Required]: The path to the file containing the TLS private key.
  • enable-terms-acceptance: Enables terms acceptance verification.