Armory Docs – Armory Scale Agent Configuration Reference

Plugins: Armory Scale Agent Plugin Configuration Options

Mon, 01 Jan 0001 00:00:00 +0000

Setting	Type	Default	Description
`kubesvc.cache.accountCleanupFrequencySeconds`	integer	600 (10m)	How long to keep accounts that are no longer connected to any Agent
`kubesvc.cache.cacheDefaults`	array	`ReplicaSet` `Service` `Ingress` `DaemonSet` `Deployment` `Pod` `StatefulSet` `Job` `CronJob` `NetworkPolicy` `Namespace` `CustomResourceDefinition`	Default list of kubernetes kinds to cache, non overridable.
`kubesvc.cache.cacheKinds`	array	`kubesvc.cache.cacheDefaults`	List of kubernetes kinds to cache, overridable.
`kubesvc.cache.cacheStreamingPoolCoreSize` `kubesvc.cache.cacheStreamingPoolMaxSize`	integer	10/100	Thread pool sizing to write to cache. Each thread handles events for a single account at a time. It doesn't need to be greater than the number of agents. More threads means faster response. If Kubernetes accounts are very busy, you can set max size to `number of Kubernetes accounts / number of Clouddriver instances`.
`kubesvc.cache.cleanDataWithUnusedAccounts`	boolean	true	When cleaning an old account, also clean its associated data.
`kubesvc.cache.eventsCleanupFrequencySeconds`	integer	7200 (2h)	How long to keep Kubernetes events cached for.
`kubesvc.cache.namespaceExpiryMinutes`	integer	0	Disabled by default, set it to a value greater than 0 to enable. Specifies minutes to keep namespace definitions in memory to reduce calls to the database.
`kubesvc.cache.onDemandQuickWaitMs`	integer	10000	How long to wait for a recache operation.
`kubesvc.cache.operationWaitMs`	integer	30000	How long to wait for a Kubernetes operation like deploy, scale, delete, or others
`kubesvc.cluster`	string	none	Type of clustering. `local`: for development only; don’t try to coordinate with other Clouddriver instances `redis`: use Redis to coordinate via pubsub. Redis will be deprecated in a future release. 0.10.24+0.9.400.8.48 `kubernetes`:(Recommended) Requires additional `cluster-kubernetes configuration.`
`kubesvc.cluster-kubernetes.kubeconfigFile` `kubesvc.cluster-kubernetes.verifySsl` `kubesvc.cluster-kubernetes.namespace` `kubesvc.cluster-kubernetes.httpPortName` `kubesvc.cluster-kubernetes.clouddriverServiceNamePrefix`	string boolean string string string	null true null http spin-clouddriver	(Optional) If configured, the plugin uses this file to discover Endpoints. If not configured, it will use the service account mounted to the pod. (Optional) Whether to verify the Kubernetes API cert or not. (Optional) If configured, the plugin watches Endpoints in this namespace. If null, it watches endpoints in the namespace indicated in the file `/var/run/secrets/kubernetes.io/serviceaccount/namespace` (Optional) Name of the port configured in clouddriver Service that forwards traffic to clouddriver http port for REST requests. (Optional) Name prefix of the Kubernetes Service pointing to the Clouddriver standard HTTP port.
`kubesvc.credentials.poller.reloadFrequencyMs`	long	30000	2.23.0+ 1.23.0+ How often the plugin will refresh account credentials to clouddriver in case `credentials.poller.enabled` is disabled. Otherwise the standard properties of `credentials.poller.enabled` and `credentials.poller.types.kubernetes.reloadFrequencyMs` are respected
`kubesvc.disableV2Provider`	boolean	false	If you don’t need the V2 provider account, set that to true to speed up caching deserialization.
`kubesvc.dynamicAccounts.enabled`	boolean	false	0.11.27+0.10.65+0.9.81+ Enable access to the Dynamic Accounts API
`kubesvc.grpc.auth.x509.enabled`	boolean	false	Enable x509 subject filtering
`kubesvc.grpc.auth.x509.filters`	list(string)	`[]`	x509 subject line filter; see x509 Certificate Subject Filtering
`kubesvc.grpc.server.address`	string	`*`	Address to bind the gRPC server to
`kubesvc.grpc.server.port`	int	`9091`	Port to bind the gRPC server to
`kubesvc.grpc.server.healthServiceEnabled`	boolean	`true`	Enable gRPC healthcheck service
`kubesvc.grpc.server.maxInboundMessageSize`	data size	`4MB`	Maximum size of a gRPC message. It should be at least as big as the biggest Kubernetes object manifest you can expect.
`kubesvc.grpc.server.security.enabled`	boolean	`false`	Enable transport level security
`kubesvc.grpc.server.security.certificateChain`	string	none	Reference to the server's certificate chain.
`kubesvc.grpc.server.security.privateKey`	string	none	Reference to the private key of the server.
`kubesvc.grpc.server.security.privateKeyPassword`	string	none	Reference to private key password if password protected. You can use secret management to store the password.
`kubesvc.grpc.server.security.clientAuth`	string	`NONE`	`NONE`: no client certificate verification, `OPTIONAL`: verify client certificates if presented, `REQUIRE`: require client to present certificates and verify it
`kubesvc.grpc.server.security.ciphers`	list(string)	`[]`	By default, use the systems default ciphers.
`kubesvc.grpc.server.security.trustCertCollection`	string	none	By default, use the systems default truststore (cacerts). Otherwise, reference to a truststore to validate clients.
`kubesvc.grpc.server.security.protocols`	string	none	By default, use the systems default protocols. Otherwise, list of protocols accepted (`TLSv1.1, TLSv1.2, etc.`
`kubesvc.grpc.server.security.keepAliveHeartbeatSeconds`	int	none	how often should send keepalive grpc pings to client
`kubesvc.grpc.server.security.KeepAliveTimeOutSeconds`	int	none	How long to wait for a response after a keepalive before closing the connection
`kubesvc.heartbeat.initialDelay` `kubesvc.heartbeat.period` `kubesvc.heartbeat.periodUnit`	long long timeUnit	0 60 SECONDS	How often each Clouddriver node reports its assingments as recent. Set the heartbeat period to a value less than `kubesvc.cache.accountCleanupFrequencySeconds` to prevent losing account cache.
`kubesvc.heartbeat.enabled`	boolean	true	0.13.7+0.12.8+0.11.45+Optional. Setting this to false makes Clouddriver rely on gRPC connections instead of pings to consider a connection alive. Useful for remote agent configuration with slow network and no load balancers in between agent and Clouddriver.
`kubesvc.jobs.operation-history.purge.weeks`	integer	1	0.10.3+0.9.320.8.40(Optional) The number of weeks to retain information on the databse table `kubesvc_ops_history`.
`kubesvc.jobs.operation-history.purge.cron`	Spring cron expression	0 0 0 * * 0	0.10.3+0.9.320.8.40(Optional) How often to run the cleanup logic.
`kubesvc.loadBalancer`	string	none	Pick a different account load balancing algorithm. Only implementation so far is the “MN algorithm” that does hides Agent connections from other clouddriver instances and assigns account to the least busy connected Clouddriver while never unassigning an account from a still connected instance unless it dies or stops being connected to that account.
`kubesvc.runtime.defaults.onlySpinnakerManaged`	boolean	false	Same meaning as V2 provider. Should Spinnaker cache manifests that are not deployed by Spinnaker?
`kubesvc.runtime.defaults.customResources[].kubernetesKind` `kubesvc.runtime.defaults.customResources[].spinnakerKind` `kubesvc.runtime.defaults.customResources[].deployPriority` `kubesvc.runtime.defaults.customResources[].versioned` `kubesvc.runtime.defaults.customResources[].namespaced`	string string number as string (“100”) boolean boolean	none none “100” false false	Same meaning as V2 provider. Customize behavior of Spinnaker for an unknown (to Spinnaker) resource. - `kubernetesKind` in the format `.` - `spinnakerKind` is one of the Spinnaker kinds - `deployPriority` will determine in which order Spinnaker will deploy a resource if multiple manifests are to be deployed in an operation. - `versioned` should Spinnaker version new resource or just update them? - `namespaced` is barely used with kubesvc.
`kubesvc.runtime.accounts[string].onlySpinnakerManaged` `kubesvc.runtime.accounts[string].customResources[]…`			Same as above but per account. This takes priority over default runtime settings. Default values are used if not populated for the account. Format is a map (account name → props), e.g. kubesvc.runtime.accounts: prod: onlySpinnakerManaged: true
`kubesvc.v2-cache-eviction.disable`	boolean		0.10.3+ Set this to `true` if you want to turn off the eviction of the V2 cache.
`kubesvc.v2-cache-eviction.batch-size`	integer	5	0.10.3+ How many Kubernetes kinds to evict for each eviction event.
`kubesvc.v2-cache-eviction.millis`	integer	200	0.10.3+ The time between evictions in milliseconds. Using a low value can lead to a spike in resource usage when migration occurs.
`kubesvc.ops.processTime.metric.result.maxLength`	integer	255	How many characters as a maximum could have the `kubesvc.ops.processTime.result` attribute metric

Plugins: Armory Scale Agent Service Configuration Options

Mon, 01 Jan 0001 00:00:00 +0000

Configuration options

Settings	Type	Default	Description
`clouddriver.auth.token`	string	none	0.3.0+ Optional bearer token added to each request back to the endpoint.
`clouddriver.auth.tokenCommand.command` `clouddriver.auth.tokenCommand.args` `clouddriver.auth.tokenCommand.format` `clouddriver.auth.tokenCommand.refreshIntervalSeconds`	string []string string integer	none none [] 0	0.3.0+ Allows to invoke a command every `refreshIntervalSeconds` seconds that outputs either the token (`format` is `raw`) or a JSON object with an attribute of `token` if `format` is `json` or left empty. `args` is the optional list of parameters to the command.
`clouddriver.grpc`	string (hostname)	`spin-clouddriver-grpc:9091`	Hostname of the Clouddriver or gRPC proxy endpoint.
`clouddriver.backoff.baseDelay` `clouddriver.backoff.multiplier` `clouddriver.backoff.jitter` `clouddriver.backoff.maxDelay`	long float float long	1000000000 (1 second) 1.6 0.2 120000000000 (120 seconds) check backoff - Go package for changes in the future	1.0.54+The amount of nanoseconds to backoff after the first connection failure. 1.0.54+The factor with which to multiply connection backoffs after a failed retry. Should ideally be greater than 1. 1.0.54+The factor with which connection backoffs are randomized. 1.0.54+The nanoseconds upper bound of connection backoff delay.
`clouddriver.keepAliveHeartbeatSeconds`	integer	20	0.6.9+Optional. How often the gPRC keep alive message is sent. - Not set: (default) sent every 20 seconds. - 0: not sent. - Any `n` value greater than 0: sent every `n` seconds.
`clouddriver.keepAliveOperationSeconds`	integer	0	1.0.58+Optional. How much time to wait after not receiving operations to restart the connection to clouddriver. - Not set: default 0 (not restart). - Any `n` value greater than 0: restart every `n` seconds.
`clouddriver.keepAliveTimeOutSeconds`	integer	none	Timeout before closing the grpc connection.
`clouddriver.insecure`	boolean	true	Set to false, if you are connecting to a TLS server.
`clouddriver.noProxy`	boolean	false	0.3.1+ Ignore the `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` environment variables when connecting back to the control plane (Armory Continuous Deployment).
`clouddriver.responseRetries.enabled` `clouddriver.responseRetries.maxRetries` `clouddriver.responseRetries.backOffMs`	boolean integer integer	true 3 3000	0.6.7+Enables or disables retries. 0.6.7+How many times to retry sending the response to Clouddriver. 0.6.7+How much time to wait between retries in milliseconds. Note that Agent Plugin config option `kubesvc.cache.operationWaitMs` should be set so that it does not time out before the retries are complete.
`clouddriver.tls.serverName`	string	none	Server name on the remote certificate (override from the hostname).
`clouddriver.tls.insecureSkipVerify`	boolean	false	Do not verify the endpoint's certificate.
`clouddriver.tls.clientCertFile` `clouddriver.tls.clientKeyFile` `clouddriver.tls.clientKeyFilePassword`	string string string	none none none	Client certificate file for mTLS. Client key file if not included in the certificate. Password the key file if needed.
`clouddriver.tls.cacertFile`	string	none	If provided, verify endpoint certificate with the trust store. Otherwise, the system trust store is used.
`dynamicAccounts.interceptor.enabled`	boolean	true	Whether to intercept new accounts being added on the fly.
`dynamicAccounts.enabled`	boolean	false	Dynamic account feature enabled.
`dynamicAccounts.scanBatchSize`	integer	572	How many accounts to send to scale agent at a time.
`dynamicAccounts.scanFrequencySeconds`	integer	120	How often should accounts be scanned for.
`dynamicAccounts.namePatterns`	list	[]	Patterns to match for account migration in accounts table.
`dynamicAccounts.credentialScanNamePatterns`	list	[]	Patterns to match in credential sources.
`kubernetes.noProxy`	boolean	false	0.3.1+ Ignore the `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` environment variables when connecting to any Kubernetes cluster.
`kubernetes.reconnectTimeoutMs`	integer	5000	How long to wait before reconnecting to Armory Continuous Deployment.
`kubernetes.cacheGroupSize`	integer	0	Number of accounts per group when delaying watcher initialization.
`kubernetes.cacheGroupDelayMs`	integer	0	How long to wait between each group of accounts when initializing watchers.
`kubernetes.accounts[].context`	string	empty	If provided, use the given context of the configured kubeconfig.
`kubernetes.accounts[].customResourceDefinitions`	[]{kind: }	empty	0.4.0+ List of CustomResourceDefinition to expose to Armory Continuous Deployment. This is not needed if `onlyNamespacedResources` is left off. The format of `kind` is `Kind.group`.
`kubernetes.accounts[].customResourceDefinitions.scope`	string	Namespaced	1.0.9+ Possible values are 'Cluster' and 'Namespaced'. The default value if left unconfigured is 'Namespaced'.
`kubernetes.accounts[].kinds`	[]string	empty	Defines which Kubernetes kinds to cache for the Spinnaker UI. If not empty, only kinds in the list are cached. Use only the kind name in singular form and without group name (e.g. `deployment`, not `deployment.apps`). This also applies to CRDs. There’s no benefit to caching kinds that don’t display in the Spinnaker UI. The recommended set of kinds to include (per account) is: `replicaSet`, `service`, `ingress`, `daemonSet`, `deployment`, `pod`, `statefulSet`, `job`, `cronJob`. Note: Operations are still possible on every kind regardless of the config, and statuses for those operations are not affected. For example, if you need to deploy another kind such as `HorizontalPodAutoscaler`, and this kind is not defined in this list, the deployment still succeeds.
`kubernetes.accounts[].kubeConfigFile`	string	none	Path to the kubeconfig file if not using `serviceAccount`.
`kubernetes.accounts[].insecure`	boolean	false	Do not verify the TLS certificate of the Kubernetes API server Don’t use without a good reason.
`kubernetes.accounts[].metrics`	boolean	false	When true, sends pod metrics back to Armory Continuous Deployment every 20s.
`kubernetes.accounts[].name`	string	none, required	Name of the Kubernetes cluster in Armory Continuous Deployment.
`kubernetes.accounts[].namespaces`	[]string	empty	0.4.0+ Whitelist of namespaces to monitor. This comes at a greater cost of multiplying the resources by the number of namespaces.
`kubernetes.accounts[].noProxy`	boolean	false	0.3.1+ Ignore the `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` environment variables when connecting to that Kubernetes cluster.
`kubernetes.accounts[].oAuthScopes`	[]string	empty	List of OAuth scope when authenticating with gcp provider Cluster access for kubectl.
`kubernetes.accounts[].omitKinds`	[]string	empty	List of kinds not to cache.
`kubernetes.accounts[].omitNamespaces`	[]string	empty	Blacklist of namespaces This comes at a greater cost of multiplying the resources by the number of namespaces. NOT CURRENTLY IMPLEMENTED
`kubernetes.accounts[].onlyNamespacedResources`	boolean	false	0.4.0+ If true, the Agent ignores non-namespaced resources; namespaces must be whitelisted with `namespaces` setting and CRDs with `customResourceDefinitons`.
`kubernetes.accounts[].onlySpinnakerManaged`	boolean	false	Only return Armory Continuous Deployment managed resources NOT IMPLEMENTED in the Agent but added to the plugin see `kubesvc.runtime.defaults.onlySpinnakerManaged`.
`kubernetes.accounts[].permissions`	list	empty	List of permissions (currently `READ` or `WRITE`) with a list of authorized roles. For more information, see Permissions format.
`kubernetes.accounts[].maxResumableResourceAgeMs`	integer	300000 (5m)	When connecting to Armory Continuous Deployment, the Agent asks Clouddriver for the latest resource version known per resource that is not older than that setting. The resource version is used to resume the watch without first doing a list - saving memory and time. There’s no guarantee that the resource version is still known. If not “remembered” by the Kubernetes API server, a `list` call is used. Kubernetes API Concepts
`kubernetes.accounts[].serviceAccount`	boolean	false	If true and the Agent runs in Kubernetes - use the current service account to call to the current API server. In that mode, you don’t need to provide a kubeconfig file.
`kubernetes.serverSideApply.enabled`	string	allowed	1.0.47+ Optional. always/never/allowed. Override annotations and kind list to Always/Never use ServerSideApply (SSA). allowed: Use CSA unless annotation `agent-k8s.armory.io/serverside-apply: enabled` is present or config `kubernetes.serverSideApply.kinds[].enabled` is present in configuration file.
`kubernetes.serverSideApply.clearManagedFields`	string	allowed	1.0.47+ Optional. always/never/allowed. Override annotations and kind list to Always/Never delete managed fields in order to keep agent as the only manager of a manifest. allowed: Send manifest as-is unless annotation `agent-k8s.armory.io/ssa-clear-managed-fields: enabled` is present or `kubernetes.serverSideApply.kinds[].clearManagedFields` is present in configuration file.
`kubernetes.serverSideApply.manifestDefaults`	string	allowed	1.0.47+ Optional. always/never/allowed. Override annotations and kind list to Always/Never modify applied manifests to include field defaults. allowed: Send manifest as-is unless annotation `agent-k8s.armory.io/ssa-manifest-defaults: enabled` is present or `kubernetes.serverSideApply.kinds[].manifestDefaults` is present in configuration file.
`kubernetes.serverSideApply.kinds[].kind`	string		1.0.47+ Kind name ID for the next configurations
`kubernetes.serverSideApply.kinds[].enabled`	string	allowed	1.0.47+ Optional. always/never/allowed. Override annotations and kind list to Always/Never use ServerSideApply (SSA). allowed: Use CSA unless annotation `agent-k8s.armory.io/serverside-apply: enabled` is present
`kubernetes.serverSideApply.kinds[].clearManagedFields`	string	allowed	1.0.47+ Optional. always/never/allowed. Override annotations and kind list to Always/Never delete managed fields in order to keep agent as the only manager of a manifest. allowed: Send manifest as-is unless annotation `agent-k8s.armory.io/ssa-clear-managed-fields: enabled` is present
`kubernetes.serverSideApply.kinds[].manifestDefaults`	string	allowed	1.0.47+ Optional. always/never/allowed. Override annotations and kind list to Always/Never modify applied manifests to include field defaults. allowed: Send manifest as-is unless annotation `agent-k8s.armory.io/ssa-manifest-defaults: enabled` is present
`kubernetes.retries.enabled`	boolean	true	Optional. Enable or disable retries when the Agent makes a failed request to the Kubernetes API server.
`kubernetes.retries.maxRetries`	integer	3	Optional. The number of times that the Agent will try the same request if it fails.
`kubernetes.retries.backOffMs`	integer	3000	Optional. How much time (in milliseconds) to wait between retry attempts.
`kubernetes.retries.retryAnyError`	boolean	false	Optional. If true, Agent will retry when encountering any error from the Kubernetes API server. If false, Agent will only retry if the error contains any item from `retryableErrors`.
`kubernetes.retries.retryableErrors`	string	`- timeout` `- deadline exceeded`	Optional. If the error from the Kubernetes API server contains any item from this list, the request will be retried. Requires `retryAnyError` to be false.
`logging.file`	string	stdout if not defined	File to save logs to.
`logging.format`	string	text	Format for the Agent logs. Can be `text` or `json`
`logging.level`	string	`INFO`	Log level. Can be any of (case insensitive): `panic`, `fatal` , `error`, `warn` (or `warning`), `info`, `debug`, `trace`.
`logging.multiWrite`	boolean	false	When set to true, logs will be printed to stdout and saved to a file simultaneously.
`logging.maxSizeMb`	integer	1	Max size of each log file.
`logging.maxAgeDays`	integer	10	How many days to keep the log file backup.
`logging.maxBackups`	integer	10	Max number of log file backups.
`logging.localTime`	boolean	true	when set to true the timestamps will have local time, otherwise UTC.
`logging.compress`	boolean	false	when set to true files are compressed as tar gz.
`logging.fields`	map	empty	Logging contextual key-value pairs. The `agentCluster` and `agentNamespace` keys could be detected automatically when a value is not provided, and being populated with the name/host of the cluster, and namespace where the instance is running. E.g. `logging.fields.agentNamespace:` The agentNamespace will be automatically discover by the instance. `logging.fields.agentNamespace: test` The agentNamespace will use the provided value.
`pprof.enabled`	boolean	false	Enable pprof endpoint. Useful for troubleshooting, slowness, memory leaks, and more! pprof README.
`pprof.port`	integer	6060	Port on which to respond to pprof requests.
`prometheus.enabled`	boolean	false	Enable Prometheus handler.
`prometheus.port`	integer	8008	Port to expose Prometheus metrics on. Responds to both `/metrics` (standard) and `/prometheus_metrics` (Armory Continuous Deployment default).
`server.host`	string	localhost	Hostname of the server health check.
`server.port`	integer	8082	Port of the server health check.
`server.ssl.enabled`, `server.ssl.certFile`, `server.ssl.keyFile`, `server.ssl.keyPassword`, `server.ssl.caCertFile`, `server.ssl.keyFilePassword`, `server.ssl.clientAuth`			Various options to control TLS config. Don’t bother, it’s just for the health endpoint.
`secrets.vault.*`	object	none	Vault configuration.
`tasks.totalBudget`	integer	1000	If > 0, limits the number of cluster sync tasks that can be started concurrently, this is when doing the initial listing before starting a watcher, modifying this value can help reduce memory spikes when Agent starts.
`tasks.budgetPerAccount`	integer	50	Same as `totalBudget` but per account. If both settings are provided, they’re both checked.
`tasks.queueCheckFrequencyMs`	integer	2000	Frequency at which the Agent checks for new tasks to launch. Once launched a task is not stopped until explicitly requested (account unregistered or connection to Armory Continuous Deployment lost).
`timeoutSeconds`	integer	0	0.5.12+ The maximum length of time to wait before giving up on a server request. A value of zero means no timeout.