Mission Control

| Value | Description |
| --- | --- |
| global.ui.host | The domain to be used for ingress. Defaults to mission-control-ui.local |
| global.otel.collector | OpenTelemetry endpoint to send internal traces |
| global.registry | Defaults to docker.io/flanksource |
| extraArgs | Extra arguments to mission-control |
| image.pullPolicy | Defaults to IfNotPresent |
| image.tag | |
| otel.serviceName | Defaults to mission-control |
| properties.incidents.disable | Defaults to {} |
| properties.logs.disable | Defaults to true |
| replicas | Defaults to 1 |
| resources.limits.cpu | Defaults to 500m |
| resources.limits.memory | Defaults to 1024Mi |
| resources.requests.cpu | Defaults to 100m |
| resources.requests.memory | Defaults to 768Mi |

Canary Checker

| Value | Description |
| --- | --- |
| canary-checker.resources.requests.cpu | Defaults to 100m |
| canary-checker.resources.limits.cpu | Defaults to 500m |
| canary-checker.resources.requests.memory | Defaults to 768Mi |
| canary-checker.resources.limits.memory | Defaults to 1024Mi |
| canary-checker.serviceAccount.annotations | {} |
| canary-checker.serviceAccount.name | canary-checker-sa |
| canary-checker.extraArgs | {} |

Config DB

| Value | Description |
| --- | --- |
| config-db.resources.requests.cpu | Defaults to 100m |
| config-db.resources.limits.cpu | Defaults to 500m |
| config-db.resources.requests.memory | Defaults to 768Mi |
| config-db.resources.limits.memory | Defaults to 1024Mi |
| config-db.serviceAccount.annotations | {} |
| config-db.serviceAccount.name | config-db-sa |
| config-db.extraArgs | {} |

Ingress

| Value | Description |
| --- | --- |
| global.ui.host | The domain to be used for ingress, will be the primary entrypoint into mission control. Defaults to mission-control-ui.local |
| ingress.annotations | Defaults to kubernetes.io/ingress.class: nginx |
| ingress.enabled | Defaults to true |
| global.ui.tlsSecretName | Defaults to mission-control-ui-tls |
| global.api.tlsSecretName | |

Database

| Value | Description |
| --- | --- |
| db.create | Defaults to true |
| db.conf | postgres.conf settings |
| db.resources.requests.memory | Defaults to 4Gi |
| db.shmVolume | Defaults to 256Mi |
| db.storage | Defaults to 20Gi |
| db.storageClass | |
| db.secretKeyRef.key | Defaults to DB_URL |
| db.secretKeyRef.name | Defaults to incident-commander-postgres |

Using an external database

In order to connect to an existing database the secret referenced by db.secretKeyRef.name needs to be created.

  1. Create a new secret
    kubectl create secret generic incident-commander-postgres \
      --from-literal=DB_URL=postgres://postgres:postgres@db/mission_control \
      --from-literal=SSLMODE=disable \
      --from-literal=POSTGRES_HOST=db \
      --from-literal=DATABASE=mission_control \
      --from-literal=POSTGRES_USER=postgres \
      --from-literal=POSTGRES_PASSWORD=postgres

    See Postgres Connection Strings for a full list of parameters

  2. Update the helm values to disable db creation
    values.yaml
    db:
      create: false
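
An added example, not from the Mission Control docs: a POSIX shell variant of step 1 that keeps the same secret name and keys but percent-encodes the credentials in DB_URL and hands them to kubectl in a 0600 env file, so the password does not appear in argv or shell history. The function names, the password-file argument, the sample values and the use of a stricter sslmode than the page's `disable` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Mission Control's own tooling). Function names, the
# password-file argument and the sample values below are assumptions.

# Percent-encode every byte outside the RFC 3986 "unreserved" set, so a
# password containing @ : / ? # cannot change how DB_URL is parsed.
urlencode() {
  printf '%s' "$1" | od -An -v -tx1 | tr -s ' ' '\n' | while read -r hex; do
    [ -n "$hex" ] || continue
    case "$hex" in
      3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]|2d|2e|5f|7e)
        printf "\\$(printf '%03o' "0x$hex")" ;;   # unreserved: emit as-is
      *) printf '%%%s' "$(printf '%s' "$hex" | tr 'a-f' 'A-F')" ;;
    esac
  done
}

# build_db_url USER PASSWORD HOST DATABASE SSLMODE
build_db_url() {
  printf 'postgres://%s:%s@%s/%s?sslmode=%s' \
    "$(urlencode "$1")" "$(urlencode "$2")" "$3" "$4" "$5"
}

# create_db_secret USER PASSWORD_FILE HOST DATABASE SSLMODE
# Same secret name and keys as step 1. Values are written to a temp file
# readable only by the current user and removed after kubectl has run.
create_db_secret() {
  pw=$(cat "$2") || return 1
  envfile=$(umask 077; mktemp) || return 1
  {
    printf 'DB_URL=%s\n' "$(build_db_url "$1" "$pw" "$3" "$4" "$5")"
    printf 'SSLMODE=%s\n' "$5"
    printf 'POSTGRES_HOST=%s\n' "$3"
    printf 'DATABASE=%s\n' "$4"
    printf 'POSTGRES_USER=%s\n' "$1"
    printf 'POSTGRES_PASSWORD=%s\n' "$pw"
  } > "$envfile"
  unset pw
  rc=0
  kubectl create secret generic incident-commander-postgres \
    --from-env-file="$envfile" || rc=$?
  rm -f "$envfile"
  return "$rc"
}

# Constructed sample values; only the URL is built here, kubectl is not called.
# prints postgres://mc:p%40ss%3Aw%2Frd%231@db.internal/mission_control?sslmode=verify-full
build_db_url mc 'p@ss:w/rd#1' db.internal mission_control verify-full; echo
```

`create_db_secret` needs kubectl and a reachable cluster; `verify-full` assumes the external server presents a certificate the client trusts.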

Updating postgres.conf settings

The default settings applied to the installed Postgres database can be configured under the db.conf value.

Updating Memory Usage

To increase (or decrease) memory usage, the db.conf, db.resources and db.shmVolume values need to be updated.

reduce-db-resources.yaml

    db:
      shmVolume: 64Mi
      resources:
        requests:
          memory: 256Mi
        limits:
          memory: 512Mi
      conf:
        shared_buffers: 128MB
        max_connections: 30
        effective_cache_size: 256MB
        work_mem: 4MB

| Value | Description |
| --- | --- |
| max_connections | Defaults to 200 |
| shared_buffers | Defaults to 1GB |
| effective_cache_size | Defaults to 3GB |
| maintenance_work_mem | Defaults to 256MB |
| wal_buffers | Defaults to 16MB |
| effective_io_concurrency | Defaults to 200 |
| work_mem | Defaults to 10MB |
| max_wal_size | Defaults to 4GB |
| log_autovacuum_min_duration | Defaults to 0 |
| log_connections | Defaults to on |
| log_destination | Defaults to stderr |
| log_directory | Defaults to /var/log/postgresql |
| log_file_mode | Defaults to 0644 |
| log_filename | Defaults to postgresql.log |
| log_line_prefix | Defaults to %m [%p] %q[user=%u,db=%d,app=%a] |
| log_lock_waits | Defaults to on |
| log_min_duration_statement | Defaults to 1s |
| log_rotation_age | Defaults to 0 |
| log_rotation_size | Defaults to 0 |
| log_statement | Defaults to "all" |
| log_temp_files | Defaults to 0 |
| log_timezone | Defaults to UTC |
| logging_collector | Defaults to on |
| ssl | Defaults to off |
| timezone | Defaults to UTC |
| password_encryption | Defaults to scram-sha-256 |
| db_user_namespace | Defaults to off |
| extra_float_digits | Defaults to 0 |

Pganalyze collector

Advanced

A pganalyze.com collector can be installed using:

| Value | Description |
| --- | --- |
| db.pganalyze.enabled | Defaults to false |
| db.pganalyze.secretName | Defaults to pganalyze. Secret containing the pganalyze API token |
| db.pganalyze.systemID | Defaults to mission-control |

Postgrest

Advanced

Mission Control uses postgrest to provide a REST API over the database. This setup is automatic and connects to either the internal or external DB.

| Value | Description |
| --- | --- |
| externalPostgrest.imageName | |
| externalPostgrest.enable | Defaults to true |
| externalPostgrest.dbAnonRole | Defaults to postgrest_anon |
| externalPostgrest.dbScema | Defaults to public |
| externalPostgrest.logLevel | Defaults to info |
| externalPostgrest.maxRows | Defaults to 2000 |
| externalPostgrest.tag | Postgrest version |

Authentication

See SSO

| Value | Description |
| --- | --- |
| kratos.enabled | Defaults to true |
| kratos.kratos.config.courier.smtp.connection_uri | |
| kratos.deployment.resources | {} |
| kratos.kratos.config.log.level | Defaults to warning |
| kratos.kratos.config.secrets.default | |
| kratos.kratos.config.session.lifespan | Defaults to 336h |
| smtp.secretRef.name | Defaults to incident-commander-smtp |

See kratos/values.yaml for all options.

Security / Service Account Settings

| Value | Description |
| --- | --- |
| serviceAccount.rbac.clusterRole | Defaults to true |
| serviceAccount.rbac.configmaps | Defaults to true |
| serviceAccount.rbac.exec | Defaults to true |
| serviceAccount.rbac.podRun | Defaults to true |
| serviceAccount.rbac.readAll | Defaults to true |
| serviceAccount.rbac.secrets | Defaults to true |
| serviceAccount.rbac.tokenRequest | Defaults to true |
| canary-checker.image.type | Defaults to full |

Identity Mapper

The Identity Role Mapper script is a CEL script that is evaluated after Kratos runs the JSONNET claims mapper to map users to roles and membership in Mission Control teams.

| Value | Description |
| --- | --- |
| identityRoleMapper.configMap.key | |
| identityRoleMapper.configMap.mountPath | Defaults to /etc/identity-role-mapper |
| identityRoleMapper.configMap.name | |
| identityRoleMapper.script | CEL script that returns a JSON object with the role and list of teams an identity should be mapped to |

To grant the admin role to all users in the admins group (as returned by the identity provider):

    {
      "role": "admins" in identity.traits.groups ? "admin" : "viewer"
    }.toJSON()

Input

The CEL script can make use of any of these Identity fields provided by Kratos

| Field | Description | Scheme |
| --- | --- | --- |
| identity.traits.email* | Email address | string |
| identity.created_at | Timestamp for when the identity was created | |
| identity.id | Unique identifier for the identity | string |
| identity.metadata_public | Public metadata for the identity | |
| identity.state | Current state of the identity | |
| identity.traits.groups | List of groups the identity belongs to | |
| identity.traits.name.first | First name | string |
| identity.traits.name.last | Last name | string |
| identity.updated_at | Timestamp for when the identity was last updated | |

Output

The CEL script needs to return a JSON object that looks like:

    {
      "role": "admin",
      "teams": []
    }

| Field | Description | Scheme |
| --- | --- | --- |
| role | Mission control role. See RBAC | |
| teams | List of names or IDs of the teams the OIDC identity will be put into | |