Mission Control
Value | Description |
global.ui.host | The domain to be used for ingress. Defaults to mission-control-ui.local |
global.otel.collector | OpenTelemetry Endpoint to send internal traces |
global.registry | Defaults to docker.io/flanksource |
extraArgs | Extra arguments to mission-control |
image.pullPolicy | Defaults to IfNotPresent |
image.tag | |
otel.serviceName | Defaults to mission-control |
properties.incidents.disable | Defaults to {} |
properties.logs.disable | Defaults to true |
replicas | Defaults to 1 |
resources.limits.cpu | Defaults to 500m |
resources.limits.memory | Defaults to 1024Mi |
resources.requests.cpu | Defaults to 100m |
resources.requests.memory | Defaults to 768Mi |
Canary Checker
Value | Description |
canary-checker.resources.requests.cpu | Defaults to 100m |
canary-checker.resources.limits.cpu | Defaults to 500m |
canary-checker.resources.requests.memory | Defaults to 768Mi |
canary-checker.resources.limits.memory | Defaults to 1024Mi |
canary-checker.serviceAccount.annotations | {} |
canary-checker.serviceAccount.name | canary-checker-sa |
canary-checker.extraArgs | {} |
Config DB
Value | Description |
config-db.resources.requests.cpu | Defaults to 100m |
config-db.resources.limits.cpu | Defaults to 500m |
config-db.resources.requests.memory | Defaults to 768Mi |
config-db.resources.limits.memory | Defaults to 1024Mi |
config-db.serviceAccount.annotations | {} |
config-db.serviceAccount.name | config-db-sa |
config-db.extraArgs | {} |
Value | Description |
global.ui.host | The domain to be used for ingress, will be the primary entrypoint into mission control. Defaults to mission-control-ui.local |
ingress.annotations | Defaults to kubernetes.io/ingress.class: nginx |
ingress.enabled | Defaults to true |
global.ui.tlsSecretName | Defaults to mission-control-ui-tls |
global.api.tlsSecretName |
Value | Description |
db.create | Defaults to true |
db.conf | postgres.conf settings |
db.resources.requests.memory | Defaults to 4Gi |
db.shmVolume | Defaults to 256Mi |
db.storage | Defaults to 20Gi |
db.storageClass | |
db.secretKeyRef.key | Defaults to DB_URL |
db.secretKeyRef.name | Defaults to incident-commander-postgres |
Using an external database
In order to connect to an existing database, the secret referenced by db.secretKeyRef.name needs to be created.
- Create a new secret. See Postgres Connection Strings for a full list of parameters.

    kubectl create secret generic incident-commander-postgres \
      --from-literal=POSTGRES_PASSWORD=postgres

- Update the helm values to disable db creation:

    db:
      create: false

Updating postgres.conf settings
The default settings applied to the installed Postgres database can be configured under db.conf.
In order to increase (or decrease) memory usage, the db.conf, db.resources and db.shmVolume values need to be updated.

    db:
      shmVolume: 64Mi
      resources:
        requests:
          memory: 256Mi
        limits:
          memory: 512Mi
      conf:
        shared_buffers: 128MB
        max_connections: 30
        effective_cache_size: 256MB
        work_mem: 4MB

Value | Description |
max_connections | Defaults to 200 |
shared_buffers | Defaults to 1GB |
effective_cache_size | Defaults to 3GB |
maintenance_work_mem | Defaults to 256MB |
wal_buffers | Defaults to 16MB |
effective_io_concurrency | Defaults to 200 |
work_mem | Defaults to 10MB |
max_wal_size | Defaults to 4GB |
log_autovacuum_min_duration | Defaults to 0 |
log_connections | Defaults to on |
log_destination | Defaults to stderr |
log_directory | Defaults to /var/log/postgresql |
log_file_mode | Defaults to 0644 |
log_filename | Defaults to postgresql.log |
log_line_prefix | Defaults to %m [%p] %q[user=%u,db=%d,app=%a] |
log_lock_waits | Defaults to on |
log_min_duration_statement | Defaults to 1s |
log_rotation_age | Defaults to 0 |
log_rotation_size | Defaults to 0 |
log_statement | Defaults to "all" |
log_temp_files | Defaults to 0 |
log_timezone | Defaults to UTC |
logging_collector | Defaults to on |
ssl | Defaults to off |
timezone | Defaults to UTC |
password_encryption | Defaults to scram-sha-256 |
db_user_namespace | Defaults to off |
extra_float_digits | Defaults to 0 |
Pganalyze collector
A pganalyze.com collector can be installed using:
Value | Description |
db.pganalyze.enabled | Defaults to false |
db.pganalyze.secretName | Defaults to pganalyze. Secret containing the pganalyze API token |
db.pganalyze.systemID | Defaults to mission-control |
Mission Control uses PostgREST to provide a REST API over the database. This setup is automatic and connects to either the internal or external DB.
Value | Description |
externalPostgrest.imageName | |
externalPostgrest.enable | Defaults to true |
externalPostgrest.dbAnonRole | Defaults to postgrest_anon |
externalPostgrest.dbScema | Defaults to public |
externalPostgrest.logLevel | Defaults to info |
externalPostgrest.maxRows | Defaults to 2000 |
externalPostgrest.tag | Postgrest version |
Value | Description |
kratos.enabled | Defaults to true |
kratos.kratos.config.courier.smtp.connection_uri | |
kratos.deployment.resources | {} |
kratos.kratos.config.log.level | Defaults to warning |
kratos.kratos.config.secrets.default | |
kratos.kratos.config.session.lifespan | Defaults to 336h |
smtp.secretRef.name | Defaults to incident-commander-smtp |
See kratos/values.yaml for all options.
Security / Service Account Settings
Value | Description |
serviceAccount.rbac.clusterRole | Defaults to true |
serviceAccount.rbac.configmaps | Defaults to true |
serviceAccount.rbac.exec | Defaults to true |
serviceAccount.rbac.podRun | Defaults to true |
serviceAccount.rbac.readAll | Defaults to true |
serviceAccount.rbac.secrets | Defaults to true |
serviceAccount.rbac.tokenRequest | Defaults to true |
canary-checker.image.type | Defaults to full |
Identity Mapper
The Identity Role Mapper script is a CEL script that is evaluated after Kratos runs the JSONNET claims mapper to map users to roles and membership in Mission Control teams.
Value | Description |
identityRoleMapper.configMap.key | |
identityRoleMapper.configMap.mountPath | Defaults to /etc/identity-role-mapper |
identityRoleMapper.configMap.name | |
identityRoleMapper.script | CEL script that returns a JSON object with the role and list of teams an identity should be mapped to |
To grant the admin role to all users in the admins group (as returned by the identity provider):

    {"role": "admins" in identity.traits.groups ? "admin" : "viewer"}

The CEL script can make use of any of these Identity fields provided by Kratos
Field | Description | Scheme |
identity.traits.email* | Email address |
identity.created_at | Timestamp for when the identity was created | |
identity.id | Unique identifier for the identity |
identity.metadata_public | Public metadata for the identity | |
identity.state | Current state of the identity | |
identity.traits.groups | List of groups the identity belongs to | |
identity.traits.name.first | First name |
identity.traits.name.last | Last name |
identity.updated_at | Timestamp for when the identity was last updated |
The CEL script needs to return a JSON object that looks like:

    {
      "role": "admin",
      "teams": []
    }

Field | Description | Scheme |
role | Mission Control role. See RBAC | |
teams | List of names or ids of the teams the OIDC identity will be put into |
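
A fuller mapper than the one-line script above, as an added example that is not part of the chart's own documentation: it sets both role and teams, and falls back to viewer with no teams when the identity provider sends no groups trait. The `team-` group prefix, and the existence of Mission Control teams with the same names as those groups, are assumptions made for illustration.

```yaml
# Added example: Helm values override for identityRoleMapper.script.
# Assumption: the identity provider emits groups named "admins" and
# "team-<name>", and teams with those "team-<name>" names already exist.
identityRoleMapper:
  script: |
    {
      "role": (has(identity.traits.groups) && "admins" in identity.traits.groups)
        ? "admin"
        : "viewer",
      "teams": has(identity.traits.groups)
        ? identity.traits.groups.filter(g, g.startsWith("team-"))
        : []
    }
```

The `has()` guard matters because `in` applied to a missing groups trait is an evaluation error rather than `false`, so an identity without groups would otherwise get no mapping instead of the lowest-privilege one.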