Armory Scale Agent Service Configuration Options

This page contains a detailed list of configuration options for the Agent service.

Configuration options

| Settings | Type | Default | Description |
| --- | --- | --- | --- |
| clouddriver.auth.token | string | none | 0.3.0+ Optional bearer token added to each request back to the endpoint. |
| clouddriver.auth.tokenCommand.command, clouddriver.auth.tokenCommand.args, clouddriver.auth.tokenCommand.format, clouddriver.auth.tokenCommand.refreshIntervalSeconds | string, []string, string, integer | none, none, [], 0 | 0.3.0+ Invokes a command every refreshIntervalSeconds seconds that outputs either the token (format is raw) or a JSON object with an attribute of token (format is json or left empty). args is the optional list of parameters to the command. |
| clouddriver.grpc | string (hostname) | spin-clouddriver-grpc:9091 | Hostname of the Clouddriver or gRPC proxy endpoint. |
| clouddriver.backoff.baseDelay | long | 1000000000 (1 second) | 1.0.54+ The number of nanoseconds to back off after the first connection failure. For all clouddriver.backoff.* settings, check the backoff Go package for changes in the future. |
| clouddriver.backoff.multiplier | float | 1.6 | 1.0.54+ The factor by which to multiply connection backoffs after a failed retry. Should ideally be greater than 1. |
| clouddriver.backoff.jitter | float | 0.2 | 1.0.54+ The factor by which connection backoffs are randomized. |
| clouddriver.backoff.maxDelay | long | 120000000000 (120 seconds) | 1.0.54+ The upper bound, in nanoseconds, of the connection backoff delay. |
| clouddriver.keepAliveHeartbeatSeconds | integer | 20 | 0.6.9+ Optional. How often the gRPC keepalive message is sent. Not set: (default) sent every 20 seconds. 0: not sent. Any n value greater than 0: sent every n seconds. |
| clouddriver.keepAliveOperationSeconds | integer | 0 | 1.0.58+ Optional. How much time to wait after not receiving operations before restarting the connection to Clouddriver. Not set: default 0 (no restart). Any n value greater than 0: restart every n seconds. |
| clouddriver.keepAliveTimeOutSeconds | integer | none | Timeout before closing the gRPC connection. |
| clouddriver.insecure | boolean | true | Set to false if you are connecting to a TLS server. |
| clouddriver.noProxy | boolean | false | 0.3.1+ Ignore the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables when connecting back to the control plane (Armory Continuous Deployment). |
| clouddriver.responseRetries.enabled | boolean | true | 0.6.7+ Enables or disables retries. |
| clouddriver.responseRetries.maxRetries | integer | 3 | 0.6.7+ How many times to retry sending the response to Clouddriver. |
| clouddriver.responseRetries.backOffMs | integer | 3000 | 0.6.7+ How much time to wait between retries, in milliseconds. Note that the Agent Plugin config option kubesvc.cache.operationWaitMs should be set so that it does not time out before the retries are complete. |
| clouddriver.tls.serverName | string | none | Server name on the remote certificate (overrides the hostname). |
| clouddriver.tls.insecureSkipVerify | boolean | false | Do not verify the endpoint's certificate. |
| clouddriver.tls.clientCertFile | string | none | Client certificate file for mTLS. |
| clouddriver.tls.clientKeyFile | string | none | Client key file, if not included in the certificate. |
| clouddriver.tls.clientKeyFilePassword | string | none | Password for the key file, if needed. |
| clouddriver.tls.cacertFile | string | none | If provided, verify the endpoint certificate with this trust store. Otherwise, the system trust store is used. |
| dynamicAccounts.interceptor.enabled | boolean | true | Whether to intercept new accounts being added on the fly. |
| dynamicAccounts.enabled | boolean | false | Dynamic account feature enabled. |
| dynamicAccounts.scanBatchSize | integer | 572 | How many accounts to send to the Scale Agent at a time. |
| dynamicAccounts.scanFrequencySeconds | integer | 120 | How often to scan for accounts. |
| dynamicAccounts.namePatterns | list | [] | Patterns to match for account migration in the accounts table. |
| dynamicAccounts.credentialScanNamePatterns | list | [] | Patterns to match in credential sources. |
| kubernetes.noProxy | boolean | false | 0.3.1+ Ignore the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables when connecting to any Kubernetes cluster. |
| kubernetes.reconnectTimeoutMs | integer | 5000 | How long to wait before reconnecting to Armory Continuous Deployment. |
| kubernetes.cacheGroupSize | integer | 0 | Number of accounts per group when delaying watcher initialization. |
| kubernetes.cacheGroupDelayMs | integer | 0 | How long to wait between each group of accounts when initializing watchers. |
| kubernetes.accounts[].context | string | empty | If provided, use the given context of the configured kubeconfig. |
| kubernetes.accounts[].customResourceDefinitions | []{kind: } | empty | 0.4.0+ List of CustomResourceDefinition to expose to Armory Continuous Deployment. This is not needed if onlyNamespacedResources is left off. The format of kind is Kind.group. |
| kubernetes.accounts[].customResourceDefinitions.scope | string | Namespaced | 1.0.9+ Possible values are 'Cluster' and 'Namespaced'. The default value if left unconfigured is 'Namespaced'. |
| kubernetes.accounts[].kinds | []string | empty | Defines which Kubernetes kinds to cache for the Spinnaker UI. If not empty, only kinds in the list are cached. Use only the kind name in singular form and without group name (e.g. deployment, not deployment.apps). This also applies to CRDs. There's no benefit to caching kinds that don't display in the Spinnaker UI. The recommended set of kinds to include (per account) is: replicaSet, service, ingress, daemonSet, deployment, pod, statefulSet, job, cronJob. Note: Operations are still possible on every kind regardless of the config, and statuses for those operations are not affected. For example, if you need to deploy another kind such as HorizontalPodAutoscaler, and this kind is not defined in this list, the deployment still succeeds. |
| kubernetes.accounts[].kubeConfigFile | string | none | Path to the kubeconfig file if not using serviceAccount. |
| kubernetes.accounts[].insecure | boolean | false | Do not verify the TLS certificate of the Kubernetes API server. Don't use without a good reason. |
| kubernetes.accounts[].metrics | boolean | false | When true, sends pod metrics back to Armory Continuous Deployment every 20s. |
| kubernetes.accounts[].name | string | none, required | Name of the Kubernetes cluster in Armory Continuous Deployment. |
| kubernetes.accounts[].namespaces | []string | empty | 0.4.0+ Whitelist of namespaces to monitor. This comes at a greater cost of multiplying the resources by the number of namespaces. |
| kubernetes.accounts[].noProxy | boolean | false | 0.3.1+ Ignore the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables when connecting to that Kubernetes cluster. |
| kubernetes.accounts[].oAuthScopes | []string | empty | List of OAuth scopes when authenticating with the gcp provider. See Cluster access for kubectl. |
| kubernetes.accounts[].omitKinds | []string | empty | List of kinds not to cache. |
| kubernetes.accounts[].omitNamespaces | []string | empty | Blacklist of namespaces. This comes at a greater cost of multiplying the resources by the number of namespaces. NOT CURRENTLY IMPLEMENTED |
| kubernetes.accounts[].onlyNamespacedResources | boolean | false | 0.4.0+ If true, the Agent ignores non-namespaced resources; namespaces must be whitelisted with the namespaces setting and CRDs with customResourceDefinitions. |
| kubernetes.accounts[].onlySpinnakerManaged | boolean | false | Only return Armory Continuous Deployment managed resources. NOT IMPLEMENTED in the Agent but added to the plugin; see kubesvc.runtime.defaults.onlySpinnakerManaged. |
| kubernetes.accounts[].permissions | list | empty | List of permissions (currently READ or WRITE) with a list of authorized roles. For more information, see Permissions format. |
| kubernetes.accounts[].maxResumableResourceAgeMs | integer | 300000 (5m) | When connecting to Armory Continuous Deployment, the Agent asks Clouddriver for the latest resource version known per resource that is not older than that setting. The resource version is used to resume the watch without first doing a list, saving memory and time. There's no guarantee that the resource version is still known. If not "remembered" by the Kubernetes API server, a list call is used. See Kubernetes API Concepts. |
| kubernetes.accounts[].serviceAccount | boolean | false | If true and the Agent runs in Kubernetes, use the current service account to call the current API server. In that mode, you don't need to provide a kubeconfig file. |
| kubernetes.serverSideApply.enabled | string | allowed | 1.0.47+ Optional. always/never/allowed. Override annotations and kind list to Always/Never use ServerSideApply (SSA). allowed: Use CSA unless annotation agent-k8s.armory.io/serverside-apply: enabled is present or config kubernetes.serverSideApply.kinds[].enabled is present in the configuration file. |
| kubernetes.serverSideApply.clearManagedFields | string | allowed | 1.0.47+ Optional. always/never/allowed. Override annotations and kind list to Always/Never delete managed fields in order to keep the Agent as the only manager of a manifest. allowed: Send manifest as-is unless annotation agent-k8s.armory.io/ssa-clear-managed-fields: enabled is present or kubernetes.serverSideApply.kinds[].clearManagedFields is present in the configuration file. |
| kubernetes.serverSideApply.manifestDefaults | string | allowed | 1.0.47+ Optional. always/never/allowed. Override annotations and kind list to Always/Never modify applied manifests to include field defaults. allowed: Send manifest as-is unless annotation agent-k8s.armory.io/ssa-manifest-defaults: enabled is present or kubernetes.serverSideApply.kinds[].manifestDefaults is present in the configuration file. |
| kubernetes.serverSideApply.kinds[].kind | string | | 1.0.47+ Kind name ID for the next configurations. |
| kubernetes.serverSideApply.kinds[].enabled | string | allowed | 1.0.47+ Optional. always/never/allowed. Override annotations and kind list to Always/Never use ServerSideApply (SSA). allowed: Use CSA unless annotation agent-k8s.armory.io/serverside-apply: enabled is present. |
| kubernetes.serverSideApply.kinds[].clearManagedFields | string | allowed | 1.0.47+ Optional. always/never/allowed. Override annotations and kind list to Always/Never delete managed fields in order to keep the Agent as the only manager of a manifest. allowed: Send manifest as-is unless annotation agent-k8s.armory.io/ssa-clear-managed-fields: enabled is present. |
| kubernetes.serverSideApply.kinds[].manifestDefaults | string | allowed | 1.0.47+ Optional. always/never/allowed. Override annotations and kind list to Always/Never modify applied manifests to include field defaults. allowed: Send manifest as-is unless annotation agent-k8s.armory.io/ssa-manifest-defaults: enabled is present. |
| kubernetes.retries.enabled | boolean | true | Optional. Enable or disable retries when the Agent makes a failed request to the Kubernetes API server. |
| kubernetes.retries.maxRetries | integer | 3 | Optional. The number of times that the Agent will try the same request if it fails. |
| kubernetes.retries.backOffMs | integer | 3000 | Optional. How much time (in milliseconds) to wait between retry attempts. |
| kubernetes.retries.retryAnyError | boolean | false | Optional. If true, the Agent will retry when encountering any error from the Kubernetes API server. If false, the Agent will only retry if the error contains any item from retryableErrors. |
| kubernetes.retries.retryableErrors | string | timeout, deadline exceeded | Optional. If the error from the Kubernetes API server contains any item from this list, the request will be retried. Requires retryAnyError to be false. |
| logging.file | string | stdout if not defined | File to save logs to. |
| logging.format | string | text | Format for the Agent logs. Can be text or json. |
| logging.level | string | INFO | Log level. Can be any of (case insensitive): panic, fatal, error, warn (or warning), info, debug, trace. |
| logging.multiWrite | boolean | false | When set to true, logs are printed to stdout and saved to a file simultaneously. |
| logging.maxSizeMb | integer | 1 | Max size of each log file. |
| logging.maxAgeDays | integer | 10 | How many days to keep the log file backup. |
| logging.maxBackups | integer | 10 | Max number of log file backups. |
| logging.localTime | boolean | true | When set to true, the timestamps use local time; otherwise UTC. |
| logging.compress | boolean | false | When set to true, files are compressed as tar gz. |
| logging.fields | map | empty | Logging contextual key-value pairs. The agentCluster and agentNamespace keys can be detected automatically when a value is not provided, and are then populated with the name/host of the cluster and the namespace where the instance is running. E.g. with "logging.fields.agentNamespace:" the agentNamespace is automatically discovered by the instance; with "logging.fields.agentNamespace: test" the agentNamespace uses the provided value. |
| pprof.enabled | boolean | false | Enable the pprof endpoint. Useful for troubleshooting, slowness, memory leaks, and more! See the pprof README. |
| pprof.port | integer | 6060 | Port on which to respond to pprof requests. |
| prometheus.enabled | boolean | false | Enable the Prometheus handler. |
| prometheus.port | integer | 8008 | Port to expose Prometheus metrics on. Responds to both /metrics (standard) and /prometheus_metrics (Armory Continuous Deployment default). |
| server.host | string | localhost | Hostname of the server health check. |
| server.port | integer | 8082 | Port of the server health check. |
| server.ssl.enabled, server.ssl.certFile, server.ssl.keyFile, server.ssl.keyPassword, server.ssl.caCertFile, server.ssl.keyFilePassword, server.ssl.clientAuth | | | Various options to control TLS config. Don't bother, it's just for the health endpoint. |
| secrets.vault.* | object | none | Vault configuration. |
| tasks.totalBudget | integer | 1000 | If > 0, limits the number of cluster sync tasks that can be started concurrently. This applies when doing the initial listing before starting a watcher. Modifying this value can help reduce memory spikes when the Agent starts. |
| tasks.budgetPerAccount | integer | 50 | Same as totalBudget but per account. If both settings are provided, they're both checked. |
| tasks.queueCheckFrequencyMs | integer | 2000 | Frequency at which the Agent checks for new tasks to launch. Once launched, a task is not stopped until explicitly requested (account unregistered or connection to Armory Continuous Deployment lost). |
| timeoutSeconds | integer | 0 | 0.5.12+ The maximum length of time to wait before giving up on a server request. A value of zero means no timeout. |
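
Several defaults in this table matter for transport security, most notably clouddriver.insecure, which defaults to true. The following is an added example, not part of the Armory documentation or the Agent code: a default-aware audit of an Agent configuration. It assumes the configuration has already been parsed into a nested dict; the function names, file paths and both sample configurations are constructed for illustration.

```python
# Added example: default-aware audit of an Agent config already parsed into a dict
# (for instance with a YAML loader). Setting names and defaults are taken from the
# table above; both sample configs below are constructed for illustration.

def setting(cfg, path, default):
    """Return the value at a dotted path, or the documented default when unset."""
    node = cfg
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def audit(cfg):
    """Return (setting, reason) pairs for weakened transport or debug settings."""
    findings = []
    # The documented default is true, so a config that omits the key is still flagged.
    if setting(cfg, "clouddriver.insecure", True):
        findings.append(("clouddriver.insecure",
                         "true (the default); set to false to connect to a TLS server"))
    if setting(cfg, "clouddriver.tls.insecureSkipVerify", False):
        findings.append(("clouddriver.tls.insecureSkipVerify",
                         "endpoint certificate is not verified"))
    for account in setting(cfg, "kubernetes.accounts", []) or []:
        if account.get("insecure", False):
            findings.append((f"kubernetes.accounts[{account.get('name')}].insecure",
                             "Kubernetes API server certificate is not verified"))
    if setting(cfg, "pprof.enabled", False):
        port = setting(cfg, "pprof.port", 6060)
        findings.append(("pprof.enabled", f"pprof endpoint answers on port {port}"))
    return findings

WEAK = {  # constructed: relies on defaults and disables verification
    "clouddriver": {"grpc": "spin-clouddriver-grpc:9091",
                    "tls": {"insecureSkipVerify": True}},
    "kubernetes": {"accounts": [
        {"name": "prod", "serviceAccount": True},
        {"name": "legacy", "kubeConfigFile": "/kubeconfigfiles/legacy.yaml",
         "insecure": True}]},
    "pprof": {"enabled": True},
}
HARDENED = {  # constructed: TLS on, explicit trust store, no debug endpoint
    "clouddriver": {"grpc": "spin-clouddriver-grpc:9091", "insecure": False,
                    "tls": {"cacertFile": "/opt/agent/ca.pem",
                            "serverName": "clouddriver.example.internal"}},
    "kubernetes": {"accounts": [{"name": "prod", "serviceAccount": True}]},
}

if __name__ == "__main__":
    for name, reason in audit(WEAK):
        print(f"{name}: {reason}")
```

An empty configuration still yields one finding, because the clouddriver.insecure default applies when the key is absent.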

Last modified March 3, 2023: (2d069084)