Common Configuration Patterns

This page documents common configuration patterns shared between the Glass UI and Glass Instrumentation Helm charts.

Overview

Both Glass charts use consistent configuration structures for:

Image configuration
Service configuration
Resource requirements
Security contexts
Scheduling and affinity
Pod disruption budgets

Understanding these patterns makes it easier to configure any Glass service consistently.

Image Configuration

All container images use a consistent structure:

YAML
images:
  serviceName:
    registry: "registry.open-xchange.com"
    repository: "glass"
    name: "service-image"
    tag: "latest"
    pullPolicy: "IfNotPresent"

Parameter	Type	Description
`registry`	string	Container registry hostname (e.g., `registry.open-xchange.com`, `docker.io`)
`repository`	string	Repository path within the registry (e.g., `glass`, `myorg/glass`)
`name`	string	Image name (e.g., `nats`, `policy`, `middleware`)
`tag`	string	Image tag (e.g., `latest`, `1.0.0`, `v2.1.3`). Default: `latest`
`pullPolicy`	enum	Image pull policy: `Always`, `IfNotPresent`, or `Never`. Default: `IfNotPresent`
`registryOverride`	string	Override registry for this specific image (optional)
`repositoryOverride`	string	Override repository for this specific image (optional)

Example:

YAML
images:
  policy:
    registry: "registry.open-xchange.com"
    repository: "glass"
    name: "policy"
    tag: "1.2.3"
    pullPolicy: "IfNotPresent"

Service Configuration

All services follow a common configuration template:

YAML
serviceName:
  enabled: true
  replicas: 2
  logLevel: "info"
  logFormat: "json"
  resources:
    limits:
      cpu: 500m
      memory: 512Mi
    requests:
      cpu: 100m
      memory: 128Mi
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}
  podLabels: {}
  containerSecurityContext: {}
  podSecurityContext: {}
  serviceAccount:
    create: true
    name: ""
    annotations: {}

Parameter	Type	Description
`enabled`	boolean	Enable or disable this service deployment. Default: `true`
`replicas`	integer	Number of pod replicas for high availability and load distribution (0-100)
`logLevel`	enum	Logging verbosity level: `debug`, `info`, `warn`, or `error`
`logFormat`	enum	Log output format: `json` (structured) or `text` (human-readable)
`resources`	object	Container resource requirements - see Resource Requirements
`nodeSelector`	object	Node selection constraints for pod scheduling (key-value pairs)
`tolerations`	array	Pod tolerations for taint-based node selection
`affinity`	object	Pod affinity and anti-affinity rules for advanced scheduling
`podAnnotations`	object	Custom annotations to add to service pods
`podLabels`	object	Custom labels to add to service pods
`containerSecurityContext`	object	Container-level security context - see Container Security Context
`podSecurityContext`	object	Pod-level security context - see Pod Security Context
`serviceAccount`	object	Kubernetes service account configuration for this service
`podDisruptionBudget`	object	Service-specific pod disruption budget configuration

Resource Requirements

Kubernetes resource requests and limits for CPU and memory.

YAML
resources:
  requests:
    cpu: "100m"
    memory: "128Mi"
  limits:
    cpu: "1000m"
    memory: "512Mi"

Parameter	Type	Description
`requests.cpu`	string	CPU request (e.g., `100m`, `0.5`, `1`)
`requests.memory`	string	Memory request (e.g., `128Mi`, `1Gi`, `512M`)
`limits.cpu`	string	CPU limit (e.g., `1000m`, `2`, `4`)
`limits.memory`	string	Memory limit (e.g., `512Mi`, `2Gi`, `1G`)

CPU Units

1 = 1 CPU core
1000m = 1 CPU core (millicore notation)
500m = 0.5 CPU cores

Memory Units

Mi = Mebibytes (1024² bytes)
Gi = Gibibytes (1024³ bytes)
M = Megabytes (1000² bytes)
G = Gigabytes (1000³ bytes)

Container Security Context

Container-level security settings including user, capabilities, and seccomp profiles.

YAML
containerSecurityContext:
  runAsNonRoot: true
  runAsUser: 1000
  runAsGroup: 1000
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  seccompProfile:
    type: RuntimeDefault

Parameter	Type	Description
`allowPrivilegeEscalation`	boolean	Allow privilege escalation (should typically be `false`)
`readOnlyRootFilesystem`	boolean	Mount root filesystem as read-only for security
`runAsNonRoot`	boolean	Require container to run as non-root user
`runAsUser`	integer	User ID to run the container (UID ≥ 0)
`runAsGroup`	integer	Group ID to run the container (GID ≥ 0)
`capabilities.add`	array	Linux capabilities to add to the container
`capabilities.drop`	array	Linux capabilities to drop from the container
`seccompProfile.type`	enum	Seccomp profile type: `RuntimeDefault`, `Unconfined`, or `Localhost`
`seccompProfile.localhostProfile`	string	Path to localhost seccomp profile (if type is `Localhost`)

Pod Security Context

Pod-level security settings including user, group, and filesystem permissions.

YAML
podSecurityContext:
  runAsNonRoot: true
  runAsUser: 1000
  runAsGroup: 1000
  fsGroup: 1000
  fsGroupChangePolicy: "OnRootMismatch"
  seccompProfile:
    type: RuntimeDefault

Parameter	Type	Description
`runAsNonRoot`	boolean	Require all containers to run as non-root user
`runAsUser`	integer	User ID for all containers in the pod (UID ≥ 0)
`runAsGroup`	integer	Primary group ID for all containers (GID ≥ 0)
`fsGroup`	integer	Special supplemental group for volume ownership (GID ≥ 0)
`fsGroupChangePolicy`	enum	Policy for changing volume ownership: `Always` or `OnRootMismatch`
`seccompProfile.type`	enum	Seccomp profile type: `RuntimeDefault`, `Unconfined`, or `Localhost`

Scheduling

Node Selector

Constrain pods to nodes with specific labels:

YAML
nodeSelector:
  kubernetes.io/os: linux
  node-type: worker

Tolerations

Allow pods to schedule on nodes with specific taints:

YAML
tolerations:
  - key: "dedicated"
    operator: "Equal"
    value: "dns"
    effect: "NoSchedule"

Affinity

Advanced pod scheduling rules:

YAML
affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
        - matchExpressions:
            - key: topology.kubernetes.io/zone
              operator: In
              values:
                - us-east-1a
                - us-east-1b

Anti-Affinity Preset

Some services support an anti-affinity preset for simplified configuration:

YAML
antiAffinityPreset: "soft"  # or "hard"

soft (preferred): Pods prefer different nodes but can colocate if necessary
hard (required): Pods must be on different nodes

Pod Disruption Budget

Ensure service availability during voluntary disruptions:

YAML
podDisruptionBudget:
  minAvailable: 1
  # or
  maxUnavailable: 1

Parameter	Type	Description
`minAvailable`	integer/string	Minimum pods that must be available (e.g., `1`, `50%`)
`maxUnavailable`	integer/string	Maximum pods that can be unavailable (e.g., `1`, `25%`)

Usage Across Charts

Glass UI Services

All Glass UI services (policy, middleware, authUsers, etc.) use these common patterns.

Glass Instrumentation Services

All Glass Instrumentation services (discovery, dynamicSnapshots, logStreamer, etc.) use these common patterns.

Image References

All images.* properties across both charts follow the image configuration pattern.