Glass UI Configuration Reference

This page provides a complete reference for all configuration parameters available in the Glass UI Helm chart.

Shared Configuration

Many parameters use shared patterns documented in Common Configuration, including image configuration, resource requirements, and security contexts.

Cluster Identity

Cluster identification and labeling for SPOG organization.

Parameter Default Description
clusterId Unique cluster identifier for SPOG control plane. Used to identify this cluster in the SPOG system. Must follow Kubernetes naming conventions (lowercase alphanumeric characters or '-'). Can be empty string (optional).
labels {} Cluster labels as key-value pairs for cluster organization and filtering in SPOG. These labels are used for label-based access control, dashboard filtering, and cluster taxonomy. (accepts arbitrary string key-value pairs)

Example:
environment: production
region: center
role: control-plane

Reserved Label Keys

The following keywords are reserved and should not be used as label keys: and, or, not, in, like, contains, group, by, cluster_id. These conflict with the GlassQL filter query syntax.
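The clusterId and labels rules above can be enforced before a values file is applied. The following validator is an added example, not part of the chart; it reads "Kubernetes naming conventions" as the DNS-1123 label rule and rejects reserved keys case-insensitively, which is stricter than the text strictly requires.

```python
"""Validate the Cluster Identity parameters (clusterId, labels).

Added example, not chart code. Assumptions: "Kubernetes naming conventions"
is read as the DNS-1123 label rule (lowercase alphanumerics or '-', must
start and end alphanumeric, at most 63 characters), and reserved keys are
rejected case-insensitively.
"""
import re

# Reserved words that clash with GlassQL filter syntax (from the reference).
RESERVED_LABEL_KEYS = frozenset(
    {"and", "or", "not", "in", "like", "contains", "group", "by", "cluster_id"}
)
_DNS1123_LABEL = re.compile(r"[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?")


def validate_cluster_identity(values: dict) -> list[str]:
    """Return a list of problems; an empty list means the section is valid."""
    problems: list[str] = []
    cluster_id = values.get("clusterId") or ""  # empty string is allowed
    if not isinstance(cluster_id, str):
        problems.append("clusterId: must be a string")
    elif cluster_id and not _DNS1123_LABEL.fullmatch(cluster_id):
        problems.append(f"clusterId {cluster_id!r}: not a valid DNS-1123 label")
    labels = values.get("labels") or {}
    if not isinstance(labels, dict):
        problems.append("labels: must be a mapping of string keys to string values")
        return problems
    for key, value in labels.items():
        # YAML may hand us non-string scalars (e.g. `tier: 1`); the chart
        # only accepts string pairs, so report those before the keyword check.
        if not isinstance(key, str) or not isinstance(value, str):
            problems.append(f"labels[{key!r}]: keys and values must be strings")
            continue
        if key.lower() in RESERVED_LABEL_KEYS:
            problems.append(f"labels[{key!r}]: reserved GlassQL keyword, choose another key")
    return problems


# Constructed sample values (not from the chart): the first mirrors the
# documented example and should pass, the second collects typical mistakes.
GOOD_VALUES = {
    "clusterId": "prod-eu-central-1",
    "labels": {"environment": "production", "region": "center", "role": "control-plane"},
}
BAD_VALUES = {
    "clusterId": "Prod_Cluster",  # uppercase and underscore are not allowed
    "labels": {"group": "dns", "tier": 1, "Cluster_ID": "x", "region": "center"},
}

if __name__ == "__main__":
    for name, vals in (("good", GOOD_VALUES), ("bad", BAD_VALUES)):
        print(name, validate_cluster_identity(vals) or "ok")
```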

Labels defined here are used throughout SPOG for:

Global Settings

Global configuration values that apply to all services in the chart.

Parameter Default Description
global.image.registry Override container registry for all images (e.g., 'myregistry.local:8085')

Example: myregistry.local:8085
global.image.repository Override repository path for all images (e.g., 'myproject')

Example: myproject
global.image.pullPolicy IfNotPresent Set image pull policy for all containers

Options: Always, IfNotPresent, Never
global.imagePullSecrets {} Define inline registry credentials for pulling private images (accepts arbitrary keys with object values)

Example:
myIPSSecret:
  email: admin@registry.example.com
  password: regPassword
  registry: registry.example.com:5000
  username: regUsername
global.imagePullSecretsList [] Reference existing Kubernetes image pull secrets by name

Example:
- global-imagepullsecrets-1
- global-imagepullsecrets-2
global.openshift.enabled false Enable OpenShift compatibility mode

Default Pod Configuration

Security, scheduling, and availability settings inherited by all services. The defaults implement Pod Security Standards (Restricted profile) for secure, production-ready deployments.

Parameter Default Description
containerSecurityContext
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
  type: RuntimeDefault
Default container security context for all services. Defaults implement Pod Security Standards (Restricted profile).
podSecurityContext
fsGroup: 10001
fsGroupChangePolicy: OnRootMismatch
runAsGroup: 10001
runAsNonRoot: true
runAsUser: 10001
seccompProfile:
  type: RuntimeDefault
Default pod security context for all services. Runs as non-root user 10001 with seccomp enabled.
podAnnotations {} Default pod annotations for all services. Useful for Prometheus scrape config or policy enforcement. (accepts arbitrary string key-value pairs)

Example:
prometheus.io/port: '8080'
prometheus.io/scrape: 'true'
podLabels {} Default pod labels for all services. Added to all pods in addition to standard labels. (accepts arbitrary string key-value pairs)
nodeSelector {} Default node selector for all services. Schedule pods only on nodes with matching labels. (accepts arbitrary string key-value pairs)

Example:
workload-type: spog
tolerations [] Default tolerations for all services. Allow pods to schedule on nodes with matching taints.

Example:
- effect: NoSchedule
  key: dedicated
  operator: Equal
  value: spog
affinity {} Default affinity rules for all services.
antiAffinityPreset - ⚠️ Not found in schema
podDisruptionBudget
minAvailable: 1
Default pod disruption budget for all services. Controls voluntary pod evictions during maintenance.

Individual services can override these settings. Use nodeSelector and tolerations for dedicated node pools, and antiAffinityPreset: required for strict high-availability requirements.
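A service override can silently drop one of the settings that make the defaults Restricted-compliant, so it is worth re-checking merged pod and container contexts. The following added example (not chart code) encodes the Restricted rules as published in the Kubernetes Pod Security Standards and runs them over the defaults above and over the nats override from the NATS Server section; container-level values override pod-level ones, as Kubernetes merges them.

```python
"""Restricted-profile check for a pod/container securityContext pair.

Added example, not chart code. Rules follow the Kubernetes Pod Security
Standards "Restricted" profile: allowPrivilegeEscalation explicitly false,
all capabilities dropped (only NET_BIND_SERVICE may be re-added),
runAsNonRoot true and runAsUser not 0 at pod or container level, and a
RuntimeDefault or Localhost seccomp profile at pod or container level.
readOnlyRootFilesystem is extra hardening, not a Restricted requirement,
so it is not checked here.
"""
from typing import Any

# Chart defaults, copied from the Default Pod Configuration table.
DEFAULT_POD_CTX = {
    "fsGroup": 10001, "fsGroupChangePolicy": "OnRootMismatch",
    "runAsGroup": 10001, "runAsNonRoot": True, "runAsUser": 10001,
    "seccompProfile": {"type": "RuntimeDefault"},
}
DEFAULT_CONTAINER_CTX = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
    "readOnlyRootFilesystem": True,
    "runAsNonRoot": True,
    "seccompProfile": {"type": "RuntimeDefault"},
}
# The NATS override from the NATS Server table: seccomp is set only on the
# container and runAsNonRoot only on the pod, so the two sides must be merged.
NATS_POD_CTX = {"fsGroup": 953, "runAsGroup": 953, "runAsNonRoot": True, "runAsUser": 953}
NATS_CONTAINER_CTX = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
    "readOnlyRootFilesystem": True,
    "seccompProfile": {"type": "RuntimeDefault"},
}


def _effective(pod_ctx: dict, container_ctx: dict, field: str) -> Any:
    """Container-level setting wins; otherwise the pod-level one applies."""
    return container_ctx[field] if field in container_ctx else pod_ctx.get(field)


def check_restricted(pod_ctx: dict, container_ctx: dict) -> list[str]:
    """Return Restricted-profile violations; an empty list means compliant."""
    violations: list[str] = []
    if container_ctx.get("allowPrivilegeEscalation") is not False:
        violations.append("allowPrivilegeEscalation must be explicitly false")
    caps = container_ctx.get("capabilities") or {}
    if "ALL" not in (caps.get("drop") or []):
        violations.append("capabilities.drop must include ALL")
    if any(c != "NET_BIND_SERVICE" for c in (caps.get("add") or [])):
        violations.append("only NET_BIND_SERVICE may be added back")
    if _effective(pod_ctx, container_ctx, "runAsNonRoot") is not True:
        violations.append("runAsNonRoot must be true at pod or container level")
    if _effective(pod_ctx, container_ctx, "runAsUser") == 0:
        violations.append("runAsUser must not be 0")
    seccomp = _effective(pod_ctx, container_ctx, "seccompProfile") or {}
    if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
        violations.append("seccompProfile.type must be RuntimeDefault or Localhost")
    return violations


if __name__ == "__main__":
    for name, pod, ctr in (("defaults", DEFAULT_POD_CTX, DEFAULT_CONTAINER_CTX),
                           ("nats", NATS_POD_CTX, NATS_CONTAINER_CTX)):
        print(name, check_restricted(pod, ctr) or "compliant")
```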

Product Configuration

Identifies this deployment within the SPOG ecosystem and configures the CloudControl API prefix.

Parameter Default Description
powerdns.product spog-glass-ui Product identifier used for resource naming and Kubernetes labeling

Example: spog-glass-ui
ccPrefix spog.glass.powerdns.com Prefix used for labels on SPOG objects in Kubernetes for resource organization and identification

Example: spog.glass.powerdns.com

TLS Configuration

Global TLS settings for ingress resources and certificate management.

Parameter Default Description
globalTls.enabled false Master TLS switch. When true, enables TLS for: (1) UI ingress, (2) NATS WebSocket. Service-specific TLS can also be enabled independently via ui.ingress.tls.enabled or nats.tls.enabled.
globalTls.secretName Default TLS secret name used by all services unless overridden. Fallback chain: ui.ingress.tls.secretName → globalTls.secretName, nats.tls.secretName → globalTls.secretName. Must contain tls.crt and tls.key.

Example: glass-ui-tls
globalTls.certbot.enabled false Enable automatic certificate management via cert-manager ingress annotations
globalTls.certbot.email Email address for Let's Encrypt certificate notifications and renewal alerts. Can be empty if certbot is disabled.
globalTls.certbot.staging false Use Let's Encrypt staging environment for testing (avoids rate limits during development)
globalTls.certbot.annotations {} Additional cert-manager annotations for certificate customization (accepts arbitrary string key-value pairs)

Example:
acme.cert-manager.io/http01-override-ingress-name: custom-ingress
cert-manager.io/issue-temporary-certificate: 'true'

Enable globalTls.certbot for automatic certificate provisioning via Let's Encrypt. Set certbot.staging: true for testing to avoid rate limits.

Ingress Configuration

Global ingress controller settings and routing configuration.

Parameter Default Description
globalIngress.controller Ingress controller type deployed in the cluster. Determines controller-specific annotations and behavior. Empty string uses the cluster default ingress controller.

Options: empty string (cluster default), nginx, traefik, haproxy, istio, custom

Example: nginx
globalIngress.customAnnotations {} Custom annotations for non-standard or exotic ingress controllers. Applied to all ingress resources. (accepts arbitrary string key-value pairs)

Example:
custom.ingress.kubernetes.io/rate-limit: '100'
custom.ingress.kubernetes.io/timeout: 300s
globalIngress.host Global hostname that all ingress resources fall back to if not specified at service level. Should be a fully qualified domain name (FQDN). Can be empty.

NATS Server

NATS messaging server configuration for real-time communication between the control plane and instrumented clusters.

Parameter Default Description
nats.replicas 1 Number of NATS server replicas for high availability

Example: 1
nats.websocket.nodePort 31222 NodePort for WebSocket service (required for external access)

Example: 31222
nats.tls.enabled false Enable TLS for NATS WebSocket independently of globalTls. TLS activates if this OR globalTls.enabled is true. Use this to enable NATS TLS while keeping ingress on HTTP, or vice versa.
nats.tls.secretName Kubernetes TLS secret for NATS WebSocket. Falls back to globalTls.secretName if not set. Typically use the same secret as ingress for wildcard certificates, or a separate secret for NATS-specific certificates.

Example: nats-tls-cert
nats.debug false Enable NATS server debug logging
nats.trace false Enable NATS server trace logging (very verbose)
nats.resources
limits:
  cpu: 500m
  memory: 512Mi
requests:
  cpu: 100m
  memory: 128Mi
Container resource requirements (CPU/memory requests and limits) for NATS server
nats.podSecurityContext
fsGroup: 953
runAsGroup: 953
runAsNonRoot: true
runAsUser: 953
Pod-level security context for NATS server deployment
nats.containerSecurityContext
allowPrivilegeEscalation: false
capabilities:
  drop:
  - ALL
readOnlyRootFilesystem: true
seccompProfile:
  type: RuntimeDefault
Container-level security context for NATS server container

Leaf Node Architecture

The Glass UI NATS server connects as a leaf node to the central control plane NATS hub at nats-hub:7422. This leaf node topology allows the UI to communicate with all instrumented clusters through the hub while keeping the NATS configuration simple and scalable. The hub connection uses authentication credentials from the nats-secrets secret provisioned by CloudControl.

NATS provides the messaging backbone for SPOG. For high availability, increase replicas to 3 or more. Enable TLS for production deployments with leaf-node connections from remote clusters.

Policy Service

REGO-based authorization engine for access control decisions.

Parameter Default Description
policy
affinity: {}
enabled: true
logFormat: json
logLevel: info
nodeSelector: {}
podAnnotations: {}
podLabels: {}
replicas: 2
resources:
  limits:
    cpu: 500m
    memory: 512Mi
  requests:
    cpu: 100m
    memory: 128Mi
serviceAccount:
  annotations: {}
  create: true
  name: glass-policy
tolerations: []
Policy service configuration - REGO-based authorization engine
policy.oidc.enabled false Enable OIDC authentication. When false, static users are used instead.
policy.oidc.issuerUrl OIDC provider issuer URL (e.g., 'https://auth.example.com' or 'https://accounts.google.com')
policy.oidc.customCA Custom CA certificate for validating OIDC provider TLS. Use when the IdP uses certificates signed by a private CA.

Example:
configMapKey: ca.crt
configMapName: my-oidc-ca
enabled: true
policy.secrets
natsPassword:
  valueFrom:
    secretKeyRef:
      key: password
      name: glass-nats-policy-auth
natsUser:
  value: policy
nkeysIssuer:
  valueFrom:
    secretKeyRef:
      key: public
      name: glass-jwt-mint-nkey
Policy service secrets for JWT validation and NATS authentication. These secrets are generated automatically by the glass-ui chart's init jobs and typically do not need to be modified.

Example:
natsPassword:
  valueFrom:
    secretKeyRef:
      key: password
      name: glass-nats-policy-auth
natsUser:
  value: policy
nkeysIssuer:
  valueFrom:
    secretKeyRef:
      key: public
      name: glass-jwt-mint-nkey

See Authentication and Authorization for policy configuration details and examples.

Middleware Service

Service discovery and cluster routing for the control plane.

Parameter Default Description
centerMiddleware
affinity: {}
enabled: true
logFormat: json
logLevel: info
nodeSelector: {}
podAnnotations: {}
podLabels: {}
replicas: 1
resources:
  limits:
    cpu: 500m
    memory: 512Mi
  requests:
    cpu: 100m
    memory: 128Mi
secrets:
  natsToken:
    valueFrom:
      secretKeyRef:
        key: token
        name: glass-center-middleware-auth
serviceAccount:
  annotations: {}
  create: true
  name: glass-center-middleware
tolerations: []
Center Middleware service configuration - service discovery and cluster routing

Service Multiplexer

Multi-cluster call routing for distributed operations.

Parameter Default Description
centerServiceMultiplexer
affinity: {}
enabled: true
logFormat: json
logLevel: info
nodeSelector: {}
podAnnotations: {}
podLabels: {}
replicas: 1
resources:
  limits:
    cpu: 500m
    memory: 512Mi
  requests:
    cpu: 100m
    memory: 128Mi
secrets:
  natsToken:
    valueFrom:
      secretKeyRef:
        key: token
        name: glass-center-service-multiplexer-auth
serviceAccount:
  annotations: {}
  create: true
  name: glass-center-service-multiplexer
tolerations: []
Service Multiplexer configuration - multi-cluster call routing
centerServiceMultiplexer.allowlist
- cc-api-adapter.*
- log-streamer.Stream
- k8s-manager.*
- dns-check.Query

Auth Users Service

User authentication service supporting Static, LDAP, and OIDC providers.

Parameter Default Description
authUsers
affinity: {}
enabled: true
logFormat: json
logLevel: info
nodeSelector: {}
podAnnotations: {}
podLabels: {}
replicas: 2
resources:
  limits:
    cpu: 500m
    memory: 512Mi
  requests:
    cpu: 100m
    memory: 128Mi
tolerations: []
Auth Users service configuration - authentication service (Static/LDAP/OIDC)

Global Config Data

Dashboard and navigation data configuration.

Parameter Default Description
globalConfig Global configuration for dashboards and navigation
globalConfig.defaults.enabled true Enable default dashboards and navigation. When enabled, provides a default dashboard at '/' with all widgets and a 'Tools' menu with DNS Query and Flush Cache. Set to false to disable all defaults.
globalConfig.dashboards {}
globalConfig.navigation
menus: []

See Dashboards and Playlists and Navigation for configuration details and examples.

Global Config Dashboards Service

Dashboard configuration provider service.

Parameter Default Description
globalConfigDashboards
affinity: {}
enabled: true
logFormat: json
logLevel: info
nodeSelector: {}
podAnnotations: {}
podLabels: {}
replicas: 2
resources:
  limits:
    cpu: 500m
    memory: 512Mi
  requests:
    cpu: 100m
    memory: 128Mi
secrets:
  natsToken:
    valueFrom:
      secretKeyRef:
        key: token
        name: glass-global-config-dashboard-auth
serviceAccount:
  annotations: {}
  create: true
  name: glass-global-config-dashboards
tolerations: []
Global Config Dashboards service configuration - dashboard configuration provider
globalConfigDashboards.serviceName center-dynamic-dashboards

Global Config Navigation Service

Navigation configuration provider service.

Parameter Default Description
globalConfigNavigation
affinity: {}
enabled: true
logFormat: json
logLevel: info
nodeSelector: {}
podAnnotations: {}
podLabels: {}
replicas: 2
resources:
  limits:
    cpu: 500m
    memory: 512Mi
  requests:
    cpu: 100m
    memory: 128Mi
secrets:
  natsToken:
    valueFrom:
      secretKeyRef:
        key: token
        name: glass-global-config-navigation-auth
serviceAccount:
  annotations: {}
  create: true
  name: glass-global-config-navigation
tolerations: []
Global Config Navigation service configuration - navigation configuration provider
globalConfigNavigation.serviceName center-navigation

Snapshot Mirrors Data

Configuration for snapshot mirror instances.

Parameter Default Description
snapshotMirrors
cc-state:
  dynamic: true
  mirrorDescription: Cloud Control State Mirror
  mirrorName: cc-state
  mirrorVersion: 1.0.0
  refreshIntervalSeconds: 1
  targetEndpoint: State
  targetMajorVersion: v1
  targetService: cc-api-adapter
  targetVersionConstraint: '>=1.0.0'
Configuration for snapshot mirror instances (accepts arbitrary keys with object values)

Snapshot Mirror CC State Service

CloudControl state caching service for improved performance and reduced API load.

Parameter Default Description
snapshotMirrorCcState
affinity: {}
enabled: true
logFormat: json
logLevel: info
nodeSelector: {}
podAnnotations: {}
podLabels: {}
replicas: 1
resources:
  limits:
    cpu: 500m
    memory: 512Mi
  requests:
    cpu: 100m
    memory: 128Mi
secrets:
  natsToken:
    valueFrom:
      secretKeyRef:
        key: token
        name: glass-cc-state-auth
serviceAccount:
  annotations: {}
  create: true
  name: glass-cc-state-mirror
tolerations: []
CloudControl State Mirror service configuration - caches CloudControl state
snapshotMirrorCcState.mirrorName cc-state
snapshotMirrorCcState.targetService cc-api-adapter
snapshotMirrorCcState.targetEndpoint State
snapshotMirrorCcState.dynamic true
snapshotMirrorCcState.refreshIntervalSeconds 1

Event Monitors Data

Configuration for event monitor instances.

Parameter Default Description
eventMonitors
multiplexedCall:
  eventName: MultiplexedCall
  eventService: multiplexer
  eventVersion: v1
Configuration for event monitor instances (accepts arbitrary keys with object values)

Event Monitor Multiplexed Call Service

Audit logging and event monitoring for tracking system activity.

Parameter Default Description
eventMonitorMultiplexedCall
affinity: {}
enabled: true
logFormat: json
logLevel: info
nodeSelector: {}
podAnnotations: {}
podLabels: {}
replicas: 1
resources:
  limits:
    cpu: 500m
    memory: 512Mi
  requests:
    cpu: 100m
    memory: 128Mi
secrets:
  natsToken:
    valueFrom:
      secretKeyRef:
        key: token
        name: glass-multiplexed-call-event-monitor-auth
serviceAccount:
  annotations: {}
  create: true
  name: glass-multiplexed-call-event-monitor
tolerations: []
Multiplexed Call Event Monitor service configuration - audit logging and event monitoring
eventMonitorMultiplexedCall.eventName MultiplexedCall
eventMonitorMultiplexedCall.eventService multiplexer

UI Service

Web frontend application providing the Glass interface.

Parameter Default Description
ui
affinity: {}
enabled: true
logFormat: json
logLevel: info
nodeSelector: {}
podAnnotations: {}
podLabels: {}
replicas: 2
resources:
  limits:
    cpu: 500m
    memory: 512Mi
  requests:
    cpu: 100m
    memory: 128Mi
serviceAccount:
  annotations: {}
  create: true
  name: glass-ui
tolerations: []
UI service configuration - Vue 3 frontend with PrimeVue components
ui.config.loginConfig
loginType: static
UI authentication configuration. Supports static (built-in) users or OIDC authentication via an external identity provider.

Example:
additionalScopes:
- groups
authority: https://auth.example.com/realms/spog
client_id: spog-console
loginType: oidc
post_logout_redirect_uri: https://console.example.com
redirect_uri: https://console.example.com/authz/callback
ui.service.type ClusterIP Kubernetes service type

Options: ClusterIP, NodePort, LoadBalancer
ui.service.nodePort NodePort for service (only used when type is NodePort)
ui.ingress.host Hostname for UI ingress. Falls back to globalIngress.host if not set.
ui.ingress.tls.enabled false Enable TLS for UI ingress independently of globalTls. TLS activates if this OR globalTls.enabled is true.
ui.ingress.tls.secretName TLS secret name for UI ingress. Falls back to globalTls.secretName if not set. Use this to specify a different certificate than NATS or other services.

The loginConfig setting controls how users authenticate. Use loginType: static for built-in users (defined in policy.staticUsers) or loginType: oidc for external identity providers. When using OIDC, the redirect_uri must point to https://<your-host>/authz/callback.

See Authentication and Authorization for complete setup instructions and provider-specific examples (Dex, Keycloak).
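The TLS fallback chain for ui.ingress.tls and nats.tls above (also described in the TLS Configuration and NATS Server sections) can be checked against a values file before installing. The following added example, not part of the chart, models that resolution in Python over constructed values dicts; the ERROR/WARN labels and the certbot e-mail check are its own conventions.

```python
"""Resolve the effective TLS state of the chart's two TLS consumers.

Added example, not chart code. It models the documented chain: a consumer
has TLS on if its own flag OR globalTls.enabled is true, and its secret is
its own secretName, falling back to globalTls.secretName.
"""
from dataclasses import dataclass
from typing import Any, Optional


def _get(values: dict, path: str, default: Any = None) -> Any:
    """Dotted-path lookup into a nested values dict (missing -> default)."""
    node: Any = values
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


@dataclass(frozen=True)
class TlsResolution:
    consumer: str
    enabled: bool
    secret_name: Optional[str]
    source: str  # which key supplied the secret, useful in an audit report


_CONSUMERS = {
    "ui.ingress": ("ui.ingress.tls.enabled", "ui.ingress.tls.secretName"),
    "nats": ("nats.tls.enabled", "nats.tls.secretName"),
}


def resolve_tls(values: dict, consumer: str) -> TlsResolution:
    flag_path, secret_path = _CONSUMERS[consumer]
    enabled = bool(_get(values, flag_path, False)) or bool(_get(values, "globalTls.enabled", False))
    secret = _get(values, secret_path) or None
    source = secret_path
    if secret is None:  # fall back to the global secret
        secret = _get(values, "globalTls.secretName") or None
        source = "globalTls.secretName" if secret else "unset"
    return TlsResolution(consumer, enabled, secret, source)


def audit_tls(values: dict) -> list[str]:
    """Return findings; an empty list means the TLS settings are consistent."""
    findings: list[str] = []
    for consumer in _CONSUMERS:
        r = resolve_tls(values, consumer)
        if r.enabled and r.secret_name is None:
            findings.append(f"ERROR {consumer}: TLS enabled but no secretName resolves")
        elif not r.enabled:
            findings.append(f"WARN {consumer}: TLS disabled, traffic is plaintext")
    if _get(values, "globalTls.certbot.enabled", False) and not _get(values, "globalTls.certbot.email"):
        findings.append("ERROR globalTls.certbot: enabled without an email address")
    return findings


# Constructed sample values (not from the chart).
DEFAULT_VALUES: dict = {}  # everything at chart defaults: no TLS anywhere
HARDENED_VALUES = {
    "globalTls": {"enabled": True, "secretName": "glass-ui-tls"},
    "nats": {"tls": {"secretName": "nats-tls-cert"}},  # NATS-specific cert
}
PARTIAL_VALUES = {"nats": {"tls": {"enabled": True}}}  # flag set, no secret
```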

Container Images

Container image configuration for all services. Set top-level defaults for registry, project, and pullPolicy, or override per-service using the imageConfig structure.

Parameter Default Description
images
authUsers:
  name: auth-users
  pullPolicy: IfNotPresent
  registry: registry.open-xchange.com
  repository: glass
  tag: latest
eventMonitor:
  name: event-monitor
  pullPolicy: IfNotPresent
  registry: registry.open-xchange.com
  repository: glass
  tag: latest
globalConfig:
  name: global-config
  pullPolicy: IfNotPresent
  registry: registry.open-xchange.com
  repository: glass
  tag: latest
jwtMint:
  name: jwt-mint
  pullPolicy: IfNotPresent
  registry: registry.open-xchange.com
  repository: glass
  tag: latest
middleware:
  name: middleware
  pullPolicy: IfNotPresent
  registry: registry.open-xchange.com
  repository: glass
  tag: latest
nats:
  name: nats
  pullPolicy: IfNotPresent
  registry: registry.open-xchange.com
  repository: glass
  tag: 2.12.0
nkeyGenerator:
  name: k8s-nkey-generator
  pullPolicy: IfNotPresent
  registry: registry.open-xchange.com
  repository: glass
  tag: latest
plainPasswordGenerator:
  name: k8s-plain-password-generator
  pullPolicy: IfNotPresent
  registry: registry.open-xchange.com
  repository: glass
  tag: latest
policy:
  name: policy
  pullPolicy: IfNotPresent
  registry: registry.open-xchange.com
  repository: glass
  tag: latest
serviceMultiplexer:
  name: service-multiplexer
  pullPolicy: IfNotPresent
  registry: registry.open-xchange.com
  repository: glass
  tag: latest
snapshotMirror:
  name: snapshot-mirror
  pullPolicy: IfNotPresent
  registry: registry.open-xchange.com
  repository: glass
  tag: latest
ui:
  name: ui
  pullPolicy: IfNotPresent
  registry: registry.open-xchange.com
  repository: glass
  tag: latest
Container image configuration for all Glass UI services

Observability

Prometheus metrics and OpenTelemetry logging configuration for monitoring control plane services.

Parameter Default Description
prometheus.operator.available false Set to true if Prometheus Operator is available to create PodMonitor objects
prometheus.operator.scrape.interval 10s Scrape interval for Prometheus metrics collection (duration format: e.g., '10s', '1m', '30s')

Example: 10s
prometheus.annotations true Set to true to add Prometheus scrape annotations on pods (for Prometheus deployments without Prometheus Operator)
otelLogging.enabled false Enable OTEL log forwarding to an OTLP collector
otelLogging.endpoint OTLP collector endpoint (e.g., 'otel-collector:4318' for HTTP or 'otel-collector:4317' for gRPC)

Example: otel-collector:4318
otelLogging.protocol grpc OTLP protocol to use for log export

Options: grpc, http
otelLogging.timeout 10s Export timeout duration (e.g., '10s', '30s', '1m')

Example: 10s

See Also