Helm and terraform values
  • 04 Nov 2024

The following tables summarize the Helm and Terraform values and their descriptions.

Administration

| Helm Value | Terraform Variable | Default Value | Description |
| --- | --- | --- | --- |
| token | token | - | API token that is used to communicate with Traceable's SaaS platform. |
| refreshTokenFile | refresh_token_file | - | Defines the path to the refresh token (in the container). |
| environment | environment | - | The environment in which the platform agent is being installed. For example, production, development, and QA. |
| endpoint | endpoint | api.traceable.ai | Traceable’s Platform endpoint. |
| serviceAccountName | service_account_name | traceable-agent-service-account | Defines the Traceable agent pod service account name. |
| logLevel | logLevel | INFO | Defines the log level of Traceable Platform agent logs. Set it to DEBUG to enable debug logging. |
| logLevelInterval | log_level_interval | LOG_LEVEL_INFO | Defines the log level of Traceable’s internal library. The default value is INFO. The available logging levels are LOG_LEVEL_TRACE, LOG_LEVEL_DEBUG, LOG_LEVEL_INFO, LOG_LEVEL_WARN, LOG_LEVEL_ERROR, and LOG_LEVEL_CRITICAL. |


Resources

| Helm Value | Terraform Variable | Default Value | Description |
| --- | --- | --- | --- |
| resources.limits.cpu | resources.limits.cpu | 1 | Platform agent max CPU |
| resources.limits.memory | resources.limits.memory | 2Gi | Platform agent max memory |
| resources.requests.cpu | resources.requests.cpu | 200m | Platform agent requested CPU |
| resources.requests.memory | resources.requests.memory | 400Mi | Platform agent requested memory |
| multipartMaxFileSize | multipart_max_file_size | 2048 | Limits the number of a file's first bytes that are captured for multipart/form-data content type |


Ports

| Helm Value | Terraform Variable | Default Value | Description |
| --- | --- | --- | --- |
| serverPort | server_port | 5441 | gRPC server port for Traceable Platform agent APIs |
| restServerPort | rest_server_port | 5442 | HTTP server port for Traceable Platform agent APIs |
| tlsServerPort | tls_server_port | 5443 | TLS endpoint port for Traceable Platform agent APIs |
| collector.ports.opentelemetry | collector.ports.opentelemetry | 4317 | Configure the OTLP gRPC receiver port. |
| collector.ports.opentelemetryHttp | collector.ports.opentelemetry_http | 4318 | Configure the OTLP HTTP receiver port. |


Image credentials

| Helm Value | Terraform Variable | Default Value | Description |
| --- | --- | --- | --- |
| imageCredentials.registry | image_credentials.registry | docker.io | Docker images registry |
| imageCredentials.registrySuffix | image_credentials.registry_suffix | traceableai | Docker images registry suffix or path to Traceable’s images |
| imageCredentials.username | image_credentials.username | - | Docker registry username |
| imageCredentials.password | image_credentials.password | - | Docker registry password |
| imageName | image_name | traceable-agent | Traceable Platform agent image name. Use this option to override the default name. |
| imageVersion | image_version | - | Traceable Platform agent’s version number. Use this option if you wish to use a version different from the released version. |
| imagePullSecretName | image_pull_secret_name | | The custom image pull secret name. Make sure that it exists in the same namespace in which the traceable-agent deployment runs. |


Autoscaling

| Helm Value | Terraform Variable | Default Value | Description |
| --- | --- | --- | --- |
| autoscaling.minReplicas | autoscaling.min_replicas | 1 | Defines the minimum number of traceable-agent replicas. |
| autoscaling.maxReplicas | autoscaling.max_replicas | 1 | Defines the maximum number of traceable-agent replicas. |
| autoscaling.targetMemoryUtilization | autoscaling.target_memory_utilization | 80 | Target memory utilization. |
| autoscaling.targetCpuUtilization | autoscaling.target_cpu_utilization | 80 | Target CPU utilization. |
| autoscaling.enabled | autoscaling.enabled | true | Enable Kubernetes horizontal pod autoscaling. |


Label and annotations

| Helm Value | Terraform Variable | Default Value | Description |
| --- | --- | --- | --- |
| labels | labels | - | List of labels to add to the deployment. |
| additionalGlobalLabels | additional_global_labels | - | Labels to be added to all Traceable resources. |
| additionalAnnotations | additional_annotations | data-ingest.dynatrace.com/inject: "false"; dynakube.dynatrace.com/inject: "false"; oneagent.dynatrace.com/inject: "false"; dynatrace.com/inject: "false" | Additional annotations for Traceable Platform agent and eBPF deployment. |
| additionalGlobalAnnotations | additional_global_annotations | - | Annotations to be added to all Traceable resources. |

Security policy and token

| Helm Value | Terraform Variable | Default Value | Description |
| --- | --- | --- | --- |
| podSecurityPoliciesEnabled | pod_security_policies_enabled | false | Set it to true to enable the use of pod security policies. |
| externalTokenSecret.name | external_token_secret.name | - | Configuring this field allows you to provide the secret before installation instead of specifying the token as a value. The name is the secret name. |
| tlsEnabled | tls_enabled | false | Set to true when end-to-end TLS is required for all ports. All traffic must be directed to tlsServerPort. The agent service will expose no other agent ports. |
| additionalCertAltNames | - | | Additional certificate alternative names that are added to the auto-generated certificate. |
| externalTokenSecret.key | external_token_secret.key | - | The key is the name of the key in the secret that contains the token value. |
| remoteCaBundle | remote_ca_bundle | | Platform CA bundle, which is base64 encoded. |
| remoteCaCertSecret.secretName | remote_ca_cert_secret.secret_name | | Platform CA as a secret in the same namespace as the Traceable Platform agent deployment. |
| remoteCaCertSecret.caCertFileName | remote_ca_cert_secret.ca_cert_file_name | | Platform CA key name within the secret. |
| remoteCaCertFile | remote_ca_cert_file | | Platform CA as a file injected into the Traceable Platform agent container. Make sure that this is the absolute path to the file. |
| serviceType | service_type | ClusterIP | Defines the service type of the Platform agent. Supported values are ClusterIP, NodePort, and LoadBalancer. |
| tlsPrivateCertificatesAsSecret.secretName | tls_private_certificates_as_secret.secret_name | - | This setting allows you to specify the name of a Kubernetes secret that contains the TLS private certificates. The secret must be located in the same namespace as your Traceable deployment. |
| tlsPrivateCertificatesAsSecret.rootCAFileName | tls_private_certificates_as_secret.root_ca_file_name | - | Value for specifying the filename of the root CA certificate. Both the Helm value and the Terraform variable reference the root CA certificate file, which must be a key in the Kubernetes secret containing your TLS private certificates. |
| tlsPrivateCertificatesAsSecret.certFileName | tls_private_certificates_as_secret.cert_file_name | - | Value for specifying the filename of the certificate. Both the Helm value and the Terraform variable reference the certificate file, which must be a key in the Kubernetes secret containing your TLS private certificates. |
| tlsPrivateCertificatesAsSecret.keyFileName | tls_private_certificates_as_secret.secret_name | | Value for specifying the filename of the private key. Both the Helm value and the Terraform variable reference the private key file, which must be a key in the Kubernetes secret containing your TLS private certificates. |
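The token and TLS settings above interact, so a values file is worth reviewing before installation. The following Python code is an added example, not part of the Traceable chart; it takes an already parsed values.yaml mapping, and the finding names, the review policy, and the sample secret names and paths are assumptions made for illustration.

```python
# Added example: pre-install review of the security-related Helm values.
# The findings are this example's own policy; the chart does not run these checks.
EXTERNAL_SERVICE_TYPES = {"NodePort", "LoadBalancer"}
TLS_SECRET_FILE_KEYS = ("rootCAFileName", "certFileName", "keyFileName")


def lookup(values, dotted_path, default=None):
    """Resolve a dotted Helm path such as 'externalTokenSecret.name'."""
    node = values
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def review_values(values):
    """Return (finding_id, message) tuples for a parsed values.yaml mapping."""
    findings = []
    # Token: prefer a pre-created secret over a token stored in the values file.
    if lookup(values, "token"):
        findings.append(("token-inline", "token is set as a value; "
                         "provide it through externalTokenSecret instead"))
    name = lookup(values, "externalTokenSecret.name")
    key = lookup(values, "externalTokenSecret.key")
    if bool(name) != bool(key):
        findings.append(("token-secret-incomplete",
                         "externalTokenSecret needs both name and key"))
    # TLS: only tlsEnabled=true restricts the service to tlsServerPort.
    tls_enabled = lookup(values, "tlsEnabled", False)          # table default
    service_type = lookup(values, "serviceType", "ClusterIP")  # table default
    if not tls_enabled and service_type in EXTERNAL_SERVICE_TYPES:
        findings.append(("plaintext-exposed",
                         f"serviceType {service_type} with tlsEnabled=false"))
    # Private certificates: every file name must be a key in the named secret.
    if lookup(values, "tlsPrivateCertificatesAsSecret.secretName"):
        missing = [k for k in TLS_SECRET_FILE_KEYS
                   if not lookup(values, f"tlsPrivateCertificatesAsSecret.{k}")]
        if missing:
            findings.append(("tls-secret-incomplete",
                             "not set: " + ", ".join(missing)))
    # remoteCaCertFile must be an absolute path inside the container.
    ca_file = lookup(values, "remoteCaCertFile")
    if ca_file and not str(ca_file).startswith("/"):
        findings.append(("ca-path-relative",
                         f"remoteCaCertFile {ca_file!r} is not absolute"))
    return findings


# Constructed sample inputs; secret names, file names and paths are made up.
WEAK = {
    "token": "example-token-value",
    "serviceType": "LoadBalancer",
    "tlsPrivateCertificatesAsSecret": {"secretName": "agent-tls",
                                       "certFileName": "tls.crt"},
    "remoteCaCertFile": "certs/platform-ca.pem",
}
HARDENED = {
    "externalTokenSecret": {"name": "traceable-token", "key": "token"},
    "tlsEnabled": True,
    "serviceType": "LoadBalancer",
    "tlsPrivateCertificatesAsSecret": {
        "secretName": "agent-tls", "rootCAFileName": "ca.crt",
        "certFileName": "tls.crt", "keyFileName": "tls.key"},
    "remoteCaCertFile": "/etc/traceable/certs/platform-ca.pem",
}

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, [finding_id for finding_id, _ in review_values(sample)])
```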


Ingress

| Helm Values | Terraform Variable | Default Value | Description |
| --- | --- | --- | --- |
| ingress.enabled | ingress.enabled | false | Enables an ingress controller for the platform agent when true. |
| ingress.domain | ingress.domain | - | The domain name of the Ingress controller. |
| ingress.http.annotations | ingress.http.annotations | - | Ingress controller annotations for the HTTP services. |
| ingress.grpc.annotations | ingress.grpc.annotations | - | Ingress controller annotations for the gRPC services. |
| ingress.ingressClassName | ingress.ingress_class_name | | This field replaces the deprecated kubernetes.io/ingress.class annotation. The ingress class determines which ingress controller should handle a particular ingress resource. For example, if you have different ingress controllers (like NGINX, Traefik, etc.), you might set this field to the name of the ingress class that the controller uses. |


Collector

| Helm Value | Terraform Variable | Default Value | Description |
| --- | --- | --- | --- |
| collector.batch.timeout | collector.batch.timeout | 200ms | The time duration after which a batch is sent to the Traceable platform regardless of size. |
| collector.batch.sendBatchSize | collector.batch.send_batch_size | 8192 | The number of spans after which a batch is sent to the Traceable platform, regardless of the timeout. |
| collector.batch.sendBatchMaxSize | collector.batch.send_batch_max_size | 10000 | Defines the upper limit of the batch size. 0 means no upper limit on the batch size. This property ensures that larger batches are split into smaller units. It must be greater than or equal to send_batch_size. |
| collector.receivers.opencensus.enabled | collector.receivers.opencensus.enabled | true | Set to true to enable OpenCensus receiver. |
| collector.receivers.zipkin.enabled | collector.receivers.zipkin.enabled | true | Set to true to enable Zipkin receiver. |
| collector.receivers.jaeger.enabled | collector.receivers.jaeger.enabled | true | Set to true to enable Jaeger receiver. |
| collector.receivers.otlp.enabled | collector.receivers.otlp.enabled | true | Set to true to enable OTLP receiver. |
| collector.exporters.otlp.compression | collector.exporters.otlp.compression | gzip | Compression format used to send data to the Traceable platform. An empty value denotes no compression. |
| collector.receivers.otlp.maxRecvMsgSizeMib | collector.receivers.otlp.max_recv_msg_size_mib | 16 | Maximum message size allowed to be sent to the OTLP receiver. |
| collector.receivers.otlp.maxConnectionAge | collector.receivers.otlp.max_connection_age | 1m | Maximum connection age to the OTLP receiver. It can be expressed as a duration string, for example, 120s = 120 seconds, 120m = 120 minutes, 2h = 2 hours. |
| collector.grpcMaxCallRecvMsgSize | collector.grpc_max_call_recv_msg_size | 33554432 | Specifies the maximum size of messages that the collector service client can receive from the agent manager over the gRPC channel in TPA. If set too low, it may cause errors like "Failed to receive data from config server," indicating that larger messages are being dropped. Adjust this setting to ensure smooth communication between services without data loss. |


Injector

| Helm Value | Terraform Variable | Default Value | Description |
| --- | --- | --- | --- |
| injector.propagationFormats | injector.propagation_formats | ["TRACECONTEXT"] | List of propagation formats used by the injected Java agent. The supported values are TRACECONTEXT and B3. |
| injector.captureContentType | injector.capture_content_Type | ["json", "grpc", "x-www-form-urlencoded"] | List of content types that the injected proxy captures. This is a substring match. |
| injector.proxy.inboundInterceptionMode | injector.proxy.inbound_interception_mode | REDIRECT | Defines the iptables interception mode. The supported values are REDIRECT and TPROXY. |
| injector.traceReporterType | injector.trace_reporter_type | OTLP | Use this to configure the trace reporting format from OTLP or ZIPKIN. |
| injectorEnabled | injector_enabled | true | Enables the mutating webhook injector service. Set to false when no instrumentation sidecars will be injected. |
| injector.blockingConfig.enabled | injector.blocking_config.enabled | true | Enable blocking for injected containers. |
| injector.blockingConfig.region_blocking.enabled | injector.blocking_config.region_blocking.enabled | true | Enable region blocking for injected containers. |
| injector.blockingConfig.evaluate_body | injector.blocking_config.evaluate_body | true | Enable body evaluation for injected containers. |
| injectorTmeRestServerIdleTimeout | injector_tme_rest_server_idle_timeout | 60 | Connection keep-alive time, in seconds, for injected tme (Traceable module extension) REST server. |
| injectorTmeRestServerDisableKeepAlive | injector_tme_rest_server_disable_keep_alive | false | Disable keep-alive entirely for the injected tme REST server. |
| injector.blockingConfig.blockingContentType | injector.blocking_config.blocking_content_type | | Supports content types like text/html for setting HTML headers. When configured, it allows for the injection of HTML content as a response. |
| injector.blockingConfig.blockingMessage | injector.blocking_config.blocking_message | | Allows specifying a custom HTML string to be returned as the response message when blocking is triggered. |


eBPF

| Helm value | Terraform value | Default value | Description |
| --- | --- | --- | --- |
| ebpfCaptureEnabled | ebpf_capture_enabled | false | Enables the data capture mode using eBPF. |
| ebpfHttp2CaptureEnabled | ebpf_http2_capture_enabled | false | Enables HTTP/2 data capture in the eBPF tracer. |
| ebpfTraceReporterType | ebpf_trace_reporter_type | OTLP | Configure the trace reporter. Possible values are OTLP or ZIPKIN. |
| ebpfServiceNameLabels | ebpf_service_name_labels | [] | You can use this configuration to name services using Kubernetes labels assigned to the instrumented application. Example: ebpfServiceNameLabels: [app, service]. If this configuration is added to the configmap, the app and service labels are checked on the pod template of the instrumented app in that order, and whichever is found first is used to name the service. If the pod template has service: myservice as the label, myservice will be used as the service name. |
| ebpfEnableGoMemoryLimit | ebpf_enable_go_memory_limit | true | Sets the container memory limit for the eBPF tracer binary. Set the value to false to disable. |
| ebpfNodeAffinityMatchExpressions | ebpf_node_affinity_match_expressions | [] | Set node affinity for the eBPF pods. Examples and the matching rules follow this table. |
| ebpfLogLevel | ebpf_log_level | info | Defines the eBPF log level. Allowed values are trace, debug, info, warn, and error. |
| ebpfRunAsPrivileged | ebpf_run_as_privileged | false | Run the eBPF container in privileged mode. |
| ebpfMaxActiveRetProbe | ebpf_max_active_ret_probe | 1 | |
| ebpfDeployOnMaster | ebpf_deploy_on_master | false | Deploy the eBPF tracer on the Kubernetes master node as well. It is usually deployed as a daemonset to the other non-master nodes. |
| ebpfTolerations | ebpf_tolerations | [] | Tolerations are configured on a pod to schedule on nodes with the corresponding taints. Set the tolerations here for the eBPF pod. |
| ebpfNodeSelectors | ebpf_node_selectors | {} | Node selectors for nodes you want to deploy the eBPF tracer on, that is, if you do not wish to deploy the tracer daemonset on all nodes. |
| ebpfMetricsEnabled | ebpf_metrics_enabled | true | Capture and export eBPF metrics to the Traceable platform. |
| ebpfExcludeProcesses | ebpf_exclude_processes | [] | Comma-separated values to exclude processes from capturing. |
| ebpfUprobeAttachExclusionRules | ebpf_uprobe_attach_exclusion_rules | [] | Configure these rules to exclude processes from uprobe attach. |
| ebpfTracerVersion | ebpf_tracer_version | 1.14.1 (changes as updates are made; check the traceable-agent repo for updates) | eBPF tracer image version. |
| ebpfTracerImageName | ebpf_tracer_image_name | ebpf-tracer | eBPF tracer image name. |
| ebpfLogging.encoding | ebpf_logging.encoding | JSON | Log encoding. |
| ebpfLogging.error_output_paths | ebpf_logging.error_output_paths | stderr | Error output path. |
| ebpfBtfDownloadsPath | ebpf_btf_downloads_path | /etc/traceable/ebpf-tracer/btf/downloads | Defines the download path to eBPF BTF. |
| ebpfServiceAccountName | ebpf_service_account_name | traceable-agent-ebpf-service-account | Defines the eBPF pod service account name. |
| ebpfProbeEventQueueSize | ebpf_probe_event_queue_size | 50000 | Configure the eBPF probe event queue size. |
| ebpfRequestPerSecondLimit | ebpf_request_per_second_limit | 1000 | Process requests per second limit handled by the eBPF tracer. |
| ebpfMaxConnection | ebpf_max_connection | 10000 | Configure the maximum number of connections tracked in the eBPF tracer. |
| ebpfSELinuxOptionsEnabled | ebpf_se_linux_options_enabled | false | Enable seLinuxOptions in eBPF pod securityContext (see Configure a Security Context for a Pod or Container). |
| ebpfSELinuxOptionsRole | ebpf_se_linux_options_role | system_r | Configure the seLinuxOptions role. |
| ebpfSELinuxOptionsType | ebpf_se_linux_options_type | spc_t | Configure the seLinuxOptions type. |
| ebpfSELinuxOptionsUser | ebpf_se_linux_options_user | system_u | Configure the seLinuxOptions user. |
| ebpfOpenshiftSCC | | false | Enable OpenShift’s SecurityContextConstraints on eBPF. |
| ebpfOpenshiftSccConfig.allowPrivilegeEscalation | | false | OpenShift SCC allowPrivilegeEscalation configuration |
| ebpfOpenshiftSccConfig.allowHostDirVolumePlugin | | true | OpenShift SCC allowHostDirVolumePlugin configuration |
| OpenShift SCC allowHostDirVolumePlugin configuration | | true | OpenShift SCC allowHostDirVolumePlugin configuration |
| ebpfOpenshiftSccConfig.allowHostIPC | | true | OpenShift SCC allowHostIPC configuration |
| ebpfOpenshiftSccConfig.allowHostNetwork | | true | OpenShift SCC allowHostNetwork configuration |
| ebpfOpenshiftSccConfig.allowHostPorts | | true | OpenShift SCC allowHostPorts configuration |
| ebpfOpenshiftSccConfig.readOnlyRootFilesystem | | false | OpenShift SCC readOnlyRootFilesystem configuration |
| ebpfOpenshiftSccConfig.requiredDropCapabilities | | DAC_READ_SEARCH, LINUX_IMMUTABLE, NET_BROADCAST, NET_ADMIN, NET_RAW, IPC_OWNER, SYS_MODULE, SYS_RAWIO, SYS_PACCT, SYS_BOOT, SYS_NICE, SYS_TIME, SYS_TTY_CONFIG, MKNOD, LEASE, AUDIT_WRITE, AUDIT_CONTROL, MAC_OVERRIDE, MAC_ADMIN, SYSLOG, WAKE_ALARM, BLOCK_SUSPEND, AUDIT_READ, PERFMON, BPF | OpenShift SCC requiredDropCapabilities configuration |
| ebpfDefaultRateLimitConfig.enabled | ebpf_default_rate_limit_config.enabled | false | Enable default rate limit configuration in the eBPF tracer to be used for sampling. |
| ebpfDefaultRateLimitConfig.maxCountGlobal | ebpf_default_rate_limit_config.max_count_global | 0 | The total number of requests to be rate-limited in a given time window. |
| ebpfDefaultRateLimitConfig.maxCountPerEndpoint | ebpf_default_rate_limit_config.max_count_per_endpoint | 0 | The number of requests per endpoint to be rate-limited in a given time window. |
| ebpfDefaultRateLimitConfig.refreshPeriod | ebpf_default_rate_limit_config.refresh_period | 1m | Interval for rate limiter buckets to be reset. Accepted values are in the form of 1s, 2m, 3h. The default value is 1m. |
| ebpfDefaultRateLimitConfig.valueExpirationPeriod | ebpf_default_rate_limit_config.value_expiration_period | 168h | Interval for rate limiter cache to be reset. Accepted values are in the form of 1s, 2m, 3h. The default value is 168h. |
| ebpfDefaultRateLimitConfig.spanType | ebpf_default_rate_limit_config.span_type | SPAN_TYPE_NO_SPAN | Span type for rate-limited spans. |
| ebpfPodLabels | ebpf_pod_labels | [] | Pod labels for the eBPF tracer to capture. |
| ebpfPodAnnotations | ebpf_pod_annotations | [] | Pod annotations for the eBPF tracer to capture. An example follows this table. |
| ebpfProcFsScanPeriodInSec | ebpf_proc_fs_scan_period_in_sec | 60 seconds | This option for the procfs scan allows you to configure the interval at which the eBPF tracer scans the procfs to detect running processes on the host. This feature enables the inclusion and exclusion of processes based on the configuration. From eBPF version 1.19, this interval is configurable, and the default scan period has been extended to 60 seconds. After an initial scan at startup, the eBPF tracer performs subsequent scans at the configured interval, meaning any new processes that start between these scans will only be tracked or reported after the next scan occurs. |

ebpfPodAnnotations example:

# Configure pod annotations keys to capture as span attributes.
ebpfPodAnnotations:
  - team
  - release_date

In the example above, the annotations team and release_date will be captured as span attributes by the eBPF tracer.

ebpfNodeAffinityMatchExpressions example:

ebpfNodeAffinityMatchExpressions:
  - matchExpressions:
    - key: "pool_type"
      operator: "In"
      values:
      - "frontgate"

In this example, the daemonSet is scheduled on all nodes that have a label with key pool_type and value frontgate. Any node that does not satisfy this criterion is ignored.

You can use the operator field to specify a logical operator for Kubernetes to use when interpreting the rules. You can use In, NotIn, Exists, DoesNotExist, Gt and Lt.

If you specify multiple expressions in a single matchExpressions field, then the Pod can be scheduled onto a node only if all the expressions are satisfied (expressions are ANDed).

If you specify multiple matchExpressions in ebpfNodeAffinityMatchExpressions, then the Pod can be scheduled onto a node if one of the specified matchExpressions can be satisfied (matchExpressions are ORed).

Consider the following values.yaml:

ebpfNodeAffinityMatchExpressions:
  - matchExpressions:
      - key: "env"
        operator: "In"
        values:
          - "staging"
          - "preprod"
      - key: "pool_type"
        operator: "Exists"
  - matchExpressions:
      - key: "python_app"
        operator: "DoesNotExist"

In this example, the daemonSet is scheduled on all nodes that satisfy the following rule:

(("env" IN ["staging", "preprod"])
AND ("pool_type" EXISTS))
OR ("python_app" DOES_NOT_EXIST)
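The AND/OR rules described for ebpfNodeAffinityMatchExpressions decide which nodes run the eBPF tracer, and therefore which nodes are left uninstrumented. The following Python code is an added example, not part of the Traceable chart or of Kubernetes; it evaluates the page's values.yaml example against constructed node label sets, and treating the default [] as "no constraint" is an assumption.

```python
# Added example: evaluates ebpfNodeAffinityMatchExpressions against a node's
# labels with the AND/OR rules described on this page. It only illustrates the
# logic; the Kubernetes scheduler is what applies node affinity in a cluster.

def expression_matches(expr, labels):
    """Evaluate one {key, operator, values} expression against node labels."""
    key, op = expr["key"], expr["operator"]
    values = expr.get("values", [])
    present = key in labels
    if op == "In":
        return present and labels[key] in values
    if op == "NotIn":
        return not present or labels[key] not in values
    if op == "Exists":
        return present
    if op == "DoesNotExist":
        return not present
    if op in ("Gt", "Lt"):
        # Gt/Lt need the label to exist and compare integers against one value.
        if not present or len(values) != 1:
            return False
        try:
            have, want = int(labels[key]), int(values[0])
        except ValueError:
            return False
        return have > want if op == "Gt" else have < want
    raise ValueError(f"unsupported operator: {op}")


def node_selected(affinity, labels):
    """matchExpressions entries are ORed; expressions inside one are ANDed."""
    if not affinity:
        return True  # assumption: the default [] adds no scheduling constraint
    for term in affinity:
        expressions = term.get("matchExpressions") or []
        # An empty term matches no node, so it can never satisfy the OR.
        if expressions and all(expression_matches(e, labels) for e in expressions):
            return True
    return False


# The values.yaml example from this page, as a parsed structure.
AFFINITY = [
    {"matchExpressions": [
        {"key": "env", "operator": "In", "values": ["staging", "preprod"]},
        {"key": "pool_type", "operator": "Exists"},
    ]},
    {"matchExpressions": [
        {"key": "python_app", "operator": "DoesNotExist"},
    ]},
]

# Constructed node label sets (hypothetical nodes).
NODES = {
    "node-a": {"env": "staging", "pool_type": "frontgate", "python_app": "true"},
    "node-b": {"env": "prod", "python_app": "true"},
    "node-c": {"env": "prod"},
    "node-d": {"env": "preprod", "python_app": "true"},
}


def selected_nodes(affinity=AFFINITY, nodes=NODES):
    """Names of the nodes on which the daemonSet pod would be scheduled."""
    return sorted(n for n, labels in nodes.items() if node_selected(affinity, labels))


if __name__ == "__main__":
    print(selected_nodes())
```

node-d carries env=preprod but has no pool_type label and does have python_app, so neither ORed term is satisfied and the tracer is not scheduled there.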


Proxy

| Helm value | Terraform value | Default value | Description |
| --- | --- | --- | --- |
| httpsProxy | https_proxy | - | Value of https_proxy environment variable to connect to an HTTPS proxy for traffic outgoing to the Traceable Platform. |
| httpProxy | http_proxy | - | Value of http_proxy environment variable to connect to an HTTPS proxy for traffic outgoing to the Traceable Platform. |
| noProxy | no_proxy | - | Set this environment variable to exclude comma-separated IP addresses and hosts from being routed through an HTTP or HTTPS proxy. |
| httpReverseProxyEnabled | http_reverse_proxy_enabled | false | Enable HTTP reverse proxy in traceable-agent. When enabled, you can use the HTTP server port, which defaults to 5442, to send all requests to the traceable-agent. |


Miscellaneous

| Helm value | Terraform value | Default value | Description |
| --- | --- | --- | --- |
| maxBodySize | max_body_size | 131072 | Defines the maximum body size in bytes to capture. This applies to both ext_cap and injected containers. |
| evaluateBody | evaluate_body | true | Enable body evaluation during blocking evaluation. |
| blockingEnabled | blocking_enabled | true | Enable blocking for agents that use ext_cap. |
| regionBlockingEnabled | region_blocking_enabled | true | Enable region blocking for agents that use ext_cap. |
| collectorEnabled | collector_enabled | true | Set to true to enable OTEL collector. Set it to false when you do not wish to export traces and metrics. For example, use Traceable Platform agent as injector only. |
| agentManagerEnabled | agent_manager_enabled | true | Enables agent manager to manage Traceable Platform agent’s configuration. Set it to false when you do not wish to have Platform agent configuration from the Platform. |
| extCapEnabled | ext_cap_enabled | true | Enables external capture. Set it to false when external capture via Traceable Platform agent is not required. |
| allowedContentTypes | allowed_content_types | ["json", "x-www-form-urlencoded"] | List of content types captured for Traceable Module Extension (TME) based agents. |
| additionalAnnotations | additional_annotations | data-ingest.dynatrace.com/inject: "false"; dynakube.dynatrace.com/inject: "false"; oneagent.dynatrace.com/inject: "false"; dynatrace.com/inject: "false" | Additional annotations for Traceable Platform agent and eBPF deployment. |
| tolerations | tolerations | - | Tolerations are configured on a pod to schedule it on nodes with the corresponding taints. For more information on tolerations and taints, see Taints and Tolerations. |
| openshiftSCC | | false | Enable OpenShift’s SecurityContextConstraints on traceable-agent. |


