---
title: "Helm and terraform values"
slug: "helm-and-terraform-values"
updated: 2025-03-24T08:21:18Z
published: 2025-03-24T08:21:18Z
---

# Helm and Terraform values

The following tables summarize the different Helm and Terraform values and their descriptions.

## Administration

| Helm Value | Terraform Variable | Default Value | Description |
| --- | --- | --- | --- |
| `token` | `token` | - | API token that is used to communicate with Traceable's SaaS platform. |
| `refreshTokenFile` | `refresh_token_file` | - | Defines the path to the refresh token (in the container). |
| `environment` | `environment` | - | The environment in which the platform agent is being installed. For example, production, development, and QA. |
| `endpoint` | `endpoint` | api.traceable.ai | Traceable’s Platform endpoint. |
| `serviceAccountName` | `service_account_name` | traceable-agent-service-account | Defines the Traceable agent pod service account name |
| `logLevel` | `logLevel` | `INFO` | Defines the log level of Traceable Platform agent logs. Set it to `DEBUG` to enable debug logging. |
| `logLevelInterval` | `log_level_interval` | `LOG_LEVEL_INFO` | Defines the log level of Traceable’s internal library. The default value is INFO. The available logging levels are `LOG_LEVEL_TRACE`, `LOG_LEVEL_DEBUG`, `LOG_LEVEL_INFO`, `LOG_LEVEL_WARN`, `LOG_LEVEL_ERROR`, and `LOG_LEVEL_CRITICAL`. |

---

## Resources

| Helm Value | Terraform Variable | Default Value | Description |
| --- | --- | --- | --- |
| `resources.limits.cpu` | `resources.limits.cpu` | 1 | Platform agent max CPU |
| `resources.limits.memory` | `resources.limits.memory` | 2Gi | Platform agent max memory |
| `resources.requests.cpu` | `resources.requests.cpu` | 200m | Platform agent requested CPU |
| `resources.requests.memory` | `resources.requests.memory` | 400Mi | Platform agent requested memory |
| `multipartMaxFileSize` | `multipart_max_file_size` | 2048 | Limits the number of a file's first bytes that are captured for multipart/form-data content type. |
| `grpcToHttp.resources.limits.cpu` | `grpc_to_http.resources.limits.cpu` | 500m | Specifies the CPU limit for the **grpcToHttp** container. This value defines the maximum CPU resources the container can consume, ensuring controlled resource allocation within the deployment. |
| `grpcToHttp.resources.limits.memory` | `grpc_to_http.resources.limits.cpu` | 512Mi | Specifies the memory limit for the **grpcToHttp** container. This value defines the maximum amount of memory the container can use, preventing excessive resource consumption within the deployment. |
| `grpcToHttp.resources.requests.cpu` | `grpc_to_http.resources.limits.cpu` | 250m | Specifies the **CPU request** for the **grpcToHttp** container. This value defines the minimum amount of CPU resources the container is guaranteed to receive, ensuring stable performance within the deployment. |
| `grpcToHttp.resources.requests.memory` | `grpc_to_http.resources.limits.cpu` | 256Mi | Specifies the **memory request** for the **grpcToHttp** container. This value defines the minimum amount of memory allocated to the container, ensuring it has sufficient resources to operate efficiently. |

---

## Ports

| Helm Value | Terraform Variable | Default Value | Description |
| --- | --- | --- | --- |
| `serverPort` | `server_port` | 5441 | gRPC server port for Traceable Platform agent APIs |
| `restServerPort` | `rest_server_port` | 5442 | HTTP server port for Traceable Platform agent APIs |
| `tlsServerPort` | `tls_server_port` | 5443 | TLS endpoint port for Traceable Platform agent APIs |
| `collector.ports.opentelemetry` | `collector.ports.opentelemetry` | 4317 | Configure the OTLP gRPC receiver port. |
| `collector.ports.opentelemetryHttp` | `collector.ports.opentelemetry_http` | 4318 | Configure the OTLP HTTP receiver port. |

---

## Services

| Helm value | Terraform variable | Default value | Description |
| --- | --- | --- | --- |
| `multipleServices.enabled` | `multiple_services.enabled` | false | Enables the creation of multiple Kubernetes services to expose different ports opened by TPA. This is useful for handling specific listeners, such as HSL and Apigee, ensuring proper service routing. |
| `multipleServices.apigee.serviceType` | `multiple_services.apigee.service_type` | ClusterIP | Defines the service type for the Apigee listener when multiple services are enabled. This determines how the Apigee service is exposed within the Kubernetes cluster. |
| `multipleServices.apigee.nodePort` | `multiple_services.apigee.node_port` | 0 | Specifies the NodePort value for the Apigee service when the Kubernetes service type is set to **NodePort**. This allows external access to the Apigee listener on a designated port. |
| `multipleServices.hsl.serviceType` | `multiple_services.hsl.service_type` | ClusterIP | This defines the service type for the HSL listener when multiple services are enabled. It determines how the HSL service is exposed within the Kubernetes cluster. |
| `multipleServices.hsl.nodePort` | `multiple_services.hsl.node_port` | 0 | Specifies the NodePort value for the HSL service when the Kubernetes service type is set to **NodePort**. This allows external access to the HSL listener on a designated port. |

---

## Image credentials

| Helm Value | Terraform Variable | Default Value | Description |
| --- | --- | --- | --- |
| `imageCredentials.registry` | `image_credentials.registry` | docker.io | Docker images registry |
| `imageCredentials.registrySuffix` | `image_credentials.registry_suffix` | traceableai | Docker images registry suffix or path to Traceable’s images |
| `imageCredentials.username` | `image_credentials.username` | - | Docker registry username |
| `imageCredentials.password` | `image_credentials.password` | - | Docker registry password |
| `imageName` | `image_name` | traceable-agent | Traceable Platform agent image name. Use this option to override the default name. |
| `imageVersion` | `image_version` | - | Traceable Platform agent’s version number. Use this option if you wish to use a version different from the released version. |
| `imagePullSecretName` | `image_pull_secret_name` |  | The custom image pull secret name. Make sure that it exists in the same namespace that traceable-agent deployment runs. |

---

## Autoscaling

| Helm Value | Terraform Variable | Default Value | Description |
| --- | --- | --- | --- |
| `autoscaling.minReplicas` | `autoscaling.min_replicas` | 1 | Defines the minimum number of traceable-agent replicas. |
| `autoscaling.maxReplicas` | `autoscaling.max_replicas` | 1 | Defines the maximum number of traceable-agent replicas. |
| `autoscaling.targetMemoryUtilization` | `autoscaling.target_memory_utilization` | 80 | Target memory utilization. |
| `autoscaling.targetCpuUtilization` | `autoscaling.target_cpu_utilization` | 80 | Target CPU utilization. |
| `autoscaling.enabled` | `autoscaling.enabled` | true | Enable Kubernetes horizontal pod autoscaling. |

---

## Label and annotations

| Helm Value | Terraform Variable | Default Value | Description |
| --- | --- | --- | --- |
| `labels` | `labels` | - | List of labels to add to the deployment. |
| `additionalGlobalLabels` | `additional_global_labels` | - | Labels to be added to all Traceable resources. |
| `additionalAnnotations` | `additional_annotations` | `data-ingest.dynatrace.com/inject: "false"`, `dynakube.dynatrace.com/inject: "false"`, `oneagent.dynatrace.com/inject: "false"`, `dynatrace.com/inject: "false"` | Additional annotations for Traceable Platform agent and eBPF deployment. |
| `additionalGlobalAnnotations` | `additional_global_annotations` | - | Annotations to be added to all Traceable resources. |

---

## Security Context

| Helm value | Terraform Variable | Default value | Description |
| --- | --- | --- | --- |
| `tpaPodSecurityContext` | `tpa_pod_security_context` | {} | Defines the **securityContext** settings for the Traceable Agent pod. These settings establish security policies at the pod level but can be overridden using the **container securityContext** configuration for more granular control. |
| `useCustomSecurityContext` | `use_custom_security_context` | false | Enables the use of a custom **securityContext** for containers deployed by this Helm chart. When set to **true**, it overrides security context settings that depend on other configurations, such as TLS on port 443 and the injector for the Traceable Agent image. A **securityContext** must be explicitly defined. Use **commonContainerSecurityContext** to specify a shared securityContext for all containers or define a custom **securityContext** for each container individually as needed. |
| `securityContext` | `security_context` | `runAsUser: 0` | Defines the **securityContext** for the Traceable Agent container. This configuration is applied by default when the injector is enabled or when the TLS server port is set to **443**. It can be customized to enforce specific security policies for the container. |
| `mirroringSecurityContext` | `mirroring_security_context` | {} | Defines the **securityContext** for the mirroring container. |
| `grpcToHttpContainerSecurityContext` | `grpc_to_http_container_security_context` | {} | Defines the **securityContext** for the grpc-to-http (Envoy) container. This configuration ensures proper security settings for handling gRPC to HTTP traffic within the deployment. |
| `extensionServiceSecurityContext` | `extension_service_security_context` | {} | Defines the **securityContext** for the extension service container. This configuration ensures the application of appropriate security policies to the extension service during deployment. |
| `ebpfSecurityContext` | `ebpf_security_context` | {} | Defines the **securityContext** for the eBPF container. |
| `secretsInitSecurityContext` | `secrets_init_security_context` | {} | Defines the **securityContext** for the secrets init container. |
| `commonContainerSecurityContext` | `common_container_security_context` | {} | Defines the **common securityContext** applied to all containers when set and **useCustomSecurityContext** is enabled. If specific security requirements exist for individual containers, override this setting using the respective container-specific **securityContext** configurations. |

---

## Security policy and token

| Helm Value | Terraform Variable | Default Value | Description |
| --- | --- | --- | --- |
| `podSecurityPoliciesEnabled` | `pod_security_policies_enabled` | `false` | Set it to `true` to enable the use of pod security policies. |
| `externalTokenSecret.name` | `external_token_secret.name` | - | Configuring this field allows you to provide the secret before installation instead of specifying the token as a value. The name is the secret name. |
| `tlsEnabled` | `tls_enabled` | false | Set to true when end-to-end TLS is required for all ports. All traffic must be directed to `tlsServerPort`. The agent service will expose no other agent ports. |
| `additionalCertAltNames` | - |  | Additional certificate alternative names that are added to the auto-generated certificate. |
| `externalTokenSecret.key` | `external_token_secret.key` | - | `key` is the key name that contains the token value. |
| `remoteCaBundle` | `remote_ca_bundle` |  | Platform CA bundle, which is base64 encoded. |
| `remoteCaCertSecret.secretName` | `remote_ca_cert_secret.secret_name` |  | Platform CA as a secret in the same namespace as the Traceable Platform agent deployment. |
| `remoteCaCertSecret.caCertFileName` | `remote_ca_cert_secret.ca_cert_file_name` |  | Platform CA key name within the secret. |
| `remoteCaCertFile` | `remote_ca_cert_file` |  | Platform CA as a file injected into the Traceable Platform agent container. Make sure that this is the absolute path to the file. |
| `serviceType` | `service_type` | ClusterIP | Defines the service type of the Platform agent. Supported values are ClusterIP, NodePort, and LoadBalancer. |
| `tlsPrivateCertificatesAsSecret.secretName` | `tls_private_certificates_as_secret.secret_name` | - | This setting allows you to specify the name of a Kubernetes secret that contains the TLS private certificates. The secret must be located in the same namespace as your Traceable deployment. |
| `tlsPrivateCertificatesAsSecret.rootCAFileName` | `tls_private_certificates_as_secret.root_ca_file_name` | - | Value for specifying the filename of the root CA certificate. Both reference the root CA certificate file, which must be a key in the Kubernetes secret containing your TLS private certificates. |
| `tlsPrivateCertificatesAsSecret.certFileName` | `tls_private_certificates_as_secret.cert_file_name` | - | Value for specifying the filename of the certificate. Both reference the certificate file, which must be a key in the Kubernetes secret containing your TLS private certificates. |
| `tlsPrivateCertificatesAsSecret.keyFileName` | `tls_private_certificates_as_secret.secret_name` |  | Value for specifying the filename of the private key. Both reference the private key file, which must be a key in the Kubernetes secret containing your TLS private certificates. |
| `tpaCaBundle` | `tpa_ca_bundle` | `""` | Configures the CA certificate for standalone Traceable Platform Agent (TPA) client deployments. This value specifies the CA bundle, such as for standalone eBPF deployments. Provide the **base64-encoded** contents of the TPA CA certificate file to ensure secure communication. |
| `tpaCaCertSecret.secretName` | `tpa_ca_cert_secret.secret_name` | `""` | Specifies the name of the Kubernetes secret that stores the TPA CA certificate. To ensure secure authentication, this secret must be created in the same namespace as the eBPF tracer. |
| `tpaCaCertSecret.caCertFileName` | `tpa_ca_cert_secret.ca_cert_file_name` | `""` | Defines the filename of the TPA CA certificate stored within the Kubernetes secret. This secret must be created in the same namespace as the eBPF tracer to ensure proper certificate retrieval. |
| `tpaCaCertFile` | `tpa_ca_cert_file` | `""` | Specifies the absolute path to the CA certificate file injected into the eBPF tracer container. This ensures the tracer has access to the required CA certificate for secure communication. |

---
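
The following `values.yaml` is an added example, not taken from Traceable's documentation or chart. It combines settings from the Security Context and Security policy and token tables above so that the API token and TLS material come from pre-created Kubernetes secrets and every container gets an explicit securityContext. It assumes the dotted names in the tables map to nested YAML keys, as is usual for Helm values; the secret names, file names and securityContext fields are constructed for illustration.

```yaml
# Added example values.yaml; secret names and file names are constructed placeholders.

environment: production

# Reference a pre-created Secret instead of passing `token` as a plain value,
# which keeps the API token out of the values file.
externalTokenSecret:
  name: traceable-token          # placeholder: Secret in the agent's namespace
  key: token                     # placeholder: key inside that Secret

# Pull images with an existing pull secret instead of
# imageCredentials.username / imageCredentials.password.
imagePullSecretName: traceable-registry   # placeholder, same namespace as the deployment

# End-to-end TLS: all traffic goes to tlsServerPort and the agent
# service exposes no other agent ports.
tlsEnabled: true
tlsServerPort: 5443              # default from the Ports table
tlsPrivateCertificatesAsSecret:
  secretName: traceable-agent-tls   # placeholder: Secret in the same namespace
  rootCAFileName: ca.crt            # each file name must be a key in that Secret
  certFileName: tls.crt
  keyFileName: tls.key

# Keep the agent reachable only inside the cluster.
serviceType: ClusterIP

# With useCustomSecurityContext set to true a securityContext must be
# defined explicitly; commonContainerSecurityContext applies it to all containers.
useCustomSecurityContext: true
commonContainerSecurityContext:
  # Standard Kubernetes securityContext fields, chosen here as an assumption.
  # Validate in a test cluster that every enabled container starts with them.
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]

# Defaults from the eBPF table, stated explicitly so a later override is visible in review.
ebpfCaptureEnabled: false
ebpfRunAsPrivileged: false
```

The referenced secrets have to exist in the deployment's namespace before the chart is installed.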

## Ingress

| Helm Values | Terraform Variable | Default Value | Description |
| --- | --- | --- | --- |
| `ingress.enabled` | `ingress.enabled` | `false` | Enables an ingress controller for the platform agent when true |
| `ingress.domain` | `ingress.domain` | - | The domain name of the Ingress controller |
| `ingress.http.annotations` | `ingress.http.annotations` | - | Ingress controller annotations for the HTTP services |
| `ingress.grpc.annotations` | `ingress.grpc.annotations` | - | Ingress controller annotations for the GRPC services |
| `ingress.ingressClassName` | `ingress.ingress_class_name` |  | This field replaces the deprecated `kubernetes.io/ingress.class` annotation. The ingress class determines which ingress controller should handle a particular ingress resource. For example, if you have different ingress controllers (like NGINX, Traefik, etc.), you might set this field to the name of the ingress class that the controller uses. |

---

## Collector

| Helm Value | Terraform Variable | Default Value | Description |
| --- | --- | --- | --- |
| `collector.batch.timeout` | `collector.batch.timeout` | 200ms | The time duration after which a batch is sent to the Traceable platform regardless of size. |
| `collector.batch.sendBatchSize` | `collector.batch.send_batch_size` | 8192 | The number of spans after which a batch is sent to the Traceable platform, regardless of the timeout. |
| `collector.batch.sendBatchMaxSize` | `collector.batch.send_batch_max_size` | 10000 | Defines the upper limit of the batch size. `0` means no upper limit on the batch size. This property ensures that larger batches are split into smaller units. It must be greater than or equal to `send_batch_size`. |
| `collector.receivers.opencensus.enabled` | `collector.receivers.opencensus.enabled` | `true` | Set to `true` to enable OpenCensus receiver. |
| `collector.receivers.zipkin.enabled` | `collector.receivers.zipkin.enabled` | `true` | Set to `true` to enable Zipkin receiver. |
| `collector.receivers.jaeger.enabled` | `collector.receivers.jaeger.enabled` | `true` | Set to `true` to enable Jaeger receiver. |
| `collector.receivers.otlp.enabled` | `collector.receivers.otlp.enabled` | `true` | Set to `true` to enable OTLP receiver. |
| `collector.exporters.otlp.compression` | `collector.exporters.otlp.compression` | `gzip` | Compression format used to send data to the Traceable platform. An empty value denotes no compression. |
| `collector.receivers.otlp.maxRecvMsgSizeMib` | `collector.receivers.otlp.max_recv_msg_size_mib` | 16 | Maximum message size that can be sent to the OTLP receiver. |
| `collector.receivers.otlp.maxConnectionAge` | `collector.receivers.otlp.max_connection_age` | 1m | Maximum connection age to the OTLP receiver. It can be expressed as a duration string, for example 120s = 120 seconds, 120m = 120 minutes, 2h = 2 hours |
| `collector.grpcMaxCallRecvMsgSize` | `collector.grpc_max_call_recv_msg_size` | 33554432 | Specifies the maximum size of messages that the collector service client can receive from the agent manager over the gRPC channel in TPA. If set too low, it may cause errors like "`Failed to receive data from config server`," indicating that larger messages are being dropped. Adjust this setting to ensure smooth communication between services without data loss. |

---

## Injector

| Helm Value | Terraform Variable | Default Value | Description |
| --- | --- | --- | --- |
| `injector.propagationFormats` | `injector.propagation_formats` | `["TRACECONTEXT"]` | List of propagation formats used by the injected Java agent. The supported values are `TRACECONTEXT` and `B3`. |
| `injector.captureContentType` | `injector.capture_content_Type` | `["json", "grpc", "x-www-form-urlencoded"]` | List of content types that the injected proxy captures. This is a substring match. |
| `injector.proxy.inboundInterceptionMode` | `injector.proxy.inbound_interception_mode` | `REDIRECT` | Defines the iptables interception mode. The supported values are `REDIRECT` and `TPROXY`. |
| `injector.traceReporterType` | `injector.trace_reporter_type` | `OTLP` | Use this to configure the trace reporting format from OTLP or ZIPKIN. |
| `injectorEnabled` | `injector_enabled` | `true` | Enables mutatingwebhook injector service. Set to `false` when no instrumentation sidecars will be injected. |
| `injector.blockingConfig.enabled` | `injector.blocking_config.enabled` | `true` | Enable blocking for injected containers. |
| `injector.blockingConfig.region_blocking.enabled` | `injector.blocking_config.region_blocking.enabled` | `true` | Enable region blocking for injected containers. |
| `injector.blockingConfig.evaluate_body` | `injector.blocking_config.evaluate_body` | `true` | Enable body evaluation for injected containers. |
| `injectorTmeRestServerIdleTimeout` | `injector_tme_rest_server_idle_timeout` | 60 | Connection keep-alive time, in seconds, for injected `tme` (Traceable module extension) REST server. |
| `injectorTmeRestServerDisableKeepAlive` | `injector_tme_rest_server_disable_keep_alive` | `false` | Disable keep-alive entirely for the injected `tme` REST server. |
| `injector.blockingConfig.blockingContentType` | `injector.blocking_config.blocking_content_type` |  | Supports content types like `text/html` for setting HTML headers. When configured, it allows for the injection of HTML content as a response. |
| `injector.blockingConfig.blockingMessage` | `injector.blocking_config.blocking_message` |  | Allows specifying a custom HTML string to be returned as the response message when blocking is triggered. |

---

## eBPF

| Helm value | Terraform value | Default value | Description |
| --- | --- | --- | --- |
| `ebpfCaptureEnabled` | `ebpf_capture_enabled` | `false` | Enables the data capture mode using eBPF. |
| `ebpfHttp2CaptureEnabled` | `ebpf_http2_capture_enabled` | `false` | Enables HTTP 2 data capture in eBPF tracer. |
| `ebpfTraceReporterType` | `ebpf_trace_reporter_type` | `OTLP` | Configure the trace reporter. Possible values are OTLP or ZIPKIN. |
| `ebpfServiceNameLabels` | `ebpf_service_name_labels` | `[]` | You can use this configuration to name services using Kubernetes labels assigned to the instrumented application. **Example:** `ebpfServiceNameLabels: [app, service]`. If this configuration is added to the configmap, the `app` and `service` labels are checked on the pod template of the instrumented app in that order, and whichever is found first is used to name the service. If the pod template has `service: myservice` as the label, `myservice` will be used as the service name. |
| `ebpfEnableGoMemoryLimit` | `ebpf_enable_go_memory_limit` | `true` | Sets the container memory limit for the eBPF tracer binary. Set the value to `false` to disable. |
| `ebpfNodeAffinityMatchExpressions` | `ebpf_node_affinity_match_expressions` | `[]` | Set node affinity for the eBPF pods. Example: `ebpfNodeAffinityMatchExpressions: [{matchExpressions: [{key: "pool_type", operator: "In", values: ["frontgate"]}]}]`. In this example, the DaemonSet is scheduled on all nodes that have a label with key `pool_type` and value `frontgate`. Any node that does not satisfy this criterion is ignored. You can use the `operator` field to specify a logical operator for Kubernetes to use when interpreting the rules. You can use `In`, `NotIn`, `Exists`, `DoesNotExist`, `Gt` and `Lt`. If you specify multiple expressions in a single `matchExpressions` field, then the Pod can be scheduled onto a node only if all the expressions are satisfied (expressions are ANDed). If you specify multiple `matchExpressions` in `ebpfNodeAffinityMatchExpressions`, then the Pod can be scheduled onto a node if one of the specified `matchExpressions` can be satisfied (`matchExpressions` are ORed). Consider the following `values.yaml`: `ebpfNodeAffinityMatchExpressions: [{matchExpressions: [{key: "env", operator: "In", values: ["staging", "preprod"]}, {key: "pool_type", operator: "Exists"}]}, {matchExpressions: [{key: "python_app", operator: "DoesNotExist"}]}]`. In this example, the DaemonSet is scheduled on all nodes that satisfy the following rule: `(("env" IN ["staging", "preprod"]) AND ("pool_type" EXISTS)) OR ("python_app" DOES_NOT_EXIST)` |
| `ebpfLogLevel` | `ebpf_log_level` | info | Defines the eBPF log level. Allowed values are trace, debug, info, warn, and error. |
| `ebpfRunAsPrivileged` | `ebpf_run_as_privileged` | `false` | Run the eBPF container in privileged mode. |
| `ebpfMaxActiveRetProbe` | `ebpf_max_active_ret_probe` | 1 |  |
| `ebpfDeployOnMaster` | `ebpf_deploy_on_master` | `false` | Deploy the eBPF tracer on the Kubernetes master node as well. It is usually deployed as a daemonset to the other non-master nodes. |
| `ebpfTolerations` | `ebpf_tolerations` | `[]` | Tolerations are configured on a pod to schedule on nodes with the corresponding taints. Set the tolerations here for the eBPF pod. |
| `ebpfNodeSelectors` | `ebpf_node_selectors` | `{}` | Node selectors for nodes you want to deploy the eBPF tracer on, that is, if you do not wish to deploy the tracer daemonset on all nodes. |
| `ebpfMetricsEnabled` | `ebpf_metrics_enabled` | `true` | Capture and export eBPF metrics to the Traceable platform. |
| `ebpfExcludeProcesses` | `ebpf_exclude_processes` | `[]` | Comma-separated values to exclude processes from capturing. |
| `ebpfUprobeAttachExclusionRules` | `ebpf_uprobe_attach_exclusion_rules` | `[]` | Configure these rules to exclude process from uprobe attach. |
| `ebpfTracerVersion` | `ebpf_tracer_version` | 1.14.1 (changes as updates are made; check the traceable-agent repo for updates) | eBPF tracer image version. |
| `ebpfTracerImageName` | `ebpf_tracer_image_name` | ebpf-tracer | eBPF tracer image name. |
| `ebpfLogging.encoding` | `ebpf_logging.encoding` | `JSON` | Log encoding. |
| `ebpfLogging.error_output_paths` | `ebpf_logging.error_output_paths` | `stderr` | Error output path. |
| `ebpfBtfDownloadsPath` | `ebpf_btf_downloads_path` | `/etc/traceable/ebpf-tracer/btf/downloads` | Defines the download path to eBPF BTF. |
| `ebpfServiceAccountName` | `ebpf_service_account_name` | `traceable-agent-ebpf-service-account` | Defines the eBPF pod service account name. |
| `ebpfProbeEventQueueSize` | `ebpf_probe_event_queue_size` | 50000 | Configure the eBPF probe event queue size. |
| `ebpfRequestPerSecondLimit` | `ebpf_request_per_second_limit` | 1000 | Process requests per second limit handled by the eBPF tracer. |
| `ebpfMaxConnection` | `ebpf_max_connection` | 10000 | Configure the maximum number of connections tracked in the eBPF tracer. |
| `ebpfSELinuxOptionsEnabled` | `ebpf_se_linux_options_enabled` | `false` | Enable seLinuxOptions in eBPF pod securityContext ([Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)). |
| `ebpfSELinuxOptionsRole` | `ebpf_se_linux_options_role` | `system_r` | Configure the seLinuxOptions role. |
| `ebpfSELinuxOptionsType` | `ebpf_se_linux_options_type` | `spc_t` | Configure the seLinuxOptions type. |
| `ebpfSELinuxOptionsUser` | `ebpf_se_linux_options_user` | `system_u` | Configure the seLinuxOptions user. |
| `ebpfOpenshiftSCC` |  | `false` | Enable Openshift’s SecurityContextConstraints on eBPF. |
| `ebpfOpenshiftSccConfig.allowPrivilegeEscalation` |  | `false` | Openshift SCC allowPrivilegeEscalation configuration |
| `ebpfOpenshiftSccConfig.allowHostDirVolumePlugin` |  | `true` | Openshift SCC allowHostDirVolumePlugin configuration |
| `ebpfOpenshiftSccConfig.allowHostIPC` |  | `true` | Openshift SCC allowHostIPC configuration |
| `ebpfOpenshiftSccConfig.allowHostNetwork` |  | `true` | Openshift SCC allowHostNetwork configuration |
| `ebpfOpenshiftSccConfig.allowHostPorts` |  | `true` | Openshift SCC allowHostPorts configuration |
| `ebpfOpenshiftSccConfig.readOnlyRootFilesystem` |  | `false` | Openshift SCC readOnlyRootFilesystem configuration |
| `ebpfOpenshiftSccConfig.requiredDropCapabilities` |  | `DAC_READ_SEARCH`, `LINUX_IMMUTABLE`, `NET_BROADCAST`, `NET_ADMIN`, `NET_RAW`, `IPC_OWNER`, `SYS_MODULE`, `SYS_RAWIO`, `SYS_PACCT`, `SYS_BOOT`, `SYS_NICE`, `SYS_TIME`, `SYS_TTY_CONFIG`, `MKNOD`, `LEASE`, `AUDIT_WRITE`, `AUDIT_CONTROL`, `MAC_OVERRIDE`, `MAC_ADMIN`, `SYSLOG`, `WAKE_ALARM`, `BLOCK_SUSPEND`, `AUDIT_READ`, `PERFMON`, `BPF` | Openshift SCC requiredDropCapabilities configuration |
| `ebpfDefaultRateLimitConfig.enabled` | `ebpf_default_rate_limit_config.enabled` | `false` | Enable default rate limit configuration in the eBPF tracer to be used for sampling. |
| `ebpfDefaultRateLimitConfig.maxCountGlobal` | `ebpf_default_rate_limit_config.max_count_global` | 0 | The total number of requests to be rate-limited in a given time window. |
| `ebpfDefaultRateLimitConfig.maxCountPerEndpoint` | `ebpf_default_rate_limit_config.max_count_per_endpoint` | 0 | The number of requests per endpoint to be rate-limited in a given time window. |
| `ebpfDefaultRateLimitConfig.refreshPeriod` | `ebpf_default_rate_limit_config.refresh_period` | 1m | Interval at which the rate limiter buckets are reset. Accepted values are in the form of 1s, 2m, 3h. The default value is 1m. |
| `ebpfDefaultRateLimitConfig.valueExpirationPeriod` | `ebpf_default_rate_limit_config.value_expiration_period` | 168h | Interval at which the rate limiter cache is reset. Accepted values are in the form of 1s, 2m, 3h. The default value is 168h. |
| `ebpfDefaultRateLimitConfig.spanType` | `ebpf_default_rate_limit_config.span_type` | `SPAN_TYPE_NO_SPAN` | Span type for rate-limited spans. |
| `ebpfPodLabels` | `ebpf_pod_labels` | [] | Pod labels for the eBPF tracer to capture. |
| `ebpfPodAnnotations` | `ebpf_pod_annotations` | [] | Pod annotations for the eBPF tracer to capture. Configure the pod annotation keys to capture as span attributes, for example: `ebpfPodAnnotations: [team, release_date]`. In this example, the annotations `team` and `release_date` will be captured as span attributes by the eBPF tracer. |
| `ebpfProcFsScanPeriodInSec` | `ebpf_proc_fs_scan_period_in_sec` | 60 seconds | This option for the `procfs` scan allows you to configure the interval at which the eBPF tracer scans the `procfs` to detect running processes on the host. This feature enables the inclusion and exclusion of processes based on the configuration. From eBPF version 1.19, this interval is now configurable, and the default scan period has been extended to 60 seconds. After an initial scan at startup, the eBPF tracer will perform subsequent scans at the configured interval, meaning any new processes that start between these scans will only be tracked or reported after the next scan occurs. |
| `ebpfSslKeylogIncludeRules` | `ebpf_ssl_keylog_include_rules` | - | These configuration values enable **TLS key logging** by attaching eBPF probes to the **TLS handshake** instead of the `SSL_read` and `SSL_write` functions for processes matching the executable name `ruby`. This allows Traceable to capture and analyze encrypted TLS traffic at the handshake level. **Note:** This is tested for Ruby with SSL 3.0. |

---

## Proxy

| Helm value | Terraform value | Default value | Description |
| --- | --- | --- | --- |
| `httpsProxy` | `https_proxy` | - | Value of `https_proxy` environment variable to connect to an HTTPS proxy for traffic outgoing to the Traceable Platform. |
| `httpProxy` | `http_proxy` | - | Value of `http_proxy` environment variable to connect to an HTTPS proxy for traffic outgoing to the Traceable Platform. |
| `noProxy` | `no_proxy` | - | Set this environment variable to exclude comma-separated IP addresses and hosts from being routed through an HTTP or HTTPS proxy. |
| `httpReverseProxyEnabled` | `http_reverse_proxy_enabled` | `false` | Enable HTTP reverse proxy in traceable-agent. When enabled, you can use the HTTP server port, which defaults to 5442, to send all requests to the traceable-agent. |

---

## Miscellaneous

| Helm value | Terraform value | Default value | Description |
| --- | --- | --- | --- |
| `maxBodySize` | `max_body_size` | 131072 | Defines the maximum body size in bytes to capture. This applies to both ext_cap and injected containers. |
| `evaluateBody` | `evaluate_body` | `true` | Enable body evaluation during blocking evaluation. |
| `blockingEnabled` | `blocking_enabled` | `true` | Enable blocking for agents that use ext_cap. |
| `regionBlockingEnabled` | `region_blocking_enabled` | `true` | Enable region blocking for agents that use ext_cap. |
| `collectorEnabled` | `collector_enabled` | `true` | Set to `true` to enable OTEL collector. Set it to `false` when you do not wish to export traces and metrics. For example, use Traceable Platform agent as injector only. |
| `agentManagerEnabled` | `agent_manager_enabled` | `true` | Enables agent manager to manage Traceable Platform agent’s configuration. Set it to `false` when you do not wish to have Platform agent configuration from the Platform. |
| `extCapEnabled` | `ext_cap_enabled` | `true` | Enables external capture. Set it to false when external capture via Traceable Platform agent is not required. |
| `allowedContentTypes` | `allowed_content_types` | `["json", "x-www-form-urlencoded"]` | List of content types captured for Traceable Module Extension (TME) based agents. |
| `additionalAnnotations` | `additional_annotations` | ```yaml data-ingest.dynatrace.com/inject: "false" dynakube.dynatrace.com/inject: "false" oneagent.dynatrace.com/inject: "false" dynatrace.com/inject: "false" ``` | Additional annotations for Traceable Platform agent and eBPF deployment. |
| `tolerations` | `tolerations` | - | Tolerations are configured on a pod so that it can be scheduled on nodes with the corresponding taints. For more information on taints and tolerations, see [Taints and Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/). |
| `openshiftSCC` |  | `false` | Enable OpenShift’s SecurityContextConstraints on traceable-agent. |
| `podAffinity` | `pod_affinity` | {} | Defines the **pod affinity** configuration for the **Traceable Agent**. Pod affinity rules influence how pods are scheduled on nodes based on specific criteria, such as labels or topology constraints. For example, the following configuration ensures that the pod is scheduled on nodes with a **security** label set to **S1**, within the same **topology zone**. This setting helps optimize resource placement and enforce workload distribution based on predefined rules. <pre>podAffinity:<br>  requiredDuringSchedulingIgnoredDuringExecution:<br>    - labelSelector:<br>        matchExpressions:<br>          - key: security<br>            operator: In<br>            values:<br>              - S1<br>      topologyKey: topology.kubernetes.io/zone</pre> |
| `podAntiAffinity` | `pod_anti_affinity` | {} | Defines the **pod anti-affinity** and **topology spread constraints** for the **Traceable Agent**. These settings control how pods are distributed across nodes to improve fault tolerance and resource balancing. For example, the following configuration ensures that pods are evenly spread across nodes based on **hostname**, preventing them from being scheduled on the same node when possible: <pre>topologySpreadConstraints:<br>  - maxSkew: 1<br>    topologyKey: kubernetes.io/hostname<br>    whenUnsatisfiable: DoNotSchedule<br>    labelSelector:<br>      matchLabels:<br>        app.kubernetes.io/name: traceable-agent</pre> This configuration helps enhance availability and load balancing by distributing pods across different nodes, reducing the risk of failures affecting multiple instances. |
| `topologySpreadConstraints` | `topology_spread_constraint` | [] | Defines the **topology spread constraints** for the **Traceable Agent** pod. This configuration ensures that pods are evenly distributed across nodes based on specific topology keys, improving availability and resilience. For example, the following configuration prevents multiple pods from being scheduled on the same node by spreading them across different hosts: <pre>topologySpreadConstraints:<br>  - maxSkew: 1<br>    topologyKey: kubernetes.io/hostname<br>    whenUnsatisfiable: DoNotSchedule<br>    labelSelector:<br>      matchLabels:<br>        app.kubernetes.io/name: traceable-agent</pre> This helps balance workloads and reduce the risk of node failures impacting multiple Traceable Agent instances. |
| `podDisruptionBudget` |  | <pre>podDisruptionBudget:<br>  enabled: false<br>  maxUnavailable: 1<br>  minAvailable: ""</pre> | Defines the **pod disruption budget (PDB)** for the **Traceable Agent**. This configuration ensures a minimum number of pods remain available during voluntary disruptions, such as node maintenance or scaling events. To enable the pod disruption budget, set `enabled: true` in the configuration. This helps maintain service availability by controlling the number of pods that can be disrupted simultaneously. |
|  | `pdb_min_available` | null | Specifies the **pod disruption budget (PDB) constraints** for the **Traceable Agent** when using Terraform. The values **pdb_min_available** and **pdb_max_unavailable** determine the allowed number of pods that must remain available or can be disrupted at a time. If both values are **non-null**, the pod disruption budget is considered defined and will be applied to the pod. This ensures controlled disruptions during maintenance or scaling events, maintaining availability and stability of the deployment. |
|  | `pdb_max_unavailable` | null | See the description of `pdb_min_available`. |

Node affinity lets you define rules that restrict pods to specific nodes. Without node affinity, new pods may be scheduled on any node; configuring it lets you control where the pods are scheduled.

Toleration is a feature that allows a pod to specify its tolerance for running on nodes with certain conditions. Nodes in a Kubernetes cluster can have various taints applied to them, which indicate that the node has certain limitations or requirements. A toleration is a pod specification that indicates that the pod can tolerate a node with a specific taint. By specifying a toleration, a pod can be scheduled on a node with the corresponding taint, even if it would typically be rejected.
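The matching rule described above can be checked offline before a deployment. The following is an added example, not part of the Traceable chart or documentation: it implements the standard Kubernetes toleration-to-taint matching rules and assumes that entries in the `tolerations` value use the standard Kubernetes toleration fields; the taint keys and values are constructed sample data.

```python
# Added example: Kubernetes toleration-vs-taint matching as applied at
# scheduling time. All taints and tolerations below are constructed samples.


def tolerates(toleration: dict, taint: dict) -> bool:
    """Return True if a single toleration matches a single taint."""
    # An empty effect on the toleration matches every taint effect.
    if toleration.get("effect") and toleration["effect"] != taint["effect"]:
        return False
    key = toleration.get("key", "")
    operator = toleration.get("operator", "Equal")  # Equal is the default
    # An empty key is only valid with operator Exists and matches every key.
    if not key:
        return operator == "Exists"
    if key != taint["key"]:
        return False
    if operator == "Exists":
        return True
    return operator == "Equal" and toleration.get("value", "") == taint.get("value", "")


def blocking_taints(tolerations: list, taints: list) -> list:
    """Return the taints that would keep the pod off the node."""
    # Only NoSchedule and NoExecute reject a pod; PreferNoSchedule is a preference.
    hard_effects = ("NoSchedule", "NoExecute")
    return [
        taint for taint in taints
        if taint["effect"] in hard_effects
        and not any(tolerates(tol, taint) for tol in tolerations)
    ]


# Constructed node taints: one hard, one soft.
NODE_TAINTS = [
    {"key": "dedicated", "value": "security-tools", "effect": "NoSchedule"},
    {"key": "maintenance", "value": "", "effect": "PreferNoSchedule"},
]

# Constructed toleration list, in the shape assumed for the `tolerations` value.
AGENT_TOLERATIONS = [
    {"key": "dedicated", "operator": "Equal", "value": "security-tools", "effect": "NoSchedule"},
]

if __name__ == "__main__":
    print("no tolerations  ->", blocking_taints([], NODE_TAINTS))
    print("with toleration ->", blocking_taints(AGENT_TOLERATIONS, NODE_TAINTS))
```

A toleration with no key and `operator: Exists` matches every taint, so it allows the agent onto any tainted node, including nodes reserved for other workloads. Prefer a toleration scoped to a specific key and effect.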
