Use this reference when configuring additional parameters of the load-balancer-and-ingress-service add-on or managing AKO objects (aviinfrasetting, gatewayclass, gateway) via the Custom Resources (CRs) tab.
Configurable parameters
Some parameters apply only to a particular topology (e.g. an NSX-T environment) or a particular feature (e.g. Provide cluster control plane HA with Avi). Set these parameters carefully, based on your actual environment.
| Parameter | Description | Type | Default value | Note |
|---|---|---|---|---|
| cloudName | Cloud name configured in the Avi Controller | string | | Mandatory, formatted on UI |
| controllerVersion | Avi Controller version | string | 20.1.3 | |
| controlPlaneNetwork.cidr | Control plane network CIDR of the cluster | string | | Only applies when using the Avi control plane HA feature |
| controlPlaneNetwork.name | Control plane network name of the cluster | string | | Only applies when using the Avi control plane HA feature |
| defaultServiceEngineGroup | Service engine group name configured in the Avi Controller | string | | Mandatory, formatted on UI |
| defaultVipNetwork | VIP network name in the Avi Controller | string | | Mandatory, formatted on UI |
| defaultVipNetworkCidr | VIP network CIDR in the Avi Controller | string | | Mandatory, formatted on UI |
| defaultVipNetworkIpPools.end | Ending IP address of the pool | string | | |
| defaultVipNetworkIpPools.start | Starting IP address of the pool | string | | |
| defaultVipNetworkIpPools.type | Type of IP address | enum["V4"] | V4 | |
| extraConfigs.apiServerPort | Internal port of AKO's API server, used by the liveness probe of the AKO pod | integer | 8080 | |
| extraConfigs.disableStaticRouteSync | Whether AKO should sync static routes. If the pod networks are reachable from the Avi SE, set this to true; otherwise leave it false | boolean | false | |
| extraConfigs.enableEvents | Enables or disables event broadcasting by AKO | boolean | false | |
| extraConfigs.enableEVH | Enables the Enhanced Virtual Hosting model in the Avi Controller for the Virtual Services | boolean | false | |
| extraConfigs.fullSyncFrequency | How often AKO polls the Avi Controller to refresh its cloud configuration | string | 1800 | |
| extraConfigs.ingress.defaultIngressController | Makes AKO the default ingress controller | boolean | false | |
| extraConfigs.ingress.disableIngressClass | Prevents the AKO Operator from installing the AKO IngressClass into workload clusters | boolean | true | |
| extraConfigs.ingress.enableMCI | Tells AKO to start processing multi-cluster ingress objects | boolean | false | |
| extraConfigs.ingress.nodeNetworkList.cidrs | Cluster node network CIDRs | string list | | Mandatory when extraConfigs.ingress.serviceType is ClusterIP, formatted on UI |
| extraConfigs.ingress.nodeNetworkList.name | Cluster node network name | string | | Mandatory when extraConfigs.ingress.serviceType is ClusterIP, formatted on UI |
| extraConfigs.ingress.noPGForSNI | Removes pool groups from SNI VSes. Do not use this flag if you don't want HTTP caching | boolean | false | |
| extraConfigs.ingress.passthroughShardSize | Controls the number of passthrough virtual services | enum["SMALL", "MEDIUM", "LARGE"] | SMALL | |
| extraConfigs.ingress.serviceType | Ingress method for a service | enum["ClusterIP", "NodePort", "NodePortLocal"] | ClusterIP | Mandatory, formatted on UI |
| extraConfigs.ingress.shardVSSize | Size of the ingress shared virtual service | enum["SMALL", "MEDIUM", "LARGE", "DEDICATED"] | SMALL | |
| extraConfigs.l4Config.autoFQDN | Controls FQDN generation: `default` (`<svc>.<ns>.<subdomain>`), `flat` (`<svc>-<ns>.<subdomain>`) or `disabled` | enum["default", "flat", "disabled"] | disabled | |
| extraConfigs.l4Config.defaultDomain | Default sub-domain to use for L4 VSes when multiple sub-domains are configured in the cloud | string | | |
| extraConfigs.layer7Only | Restricts AKO to layer 7 load balancing only | boolean | false | |
| extraConfigs.log.logFile | Log file name | string | | |
| extraConfigs.log.logLevel | AKO pod log level | enum["INFO", "DEBUG", "WARN", "ERROR"] | INFO | |
| extraConfigs.log.mountPath | Path at which to mount the PVC | string | | |
| extraConfigs.log.persistentVolumeClaim | PVC to use for AKO logging, if any | string | | |
| extraConfigs.namespaceSelector.labelKey | Label key used for namespace migration. The same label key must be present on each namespace that needs migration/sync to AKO | string | | |
| extraConfigs.namespaceSelector.labelValue | Label value used for namespace migration. The same label value must be present on each namespace that needs migration/sync to AKO | string | | |
| extraConfigs.networksConfig.bgpPeerLabels | BGP peer labels, used for selective VsVip advertisement | string list | | |
| extraConfigs.networksConfig.enableRHI | Cluster-wide setting for BGP peering | boolean | false | |
| extraConfigs.networksConfig.nsxtT1LR | T1 Logical Segment mapping for the backend network | string | | Only applies to NSX-T cloud |
| extraConfigs.nodePortSelector.key | Node port selector key; only applicable if serviceType is NodePort | string | | |
| extraConfigs.nodePortSelector.value | Node port selector value; only applicable if serviceType is NodePort | string | | |
| extraConfigs.primaryInstance | Whether this AKO instance is primary (`true`). When multiple AKO instances are deployed in a cluster, only one of them should be primary | boolean | true | |
| extraConfigs.rbac.pspEnabled | Deploys a PodSecurityPolicy that grants AKO the proper role | boolean | false | |
| extraConfigs.rbac.pspPolicyAPIVersion | API version of the PodSecurityPolicy | string | | |
| extraConfigs.servicesAPI | Enables AKO in services API mode. Currently implemented only for L4. This flag uses the upstream GA APIs, which are not backward compatible with the advancedL4 APIs (a fork at version v1alpha1pre1) | boolean | true | |
| extraConfigs.vipPerNamespace | Tells AKO to create a parent VS per namespace in EVH mode | boolean | false | |
| tenant.context | Type of the Avi tenant context | enum["Provider", "Tenant"] | Provider | This field is immutable |
| tenant.name | Name of the tenant | string | | This field is immutable |
| workloadCredentialRef.name | Name of a Secret resource that holds the credentials used to access and configure the Avi Controller: `username` (basic-auth username for the Avi REST API) and `password` (basic-auth password for the Avi REST API). This field is optional; when it is not specified, a username/password pair is generated automatically for each cluster, and tenant must be non-nil in that case | string | | |
| workloadCredentialRef.namespace | Namespace of the Secret resource that holds the username and password | string | | |
The simplest CR sample is:

```yaml
metadata:
  name: load-balancer-and-ingress-service
  clusterName: wc0
spec:
  name: load-balancer-and-ingress-service
  clusterRef:
    name: wc0
    namespace: wc0
  config:
    stringData:
      values.yaml: |
        cloudName: vcenter-cloud0
        defaultServiceEngineGroup: wc0-se-group
        defaultVipNetwork: oam-vip-dvpg
        defaultVipNetworkCidr: 172.16.73.0/24
        extraConfigs:
          ingress:
            serviceType: ClusterIP
            nodeNetworkList:
            - networkName: cluster-mgmt-dvpg
              cidrs:
              - 172.16.68.0/22
```
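As an added example (not code from this page, TCA or AKO), the following Python checks a values.yaml block, already loaded into a dict, against the cross-field constraints the parameter table documents: the mandatory fields, the VIP pool lying inside defaultVipNetworkCidr, nodeNetworkList being required for ClusterIP, nodePortSelector applying only to NodePort, and tenant being required when no workloadCredentialRef is given. The sample dict is constructed for the example and deliberately contains two violations.

```python
import ipaddress

# Constructed sample, not from the page: the add-on CR's values.yaml block as the
# dict yaml.safe_load() would return. nodePortSelector is deliberately set with a
# ClusterIP serviceType, and neither tenant nor workloadCredentialRef is given.
SAMPLE_VALUES = {
    "cloudName": "vcenter-cloud0",
    "defaultServiceEngineGroup": "wc0-se-group",
    "defaultVipNetwork": "oam-vip-dvpg",
    "defaultVipNetworkCidr": "172.16.73.0/24",
    "defaultVipNetworkIpPools": {"start": "172.16.73.10", "end": "172.16.73.50", "type": "V4"},
    "extraConfigs": {
        "ingress": {"serviceType": "ClusterIP",
                    "nodeNetworkList": [{"networkName": "cluster-mgmt-dvpg",
                                         "cidrs": ["172.16.68.0/22"]}]},
        "nodePortSelector": {"key": "role", "value": "lb"},
    },
}
MANDATORY = ("cloudName", "defaultServiceEngineGroup", "defaultVipNetwork", "defaultVipNetworkCidr")


def validate_values(values):
    """Return the list of violated constraints from the parameter table (empty if clean)."""
    findings = [f"{k} is mandatory" for k in MANDATORY if not values.get(k)]
    # The VIP pool must be ordered and lie inside defaultVipNetworkCidr.
    pool = values.get("defaultVipNetworkIpPools") or {}
    if pool and values.get("defaultVipNetworkCidr"):
        vip_net = ipaddress.ip_network(values["defaultVipNetworkCidr"], strict=False)
        start, end = ipaddress.ip_address(pool["start"]), ipaddress.ip_address(pool["end"])
        if start > end:
            findings.append("defaultVipNetworkIpPools: start is after end")
        elif start not in vip_net or end not in vip_net:
            findings.append("defaultVipNetworkIpPools: pool is outside defaultVipNetworkCidr")
    extra = values.get("extraConfigs") or {}
    ingress = extra.get("ingress") or {}
    svc_type = ingress.get("serviceType", "ClusterIP")  # table default
    nets = ingress.get("nodeNetworkList") or []
    if svc_type == "ClusterIP":
        if not nets:
            findings.append("nodeNetworkList is mandatory when serviceType is ClusterIP")
        # The table names the key "name" while the sample CR uses "networkName": accept both.
        for net in nets:
            if not (net.get("name") or net.get("networkName")) or not net.get("cidrs"):
                findings.append("each nodeNetworkList entry needs a network name and cidrs")
    if extra.get("nodePortSelector") and svc_type != "NodePort":
        findings.append("nodePortSelector only applies when serviceType is NodePort")
    # Without a workloadCredentialRef, credentials are generated per cluster and tenant is required.
    if not values.get("workloadCredentialRef") and not values.get("tenant"):
        findings.append("tenant must be set when workloadCredentialRef is not specified")
    return findings
```

Run `validate_values()` on the dict before applying the CR; an empty list means the documented constraints hold, which does not replace the UI-side formatting checks the table mentions.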
Managing AKO objects via load-balancer-and-ingress-service add-on
Append an aviObjects section to the load-balancer-and-ingress-service add-on CR to manage the lifecycle of AKO objects (aviinfrasetting, gatewayclass, gateway).
A sample CR with aviObjects is:

```yaml
metadata:
  name: load-balancer-and-ingress-service
  clusterName: wc0
spec:
  name: load-balancer-and-ingress-service
  clusterRef:
    name: wc0
    namespace: wc0
  config:
    stringData:
      values.yaml: |
        cloudName: vcenter-cloud0
        defaultServiceEngineGroup: wc0-se-group
        defaultVipNetwork: oam-vip-dvpg
        defaultVipNetworkCidr: 172.16.73.0/24
        extraConfigs:
          ingress:
            serviceType: ClusterIP
            nodeNetworkList:
            - networkName: cluster-mgmt-dvpg
              cidrs:
              - 172.16.68.0/22
  aviObjects:
    aviinfrasettings:
    - metadata:
        name: ais0
      spec:
        seGroup:
          name: wc0-se-group
        network:
          vipNetworks:
          - networkName: oam-vip-dvpg
        l7Settings:
          shardSize: MEDIUM
    - metadata:
        name: ais1
      spec:
        seGroup:
          name: wc0-se-group
        network:
          vipNetworks:
          - networkName: sig-vip-dvpg
        l7Settings:
          shardSize: MEDIUM
    gatewayclasses:
    - metadata:
        name: gwc0
      spec:
        controller: ako.vmware.com/avi-lb
        parametersRef:
          group: ako.vmware.com
          kind: AviInfraSetting
          name: ais0
    gateways:
    - metadata:
        name: gw0
        namespace: gw0
      spec:
        gatewayClassName: gwc0
        listeners:
        - protocol: TCP
          port: 80
          routes:
            selector:
              matchLabels:
                ako.vmware.com/gateway-namespace: gw0
                ako.vmware.com/gateway-name: gw0
            group: v1
            kind: Service
        - protocol: TCP
          port: 8081
          routes:
            selector:
              matchLabels:
                ako.vmware.com/gateway-namespace: gw0
                ako.vmware.com/gateway-name: gw0
            group: v1
            kind: Service
```
In this sample CR, two aviinfrasetting objects (ais0 and ais1), one gatewayclass object (gwc0) and one gateway object (gw0) are created, or updated if they already exist. Aviinfrasetting objects can be created with `enableRhi: true` and `bgpPeerLabels` as needed.
To delete AKO objects from the workload cluster, edit the load-balancer-and-ingress-service add-on, switch to the Custom Resources (CRs) tab, and remove the specific objects from the `aviObjects` section. TCA creates the namespace for gateway objects if it does not exist, but it does not delete that namespace when the gateway objects are deleted.