Configuration
The KPC loads configuration data from a file (typically backed by a Kubernetes config map). The location of the configuration file is sourced from an environment variable. If the service is unable to retrieve the configuration data, it will not start. Refer to the configuration for details.
Service configuration structure
The recommended configuration format is YAML. The below sections describe the officially supported configuration options that influence various aspects of the service functionality. The service may support options other than the ones listed below, but those are not a part of the public API and may be changed or deleted at any time.
General
KPC uses its service instance name and replica ID for communication with other services and load balancing across replicas (for example, see 3/ISM). You can control the values with the following configuration options:
service:
instance:
name: <string> # Service instance name, should be unique cluster-wide. "kpc" by default.
replica.id: <string> # Service instance replica ID, should be unique cluster-wide. Random string by default.
graceful-shutdown: <uint> # Allowed service graceful shutdown period in seconds. 30 seconds by default.
MQTT transport
KPC implements 1/KP protocol over MQTT that can be exposed plain, over TLS, and over websockets.
Only plain MQTT is enabled by default, but you can configure up to all three interfaces to function concurrently, if necessary.
MQTT over websocket interface processes client connections on /ws path of the configured port.
Below are the most important configuration options.
kaa:
kpc:
transports:
mqtt:
tcp:
# Plain MQTT over TCP transport configuration.
enabled: <boolean> # Enables MQTT transport; true by default.
port: <unsigned short integer> # Port number to expose the MQTT interface at; 1883 by default.
tls:
# MQTT over TLS transport configuration.
enabled: <boolean> # Enables MQTT/TLS transport; false by default.
port: <unsigned short integer> # Port number to expose the MQTT/TLS interface at; 8883 by default.
cert-file: <string> # Location of a PEM-encoded server certificate file; "/run/ssl/tls.crt" by default.
cert-key-file: <string> # Location of a PEM-encoded server certificate key file; "/run/ssl/tls.key" by default.
client-auth:
required: <bool> # Whether to require certificate-base client authentication. In addition to the standard client's certificate validity verification, KPC will use the configured authentication interface to perform an additional certificate check. False by default.
trust-store-file: <string> # Location of a PEM-encoded server trust store file; "/run/ssl/ca.crt" by default.
ws:
# MQTT over Websocket transport configuration.
enabled: <boolean> # Enables MQTT/Websocket transport; false by default.
port: <unsigned short integer> # Port number to expose the MQTT/Websocket interface at; 9001 by default.
plain-auth.required: <bool> # Whether to require the client plain (username / password) configuration authentication. Applies to all MQTT-based transport. False by default.
client-message:
timeout: # The maximum allowed message processing duration in milliseconds, after which client message expires. KPC sets this timeout in downstream messages to other services, which must respect the timeout. Value of 0 indicates no expiration. 10,000 (10 seconds) by default.
Extension instances
Extension instances configuration is necessary for KPC to know which extension service instances are endpoint-aware, and which ones are not. By default, extensions are considered endpoint-aware. KPC will not allow endpoint communication to extensions not listed here.
kaa.kpc.extensions: # List of extension instances
<extension instance name>: # Extension service instance name
endpoint-aware: <boolean> # Specifies whether the extension is endpoint-aware. True by default.
...
Kaa applications
Many Kaa services can be configured for different behavior depending on the application version of the endpoint the processed data relates to.
This is called appversion-specific behavior and is handled in service configurations under kaa.applications.
KPC supports configuring a whitelist of allowed extension services per each application version. KPC will only allow endpoints to communicate to extension service instances listed in their application version. This configuration is optional, and no filtering occurs if the list of extensions is not configured.
kaa:
applications:
<application 1 name>:
versions:
<application 1 version 1 name>:
allowed-extension-instances:
# List of names of extension service instances that endpoints in this application version are allowed to
# communicate with. Optional.
- <service instance name>
<application 1 version 2 name>: # Multiple application versions can be configured under the "versions" key
...
<application 2 name>: # Multiple applications can be configured under the "applications" key
...
For example:
kaa:
applications:
smartKettle:
versions:
kettle_v1: # "kettle_v1" application version is configured with no filtering by extensions
kettle_v2: # "kettle_v2" only allows "dcx" and "epmx" extension instances
allowed-extension-instances:
- dcx
- epmx
kettle_v3: # "kettle_v3" explicitly specifies no restriction for extension instances. No filtering occurs.
allowed-extension-instances:
Authentication interface for clients and endpoints
KPC uses the authentication interface to authenticate clients and endpoints. Use the below parameters to configure this interface.
kaa.ecap.consumer:
provider:
service-instance-name: <service instance name> # Instance name of the service used to authenticate clients and endpoints. "cm" by default.
timeout: <uint> # Request timeout in milliseconds for all requests to ECAP Provider. 10,000 (10 seconds) by default.
NATS
The below parameters configure KPC’s connection to NATS broker, as well as the NATS message adapters used by KPC. Note that, for security reasons, in case the NATS connection requires credentials, you should set it with the environment variables.
nats.urls: <comma separated list of URL> # NATS connection URLs. "nats://nats:4222" by default.
kaa.esp.client.concurrency: <uint> # Number of concurrent workers to read NATS-based messages from extension service. 8 by default.
Consider configuring concurrency options to at least match the number of CPUs available on your infrastructure.
Monitoring
To control the KPC management interface, use the following configuration options.
service.monitoring:
disabled: <boolean> # Disables the monitoring interface entirely. False by default (enabled).
port: <uint> # TCP port to expose the monitoring server on. 8080 by default.
Logging
KPC writes logs to stdout.
By default, the service only produces logs at startup, shutdown, or in case of errors.
To enable debug level logging, use the following option:
service:
debug: <boolean> # Enables debug level logging, false by default (disabled).
Keep in mind that enabling debug level logging will produce significantly more log output and degrade the service performance.
Default configuration
Summarizing the above, the default KPC configuration is as follows. Note that no Kaa applications are defined by default—you have to configure those for any specific Kaa-based solution.
service:
instance:
name: "kpc"
replica.id: "<random string generated on boot>"
monitoring:
disabled: false
port: 8080
graceful-shutdown: 30 # seconds
debug: false
kaa:
kpc:
transports:
mqtt:
tcp:
enabled: true
port: 1883
tls:
enabled: false
port: 8883
cert-file: "/run/ssl/tls.crt"
cert-key-file: "/run/ssl/tls.key"
client-auth:
required: false
trust-store-file: "/run/ssl/ca.crt"
ws:
enabled: false
port: 9001
plain-auth.required: false
client-message:
timeout: 10000 # milliseconds
ecap.consumer:
provider:
service-instance-name: cm
timeout: 10000 # milliseconds
applications: # none; at least one must be configured to start
nats.urls: nats://nats:4222
kaa.esp.client.concurrency: 8
