Galley provides configuration management services for Istio.
| Flags | Shorthand | Description |
|---|---|---|
--config <string> |
-c |
Config file containing args (default ``) |
--log_as_json |
Whether to format output as JSON or in plain console-friendly format | |
--log_caller <string> |
Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] (default ``) | |
--log_output_level <string> |
Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) | |
--log_rotate <string> |
The path for the optional rotating log file (default ``) | |
--log_rotate_max_age <int> |
The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`) | |
--log_rotate_max_backups <int> |
The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) | |
--log_rotate_max_size <int> |
The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) | |
--log_stacktrace_level <string> |
Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) | |
--log_target <stringArray> |
The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) |
Check the liveness or readiness of a locally-running server
galley probe [flags]
| Flags | Shorthand | Description |
|---|---|---|
--config <string> |
-c |
Config file containing args (default ``) |
--interval <duration> |
Duration used for checking the target file's last modified time. (default `0s`) | |
--log_as_json |
Whether to format output as JSON or in plain console-friendly format | |
--log_caller <string> |
Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] (default ``) | |
--log_output_level <string> |
Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) | |
--log_rotate <string> |
The path for the optional rotating log file (default ``) | |
--log_rotate_max_age <int> |
The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`) | |
--log_rotate_max_backups <int> |
The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) | |
--log_rotate_max_size <int> |
The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) | |
--log_stacktrace_level <string> |
Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) | |
--log_target <stringArray> |
The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) | |
--probe-path <string> |
Path of the file for checking the availability. (default ``) |
Starts Galley as a server
galley server [flags]
| Flags | Shorthand | Description |
|---|---|---|
--accessListFile <string> |
The access list yaml file that contains the allowd mTLS peer ids. (default `/etc/config/accesslist.yaml`) | |
--caCertFile <string> |
File containing the caBundle that signed the cert/key specified by --tlsCertFile and --tlsKeyFile. (default `/etc/certs/root-cert.pem`) | |
--config <string> |
-c |
Config file containing args (default ``) |
--configPath <string> |
Istio config file path (default ``) | |
--ctrlz_address <string> |
The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`) | |
--ctrlz_port <uint16> |
The IP port to use for the ControlZ introspection facility (default `9876`) | |
--deployment-name <string> |
Name of the deployment for the validation pod (default `istio-galley`) | |
--deployment-namespace <string> |
Namespace of the deployment for the validation pod (default `istio-system`) | |
--disableResourceReadyCheck |
Disable resource readiness checks. This allows Galley to start if not all resource types are supported | |
--domain <string> |
DNS domain suffix (default `cluster.local`) | |
--enable-reconcileWebhookConfiguration |
Enable reconciliation for webhook configuration. | |
--enable-server |
Run galley server mode | |
--enable-validation |
Run galley validation mode | |
--enableProfiling |
Enable profiling for Galley | |
--enableServiceDiscovery |
Enable service discovery processing in Galley | |
--excludedResourceKinds <stringSlice> |
Comma-separated list of resource kinds that should not generate source events (default `[Endpoints,Namespace,Node,Pod,Service]`) | |
--insecure |
Use insecure gRPC communication | |
--kubeconfig <string> |
Use a Kubernetes configuration file instead of in-cluster configuration (default ``) | |
--livenessProbeInterval <duration> |
Interval of updating file for the Galley liveness probe. (default `2s`) | |
--livenessProbePath <string> |
Path to the file for the Galley liveness probe. (default `/healthLiveness`) | |
--log_as_json |
Whether to format output as JSON or in plain console-friendly format | |
--log_caller <string> |
Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] (default ``) | |
--log_output_level <string> |
Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) | |
--log_rotate <string> |
The path for the optional rotating log file (default ``) | |
--log_rotate_max_age <int> |
The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`) | |
--log_rotate_max_backups <int> |
The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) | |
--log_rotate_max_size <int> |
The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) | |
--log_stacktrace_level <string> |
Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) | |
--log_target <stringArray> |
The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) | |
--meshConfigFile <string> |
Path to the mesh config file (default `/etc/mesh-config/mesh`) | |
--monitoringPort <uint> |
Port to use for exposing self-monitoring information (default `15014`) | |
--pprofPort <uint> |
Port to use for exposing profiling (default `9094`) | |
--readinessProbeInterval <duration> |
Interval of updating file for the Galley readiness probe. (default `2s`) | |
--readinessProbePath <string> |
Path to the file for the Galley readiness probe. (default `/healthReadiness`) | |
--resyncPeriod <duration> |
Resync period for rescanning Kubernetes resources (default `0s`) | |
--server-address <string> |
Address to use for Galley's gRPC API, e.g. tcp://localhost:9092 or unix:///path/to/file (default `tcp://0.0.0.0:9901`) | |
--server-maxConcurrentStreams <uint> |
Maximum number of outstanding RPCs per connection (default `1024`) | |
--server-maxReceivedMessageSize <uint> |
Maximum size of individual gRPC messages (default `1048576`) | |
--service-name <string> |
Name of the validation service running in the same namespace as the deployment (default `istio-galley`) | |
--sinkAddress <string> |
Address of MCP Resource Sink server for Galley to connect to. Ex: 'foo.com:1234' (default ``) | |
--sinkAuthMode <string> |
Name of authentication plugin to use for connection to sink server. (default ``) | |
--sinkMeta <stringSlice> |
Comma-separated list of key=values to attach as metadata to outgoing sink connections. Ex: 'key=value,key2=value2' (default `[]`) | |
--tlsCertFile <string> |
File containing the x509 Certificate for HTTPS. (default `/etc/certs/cert-chain.pem`) | |
--tlsKeyFile <string> |
File containing the x509 private key matching --tlsCertFile. (default `/etc/certs/key.pem`) | |
--useOldProcessor |
Use the old processing pipeline for config processing | |
--validation-port <uint> |
HTTPS port of the validation service. Must be 443 if service has more than one port (default `443`) | |
--validation-webhook-config-file <string> |
File that contains k8s validatingwebhookconfiguration yaml. Required if enable-validation is true. (default ``) | |
--webhook-name <string> |
Name of the k8s validatingwebhookconfiguration (default `istio-galley`) |
general:
introspection:
address: --ctrlz_address
port: --ctrlz_port
kubeconfig: --kubeconfig
processing:
domainsuffix: --domain
server:
address: --server-address
auth:
insecure: --insecure
enable: --enable-server
validation:
deploymentname: --deployment-name
deploymentnamespace: --deployment-namespace
enable: --enable-validation
servicename: --service-name
tls:
caCertificates: --validation.tls.caCertificates
clientCertificate: --validation.tls.clientCertificate
privateKey: --validation.tls.privateKey
webhookconfigfile: --validation-webhook-config-file
webhookname: --webhook-name
webhookport: --validation-port
Prints out build version information
galley version [flags]
| Flags | Shorthand | Description |
|---|---|---|
--config <string> |
-c |
Config file containing args (default ``) |
--log_as_json |
Whether to format output as JSON or in plain console-friendly format | |
--log_caller <string> |
Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] (default ``) | |
--log_output_level <string> |
Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) | |
--log_rotate <string> |
The path for the optional rotating log file (default ``) | |
--log_rotate_max_age <int> |
The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`) | |
--log_rotate_max_backups <int> |
The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) | |
--log_rotate_max_size <int> |
The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) | |
--log_stacktrace_level <string> |
Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, analysis, attributes, conversions, default, grpcAdapter, kube, kube-converter, mcp, meshconfig, model, processing, rbac, resource, runtime, server, source, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) | |
--log_target <stringArray> |
The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`) | |
--output <string> |
-o |
One of 'yaml' or 'json'. (default ``) |
--short |
-s |
Use --short=false to generate full version information |
galley command.
| Variable Name | Type | Default Value | Description |
|---|---|---|---|
AUTHZ_FAILURE_LOG_BURST_SIZE |
Integer | 1 |
|
AUTHZ_FAILURE_LOG_FREQ |
Time Duration | 1m0s |
| Metric Name | Type | Description |
|---|---|---|
galley_runtime_processor_event_span_duration_milliseconds | Distribution | The duration between each incoming event |
galley_runtime_processor_events_processed_total | Count | The number of events that have been processed |
galley_runtime_processor_snapshot_events_total | Distribution | The number of events per snapshot |
galley_runtime_processor_snapshot_lifetime_duration_milliseconds | Distribution | The duration of each snapshot |
galley_runtime_processor_snapshots_published_total | Count | The number of snapshots that have been published |
galley_runtime_state_type_instances_total | LastValue | The number of type instances per type URL |
galley_runtime_strategy_on_change_total | Count | The number of times the strategy's onChange has been called |
galley_runtime_strategy_timer_max_time_reached_total | Count | The number of times the max time has been reached |
galley_runtime_strategy_timer_quiesce_reached_total | Count | The number of times a quiesce has been reached |
galley_runtime_strategy_timer_resets_total | Count | The number of times the timer has been reset |
galley_source_kube_dynamic_converter_failure_total | Count | The number of times a dynamnic kubernetes source failed converting a resources |
galley_source_kube_dynamic_converter_success_total | Count | The number of times a dynamic kubernetes source successfully converted a resource |
galley_source_kube_event_error_total | Count | The number of times a kubernetes source encountered errored while handling an event |
galley_source_kube_event_success_total | Count | The number of times a kubernetes source successfully handled an event |
galley_validation_cert_key_update_errors | Count | Galley validation webhook certificate updates errors |
galley_validation_cert_key_updates | Count | Galley validation webhook certificate updates |
galley_validation_config_load | Count | k8s webhook configuration (re)loads |
galley_validation_config_load_error | Count | k8s webhook configuration (re)load error |
galley_validation_config_update_error | Count | k8s webhook configuration update error |
galley_validation_config_updates | Count | k8s webhook configuration updates |
galley_validation_failed | Count | Resource validation failed |
galley_validation_http_error | Count | Resource validation http serve errors |
galley_validation_passed | Count | Resource is valid |
istio_build | LastValue | Istio component build info |
istio_mcp_clients_total | LastValue | The number of streams currently connected. |
istio_mcp_message_sizes_bytes | Distribution | Size of messages received from clients. |
istio_mcp_reconnections | Sum | The number of times the sink has reconnected. |
istio_mcp_recv_failures_total | Sum | The number of recv failures in the source. |
istio_mcp_request_acks_total | Sum | The number of request acks received by the source. |
istio_mcp_request_nacks_total | Sum | The number of request nacks received by the source. |
istio_mcp_send_failures_total | Sum | The number of send failures in the source. |