openshift-docs/modules/network-observability-flowcollector-api-specifications.adoc

// Automatically generated by 'openshift-apidocs-gen'. Do not edit.
:_mod-docs-content-type: REFERENCE
[id="network-observability-flowcollector-api-specifications_{context}"]
= FlowCollector API specifications



Description::
+
--
`FlowCollector` is the schema for the network flows collection API, which pilots and configures the underlying deployments.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `apiVersion`
| `string`
| APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and might reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

| `kind`
| `string`
| Kind is a string value representing the REST resource this object represents. Servers might infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

| `metadata`
| `object`
| Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata

| `spec`
| `object`
| Defines the desired state of the FlowCollector resource.
 +
 +

*: the mention of "unsupported" or "deprecated" for a feature throughout this document means that this feature
is not officially supported by Red Hat. It might have been, for example, contributed by the community
and accepted without a formal agreement for maintenance. The product maintainers might provide some support
for these features as a best effort only.

|===
== .metadata
Description::
+
--
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
--

Type::
  `object`




== .spec
Description::
+
--
Defines the desired state of the FlowCollector resource.
 +
 +

*: the mention of "unsupported" or "deprecated" for a feature throughout this document means that this feature
is not officially supported by Red Hat. It might have been, for example, contributed by the community
and accepted without a formal agreement for maintenance. The product maintainers might provide some support
for these features as a best effort only.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `agent`
| `object`
| Agent configuration for flows extraction.

| `consolePlugin`
| `object`
| `consolePlugin` defines the settings related to the {product-title} Console plugin, when available.

| `deploymentModel`
| `string`
| `deploymentModel` defines the desired type of deployment for flow processing. Possible values are: +

- `Direct` (default) to make the flow processor listen directly from the agents. Only recommended on small clusters, below 15 nodes. +

- `Kafka` to make flows sent to a Kafka pipeline before consumption by the processor. +

Kafka can provide better scalability, resiliency, and high availability (for more details, see https://www.redhat.com/en/topics/integration/what-is-apache-kafka).

| `exporters`
| `array`
| `exporters` defines additional optional exporters for custom consumption or storage.

| `kafka`
| `object`
| Kafka configuration, allowing to use Kafka as a broker as part of the flow collection pipeline. Available when the `spec.deploymentModel` is `Kafka`.

| `loki`
| `object`
| `loki`, the flow store, client settings.

| `namespace`
| `string`
| Namespace where Network Observability pods are deployed.

| `networkPolicy`
| `object`
| `networkPolicy` defines network policy settings for Network Observability components isolation.

| `processor`
| `object`
| `processor` defines the settings of the component that receives the flows from the agent,
enriches them, generates metrics, and forwards them to the Loki persistence layer and/or any available exporter.

| `prometheus`
| `object`
| `prometheus` defines Prometheus settings, such as querier configuration used to fetch metrics from the Console plugin.

|===
== .spec.agent
Description::
+
--
Agent configuration for flows extraction.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `ebpf`
| `object`
| `ebpf` describes the settings related to the eBPF-based flow reporter when `spec.agent.type`
is set to `eBPF`.

| `type`
| `string`
| `type` [deprecated (*)] selects the flows tracing agent. Previously, this field allowed to select between `eBPF` or `IPFIX`.
Only `eBPF` is allowed now, so this field is deprecated and is planned for removal in a future version of the API.

|===
== .spec.agent.ebpf
Description::
+
--
`ebpf` describes the settings related to the eBPF-based flow reporter when `spec.agent.type`
is set to `eBPF`.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `advanced`
| `object`
| `advanced` allows setting some aspects of the internal configuration of the eBPF agent.
This section is aimed mostly for debugging and fine-grained performance optimizations,
such as `GOGC` and `GOMAXPROCS` environment variables. Set these values at your own risk. You can also
override the default Linux capabilities from there.

| `cacheActiveTimeout`
| `string`
| `cacheActiveTimeout` is the max period during which the reporter aggregates flows before sending.
Increasing `cacheMaxFlows` and `cacheActiveTimeout` can decrease the network traffic overhead and the CPU load,
however you can expect higher memory consumption and an increased latency in the flow collection.

| `cacheMaxFlows`
| `integer`
| `cacheMaxFlows` is the max number of flows in an aggregate; when reached, the reporter sends the flows.
Increasing `cacheMaxFlows` and `cacheActiveTimeout` can decrease the network traffic overhead and the CPU load,
however you can expect higher memory consumption and an increased latency in the flow collection.

| `excludeInterfaces`
| `array (string)`
| `excludeInterfaces` contains the interface names that are excluded from flow tracing.
An entry enclosed by slashes, such as `/br-/`, is matched as a regular expression.
Otherwise it is matched as a case-sensitive string.

| `features`
| `array (string)`
| List of additional features to enable. They are all disabled by default. Enabling additional features might have performance impacts. Possible values are: +

- `PacketDrop`: Enable the packets drop flows logging feature. This feature requires mounting
the kernel debug filesystem, so the eBPF agent pods must run as privileged via `spec.agent.ebpf.privileged`. +

- `DNSTracking`: Enable the DNS tracking feature. +

- `FlowRTT`: Enable flow latency (sRTT) extraction in the eBPF agent from TCP traffic. +

- `NetworkEvents`: Enable the network events monitoring feature, such as correlating flows and network policies.
This feature requires mounting the kernel debug filesystem, so the eBPF agent pods must run as privileged via `spec.agent.ebpf.privileged`.
It requires using the OVN-Kubernetes network plugin with the Observability feature.
IMPORTANT: This feature is available as a Technology Preview. +

- `PacketTranslation`: Enable enriching flows with packet translation information, such as Service NAT. +

- `EbpfManager`: [Unsupported (*)]. Use eBPF Manager to manage Network Observability eBPF programs. Pre-requisite: the eBPF Manager operator (or upstream bpfman operator) must be installed. +

- `UDNMapping`: Enable interfaces mapping to User Defined Networks (UDN).  +

This feature requires mounting the kernel debug filesystem, so the eBPF agent pods must run as privileged via `spec.agent.ebpf.privileged`.
It requires using the OVN-Kubernetes network plugin with the Observability feature.  +

- `IPSec`, to track flows between nodes with IPsec encryption.  +


| `flowFilter`
| `object`
| `flowFilter` defines the eBPF agent configuration regarding flow filtering.

| `imagePullPolicy`
| `string`
| `imagePullPolicy` is the Kubernetes pull policy for the image defined above

| `interfaces`
| `array (string)`
| `interfaces` contains the interface names from where flows are collected. If empty, the agent
fetches all the interfaces in the system, excepting the ones listed in `excludeInterfaces`.
An entry enclosed by slashes, such as `/br-/`, is matched as a regular expression.
Otherwise it is matched as a case-sensitive string.

| `kafkaBatchSize`
| `integer`
| `kafkaBatchSize` limits the maximum size of a request in bytes before being sent to a partition. Ignored when not using Kafka. Default: 1MB.

| `logLevel`
| `string`
| `logLevel` defines the log level for the Network Observability eBPF Agent

| `metrics`
| `object`
| `metrics` defines the eBPF agent configuration regarding metrics.

| `privileged`
| `boolean`
| Privileged mode for the eBPF Agent container. When set to `true`, the agent is able to capture more traffic, including from secondary interfaces.
When ignored or set to `false`, the operator sets granular capabilities (BPF, PERFMON, NET_ADMIN) to the container.
Some agent features require the privileged mode, such as packet drops tracking (see `features`) and SR-IOV support.

| `resources`
| `object`
| `resources` are the compute resources required by this container.
For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

| `sampling`
| `integer`
| Sampling interval of the eBPF probe. 100 means one packet on 100 is sent. 0 or 1 means all packets are sampled.

|===
== .spec.agent.ebpf.advanced
Description::
+
--
`advanced` allows setting some aspects of the internal configuration of the eBPF agent.
This section is aimed mostly for debugging and fine-grained performance optimizations,
such as `GOGC` and `GOMAXPROCS` environment variables. Set these values at your own risk. You can also
override the default Linux capabilities from there.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `capOverride`
| `array (string)`
| Linux capabilities override, when not running as privileged. Default capabilities are BPF, PERFMON and NET_ADMIN.

| `env`
| `object (string)`
| `env` allows passing custom environment variables to underlying components. Useful for passing
some very concrete performance-tuning options, such as `GOGC` and `GOMAXPROCS`, that should not be
publicly exposed as part of the FlowCollector descriptor, as they are only useful
in edge debug or support scenarios.

| `scheduling`
| `object`
| scheduling controls how the pods are scheduled on nodes.

|===
== .spec.agent.ebpf.advanced.scheduling
Description::
+
--
scheduling controls how the pods are scheduled on nodes.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `affinity`
| `object`
| If specified, the pod's scheduling constraints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.

| `nodeSelector`
| `object (string)`
| `nodeSelector` allows scheduling of pods only onto nodes that have each of the specified labels.
For documentation, refer to https://kubernetes.io/docs/concepts/configuration/assign-pod-node/.

| `priorityClassName`
| `string`
| If specified, indicates the pod's priority. For documentation, refer to https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#how-to-use-priority-and-preemption.
If not specified, default priority is used, or zero if there is no default.

| `tolerations`
| `array`
| `tolerations` is a list of tolerations that allow the pod to schedule onto nodes with matching taints.
For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.

|===
== .spec.agent.ebpf.advanced.scheduling.affinity
Description::
+
--
If specified, the pod's scheduling constraints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.
--

Type::
  `object`




== .spec.agent.ebpf.advanced.scheduling.tolerations
Description::
+
--
`tolerations` is a list of tolerations that allow the pod to schedule onto nodes with matching taints.
For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.
--

Type::
  `array`




== .spec.agent.ebpf.flowFilter
Description::
+
--
`flowFilter` defines the eBPF agent configuration regarding flow filtering.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `action`
| `string`
| `action` defines the action to perform on the flows that match the filter. The available options are `Accept`, which is the default, and `Reject`.

| `cidr`
| `string`
| `cidr` defines the IP CIDR to filter flows by.
Examples: `10.10.10.0/24` or `100:100:100:100::/64`

| `destPorts`
| `integer-or-string`
| `destPorts` optionally defines the destination ports to filter flows by.
To filter a single port, set a single port as an integer value. For example, `destPorts: 80`.
To filter a range of ports, use a "start-end" range in string format. For example, `destPorts: "80-100"`.
To filter two ports, use a "port1,port2" in string format. For example, `ports: "80,100"`.

| `direction`
| `string`
| `direction` optionally defines a direction to filter flows by. The available options are `Ingress` and `Egress`.

| `enable`
| `boolean`
| Set `enable` to `true` to enable the eBPF flow filtering feature.

| `icmpCode`
| `integer`
| `icmpCode`, for Internet Control Message Protocol (ICMP) traffic, optionally defines the ICMP code to filter flows by.

| `icmpType`
| `integer`
| `icmpType`, for ICMP traffic, optionally defines the ICMP type to filter flows by.

| `peerCIDR`
| `string`
| `peerCIDR` defines the Peer IP CIDR to filter flows by.
Examples: `10.10.10.0/24` or `100:100:100:100::/64`

| `peerIP`
| `string`
| `peerIP` optionally defines the remote IP address to filter flows by.
Example: `10.10.10.10`.

| `pktDrops`
| `boolean`
| `pktDrops` optionally filters only flows containing packet drops.

| `ports`
| `integer-or-string`
| `ports` optionally defines the ports to filter flows by. It is used both for source and destination ports.
To filter a single port, set a single port as an integer value. For example, `ports: 80`.
To filter a range of ports, use a "start-end" range in string format. For example, `ports: "80-100"`.
To filter two ports, use a "port1,port2" in string format. For example, `ports: "80,100"`.

| `protocol`
| `string`
| `protocol` optionally defines a protocol to filter flows by. The available options are `TCP`, `UDP`, `ICMP`, `ICMPv6`, and `SCTP`.

| `rules`
| `array`
| `rules` defines a list of filtering rules on the eBPF Agents.
When filtering is enabled, by default, flows that don't match any rule are rejected.
To change the default, you can define a rule that accepts everything: `{ action: "Accept", cidr: "0.0.0.0/0" }`, and then refine with rejecting rules.

| `sampling`
| `integer`
| `sampling` is the sampling interval for the matched packets, overriding the global sampling defined at `spec.agent.ebpf.sampling`.

| `sourcePorts`
| `integer-or-string`
| `sourcePorts` optionally defines the source ports to filter flows by.
To filter a single port, set a single port as an integer value. For example, `sourcePorts: 80`.
To filter a range of ports, use a "start-end" range in string format. For example, `sourcePorts: "80-100"`.
To filter two ports, use a "port1,port2" in string format. For example, `ports: "80,100"`.

| `tcpFlags`
| `string`
| `tcpFlags` optionally defines TCP flags to filter flows by.
In addition to the standard flags (RFC-9293), you can also filter by one of the three following combinations: `SYN-ACK`, `FIN-ACK`, and `RST-ACK`.

|===
== .spec.agent.ebpf.flowFilter.rules
Description::
+
--
`rules` defines a list of filtering rules on the eBPF Agents.
When filtering is enabled, by default, flows that don't match any rule are rejected.
To change the default, you can define a rule that accepts everything: `{ action: "Accept", cidr: "0.0.0.0/0" }`, and then refine with rejecting rules.
--

Type::
  `array`




== .spec.agent.ebpf.flowFilter.rules[]
Description::
+
--
`EBPFFlowFilterRule` defines the desired eBPF agent configuration regarding flow filtering rule.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `action`
| `string`
| `action` defines the action to perform on the flows that match the filter. The available options are `Accept`, which is the default, and `Reject`.

| `cidr`
| `string`
| `cidr` defines the IP CIDR to filter flows by.
Examples: `10.10.10.0/24` or `100:100:100:100::/64`

| `destPorts`
| `integer-or-string`
| `destPorts` optionally defines the destination ports to filter flows by.
To filter a single port, set a single port as an integer value. For example, `destPorts: 80`.
To filter a range of ports, use a "start-end" range in string format. For example, `destPorts: "80-100"`.
To filter two ports, use a "port1,port2" in string format. For example, `ports: "80,100"`.

| `direction`
| `string`
| `direction` optionally defines a direction to filter flows by. The available options are `Ingress` and `Egress`.

| `icmpCode`
| `integer`
| `icmpCode`, for Internet Control Message Protocol (ICMP) traffic, optionally defines the ICMP code to filter flows by.

| `icmpType`
| `integer`
| `icmpType`, for ICMP traffic, optionally defines the ICMP type to filter flows by.

| `peerCIDR`
| `string`
| `peerCIDR` defines the Peer IP CIDR to filter flows by.
Examples: `10.10.10.0/24` or `100:100:100:100::/64`

| `peerIP`
| `string`
| `peerIP` optionally defines the remote IP address to filter flows by.
Example: `10.10.10.10`.

| `pktDrops`
| `boolean`
| `pktDrops` optionally filters only flows containing packet drops.

| `ports`
| `integer-or-string`
| `ports` optionally defines the ports to filter flows by. It is used both for source and destination ports.
To filter a single port, set a single port as an integer value. For example, `ports: 80`.
To filter a range of ports, use a "start-end" range in string format. For example, `ports: "80-100"`.
To filter two ports, use a "port1,port2" in string format. For example, `ports: "80,100"`.

| `protocol`
| `string`
| `protocol` optionally defines a protocol to filter flows by. The available options are `TCP`, `UDP`, `ICMP`, `ICMPv6`, and `SCTP`.

| `sampling`
| `integer`
| `sampling` is the sampling interval for the matched packets, overriding the global sampling defined at `spec.agent.ebpf.sampling`.

| `sourcePorts`
| `integer-or-string`
| `sourcePorts` optionally defines the source ports to filter flows by.
To filter a single port, set a single port as an integer value. For example, `sourcePorts: 80`.
To filter a range of ports, use a "start-end" range in string format. For example, `sourcePorts: "80-100"`.
To filter two ports, use a "port1,port2" in string format. For example, `ports: "80,100"`.

| `tcpFlags`
| `string`
| `tcpFlags` optionally defines TCP flags to filter flows by.
In addition to the standard flags (RFC-9293), you can also filter by one of the three following combinations: `SYN-ACK`, `FIN-ACK`, and `RST-ACK`.

|===
== .spec.agent.ebpf.metrics
Description::
+
--
`metrics` defines the eBPF agent configuration regarding metrics.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `disableAlerts`
| `array (string)`
| `disableAlerts` is a list of alerts that should be disabled.
Possible values are: +

`NetObservDroppedFlows`, which is triggered when the eBPF agent is missing packets or flows, such as when the BPF hashmap is busy or full, or the capacity limiter is being triggered. +


| `enable`
| `boolean`
| Set `enable` to `false` to disable eBPF agent metrics collection. It is enabled by default.

| `server`
| `object`
| Metrics server endpoint configuration for the Prometheus scraper.

|===
== .spec.agent.ebpf.metrics.server
Description::
+
--
Metrics server endpoint configuration for the Prometheus scraper.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `port`
| `integer`
| The metrics server HTTP port.

| `tls`
| `object`
| TLS configuration.

|===
== .spec.agent.ebpf.metrics.server.tls
Description::
+
--
TLS configuration.
--

Type::
  `object`

Required::
  - `type`



[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `insecureSkipVerify`
| `boolean`
| `insecureSkipVerify` allows skipping client-side verification of the provided certificate.
If set to `true`, the `providedCaFile` field is ignored.

| `provided`
| `object`
| TLS configuration when `type` is set to `Provided`.

| `providedCaFile`
| `object`
| Reference to the CA file when `type` is set to `Provided`.

| `type`
| `string`
| Select the type of TLS configuration: +

- `Disabled` (default) to not configure TLS for the endpoint.
- `Provided` to manually provide cert file and a key file. [Unsupported (*)].
- `Auto` to use {product-title} auto generated certificate using annotations.

|===
== .spec.agent.ebpf.metrics.server.tls.provided
Description::
+
--
TLS configuration when `type` is set to `Provided`.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `certFile`
| `string`
| `certFile` defines the path to the certificate file name within the config map or secret.

| `certKey`
| `string`
| `certKey` defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

| `name`
| `string`
| Name of the config map or secret containing certificates.

| `namespace`
| `string`
| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed.
If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

| `type`
| `string`
| Type for the certificate reference: `configmap` or `secret`.

|===
== .spec.agent.ebpf.metrics.server.tls.providedCaFile
Description::
+
--
Reference to the CA file when `type` is set to `Provided`.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `file`
| `string`
| File name within the config map or secret.

| `name`
| `string`
| Name of the config map or secret containing the file.

| `namespace`
| `string`
| Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where Network Observability is deployed.
If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

| `type`
| `string`
| Type for the file reference: `configmap` or `secret`.

|===
== .spec.agent.ebpf.resources
Description::
+
--
`resources` are the compute resources required by this container.
For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `limits`
| `integer-or-string`
| Limits describes the maximum amount of compute resources allowed.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

| `requests`
| `integer-or-string`
| Requests describes the minimum amount of compute resources required.
If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
otherwise to an implementation-defined value. Requests cannot exceed Limits.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

|===
== .spec.consolePlugin
Description::
+
--
`consolePlugin` defines the settings related to the {product-title} Console plugin, when available.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `advanced`
| `object`
| `advanced` allows setting some aspects of the internal configuration of the console plugin.
This section is aimed mostly for debugging and fine-grained performance optimizations,
such as `GOGC` and `GOMAXPROCS` environment variables. Set these values at your own risk.

| `autoscaler`
| `object`
| `autoscaler` spec of a horizontal pod autoscaler to set up for the plugin Deployment. Refer to HorizontalPodAutoscaler documentation (autoscaling/v2).

| `enable`
| `boolean`
| Enables the console plugin deployment.

| `imagePullPolicy`
| `string`
| `imagePullPolicy` is the Kubernetes pull policy for the image defined above

| `logLevel`
| `string`
| `logLevel` for the console plugin backend

| `portNaming`
| `object`
| `portNaming` defines the configuration of the port-to-service name translation

| `quickFilters`
| `array`
| `quickFilters` configures quick filter presets for the Console plugin

| `replicas`
| `integer`
| `replicas` defines the number of replicas (pods) to start.

| `resources`
| `object`
| `resources`, in terms of compute resources, required by this container.
For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

|===
== .spec.consolePlugin.advanced
Description::
+
--
`advanced` allows setting some aspects of the internal configuration of the console plugin.
This section is aimed mostly for debugging and fine-grained performance optimizations,
such as `GOGC` and `GOMAXPROCS` environment variables. Set these values at your own risk.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `args`
| `array (string)`
| `args` allows passing custom arguments to underlying components. Useful for overriding
some parameters, such as a URL or a configuration path, that should not be
publicly exposed as part of the FlowCollector descriptor, as they are only useful
in edge debug or support scenarios.

| `env`
| `object (string)`
| `env` allows passing custom environment variables to underlying components. Useful for passing
some very concrete performance-tuning options, such as `GOGC` and `GOMAXPROCS`, that should not be
publicly exposed as part of the FlowCollector descriptor, as they are only useful
in edge debug or support scenarios.

| `port`
| `integer`
| `port` is the plugin service port. Do not use 9002, which is reserved for metrics.

| `register`
| `boolean`
| `register` allows, when set to `true`, to automatically register the provided console plugin with the {product-title} Console operator.
When set to `false`, you can still register it manually by editing console.operator.openshift.io/cluster with the following command:
`oc patch console.operator.openshift.io cluster --type='json' -p '[{"op": "add", "path": "/spec/plugins/-", "value": "netobserv-plugin"}]'`

| `scheduling`
| `object`
| `scheduling` controls how the pods are scheduled on nodes.

|===
== .spec.consolePlugin.advanced.scheduling
Description::
+
--
`scheduling` controls how the pods are scheduled on nodes.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `affinity`
| `object`
| If specified, the pod's scheduling constraints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.

| `nodeSelector`
| `object (string)`
| `nodeSelector` allows scheduling of pods only onto nodes that have each of the specified labels.
For documentation, refer to https://kubernetes.io/docs/concepts/configuration/assign-pod-node/.

| `priorityClassName`
| `string`
| If specified, indicates the pod's priority. For documentation, refer to https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#how-to-use-priority-and-preemption.
If not specified, default priority is used, or zero if there is no default.

| `tolerations`
| `array`
| `tolerations` is a list of tolerations that allow the pod to schedule onto nodes with matching taints.
For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.

|===
== .spec.consolePlugin.advanced.scheduling.affinity
Description::
+
--
If specified, the pod's scheduling constraints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.
--

Type::
  `object`




== .spec.consolePlugin.advanced.scheduling.tolerations
Description::
+
--
`tolerations` is a list of tolerations that allow the pod to schedule onto nodes with matching taints.
For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.
--

Type::
  `array`




== .spec.consolePlugin.autoscaler
Description::
+
--
`autoscaler` spec of a horizontal pod autoscaler to set up for the plugin Deployment. Refer to HorizontalPodAutoscaler documentation (autoscaling/v2).
--

Type::
  `object`




== .spec.consolePlugin.portNaming
Description::
+
--
`portNaming` defines the configuration of the port-to-service name translation
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `enable`
| `boolean`
| Enable the console plugin port-to-service name translation

| `portNames`
| `object (string)`
| `portNames` defines additional port names to use in the console,
for example, `portNames: {"3100": "loki"}`.

|===
== .spec.consolePlugin.quickFilters
Description::
+
--
`quickFilters` configures quick filter presets for the Console plugin
--

Type::
  `array`




== .spec.consolePlugin.quickFilters[]
Description::
+
--
`QuickFilter` defines preset configuration for Console's quick filters
--

Type::
  `object`

Required::
  - `filter`
  - `name`



[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `default`
| `boolean`
| `default` defines whether this filter should be active by default or not

| `filter`
| `object (string)`
| `filter` is a set of keys and values to be set when this filter is selected. Each key can relate to a list of values using a coma-separated string,
for example, `filter: {"src_namespace": "namespace1,namespace2"}`.

| `name`
| `string`
| Name of the filter, that is displayed in the Console

|===
== .spec.consolePlugin.resources
Description::
+
--
`resources`, in terms of compute resources, required by this container.
For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `limits`
| `integer-or-string`
| Limits describes the maximum amount of compute resources allowed.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

| `requests`
| `integer-or-string`
| Requests describes the minimum amount of compute resources required.
If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
otherwise to an implementation-defined value. Requests cannot exceed Limits.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

|===
== .spec.exporters
Description::
+
--
`exporters` defines additional optional exporters for custom consumption or storage.
--

Type::
  `array`




== .spec.exporters[]
Description::
+
--
`FlowCollectorExporter` defines an additional exporter to send enriched flows to.
--

Type::
  `object`

Required::
  - `type`



[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `ipfix`
| `object`
| IPFIX configuration, such as the IP address and port to send enriched IPFIX flows to.

| `kafka`
| `object`
| Kafka configuration, such as the address and topic, to send enriched flows to.

| `openTelemetry`
| `object`
| OpenTelemetry configuration, such as the IP address and port to send enriched logs or metrics to.

| `type`
| `string`
| `type` selects the type of exporters. The available options are `Kafka`, `IPFIX`, and `OpenTelemetry`.

|===
== .spec.exporters[].ipfix
Description::
+
--
IPFIX configuration, such as the IP address and port to send enriched IPFIX flows to.
--

Type::
  `object`

Required::
  - `targetHost`
  - `targetPort`



[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `targetHost`
| `string`
| Address of the IPFIX external receiver.

| `targetPort`
| `integer`
| Port for the IPFIX external receiver.

| `transport`
| `string`
| Transport protocol (`TCP` or `UDP`) to be used for the IPFIX connection, defaults to `TCP`.

|===
== .spec.exporters[].kafka
Description::
+
--
Kafka configuration, such as the address and topic, to send enriched flows to.
--

Type::
  `object`

Required::
  - `address`
  - `topic`



[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `address`
| `string`
| Address of the Kafka server

| `sasl`
| `object`
| SASL authentication configuration. [Unsupported (*)].

| `tls`
| `object`
| TLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093.

| `topic`
| `string`
| Kafka topic to use. It must exist. Network Observability does not create it.

|===
== .spec.exporters[].kafka.sasl
Description::
+
--
SASL authentication configuration. [Unsupported (*)].
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `clientIDReference`
| `object`
| Reference to the secret or config map containing the client ID

| `clientSecretReference`
| `object`
| Reference to the secret or config map containing the client secret

| `type`
| `string`
| Type of SASL authentication to use, or `Disabled` if SASL is not used

|===
== .spec.exporters[].kafka.sasl.clientIDReference
Description::
+
--
Reference to the secret or config map containing the client ID
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `file`
| `string`
| File name within the config map or secret.

| `name`
| `string`
| Name of the config map or secret containing the file.

| `namespace`
| `string`
| Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where Network Observability is deployed.
If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

| `type`
| `string`
| Type for the file reference: `configmap` or `secret`.

|===
== .spec.exporters[].kafka.sasl.clientSecretReference
Description::
+
--
Reference to the secret or config map containing the client secret
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `file`
| `string`
| File name within the config map or secret.

| `name`
| `string`
| Name of the config map or secret containing the file.

| `namespace`
| `string`
| Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where Network Observability is deployed.
If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

| `type`
| `string`
| Type for the file reference: `configmap` or `secret`.

|===
== .spec.exporters[].kafka.tls
Description::
+
--
TLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `caCert`
| `object`
| `caCert` defines the reference of the certificate for the Certificate Authority.

| `enable`
| `boolean`
| Enable TLS

| `insecureSkipVerify`
| `boolean`
| `insecureSkipVerify` allows skipping client-side verification of the server certificate.
If set to `true`, the `caCert` field is ignored.

| `userCert`
| `object`
| `userCert` defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.

|===
== .spec.exporters[].kafka.tls.caCert
Description::
+
--
`caCert` defines the reference of the certificate for the Certificate Authority.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `certFile`
| `string`
| `certFile` defines the path to the certificate file name within the config map or secret.

| `certKey`
| `string`
| `certKey` defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

| `name`
| `string`
| Name of the config map or secret containing certificates.

| `namespace`
| `string`
| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed.
If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

| `type`
| `string`
| Type for the certificate reference: `configmap` or `secret`.

|===
== .spec.exporters[].kafka.tls.userCert
Description::
+
--
`userCert` defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `certFile`
| `string`
| `certFile` defines the path to the certificate file name within the config map or secret.

| `certKey`
| `string`
| `certKey` defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

| `name`
| `string`
| Name of the config map or secret containing certificates.

| `namespace`
| `string`
| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed.
If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

| `type`
| `string`
| Type for the certificate reference: `configmap` or `secret`.

|===
== .spec.exporters[].openTelemetry
Description::
+
--
OpenTelemetry configuration, such as the IP address and port to send enriched logs or metrics to.
--

Type::
  `object`

Required::
  - `targetHost`
  - `targetPort`



[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `fieldsMapping`
| `array`
| Custom fields mapping to an OpenTelemetry conformant format.
By default, Network Observability format proposal is used: https://github.com/rhobs/observability-data-model/blob/main/network-observability.md#format-proposal .
As there is currently no accepted standard for L3 or L4 enriched network logs, you can freely override it with your own.

| `headers`
| `object (string)`
| Headers to add to messages (optional)

| `logs`
| `object`
| OpenTelemetry configuration for logs.

| `metrics`
| `object`
| OpenTelemetry configuration for metrics.

| `protocol`
| `string`
| Protocol of the OpenTelemetry connection. The available options are `http` and `grpc`.

| `targetHost`
| `string`
| Address of the OpenTelemetry receiver.

| `targetPort`
| `integer`
| Port for the OpenTelemetry receiver.

| `tls`
| `object`
| TLS client configuration.

|===
== .spec.exporters[].openTelemetry.fieldsMapping
Description::
+
--
Custom fields mapping to an OpenTelemetry conformant format.
By default, Network Observability format proposal is used: https://github.com/rhobs/observability-data-model/blob/main/network-observability.md#format-proposal .
As there is currently no accepted standard for L3 or L4 enriched network logs, you can freely override it with your own.
--

Type::
  `array`




== .spec.exporters[].openTelemetry.fieldsMapping[]
Description::
+
--

--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `input`
| `string`
|

| `multiplier`
| `integer`
|

| `output`
| `string`
|

|===
== .spec.exporters[].openTelemetry.logs
Description::
+
--
OpenTelemetry configuration for logs.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `enable`
| `boolean`
| Set `enable` to `true` to send logs to an OpenTelemetry receiver.

|===
== .spec.exporters[].openTelemetry.metrics
Description::
+
--
OpenTelemetry configuration for metrics.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `enable`
| `boolean`
| Set `enable` to `true` to send metrics to an OpenTelemetry receiver.

| `pushTimeInterval`
| `string`
| Specify how often metrics are sent to a collector.

|===
== .spec.exporters[].openTelemetry.tls
Description::
+
--
TLS client configuration.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `caCert`
| `object`
| `caCert` defines the reference of the certificate for the Certificate Authority.

| `enable`
| `boolean`
| Enable TLS

| `insecureSkipVerify`
| `boolean`
| `insecureSkipVerify` allows skipping client-side verification of the server certificate.
If set to `true`, the `caCert` field is ignored.

| `userCert`
| `object`
| `userCert` defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.

|===
== .spec.exporters[].openTelemetry.tls.caCert
Description::
+
--
`caCert` defines the reference of the certificate for the Certificate Authority.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `certFile`
| `string`
| `certFile` defines the path to the certificate file name within the config map or secret.

| `certKey`
| `string`
| `certKey` defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

| `name`
| `string`
| Name of the config map or secret containing certificates.

| `namespace`
| `string`
| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed.
If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

| `type`
| `string`
| Type for the certificate reference: `configmap` or `secret`.

|===
== .spec.exporters[].openTelemetry.tls.userCert
Description::
+
--
`userCert` defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `certFile`
| `string`
| `certFile` defines the path to the certificate file name within the config map or secret.

| `certKey`
| `string`
| `certKey` defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

| `name`
| `string`
| Name of the config map or secret containing certificates.

| `namespace`
| `string`
| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed.
If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

| `type`
| `string`
| Type for the certificate reference: `configmap` or `secret`.

|===
== .spec.kafka
Description::
+
--
Kafka configuration, allowing to use Kafka as a broker as part of the flow collection pipeline. Available when the `spec.deploymentModel` is `Kafka`.
--

Type::
  `object`

Required::
  - `address`
  - `topic`



[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `address`
| `string`
| Address of the Kafka server

| `sasl`
| `object`
| SASL authentication configuration. [Unsupported (*)].

| `tls`
| `object`
| TLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093.

| `topic`
| `string`
| Kafka topic to use. It must exist. Network Observability does not create it.

|===
== .spec.kafka.sasl
Description::
+
--
SASL authentication configuration. [Unsupported (*)].
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `clientIDReference`
| `object`
| Reference to the secret or config map containing the client ID

| `clientSecretReference`
| `object`
| Reference to the secret or config map containing the client secret

| `type`
| `string`
| Type of SASL authentication to use, or `Disabled` if SASL is not used

|===
== .spec.kafka.sasl.clientIDReference
Description::
+
--
Reference to the secret or config map containing the client ID
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `file`
| `string`
| File name within the config map or secret.

| `name`
| `string`
| Name of the config map or secret containing the file.

| `namespace`
| `string`
| Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where Network Observability is deployed.
If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

| `type`
| `string`
| Type for the file reference: `configmap` or `secret`.

|===
== .spec.kafka.sasl.clientSecretReference
Description::
+
--
Reference to the secret or config map containing the client secret
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `file`
| `string`
| File name within the config map or secret.

| `name`
| `string`
| Name of the config map or secret containing the file.

| `namespace`
| `string`
| Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where Network Observability is deployed.
If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

| `type`
| `string`
| Type for the file reference: `configmap` or `secret`.

|===
== .spec.kafka.tls
Description::
+
--
TLS client configuration. When using TLS, verify that the address matches the Kafka port used for TLS, generally 9093.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `caCert`
| `object`
| `caCert` defines the reference of the certificate for the Certificate Authority.

| `enable`
| `boolean`
| Enable TLS

| `insecureSkipVerify`
| `boolean`
| `insecureSkipVerify` allows skipping client-side verification of the server certificate.
If set to `true`, the `caCert` field is ignored.

| `userCert`
| `object`
| `userCert` defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.

|===
== .spec.kafka.tls.caCert
Description::
+
--
`caCert` defines the reference of the certificate for the Certificate Authority.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `certFile`
| `string`
| `certFile` defines the path to the certificate file name within the config map or secret.

| `certKey`
| `string`
| `certKey` defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

| `name`
| `string`
| Name of the config map or secret containing certificates.

| `namespace`
| `string`
| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed.
If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

| `type`
| `string`
| Type for the certificate reference: `configmap` or `secret`.

|===
== .spec.kafka.tls.userCert
Description::
+
--
`userCert` defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `certFile`
| `string`
| `certFile` defines the path to the certificate file name within the config map or secret.

| `certKey`
| `string`
| `certKey` defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

| `name`
| `string`
| Name of the config map or secret containing certificates.

| `namespace`
| `string`
| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed.
If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

| `type`
| `string`
| Type for the certificate reference: `configmap` or `secret`.

|===
== .spec.loki
Description::
+
--
`loki`, the flow store, client settings.
--

Type::
  `object`

Required::
  - `mode`



[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `advanced`
| `object`
| `advanced` allows setting some aspects of the internal configuration of the Loki clients.
This section is aimed mostly for debugging and fine-grained performance optimizations.

| `enable`
| `boolean`
| Set `enable` to `true` to store flows in Loki.
The Console plugin can use either Loki or Prometheus as a data source for metrics (see also `spec.prometheus.querier`), or both.
Not all queries are transposable from Loki to Prometheus. Hence, if Loki is disabled, some features of the plugin are disabled as well,
such as getting per-pod information or viewing raw flows.
If both Prometheus and Loki are enabled, Prometheus takes precedence and Loki is used as a fallback for queries that Prometheus cannot handle.
If they are both disabled, the Console plugin is not deployed.

| `lokiStack`
| `object`
| Loki configuration for `LokiStack` mode. This is useful for an easy Loki Operator configuration.
It is ignored for other modes.

| `manual`
| `object`
| Loki configuration for `Manual` mode. This is the most flexible configuration.
It is ignored for other modes.

| `microservices`
| `object`
| Loki configuration for `Microservices` mode.
Use this option when Loki is installed using the microservices deployment mode (https://grafana.com/docs/loki/latest/fundamentals/architecture/deployment-modes/#microservices-mode).
It is ignored for other modes.

| `mode`
| `string`
| `mode` must be set according to the installation mode of Loki: +

- Use `LokiStack` when Loki is managed using the Loki Operator +

- Use `Monolithic` when Loki is installed as a monolithic workload +

- Use `Microservices` when Loki is installed as microservices, but without Loki Operator +

- Use `Manual` if none of the options above match your setup +


| `monolithic`
| `object`
| Loki configuration for `Monolithic` mode.
Use this option when Loki is installed using the monolithic deployment mode (https://grafana.com/docs/loki/latest/fundamentals/architecture/deployment-modes/#monolithic-mode).
It is ignored for other modes.

| `readTimeout`
| `string`
| `readTimeout` is the maximum console plugin loki query total time limit.
A timeout of zero means no timeout.

| `writeBatchSize`
| `integer`
| `writeBatchSize` is the maximum batch size (in bytes) of Loki logs to accumulate before sending.

| `writeBatchWait`
| `string`
| `writeBatchWait` is the maximum time to wait before sending a Loki batch.

| `writeTimeout`
| `string`
| `writeTimeout` is the maximum Loki time connection / request limit.
A timeout of zero means no timeout.

|===
== .spec.loki.advanced
Description::
+
--
`advanced` allows setting some aspects of the internal configuration of the Loki clients.
This section is aimed mostly for debugging and fine-grained performance optimizations.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `excludeLabels`
| `array (string)`
| `excludeLabels` is a list of fields to be excluded from the list of Loki labels. [Unsupported (*)].

| `staticLabels`
| `object (string)`
| `staticLabels` is a map of common labels to set on each flow in Loki storage.

| `writeMaxBackoff`
| `string`
| `writeMaxBackoff` is the maximum backoff time for Loki client connection between retries.

| `writeMaxRetries`
| `integer`
| `writeMaxRetries` is the maximum number of retries for Loki client connections.

| `writeMinBackoff`
| `string`
| `writeMinBackoff` is the initial backoff time for Loki client connection between retries.

|===
== .spec.loki.lokiStack
Description::
+
--
Loki configuration for `LokiStack` mode. This is useful for an easy Loki Operator configuration.
It is ignored for other modes.
--

Type::
  `object`

Required::
  - `name`



[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `name`
| `string`
| Name of an existing LokiStack resource to use.

| `namespace`
| `string`
| Namespace where this `LokiStack` resource is located. If omitted, it is assumed to be the same as `spec.namespace`.

|===
== .spec.loki.manual
Description::
+
--
Loki configuration for `Manual` mode. This is the most flexible configuration.
It is ignored for other modes.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `authToken`
| `string`
| `authToken` describes the way to get a token to authenticate to Loki. +

- `Disabled` does not send any token with the request. +

- `Forward` forwards the user token for authorization. +

- `Host` [deprecated (*)] - uses the local pod service account to authenticate to Loki. +

When using the Loki Operator, this must be set to `Forward`.

| `ingesterUrl`
| `string`
| `ingesterUrl` is the address of an existing Loki ingester service to push the flows to. When using the Loki Operator,
set it to the Loki gateway service with the `network` tenant set in path, for example
https://loki-gateway-http.netobserv.svc:8080/api/logs/v1/network.

| `querierUrl`
| `string`
| `querierUrl` specifies the address of the Loki querier service.
When using the Loki Operator, set it to the Loki gateway service with the `network` tenant set in path, for example
https://loki-gateway-http.netobserv.svc:8080/api/logs/v1/network.

| `statusTls`
| `object`
| TLS client configuration for Loki status URL.

| `statusUrl`
| `string`
| `statusUrl` specifies the address of the Loki `/ready`, `/metrics` and `/config` endpoints, in case it is different from the
Loki querier URL. If empty, the `querierUrl` value is used.
This is useful to show error messages and some context in the frontend.
When using the Loki Operator, set it to the Loki HTTP query frontend service, for example
https://loki-query-frontend-http.netobserv.svc:3100/.
`statusTLS` configuration is used when `statusUrl` is set.

| `tenantID`
| `string`
| `tenantID` is the Loki `X-Scope-OrgID` that identifies the tenant for each request.
When using the Loki Operator, set it to `network`, which corresponds to a special tenant mode.

| `tls`
| `object`
| TLS client configuration for Loki URL.

|===
== .spec.loki.manual.statusTls
Description::
+
--
TLS client configuration for Loki status URL.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `caCert`
| `object`
| `caCert` defines the reference of the certificate for the Certificate Authority.

| `enable`
| `boolean`
| Enable TLS

| `insecureSkipVerify`
| `boolean`
| `insecureSkipVerify` allows skipping client-side verification of the server certificate.
If set to `true`, the `caCert` field is ignored.

| `userCert`
| `object`
| `userCert` defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.

|===
== .spec.loki.manual.statusTls.caCert
Description::
+
--
`caCert` defines the reference of the certificate for the Certificate Authority.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `certFile`
| `string`
| `certFile` defines the path to the certificate file name within the config map or secret.

| `certKey`
| `string`
| `certKey` defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

| `name`
| `string`
| Name of the config map or secret containing certificates.

| `namespace`
| `string`
| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed.
If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

| `type`
| `string`
| Type for the certificate reference: `configmap` or `secret`.

|===
== .spec.loki.manual.statusTls.userCert
Description::
+
--
`userCert` defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `certFile`
| `string`
| `certFile` defines the path to the certificate file name within the config map or secret.

| `certKey`
| `string`
| `certKey` defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

| `name`
| `string`
| Name of the config map or secret containing certificates.

| `namespace`
| `string`
| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed.
If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

| `type`
| `string`
| Type for the certificate reference: `configmap` or `secret`.

|===
== .spec.loki.manual.tls
Description::
+
--
TLS client configuration for Loki URL.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `caCert`
| `object`
| `caCert` defines the reference of the certificate for the Certificate Authority.

| `enable`
| `boolean`
| Enable TLS

| `insecureSkipVerify`
| `boolean`
| `insecureSkipVerify` allows skipping client-side verification of the server certificate.
If set to `true`, the `caCert` field is ignored.

| `userCert`
| `object`
| `userCert` defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.

|===
== .spec.loki.manual.tls.caCert
Description::
+
--
`caCert` defines the reference of the certificate for the Certificate Authority.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `certFile`
| `string`
| `certFile` defines the path to the certificate file name within the config map or secret.

| `certKey`
| `string`
| `certKey` defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

| `name`
| `string`
| Name of the config map or secret containing certificates.

| `namespace`
| `string`
| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed.
If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

| `type`
| `string`
| Type for the certificate reference: `configmap` or `secret`.

|===
== .spec.loki.manual.tls.userCert
Description::
+
--
`userCert` defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `certFile`
| `string`
| `certFile` defines the path to the certificate file name within the config map or secret.

| `certKey`
| `string`
| `certKey` defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

| `name`
| `string`
| Name of the config map or secret containing certificates.

| `namespace`
| `string`
| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed.
If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

| `type`
| `string`
| Type for the certificate reference: `configmap` or `secret`.

|===
== .spec.loki.microservices
Description::
+
--
Loki configuration for `Microservices` mode.
Use this option when Loki is installed using the microservices deployment mode (https://grafana.com/docs/loki/latest/fundamentals/architecture/deployment-modes/#microservices-mode).
It is ignored for other modes.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `ingesterUrl`
| `string`
| `ingesterUrl` is the address of an existing Loki ingester service to push the flows to.

| `querierUrl`
| `string`
| `querierURL` specifies the address of the Loki querier service.

| `tenantID`
| `string`
| `tenantID` is the Loki `X-Scope-OrgID` header that identifies the tenant for each request.

| `tls`
| `object`
| TLS client configuration for Loki URL.

|===
== .spec.loki.microservices.tls
Description::
+
--
TLS client configuration for Loki URL.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `caCert`
| `object`
| `caCert` defines the reference of the certificate for the Certificate Authority.

| `enable`
| `boolean`
| Enable TLS

| `insecureSkipVerify`
| `boolean`
| `insecureSkipVerify` allows skipping client-side verification of the server certificate.
If set to `true`, the `caCert` field is ignored.

| `userCert`
| `object`
| `userCert` defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.

|===
== .spec.loki.microservices.tls.caCert
Description::
+
--
`caCert` defines the reference of the certificate for the Certificate Authority.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `certFile`
| `string`
| `certFile` defines the path to the certificate file name within the config map or secret.

| `certKey`
| `string`
| `certKey` defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

| `name`
| `string`
| Name of the config map or secret containing certificates.

| `namespace`
| `string`
| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed.
If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

| `type`
| `string`
| Type for the certificate reference: `configmap` or `secret`.

|===
== .spec.loki.microservices.tls.userCert
Description::
+
--
`userCert` defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `certFile`
| `string`
| `certFile` defines the path to the certificate file name within the config map or secret.

| `certKey`
| `string`
| `certKey` defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

| `name`
| `string`
| Name of the config map or secret containing certificates.

| `namespace`
| `string`
| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed.
If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

| `type`
| `string`
| Type for the certificate reference: `configmap` or `secret`.

|===
== .spec.loki.monolithic
Description::
+
--
Loki configuration for `Monolithic` mode.
Use this option when Loki is installed using the monolithic deployment mode (https://grafana.com/docs/loki/latest/fundamentals/architecture/deployment-modes/#monolithic-mode).
It is ignored for other modes.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `tenantID`
| `string`
| `tenantID` is the Loki `X-Scope-OrgID` header that identifies the tenant for each request.

| `tls`
| `object`
| TLS client configuration for Loki URL.

| `url`
| `string`
| `url` is the unique address of an existing Loki service that points to both the ingester and the querier.

|===
== .spec.loki.monolithic.tls
Description::
+
--
TLS client configuration for Loki URL.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `caCert`
| `object`
| `caCert` defines the reference of the certificate for the Certificate Authority.

| `enable`
| `boolean`
| Enable TLS

| `insecureSkipVerify`
| `boolean`
| `insecureSkipVerify` allows skipping client-side verification of the server certificate.
If set to `true`, the `caCert` field is ignored.

| `userCert`
| `object`
| `userCert` defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.

|===
== .spec.loki.monolithic.tls.caCert
Description::
+
--
`caCert` defines the reference of the certificate for the Certificate Authority.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `certFile`
| `string`
| `certFile` defines the path to the certificate file name within the config map or secret.

| `certKey`
| `string`
| `certKey` defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

| `name`
| `string`
| Name of the config map or secret containing certificates.

| `namespace`
| `string`
| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed.
If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

| `type`
| `string`
| Type for the certificate reference: `configmap` or `secret`.

|===
== .spec.loki.monolithic.tls.userCert
Description::
+
--
`userCert` defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `certFile`
| `string`
| `certFile` defines the path to the certificate file name within the config map or secret.

| `certKey`
| `string`
| `certKey` defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

| `name`
| `string`
| Name of the config map or secret containing certificates.

| `namespace`
| `string`
| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed.
If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

| `type`
| `string`
| Type for the certificate reference: `configmap` or `secret`.

|===
== .spec.networkPolicy
Description::
+
--
`networkPolicy` defines network policy settings for Network Observability components isolation.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `additionalNamespaces`
| `array (string)`
| `additionalNamespaces` contains additional namespaces allowed to connect to the Network Observability namespace.
It provides flexibility in the network policy configuration, but if you need a more specific
configuration, you can disable it and install your own instead.

| `enable`
| `boolean`
| Deploys network policies on the namespaces used by Network Observability (main and privileged).
These network policies better isolate the Network Observability components to prevent undesired connections from and to them.
This option is enabled by default when using with OVNKubernetes, and disabled otherwise (it has not been tested with other CNIs).
When disabled, you can manually create the network policies for the Network Observability components.

|===
== .spec.processor
Description::
+
--
`processor` defines the settings of the component that receives the flows from the agent,
enriches them, generates metrics, and forwards them to the Loki persistence layer and/or any available exporter.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `addZone`
| `boolean`
| `addZone` allows availability zone awareness by labelling flows with their source and destination zones.
This feature requires the "topology.kubernetes.io/zone" label to be set on nodes.

| `advanced`
| `object`
| `advanced` allows setting some aspects of the internal configuration of the flow processor.
This section is aimed mostly for debugging and fine-grained performance optimizations,
such as `GOGC` and `GOMAXPROCS` environment variables. Set these values at your own risk.

| `clusterName`
| `string`
| `clusterName` is the name of the cluster to appear in the flows data. This is useful in a multi-cluster context. When using {product-title}, leave empty to make it automatically determined.

| `deduper`
| `object`
| `deduper` allows you to sample or drop flows identified as duplicates, in order to save on resource usage.

| `filters`
| `array`
| `filters` lets you define custom filters to limit the amount of generated flows.
These filters provide more flexibility than the eBPF Agent filters (in `spec.agent.ebpf.flowFilter`), such as allowing to filter by Kubernetes namespace,
but with a lesser improvement in performance.

| `imagePullPolicy`
| `string`
| `imagePullPolicy` is the Kubernetes pull policy for the image defined above

| `kafkaConsumerAutoscaler`
| `object`
| `kafkaConsumerAutoscaler` is the spec of a horizontal pod autoscaler to set up for `flowlogs-pipeline-transformer`, which consumes Kafka messages.
This setting is ignored when Kafka is disabled. Refer to HorizontalPodAutoscaler documentation (autoscaling/v2).

| `kafkaConsumerBatchSize`
| `integer`
| `kafkaConsumerBatchSize` indicates to the broker the maximum batch size, in bytes, that the consumer accepts. Ignored when not using Kafka. Default: 10MB.

| `kafkaConsumerQueueCapacity`
| `integer`
| `kafkaConsumerQueueCapacity` defines the capacity of the internal message queue used in the Kafka consumer client. Ignored when not using Kafka.

| `kafkaConsumerReplicas`
| `integer`
| `kafkaConsumerReplicas` defines the number of replicas (pods) to start for `flowlogs-pipeline-transformer`, which consumes Kafka messages.
This setting is ignored when Kafka is disabled.

| `logLevel`
| `string`
| `logLevel` of the processor runtime

| `logTypes`
| `string`
| `logTypes` defines the desired record types to generate. Possible values are: +

- `Flows` to export regular network flows. This is the default. +

- `Conversations` to generate events for started conversations, ended conversations as well as periodic "tick" updates. Note that in this mode, Prometheus metrics are not accurate on long-standing conversations. +

- `EndedConversations` to generate only ended conversations events. Note that in this mode, Prometheus metrics are not accurate on long-standing conversations. +

- `All` to generate both network flows and all conversations events. It is not recommended due to the impact on resources footprint. +


| `metrics`
| `object`
| `Metrics` define the processor configuration regarding metrics

| `multiClusterDeployment`
| `boolean`
| Set `multiClusterDeployment` to `true` to enable multi clusters feature. This adds `clusterName` label to flows data

| `resources`
| `object`
| `resources` are the compute resources required by this container.
For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

| `subnetLabels`
| `object`
| `subnetLabels` allows to define custom labels on subnets and IPs or to enable automatic labelling of recognized subnets in {product-title}, which is used to identify cluster external traffic.
When a subnet matches the source or destination IP of a flow, a corresponding field is added: `SrcSubnetLabel` or `DstSubnetLabel`.

|===
== .spec.processor.advanced
Description::
+
--
`advanced` allows setting some aspects of the internal configuration of the flow processor.
This section is aimed mostly for debugging and fine-grained performance optimizations,
such as `GOGC` and `GOMAXPROCS` environment variables. Set these values at your own risk.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `conversationEndTimeout`
| `string`
| `conversationEndTimeout` is the time to wait after a network flow is received, to consider the conversation ended.
This delay is ignored when a FIN packet is collected for TCP flows (see `conversationTerminatingTimeout` instead).

| `conversationHeartbeatInterval`
| `string`
| `conversationHeartbeatInterval` is the time to wait between "tick" events of a conversation

| `conversationTerminatingTimeout`
| `string`
| `conversationTerminatingTimeout` is the time to wait from detected FIN flag to end a conversation. Only relevant for TCP flows.

| `dropUnusedFields`
| `boolean`
| `dropUnusedFields` [deprecated (*)] this setting is not used anymore.

| `enableKubeProbes`
| `boolean`
| `enableKubeProbes` is a flag to enable or disable Kubernetes liveness and readiness probes

| `env`
| `object (string)`
| `env` allows passing custom environment variables to underlying components. Useful for passing
some very concrete performance-tuning options, such as `GOGC` and `GOMAXPROCS`, that should not be
publicly exposed as part of the FlowCollector descriptor, as they are only useful
in edge debug or support scenarios.

| `healthPort`
| `integer`
| `healthPort` is a collector HTTP port in the Pod that exposes the health check API

| `port`
| `integer`
| Port of the flow collector (host port).
By convention, some values are forbidden. It must be greater than 1024 and different from
4500, 4789 and 6081.

| `profilePort`
| `integer`
| `profilePort` allows setting up a Go pprof profiler listening to this port

| `scheduling`
| `object`
| scheduling controls how the pods are scheduled on nodes.

| `secondaryNetworks`
| `array`
| Defines secondary networks to be checked for resources identification.
To guarantee a correct identification, indexed values must form an unique identifier across the cluster.
If the same index is used by several resources, those resources might be incorrectly labeled.

|===
== .spec.processor.advanced.scheduling
Description::
+
--
scheduling controls how the pods are scheduled on nodes.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `affinity`
| `object`
| If specified, the pod's scheduling constraints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.

| `nodeSelector`
| `object (string)`
| `nodeSelector` allows scheduling of pods only onto nodes that have each of the specified labels.
For documentation, refer to https://kubernetes.io/docs/concepts/configuration/assign-pod-node/.

| `priorityClassName`
| `string`
| If specified, indicates the pod's priority. For documentation, refer to https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#how-to-use-priority-and-preemption.
If not specified, default priority is used, or zero if there is no default.

| `tolerations`
| `array`
| `tolerations` is a list of tolerations that allow the pod to schedule onto nodes with matching taints.
For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.

|===
== .spec.processor.advanced.scheduling.affinity
Description::
+
--
If specified, the pod's scheduling constraints. For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.
--

Type::
  `object`




== .spec.processor.advanced.scheduling.tolerations
Description::
+
--
`tolerations` is a list of tolerations that allow the pod to schedule onto nodes with matching taints.
For documentation, refer to https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling.
--

Type::
  `array`




== .spec.processor.advanced.secondaryNetworks
Description::
+
--
Defines secondary networks to be checked for resources identification.
To guarantee a correct identification, indexed values must form an unique identifier across the cluster.
If the same index is used by several resources, those resources might be incorrectly labeled.
--

Type::
  `array`




== .spec.processor.advanced.secondaryNetworks[]
Description::
+
--

--

Type::
  `object`

Required::
  - `index`
  - `name`



[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `index`
| `array (string)`
| `index` is a list of fields to use for indexing the pods. They should form a unique Pod identifier across the cluster.
Can be any of: `MAC`, `IP`, `Interface`.
Fields absent from the 'k8s.v1.cni.cncf.io/network-status' annotation must not be added to the index.

| `name`
| `string`
| `name` should match the network name as visible in the pods annotation 'k8s.v1.cni.cncf.io/network-status'.

|===
== .spec.processor.deduper
Description::
+
--
`deduper` allows you to sample or drop flows identified as duplicates, in order to save on resource usage.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `mode`
| `string`
| Set the Processor de-duplication mode. It comes in addition to the Agent-based deduplication, since the Agent cannot de-duplicate same flows reported from different nodes. +

- Use `Drop` to drop every flow considered as duplicates, allowing saving more on resource usage but potentially losing some information such as the network interfaces used from peer, or network events. +

- Use `Sample` to randomly keep only one flow on 50, which is the default, among the ones considered as duplicates. This is a compromise between dropping every duplicate or keeping every duplicate. This sampling action comes in addition to the Agent-based sampling. If both Agent and Processor sampling values are `50`, the combined sampling is 1:2500. +

- Use `Disabled` to turn off Processor-based de-duplication. +


| `sampling`
| `integer`
| `sampling` is the sampling interval when deduper `mode` is `Sample`. For example, a value of `50` means that 1 flow in 50 is sampled.

|===
== .spec.processor.filters
Description::
+
--
`filters` lets you define custom filters to limit the amount of generated flows.
These filters provide more flexibility than the eBPF Agent filters (in `spec.agent.ebpf.flowFilter`), such as allowing to filter by Kubernetes namespace,
but with a lesser improvement in performance.
--

Type::
  `array`




== .spec.processor.filters[]
Description::
+
--
`FLPFilterSet` defines the desired configuration for FLP-based filtering satisfying all conditions.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `outputTarget`
| `string`
| If specified, these filters target a single output: `Loki`, `Metrics` or `Exporters`. By default, all outputs are targeted.

| `query`
| `string`
| A query that selects the network flows to keep. More information about this query language in https://github.com/netobserv/flowlogs-pipeline/blob/main/docs/filtering.md.

| `sampling`
| `integer`
| `sampling` is an optional sampling interval to apply to this filter. For example, a value of `50` means that 1 matching flow in 50 is sampled.

|===
== .spec.processor.kafkaConsumerAutoscaler
Description::
+
--
`kafkaConsumerAutoscaler` is the spec of a horizontal pod autoscaler to set up for `flowlogs-pipeline-transformer`, which consumes Kafka messages.
This setting is ignored when Kafka is disabled. Refer to HorizontalPodAutoscaler documentation (autoscaling/v2).
--

Type::
  `object`




== .spec.processor.metrics
Description::
+
--
`Metrics` define the processor configuration regarding metrics
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `alerts`
| `array`
| `alerts` is a list of alerts to be created for Prometheus AlertManager, organized by templates and variants [Unsupported (*)].
This is currently an experimental feature behind a feature gate. To enable, edit `spec.processor.advanced.env` by adding `EXPERIMENTAL_ALERTS_HEALTH` set to `true`.
More information on alerts: https://github.com/netobserv/network-observability-operator/blob/main/docs/Alerts.md

| `disableAlerts`
| `array (string)`
| `disableAlerts` is a list of alert groups that should be disabled from the default set of alerts.
Possible values are: `NetObservNoFlows`, `NetObservLokiError`, `PacketDropsByKernel`, `PacketDropsByDevice`, `IPsecErrors`, `NetpolDenied`,
`LatencyHighTrend`, `DNSErrors`, `ExternalEgressHighTrend`, `ExternalIngressHighTrend`, `CrossAZ`.
More information on alerts: https://github.com/netobserv/network-observability-operator/blob/main/docs/Alerts.md

| `includeList`
| `array (string)`
| `includeList` is a list of metric names to specify which ones to generate.
The names correspond to the names in Prometheus without the prefix. For example,
`namespace_egress_packets_total` shows up as `netobserv_namespace_egress_packets_total` in Prometheus.
Note that the more metrics you add, the bigger is the impact on Prometheus workload resources.
Metrics enabled by default are:
`namespace_flows_total`, `node_ingress_bytes_total`, `node_egress_bytes_total`, `workload_ingress_bytes_total`,
`workload_egress_bytes_total`, `namespace_drop_packets_total` (when `PacketDrop` feature is enabled),
`namespace_rtt_seconds` (when `FlowRTT` feature is enabled), `namespace_dns_latency_seconds` (when `DNSTracking` feature is enabled),
`namespace_network_policy_events_total` (when `NetworkEvents` feature is enabled).
More information, with full list of available metrics: https://github.com/netobserv/network-observability-operator/blob/main/docs/Metrics.md

| `server`
| `object`
| Metrics server endpoint configuration for Prometheus scraper

|===
== .spec.processor.metrics.alerts
Description::
+
--
`alerts` is a list of alerts to be created for Prometheus AlertManager, organized by templates and variants [Unsupported (*)].
This is currently an experimental feature behind a feature gate. To enable, edit `spec.processor.advanced.env` by adding `EXPERIMENTAL_ALERTS_HEALTH` set to `true`.
More information on alerts: https://github.com/netobserv/network-observability-operator/blob/main/docs/Alerts.md
--

Type::
  `array`




== .spec.processor.metrics.alerts[]
Description::
+
--

--

Type::
  `object`

Required::
  - `template`
  - `variants`



[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `template`
| `string`
| Alert template name.
Possible values are: `PacketDropsByKernel`, `PacketDropsByDevice`, `IPsecErrors`, `NetpolDenied`,
`LatencyHighTrend`, `DNSErrors`, `ExternalEgressHighTrend`, `ExternalIngressHighTrend`, `CrossAZ`.
More information on alerts: https://github.com/netobserv/network-observability-operator/blob/main/docs/Alerts.md

| `variants`
| `array`
| A list of variants for this template

|===
== .spec.processor.metrics.alerts[].variants
Description::
+
--
A list of variants for this template
--

Type::
  `array`




== .spec.processor.metrics.alerts[].variants[]
Description::
+
--

--

Type::
  `object`

Required::
  - `thresholds`



[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `groupBy`
| `string`
| Optional grouping criteria, possible values are: `Node`, `Namespace`, `Workload`.

| `lowVolumeThreshold`
| `string`
| The low volume threshold allows to ignore metrics with a too low volume of traffic, in order to improve signal-to-noise.
It is provided as an absolute rate (bytes per second or packets per second, depending on the context).
When provided, it must be parsable as a float.

| `thresholds`
| `object`
| Thresholds of the alert per severity.
They are expressed as a percentage of errors above which the alert is triggered. They must be parsable as floats.

| `trendDuration`
| `string`
| For trending alerts, the duration interval for baseline comparison. For example, "2h" means comparing against a 2-hours average. Defaults to 2h.

| `trendOffset`
| `string`
| For trending alerts, the time offset for baseline comparison. For example, "1d" means comparing against yesterday. Defaults to 1d.

|===
== .spec.processor.metrics.alerts[].variants[].thresholds
Description::
+
--
Thresholds of the alert per severity.
They are expressed as a percentage of errors above which the alert is triggered. They must be parsable as floats.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `critical`
| `string`
| Threshold for severity `critical`. Leave empty to not generate a Critical alert.

| `info`
| `string`
| Threshold for severity `info`. Leave empty to not generate an Info alert.

| `warning`
| `string`
| Threshold for severity `warning`. Leave empty to not generate a Warning alert.

|===
== .spec.processor.metrics.server
Description::
+
--
Metrics server endpoint configuration for Prometheus scraper
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `port`
| `integer`
| The metrics server HTTP port.

| `tls`
| `object`
| TLS configuration.

|===
== .spec.processor.metrics.server.tls
Description::
+
--
TLS configuration.
--

Type::
  `object`

Required::
  - `type`



[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `insecureSkipVerify`
| `boolean`
| `insecureSkipVerify` allows skipping client-side verification of the provided certificate.
If set to `true`, the `providedCaFile` field is ignored.

| `provided`
| `object`
| TLS configuration when `type` is set to `Provided`.

| `providedCaFile`
| `object`
| Reference to the CA file when `type` is set to `Provided`.

| `type`
| `string`
| Select the type of TLS configuration: +

- `Disabled` (default) to not configure TLS for the endpoint.
- `Provided` to manually provide cert file and a key file. [Unsupported (*)].
- `Auto` to use {product-title} auto generated certificate using annotations.

|===
== .spec.processor.metrics.server.tls.provided
Description::
+
--
TLS configuration when `type` is set to `Provided`.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `certFile`
| `string`
| `certFile` defines the path to the certificate file name within the config map or secret.

| `certKey`
| `string`
| `certKey` defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

| `name`
| `string`
| Name of the config map or secret containing certificates.

| `namespace`
| `string`
| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed.
If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

| `type`
| `string`
| Type for the certificate reference: `configmap` or `secret`.

|===
== .spec.processor.metrics.server.tls.providedCaFile
Description::
+
--
Reference to the CA file when `type` is set to `Provided`.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `file`
| `string`
| File name within the config map or secret.

| `name`
| `string`
| Name of the config map or secret containing the file.

| `namespace`
| `string`
| Namespace of the config map or secret containing the file. If omitted, the default is to use the same namespace as where Network Observability is deployed.
If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

| `type`
| `string`
| Type for the file reference: `configmap` or `secret`.

|===
== .spec.processor.resources
Description::
+
--
`resources` are the compute resources required by this container.
For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `limits`
| `integer-or-string`
| Limits describes the maximum amount of compute resources allowed.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

| `requests`
| `integer-or-string`
| Requests describes the minimum amount of compute resources required.
If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
otherwise to an implementation-defined value. Requests cannot exceed Limits.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

|===
== .spec.processor.subnetLabels
Description::
+
--
`subnetLabels` allows to define custom labels on subnets and IPs or to enable automatic labelling of recognized subnets in {product-title}, which is used to identify cluster external traffic.
When a subnet matches the source or destination IP of a flow, a corresponding field is added: `SrcSubnetLabel` or `DstSubnetLabel`.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `customLabels`
| `array`
| `customLabels` allows to customize subnets and IPs labelling, such as to identify cluster-external workloads or web services.
If you enable `openShiftAutoDetect`, `customLabels` can override the detected subnets in case they overlap.

| `openShiftAutoDetect`
| `boolean`
| `openShiftAutoDetect` allows, when set to `true`, to detect automatically the machines, pods and services subnets based on the
{product-title} install configuration and the Cluster Network Operator configuration. Indirectly, this is a way to accurately detect
external traffic: flows that are not labeled for those subnets are external to the cluster. Enabled by default on {product-title}.

|===
== .spec.processor.subnetLabels.customLabels
Description::
+
--
`customLabels` allows to customize subnets and IPs labelling, such as to identify cluster-external workloads or web services.
If you enable `openShiftAutoDetect`, `customLabels` can override the detected subnets in case they overlap.
--

Type::
  `array`




== .spec.processor.subnetLabels.customLabels[]
Description::
+
--
SubnetLabel allows to label subnets and IPs, such as to identify cluster-external workloads or web services.
--

Type::
  `object`

Required::
  - `cidrs`
  - `name`



[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `cidrs`
| `array (string)`
| List of CIDRs, such as `["1.2.3.4/32"]`.

| `name`
| `string`
| Label name, used to flag matching flows.

|===
== .spec.prometheus
Description::
+
--
`prometheus` defines Prometheus settings, such as querier configuration used to fetch metrics from the Console plugin.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `querier`
| `object`
| Prometheus querying configuration, such as client settings, used in the Console plugin.

|===
== .spec.prometheus.querier
Description::
+
--
Prometheus querying configuration, such as client settings, used in the Console plugin.
--

Type::
  `object`

Required::
  - `mode`



[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `enable`
| `boolean`
| When `enable` is `true`, the Console plugin queries flow metrics from Prometheus instead of Loki whenever possible.
It is enbaled by default: set it to `false` to disable this feature.
The Console plugin can use either Loki or Prometheus as a data source for metrics (see also `spec.loki`), or both.
Not all queries are transposable from Loki to Prometheus. Hence, if Loki is disabled, some features of the plugin are disabled as well,
such as getting per-pod information or viewing raw flows.
If both Prometheus and Loki are enabled, Prometheus takes precedence and Loki is used as a fallback for queries that Prometheus cannot handle.
If they are both disabled, the Console plugin is not deployed.

| `manual`
| `object`
| Prometheus configuration for `Manual` mode.

| `mode`
| `string`
| `mode` must be set according to the type of Prometheus installation that stores Network Observability metrics: +

- Use `Auto` to try configuring automatically. In {product-title}, it uses the Thanos querier from {product-title} Cluster Monitoring +

- Use `Manual` for a manual setup +


| `timeout`
| `string`
| `timeout` is the read timeout for console plugin queries to Prometheus.
A timeout of zero means no timeout.

|===
== .spec.prometheus.querier.manual
Description::
+
--
Prometheus configuration for `Manual` mode.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `forwardUserToken`
| `boolean`
| Set `true` to forward logged in user token in queries to Prometheus

| `tls`
| `object`
| TLS client configuration for Prometheus URL.

| `url`
| `string`
| `url` is the address of an existing Prometheus service to use for querying metrics.

|===
== .spec.prometheus.querier.manual.tls
Description::
+
--
TLS client configuration for Prometheus URL.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `caCert`
| `object`
| `caCert` defines the reference of the certificate for the Certificate Authority.

| `enable`
| `boolean`
| Enable TLS

| `insecureSkipVerify`
| `boolean`
| `insecureSkipVerify` allows skipping client-side verification of the server certificate.
If set to `true`, the `caCert` field is ignored.

| `userCert`
| `object`
| `userCert` defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.

|===
== .spec.prometheus.querier.manual.tls.caCert
Description::
+
--
`caCert` defines the reference of the certificate for the Certificate Authority.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `certFile`
| `string`
| `certFile` defines the path to the certificate file name within the config map or secret.

| `certKey`
| `string`
| `certKey` defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

| `name`
| `string`
| Name of the config map or secret containing certificates.

| `namespace`
| `string`
| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed.
If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

| `type`
| `string`
| Type for the certificate reference: `configmap` or `secret`.

|===
== .spec.prometheus.querier.manual.tls.userCert
Description::
+
--
`userCert` defines the user certificate reference and is used for mTLS. When you use one-way TLS, you can ignore this property.
--

Type::
  `object`




[cols="1,1,1",options="header"]
|===
| Property | Type | Description

| `certFile`
| `string`
| `certFile` defines the path to the certificate file name within the config map or secret.

| `certKey`
| `string`
| `certKey` defines the path to the certificate private key file name within the config map or secret. Omit when the key is not necessary.

| `name`
| `string`
| Name of the config map or secret containing certificates.

| `namespace`
| `string`
| Namespace of the config map or secret containing certificates. If omitted, the default is to use the same namespace as where Network Observability is deployed.
If the namespace is different, the config map or the secret is copied so that it can be mounted as required.

| `type`
| `string`
| Type for the certificate reference: `configmap` or `secret`.

|===