Set Wave configuration values using environment variables or in the config.yml configuration file.

Declare YAML configuration values in config.yml:

```yaml
wave:
  mail:
    from: "[email protected]"
```

YAML configuration keys on this page are listed in "dot" notation, i.e., the `mail.from` value in the snippet above is represented as `wave.mail.from` in the tables that follow.

Where an attribute has a corresponding environment variable, it is listed alongside the attribute: you can either set the value in config.yml or provide it through that environment variable.
General configuration options cover the Wave application name, port, whether to allow anonymous access (without a Tower token), and the Wave and Seqera Platform URLs.

- `micronaut.application.name`: the name of the Wave application. By default, it is set to `wave-app`. Optional.
- `micronaut.server.port`: the port used by the Wave server. The default port is `8080`. Optional.
- `wave.allowAnonymous`: specifies whether anonymous access to the Wave server is permitted. By default, it is set to `false`, meaning authentication is required. Change this option based on your security requirements. Mandatory.
- `wave.server.url`: the URL for the Wave server. You can also set it using the `${WAVE_SERVER_URL}` environment variable. Optional.
- `wave.tokens.cache.duration`: the duration for cached tokens generated by Wave. The default is `1h`, and you can modify it according to your token caching preferences. Optional.
- `tower.endpoint.url`: the URL pointing to the Seqera Platform API service. The default points to the Seqera-hosted platform, `https://api.cloud.seqera.io`. Optional.
- `logger.levels.io.seqera`: the logger level for the `io.seqera` package. By default, it is set to `TRACE`, providing detailed logging. Adjust this based on logging requirements. Optional.
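The following is an added example, not part of the Wave project or its documentation. It flattens a parsed config.yml into the dot notation used on this page, resolves `${VAR}` / `${VAR:default}` placeholders the way the `redis.uri` default is written, and reports a few things worth catching before deployment: missing keys from the Mandatory set, `wave.allowAnonymous` left at `true`, `TRACE` logging, and secrets written literally instead of as environment references. The sample config, environment and the `MANDATORY` subset are constructed for the example.

```python
import re

# Micronaut-style placeholders as used in config.yml on this page: ${NAME} or ${NAME:default}
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::([^}]*))?\}")
SECRET_SUFFIXES = (".password", ".secretKey", ".secret-key")  # suffixes of secret keys on this page
MANDATORY = ("wave.allowAnonymous", "wave.build.workspace", "wave.build.repo", "wave.build.cache", "redis.uri")  # subset


def flatten(node: dict, prefix: str = "") -> dict:
    """Flatten a nested mapping into dot-notation keys, e.g. wave.mail.from."""
    out = {}
    for key, value in node.items():
        path = f"{prefix}.{key}" if prefix else str(key)
        out.update(flatten(value, path) if isinstance(value, dict) else {path: value})
    return out


def resolve(value, env: dict):
    """Substitute ${VAR} / ${VAR:default}; a placeholder with neither stays as-is."""
    if not isinstance(value, str):
        return value

    def sub(m):
        name, default = m.group(1), m.group(2)
        return env.get(name, default if default is not None else m.group(0))

    return PLACEHOLDER.sub(sub, value)


def check(config: dict, env: dict):
    """Resolve placeholders and return (flat config, list of findings)."""
    raw = flatten(config)
    flat = {k: resolve(v, env) for k, v in raw.items()}
    findings = [f"missing mandatory key: {k}" for k in MANDATORY if k not in flat]
    if flat.get("wave.allowAnonymous") is True:
        findings.append("wave.allowAnonymous is true: unauthenticated clients can use the server")
    if str(flat.get("logger.levels.io.seqera", "")).upper() == "TRACE":
        findings.append("logger.levels.io.seqera is TRACE: verbose logs may expose request details")
    for key, val in raw.items():
        if isinstance(val, str) and key.endswith(SECRET_SUFFIXES) and not PLACEHOLDER.search(val):
            findings.append(f"{key}: literal secret in config.yml, prefer a ${{VAR}} reference")
        if isinstance(val, str) and PLACEHOLDER.search(flat[key]):
            findings.append(f"{key}: unresolved placeholder {flat[key]}")
    return flat, findings


# Constructed sample standing in for a parsed config.yml and the process environment
SAMPLE_CONFIG = {
    "wave": {"allowAnonymous": True, "server": {"url": "${WAVE_SERVER_URL}"},
             "build": {"workspace": "/efs/wave/build", "repo": "docker.io/example/wave-build"},
             "registries": {"docker.io": {"username": "${DOCKER_USER}", "password": "hunter2"}}},
    "redis": {"uri": "redis://${REDIS_HOST:redis}:${REDIS_PORT:6379}"},
    "logger": {"levels": {"io": {"seqera": "TRACE"}}},
}
SAMPLE_ENV = {"DOCKER_USER": "ci-bot", "REDIS_HOST": "cache.internal"}
```

Feed `yaml.safe_load(open("config.yml"))` and `os.environ` to `check()` to run it against a real file.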
The generic format for the attributes is `wave.registries.<registry_name>.username` and `wave.registries.<registry_name>.password`.

You need to specify all the repositories you will use in the respective Wave installation.

Below are the standard formats for known registries, but you can change the registry name (`azurecr.io`) to a specific one like `seqeralabs.azurecr.io`.

Note: Container registry credentials can be defined in config.yml too. These configurations are important for Wave's authentication to the repositories used to push or pull artifacts.

- `wave.registries.default`: the default Docker registry for Wave. The default is `docker.io`, which represents Docker Hub. Optional.
- `wave.registries.docker.io.username`: the Docker Hub username for authentication. It can be set using the `${DOCKER_USER}` environment variable. Optional.
- `wave.registries.docker.io.password`: the Docker Hub password or PAT (Personal Access Token) for authentication. It can be set using the `${DOCKER_PAT}` environment variable. Optional.
- `wave.registries.quay.io.username`: the Quay.io username for authentication. It can be set using the `${QUAY_USER}` environment variable. Optional.
- `wave.registries.quay.io.password`: the Quay.io password or PAT for authentication. It can be set using the `${QUAY_PAT}` environment variable. Optional.
- `wave.registries.<AWS ECR Repo name>.username`: the AWS ECR (Elastic Container Registry) username for authentication. An example AWS ECR Repo name is `195996028523.dkr.ecr.eu-west-1.amazonaws.com`. It can be set using the `${AWS_ACCESS_KEY_ID}` environment variable. Optional.
- `wave.registries.<AWS ECR Repo name>.password`: the AWS ECR password for authentication. An example AWS ECR Repo name is `195996028523.dkr.ecr.eu-west-1.amazonaws.com`. It can be set using the `${AWS_SECRET_ACCESS_KEY}` environment variable. Optional.
- `wave.registries.<azurecr Repo name>.username`: the Azure Container Registry username for authentication. An example of an Azure Container Registry Repo name is `seqeralabs.azurecr.io`. It can be set using the `${AZURECR_USER}` environment variable. Optional.
- `wave.registries.<azurecr Repo name>.password`: the Azure Container Registry password or PAT for authentication. An example of an Azure Container Registry Repo name is `seqeralabs.azurecr.io`. It can be set using the `${AZURECR_PAT}` environment variable. Optional.
- `wave.httpclient.connectTimeout`: sets the connection timeout for the HTTP client. Its default value is `20s`. Optional.
- `wave.httpclient.retry.delay`: sets the delay for HTTP client retries. Its default value is `1s`. Optional.
- `wave.httpclient.retry.attempts`: defines the number of HTTP client retry attempts. Its default value is `5`. Optional.
- `wave.httpclient.retry.maxDelay`: sets the maximum delay for HTTP client retries. Optional.
- `wave.httpclient.retry.jitter`: introduces jitter for HTTP client retries. Its default value is `0.25`. Optional.
- `wave.httpclient.retry.multiplier`: defines the multiplier for HTTP client retries. Its default value is `1.0`. Optional.
- `micronaut.http.services.stream-client.read-timeout`: sets the read timeout for the streaming HTTP client. Its default value is `30s`. Optional.
- `micronaut.http.services.stream-client.read-idle-timeout`: configures the read idle timeout for the streaming HTTP client. Its default value is `120s`. Optional.
- `wave.build.timeout`: the timeout for the build process. Its default value is `5m` (5 minutes), providing a reasonable time frame for the build operation. Optional.
- `wave.build.workspace`: defines the path to the directory used by Wave to store artifacts such as Dockerfiles, the Trivy cache for scans, the Buildkit context, authentication configuration files, etc. For example, `/efs/wave/build`. Mandatory.
- `wave.build.cleanup`: determines the cleanup strategy after the build process. Options include `OnSuccess`, meaning cleanup occurs only if the build is successful. Optional.
- `wave.build.buildkit-image`: specifies the Buildkit Docker image used in the Wave build process. The default is `moby/buildkit:v0.13.2-rootless`. Optional.
- `wave.build.singularity-image`: sets the Singularity image used in the build process. The default is `quay.io/singularity/singularity:v3.11.4-slim`. Optional.
- `wave.build.singularity-image-arm64`: the ARM64 version of the Singularity image for the build process. The default is `quay.io/singularity/singularity:v3.11.4-slim-arm64`. Optional.
- `wave.build.repo`: specifies the Docker container repository for the Docker images built by Wave. This setting is required to define where the images will be stored. Mandatory.
- `wave.build.cache`: determines the Docker container repository used to cache layers of images built by Wave. Mandatory.
- `wave.build.status.delay`: sets the delay between build status checks. Its default value is `5s`, providing a reasonable interval for status checks. Optional.
- `wave.build.status.duration`: defines the duration for build status checks. Its default value is `1d` (1 day), indicating how long the system should check the build status. Optional.
- `wave.build.public`: indicates whether the Docker container repository is public. If set to `true`, Wave freeze will prefer this public repository over `wave.build.repo`. Optional.
- `wave.build.oci-mediatypes`: defines whether to use OCI mediatypes in exported manifests. Its default value is `true`. Optional.
- `wave.build.compression`: defines which type of compression will be applied to cache layers. Its default value is `gzip`; the other options are `uncompressed|estargz|zstd`. Optional.
- `wave.build.force-compression`: determines whether to force compression for each cache layer produced by the build process. The default is `false`, enabling compression for more efficient storage. Optional.
This configuration specifies attributes for the persistence of the logs fetched from the containers or k8s pods used to build requested images. These logs can be accessed later and are also attached to the build completion email.

- `wave.build.logs.bucket`: the AWS S3 bucket where Wave will store build process logs. Mandatory.
- `wave.build.logs.prefix`: sets the prefix to be used for build process log files in the specified S3 bucket. Optional.
- `wave.build.logs.maxLength`: determines the maximum number of bytes that can be read from a log file. If a log file exceeds this limit, it will be truncated. The default value is `100000` (100 KB). Optional.
The Kubernetes configuration has options specific to k8s; most of them, except CPU and memory, are the same for the build and scan processes.

Note: only applies when using Kubernetes.

- `wave.build.k8s.namespace`: the Kubernetes namespace where Wave will run its build pods. This is a required setting, specifying the namespace used to isolate and manage the Wave build processes within the Kubernetes cluster. Mandatory.
- `wave.build.k8s.storage.claimName`: the volume claim name for the Wave build Kubernetes pods. Optional.
- `wave.build.k8s.storage.mountPath`: defines the volume mount path on Wave build Kubernetes pods. Optional.
- `wave.build.k8s.labels`: allows you to set labels on Wave build Kubernetes pods. Optional.
- `wave.build.k8s.node-selector`: configures the node selector for Wave build Kubernetes pods. Optional.
- `wave.build.k8s.service-account`: specifies the Kubernetes service account name to be used by Wave build pods. Optional.
- `wave.build.k8s.resources.requests.cpu`: sets the amount of CPU resources to allocate to Wave build processes. For example, it could be configured as `2` or `1500Mi` (1.5 CPU cores). Optional.
- `wave.build.k8s.resources.requests.memory`: determines the amount of memory resources to allocate to Wave build processes. For instance, it could be set to `3Gi` or `2000Mi` (3 or 2000 Megabytes). Optional.
The scan process configuration lets you provide a Trivy Docker image with any tag, and the vulnerability severity levels that need to be scanned for.

- `wave.scan.enabled`: specifies whether vulnerability scanning is enabled or disabled. It's `false` by default and can be enabled by changing it to `true`. Optional.
- `wave.scan.severity`: the severity levels to report in vulnerability scanning. For example, you can configure it with `MEDIUM,HIGH,CRITICAL` to include vulnerabilities of these severity levels in the scan report. Optional.
- `wave.scan.image.name`: the Trivy Docker image used for container security scanning. The default value is `aquasec/trivy:0.47.0`. This is the image that Wave will use to perform vulnerability scanning on containers. Optional.
The Wave scan process uses the same k8s configuration as the build process, except for the CPU and memory requirements of the k8s pod.

Note: only applies when using Kubernetes.

- `wave.scan.k8s.resources.requests.cpu`: the amount of CPU resources allocated to Wave scan processes. For instance, you can set it to `2` or `1500Mi` (1.5 CPU cores). Optional.
- `wave.scan.k8s.resources.requests.memory`: the memory resources allocated to Wave scan processes. For example, it could be set to `3Gi` or `2000Mi` (3 or 2000 Megabytes). Optional.
Rate limit configuration controls the limits on anonymous and authenticated users' access to Wave.

Note: Change these properties to tweak rate limits in Wave.

- `rate-limit.build.anonymous`: the rate limit for anonymous build requests. By default, it allows up to 10 build requests per hour (`10/1h`) from anonymous users. This setting controls the frequency at which anonymous users can trigger build processes in Wave. Mandatory.
- `rate-limit.build.authenticated`: the rate limit for authenticated build requests. By default, it allows up to 10 build requests per minute (`10/1m`) from authenticated users. This setting governs the rate at which authenticated users can initiate build processes in Wave. Mandatory.
- `rate-limit.pull.anonymous`: the rate limit for anonymous pull requests. By default, it allows up to 100 pull requests per hour (`100/1h`) from anonymous users. This setting controls how frequently anonymous users can perform pull operations in Wave. Mandatory.
- `rate-limit.pull.authenticated`: the rate limit for authenticated pull requests. By default, it allows up to 100 pull requests per minute (`100/1m`) from authenticated users. This setting governs the rate at which authenticated users can perform pull operations in Wave. Mandatory.
- `wave.denyPaths`: used to filter out API calls for specific artifacts, like manifests, that don't exist. Optional.
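As an added example (not code from the Wave project), the following parses the `<requests>/<window>` rate-limit format used above and applies it with a per-client fixed-window counter, keeping the anonymous and authenticated tiers separate as the four `rate-limit.*` keys do. The defaults are the ones quoted on this page; the client identifiers, timestamps and the fixed-window algorithm itself are assumptions for the example.

```python
import re

# Rate-limit spec format from this page: "<requests>/<amount><unit>", e.g. 10/1h or 100/1m
RATE_SPEC = re.compile(r"^(\d+)/(\d+)([smhd])$")
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
# Defaults quoted on this page, keyed by "<action>.<tier>"
DEFAULT_LIMITS = {"build.anonymous": "10/1h", "build.authenticated": "10/1m",
                  "pull.anonymous": "100/1h", "pull.authenticated": "100/1m"}


def parse_rate(spec: str) -> tuple:
    """Return (max_requests, window_seconds) for a spec such as '10/1h'."""
    m = RATE_SPEC.match(spec.strip())
    if not m:
        raise ValueError(f"invalid rate-limit spec: {spec!r}")
    return int(m.group(1)), int(m.group(2)) * UNIT_SECONDS[m.group(3)]


class FixedWindowLimiter:
    """Per-client request counters in fixed windows, one limit per action and tier (assumed algorithm)."""

    def __init__(self, limits: dict):
        self.limits = {k: parse_rate(v) for k, v in limits.items()}
        self.counters = {}  # (client, tier, window index) -> requests seen

    def allow(self, client: str, action: str, authenticated: bool, now: float) -> bool:
        """Record one request at time `now` and return whether it is within the tier's budget."""
        tier = f"{action}.{'authenticated' if authenticated else 'anonymous'}"
        limit, window = self.limits[tier]
        key = (client, tier, int(now // window))
        used = self.counters.get(key, 0)
        if used >= limit:
            return False  # budget for this window exhausted: deny
        self.counters[key] = used + 1
        return True


def simulate(limiter: FixedWindowLimiter, client: str, action: str,
             authenticated: bool, times) -> list:
    """Replay a sequence of request timestamps and return the allow/deny decision for each."""
    return [limiter.allow(client, action, authenticated, t) for t in times]
```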
- `redis.uri`: the Uniform Resource Identifier (URI) for connecting to Redis, a popular in-memory data store. By default, it uses the format `redis://${REDIS_HOST:redis}:${REDIS_PORT:6379}`, allowing customization of the Redis host and port through environment variables. Mandatory.
- `redis.pool.enabled`: whether to enable the Redis pool. It is set to `true` by default, enabling the use of a connection pool for efficient management of connections to the Redis server. Optional.
- `redis.pool.minIdle`: specifies the minimum number of idle connections to maintain in the Redis connection pool. The default value is `0`. This ensures that connections are readily available for use. Optional.
- `redis.pool.maxIdle`: specifies the maximum number of idle connections to maintain in the Redis connection pool. The default value is `10`. Optional.
- `redis.pool.maxTotal`: specifies the maximum number of connections that can be maintained in the Redis connection pool. The default value is `50`. This helps to manage resource usage efficiently while supporting high demand. Optional.
- `redis.client.timeout`: defines the timeout duration (in milliseconds) for Redis client operations. The default value is `5000` (5 seconds). Optional.
- `redis.password`: specifies the password used to authenticate with the Redis server. This is needed when Redis authentication is enabled. Optional.
- `surreal.default.ns`: the namespace for the Surreal database. It can be set using the `${SURREALDB_NS}` environment variable. Mandatory.
- `surreal.default.db`: the name of the Surreal database. It can be set using the `${SURREALDB_DB}` environment variable. This setting defines the target database within the Surreal database system that Wave should interact with. Mandatory.
- `surreal.default.url`: the URL for connecting to the Surreal database. It can be set using the `${SURREALDB_URL}` environment variable. This URL defines the endpoint that Wave uses to establish a connection with the Surreal database. Mandatory.
- `surreal.default.user`: the username used for authentication when connecting to the Surreal database. It can be set using the `${SURREALDB_USER}` environment variable. Mandatory.
- `surreal.default.password`: the password used for authentication when connecting to the Surreal database. It can be set using the `${SURREALDB_PASSWORD}` environment variable. Mandatory.
- `surreal.default.init-db`: whether to create database tables, records and indices at application startup and `db`. Optional.
Wave offers a cache for Docker blobs, which improves the performance of supplying blobs to the client. If you use Kubernetes, Wave can also delegate the transfer task to a k8s pod for scalability.

- `wave.blobCache.enabled`: whether to enable the blob cache. It is `false` by default. Optional.
- `wave.blobCache.s5cmdImage`: the Docker image that supplies the s5cmd tool. This tool is used to upload blob binaries to the S3 bucket. The default image used by Wave is `public.cr.seqera.io/wave/s5cmd:v2.2.2`. Optional.
- `wave.blobCache.status.delay`: the time delay between checks of the status of the transfer of a blob binary from the repository to the cache. Its default value is `5s`. Optional.
- `wave.blobCache.status.duration`: the time for which Wave will store the blob binary in the cache. Its default value is `5d`. Optional.
- `wave.blobCache.timeout`: the timeout for a blob binary transfer, after which Wave will throw a `TransferTimeoutException`. Its default value is `5m`. Optional.
- `wave.blobCache.baseUrl`: a URL that overrides the base URL (the part of the URL before the blob path) of blobs sent to the end client. Optional.
- `wave.blobCache.signing-strategy`: the URL signing strategy for different services. Currently, Wave offers it for AWS S3 and Cloudflare; use the respective values `aws-presigned-url` and `cloudflare-waf-token` to enable them. Mandatory.
- `wave.blobCache.cloudflare.lifetime`: the validity of the Cloudflare WAF token. Mandatory.
- `wave.blobCache.cloudflare.urlSignatureDuration`: the validity of the AWS S3 URL signature. Its default value is `30m`. Optional.
- `wave.blobCache.cloudflare.secret-key`: the Cloudflare secret used to create the WAF token. Mandatory.
- `wave.blobCache.storage.bucket`: the name of the Cloudflare or S3 bucket. For example, `s3://wave-blob-cache`. Mandatory.
- `wave.blobCache.storage.region`: the AWS region where the bucket is created. Mandatory.
- `wave.blobCache.storage.endpoint`: the URL for the storage location. This will be used for the download or upload of blob binaries. Optional.
- `wave.blobCache.storage.accessKey`: the access key (part of the credentials) used to access the resources of the service used for caching. Optional.
- `wave.blobCache.storage.secretKey`: the secret key (part of the credentials) used to access the resources of the service used for caching. Optional.
- `wave.blobCache.requestsCpu`: the amount of CPU resources allocated to the k8s pod used for blob binary transfers. Optional.
- `wave.blobCache.requestsMemory`: the memory resources allocated to the k8s pod used for blob binary transfers. Optional.
The email address from which emails are sent on behalf of the Wave service.

- `mail.from`: specifies the sender's email address for Wave notifications. This email address serves as the point of origin for any emails sent by Wave, providing a recognizable source for notifications. This setting is crucial for configuring the sender identity when Wave sends email notifications. Mandatory.

The Wave Metrics service provides data about container builds and pulls per IP, container image, and user.

- `wave.metrics.enabled`: whether to enable Wave metrics. It is `false` by default. Optional.
- `wave.accounts`: specifies a list of credentials used to access authenticated Wave APIs, such as the metrics APIs. Mandatory.

Format of each entry in the credential list: `<USERNAME>:<PASSWORD CHECKSUM>`