Chapter 2. OLSConfig API reference

featureGates

array (string)

Feature Gates holds list of features to be enabled explicitly, otherwise they are disabled by default. possible values: MCPServer

llm

object

LLMSpec defines the desired state of the large language model (LLM).

mcpServers

array

MCP Server settings

ols

object

OLSSpec defines the desired state of OLS deployment.

olsDataCollector

object

OLSDataCollectorSpec defines allowed OLS data collector configuration.

providers

array

apiVersion

string

API Version for Azure OpenAI provider

credentialsSecretRef

object

The name of the secret object that stores API provider credentials

deploymentName

string

Azure OpenAI deployment name

models

array

List of models from the provider

name

string

Provider name

projectID

string

Watsonx Project ID

tlsSecurityProfile

object

TLS Security Profile used by connection to provider

type

string

Provider type

url

string

Provider API URL

name

string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

contextWindowSize

integer

Defines the model’s context window size, in tokens. The default is 128k tokens.

name

string

Model name

parameters

object

Model API parameters

url

string

Model API URL

maxTokensForResponse

integer

Max tokens for response. The default is 2048 tokens.

custom

``

custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:

ciphers:

- ECDHE-ECDSA-CHACHA20-POLY1305

- ECDHE-RSA-CHACHA20-POLY1305

- ECDHE-RSA-AES128-GCM-SHA256

- ECDHE-ECDSA-AES128-GCM-SHA256

minTLSVersion: VersionTLS11

intermediate

``

intermediate is a TLS security profile based on:

https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29

and looks like this (yaml):

ciphers:

- TLS_AES_128_GCM_SHA256

- TLS_AES_256_GCM_SHA384

- TLS_CHACHA20_POLY1305_SHA256

- ECDHE-ECDSA-AES128-GCM-SHA256

- ECDHE-RSA-AES128-GCM-SHA256

- ECDHE-ECDSA-AES256-GCM-SHA384

- ECDHE-RSA-AES256-GCM-SHA384

- ECDHE-ECDSA-CHACHA20-POLY1305

- ECDHE-RSA-CHACHA20-POLY1305

- DHE-RSA-AES128-GCM-SHA256

- DHE-RSA-AES256-GCM-SHA384

minTLSVersion: VersionTLS12

modern

``

modern is a TLS security profile based on:

https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility

and looks like this (yaml):

ciphers:

- TLS_AES_128_GCM_SHA256

- TLS_AES_256_GCM_SHA384

- TLS_CHACHA20_POLY1305_SHA256

minTLSVersion: VersionTLS13

old

``

old is a TLS security profile based on:

https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility

and looks like this (yaml):

ciphers:

- TLS_AES_128_GCM_SHA256

- TLS_AES_256_GCM_SHA384

- TLS_CHACHA20_POLY1305_SHA256

- ECDHE-ECDSA-AES128-GCM-SHA256

- ECDHE-RSA-AES128-GCM-SHA256

- ECDHE-ECDSA-AES256-GCM-SHA384

- ECDHE-RSA-AES256-GCM-SHA384

- ECDHE-ECDSA-CHACHA20-POLY1305

- ECDHE-RSA-CHACHA20-POLY1305

- DHE-RSA-AES128-GCM-SHA256

- DHE-RSA-AES256-GCM-SHA384

- DHE-RSA-CHACHA20-POLY1305

- ECDHE-ECDSA-AES128-SHA256

- ECDHE-RSA-AES128-SHA256

- ECDHE-ECDSA-AES128-SHA

- ECDHE-RSA-AES128-SHA

- ECDHE-ECDSA-AES256-SHA384

- ECDHE-RSA-AES256-SHA384

- ECDHE-ECDSA-AES256-SHA

- ECDHE-RSA-AES256-SHA

- DHE-RSA-AES128-SHA256

- DHE-RSA-AES256-SHA256

- AES128-GCM-SHA256

- AES256-GCM-SHA384

- AES128-SHA256

- AES256-SHA256

- AES128-SHA

- AES256-SHA

- DES-CBC3-SHA

minTLSVersion: VersionTLS10

type

string

type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. Old, Intermediate and Modern are TLS security profiles based on:

https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations

The profiles are intent based, so they might change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list might be reduced.

Note that the Modern profile is currently not supported because it is not yet well adopted by common software libraries.

name

string

Name of the MCP server

streamableHTTP

object

Streamable HTTP Transport settings

enableSSE

boolean

Enable Server Sent Events

headers

object (string)

Headers to send to the MCP server

sseReadTimeout

integer

SSE Read Timeout, default is 10 seconds

timeout

integer

Timeout for the MCP server, default is 5 seconds

url

string

URL of the MCP server

additionalCAConfigMapRef

object

Additional CA certificates for TLS communication between OLS service and LLM Provider

byokRAGOnly

boolean

Only use BYOK RAG sources, ignore the Red Hat OpenShift Lightspeed documentation RAG

conversationCache

object

Conversation cache settings

defaultModel

string

Default model for usage

defaultProvider

string

Default provider for usage

deployment

object

OLS deployment settings

introspectionEnabled

boolean

Enable introspection features

logLevel

string

Log level. Valid options are DEBUG, INFO, WARNING, ERROR and CRITICAL. Default: "INFO".

proxyConfig

object

Proxy settings for connecting to external servers, such as LLM providers.

queryFilters

array

Query filters

quotaHandlersConfig

object

LLM Token Quota Configuration

rag

array

RAG databases

storage

object

Persistent Storage Configuration

tlsConfig

object

TLS configuration of the Lightspeed backend’s HTTPS endpoint

tlsSecurityProfile

object

TLS Security Profile used by API endpoints

userDataCollection

object

User data collection switches

name

string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

postgres

object

PostgresSpec defines the desired state of Postgres.

type

string

Conversation cache type. Default: "postgres"

credentialsSecret

string

Secret that holds postgres credentials

dbName

string

Postgres database name

maxConnections

integer

Postgres maxconnections. Default: "2000"

sharedBuffers

integer-or-string

Postgres sharedbuffers

user

string

Postgres user name

api

object

API container settings.

console

object

Console container settings.

dataCollector

object

Data Collector container settings.

database

object

Database container settings.

mcpServer

object

MCP server container settings.

replicas

integer

Defines the number of desired OLS pods. Default: "1"

nodeSelector

object (string)

resources

object

ResourceRequirements describes the compute resource requirements.

tolerations

array

claims

array

Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.

This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.

This field is immutable. It can only be set for containers.

limits

integer-or-string

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

requests

integer-or-string

Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

name

string

Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.

request

string

Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request.

effect

string

Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.

key

string

Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.

operator

string

Operator represents a key’s relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.

tolerationSeconds

integer

TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.

value

string

Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.

caCertificate

string

Certificate Authority (CA) certificate used by the console proxy endpoint.

nodeSelector

object (string)

replicas

integer

Defines the number of desired Console pods. Default: "1"

resources

object

ResourceRequirements describes the compute resource requirements.

tolerations

array

claims

array

Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.

This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.

This field is immutable. It can only be set for containers.

limits

integer-or-string

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

requests

integer-or-string

Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

name

string

Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.

request

string

Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request.

effect

string

Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.

key

string

Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.

operator

string

Operator represents a key’s relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.

tolerationSeconds

integer

TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.

value

string

Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.

resources

object

ResourceRequirements describes the compute resource requirements.

claims

array

Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.

This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.

This field is immutable. It can only be set for containers.

limits

integer-or-string

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

requests

integer-or-string

Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

name

string

Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.

request

string

Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request.

nodeSelector

object (string)

resources

object

ResourceRequirements describes the compute resource requirements.

tolerations

array

claims

array

Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.

This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.

This field is immutable. It can only be set for containers.

limits

integer-or-string

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

requests

integer-or-string

Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

name

string

Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.

request

string

Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request.

effect

string

Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.

key

string

Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.

operator

string

Operator represents a key’s relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.

tolerationSeconds

integer

TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.

value

string

Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.

resources

object

ResourceRequirements describes the compute resource requirements.

claims

array

Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.

This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.

This field is immutable. It can only be set for containers.

limits

integer-or-string

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

requests

integer-or-string

Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

name

string

Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.

request

string

Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request.

proxyCACertificate

object

The configmap holding proxy CA certificate

proxyURL

string

Proxy URL, e.g. https://proxy.example.com:8080 If not specified, the cluster wide proxy will be used, though env var "https_proxy".

name

string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

name

string

Filter name.

pattern

string

Filter pattern.

replaceWith

string

Replacement for the matched pattern.

enableTokenHistory

boolean

Enable token history

limitersConfig

array

Token quota limiters

initialQuota

integer

Initial value of the token quota

name

string

Name of the limiter

period

string

Period of time the token quota is for

quotaIncrease

integer

Token quota increase step

type

string

Type of the limiter

image

string

The URL of the container image to use as a RAG source

indexID

string

The Index ID of the RAG database

indexPath

string

The path to the RAG database inside of the container image

class

string

Storage class of the requested volume

size

integer-or-string

Size of the requested volume

keyCertSecretRef

object

KeySecretRef is the secret that holds the TLS key.

name

string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

custom

``

custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:

ciphers:

- ECDHE-ECDSA-CHACHA20-POLY1305

- ECDHE-RSA-CHACHA20-POLY1305

- ECDHE-RSA-AES128-GCM-SHA256

- ECDHE-ECDSA-AES128-GCM-SHA256

minTLSVersion: VersionTLS11

intermediate

``

intermediate is a TLS security profile based on:

https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29

and looks like this (yaml):

ciphers:

- TLS_AES_128_GCM_SHA256

- TLS_AES_256_GCM_SHA384

- TLS_CHACHA20_POLY1305_SHA256

- ECDHE-ECDSA-AES128-GCM-SHA256

- ECDHE-RSA-AES128-GCM-SHA256

- ECDHE-ECDSA-AES256-GCM-SHA384

- ECDHE-RSA-AES256-GCM-SHA384

- ECDHE-ECDSA-CHACHA20-POLY1305

- ECDHE-RSA-CHACHA20-POLY1305

- DHE-RSA-AES128-GCM-SHA256

- DHE-RSA-AES256-GCM-SHA384

minTLSVersion: VersionTLS12

modern

``

modern is a TLS security profile based on:

https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility

and looks like this (yaml):

ciphers:

- TLS_AES_128_GCM_SHA256

- TLS_AES_256_GCM_SHA384

- TLS_CHACHA20_POLY1305_SHA256

minTLSVersion: VersionTLS13

old

``

old is a TLS security profile based on:

https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility

and looks like this (yaml):

ciphers:

- TLS_AES_128_GCM_SHA256

- TLS_AES_256_GCM_SHA384

- TLS_CHACHA20_POLY1305_SHA256

- ECDHE-ECDSA-AES128-GCM-SHA256

- ECDHE-RSA-AES128-GCM-SHA256

- ECDHE-ECDSA-AES256-GCM-SHA384

- ECDHE-RSA-AES256-GCM-SHA384

- ECDHE-ECDSA-CHACHA20-POLY1305

- ECDHE-RSA-CHACHA20-POLY1305

- DHE-RSA-AES128-GCM-SHA256

- DHE-RSA-AES256-GCM-SHA384

- DHE-RSA-CHACHA20-POLY1305

- ECDHE-ECDSA-AES128-SHA256

- ECDHE-RSA-AES128-SHA256

- ECDHE-ECDSA-AES128-SHA

- ECDHE-RSA-AES128-SHA

- ECDHE-ECDSA-AES256-SHA384

- ECDHE-RSA-AES256-SHA384

- ECDHE-ECDSA-AES256-SHA

- ECDHE-RSA-AES256-SHA

- DHE-RSA-AES128-SHA256

- DHE-RSA-AES256-SHA256

- AES128-GCM-SHA256

- AES256-GCM-SHA384

- AES128-SHA256

- AES256-SHA256

- AES128-SHA

- AES256-SHA

- DES-CBC3-SHA

minTLSVersion: VersionTLS10

type

string

type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters. Old, Intermediate and Modern are TLS security profiles based on:

https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations

The profiles are intent based, so they might change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list might be reduced.

Note that the Modern profile is currently not supported because it is not yet well adopted by common software libraries.

feedbackDisabled

boolean

transcriptsDisabled

boolean

logLevel

string

Log level. Valid options are DEBUG, INFO, WARNING, ERROR and CRITICAL. Default: "INFO".