Enterprise
Diode Configuration
Diode provides automated data ingestion into NetBox. It consists of four components:
- Reconciler - Processes change sets and updates NetBox via API
- Ingester - Receives incoming data and writes to Redis streams
- Auth - Authentication service for Diode API clients
- Hydra - Ory Hydra OAuth2/OIDC server for token management
Enable/Disable Diode
| Key | Type | Default | Description |
|---|---|---|---|
| diode.enabled | bool | true | Enable the entire Diode stack |
netboxEnterprise:
  spec:
    diode:
      enabled: false # Disable Diode entirely
When disabled, the reconciler, ingester, auth, and Hydra components are not deployed.
Component Configuration
Each component has the same configuration structure for scaling and resources:
Reconciler
| Key | Type | Default | Description |
|---|---|---|---|
| diode.reconciler.replicas | uint8 | 1 | Number of reconciler replicas |
| diode.reconciler.resources.cpu | int | 100 | CPU request (millicores) |
| diode.reconciler.resources.memory | int | 256 | Memory request (MiB) |
| diode.reconciler.limits.cpu | int | 500 | CPU limit (millicores) |
| diode.reconciler.limits.memory | int | 512 | Memory limit (MiB) |
Ingester
| Key | Type | Default | Description |
|---|---|---|---|
| diode.ingester.replicas | uint8 | 1 | Number of ingester replicas |
| diode.ingester.resources.cpu | int | 100 | CPU request (millicores) |
| diode.ingester.resources.memory | int | 256 | Memory request (MiB) |
| diode.ingester.limits.cpu | int | 500 | CPU limit (millicores) |
| diode.ingester.limits.memory | int | 512 | Memory limit (MiB) |
Auth
| Key | Type | Default | Description |
|---|---|---|---|
| diode.auth.replicas | uint8 | 1 | Number of auth replicas |
| diode.auth.resources.cpu | int | 50 | CPU request (millicores) |
| diode.auth.resources.memory | int | 128 | Memory request (MiB) |
| diode.auth.limits.cpu | int | 200 | CPU limit (millicores) |
| diode.auth.limits.memory | int | 256 | Memory limit (MiB) |
Hydra (OAuth2/OIDC)
| Key | Type | Default | Description |
|---|---|---|---|
| diode.hydra.replicas | uint8 | 1 | Number of Hydra replicas |
| diode.hydra.autoMigrate | bool | true | Run database migrations on startup |
| diode.hydra.resources.cpu | int | 100 | CPU request (millicores) |
| diode.hydra.resources.memory | int | 256 | Memory request (MiB) |
| diode.hydra.limits.cpu | int | 500 | CPU limit (millicores) |
| diode.hydra.limits.memory | int | 512 | Memory limit (MiB) |
Hydra secrets (cookie, DSN, system) are auto-generated from the PostgreSQL configuration if not explicitly set.
Application Config
Reconciler Config
| Key | Type | Default | Description |
|---|---|---|---|
| diode.config.reconciler.autoApplyChangesets | bool | schema true; chart seeds false | Automatically apply change sets to NetBox. The CRD schema default is true. The chart's values.yaml seeds false, and the operator forces false when NetBox Assurance is licensed so changesets go through review. Set it explicitly to override. |
| diode.config.reconciler.logLevel | enum | INFO | Log level: INFO, DEBUG, WARN, ERROR |
| diode.config.reconciler.databaseName | string | diode | PostgreSQL database name |
| diode.config.reconciler.databaseUser | string | diode | PostgreSQL database user |
| diode.config.reconciler.migrationEnabled | bool | true | Run database migrations |
| diode.config.reconciler.redisDb | uint8 | 0 | Redis database number |
| diode.config.reconciler.redisStreamDb | uint8 | 1 | Redis database for streams |
| diode.config.reconciler.autoApplyProcessorConcurrency | uint8 | 1 | Concurrent auto-apply processors (1-255) |
| diode.config.reconciler.ingestionLogProcessorConcurrency | uint8 | 4 | Concurrent ingestion-log processors (1-255) |
| diode.config.reconciler.rateLimitRps | uint8 | 20 | Rate limit (requests/sec) |
| diode.config.reconciler.rateLimitBurst | uint8 | 1 | Rate limit burst size |
| diode.config.reconciler.rateLimitNetboxRps | uint8 | 20 | NetBox API rate limit |
| diode.config.reconciler.rateLimitNetboxBurst | uint8 | 1 | NetBox API burst size |
Auth Config
| Key | Type | Default | Description |
|---|---|---|---|
| diode.config.auth.logLevel | enum | INFO | Log level |
Ingester Config
| Key | Type | Default | Description |
|---|---|---|---|
| diode.config.ingester.logLevel | enum | INFO | Log level |
| diode.config.ingester.redisStreamDb | uint8 | 1 | Redis database for stream storage |
| diode.config.ingester.redisMemoryHighWatermarkPct | uint8 | 90 | Redis used_memory/maxmemory percentage at which the ingester rejects ingest with ResourceExhausted (0-100; 0 disables). Only active when Redis has a maxmemory cap -- set redis.maxMemoryPercent. |
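The watermark rule described for redisMemoryHighWatermarkPct, as an added Python illustration (not Diode's own code): it reads `used_memory` and `maxmemory` from Redis `INFO memory` output and reports whether the threshold is in effect and would reject ingest. The INFO samples are constructed, the function names are hypothetical, and treating "at the watermark" as `>=` is an assumption.

```python
# Added illustration of the documented watermark rule; not Diode source code.
# Constructed samples of `INFO memory` output (only the fields used here).
CAPPED = """\
# Memory
used_memory:920000000
maxmemory:1000000000
"""
UNCAPPED = """\
# Memory
used_memory:920000000
maxmemory:0
"""


def parse_info_memory(text):
    """Return the key:value fields of INFO output, skipping '# Section' lines."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key] = value
    return fields


def watermark_status(info_text, high_watermark_pct=90):
    """Evaluate the rule: reject when used_memory/maxmemory reaches the watermark.

    active=False means the protection is not in effect at all, either because
    the watermark is 0 (disabled) or because Redis reports maxmemory 0 (no cap).
    """
    if not 0 <= high_watermark_pct <= 100:
        raise ValueError("watermark must be 0-100")
    fields = parse_info_memory(info_text)
    used = int(fields["used_memory"])
    cap = int(fields.get("maxmemory", "0"))
    if high_watermark_pct == 0:
        return {"active": False, "reject": False, "pct": None,
                "reason": "watermark disabled (0)"}
    if cap == 0:
        return {"active": False, "reject": False, "pct": None,
                "reason": "Redis has no maxmemory cap"}
    pct = round(100.0 * used / cap, 1)
    # Assumption: ingest is rejected once usage is at or above the watermark.
    return {"active": True, "reject": pct >= high_watermark_pct, "pct": pct,
            "reason": "usage compared against watermark"}
```

An `active: False` result with a non-zero watermark is the case worth alerting on: the setting is present but Redis has no cap for it to measure against.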
Environment Variable Overrides
Each Diode component accepts extraEnvs for per-component environment variables. User-set values override the operator's defaults. Set them on the component (not under config):
| Key | Type | Description |
|---|---|---|
| diode.ingester.extraEnvs | list | Extra environment variables for the ingester |
| diode.reconciler.extraEnvs | list | Extra environment variables for the reconciler |
| diode.auth.extraEnvs | list | Extra environment variables for the auth service |
| diode.hydra.extraEnvs | list | Extra environment variables for Hydra |
Telemetry Config
Each component supports telemetry configuration:
| Key | Type | Default | Description |
|---|---|---|---|
| telemetryConfig.environment | string | - | Environment name (Diode uses its own default if not set) |
| telemetryConfig.metricsEnabled | bool | false | Enable Prometheus metrics |
| telemetryConfig.metricsExporter | enum | prometheus | Exporter: prometheus, otlp, console, none |
| telemetryConfig.metricsPort | uint16 | - | Metrics endpoint port |
| telemetryConfig.traceExporter | enum | none | Trace exporter: otlp, console, none |
Example enabling metrics for all Diode components:
netboxEnterprise:
  spec:
    diode:
      enabled: true
      config:
        ingester:
          telemetryConfig:
            metricsEnabled: true
        reconciler:
          telemetryConfig:
            metricsEnabled: true
          # autoApplyChangesets: true # false recommended if using Assurance
        auth:
          telemetryConfig:
            metricsEnabled: true
Data Flow
- External agents send data to the Ingester via gRPC
- The Ingester writes to Redis Streams for durable queuing
- The Reconciler reads from streams, processes change sets, and pushes to NetBox via its API
- Auth handles API key validation with Hydra providing OAuth2 token management
Next Steps
- Monitoring - Enable Diode component metrics
- Architecture - Full component topology diagram