APC audit logging configuration reference

This document lists every Helm value that controls the Astro Private Cloud (APC) audit logging sidecar and its sinks. For task-oriented instructions, see Set up audit log shipping.

All values in this document live under houston.logging.loggingSidecar in the astronomer chart’s values file. When you use the umbrella chart, prefix the path with astronomer., so the full path becomes astronomer.houston.logging.loggingSidecar.*.

Sidecar-level values

These values control the Vector sidecar itself, independent of which sink you enable.

Key	Type	Default	Description
`enabled`	`boolean`	`false`	Enables the Vector sidecar on the APC API and APC Worker Pods. When `false`, no audit events are shipped to any sink.
`resources.requests.cpu`	string	`50m`	CPU request for the Vector sidecar container.
`resources.requests.memory`	string	`128Mi`	Memory request for the Vector sidecar container.
`resources.limits.cpu`	string	`200m`	CPU limit for the Vector sidecar container.
`resources.limits.memory`	string	`256Mi`	Memory limit for the Vector sidecar container.
`securityContext.runAsNonRoot`	`boolean`	`true`	Vector sidecar’s `runAsNonRoot` security context. Override only when your cluster’s Pod security policy requires a different value.
`securityContext.allowPrivilegeEscalation`	`boolean`	`false`	Vector sidecar’s `allowPrivilegeEscalation` security context. Override only when your cluster’s Pod security policy requires a different value.

The Vector sidecar ships with a secure-by-default security context. The chart already applies securityContext.runAsNonRoot: true and securityContext.allowPrivilegeEscalation: false, so most installations don’t need to set these values.

The Vector image is controlled at the chart level, not on the sidecar, through images.vector.repository and images.vector.tag. These values are managed by the chart and change between chart releases, so they aren’t pinned in this reference. For the current defaults, see the astronomer/astronomer chart values file.

CloudWatch sink values

Set under houston.logging.loggingSidecar.cloudwatch. Use this sink on Amazon EKS.

Key	Type	Default	Description
`enabled`	`boolean`	`false`	Enables the CloudWatch sink. Only one sink can be enabled at a time.
`region`	string	`""`	AWS region of the target log group. Required when `enabled` is `true`.
`logGroupName`	string	`/astronomer/houston/audit`	Target CloudWatch log group. The log group must exist and the IAM principal used by Vector must be allowed to write to it.
`useIRSA`	`boolean`	`true`	When `true`, Vector authenticates with AWS using IAM Roles for Service Accounts (IRSA). The `eks.amazonaws.com/role-arn` annotation on `houston.serviceAccount.annotations` must reference the IRSA role.
`secretName`	string	`houston-cloudwatch-creds`	Name of a Kubernetes secret containing `aws_access_key_id` and `aws_secret_access_key`. Used when `useIRSA` is `false`.

GCP Cloud Logging sink values

Set under houston.logging.loggingSidecar.gcpCloudLogging. Use this sink on Google Kubernetes Engine (GKE).

Key	Type	Default	Description
`enabled`	`boolean`	`false`	Enables the GCP Cloud Logging sink. Only one sink can be enabled at a time.
`projectId`	string	`""`	Google Cloud project that receives the logs. Required when `enabled` is `true`.
`logId`	string	`houston-audit`	Custom log ID that identifies this APC audit stream in Cloud Logging.
`resource.type`	string	`k8s_container`	Monitored resource type. `k8s_container` is the expected value for GKE Pods.
`resource.location`	string	`""`	GKE cluster location, for example `us-east4` or `us-east4-b`. Required when `enabled` is `true`.
`resource.clusterName`	string	`""`	GKE cluster name as it appears in Cloud Logging. Required when `enabled` is `true`.
`severityKey`	string	`level`	Field in each audit event that Vector maps to GCP severity.
`useWorkloadIdentity`	`boolean`	`true`	When `true`, Vector authenticates with GCP through Workload Identity. The `iam.gke.io/gcp-service-account` annotation on `houston.serviceAccount.annotations` must reference the Google service account.
`credentialsSecretName`	string	`houston-gcp-logging-creds`	Name of a Kubernetes secret that contains a GCP service account JSON key. Used when `useWorkloadIdentity` is `false`.
`credentialsSecretKey`	string	`key.json`	Key within `credentialsSecretName` that holds the JSON key file. The file is mounted at `/etc/gcp-credentials/<credentialsSecretKey>`.

projectId, resource.location, and resource.clusterName are required when gcpCloudLogging.enabled is true. Empty or whitespace-only values are rejected by the chart.

Elasticsearch sink values

Set under houston.logging.loggingSidecar.elasticsearch. Use this sink to ship events to an external Elasticsearch cluster. The Elasticsearch sink is supported when the Astro Private Cloud control plane runs on Amazon EKS, GKE, or AKS.

Key	Type	Default	Description
`enabled`	`boolean`	`false`	Enables the Elasticsearch sink. Only one sink can be enabled at a time.
`endpoint`	string	`~` (null)	External Elasticsearch URL, for example `https://es.example.com:9200`. Required when `enabled` is `true`.
`index`	string	`houston-audit-%Y.%m.%d`	Index name pattern. Accepts `strftime` tokens for date-based indices.
`apiVersion`	string	`v8`	Elasticsearch API version.
`auth.strategy`	string	`basic`	Authentication strategy. Supported values are `basic` and `none`.
`auth.secretName`	string	`houston-elasticsearch-creds`	Name of a Kubernetes secret that contains `username` and `password` keys. Required when `auth.strategy` is `basic`.
`tls.enabled`	`boolean`	`false`	When `true`, Vector uses the CA certificate in `caSecretName` to validate the Elasticsearch server certificate.
`tls.caSecretName`	string	`""`	Name of a Kubernetes secret that contains a `ca.pem` entry. The chart mounts the secret at `/etc/es-tls/ca.pem`. Required when `tls.enabled` is `true`.

auth.strategy and tls.enabled are independent. The chart supports all four combinations: none, basic, none with a custom CA, and basic with a custom CA.

APC service account annotations

The IRSA and Workload Identity integration points are annotations on the <release>-houston-bootstrapper service account. The chart passes any key-value pairs you set on houston.serviceAccount.annotations through to the rendered ServiceAccount manifest.

Annotation	Use with
`eks.amazonaws.com/role-arn`	CloudWatch sink with `useIRSA: true`
`iam.gke.io/gcp-service-account`	GCP Cloud Logging sink with `useWorkloadIdentity: true`

Both the APC API and APC Worker Pods use the same <release>-houston-bootstrapper service account, so a single annotation applies to both deployments.

Validation rules

The chart validates houston.logging.loggingSidecar at render time. The following rules fail helm upgrade with a descriptive error when violated:

When loggingSidecar.enabled is true, exactly one of cloudwatch.enabled, gcpCloudLogging.enabled, or elasticsearch.enabled must also be true.
When gcpCloudLogging.enabled is true, projectId, resource.location, and resource.clusterName must each be set to a non-whitespace value.
When elasticsearch.enabled is true, endpoint must be set.

Unsupported values

extraSinks on houston.logging.loggingSidecar isn’t accepted by the chart. APC audit logging ships only to the three sinks documented on this page.

Next steps

To apply these values to an installation, see Set up audit log shipping.
For the shape of each audit event and the list of audited operations, see Audit log schema and operations.