Operations
Dashboard
The Layer dashboard is the operator UI that ships in-cluster alongside
the gateway, as the layer-dashboard Deployment and Service. This page covers
running it: the access it needs, how to reach it, how to gate it, and how to
turn it off.
Access it needs
The dashboard is read-mostly and backed by three sources, each with its own grant:
- The gateway API — the same endpoints customers use, plus the
Prometheus-compatible metrics proxy at
/v2/metrics. Authenticated with a gateway bearer (LAYER_GATEWAY_API_KEY). InderiveFromStoremode this is the defaultVectorStorecredential; inkeysmode it is the configured inbound worker key. It does not touch PostgreSQL, Aerospike, or VictoriaMetrics directly — metrics and cost arrive through the gateway proxy and/v2/cost. - The Kubernetes API — reads
hevlayer.comCRDs (VectorStores, Indexes, InfraRules, Pipelines) and the workload objects behind them (pods, deployments/statefulsets, HPAs, KEDA ScaledObjects, nodes) through RBAC bound to its ServiceAccount.dashboard.kubeAccess.enabledgrants the read role; with it off the dashboard still runs but the cluster/scaling views show a “kube access not configured” banner.dashboard.writeAccess.enabledadds the operator write role: Index spec patches, Karpenter NodePool disruption, VectorStore and Warehouse create/edit, and namespace-scoped Secret writes for credentials. Set itfalsefor a read-only install. - Cost data — the cost view reads the gateway cost API. turbopuffer spend
is metered from upstream billing counters; AWS spend is read by the gateway
from Cost Explorer using the gateway IRSA role. The dashboard does not need
direct AWS cost API permissions for the standard cost view. In a Terraform
install, still pass
dashboard.serviceAccount.roleArnfrom thelayer_dashboard_role_arnoutput so the dashboard ServiceAccount is annotated with its cluster-specific IRSA role at first boot.
Networking
The dashboard is an operator tool. Reach it over a port-forward rather than exposing it publicly:
kubectl port-forward -n <release-namespace> svc/layer-dashboard 8081:8081
Then open http://localhost:8081. Customer workloads only ever receive the
gateway base URL and credentials — never the dashboard.
Basic auth
HTTP Basic auth sits in front of every dashboard route and is required — the dashboard refuses to start without it. Set credentials through the chart:
dashboard:
basicAuth:
user: ops
password: <strong-password>
The chart render fails if either field is blank while the dashboard is enabled.
Disabling the dashboard
The dashboard is optional. Disable it and the Deployment, Service, RBAC, and ingress all skip rendering:
dashboard:
enabled: false
The gateway and transform runtime run unchanged without it; you lose only the operator UI.
Operational notes
Pipeline queue states
The pipeline overview combines gateway queue counters with the matching
Pipeline resources and their operator-managed Deployments and KEDA
ScaledObjects. A queue with pending work is presented as:
- PAUSED when every matching
Pipelinehasspec.paused: true. Its workers are intentionally at zero replicas; pending documents remain queued. - CRON-GATED when its cron ScaledObject is inactive. The card shows the next UTC window, scaler activity, and managed worker replica counts.
- STALLED when work is pending with no processing or indexing activity and neither an intentional pause nor a closed cron window explains the stop.
Failed-document counts, operator condition messages, and missing or inactive managed workers appear as reason hints on the same card. A growing queue that is still processing remains BACKLOG rather than STALLED.
The data tab is split into indexes, vector store, and warehouse views.
Indexes come from /v2/namespaces; vector stores and warehouses come from
the gateway’s /v2/vectorstores and /v2/warehouses projections, so the
dashboard shows the same credential-safe shape as the CLI and SDKs.
When write access is enabled, the vector store and warehouse panes can create and edit those CRDs. Raw credentials are accepted only in the form submission; the dashboard writes them into Kubernetes Secrets first, then creates or patches the CR. The read views keep showing only Secret references.