This feature is available in Odigos Enterprise tier only. Please contact the Odigos team to inquire about access to the Enterprise version.

Overview

Odigos Central is a centralized management layer for multi-cluster observability. Instead of configuring instrumentation, sampling rules, and destinations separately in each Kubernetes cluster, Odigos Central provides a single pane of glass to manage all your clusters from one place.

Why Use Odigos Central?

  • Unified Management - Configure instrumentation, sampling rules, and observability pipelines across all clusters from a single UI
  • Reduced Operational Overhead - No need to SSH or kubectl into each cluster separately
  • Centralized Access Control - Manage user authentication and authorization with support for SSO providers like Okta
  • Consistent Configuration - Apply the same sampling and instrumentation rules uniformly across environments
  • Audit and Compliance - Single point of control for observability configuration changes

Architecture

Odigos Central consists of components deployed in a central (management) cluster and a lightweight proxy in each remote cluster.

Components

Component | Description
Central UI | Web interface for managing all connected clusters, sources, destinations, and sampling configurations
Central Backend | API server that stores configuration in Redis and communicates with remote clusters via WebSocket
Central Proxy | Lightweight service deployed in each remote cluster that bridges the central backend to local Odigos components

Prerequisites

Before installing Odigos Central, ensure you have:
  • Kubernetes version 1.19.0 or higher
  • Odigos Enterprise license token (contact Odigos team to obtain)
  • Helm 3.x (if using Helm installation method)
  • Network connectivity from remote clusters to the Central Backend endpoint

Installation

You can install Odigos Central using the CLI or Helm chart.
Use the odigos pro central install command with --set flags:
odigos pro central install --set onPremToken=<token>
This installs:
  • central-backend
  • central-ui
  • redis (for state)
  • keycloak (as identity provider)

CLI Flags

Flag | Default | Description
--set onPremToken | (required) | Your Odigos Enterprise license token
--set centralProxy.centralBackendURL | (optional) | URL of the central backend
--set auth.adminPassword | (auto-generated) | Admin password for Keycloak. If not provided, a random password is generated
--set auth.adminUsername | admin | Admin username for Keycloak
--namespace, -n | odigos-central | Target namespace for installation
--version | (current) | Specify a specific version to install

Example with all options:
odigos pro central install \
  --set onPremToken=<token> \
  --namespace odigos-central \
  --version v1.0.0

Accessing the Central UI

After installation, access the Central UI using port-forward:
odigos pro central ui
This forwards:
  • Central UI to http://localhost:3000
  • Central Backend to http://localhost:8081

Options

Flag | Default | Description
--address | localhost | Address to bind the port-forward to
--namespace, -n | odigos-central | Namespace where Odigos Central is installed

Example: To access from other machines on your network, bind the port-forward to all interfaces:
odigos pro central ui --address 0.0.0.0

Connecting Remote Clusters

Once Odigos Central is running, you need to configure your remote clusters to connect to it. This is done by installing Odigos in each remote cluster with the Central Proxy configuration.
Remote clusters require the same Odigos Enterprise license token as the central installation.

Using CLI

odigos install \
  --onprem-token <token> \
  --set centralProxy.centralBackendURL=<your-central-backend-url> \
  --set clusterName=<your-cluster-name>
Example:
odigos install \
  --onprem-token <token> \
  --set centralProxy.centralBackendURL=https://central-backend.example.com:8081 \
  --set clusterName=production-east-1

Using Helm

Add the following to your remote cluster’s values.yaml:
clusterName: 'production-east-1'

centralProxy:
  centralBackendURL: 'https://central-backend.example.com:8081'
Then install:
helm upgrade --install odigos odigos/odigos \
  --namespace odigos-system \
  --create-namespace \
  -f values.yaml

TLS Configuration

For production deployments, configure TLS for secure communication between the Central Proxy and Central Backend:
centralProxy:
  centralBackendURL: 'https://central-backend.example.com:8081'
  tls:
    # Skip certificate verification (for testing/self-signed certificates only)
    skipVerify: false

    # Secret name containing CA certificate (key: 'ca.crt')
    caSecretName: 'central-ca-cert'

    # Secret name for mTLS client certificate (keys: 'tls.crt', 'tls.key')
    clientCertSecretName: 'central-client-cert'
Create the CA certificate secret:
kubectl create secret generic central-ca-cert \
  --from-file=ca.crt=/path/to/ca.crt \
  -n odigos-system
Create the client certificate secret (for mTLS):
kubectl create secret generic central-client-cert \
  --from-file=tls.crt=/path/to/client.crt \
  --from-file=tls.key=/path/to/client.key \
  -n odigos-system
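
Before creating the two secrets above, it helps to confirm that the files actually work together. The following is an added example, not part of the Odigos documentation or tooling: it checks that the client certificate chains to the CA, that the private key matches the certificate, and that the certificate is not about to expire. check_mtls_material and make_demo_pki are hypothetical helper names, and the demo PKI is constructed on the fly as sample input.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for the files behind the central-ca-cert
# (ca.crt) and central-client-cert (tls.crt, tls.key) secrets.
# check_mtls_material and make_demo_pki are hypothetical helper names.

# Succeeds only if the client cert chains to the CA, the private key matches
# the cert, and the cert stays valid for at least $4 more seconds (default 7d).
check_mtls_material() {
  local ca="$1" crt="$2" key="$3" min_valid="${4:-604800}"
  local crt_pub key_pub
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "client cert does not chain to CA"; return 1; }
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$crt_pub" = "$key_pub" ] \
    || { echo "private key does not match client cert"; return 1; }
  openssl x509 -in "$crt" -noout -checkend "$min_valid" >/dev/null \
    || { echo "client cert expires too soon"; return 1; }
  echo "ok"
}

# Constructed sample input: a throwaway CA, a client cert signed by it
# (valid 30 days), and an unrelated key used to show the mismatch case.
make_demo_pki() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo-ca" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-proxy" \
    -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -out "$d/client.crt" 2>/dev/null
  openssl genrsa -out "$d/other.key" 2048 2>/dev/null
}

demo=$(mktemp -d) && make_demo_pki "$demo"
check_mtls_material "$demo/ca.crt" "$demo/client.crt" "$demo/client.key"
check_mtls_material "$demo/ca.crt" "$demo/client.crt" "$demo/other.key" || true
```

For real material, pass the same /path/to/ca.crt, /path/to/client.crt and /path/to/client.key files that the kubectl create secret commands reference.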

Authentication

By default, Odigos Central installs Keycloak and uses it as the identity provider for the Central UI.

Okta Authentication (SSO via Keycloak)

If your organization uses Okta, the recommended setup is to keep the bundled Keycloak and configure Okta as a SAML Identity Provider in Keycloak (Keycloak identity brokering).
1. Create the SAML Identity Provider in the Odigos Central UI

Create the SAML IdP through the Odigos Central UI (the same place you’d add an OIDC Identity Provider).
Odigos Central will create/update the required configuration in the bundled Keycloak for you. Avoid configuring the identity provider directly in Keycloak unless you’re troubleshooting.
2. Create an Okta SAML app integration

In Okta, create a SAML 2.0 app integration.
Okta’s UI and exact fields vary. The Okta SAML app configuration needs the Single sign-on URL (ACS URL) and the Audience URI (SP Entity ID) — you’ll copy these from the SAML Identity Provider configuration in the Central UI.
3. Configure the IdP details and copy the ACS URL / SP Entity ID

In the Central UI, open the SAML Identity Provider you created and configure the IdP details from Okta (for example: IdP Entity ID / Issuer, Single Sign-On Service URL, and the X.509 certificate).
The Central UI will show the ACS URL and SP Entity ID for Odigos Central. Copy those into your Okta SAML app integration as:
  • Single sign-on URL (ACS URL)
  • Audience URI (SP Entity ID)
4. Verify Central UI login via Okta

Open the Central UI again (via odigos pro central ui) and verify that login redirects you to Okta and back to Odigos Central successfully.
If you’re looking to enable OIDC for the non-central Odigos UI (not Odigos Central), see the dedicated OIDC documentation: OIDC (OpenID Connect).

Upgrade

To upgrade Odigos Central to a newer version:

Using CLI

odigos pro central upgrade --version <version>
Options:
Flag | Default | Description
--version | (required) | Version to upgrade to (e.g., v1.2.0)
--namespace, -n | odigos-central | Target namespace
--yes | false | Skip confirmation prompt
--image-pull-secrets | (existing) | Update image pull secrets
--central-max-message-size | (existing) | Update max gRPC message size

Example:
odigos pro central upgrade --version v1.2.0 --yes

Using Helm

helm repo update
helm upgrade odigos-central odigos/odigos-central \
  --namespace odigos-central \
  --reuse-values \
  --version <chart-version>
When upgrading, the Keycloak admin password is preserved from the existing secret to prevent credential mismatch.

Uninstall

To completely remove Odigos Central:

Using CLI

odigos pro central uninstall
Options:
Flag | Default | Description
--namespace, -n | odigos-central | Target namespace
--yes | false | Skip confirmation prompt

Example:
odigos pro central uninstall --namespace odigos-central --yes

Using Helm

helm uninstall odigos-central --namespace odigos-central
kubectl delete namespace odigos-central
Uninstalling Odigos Central will disconnect all remote clusters. Make sure to plan for this accordingly.

Network Requirements

Ensure the following network connectivity:
Source | Destination | Port | Protocol
Users | Central UI | 3000 | HTTPS
Central UI | Central Backend | 8081 | HTTP/HTTPS
Central Backend | Redis | 6379 | TCP
Central Backend | Keycloak | 8080 | HTTP
Remote Cluster Proxies | Central Backend | 8081 | WebSocket (WSS)

Odigos Central is an Enterprise feature and requires a valid license token. Make sure your --onprem-token is valid and has the necessary permissions.