Dashboard

The Layer dashboard is the operator UI that ships in-cluster alongside the gateway, as the layer-dashboard Deployment and Service. This page covers running it: the access it needs, how to reach it, how to gate it, and how to turn it off.

Access it needs

The dashboard is read-mostly and backed by three sources, each with its own grant:

  • The gateway API — the same endpoints customers use, plus the Prometheus-compatible metrics proxy at /v2/metrics. Authenticated with a gateway bearer (LAYER_GATEWAY_API_KEY). In deriveFromStore mode this is the default VectorStore credential; in keys mode it is the configured inbound worker key. It does not touch PostgreSQL, Aerospike, or VictoriaMetrics directly — metrics arrive through the gateway proxy.
  • The Kubernetes API — reads hevlayer.com CRDs (VectorStores, Indexes, InfraRules) and the workload objects behind them (pods, deployments/statefulsets, HPAs, KEDA ScaledObjects, nodes) through RBAC bound to its ServiceAccount. dashboard.kubeAccess.enabled grants the read role; with it off, the dashboard still runs, but the cluster/scaling views show a “kube access not configured” banner. dashboard.writeAccess.enabled adds a narrow write role for operator controls (Index spec patches, Karpenter NodePool disruption); set it to false for a read-only install.
  • AWS cost APIs — the cost view reads the AWS Pricing API and CloudWatch via IRSA (dashboard.serviceAccount.roleArn). Attribution is infra-level only; there is no per-namespace cost modeling.
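
One way to check what the Kubernetes grant above actually allows, as an added example that is not part of the Layer chart or its docs: the script filters `kubectl auth can-i --list` output for mutating verbs. The ServiceAccount name layer-dashboard and the CRD resource plural in the constructed sample listings are assumptions.

```shell
# Added example: list mutating RBAC verbs held by the dashboard ServiceAccount.

# Reads `kubectl auth can-i --list` output on stdin and prints
# "<resource> <verb>" for every mutating verb.
find_write_grants() {
  awk '
    $1 == "Resources" { next }   # header row
    # Any authenticated identity may create these self-review objects.
    $1 ~ /^selfsubject(access|rules)reviews\.authorization\.k8s\.io$/ { next }
    {
      # Verbs are the last bracketed column; walk back to its opening "[".
      for (i = NF; i >= 1; i--) {
        verb = $i
        opens = (substr($i, 1, 1) == "[")
        gsub(/\[|\]/, "", verb)
        if (verb ~ /^(create|update|patch|delete|deletecollection|\*)$/)
          print $1, verb
        if (opens) break
      }
    }
  '
}

# Live check: audit_dashboard_sa <release-namespace> [service-account]
# Assumption: the ServiceAccount is named layer-dashboard (the page names only
# the Deployment and Service); confirm with `kubectl get sa`.
audit_dashboard_sa() {
  kubectl auth can-i --list -n "$1" \
    --as="system:serviceaccount:$1:${2:-layer-dashboard}" | find_write_grants
}

# Constructed sample listings; the hevlayer.com resource plural is assumed.
sample_read_only() { cat <<'EOF'
Resources                                       Non-Resource URLs   Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
indexes.hevlayer.com                            []                  []               [get list watch]
pods                                            []                  []               [get list watch]
                                                [/healthz]          []               [get]
EOF
}
sample_write_enabled() { cat <<'EOF'
Resources                                       Non-Resource URLs   Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
indexes.hevlayer.com                            []                  []               [get list watch patch]
nodepools.karpenter.sh                          []                  []               [get list watch patch]
EOF
}
```

On a read-only install the expected result is no output; any line printed is a grant to trace back to its Role or ClusterRole binding.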

Networking

The dashboard is an operator tool. Reach it over a port-forward rather than exposing it publicly:

kubectl port-forward -n <release-namespace> svc/layer-dashboard 8081:8081

Then open http://localhost:8081. Customer workloads only ever receive the gateway base URL and credentials — never the dashboard.

Basic auth

HTTP Basic auth sits in front of every dashboard route and is required — the dashboard refuses to start without it. Set credentials through the chart:

dashboard:
  basicAuth:
    user: ops
    password: <strong-password>

The chart render fails if either field is blank while the dashboard is enabled.

Disabling the dashboard

The dashboard is optional. Disable it and the Deployment, Service, RBAC, and ingress all skip rendering:

dashboard:
  enabled: false

The gateway and transform runtime run unchanged without it; you lose only the operator UI.

Operational notes
