You can install and configure Application Service Adapter for VMware Tanzu Application Platform by following the steps in this topic.
After you complete the steps in Installing Prerequisites, set the Kubernetes context to the cluster where you installed kpack and Contour.
Adding the Application Service Adapter package repository makes Application Service Adapter available for installation.
To add the Application Service Adapter package repository to your cluster:
- Set up environment variables for the installation:
export TAS_ADAPTER_VERSION=VERSION-NUMBER
Where:
VERSION-NUMBER is the version of Application Service Adapter you want to install. For example, 1.3.0.
- Verify that the tap-install namespace exists in your cluster.
kubectl get ns tap-install
The output lists the status of the tap-install namespace:
NAME          STATUS   AGE
tap-install   Active   2d
- Create a registry secret to store your VMware Tanzu Network credentials in the tap-install namespace. These are required so that the Kubernetes cluster can pull images for the Application Service Adapter system components from the VMware Tanzu Network registry.
tanzu secret registry add tanzunet-tas-adapter-registry \
  --username "TANZU-NET-USERNAME" \
  --password "TANZU-NET-PASSWORD" \
  --server registry.tanzu.vmware.com \
  --export-to-all-namespaces \
  --yes \
  --namespace tap-install
Where:
TANZU-NET-USERNAME is your user name on VMware Tanzu Network.
TANZU-NET-PASSWORD is the password for your user name on VMware Tanzu Network.
- Add the Application Service Adapter package repository to the cluster.
tanzu package repository add tas-adapter-repository \
  --url registry.tanzu.vmware.com/app-service-adapter/tas-adapter-package-repo:${TAS_ADAPTER_VERSION} \
  --namespace tap-install
- Verify that the package repository contains the Application Service Adapter package.
tanzu package available list \
  --namespace tap-install
The output includes the Application Service Adapter package:
NAME                                          DISPLAY-NAME                 SHORT-DESCRIPTION                                                    LATEST-VERSION
...
application-service-adapter.tanzu.vmware.com  Application Service Adapter  Application Service Adapter for VMware Tanzu® Application Platform  1.3.0
...
- List the installation settings for the application-service-adapter package.
tanzu package available get application-service-adapter.tanzu.vmware.com/${TAS_ADAPTER_VERSION} --values-schema --namespace tap-install
It should output a list of settings similar to:
| Retrieving package details for application-service-adapter.tanzu.vmware.com/1.3.0...
KEY                           DEFAULT  TYPE    DESCRIPTION
api_auth_proxy.ca_cert.data            string  TLS CA certificate of your cluster's auth proxy
api_auth_proxy.host                    string  FQDN of your cluster's auth proxy
api_ingress.fqdn                       string  FQDN used to access the Application Service Adapter API
api_ingress.tls.secret_name            string  Name of the secret containing the TLS certificate for the Application Service Adapter API (PEM format)
api_ingress.tls.namespace              string  Namespace containing the Application Service Adapter API TLS secret
app_ingress.default_domain             string  Default application domain
app_ingress.tls.secret_name            string  Name of the secret containing the TLS certificate for the default application domain (PEM format)
app_ingress.tls.namespace              string  Namespace containing the default application domain TLS secret
app_registry.path.droplets             string  Container registry repository where staged, runnable app images (droplets) will be stored
app_registry.path.packages             string  Container registry repository where uploaded app source code (packages) will be stored
kpack_clusterbuilder_name     default  string  Name of the kpack cluster builder to use for staging
...
To configure the installation settings:
- If you do not already have a secret containing a certificate and private key pair for HTTPS ingress to the Application Service Adapter API:
Note You do not need to create secrets containing certificates for HTTPS ingress for either the Application Service Adapter API or application workloads if you intend to use the shared certificate issuer from Tanzu Application Platform.
- If you have a certificate and private key pair, create a secret containing them:
kubectl create namespace API-TLS-SECRET-NAMESPACE
kubectl create secret tls API-TLS-SECRET-NAME \
  --cert=tls.crt \
  --key=tls.key \
  --namespace API-TLS-SECRET-NAMESPACE
- If you do not have a certificate and private key pair, you can use cert-manager to generate a secret containing a self-signed certificate, as described in the cert-manager documentation:
kubectl apply -f - <<EOF
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-issuer
  namespace: API-TLS-SECRET-NAMESPACE
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: api-selfsigned-certificate
  namespace: API-TLS-SECRET-NAMESPACE
spec:
  commonName: API-FQDN
  dnsNames:
  - API-FQDN
  issuerRef:
    name: selfsigned-issuer
  privateKey:
    algorithm: RSA
  secretName: API-TLS-SECRET-NAME
  usages:
  - server auth
  - client auth
EOF
- If you do not already have a secret containing a wildcard certificate and private key pair for HTTPS application ingress:
- If you have a wildcard certificate and private key pair, create a secret containing them:
kubectl create namespace APP-TLS-SECRET-NAMESPACE
kubectl create secret tls APP-TLS-SECRET-NAME \
  --cert=tls.crt \
  --key=tls.key \
  --namespace APP-TLS-SECRET-NAMESPACE
- If you do not have a wildcard certificate and private key pair, you can use cert-manager to generate a secret containing a self-signed wildcard certificate, as described in the cert-manager documentation:
kubectl apply -f - <<EOF
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-issuer
  namespace: APP-TLS-SECRET-NAMESPACE
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: app-domain-selfsigned-certificate
  namespace: APP-TLS-SECRET-NAMESPACE
spec:
  # The wildcard names are quoted: an unquoted leading * is parsed as a YAML alias.
  commonName: "*.DEFAULT-APP-DOMAIN"
  dnsNames:
  - "*.DEFAULT-APP-DOMAIN"
  issuerRef:
    name: selfsigned-issuer
  privateKey:
    algorithm: RSA
  secretName: APP-TLS-SECRET-NAME
  usages:
  - server auth
  - client auth
EOF
- If you do not already have a secret containing the host name, user name, and password for your application image registry, create one:
Note The app registry secret and secret export are not required when using Amazon Elastic Container Registry (ECR).
kubectl create namespace APP-REGISTRY-CREDENTIALS-SECRET-NAMESPACE
# The command substitution is quoted so a password containing spaces or shell metacharacters is passed intact.
kubectl create secret docker-registry APP-REGISTRY-CREDENTIALS-SECRET-NAME \
  --docker-server=APP-REGISTRY-SERVER \
  --docker-username=APP-REGISTRY-USERNAME \
  --docker-password="$(cat /path/to/APP-REGISTRY-PASSWORD)" \
  --namespace APP-REGISTRY-CREDENTIALS-SECRET-NAMESPACE
Where:
APP-REGISTRY-SERVER is the address of the registry used for app packages and droplets. This value is the same as the server name in a dockerconfigjson Kubernetes secret. For example:
- Harbor has the form my-harbor.io.
- Docker Hub has the form https://index.docker.io/v1/.
- Google Container Registry has the form gcr.io.
- Create a SecretExport to allow Application Service Adapter to copy the application image registry credentials secret into the cf namespace.
kubectl apply -f - <<EOF
---
apiVersion: secretgen.carvel.dev/v1alpha1
kind: SecretExport
metadata:
  name: APP-REGISTRY-CREDENTIALS-SECRET-NAME
  namespace: APP-REGISTRY-CREDENTIALS-SECRET-NAMESPACE
spec:
  toNamespace: cf
EOF
If using the experimental Choreographer integration, this SecretExport also must grant access to the secret in every cf space namespace. To do so, either:
- Update the SecretExport spec.toNamespace field to "*".
Caution The wildcard namespace makes the secret available for import in all namespaces for users with the ability to create a SecretImport or set the "secretgen.carvel.dev/image-pull-secret" annotation on a secret.
- Manually identify each cf space's namespace and update the spec to list each one under spec.toNamespaces.
For example:
Export to all namespaces:
kubectl apply -f - <<EOF
---
apiVersion: secretgen.carvel.dev/v1alpha1
kind: SecretExport
metadata:
  name: APP-REGISTRY-CREDENTIALS-SECRET-NAME
  namespace: APP-REGISTRY-CREDENTIALS-SECRET-NAMESPACE
spec:
  toNamespace: "*"
EOF
Export manually to each known namespace:
kubectl apply -f - <<EOF
---
apiVersion: secretgen.carvel.dev/v1alpha1
kind: SecretExport
metadata:
  name: APP-REGISTRY-CREDENTIALS-SECRET-NAME
  namespace: APP-REGISTRY-CREDENTIALS-SECRET-NAMESPACE
spec:
  toNamespaces:
  - cf
  - cf-space-<cf-space-guid>
EOF
- Create a tas-adapter-values.yaml file with the installation settings that you want, following the schema specified for the package. The following values are required:
ceip_policy_disclosed: FALSE-OR-TRUE-VALUE # Installation fails if this is not set to the boolean value true. Not a string.
api_ingress:
  fqdn: "API-FQDN"
app_ingress:
  default_domain: "DEFAULT-APP-DOMAIN"
app_registry:
  credentials:
    secret_name: "APP-REGISTRY-CREDENTIALS-SECRET-NAME"
    namespace: "APP-REGISTRY-CREDENTIALS-SECRET-NAMESPACE"
    aws_iam_role_arn: "AWS-IAM-ROLE-ARN"
  repository_prefix: "REPOSITORY-PREFIX"
Where:
API-FQDN is the fully qualified domain name (FQDN) that you want to use for the Application Service Adapter API. Example: api.example.com.
DEFAULT-APP-DOMAIN is the domain that you want to use for automatically configured application routes. Example: apps.example.com.
APP-REGISTRY-CREDENTIALS-SECRET-NAME is the kubernetes.io/dockerconfigjson secret containing the host, user name, and password for the application image registry.
- Not required if you intend to use ECR as the application image registry.
APP-REGISTRY-CREDENTIALS-SECRET-NAMESPACE is the namespace containing the application image registry secret.
- Not required if you intend to use ECR as the application image registry.
AWS-IAM-ROLE-ARN is the Amazon Resource Name (ARN) of an AWS IAM role that can be used to access Elastic Container Registries (ECR). Refer to additional Application Service Adapter requirements in AWS IAM Configuration for ECR.
- Required if you intend to use ECR as the application image registry. Do not set the app_registry.credentials.secret_name and app_registry.credentials.namespace fields when this field is set.
REPOSITORY-PREFIX is the host and path combination used as the base for package and droplet images produced by Application Service Adapter.
Repository Prefix Examples:
Registry | containerRepositoryPrefix | Resultant Image Ref | Notes |
---|---|---|---|
ACR | <projectID>.azurecr.io/foo/bar/tas-adapter- | <projectID>.azurecr.io/foo/bar/tas-adapter-<appGUID>-packages | Repositories are created dynamically during push by ACR |
DockerHub | index.docker.io/<dockerOrganisation>/ | index.docker.io/<dockerOrganisation>/<appGUID>-packages | Docker does not support nested repositories |
ECR | <projectID>.dkr.ecr.<region>.amazonaws.com/foo/bar/tas-adapter- | <projectID>.dkr.ecr.<region>.amazonaws.com/foo/bar/tas-adapter-<appGUID>-packages | Application Service Adapter creates the repository before pushing, as dynamic repository creation is not possible on ECR |
GAR | <region>-docker.pkg.dev/<projectID>/foo/bar/tas-adapter- | <region>-docker.pkg.dev/<projectID>/foo/bar/tas-adapter-<appGUID>-packages | The foo repository must already exist in GAR |
GCR | gcr.io/<projectID>/foo/bar/tas-adapter- | gcr.io/<projectID>/foo/bar/tas-adapter-<appGUID>-packages | Repositories are created dynamically during push by GCR |
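Returning to the caution on exporting the registry credentials with toNamespace "*" earlier in this procedure: the following Python audit is an added example, not code from the Application Service Adapter project. It flags wildcard exports, reports drift against the cf and cf-space-* namespaces, and renders the scoped manifest; the sample data is constructed, the function names are hypothetical, and the cf-space- prefix is assumed from the page's cf-space-<cf-space-guid> example.

```python
import json

CF_ROOT = "cf"                 # namespace named on the page
CF_SPACE_PREFIX = "cf-space-"  # assumed from the page's cf-space-<cf-space-guid>

# Constructed sample, shaped like `kubectl get secretexport -A -o json`.
SAMPLE_EXPORTS = json.loads("""
{"items": [
  {"metadata": {"name": "registry-creds", "namespace": "registry-a"},
   "spec": {"toNamespace": "*"}},
  {"metadata": {"name": "registry-creds", "namespace": "registry-b"},
   "spec": {"toNamespaces": ["cf", "cf-space-1111", "ci-tools"]}}
]}
""")

# Constructed sample, shaped like `kubectl get namespaces -o name`.
SAMPLE_NAMESPACES = """\
namespace/default
namespace/cf
namespace/cf-space-1111
namespace/cf-space-2222
namespace/tap-install
"""


def cf_namespaces(kubectl_names):
    """Return cf plus every cf-space-* namespace, sorted."""
    names = (line.strip().split("/", 1)[-1] for line in kubectl_names.splitlines())
    return sorted(n for n in names if n == CF_ROOT or n.startswith(CF_SPACE_PREFIX))


def export_targets(export):
    """Collect targets from both spec.toNamespace and spec.toNamespaces."""
    spec = export.get("spec") or {}
    targets = list(spec.get("toNamespaces") or [])
    if spec.get("toNamespace"):
        targets.append(spec["toNamespace"])
    return targets


def audit_exports(export_list, wanted):
    """Report wildcard exports and drift against the wanted namespace list."""
    findings = []
    for export in export_list.get("items", []):
        meta = export["metadata"]
        targets = set(export_targets(export))
        wildcard = "*" in targets
        findings.append({
            "export": f'{meta["namespace"]}/{meta["name"]}',
            "wildcard": wildcard,
            # Namespaces that receive the credentials but are not cf spaces.
            "unexpected": sorted(targets - set(wanted) - {"*"}),
            # cf spaces that cannot import the secret (moot under a wildcard).
            "missing": [] if wildcard else sorted(set(wanted) - targets),
        })
    return findings


def render_scoped_export(name, namespace, targets):
    """Render a SecretExport that lists each target instead of using "*"."""
    lines = [
        "---",
        "apiVersion: secretgen.carvel.dev/v1alpha1",
        "kind: SecretExport",
        "metadata:",
        f"  name: {name}",
        f"  namespace: {namespace}",
        "spec:",
        "  toNamespaces:",
    ]
    lines += [f"  - {target}" for target in targets]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    wanted = cf_namespaces(SAMPLE_NAMESPACES)
    for finding in audit_exports(SAMPLE_EXPORTS, wanted):
        print(finding)
    print(render_scoped_export("registry-creds", "registry-a", wanted))
```

Re-run the audit whenever a cf space is created or deleted, because a scoped export does not pick up new cf-space-* namespaces on its own.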
VMware recommends configuring one or more administrative users for Application Service Adapter. To do this:
- Include the following values in your tas-adapter-values.yaml file:
admin:
  users:
  - "ADMIN-USERNAME"
  ...
Where:
ADMIN-USERNAME is the name of an existing user in the Kubernetes cluster to whom you want to grant system admin privileges. You can specify as many users as you want, one per line. These names are identifiers for Kubernetes user accounts, not Kubernetes service accounts.
- For Amazon EKS, see the AWS IAM user management for EKS section of the User Management topic for information about additional required cluster configuration to map AWS IAM users and roles to Kubernetes roles.
- For clusters configured to use authentication proxies such as Pinniped, you can authenticate to the cluster and use the output of cf curl /whoami to see the user account name to provide.
Note These user names must be identities that can be recognized as users in the subject section of Kubernetes RBAC resources, such as RoleBindings. They might not match the user entries in your local Kubeconfig file. During the initial installation, you can leave this entry blank if you're unsure of the user name. After installation, log in with the cf CLI and run the cf curl /whoami command to confirm the user name. Then update the installation with the correct name value. For more information about user subject names in Kubernetes, see the Referring to subjects section of Using RBAC Authorization and Authenticating in the Kubernetes project documentation.
Application Service Adapter uses the default cluster builder provided by Tanzu Build Service. To create your own builder, see Managing Builders in the Tanzu Build Service documentation, and update this setting with the corresponding builder name.
To configure Application Service Adapter to use a different kpack cluster builder for staging:
- View the available cluster builders:
kubectl get clusterbuilder
- Include the following values in your tas-adapter-values.yaml file:
kpack_clusterbuilder_name: "KPACK-CLUSTER-BUILDER-NAME"
Where:
KPACK-CLUSTER-BUILDER-NAME is the name of the kpack cluster builder to use for staging. Tanzu Build Service provides two cluster builders named base and default. To create your own builder, see Managing Builders in the Tanzu Build Service documentation, and update this setting with the corresponding builder name.
Application Service Adapter configures Tanzu Build Service to create a persistent volume per application that is used for caching staging resources. The size of these volumes is set to be 2048 MB by default, but this can be overridden globally for all Application Service Adapter apps.
To configure Application Service Adapter to use a different build cache size for staging:
- Include the following values in your tas-adapter-values.yaml file:
staging_resources:
  build_cache_mb: SIZE-IN-MEGABYTES
Where:
SIZE-IN-MEGABYTES is the size of the persistent volume in megabytes. Default is 2048.
To configure Application Service Adapter for installation on OpenShift:
- Include the following values in your tas-adapter-values.yaml file:
shared:
  kubernetes_distribution: "openshift"
  kubernetes_version: "KUBERNETES-VERSION"
Where:
KUBERNETES-VERSION is the Kubernetes version of the cluster. Default is 1.23.3.
- To force the creation of a custom Application Service Adapter Security Context Constraint (SCC) on OpenShift, include the following value in your tas-adapter-values.yaml file:
openshift:
  create_scc: true
Note The custom SCC ensures that containers run with a predictable UID of 1000, which is a requirement for workloads created by using Application Service Adapter. OpenShift assigns the restricted or restricted-v2 SCCs to workloads deployed by using the project's default Kubernetes service account. This means that an arbitrary UID is chosen for the container runtime.
Tanzu Build Service supports using AWS IAM roles to authenticate with Amazon Elastic Container Registry (ECR) on Amazon Elastic Kubernetes Service (EKS) clusters.
To use AWS IAM authentication:
- Configure an AWS IAM role that has read and write access to the repository in the container image registry used when installing Tanzu Application Platform.
- Include the following values in your tas-adapter-values.yaml file:
app_registry:
  credentials:
    aws_iam_role_arn: "AWS-IAM-ROLE-ARN"
Where:
AWS-IAM-ROLE-ARN is the Amazon Resource Name (ARN) of an AWS IAM role that can be used to access an Elastic Container Registry (ECR).
Note The app_registry.credentials.secret_name and app_registry.credentials.namespace properties should be omitted from your tas-adapter-values.yaml file.
Note Your Kubernetes cluster nodes and the Tanzu Build Service component of Tanzu Application Platform must also both be configured to trust this Certificate Authority for the registry.
To configure Application Service Adapter to trust a registry that has a custom or self-signed certificate authority:
- Include the following values in your tas-adapter-values.yaml file:
app_registry:
  ca_cert:
    data: |
      PEM-ENCODED-CERTIFICATE-CONTENTS
Where:
PEM-ENCODED-CERTIFICATE-CONTENTS is a PEM-encoded multiline string containing the certificate authority (CA) certificate. The value must be inserted into your values file as a YAML multiline string with a block scalar literal.
Note These settings have been deprecated as of Application Service Adapter v1.1 and will be removed in a future version.
To configure Application Service Adapter's registry using the legacy installation settings:
- Include the following values in your tas-adapter-values.yaml file:
app_registry:
  hostname: "APP-REGISTRY-HOSTNAME"
  path:
    droplets: "APP-REGISTRY-PATH-DROPLETS"
Where:
APP-REGISTRY-HOSTNAME is the host name of the registry used for app packages and droplets. For example:
- Harbor has the form hostname: "my-harbor.io".
- Docker Hub has the form hostname: "index.docker.io".
- Google Container Registry has the form hostname: "gcr.io".
APP-REGISTRY-PATH-DROPLETS is the path to the directory or project in the app registry where Application Service Adapter uploads droplets, such as runnable application images. This value does not include the registry host name itself. Examples:
- Harbor has the form droplets: "project-name/my-repo-name".
- Docker Hub has the form droplets: "my-dockerhub-username".
- Google Container Registry has the form droplets: "project-id/my-repo-name".
The values specified for app_registry.hostname and app_registry.path.droplets are combined (separated by a /) to form the value for the new app_registry.repository_prefix setting. The value of the app_registry.path.packages setting is ignored. Source package images are stored in the specified droplets repository.
By default, Application Service Adapter retains up to 5 package and build images per application in the configured image registry. To retain a different number of images:
- Include the following values in your tas-adapter-values.yaml file:
cleanup:
  max_retained_builds_per_app: MAX-RETAINED-BUILDS-PER-APP
  max_retained_packages_per_app: MAX-RETAINED-PACKAGES-PER-APP
Where:
MAX-RETAINED-BUILDS-PER-APP is the number of builds to be retained for each app. Default is 5.
MAX-RETAINED-PACKAGES-PER-APP is the number of packages to be retained for each app. Default is 5.
By default, Application Service Adapter uses the tap-ingress-selfsigned cluster issuer provided by Tanzu Application Platform. To configure Application Service Adapter to use a different cert-manager certificate issuer:
- Include the following values in your tas-adapter-values.yaml file:
shared:
  ingress_issuer: "CERTIFICATE-ISSUER-NAME"
Where:
CERTIFICATE-ISSUER-NAME is the name of the cert-manager cluster issuer to use to generate certificates for HTTPS ingress to Application Service Adapter. Default is tap-ingress-selfsigned.
Users can provide their own certificates for either the Application Service Adapter API or applications, or both.
To configure the ingress certificate for the API:
- Include the following values in your tas-adapter-values.yaml file:
api_ingress:
  tls:
    secret_name: API-TLS-SECRET-NAME
    namespace: API-TLS-SECRET-NAMESPACE
Where:
API-TLS-SECRET-NAME is the kubernetes.io/tls secret containing the PEM-encoded public certificate for the Application Service Adapter API.
API-TLS-SECRET-NAMESPACE is the namespace containing the API TLS secret.
- To configure the ingress certificate for workloads, include the following values in your tas-adapter-values.yaml file:
app_ingress:
  tls:
    secret_name: APP-TLS-SECRET-NAME
    namespace: APP-TLS-SECRET-NAMESPACE
Where:
APP-TLS-SECRET-NAME is the kubernetes.io/tls secret containing the PEM-encoded public certificate for applications deployed using Application Service Adapter.
APP-TLS-SECRET-NAMESPACE is the namespace containing the application TLS secret.
Note Opting into the experimental Cartographer integration requires a larger set of Tanzu Application Platform packages to be installed. See Required components for experimental Cartographer integration in Install Prerequisites.
To configure the experimental Cartographer integration:
- Include the following values in your tas-adapter-values.yaml file:
experimental_use_cartographer: true
To configure the logging level for each component of Application Service Adapter:
- Include the following values in your tas-adapter-values.yaml file:
log_level:
  cartographer_builder_runner: LOG-LEVEL
  korifi_api: LOG-LEVEL
  korifi_controllers: LOG-LEVEL
Where:
LOG-LEVEL is the log level that you want for each component. Valid values are: error, warn, info, and debug. All components default to info.
To configure the scaling parameters for each component of Application Service Adapter:
- Include the following values in your tas-adapter-values.yaml file:
scaling:
  korifi_api:
    limits:
      cpu: "API-CPU-LIMIT"
      memory: "API-MEMORY-LIMIT"
    requests:
      cpu: "API-CPU-REQUEST"
      memory: "API-MEMORY-REQUEST"
    replicas: API-REPLICA-COUNT
  korifi_controllers:
    ... #! scaling keys are the same as above
  cartographer_builder_runner:
    ... #! scaling keys are the same as above
Where:
API-CPU-LIMIT is the CPU resource limit for the pods that you want in the specified deployment. Default is 1 CPU.
API-MEMORY-LIMIT is the memory resource limit that you want for the pods in the specified deployment. Default is 1000Mi.
API-CPU-REQUEST is the CPU resource request that you want for the pods in the specified deployment. Default is 50m.
API-MEMORY-REQUEST is the memory resource request that you want for the pods in the specified deployment. Default is 100Mi.
API-REPLICA-COUNT is the number of replicas that you want for the specified deployment. Default is 1.
Note The requests and limits fields map directly to the resource requests and limits fields on the Kubernetes containers for these system components. For more information, see Resource requests and limits of Pod and container in the Kubernetes documentation.
By default, the Application Service Adapter API is configured to listen on port 443, the standard port for HTTPS traffic. To change this value:
- Include the following values in your tas-adapter-values.yaml file:
api_ingress:
  port: "API-PORT"
Where:
API-PORT is the port number that clients can use to connect to the Application Service Adapter API. The API includes this number in URLs that direct back to itself, but when set to 0 or left unset, no port number is in those URLs. In that case, clients can connect to port 443, the standard port for HTTPS traffic.
To configure Application Service Adapter to use an authentication proxy:
- Include the following values in your tas-adapter-values.yaml file:
api_auth_proxy:
  ca_cert:
    data: |
      API-AUTH-PROXY-TLS-CRT
  host: "API-AUTH-PROXY-FQDN"
Where:
API-AUTH-PROXY-TLS-CRT is the CA certificate from the authentication proxy running alongside your Kubernetes cluster.
API-AUTH-PROXY-FQDN is the FQDN for the authentication proxy running alongside your Kubernetes cluster.
By default, Application Service Adapter retains task workloads for 30 days to allow users to view logs from past tasks. If you have configured your cluster to egress logs to an external aggregation service, you can reduce this time to eliminate resources from the cluster.
Note Task logs are no longer viewable using the cf logs command once a task has been purged from Application Service Adapter due to its age.
- Include the following values in your tas-adapter-values.yaml file:
tasks:
  ttl: "TASK-TTL-AGE"
Where:
TASK-TTL-AGE is the length of time until completed tasks are purged from the cluster. You can specify this value as a time duration in seconds, minutes, hours, or days. For example, "86400s", "1440m", "24h", or "1d".
For security, the Application Service Adapter API returns a warning in the X-Cf-Warnings header of the /v3/orgs endpoint when a user authenticates with a certificate that is valid for longer than the specified duration. To change this value:
- Include the following values in your tas-adapter-values.yaml file:
user_certificate_expiration_warning_duration: "USER-CERT-EXPIRY-WARNING-DURATION"
Where:
USER-CERT-EXPIRY-WARNING-DURATION is the duration beyond which users are warned to use short-lived certificates for authentication. Default is 168 hours. This value must be specified as a time duration in hours. For example, "168h", not "7d".
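Several of the settings above have constraints that only surface at install time: ceip_policy_disclosed must be a boolean, the ECR role excludes the registry secret fields, and the two duration settings accept different units. The following pre-flight check is an added example, not part of Application Service Adapter; the function names and sample values are constructed, the input is assumed to be the values file already loaded into a dictionary by a YAML parser, and durations are assumed to be a whole number followed by one unit, as in the page's examples.

```python
import re

LOG_LEVELS = {"error", "warn", "info", "debug"}
REQUIRED = ("api_ingress.fqdn", "app_ingress.default_domain",
            "app_registry.repository_prefix")
# Assumption: a whole number plus one unit, as in the page's examples.
TTL_RE = re.compile(r"[0-9]+[smhd]")   # tasks.ttl: "86400s", "1440m", "24h", "1d"
HOURS_RE = re.compile(r"[0-9]+h")      # certificate warning: "168h", not "7d"

# Constructed samples of a parsed tas-adapter-values.yaml.
GOOD_VALUES = {
    "ceip_policy_disclosed": True,
    "api_ingress": {"fqdn": "api.example.com"},
    "app_ingress": {"default_domain": "apps.example.com"},
    "app_registry": {
        "credentials": {"secret_name": "registry-creds", "namespace": "registry-creds"},
        "repository_prefix": "gcr.io/constructed-project/tas-adapter-",
    },
    "tasks": {"ttl": "1d"},
    "user_certificate_expiration_warning_duration": "168h",
    "log_level": {"korifi_api": "debug"},
}
BAD_VALUES = {
    **GOOD_VALUES,
    "ceip_policy_disclosed": "true",  # string, as YAML loads a quoted "true"
    "app_registry": {
        "credentials": {"secret_name": "registry-creds", "namespace": "registry-creds",
                        "aws_iam_role_arn": "arn:aws:iam::111122223333:role/constructed"},
        "repository_prefix": "gcr.io/constructed-project/tas-adapter-",
    },
    "user_certificate_expiration_warning_duration": "7d",  # valid for tasks.ttl only
    "log_level": {"korifi_api": "trace"},
}


def dig(values, dotted):
    """Look up a dotted key such as api_ingress.fqdn; None when absent."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def validate_values(values):
    """Return (key, message) pairs for settings that break the documented rules."""
    problems = []
    if values.get("ceip_policy_disclosed") is not True:
        problems.append(("ceip_policy_disclosed", "must be the boolean true, not a string"))
    for key in REQUIRED:
        if not dig(values, key):
            problems.append((key, "required value is missing"))

    creds = dig(values, "app_registry.credentials") or {}
    secret_fields = [creds.get("secret_name"), creds.get("namespace")]
    if creds.get("aws_iam_role_arn"):
        if any(secret_fields):
            problems.append(("app_registry.credentials",
                             "omit secret_name and namespace when aws_iam_role_arn is set"))
    elif not all(secret_fields):
        problems.append(("app_registry.credentials",
                         "set secret_name and namespace, or aws_iam_role_arn for ECR"))

    ttl = dig(values, "tasks.ttl")
    if ttl is not None and not TTL_RE.fullmatch(str(ttl)):
        problems.append(("tasks.ttl", "use seconds, minutes, hours or days, for example 24h"))
    warn = values.get("user_certificate_expiration_warning_duration")
    if warn is not None and not HOURS_RE.fullmatch(str(warn)):
        problems.append(("user_certificate_expiration_warning_duration",
                         "must be given in hours, for example 168h"))
    for component, level in (values.get("log_level") or {}).items():
        if level not in LOG_LEVELS:
            problems.append((f"log_level.{component}", "use error, warn, info or debug"))
    return problems


if __name__ == "__main__":
    for key, message in validate_values(BAD_VALUES):
        print(f"{key}: {message}")
```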
To install Application Service Adapter:
- Install Application Service Adapter to the cluster.
tanzu package install tas-adapter \
  -p application-service-adapter.tanzu.vmware.com \
  --version "${TAS_ADAPTER_VERSION}" \
  --values-file tas-adapter-values.yaml \
  --namespace tap-install
- Verify that the package install was successful.
tanzu package installed get tas-adapter \
  --namespace tap-install
The following is an example output:
| Retrieving installation details for tas-adapter...
NAME:                    tas-adapter
PACKAGE-NAME:            application-service-adapter.tanzu.vmware.com
PACKAGE-VERSION:         1.3.0
STATUS:                  Reconcile succeeded
CONDITIONS:              [{ReconcileSucceeded True }]
USEFUL-ERROR-MESSAGE:
To configure DNS for Application Service Adapter:
- Determine the external IP address to use for ingress to your cluster. This step varies depending on the IaaS used to provision your cluster.
For clusters that support LoadBalancer services, you can obtain the external IP address of the LoadBalancer Service associated with Contour's Envoy proxy. The namespace for this service is typically either tanzu-system-ingress or projectcontour, depending on how Contour was installed.
kubectl -n tanzu-system-ingress get service envoy -ojsonpath='{.status.loadBalancer.ingress[*].ip}'
Note If you are using a cluster deployed on AWS, your LoadBalancer has a DNS name instead of an IP address.
- Create an A record in your DNS zone that resolves the configured API FQDN to the external IP address from step 1. This step varies depending on your DNS provider.
Note If you are using a cluster deployed on AWS, create a CNAME record that resolves to the DNS name of the load balancer instead of an A record.
- Create a wildcard A record in your DNS zone that resolves all sub-domains of the configured application domain to the external IP address from step 1. This step varies depending on your DNS provider.
- Verify that the Contour HTTPProxy for the API endpoint is valid.
kubectl -n tas-adapter-system get httpproxy korifi-api-proxy
The following is an example output:
NAME               FQDN       TLS SECRET                STATUS   STATUS DESCRIPTION
korifi-api-proxy   API-FQDN   korifi-api-ingress-cert   valid    Valid HTTPProxy
After you install the Cloud Foundry command-line interface (cf CLI), log in to the Application Service Adapter API with one of the system admin users you configured in the admin.users value:
- Target the Application Service Adapter API endpoint.
cf api API-FQDN --skip-ssl-validation
Where:
API-FQDN is the fully qualified domain name (FQDN) for the Application Service Adapter API.
Note If you configured Application Service Adapter with a globally trusted certificate during installation, you can omit the --skip-ssl-validation flag.
- Log in.
cf login
The cf CLI detects the user authentication entries in your local Kubeconfig file and presents them for you to select one interactively. Select an entry corresponding to one of the users you configured in the list in the admin.users value.
- Use the cf curl command to verify the subject name of the logged-in user.
cf curl /whoami
The output looks like the following:
{"name":"[email protected]","kind":"User"}
The value of the name field in the response is the subject name of the user, and matches the name configured in admin.users.
The kind field in the output must have the value User. If it is some other value, such as ServiceAccount, log in to Application Service Adapter with an account for a user in the Kubernetes cluster.
To test Application Service Adapter, continue to Getting Started.