apisix

Helm chart
Default values
# This file has been modified by Chainguard, Inc.
#
# Copyright Chainguard, Inc. All Rights Reserved.
# Chainguard, Inc. modifications are subject to the license
# available at: https://www.chainguard.dev/legal/software-license-agreement
#
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0

## @section Global parameters
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
##

## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
##
global:
  imageRegistry: ""
  ## E.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  ##
  imagePullSecrets: []
  defaultStorageClass: ""
  ## Security parameters
  ##
  security:
    ## @param global.security.allowInsecureImages Allows skipping image verification
    allowInsecureImages: false
  ## Compatibility adaptations for Kubernetes platforms
  ##
  compatibility:
    ## Compatibility adaptations for Openshift
    ##
    openshift:
      ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
      ##
      adaptSecurityContext: auto
  org: ""
## @section Common parameters
##

## @param kubeVersion Override Kubernetes version
##
kubeVersion: ""
## @param apiVersions Override Kubernetes API versions reported by .Capabilities
##
apiVersions: []
## @param nameOverride String to partially override common.names.name
##
nameOverride: ""
## @param fullnameOverride String to fully override common.names.fullname
##
fullnameOverride: ""
## @param namespaceOverride String to fully override common.names.namespace
##
namespaceOverride: ""
## @param commonLabels Labels to add to all deployed objects
##
commonLabels: {}
## @param commonAnnotations Annotations to add to all deployed objects
##
commonAnnotations: {}
## @param clusterDomain Kubernetes cluster domain name
##
clusterDomain: cluster.local
## @param extraDeploy Array of extra objects to deploy with the release
##
extraDeploy: []
## @param usePasswordFiles Mount credentials as files instead of using environment variables
##
usePasswordFiles: true
## Enable diagnostic mode in the deployment
##
diagnosticMode:
  ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
  ##
  enabled: false
  ## @param diagnosticMode.command Command to override all containers in the deployment
  ##
  command:
    - sleep
  ## @param diagnosticMode.args Args to override all containers in the deployment
  ##
  args:
    - infinity
## Iamguarded APISIX image
## @param image.registry [default: REGISTRY_NAME] APISIX image registry
## @param image.repository [default: REPOSITORY_NAME/apisix] APISIX image repository
## @skip image.tag APISIX image tag (immutable tags are recommended)
## @param image.digest APISIX image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag image tag (immutable tags are recommended)
## @param image.pullPolicy APISIX image pull policy
## @param image.pullSecrets APISIX image pull secrets
## @param image.debug Enable APISIX image debug mode
##
image:
  registry: cgr.dev
  repository: chainguard-private/apache-apisix-iamguarded
  tag: 3.15.0
  digest: ""
  ## Specify a imagePullPolicy
  ## ref: http://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
  ##
  pullPolicy: IfNotPresent
  ## Optionally specify an array of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ## e.g:
  ## pullSecrets:
  ##   - myRegistryKeySecretName
  ##
  pullSecrets: []
  ## Enable debug mode
  ##
  debug: false
## @section APISIX Data Plane parameters
##
dataPlane:
  ## @param dataPlane.enabled Enable APISIX Data Plane
  ##
  enabled: true
  ## @param dataPlane.useDaemonSet Deploy Data Plane as DaemonSet
  ##
  useDaemonSet: false
  ## @param dataPlane.replicaCount Number of APISIX Data Plane replicas to deploy
  ##
  replicaCount: 1
  ## @param dataPlane.hostNetwork Use hostNetwork in APISIX Data Plane
  ##
  hostNetwork: false
  ## @param dataPlane.dnsPolicy DNS policy for APISIX Data Plane pods
  ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-policies
  ## NOTE: If you set hostNetwork=true, you must set dnsPolicy=ClusterFirstWithHostNet
  ##
  dnsPolicy: ClusterFirst
  ## @param dataPlane.containerPorts.http APISIX Data Plane HTTP container port
  ## @param dataPlane.containerPorts.https APISIX Data Plane HTTPS container port
  ## @param dataPlane.containerPorts.control APISIX Data Plane control container port
  ## @param dataPlane.containerPorts.metrics APISIX Data Plane metrics container port
  ##
  containerPorts:
    http: 9080
    https: 9443
    control: 9090
    metrics: 9099
  ## Configure extra options for APISIX Data Plane containers' liveness and readiness probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param dataPlane.livenessProbe.enabled Enable livenessProbe on APISIX Data Plane containers
  ## @param dataPlane.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param dataPlane.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param dataPlane.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param dataPlane.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param dataPlane.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param dataPlane.readinessProbe.enabled Enable readinessProbe on APISIX Data Plane containers
  ## @param dataPlane.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param dataPlane.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param dataPlane.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param dataPlane.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param dataPlane.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param dataPlane.startupProbe.enabled Enable startupProbe on APISIX Data Plane containers
  ## @param dataPlane.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param dataPlane.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param dataPlane.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param dataPlane.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param dataPlane.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param dataPlane.customLivenessProbe Custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param dataPlane.customReadinessProbe Custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param dataPlane.customStartupProbe Custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
  ## APISIX Data Plane resource requests and limits
  ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param dataPlane.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if dataPlane.resources is set (dataPlane.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param dataPlane.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Configure Pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param dataPlane.podSecurityContext.enabled Enabled APISIX Data Plane pods' Security Context
  ## @param dataPlane.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param dataPlane.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param dataPlane.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param dataPlane.podSecurityContext.fsGroup Set APISIX Data Plane pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param dataPlane.containerSecurityContext.enabled Enabled APISIX Data Plane containers' Security Context
  ## @param dataPlane.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param dataPlane.containerSecurityContext.runAsUser Set APISIX Data Plane containers' Security Context runAsUser
  ## @param dataPlane.containerSecurityContext.runAsGroup Set APISIX Data Plane containers' Security Context runAsGroup
  ## @param dataPlane.containerSecurityContext.runAsNonRoot Set APISIX Data Plane containers' Security Context runAsNonRoot
  ## @param dataPlane.containerSecurityContext.privileged Set APISIX Data Plane containers' Security Context privileged
  ## @param dataPlane.containerSecurityContext.readOnlyRootFilesystem Set APISIX Data Plane containers' Security Context readOnlyRootFilesystem
  ## @param dataPlane.containerSecurityContext.allowPrivilegeEscalation Set APISIX Data Plane container's privilege escalation
  ## @param dataPlane.containerSecurityContext.capabilities.drop Set APISIX Data Plane container's Security Context capabilities to be dropped
  ## @param dataPlane.containerSecurityContext.seccompProfile.type Set APISIX Data Plane container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: RuntimeDefault
  ## @param dataPlane.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param dataPlane.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param dataPlane.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: true
  ## @param dataPlane.hostAliases APISIX Data Plane pods host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param dataPlane.defaultConfig [string] APISIX Data Plane configuration (evaluated as a template)
  ##
  defaultConfig: |
    {{- if .Values.dataPlane.metrics.enabled }}
    plugin_attr:
      prometheus:
        export_uri: /apisix/prometheus/metrics
        metric_prefix: apisix_
        enable_export_server: true
        export_addr:
          ip: 0.0.0.0
          port: {{ .Values.dataPlane.containerPorts.metrics }}
    {{- end }}
    apisix:
      node_listen: {{ .Values.dataPlane.containerPorts.http }}
      enable_admin: false
      {{- if .Values.dataPlane.tls.enabled }}
      ssl:
        enable: true
        listen:
          - port: {{ .Values.dataPlane.containerPorts.https }}
        ssl_trusted_certificate: /iamguarded/certs/{{ .Values.dataPlane.tls.certCAFilename }}
      enable_http2: true
      {{- end }}
      control:
        ip: 0.0.0.0
        port: {{ .Values.dataPlane.containerPorts.control }}
    nginx_config:
      error_log: /dev/stderr
      stream:
        access_log: /dev/stdout
      http:
        access_log: /dev/stdout
      http_configuration_snippet: |
        proxy_buffering off;
    deployment:
      role: data_plane
      role_data_plane:
        config_provider: etcd
        {{- if .Values.controlPlane.enabled }}
        control_plane:
          host:
            - {{ ternary "https" "http" .Values.controlPlane.tls.enabled }}://{{ include "apisix.control-plane.fullname" . }}:{{ .Values.controlPlane.service.ports.configServer }}
          prefix: /apisix
          timeout: 30
        {{- end }}
      {{- if or .Values.etcd.enabled .Values.externalEtcd.servers }}
      etcd:
        host:
          {{- if .Values.etcd.enabled }}
          {{- $replicas := $.Values.etcd.replicaCount | int }}
          {{- range $i, $_e := until $replicas }}
          - {{ printf "%s://%s-%d.%s:%v" (ternary "https" "http" $.Values.etcd.auth.client.secureTransport) (include "apisix.etcd.fullname" $ ) $i (include "apisix.etcd.headlessServiceName" $) ( include "apisix.etcd.port" $ ) }}
          {{- end }}
          {{- else }}
          {{- range $node := .Values.externalEtcd.servers }}
          - {{ ternary "https" "http" $.Values.externalEtcd.secureTransport }}://{{ printf "%s:%v" $node (include "apisix.etcd.port" $) }}
          {{- end }}
          {{- end }}
        prefix: /apisix
        timeout: 30
        use_grpc: false
        startup_retry: 60
        {{- if (include "apisix.etcd.authEnabled" .) }}
        user: "{{ print "{{APISIX_ETCD_USER}}" }}"
        password: "{{ print "{{APISIX_ETCD_PASSWORD}}" }}"
        {{- end }}
      {{- end }}
      {{- if .Values.dataPlane.tls.enabled }}
      certs:
        {{- if .Values.dataPlane.tls.enabled }}
        cert: /iamguarded/certs/{{ .Values.dataPlane.tls.certFilename }}
        cert_key: /iamguarded/certs/{{ .Values.dataPlane.tls.certKeyFilename }}
        {{- if .Values.dataPlane.tls.certCAFilename }}
        client_ca_cert: /iamguarded/certs/{{ .Values.dataPlane.tls.certCAFilename }}
        {{- end }}
        {{- end }}
      {{- end }}
    discovery:
      kubernetes:
        service:
          # apiserver schema, options [http, https]
          schema: https #default https

          # apiserver host, options [ipv4, ipv6, domain, environment variable]
          host: ${KUBERNETES_SERVICE_HOST} #default ${KUBERNETES_SERVICE_HOST}

          # apiserver port, options [port number, environment variable]
          port: ${KUBERNETES_SERVICE_PORT} #default ${KUBERNETES_SERVICE_PORT}

        client:
          # serviceaccount token or token_file
          token_file: /var/run/secrets/kubernetes.io/serviceaccount/token

        default_weight: 50 # weight assigned to each discovered endpoint. default 50, minimum 0
  ## @param dataPlane.extraConfig [object] extra configuration parameters to add to the config.yaml file in APISIX Data Plane
  ##
  extraConfig: {}
  ## @param dataPlane.existingConfigMap name of a ConfigMap with existing configuration for APISIX Data Plane
  ##
  existingConfigMap: ""
  ## @param dataPlane.extraConfigExistingConfigMap name of a ConfigMap with existing configuration for APISIX Data Plane
  ##
  extraConfigExistingConfigMap: ""
  tls:
    ## @param dataPlane.tls.enabled Enable TLS transport in APISIX Data Plane
    ##
    enabled: true
    ## @param dataPlane.tls.autoGenerated Auto-generate self-signed certificates
    ##
    autoGenerated: true
    ## @param dataPlane.tls.existingSecret Name of a secret containing the certificates
    ##
    existingSecret: ""
    ## @param dataPlane.tls.certFilename Path of the certificate file when mounted as a secret
    ##
    certFilename: tls.crt
    ## @param dataPlane.tls.certKeyFilename Path of the certificate key file when mounted as a secret
    ##
    certKeyFilename: tls.key
    ## @param dataPlane.tls.certCAFilename Path of the certificate CA file when mounted as a secret
    ##
    certCAFilename: ca.crt
    ## @param dataPlane.tls.cert Content of the certificate to be added to the secret
    ##
    cert: ""
    ## @param dataPlane.tls.key Content of the certificate key to be added to the secret
    ##
    key: ""
    ## @param dataPlane.tls.ca Content of the certificate CA to be added to the secret
    ##
    ca: ""
  ## @param dataPlane.podLabels Extra labels for APISIX Data Plane pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param dataPlane.podAnnotations Annotations for APISIX Data Plane pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param dataPlane.podAffinityPreset Pod affinity preset. Ignored if `apisix.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param dataPlane.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `apisix.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
  ## @param dataPlane.pdb.create Enable/disable a Pod Disruption Budget creation
  ## @param dataPlane.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ## @param dataPlane.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
  ## Node apisix.affinity preset
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param dataPlane.nodeAffinityPreset.type Node affinity preset type. Ignored if `apisix.affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param dataPlane.nodeAffinityPreset.key Node label key to match. Ignored if `apisix.affinity` is set
    ##
    key: ""
    ## @param dataPlane.nodeAffinityPreset.values Node label values to match. Ignored if `apisix.affinity` is set
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param dataPlane.affinity Affinity for APISIX Data Plane pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## NOTE: `apisix.podAffinityPreset`, `apisix.podAntiAffinityPreset`, and `apisix.nodeAffinityPreset` will be ignored when it's set
  ##
  affinity: {}
  ## @param dataPlane.nodeSelector Node labels for APISIX Data Plane pods assignment
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param dataPlane.tolerations Tolerations for APISIX Data Plane pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param dataPlane.updateStrategy.type APISIX Data Plane statefulset strategy type
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  ##
  updateStrategy:
    ## StrategyType
    ## Can be set to RollingUpdate or OnDelete
    ##
    type: RollingUpdate
  ## @param dataPlane.priorityClassName APISIX Data Plane pods' priorityClassName
  ##
  priorityClassName: ""
  ## @param dataPlane.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: []
  ## @param dataPlane.schedulerName Name of the k8s scheduler (other than default) for APISIX Data Plane pods
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param dataPlane.terminationGracePeriodSeconds Seconds APISIX Data Plane pods need to terminate gracefully
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
  ##
  terminationGracePeriodSeconds: ""
  ## @param dataPlane.lifecycleHooks for the APISIX Data Plane container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## @param dataPlane.extraEnvVars Array with extra environment variables to add to APISIX Data Plane nodes
  ## e.g:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraEnvVars: []
  ## @param dataPlane.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for APISIX Data Plane nodes
  ##
  extraEnvVarsCM: ""
  ## @param dataPlane.extraEnvVarsSecret Name of existing Secret containing extra env vars for APISIX Data Plane nodes
  ##
  extraEnvVarsSecret: ""
  ## @param dataPlane.extraVolumes Optionally specify extra list of additional volumes for the APISIX Data Plane pod(s)
  ##
  extraVolumes: []
  ## @param dataPlane.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the APISIX Data Plane container(s)
  ##
  extraVolumeMounts: []
  ## @param dataPlane.sidecars Add additional sidecar containers to the APISIX Data Plane pod(s)
  ## e.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param dataPlane.initContainers Add additional init containers to the APISIX Data Plane pod(s)
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
  ## e.g:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     command: ['sh', '-c', 'echo "hello world"']
  ##
  initContainers: []
  ## @section APISIX Data Plane Traffic Exposure Parameters
  ##
  service:
    ## @param dataPlane.service.type APISIX Data Plane service type
    ##
    type: LoadBalancer
    ## @param dataPlane.service.ports.http APISIX Data Plane service HTTP port
    ## @param dataPlane.service.ports.https APISIX Data Plane service HTTPS port
    ## @param dataPlane.service.ports.metrics APISIX Data Plane service metrics port
    ##
    ports:
      http: 80
      https: 443
      metrics: 8080
    ## Node ports to expose
    ## @param dataPlane.service.nodePorts.http Node port for HTTP
    ## @param dataPlane.service.nodePorts.https Node port for HTTPS
    ## @param dataPlane.service.nodePorts.metrics Node port for metrics
    ## NOTE: choose port between <30000-32767>
    ##
    nodePorts:
      http: ""
      https: ""
      metrics: ""
    ## @param dataPlane.service.clusterIP APISIX Data Plane service Cluster IP
    ## e.g.:
    ## clusterIP: None
    ##
    clusterIP: ""
    ## @param dataPlane.service.loadBalancerIP APISIX Data Plane service Load Balancer IP
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
    ##
    loadBalancerIP: ""
    ## @param dataPlane.service.loadBalancerSourceRanges APISIX Data Plane service Load Balancer sources
    ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ## e.g:
    ## loadBalancerSourceRanges:
    ##   - 10.10.10.0/24
    ##
    loadBalancerSourceRanges: []
    ## @param dataPlane.service.externalIPs APISIX Data Plane service External IPs
    ## https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
    ## e.g.
    ## externalIPs:
    ##   - 10.10.10.1
    ##   - 201.22.30.1
    ##
    externalIPs: []
    ## @param dataPlane.service.externalTrafficPolicy APISIX Data Plane service external traffic policy
    ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-web-source-ip
    ##
    externalTrafficPolicy: Cluster
    ## @param dataPlane.service.annotations Additional custom annotations for APISIX Data Plane service
    ##
    annotations: {}
    ## @param dataPlane.service.extraPorts Extra ports to expose in APISIX Data Plane service (normally used with the `sidecars` value)
    ##
    extraPorts: []
    ## @param dataPlane.service.sessionAffinity Control where web requests go, to the same pod or round-robin
    ## Values: ClientIP or None
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
    ##
    sessionAffinity: None
    ## @param dataPlane.service.sessionAffinityConfig Additional settings for the sessionAffinity
    ## sessionAffinityConfig:
    ##   clientIP:
    ##     timeoutSeconds: 300
    ##
    sessionAffinityConfig: {}
  ## Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param dataPlane.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param dataPlane.networkPolicy.allowExternal Don't require server label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## server label will have network access to the ports server is listening
    ## on. When true, server will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param dataPlane.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param dataPlane.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
    ##
    kubeAPIServerPorts: [443, 6443, 8443]
    ## @param dataPlane.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    extraIngress: []
    ## @param dataPlane.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy (ignored if allowExternalEgress=true)
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param dataPlane.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param dataPlane.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
  ## ref: http://kubernetes.io/docs/concepts/services-networking/ingress/
  ##
  ingress:
    ## @param dataPlane.ingress.enabled Enable ingress record generation for APISIX Data Plane
    ##
    enabled: false
    ## @param dataPlane.ingress.pathType Ingress path type
    ##
    pathType: ImplementationSpecific
    ## @param dataPlane.ingress.apiVersion Force Ingress API version (automatically detected if not set)
    ##
    apiVersion: ""
    ## @param dataPlane.ingress.hostname Default host for the ingress record
    ##
    hostname: apisix-data-plane.local
    ## @param dataPlane.ingress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
    ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster.
    ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
    ##
    ingressClassName: ""
    ## @param dataPlane.ingress.path Default path for the ingress record
    ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers
    ##
    path: /
    ## @param dataPlane.ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
    ## Use this parameter to set the required annotations for cert-manager, see
    ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
    ## e.g:
    ## annotations:
    ##   kubernetes.io/ingress.class: nginx
    ##   cert-manager.io/cluster-issuer: cluster-issuer-name
    ##
    annotations: {}
    ## @param dataPlane.ingress.tls Enable TLS configuration for the host defined at `dataPlane.ingress.hostname` parameter
    ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`
    ## You can:
    ##   - Use the `dataPlane.ingress.secrets` parameter to create this TLS secret
    ##   - Rely on cert-manager to create it by setting the corresponding annotations
    ##   - Rely on Helm to create self-signed certificates by setting `dataPlane.ingress.selfSigned=true`
    ##
    tls: false
    ## @param dataPlane.ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
    ##
    selfSigned: false
    ## @param dataPlane.ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record
    ## e.g:
    ## extraHosts:
    ##   - name: apisix.local
    ##     path: /
    ##
    extraHosts: []
    ## @param dataPlane.ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host
    ## e.g:
    ## extraPaths:
    ## - path: /*
    ##   backend:
    ##     serviceName: ssl-redirect
    ##     servicePort: use-annotation
    ##
    extraPaths: []
    ## @param dataPlane.ingress.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record
    ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    ## e.g:
    ## extraTls:
    ## - hosts:
    ##     - apisix.local
    ##   secretName: apisix.local-tls
    ##
    extraTls: []
    ## @param dataPlane.ingress.secrets Custom TLS certificates as secrets
    ## NOTE: 'key' and 'certificate' are expected in PEM format
    ## NOTE: 'name' should line up with a 'secretName' set further up
    ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates
    ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days
    ## It is also possible to create and manage the certificates outside of this helm chart
    ## Please see README.md for more information
    ## e.g:
    ## secrets:
    ##   - name: apisix.local-tls
    ##     key: |-
    ##       -----BEGIN RSA PRIVATE KEY-----
    ##       ...
    ##       -----END RSA PRIVATE KEY-----
    ##     certificate: |-
    ##       -----BEGIN CERTIFICATE-----
    ##       ...
    ##       -----END CERTIFICATE-----
    ##
    secrets: []
    ## @param dataPlane.ingress.extraRules Additional rules to be covered with this ingress record
    ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    ## e.g:
    ## extraRules:
    ## - host: example.local
    ##   http:
    ##     path: /
    ##     backend:
    ##       service:
    ##         name: example-svc
    ##         port:
    ##           name: http
    ##
    extraRules: []
  ## @section APISIX Data Plane Autoscaling configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
  ##
  autoscaling:
    vpa:
      ## @param dataPlane.autoscaling.vpa.enabled Enable VPA
      ##
      enabled: false
      ## @param dataPlane.autoscaling.vpa.annotations Annotations for VPA resource
      ##
      annotations: {}
      ## @param dataPlane.autoscaling.vpa.controlledResources VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
      ##
      controlledResources: []
      ## @param dataPlane.autoscaling.vpa.maxAllowed VPA Max allowed resources for the pod
      ##   cpu: 200m
      ##   memory: 100Mi
      maxAllowed: {}
      ## @param dataPlane.autoscaling.vpa.minAllowed VPA Min allowed resources for the pod
      ##   cpu: 200m
      ##   memory: 100Mi
      minAllowed: {}
      updatePolicy:
        ## @param dataPlane.autoscaling.vpa.updatePolicy.updateMode Autoscaling update policy. Specifies whether recommended updates are applied when a Pod is started and whether recommended updates are applied during the life of a Pod
        ## Possible values are "Off", "Initial", "Recreate", and "Auto".
        ##
        updateMode: Auto
    hpa:
      ## @param dataPlane.autoscaling.hpa.enabled Enable HPA for APISIX Data Plane
      ##
      enabled: false
      ## @param dataPlane.autoscaling.hpa.minReplicas Minimum number of APISIX Data Plane replicas
      ##
      minReplicas: ""
      ## @param dataPlane.autoscaling.hpa.maxReplicas Maximum number of APISIX Data Plane replicas
      ##
      maxReplicas: ""
      ## @param dataPlane.autoscaling.hpa.targetCPU Target CPU utilization percentage
      ##
      targetCPU: ""
      ## @param dataPlane.autoscaling.hpa.targetMemory Target Memory utilization percentage
      ##
      targetMemory: ""
  ## @section APISIX Data Plane RBAC Parameters
  ##

  ## RBAC configuration
  ##
  rbac:
    ## @param dataPlane.rbac.create Specifies whether RBAC resources should be created
    ##
    create: true
    ## @param dataPlane.rbac.rules Custom RBAC rules to set
    ## e.g:
    ## rules:
    ##   - apiGroups:
    ##       - ""
    ##     resources:
    ##       - pods
    ##     verbs:
    ##       - get
    ##       - list
    ##
    rules: []
  ## ServiceAccount configuration
  ##
  serviceAccount:
    ## @param dataPlane.serviceAccount.create Specifies whether a ServiceAccount should be created
    ##
    create: true
    ## @param dataPlane.serviceAccount.name The name of the ServiceAccount to use.
    ## If not set and create is true, a name is generated using the common.names.fullname template
    ##
    name: ""
    ## @param dataPlane.serviceAccount.annotations Additional Service Account annotations (evaluated as a template)
    ##
    annotations: {}
    ## @param dataPlane.serviceAccount.automountServiceAccountToken Automount service account token for the APISIX Data Plane service account
    ##
    automountServiceAccountToken: false
  ## @section APISIX Data Plane Metrics Parameters
  ##

  ## Prometheus metrics
  ##
  metrics:
    ## @param dataPlane.metrics.enabled Enable the export of Prometheus metrics
    ##
    enabled: false
    ## @param dataPlane.metrics.annotations [object] Annotations for the APISIX Data Plane service in order to scrape metrics
    annotations:
      prometheus.io/scrape: "true"
      prometheus.io/port: "{{ .Values.dataPlane.service.ports.metrics }}"
      prometheus.io/path: "/apisix/prometheus/metrics"
    ## Prometheus Operator ServiceMonitor configuration
    ##
    serviceMonitor:
      ## @param dataPlane.metrics.serviceMonitor.enabled if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`)
      ##
      enabled: false
      ## @param dataPlane.metrics.serviceMonitor.namespace Namespace in which Prometheus is running
      ##
      namespace: ""
      ## @param dataPlane.metrics.serviceMonitor.annotations Additional custom annotations for the ServiceMonitor
      ##
      annotations: {}
      ## @param dataPlane.metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
      ##
      labels: {}
      ## @param dataPlane.metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in Prometheus
      ##
      jobLabel: ""
      ## @param dataPlane.metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
      ##
      honorLabels: false
      ## @param dataPlane.metrics.serviceMonitor.interval Interval at which metrics should be scraped.
      ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
      ## e.g:
      ## interval: 10s
      ##
      interval: ""
      ## @param dataPlane.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
      ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
      ## e.g:
      ## scrapeTimeout: 10s
      ##
      scrapeTimeout: ""
      ## @param dataPlane.metrics.serviceMonitor.metricRelabelings Specify additional relabeling of metrics
      ##
      metricRelabelings: []
      ## @param dataPlane.metrics.serviceMonitor.relabelings Specify general relabeling
      ##
      relabelings: []
      ## @param dataPlane.metrics.serviceMonitor.selector Prometheus instance selector labels
      ## selector:
      ##   prometheus: my-prometheus
      ##
      selector: {}
## @section APISIX Control Plane Parameters
##
controlPlane:
  ## @param controlPlane.enabled Enable APISIX Control Plane
  ##
  enabled: true
  ## @param controlPlane.replicaCount Number of APISIX Control Plane replicas to deploy
  ##
  replicaCount: 1
  ## @param controlPlane.hostNetwork Use hostNetwork
  ##
  hostNetwork: false
  ## @param controlPlane.dnsPolicy DNS policy for APISIX Control Plane pods
  ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-policies
  ## NOTE: If you set hostNetwork=true, you must set dnsPolicy=ClusterFirstWithHostNet
  ##
  dnsPolicy: ClusterFirst
  ## @param controlPlane.useDaemonSet Deploy as DaemonSet
  ##
  useDaemonSet: false
  ## @param controlPlane.dashboardEnabled Enable APISIX Control Plane to expose APISIX Dashboards
  ##
  dashboardEnabled: true
  ## @param controlPlane.containerPorts.adminAPI APISIX Control Plane Admin API port
  ## @param controlPlane.containerPorts.configServer APISIX Control Plane config port
  ## @param controlPlane.containerPorts.control APISIX Control Plane control port
  ## @param controlPlane.containerPorts.metrics APISIX Control Plane metrics port
  ##
  containerPorts:
    adminAPI: 9180
    configServer: 9280
    control: 9090
    metrics: 9099
  ## Configure extra options for APISIX Control Plane containers' liveness and readiness probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param controlPlane.livenessProbe.enabled Enable livenessProbe on APISIX Control Plane containers
  ## @param controlPlane.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param controlPlane.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param controlPlane.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param controlPlane.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param controlPlane.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param controlPlane.readinessProbe.enabled Enable readinessProbe on APISIX Control Plane containers
  ## @param controlPlane.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param controlPlane.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param controlPlane.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param controlPlane.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param controlPlane.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param controlPlane.startupProbe.enabled Enable startupProbe on APISIX Control Plane containers
  ## @param controlPlane.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param controlPlane.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param controlPlane.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param controlPlane.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param controlPlane.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param controlPlane.customLivenessProbe Custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param controlPlane.customReadinessProbe Custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param controlPlane.customStartupProbe Custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
  ## APISIX Control Plane resource requests and limits
  ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param controlPlane.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if controlPlane.resources is set (controlPlane.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param controlPlane.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Configure Pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param controlPlane.podSecurityContext.enabled Enable APISIX Control Plane pods' Security Context
  ## @param controlPlane.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param controlPlane.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param controlPlane.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param controlPlane.podSecurityContext.fsGroup Set APISIX Control Plane pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param controlPlane.containerSecurityContext.enabled Enable APISIX Control Plane containers' Security Context
  ## @param controlPlane.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param controlPlane.containerSecurityContext.runAsUser Set APISIX Control Plane containers' Security Context runAsUser
  ## @param controlPlane.containerSecurityContext.runAsGroup Set APISIX Control Plane containers' Security Context runAsGroup
  ## @param controlPlane.containerSecurityContext.runAsNonRoot Set APISIX Control Plane containers' Security Context runAsNonRoot
  ## @param controlPlane.containerSecurityContext.privileged Set APISIX Control Plane containers' Security Context privileged
  ## @param controlPlane.containerSecurityContext.readOnlyRootFilesystem Set APISIX Control Plane containers' Security Context readOnlyRootFilesystem
  ## @param controlPlane.containerSecurityContext.allowPrivilegeEscalation Set APISIX Control Plane container's privilege escalation
  ## @param controlPlane.containerSecurityContext.capabilities.drop Set APISIX Control Plane container's Security Context capabilities to be dropped
  ## @param controlPlane.containerSecurityContext.seccompProfile.type Set APISIX Control Plane container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: RuntimeDefault
  ## @param controlPlane.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param controlPlane.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param controlPlane.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: true
  ## @param controlPlane.hostAliases APISIX Control Plane pods host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param controlPlane.apiTokenAdmin Admin API Token for APISIX Control Plane
  ##
  apiTokenAdmin: ""
  ## @param controlPlane.apiTokenViewer Viewer API Token for APISIX Control Plane
  ##
  apiTokenViewer: ""
  ## @param controlPlane.existingSecret Name of a secret containing API Tokens for APISIX Control Plane
  ##
  existingSecret: ""
  ## @param controlPlane.existingSecretAdminTokenKey Key inside the secret containing the Admin API Tokens for APISIX Control Plane
  ##
  existingSecretAdminTokenKey: ""
  ## @param controlPlane.existingSecretViewerTokenKey Key inside the secret containing the Viewer API Tokens for APISIX Control Plane
  ##
  existingSecretViewerTokenKey: ""
  ## @param controlPlane.defaultConfig [string] APISIX Control Plane configuration (evaluated as a template)
  ##
  defaultConfig: |
    {{- if .Values.controlPlane.metrics.enabled }}
    plugin_attr:
      prometheus:
        export_uri: /apisix/prometheus/metrics
        metric_prefix: apisix_
        enable_export_server: true
        export_addr:
          ip: 0.0.0.0
          port: {{ .Values.controlPlane.containerPorts.metrics }}
    {{- end }}
    nginx_config:
      error_log: /dev/stderr
      stream:
        access_log: /dev/stdout
      http:
        access_log: /dev/stdout
      http_configuration_snippet: |
        proxy_buffering off;
    apisix:
      control:
        ip: 0.0.0.0
        port: {{ .Values.controlPlane.containerPorts.control }}
    deployment:
      role: control_plane
      role_control_plane:
        config_provider: etcd
        conf_server:
          listen: 0.0.0.0:{{ .Values.controlPlane.containerPorts.configServer }}
          cert: /iamguarded/certs/{{ .Values.controlPlane.tls.certFilename }}
          cert_key: /iamguarded/certs/{{ .Values.controlPlane.tls.certKeyFilename }}
      etcd:
        host:
          {{- if .Values.etcd.enabled }}
          {{- $replicas := $.Values.etcd.replicaCount | int }}
          {{- range $i, $_e := until $replicas }}
          - {{ printf "%s://%s-%d.%s:%v" (ternary "https" "http" $.Values.etcd.auth.client.secureTransport) (include "apisix.etcd.fullname" $ ) $i (include "apisix.etcd.headlessServiceName" $) ( include "apisix.etcd.port" $ ) }}
          {{- end }}
          {{- else }}
          {{- range $node := .Values.externalEtcd.servers }}
          - {{ ternary "https" "http" $.Values.externalEtcd.secureTransport }}://{{ printf "%s:%v" $node (include "apisix.etcd.port" $) }}
          {{- end }}
          {{- end }}
        prefix: /apisix
        timeout: 30
        use_grpc: false
        startup_retry: 60
        {{- if (include "apisix.etcd.authEnabled" .) }}
        user: "{{ print "{{APISIX_ETCD_USER}}" }}"
        password: "{{ print "{{APISIX_ETCD_PASSWORD}}" }}"
        {{- end }}
      {{- if .Values.controlPlane.tls.enabled }}
      certs:
        {{- if .Values.controlPlane.tls.enabled }}
        cert: /iamguarded/certs/{{ .Values.controlPlane.tls.certFilename }}
        cert_key: /iamguarded/certs/{{ .Values.controlPlane.tls.certKeyFilename }}
        {{- if .Values.controlPlane.tls.certCAFilename }}
        client_ca_cert: /iamguarded/certs/{{ .Values.controlPlane.tls.certCAFilename }}
        {{- end }}
        {{- end }}
      {{- end }}
      admin:
        {{- if .Values.controlPlane.tls.enabled }}
        https_admin: true
        admin_api_mtls:
          admin_ssl_cert: /iamguarded/certs/{{ .Values.controlPlane.tls.certFilename }}
          admin_ssl_cert_key: /iamguarded/certs/{{ .Values.controlPlane.tls.certKeyFilename }}
        {{- end }}
        # 0.0.0.0/0 accepts Admin API requests from any IPv4 source; narrow this CIDR list to restrict access.
        allow_admin:
          - 0.0.0.0/0
        admin_key:
          - name: admin
            key: "{{ print "{{APISIX_ADMIN_API_TOKEN}}" }}"
            role: admin
          - name: viewer
            key: "{{ print "{{APISIX_VIEWER_API_TOKEN}}" }}"
            role: viewer
        admin_listen:
          port: {{ .Values.controlPlane.containerPorts.adminAPI }}
        enable_admin_cors: true # Admin API support CORS response headers.
        enable_admin_ui: {{ ternary "true" "false" .Values.controlPlane.dashboardEnabled }}
    discovery:
      kubernetes:
        service:
          schema: https # default https
          # apiserver host, options [ipv4, ipv6, domain, environment variable]
          host: ${KUBERNETES_SERVICE_HOST}
          # apiserver port, options [port number, environment variable]
          port: ${KUBERNETES_SERVICE_PORT}
        client:
          # serviceaccount token or token_file
          token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
        default_weight: 50 # weight assigned to each discovered endpoint. default 50, minimum 0
  ## @param controlPlane.extraConfig [object] extra configuration parameters to add to the config.yaml file in APISIX Control plane
  ##
  extraConfig: {}
  ## @param controlPlane.existingConfigMap name of a ConfigMap with existing configuration for APISIX Control Plane
  ##
  existingConfigMap: ""
  ## @param controlPlane.extraConfigExistingConfigMap name of a ConfigMap with existing configuration for APISIX Control Plane
  ##
  extraConfigExistingConfigMap: ""
  tls:
    ## @param controlPlane.tls.enabled Enable TLS transport in APISIX Control Plane
    ##
    enabled: true
    ## @param controlPlane.tls.autoGenerated Auto-generate self-signed certificates
    ##
    autoGenerated: true
    ## @param controlPlane.tls.existingSecret Name of a secret containing the certificates
    ##
    existingSecret: ""
    ## @param controlPlane.tls.certFilename Path of the certificate file when mounted as a secret
    ##
    certFilename: tls.crt
    ## @param controlPlane.tls.certKeyFilename Path of the certificate key file when mounted as a secret
    ##
    certKeyFilename: tls.key
    ## @param controlPlane.tls.certCAFilename Path of the certificate CA file when mounted as a secret
    ##
    certCAFilename: ca.crt
    ## @param controlPlane.tls.cert Content of the certificate to be added to the secret
    ##
    cert: ""
    ## @param controlPlane.tls.key Content of the certificate key to be added to the secret
    ##
    key: ""
    ## @param controlPlane.tls.ca Content of the certificate CA to be added to the secret
    ##
    ca: ""
  ## @param controlPlane.podLabels Extra labels for APISIX Control Plane pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param controlPlane.podAnnotations Annotations for APISIX Control Plane pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param controlPlane.podAffinityPreset Pod affinity preset. Ignored if `apisix.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param controlPlane.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `apisix.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
  ## @param controlPlane.pdb.create Enable/disable a Pod Disruption Budget creation
  ## @param controlPlane.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ## @param controlPlane.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
  ## Node apisix.affinity preset
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param controlPlane.nodeAffinityPreset.type Node affinity preset type. Ignored if `apisix.affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param controlPlane.nodeAffinityPreset.key Node label key to match. Ignored if `apisix.affinity` is set
    ##
    key: ""
    ## @param controlPlane.nodeAffinityPreset.values Node label values to match. Ignored if `apisix.affinity` is set
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param controlPlane.affinity Affinity for APISIX Control Plane pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## NOTE: `apisix.podAffinityPreset`, `apisix.podAntiAffinityPreset`, and `apisix.nodeAffinityPreset` will be ignored when it's set
  ##
  affinity: {}
  ## @param controlPlane.nodeSelector Node labels for APISIX Control Plane pods assignment
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param controlPlane.tolerations Tolerations for APISIX Control Plane pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param controlPlane.updateStrategy.type APISIX Control Plane statefulset strategy type
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  ##
  updateStrategy:
    ## StrategyType
    ## Can be set to RollingUpdate or OnDelete
    ##
    type: RollingUpdate
  ## @param controlPlane.priorityClassName APISIX Control Plane pods' priorityClassName
  ##
  priorityClassName: ""
  ## @param controlPlane.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: []
  ## @param controlPlane.schedulerName Name of the k8s scheduler (other than default) for APISIX Control Plane pods
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param controlPlane.terminationGracePeriodSeconds Seconds the APISIX Control Plane pod needs to terminate gracefully
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
  ##
  terminationGracePeriodSeconds: ""
  ## @param controlPlane.lifecycleHooks for the APISIX Control Plane container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## @param controlPlane.extraEnvVars Array with extra environment variables to add to APISIX Control Plane nodes
  ## e.g:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraEnvVars: []
  ## @param controlPlane.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for APISIX Control Plane nodes
  ##
  extraEnvVarsCM: ""
  ## @param controlPlane.extraEnvVarsSecret Name of existing Secret containing extra env vars for APISIX Control Plane nodes
  ##
  extraEnvVarsSecret: ""
  ## @param controlPlane.extraVolumes Optionally specify extra list of additional volumes for the APISIX Control Plane pod(s)
  ##
  extraVolumes: []
  ## @param controlPlane.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the APISIX Control Plane container(s)
  ##
  extraVolumeMounts: []
  ## @param controlPlane.sidecars Add additional sidecar containers to the APISIX Control Plane pod(s)
  ## e.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param controlPlane.initContainers Add additional init containers to the APISIX Control Plane pod(s)
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
  ## e.g:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     command: ['sh', '-c', 'echo "hello world"']
  ##
  initContainers: []
  ## @section APISIX Control Plane Traffic Exposure Parameters
  ##
  service:
    ## @param controlPlane.service.type APISIX Control Plane service type
    ##
    type: ClusterIP
    ## @param controlPlane.service.ports.adminAPI APISIX Control Plane service Admin API port
    ## @param controlPlane.service.ports.configServer APISIX Control Plane service Config Server port
    ## @param controlPlane.service.ports.metrics APISIX Control Plane service metrics port
    ##
    ports:
      adminAPI: 9180
      configServer: 9280
      metrics: 8080
    ## Node ports to expose
    ## @param controlPlane.service.nodePorts.adminAPI Node port for Admin API
    ## @param controlPlane.service.nodePorts.configServer Node port for Config Server
    ## @param controlPlane.service.nodePorts.metrics Node port for Metrics
    ## NOTE: choose port between <30000-32767>
    ##
    nodePorts:
      adminAPI: ""
      configServer: ""
      metrics: ""
    ## @param controlPlane.service.clusterIP APISIX Control Plane service Cluster IP
    ## e.g.:
    ## clusterIP: None
    ##
    clusterIP: ""
    ## @param controlPlane.service.loadBalancerIP APISIX Control Plane service Load Balancer IP
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
    ##
    loadBalancerIP: ""
    ## @param controlPlane.service.loadBalancerSourceRanges APISIX Control Plane service Load Balancer sources
    ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ## e.g:
    ## loadBalancerSourceRanges:
    ##   - 10.10.10.0/24
    ##
    loadBalancerSourceRanges: []
    ## @param controlPlane.service.externalIPs APISIX Control Plane service External IPs
    ## https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
    ## e.g.
    ## externalIPs:
    ##   - 10.10.10.1
    ##   - 201.22.30.1
    ##
    externalIPs: []
    ## @param controlPlane.service.externalTrafficPolicy APISIX Control Plane service external traffic policy
    ## ref: http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-web-source-ip
    ##
    externalTrafficPolicy: Cluster
    ## @param controlPlane.service.annotations Additional custom annotations for APISIX Control Plane service
    ##
    annotations: {}
    ## @param controlPlane.service.extraPorts Extra ports to expose in APISIX Control Plane service (normally used with the `sidecars` value)
    ##
    extraPorts: []
    ## @param controlPlane.service.sessionAffinity Control where web requests go, to the same pod or round-robin
    ## Values: ClientIP or None
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
    ##
    sessionAffinity: None
    ## @param controlPlane.service.sessionAffinityConfig Additional settings for the sessionAffinity
    ## sessionAffinityConfig:
    ##   clientIP:
    ##     timeoutSeconds: 300
    ##
    sessionAffinityConfig: {}
  ## Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param controlPlane.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param controlPlane.networkPolicy.allowExternal Don't require server label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## server label will have network access to the ports server is listening
    ## on. When true, server will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param controlPlane.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param controlPlane.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
    ##
    kubeAPIServerPorts: [443, 6443, 8443]
    ## @param controlPlane.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    extraIngress: []
    ## @param controlPlane.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy (ignored if allowExternalEgress=true)
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param controlPlane.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param controlPlane.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
1443
  ## ref: http://kubernetes.io/docs/concepts/services-networking/ingress/
  ##
  ingress:
    ## @param controlPlane.ingress.enabled Enable ingress record generation for APISIX Control Plane
    ##
    enabled: false
    ## @param controlPlane.ingress.pathType Ingress path type
    ##
    pathType: ImplementationSpecific
    ## @param controlPlane.ingress.apiVersion Force Ingress API version (automatically detected if not set)
    ##
    apiVersion: ""
    ## @param controlPlane.ingress.hostname Default host for the ingress record
    ##
    hostname: apisix-control-plane.local
    ## @param controlPlane.ingress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
    ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster.
    ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
    ##
    ingressClassName: ""
    ## @param controlPlane.ingress.path Default path for the ingress record
    ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers
    ##
    path: /
    ## @param controlPlane.ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
    ## Use this parameter to set the required annotations for cert-manager, see
    ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
    ## e.g:
    ## annotations:
    ##   kubernetes.io/ingress.class: nginx
    ##   cert-manager.io/cluster-issuer: cluster-issuer-name
    ##
    annotations: {}
    ## @param controlPlane.ingress.tls Enable TLS configuration for the host defined at `controlPlane.ingress.hostname` parameter
    ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`
    ## You can:
    ##   - Use the `controlPlane.ingress.secrets` parameter to create this TLS secret
    ##   - Rely on cert-manager to create it by setting the corresponding annotations
    ##   - Rely on Helm to create self-signed certificates by setting `controlPlane.ingress.selfSigned=true`
    ##
    tls: false
    ## @param controlPlane.ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
    ##
    selfSigned: false
    ## @param controlPlane.ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record
    ## e.g:
    ## extraHosts:
    ##   - name: apisix.local
    ##     path: /
    ##
    extraHosts: []
    ## @param controlPlane.ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host
    ## e.g:
    ## extraPaths:
    ## - path: /*
    ##   backend:
    ##     serviceName: ssl-redirect
    ##     servicePort: use-annotation
    ##
    extraPaths: []
    ## @param controlPlane.ingress.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record
    ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    ## e.g:
    ## extraTls:
    ## - hosts:
    ##     - apisix.local
    ##   secretName: apisix.local-tls
    ##
    extraTls: []
    ## @param controlPlane.ingress.secrets Custom TLS certificates as secrets
    ## NOTE: 'key' and 'certificate' are expected in PEM format
    ## NOTE: 'name' should line up with a 'secretName' set further up
    ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates
    ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days
    ## It is also possible to create and manage the certificates outside of this helm chart
    ## Please see README.md for more information
    ## e.g:
    ## secrets:
    ##   - name: apisix.local-tls
    ##     key: |-
    ##       -----BEGIN RSA PRIVATE KEY-----
    ##       ...
    ##       -----END RSA PRIVATE KEY-----
    ##     certificate: |-
    ##       -----BEGIN CERTIFICATE-----
    ##       ...
    ##       -----END CERTIFICATE-----
    ##
    secrets: []
    ## @param controlPlane.ingress.extraRules Additional rules to be covered with this ingress record
    ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    ## e.g:
    ## extraRules:
    ## - host: example.local
    ##   http:
    ##     path: /
    ##     backend:
    ##       service:
    ##         name: example-svc
    ##         port:
    ##           name: http
    ##
    extraRules: []
  ## @section APISIX Control Plane Autoscaling configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
  ##
  autoscaling:
    vpa:
      ## @param controlPlane.autoscaling.vpa.enabled Enable VPA
      ##
      enabled: false
      ## @param controlPlane.autoscaling.vpa.annotations Annotations for VPA resource
      ##
      annotations: {}
      ## @param controlPlane.autoscaling.vpa.controlledResources VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
      ##
      controlledResources: []
      ## @param controlPlane.autoscaling.vpa.maxAllowed VPA Max allowed resources for the pod
      ## cpu: 200m
      ## memory: 100Mi
      maxAllowed: {}
      ## @param controlPlane.autoscaling.vpa.minAllowed VPA Min allowed resources for the pod
      ## cpu: 200m
      ## memory: 100Mi
      minAllowed: {}
      updatePolicy:
        ## @param controlPlane.autoscaling.vpa.updatePolicy.updateMode Autoscaling update policy. Specifies whether recommended updates are applied when a Pod is started and whether recommended updates are applied during the life of a Pod
        ## Possible values are "Off", "Initial", "Recreate", and "Auto".
        ##
        updateMode: Auto
    hpa:
      ## @param controlPlane.autoscaling.hpa.enabled Enable HPA for APISIX Control Plane
      ##
      enabled: false
      ## @param controlPlane.autoscaling.hpa.minReplicas Minimum number of APISIX Control Plane replicas
      ##
      minReplicas: ""
      ## @param controlPlane.autoscaling.hpa.maxReplicas Maximum number of APISIX Control Plane replicas
      ##
      maxReplicas: ""
      ## @param controlPlane.autoscaling.hpa.targetCPU Target CPU utilization percentage
      ##
      targetCPU: ""
      ## @param controlPlane.autoscaling.hpa.targetMemory Target Memory utilization percentage
      ##
      targetMemory: ""
  ## @section APISIX Control Plane RBAC parameters
  ##

  ## RBAC configuration
  ##
  rbac:
    ## @param controlPlane.rbac.create Specifies whether RBAC resources should be created
    ##
    create: true
    ## @param controlPlane.rbac.rules Custom RBAC rules to set
    ## e.g:
    ## rules:
    ##   - apiGroups:
    ##       - ""
    ##     resources:
    ##       - pods
    ##     verbs:
    ##       - get
    ##       - list
    ##
    rules: []
  ## ServiceAccount configuration
  ##
  serviceAccount:
    ## @param controlPlane.serviceAccount.create Specifies whether a ServiceAccount should be created
    ##
    create: true
    ## @param controlPlane.serviceAccount.name The name of the ServiceAccount to use.
    ## If not set and create is true, a name is generated using the common.names.fullname template
    ##
    name: ""
    ## @param controlPlane.serviceAccount.annotations Additional Service Account annotations (evaluated as a template)
    ##
    annotations: {}
    ## @param controlPlane.serviceAccount.automountServiceAccountToken Automount service account token for the APISIX Control Plane service account
    ##
    automountServiceAccountToken: false
  ## @section APISIX Control Plane Metrics Parameters
  ##

  ## Prometheus metrics
  ##
  metrics:
    ## @param controlPlane.metrics.enabled Enable the export of Prometheus metrics
    ##
    enabled: false
    ## @param controlPlane.metrics.annotations [object] Annotations for the APISIX Control Plane service in order to scrape metrics
    annotations:
      prometheus.io/scrape: "true"
      prometheus.io/port: "{{ .Values.controlPlane.service.ports.metrics }}"
      prometheus.io/path: "/apisix/prometheus/metrics"
    ## Prometheus Operator ServiceMonitor configuration
    ##
    serviceMonitor:
      ## @param controlPlane.metrics.serviceMonitor.enabled If `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`)
      ##
      enabled: false
      ## @param controlPlane.metrics.serviceMonitor.namespace Namespace in which Prometheus is running
      ##
      namespace: ""
      ## @param controlPlane.metrics.serviceMonitor.annotations Additional custom annotations for the ServiceMonitor
      ##
      annotations: {}
      ## @param controlPlane.metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
      ##
      labels: {}
      ## @param controlPlane.metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in Prometheus
      ##
      jobLabel: ""
      ## @param controlPlane.metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
      ##
      honorLabels: false
      ## @param controlPlane.metrics.serviceMonitor.interval Interval at which metrics should be scraped.
      ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
      ## e.g:
      ## interval: 10s
      ##
      interval: ""
      ## @param controlPlane.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
      ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
      ## e.g:
      ## scrapeTimeout: 10s
      ##
      scrapeTimeout: ""
      ## @param controlPlane.metrics.serviceMonitor.metricRelabelings Specify additional relabeling of metrics
      ##
      metricRelabelings: []
      ## @param controlPlane.metrics.serviceMonitor.relabelings Specify general relabeling
      ##
      relabelings: []
      ## @param controlPlane.metrics.serviceMonitor.selector Prometheus instance selector labels
      ## selector:
      ##   prometheus: my-prometheus
      ##
      selector: {}
## @section APISIX Ingress Controller Parameters
##
ingressController:
  ## @param ingressController.enabled Enable APISIX Ingress Controller
  ##
  enabled: true
  ## Iamguarded APISIX Ingress Controller image
  ## @param ingressController.image.registry [default: REGISTRY_NAME] APISIX Ingress Controller image registry
  ## @param ingressController.image.repository [default: REPOSITORY_NAME/apisix-ingress-controller] APISIX Ingress Controller image repository
  ## @skip ingressController.image.tag APISIX Ingress Controller image tag (immutable tags are recommended)
  ## @param ingressController.image.digest APISIX Ingress Controller image digest in the way sha256:aa.... Please note this parameter, if set, will override the image tag (immutable tags are recommended)
  ## @param ingressController.image.pullPolicy APISIX Ingress Controller image pull policy
  ## @param ingressController.image.pullSecrets APISIX Ingress Controller image pull secrets
  ## @param ingressController.image.debug Enable APISIX Ingress Controller image debug mode
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/apisix-ingress-controller-iamguarded
    tag: 2.0.1
    digest: ""
    ## Specify an imagePullPolicy
    ## ref: http://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## e.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
    ## Enable debug mode
    ##
    debug: false
  ## ADC server sidecar image (required by the new APISIX ingress controller to communicate with APISIX)
  ## @param ingressController.adcServer.image.registry ADC server image registry
  ## @param ingressController.adcServer.image.repository ADC server image repository
  ## @param ingressController.adcServer.image.tag ADC server image tag
  ## @param ingressController.adcServer.image.digest ADC server image digest (overrides tag when set)
  ## @param ingressController.adcServer.image.pullPolicy ADC server image pull policy
  ## @param ingressController.adcServer.logLevel ADC server log level
  ##
  adcServer:
    image:
      registry: cgr.dev
      repository: chainguard-private/adc-iamguarded
      tag: 0.24.2
      digest: ""
      pullPolicy: IfNotPresent
    logLevel: "info"
  ## @param ingressController.replicaCount Number of APISIX Ingress Controller replicas to deploy
  ##
  replicaCount: 1
  ## @param ingressController.containerPorts.http APISIX Ingress Controller http container port (metrics)
  ## @param ingressController.containerPorts.https APISIX Ingress Controller https container port
  ## @param ingressController.containerPorts.probe APISIX Ingress Controller health probe container port
  ##
  containerPorts:
    http: 8080
    https: 8443
    probe: 8081
  ## @param ingressController.gatewayProxy.create Create a GatewayProxy resource pointing to the APISIX control plane
  ##
  gatewayProxy:
    create: true
  ## Configure extra options for APISIX Ingress Controller containers' liveness and readiness probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param ingressController.livenessProbe.enabled Enable livenessProbe on APISIX Ingress Controller containers
  ## @param ingressController.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param ingressController.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param ingressController.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param ingressController.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param ingressController.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param ingressController.readinessProbe.enabled Enable readinessProbe on APISIX Ingress Controller containers
  ## @param ingressController.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param ingressController.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param ingressController.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param ingressController.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param ingressController.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param ingressController.startupProbe.enabled Enable startupProbe on APISIX Ingress Controller containers
  ## @param ingressController.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param ingressController.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param ingressController.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param ingressController.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param ingressController.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param ingressController.customLivenessProbe Custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param ingressController.customReadinessProbe Custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param ingressController.customStartupProbe Custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
  ## APISIX Ingress Controller resource requests and limits
  ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param ingressController.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if ingressController.resources is set (ingressController.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param ingressController.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Configure Pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param ingressController.podSecurityContext.enabled Enabled APISIX Ingress Controller pods' Security Context
  ## @param ingressController.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param ingressController.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param ingressController.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param ingressController.podSecurityContext.fsGroup Set APISIX Ingress Controller pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param ingressController.containerSecurityContext.enabled Enabled APISIX Ingress Controller containers' Security Context
  ## @param ingressController.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param ingressController.containerSecurityContext.runAsUser Set APISIX Ingress Controller containers' Security Context runAsUser
  ## @param ingressController.containerSecurityContext.runAsGroup Set APISIX Ingress Controller containers' Security Context runAsGroup
  ## @param ingressController.containerSecurityContext.runAsNonRoot Set APISIX Ingress Controller containers' Security Context runAsNonRoot
  ## @param ingressController.containerSecurityContext.privileged Set APISIX Ingress Controller containers' Security Context privileged
  ## @param ingressController.containerSecurityContext.readOnlyRootFilesystem Set APISIX Ingress Controller containers' Security Context readOnlyRootFilesystem
  ## @param ingressController.containerSecurityContext.allowPrivilegeEscalation Set APISIX Ingress Controller container's privilege escalation
  ## @param ingressController.containerSecurityContext.capabilities.drop Set APISIX Ingress Controller container's Security Context capabilities to be dropped
  ## @param ingressController.containerSecurityContext.seccompProfile.type Set APISIX Ingress Controller container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: RuntimeDefault
  ## @param ingressController.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param ingressController.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param ingressController.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: true
  ## @param ingressController.hostAliases APISIX Ingress Controller pods host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param ingressController.podLabels Extra labels for APISIX Ingress Controller pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param ingressController.podAnnotations Annotations for APISIX Ingress Controller pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param ingressController.podAffinityPreset Pod affinity preset. Ignored if `ingressController.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param ingressController.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `ingressController.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
  ## @param ingressController.pdb.create Enable/disable a Pod Disruption Budget creation
  ## @param ingressController.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ## @param ingressController.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
  ## Node affinity preset
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param ingressController.nodeAffinityPreset.type Node affinity preset type. Ignored if `ingressController.affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param ingressController.nodeAffinityPreset.key Node label key to match. Ignored if `ingressController.affinity` is set
    ##
    key: ""
    ## @param ingressController.nodeAffinityPreset.values Node label values to match. Ignored if `ingressController.affinity` is set
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param ingressController.affinity Affinity for APISIX Ingress Controller pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## NOTE: `ingressController.podAffinityPreset`, `ingressController.podAntiAffinityPreset`, and `ingressController.nodeAffinityPreset` will be ignored when it's set
  ##
  affinity: {}
  ## @param ingressController.nodeSelector Node labels for APISIX Ingress Controller pods assignment
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param ingressController.tolerations Tolerations for APISIX Ingress Controller pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param ingressController.updateStrategy.type APISIX Ingress Controller statefulset strategy type
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  ##
  updateStrategy:
    ## StrategyType
    ## Can be set to RollingUpdate or OnDelete
    ##
    type: RollingUpdate
  ## @param ingressController.priorityClassName APISIX Ingress Controller pods' priorityClassName
  ##
  priorityClassName: ""
  ## @param ingressController.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: []
  ## @param ingressController.schedulerName Name of the k8s scheduler (other than default) for APISIX Ingress Controller pods
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param ingressController.terminationGracePeriodSeconds Seconds APISIX Ingress Controller pod needs to terminate gracefully
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
  ##
  terminationGracePeriodSeconds: ""
  ## @param ingressController.lifecycleHooks for the APISIX Ingress Controller container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## @param ingressController.extraEnvVars Array with extra environment variables to add to APISIX Ingress Controller nodes
  ## e.g:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraEnvVars: []
  ## @param ingressController.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for APISIX Ingress Controller nodes
  ##
  extraEnvVarsCM: ""
  ## @param ingressController.extraEnvVarsSecret Name of existing Secret containing extra env vars for APISIX Ingress Controller nodes
  ##
  extraEnvVarsSecret: ""
  ## @param ingressController.extraVolumes Optionally specify extra list of additional volumes for the APISIX Ingress Controller pod(s)
  ##
  extraVolumes: []
  ## @param ingressController.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the APISIX Ingress Controller container(s)
  ##
  extraVolumeMounts: []
  ## @param ingressController.sidecars Add additional sidecar containers to the APISIX Ingress Controller pod(s)
  ## e.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param ingressController.initContainers Add additional init containers to the APISIX Ingress Controller pod(s)
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
  ## e.g:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     command: ['sh', '-c', 'echo "hello world"']
  ##
  initContainers: []
  ## @param ingressController.ingressClass.create Specifies whether an IngressClass should be created
  ## @param ingressController.ingressClass.name IngressClass that will be used to implement the APISIX Ingress Controller Ingress
  ## @param ingressController.ingressClass.annotations Additional annotations for the APISIX Ingress Controller IngressClass
  ##
  ingressClass:
    create: true
    name: "apisix"
    annotations: {}
  ## @param ingressController.defaultConfig [string] APISIX Ingress Controller configuration (evaluated as a template)
  ##
  defaultConfig: |
    # log options
    log_level: "info"
    log_output: "stderr"
    {{- if .Values.ingressController.tls.enabled }}
    https_listen: ":{{ .Values.ingressController.containerPorts.https }}"
    cert_file: "/iamguarded/certs/{{ .Values.ingressController.tls.certFilename }}"
    key_file: "/iamguarded/certs/{{ .Values.ingressController.tls.certKeyFilename }}"
    {{- end }}
    http_listen: ":{{ .Values.ingressController.containerPorts.http }}"
    ingress_publish_service: "{{ include "common.names.namespace" . }}/{{ ternary (include "apisix.data-plane.fullname" .) (include "apisix.control-plane.fullname" .) .Values.dataPlane.enabled }}"
    enable_profiling: true
    apisix-resource-sync-interval: 1h
    kubernetes:
      kubeconfig: ""
      resync_interval: "6h"
      election_id: "{{ include "apisix.ingress-controller.fullname" . }}-leader"
      ingress_class: {{ .Values.ingressController.ingressClass.name | quote }}
      ingress_version: "networking/v1"
      watch_endpointslices: false
      apisix_route_version: "apisix.apache.org/v2"
      enable_gateway_api: false
      apisix_version: "apisix.apache.org/v2"
      plugin_metadata_cm: ""
    apisix:
      admin_api_version: "v3"
      default_cluster_base_url: {{ ternary "https" "http" .Values.controlPlane.tls.enabled }}://{{ include "apisix.control-plane.fullname" . }}:{{ .Values.controlPlane.service.ports.adminAPI }}/apisix/admin
      default_cluster_admin_key: "{{ print "{{APISIX_ADMIN_API_TOKEN}}" }}"
      default_cluster_name: "default"
  ## @param ingressController.extraConfig Extra configuration parameters for APISIX Ingress Controller
  ##
  extraConfig: {}
  ## @param ingressController.existingConfigMap name of a ConfigMap with existing configuration for the APISIX Ingress Controller
  ##
  existingConfigMap: ""
  ## @param ingressController.extraConfigExistingConfigMap name of a ConfigMap with existing configuration for the APISIX Ingress Controller
  ##
  extraConfigExistingConfigMap: ""
  tls:
    ## @param ingressController.tls.enabled Enable TLS transport in APISIX Ingress Controller
    ##
    enabled: true
    ## @param ingressController.tls.autoGenerated Auto-generate self-signed certificates
    ##
    autoGenerated: true
    ## @param ingressController.tls.existingSecret Name of a secret containing the certificates
    ##
    existingSecret: ""
    ## @param ingressController.tls.certFilename Path of the certificate file when mounted as a secret
    ##
    certFilename: tls.crt
    ## @param ingressController.tls.certKeyFilename Path of the certificate key file when mounted as a secret
    ##
    certKeyFilename: tls.key
    ## @param ingressController.tls.certCAFilename Path of the certificate CA file when mounted as a secret
    ##
    certCAFilename: ca.crt
    ## @param ingressController.tls.cert Content of the certificate to be added to the secret
    ##
    cert: ""
    ## @param ingressController.tls.key Content of the certificate key to be added to the secret
    ##
    key: ""
    ## @param ingressController.tls.ca Content of the certificate CA to be added to the secret
    ##
    ca: ""
  ## @section APISIX Ingress Controller Traffic Exposure Parameters
  ##
  service:
    ## @param ingressController.service.type APISIX Ingress Controller service type
    ##
    type: ClusterIP
    ## @param ingressController.service.ports.http APISIX Ingress Controller service HTTP port
    ## @param ingressController.service.ports.https APISIX Ingress Controller service HTTPS port
    ##
    ports:
      http: 80
      https: 443
    ## Node ports to expose
    ## @param ingressController.service.nodePorts.http Node port for HTTP
    ## @param ingressController.service.nodePorts.https Node port for HTTPS
    ## NOTE: choose port between <30000-32767>
    ##
    nodePorts:
      http: ""
      https: ""
    ## @param ingressController.service.clusterIP APISIX Ingress Controller service Cluster IP
    ## e.g.:
    ## clusterIP: None
    ##
    clusterIP: ""
    ## @param ingressController.service.loadBalancerIP APISIX Ingress Controller service Load Balancer IP
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
    ##
    loadBalancerIP: ""
    ## @param ingressController.service.loadBalancerSourceRanges APISIX Ingress Controller service Load Balancer sources
    ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ## e.g:
    ## loadBalancerSourceRanges:
    ##   - 10.10.10.0/24
    ##
    loadBalancerSourceRanges: []
    ## @param ingressController.service.externalIPs APISIX Ingress Controller service External IPs
    ## https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
    ## e.g.
    ## externalIPs:
    ##   - 10.10.10.1
    ##   - 201.22.30.1
    ##
    externalIPs: []
    ## @param ingressController.service.externalTrafficPolicy APISIX Ingress Controller service external traffic policy
    ## ref: http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-web-source-ip
    ##
    externalTrafficPolicy: Cluster
    ## @param ingressController.service.annotations Additional custom annotations for APISIX Ingress Controller service
    ##
    annotations: {}
    ## @param ingressController.service.extraPorts Extra ports to expose in APISIX Ingress Controller service (normally used with the `sidecars` value)
    ##
    extraPorts: []
    ## @param ingressController.service.sessionAffinity Control where web requests go, to the same pod or round-robin
    ## Values: ClientIP or None
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
    ##
    sessionAffinity: None
    ## @param ingressController.service.sessionAffinityConfig Additional settings for the sessionAffinity
    ## sessionAffinityConfig:
    ##   clientIP:
    ##     timeoutSeconds: 300
    ##
    sessionAffinityConfig: {}
  ## Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param ingressController.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param ingressController.networkPolicy.allowExternal Don't require server label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## server label will have network access to the ports server is listening
    ## on. When true, server will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param ingressController.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param ingressController.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
    ##
    kubeAPIServerPorts: [443, 6443, 8443]
    ## @param ingressController.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    extraIngress: []
    ## @param ingressController.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy (ignored if allowExternalEgress=true)
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param ingressController.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param ingressController.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
  ## ref: http://kubernetes.io/docs/concepts/services-networking/ingress/
  ##
  ingress:
    ## @param ingressController.ingress.enabled Enable ingress record generation for APISIX Ingress Controller
    ##
    enabled: false
    ## @param ingressController.ingress.pathType Ingress path type
    ##
    pathType: ImplementationSpecific
    ## @param ingressController.ingress.apiVersion Force Ingress API version (automatically detected if not set)
    ##
    apiVersion: ""
    ## @param ingressController.ingress.hostname Default host for the ingress record
    ##
    hostname: apisix-ingress-controller.local
    ## @param ingressController.ingress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
    ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster.
    ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
    ##
    ingressClassName: ""
    ## @param ingressController.ingress.path Default path for the ingress record
    ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers
    ##
    path: /
    ## @param ingressController.ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
    ## Use this parameter to set the required annotations for cert-manager, see
    ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
    ## e.g:
    ## annotations:
    ##   kubernetes.io/ingress.class: nginx
    ##   cert-manager.io/cluster-issuer: cluster-issuer-name
    ##
    annotations: {}
    ## @param ingressController.ingress.tls Enable TLS configuration for the host defined at `ingressController.ingress.hostname` parameter
    ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`
    ## You can:
    ##   - Use the `ingressController.ingress.secrets` parameter to create this TLS secret
    ##   - Rely on cert-manager to create it by setting the corresponding annotations
    ##   - Rely on Helm to create self-signed certificates by setting `ingressController.ingress.selfSigned=true`
    ##
    tls: false
    ## @param ingressController.ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
    ##
    selfSigned: false
    ## @param ingressController.ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record
    ## e.g:
    ## extraHosts:
    ##   - name: apisix.local
    ##     path: /
    ##
    extraHosts: []
    ## @param ingressController.ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host
    ## e.g:
    ## extraPaths:
    ## - path: /*
    ##   backend:
    ##     serviceName: ssl-redirect
    ##     servicePort: use-annotation
    ##
    extraPaths: []
    ## @param ingressController.ingress.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record
    ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    ## e.g:
    ## extraTls:
    ## - hosts:
    ##     - apisix.local
    ##   secretName: apisix.local-tls
    ##
    extraTls: []
    ## @param ingressController.ingress.secrets Custom TLS certificates as secrets
    ## NOTE: 'key' and 'certificate' are expected in PEM format
    ## NOTE: 'name' should line up with a 'secretName' set further up
    ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates
    ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days
    ## It is also possible to create and manage the certificates outside of this helm chart
    ## Please see README.md for more information
    ## e.g:
    ## secrets:
    ##   - name: apisix.local-tls
    ##     key: |-
    ##       -----BEGIN RSA PRIVATE KEY-----
    ##       ...
    ##       -----END RSA PRIVATE KEY-----
    ##     certificate: |-
    ##       -----BEGIN CERTIFICATE-----
    ##       ...
    ##       -----END CERTIFICATE-----
    ##
    secrets: []
    ## @param ingressController.ingress.extraRules Additional rules to be covered with this ingress record
    ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    ## e.g:
    ## extraRules:
    ## - host: example.local
    ##   http:
    ##     path: /
    ##     backend:
    ##       service:
    ##         name: example-svc
    ##         port:
    ##           name: http
    ##
    extraRules: []
  ## @section APISIX Ingress Controller Autoscaling configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
  ##
  autoscaling:
    vpa:
      ## @param ingressController.autoscaling.vpa.enabled Enable VPA
      ##
      enabled: false
      ## @param ingressController.autoscaling.vpa.annotations Annotations for VPA resource
      ##
      annotations: {}
      ## @param ingressController.autoscaling.vpa.controlledResources VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
      ##
      controlledResources: []
      ## @param ingressController.autoscaling.vpa.maxAllowed VPA Max allowed resources for the pod
      ##   cpu: 200m
      ##   memory: 100Mi
      maxAllowed: {}
      ## @param ingressController.autoscaling.vpa.minAllowed VPA Min allowed resources for the pod
      ##   cpu: 200m
      ##   memory: 100Mi
      minAllowed: {}
      updatePolicy:
        ## @param ingressController.autoscaling.vpa.updatePolicy.updateMode Autoscaling update policy Specifies whether recommended updates are applied when a Pod is started and whether recommended updates are applied during the life of a Pod
        ## Possible values are "Off", "Initial", "Recreate", and "Auto".
        ##
        updateMode: Auto
    hpa:
      ## @param ingressController.autoscaling.hpa.enabled Enable HPA for APISIX Ingress Controller
      ##
      enabled: false
      ## @param ingressController.autoscaling.hpa.minReplicas Minimum number of APISIX Ingress Controller replicas
      ##
      minReplicas: ""
      ## @param ingressController.autoscaling.hpa.maxReplicas Maximum number of APISIX Ingress Controller replicas
      ##
      maxReplicas: ""
      ## @param ingressController.autoscaling.hpa.targetCPU Target CPU utilization percentage
      ##
      targetCPU: ""
      ## @param ingressController.autoscaling.hpa.targetMemory Target Memory utilization percentage
      ##
      targetMemory: ""
  ## @section APISIX Ingress Controller RBAC Parameters
  ##

  ## RBAC configuration
  ##
  rbac:
    ## @param ingressController.rbac.create Specifies whether RBAC resources should be created
    ##
    create: true
    ## @param ingressController.rbac.rules Custom RBAC rules to set
    ## e.g:
    ## rules:
    ##   - apiGroups:
    ##       - ""
    ##     resources:
    ##       - pods
    ##     verbs:
    ##       - get
    ##       - list
    ##
    rules: []
  ## ServiceAccount configuration
  ##
  serviceAccount:
    ## @param ingressController.serviceAccount.create Specifies whether a ServiceAccount should be created
    ##
    create: true
    ## @param ingressController.serviceAccount.name The name of the ServiceAccount to use.
    ## If not set and create is true, a name is generated using the common.names.fullname template
    ##
    name: ""
    ## @param ingressController.serviceAccount.annotations Additional Service Account annotations (evaluated as a template)
    ##
    annotations: {}
    ## @param ingressController.serviceAccount.automountServiceAccountToken Automount service account token for the server service account
    ##
    automountServiceAccountToken: false
  ## Prometheus metrics
  ##
  metrics:
    ## @param ingressController.metrics.enabled Enable the export of Prometheus metrics
    ##
    enabled: false
    ## @param ingressController.metrics.annotations [object] Annotations for the APISIX Ingress Controller service in order to scrape metrics
    annotations:
      prometheus.io/scrape: "true"
      prometheus.io/port: "{{ .Values.ingressController.service.ports.http }}"
    ## Prometheus Operator ServiceMonitor configuration
    ##
    serviceMonitor:
      ## @param ingressController.metrics.serviceMonitor.enabled if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`)
      ##
      enabled: false
      ## @param ingressController.metrics.serviceMonitor.namespace Namespace in which Prometheus is running
      ##
      namespace: ""
      ## @param ingressController.metrics.serviceMonitor.annotations Additional custom annotations for the ServiceMonitor
      ##
      annotations: {}
      ## @param ingressController.metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
      ##
      labels: {}
      ## @param ingressController.metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in Prometheus
      ##
      jobLabel: ""
      ## @param ingressController.metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
      ##
      honorLabels: false
      ## @param ingressController.metrics.serviceMonitor.interval Interval at which metrics should be scraped.
      ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
      ## e.g:
      ## interval: 10s
      ##
      interval: ""
      ## @param ingressController.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
      ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
      ## e.g:
      ## scrapeTimeout: 10s
      ##
      scrapeTimeout: ""
      ## @param ingressController.metrics.serviceMonitor.metricRelabelings Specify additional relabeling of metrics
      ##
      metricRelabelings: []
      ## @param ingressController.metrics.serviceMonitor.relabelings Specify general relabeling
      ##
      relabelings: []
      ## @param ingressController.metrics.serviceMonitor.selector Prometheus instance selector labels
      ## selector:
      ##   prometheus: my-prometheus
      ##
      selector: {}
## @section Init containers parameters
##
waitContainer:
  ## @param waitContainer.image.registry [default: REGISTRY_NAME] Init container wait-container image registry
  ## @param waitContainer.image.repository [default: REPOSITORY_NAME/os-shell] Init container wait-container image name
  ## @skip waitContainer.image.tag Init container wait-container image tag
  ## @param waitContainer.image.digest Init container wait-container image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/os-shell-iamguarded
    tag: 1.0.0
    digest: ""
    ## @param waitContainer.image.pullPolicy Init container wait-container image pull policy
    ##
    pullPolicy: IfNotPresent
    ## @param waitContainer.image.pullSecrets [array] Specify docker-registry secret names as an array
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## e.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param waitContainer.containerSecurityContext.enabled Enabled APISIX Ingress Controller containers' Security Context
  ## @param waitContainer.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param waitContainer.containerSecurityContext.runAsUser Set APISIX Ingress Controller containers' Security Context runAsUser
  ## @param waitContainer.containerSecurityContext.runAsGroup Set APISIX Ingress Controller containers' Security Context runAsGroup
  ## @param waitContainer.containerSecurityContext.runAsNonRoot Set APISIX Ingress Controller containers' Security Context runAsNonRoot
  ## @param waitContainer.containerSecurityContext.privileged Set APISIX Ingress Controller containers' Security Context privileged
  ## @param waitContainer.containerSecurityContext.readOnlyRootFilesystem Set APISIX Ingress Controller containers' Security Context readOnlyRootFilesystem
  ## @param waitContainer.containerSecurityContext.allowPrivilegeEscalation Set APISIX Ingress Controller containers' Security Context allowPrivilegeEscalation
  ## @param waitContainer.containerSecurityContext.capabilities.drop Set APISIX Ingress Controller containers' Security Context capabilities.drop
  ## @param waitContainer.containerSecurityContext.seccompProfile.type Set APISIX Ingress Controller containers' Security Context seccompProfile.type
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: RuntimeDefault
## @section External etcd settings
##
externalEtcd:
  ## @param externalEtcd.servers List of hostnames of the external etcd
  ##
  servers: []
  ## @param externalEtcd.port Port of the external etcd instance
  ##
  port: 2379
  ## @param externalEtcd.user User of the external etcd instance
  ##
  user: root
  ## @param externalEtcd.password Password of the external etcd instance
  ##
  password: ""
  ## @param externalEtcd.existingSecret Name of a secret containing the external etcd password
  ##
  existingSecret: ""
  ## @param externalEtcd.existingSecretPasswordKey Key inside the secret containing the external etcd password
  ##
  existingSecretPasswordKey: "etcd-root-password"
  ## @param externalEtcd.secureTransport Use TLS for client-to-server communications
  ##
  secureTransport: false
## @section etcd sub-chart parameters
##
etcd:
  ## @param etcd.enabled Deploy etcd sub-chart
  ##
  enabled: true
  ## @param etcd.replicaCount Number of etcd replicas
  ##
  replicaCount: 3
  ## @param etcd.containerPorts.client Container port for etcd
  ##
  containerPorts:
    client: 2379
  ## @param etcd.auth.rbac.create Switch to enable RBAC authentication
  ## @param etcd.auth.rbac.rootPassword etcd root password
  ## @param etcd.auth.client.secureTransport use TLS for client-to-server communications
  ##
  auth:
    rbac:
      ## Currently the data_plane is not working with etcd credentials enabled. This should be
      ## changed when this is fixed by APISIX
      create: false
      rootPassword: ""
    client:
      secureTransport: false
  ## @param etcd.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
  ##
  resourcesPreset: "micro"
  ## @param etcd.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  image:
    registry: cgr.dev
    repository: chainguard-private/etcd-iamguarded
    tag: 3.6.8
    digest: ""
