ingress-nginx

Helm chart
Default values
## nginx configuration
## Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/index.md
##

global:
  image:
    # -- Registry host to pull images from.
    registry: cgr.dev
## Overrides for generated resource names
# See templates/_helpers.tpl
# nameOverride:
# fullnameOverride:

# -- Override the deployment namespace; defaults to .Release.Namespace
namespaceOverride: ""
## Labels to apply to all resources
##
commonLabels: {}
# scmhash: abc123
# myLabel: aakkmd

controller:
  name: controller
  enableAnnotationValidations: true
  image:
    ## Keep false as default for now!
    chroot: false
    # registry: registry.k8s.io
    image: chainguard-private/ingress-nginx-controller
    ## for backwards compatibility consider setting the full image url via the repository value below
    ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
    ## repository:
    tag: latest
    digest: sha256:e929a38f935422a5f7679621916fd423032c9e1b034de1cb0bc9f5123cd16498
    digestChroot: sha256:af31d00c9d82c612896b380a9003bd36843b7647b98e4588251c66325317bc72
    pullPolicy: IfNotPresent
    runAsNonRoot: true
    # -- This value must not be changed using the official image.
    # uid=101(www-data) gid=82(www-data) groups=82(www-data)
    runAsUser: 101
    # -- This value must not be changed using the official image.
    # uid=101(www-data) gid=82(www-data) groups=82(www-data)
    runAsGroup: 82
    allowPrivilegeEscalation: false
    seccompProfile:
      type: RuntimeDefault
    readOnlyRootFilesystem: false
  # -- Configures the controller container name
  containerName: controller
  # -- Configures the ports that the nginx-controller listens on
  containerPort:
    http: 80
    https: 443
  # -- Global configuration passed to the ConfigMap consumed by the controller. Values may contain Helm templates.
  # Ref.: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/
  config: {}
  # -- Annotations to be added to the controller config configuration configmap.
  configAnnotations: {}
  # -- Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers
  proxySetHeaders: {}
  # -- Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers
  addHeaders: {}
  # -- Optionally customize the pod dnsConfig.
  dnsConfig: {}
  # -- Optionally customize the pod hostAliases.
  hostAliases: []
  # - ip: 127.0.0.1
  #   hostnames:
  #   - foo.local
  #   - bar.local
  # - ip: 10.1.2.3
  #   hostnames:
  #   - foo.remote
  #   - bar.remote
  # -- Optionally customize the pod hostname.
  hostname: {}
  # -- Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'.
  # By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller
  # to keep resolving names inside the k8s network, use ClusterFirstWithHostNet.
  dnsPolicy: ClusterFirst
  # -- Instruct the kubelet to use the named RuntimeClass to run the pod
  runtimeClassName: ""
  # -- Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network
  # Ingress status was blank because there is no Service exposing the Ingress-Nginx Controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply
  reportNodeInternalIp: false
  # -- Process Ingress objects without ingressClass annotation/ingressClassName field
  # Overrides value for --watch-ingress-without-class flag of the controller binary
  # Defaults to false
  watchIngressWithoutClass: false
  # -- Process IngressClass per name (additionally as per spec.controller).
  ingressClassByName: false
  # -- This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto"
  # Defaults to false
  enableTopologyAwareRouting: false
  # -- This configuration disable Nginx Controller Leader Election
  disableLeaderElection: false
  # -- Duration a leader election is valid before it's getting re-elected, e.g. `15s`, `10m` or `1h`. (Default: 30s)
  electionTTL: ""
  # -- This configuration defines if Ingress Controller should allow users to set
  # their own *-snippet annotations, otherwise this is forbidden / dropped
  # when users add those annotations.
  # Global snippets in ConfigMap are still respected
  allowSnippetAnnotations: false
  # -- Required for use with CNI based kubernetes installations (such as ones set up by kubeadm),
  # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920
  # is merged
  hostNetwork: false
  ## Use host ports 80 and 443
  ## Disabled by default
  hostPort:
    # -- Enable 'hostPort' or not
    enabled: false
    ports:
      # -- 'hostPort' http port
      http: 80
      # -- 'hostPort' https port
      https: 443
  # NetworkPolicy for controller component.
  networkPolicy:
    # -- Enable 'networkPolicy' or not
    enabled: false
  # -- Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader'
  electionID: ""
  # -- This section refers to the creation of the IngressClass resource.
  # IngressClasses are immutable and cannot be changed after creation.
  # We do not support namespaced IngressClasses, yet, so a ClusterRole and a ClusterRoleBinding is required.
  ingressClassResource:
    # -- Name of the IngressClass
    name: nginx
    # -- Create the IngressClass or not
    enabled: true
    # -- If true, Ingresses without `ingressClassName` get assigned to this IngressClass on creation.
    # Ingress creation gets rejected if there are multiple default IngressClasses.
    # Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class
    default: false
    # -- Annotations to be added to the IngressClass resource.
    annotations: {}
    # -- Controller of the IngressClass. An Ingress Controller looks for IngressClasses it should reconcile by this value.
    # This value is also being set as the `--controller-class` argument of this Ingress Controller.
    # Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class
    controllerValue: k8s.io/ingress-nginx
    # -- Aliases of this IngressClass. Creates copies with identical settings but the respective alias as name.
    # Useful for development environments with only one Ingress Controller but production-like Ingress resources.
    # `default` gets enabled on the original IngressClass only.
    aliases: []
    # aliases:
    # - nginx-alias-1
    # - nginx-alias-2
    # -- A link to a custom resource containing additional configuration for the controller.
    # This is optional if the controller consuming this IngressClass does not require additional parameters.
    # Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class
    parameters: {}
    # parameters:
    #   apiGroup: k8s.example.com
    #   kind: IngressParameters
    #   name: external-lb
  # -- For backwards compatibility with ingress.class annotation, use ingressClass.
  # Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation
  ingressClass: nginx
  # -- Labels to add to the pod container metadata
  podLabels: {}
  # key: value

  # -- Security context for controller pods
  podSecurityContext: {}
  # -- sysctls for controller pods
  ## Ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
  sysctls: {}
  # sysctls:
  #   "net.core.somaxconn": "8192"
  # -- Security context for controller containers
  containerSecurityContext: {}
  # -- Allows customization of the source of the IP address or FQDN to report
  # in the ingress status field. By default, it reads the information provided
  # by the service. If disable, the status field reports the IP address of the
  # node or nodes where an ingress controller pod is running.
  publishService:
    # -- Enable 'publishService' or not
    enabled: true
    # -- Allows overriding of the publish service to bind to
    # Must be <namespace>/<service_name>
    pathOverride: ""
  # Limit the scope of the controller to a specific namespace
  scope:
    # -- Enable 'scope' or not
    enabled: false
    # -- Namespace to limit the controller to; defaults to $(POD_NAMESPACE)
    namespace: ""
    # -- When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels
    # only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces.
    namespaceSelector: ""
  # -- Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE)
  configMapNamespace: ""
  tcp:
    # -- Allows customization of the tcp-services-configmap; defaults to $(POD_NAMESPACE)
    configMapNamespace: ""
    # -- Annotations to be added to the tcp config configmap
    annotations: {}
  udp:
    # -- Allows customization of the udp-services-configmap; defaults to $(POD_NAMESPACE)
    configMapNamespace: ""
    # -- Annotations to be added to the udp config configmap
    annotations: {}
  # -- Maxmind license key to download GeoLite2 Databases.
  ## https://blog.maxmind.com/2019/12/significant-changes-to-accessing-and-using-geolite2-databases/
  maxmindLicenseKey: ""
  # -- Additional command line arguments to pass to Ingress-Nginx Controller
  # E.g. to specify the default SSL certificate you can use
  extraArgs: {}
  ## extraArgs:
  ##   default-ssl-certificate: "<namespace>/<secret_name>"
  ##   time-buckets: "0.005,0.01,0.025,0.05,0.1,0.25,0.5,1,2.5,5,10"
  ##   length-buckets: "10,20,30,40,50,60,70,80,90,100"
  ##   size-buckets: "10,100,1000,10000,100000,1e+06,1e+07"

  # -- Additional environment variables to set
  extraEnvs: []
  # extraEnvs:
  #   - name: FOO
  #     valueFrom:
  #       secretKeyRef:
  #         key: FOO
  #         name: secret-resource

  # -- Use a `DaemonSet` or `Deployment`
  kind: Deployment
  # -- Annotations to be added to the controller Deployment or DaemonSet
  ##
  annotations: {}
  # keel.sh/pollSchedule: "@every 60m"

  # -- Labels to be added to the controller Deployment or DaemonSet and other resources that do not have option to specify labels
  ##
  labels: {}
  # keel.sh/policy: patch
  # keel.sh/trigger: poll

  # -- The update strategy to apply to the Deployment or DaemonSet
  ##
  updateStrategy: {}
  # rollingUpdate:
  #   maxUnavailable: 1
  # type: RollingUpdate

  # -- Specifies the number of seconds you want to wait for the controller deployment to progress before the system reports back that it has failed.
  # Ref.: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#progress-deadline-seconds
  progressDeadlineSeconds: 0
  # -- `minReadySeconds` to avoid killing pods before we are ready
  ##
  minReadySeconds: 0
  # -- Node tolerations for server scheduling to nodes with taints
  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
  ##
  tolerations: []
  # - key: "key"
  #   operator: "Equal|Exists"
  #   value: "value"
  #   effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"

  # -- Affinity and anti-affinity rules for server scheduling to nodes
  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ##
  affinity: {}
  # # An example of preferred pod anti-affinity, weight is in the range 1-100
  # podAntiAffinity:
  #   preferredDuringSchedulingIgnoredDuringExecution:
  #   - weight: 100
  #     podAffinityTerm:
  #       labelSelector:
  #         matchExpressions:
  #         - key: app.kubernetes.io/name
  #           operator: In
  #           values:
  #           - '{{ include "ingress-nginx.name" . }}'
  #         - key: app.kubernetes.io/instance
  #           operator: In
  #           values:
  #           - '{{ .Release.Name }}'
  #         - key: app.kubernetes.io/component
  #           operator: In
  #           values:
  #           - controller
  #       topologyKey: kubernetes.io/hostname

  # # An example of required pod anti-affinity
  # podAntiAffinity:
  #   requiredDuringSchedulingIgnoredDuringExecution:
  #   - labelSelector:
  #       matchExpressions:
  #       - key: app.kubernetes.io/name
  #         operator: In
  #         values:
  #         - '{{ include "ingress-nginx.name" . }}'
  #       - key: app.kubernetes.io/instance
  #         operator: In
  #         values:
  #         - '{{ .Release.Name }}'
  #       - key: app.kubernetes.io/component
  #         operator: In
  #         values:
  #         - controller
  #     topologyKey: kubernetes.io/hostname

  # -- Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in.
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
  ##
  topologySpreadConstraints: []
  # - labelSelector:
  #     matchLabels:
  #       app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
  #       app.kubernetes.io/instance: '{{ .Release.Name }}'
  #       app.kubernetes.io/component: controller
  #   matchLabelKeys:
  #   - pod-template-hash
  #   topologyKey: topology.kubernetes.io/zone
  #   maxSkew: 1
  #   whenUnsatisfiable: ScheduleAnyway
  # - labelSelector:
  #     matchLabels:
  #       app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
  #       app.kubernetes.io/instance: '{{ .Release.Name }}'
  #       app.kubernetes.io/component: controller
  #   matchLabelKeys:
  #   - pod-template-hash
  #   topologyKey: kubernetes.io/hostname
  #   maxSkew: 1
  #   whenUnsatisfiable: ScheduleAnyway

  # -- `terminationGracePeriodSeconds` to avoid killing pods before we are ready
  ## wait up to five minutes for the drain of connections
  ##
  terminationGracePeriodSeconds: 300
  # -- Node labels for controller pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector:
    kubernetes.io/os: linux
  ## Liveness and readiness probe values
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
  ##
  ## startupProbe:
  ##   httpGet:
  ##     # should match container.healthCheckPath
  ##     path: "/healthz"
  ##     port: 10254
  ##     scheme: HTTP
  ##   initialDelaySeconds: 5
  ##   periodSeconds: 5
  ##   timeoutSeconds: 2
  ##   successThreshold: 1
  ##   failureThreshold: 5
  livenessProbe:
    httpGet:
      # should match container.healthCheckPath
      path: "/healthz"
      port: 10254
      scheme: HTTP
    initialDelaySeconds: 10
    periodSeconds: 10
    timeoutSeconds: 1
    successThreshold: 1
    failureThreshold: 5
  readinessProbe:
    httpGet:
      # should match container.healthCheckPath
      path: "/healthz"
      port: 10254
      scheme: HTTP
    initialDelaySeconds: 10
    periodSeconds: 10
    timeoutSeconds: 1
    successThreshold: 1
    failureThreshold: 3
  # -- Path of the health check endpoint. All requests received on the port defined by
  # the healthz-port parameter are forwarded internally to this path.
  healthCheckPath: "/healthz"
  # -- Address to bind the health check endpoint.
  # It is better to set this option to the internal node address
  # if the Ingress-Nginx Controller is running in the `hostNetwork: true` mode.
  healthCheckHost: ""
  # -- Annotations to be added to controller pods
  ##
  podAnnotations: {}
  replicaCount: 1
  # -- Minimum available pods set in PodDisruptionBudget.
  # Define either 'minAvailable' or 'maxUnavailable', never both.
  minAvailable: 1
  # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
  # maxUnavailable: 1
  # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
  # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
  unhealthyPodEvictionPolicy: ""
  ## Define requests resources to avoid probe issues due to CPU utilization in busy nodes
  ## ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903
  ## Ideally, there should be no limits.
  ## https://engineering.indeedblog.com/blog/2019/12/cpu-throttling-regression-fix/
  resources:
    ## limits:
    ##   cpu: 100m
    ##   memory: 90Mi
    requests:
      cpu: 100m
      memory: 90Mi
  # -- Resize policy for controller containers.
  # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/resize-container-resources
  resizePolicy: []
  # - resourceName: cpu
  #   restartPolicy: NotRequired
  # - resourceName: memory
  #   restartPolicy: RestartContainer
  # Mutually exclusive with keda autoscaling
  autoscaling:
    enabled: false
    annotations: {}
    minReplicas: 1
    maxReplicas: 11
    targetCPUUtilizationPercentage: 50
    targetMemoryUtilizationPercentage: 50
    behavior: {}
    # scaleDown:
    #   stabilizationWindowSeconds: 300
    #   policies:
    #   - type: Pods
    #     value: 1
    #     periodSeconds: 180
    # scaleUp:
    #   stabilizationWindowSeconds: 300
    #   policies:
    #   - type: Pods
    #     value: 2
    #     periodSeconds: 60
  autoscalingTemplate: []
  # Custom or additional autoscaling metrics
  # ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics
  # - type: Pods
  #   pods:
  #     metric:
  #       name: nginx_ingress_controller_nginx_process_requests_total
  #     target:
  #       type: AverageValue
  #       averageValue: 10000m

  # Mutually exclusive with hpa autoscaling
  keda:
    apiVersion: "keda.sh/v1alpha1"
    ## apiVersion changes with keda 1.x vs 2.x
    ## 2.x = keda.sh/v1alpha1
    ## 1.x = keda.k8s.io/v1alpha1
    enabled: false
    minReplicas: 1
    maxReplicas: 11
    pollingInterval: 30
    cooldownPeriod: 300
    # fallback:
    #   failureThreshold: 3
    #   replicas: 11
    restoreToOriginalReplicaCount: false
    scaledObject:
      annotations: {}
      # Custom annotations for ScaledObject resource
      # annotations:
      #   key: value
    triggers: []
    # - type: prometheus
    #   metadata:
    #     serverAddress: http://<prometheus-host>:9090
    #     metricName: http_requests_total
    #     threshold: '100'
    #     query: sum(rate(http_requests_total{deployment="my-deployment"}[2m]))

    behavior: {}
    # scaleDown:
    #   stabilizationWindowSeconds: 300
    #   policies:
    #   - type: Pods
    #     value: 1
    #     periodSeconds: 180
    # scaleUp:
    #   stabilizationWindowSeconds: 300
    #   policies:
    #   - type: Pods
    #     value: 2
    #     periodSeconds: 60
  # -- Enable mimalloc as a drop-in replacement for malloc.
  ## ref: https://github.com/microsoft/mimalloc
  ##
  enableMimalloc: true
  ## Override NGINX template
  customTemplate:
    configMapName: ""
    configMapKey: ""
  service:
    # -- Enable controller services or not. This does not influence the creation of either the admission webhook or the metrics service.
    enabled: true
    external:
      # -- Enable the external controller service or not. Useful for internal-only deployments.
      enabled: true
      # -- Labels to be added to the external controller service.
      labels: {}
      # -- Annotations to be added to the external controller service. See `controller.service.internal.annotations` for annotations to be added to the internal controller service.
      annotations: {}
    # -- Labels to be added to both controller services.
    labels: {}
    # -- Type of the external controller service.
    # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
    type: LoadBalancer
    # -- Pre-defined cluster internal IP address of the external controller service. Take care of collisions with existing services.
    # This value is immutable. Set once, it can not be changed without deleting and re-creating the service.
    # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
    clusterIP: ""
    # -- Pre-defined cluster internal IP addresses of the external controller service. Take care of collisions with existing services.
    # This value is immutable. Set once, it can not be changed without deleting and re-creating the service.
    # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
    clusterIPs: []
    # -- List of node IP addresses at which the external controller service is available.
    # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
    externalIPs: []
    # -- Deprecated: Pre-defined IP address of the external controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP.
    # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
    loadBalancerIP: ""
    # -- Restrict access to the external controller service. Values must be CIDRs. Allows any source address by default.
    loadBalancerSourceRanges: []
    # -- Load balancer class of the external controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default.
    # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
    loadBalancerClass: ""
    # -- Enable node port allocation for the external controller service or not. Applies to type `LoadBalancer` only.
    # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
    # allocateLoadBalancerNodePorts: true

    # -- External traffic policy of the external controller service. Set to "Local" to preserve source IP on providers supporting it.
    # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
    externalTrafficPolicy: ""
    # -- Session affinity of the external controller service. Must be either "None" or "ClientIP" if set. Defaults to "None".
    # Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity
    sessionAffinity: ""
    # -- Specifies the health check node port (numeric port number) for the external controller service.
    # If not specified, the service controller allocates a port from your cluster's node port range.
    # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
    # healthCheckNodePort: 0

    # -- Traffic distribution policy of the external controller service. Set to "PreferClose" to route traffic to endpoints that are topologically closer to the client.
    # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution
    trafficDistribution: ""
    # -- Represents the dual-stack capabilities of the external controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack.
    # Fields `ipFamilies` and `clusterIP` depend on the value of this field.
    # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
    ipFamilyPolicy: SingleStack
    # -- List of IP families (e.g. IPv4, IPv6) assigned to the external controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field.
    # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
    ipFamilies:
      - IPv4
    # -- Enable the HTTP listener on both controller services or not.
    enableHttp: true
    # -- Enable the HTTPS listener on both controller services or not.
    enableHttps: true
    ports:
      # -- Port the external HTTP listener is published with.
      http: 80
      # -- Port the external HTTPS listener is published with.
      https: 443
    targetPorts:
      # -- Port of the ingress controller the external HTTP listener is mapped to.
      http: http
      # -- Port of the ingress controller the external HTTPS listener is mapped to.
      https: https
    # -- Declare the app protocol of the external HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol.
    # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol
    appProtocol: true
    nodePorts:
      # -- Node port allocated for the external HTTP listener. If left empty, the service controller allocates one from the configured node port range.
      http: ""
      # -- Node port allocated for the external HTTPS listener. If left empty, the service controller allocates one from the configured node port range.
      https: ""
      # -- Node port mapping for external TCP listeners. If left empty, the service controller allocates them from the configured node port range.
      # Example:
      # tcp:
      #   8080: 30080
      tcp: {}
      # -- Node port mapping for external UDP listeners. If left empty, the service controller allocates them from the configured node port range.
      # Example:
      # udp:
      #   53: 30053
      udp: {}
    internal:
      # -- Enable the internal controller service or not. Remember to configure `controller.service.internal.annotations` when enabling this.
      enabled: false
      # -- Labels to be added to the internal controller service.
      labels: {}
      # -- Annotations to be added to the internal controller service. Mandatory for the internal controller service to be created. Varies with the cloud service.
      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
      annotations: {}
      # -- Type of the internal controller service.
      # Defaults to the value of `controller.service.type`.
      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
      type: ""
      # -- Pre-defined cluster internal IP address of the internal controller service. Take care of collisions with existing services.
      # This value is immutable. Set once, it can not be changed without deleting and re-creating the service.
      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
      clusterIP: ""
      # -- Pre-defined cluster internal IP addresses of the internal controller service. Take care of collisions with existing services.
      # This value is immutable. Set once, it can not be changed without deleting and re-creating the service.
      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
      clusterIPs: []
      # -- List of node IP addresses at which the internal controller service is available.
      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
      externalIPs: []
      # -- Deprecated: Pre-defined IP address of the internal controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP.
      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
      loadBalancerIP: ""
      # -- Restrict access to the internal controller service. Values must be CIDRs. Allows any source address by default.
      loadBalancerSourceRanges: []
      # -- Load balancer class of the internal controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default.
      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
      loadBalancerClass: ""
      # -- Enable node port allocation for the internal controller service or not. Applies to type `LoadBalancer` only.
      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
      # allocateLoadBalancerNodePorts: true

      # -- External traffic policy of the internal controller service. Set to "Local" to preserve source IP on providers supporting it.
      # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
      externalTrafficPolicy: ""
      # -- Session affinity of the internal controller service. Must be either "None" or "ClientIP" if set. Defaults to "None".
      # Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity
      sessionAffinity: ""
      # -- Specifies the health check node port (numeric port number) for the internal controller service.
      # If not specified, the service controller allocates a port from your cluster's node port range.
      # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
      # healthCheckNodePort: 0

      # -- Traffic distribution policy of the internal controller service. Set to "PreferClose" to route traffic to endpoints that are topologically closer to the client.
      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution
      trafficDistribution: ""
      # -- Represents the dual-stack capabilities of the internal controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack.
      # Fields `ipFamilies` and `clusterIP` depend on the value of this field.
      # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
      ipFamilyPolicy: SingleStack
      # -- List of IP families (e.g. IPv4, IPv6) assigned to the internal controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field.
      # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
      ipFamilies:
        - IPv4
      ports: {}
      # -- Port the internal HTTP listener is published with.
      # Defaults to the value of `controller.service.ports.http`.
      # http: 80
      # -- Port the internal HTTPS listener is published with.
      # Defaults to the value of `controller.service.ports.https`.
      # https: 443

      targetPorts: {}
      # -- Port of the ingress controller the internal HTTP listener is mapped to.
      # Defaults to the value of `controller.service.targetPorts.http`.
      # http: http
      # -- Port of the ingress controller the internal HTTPS listener is mapped to.
      # Defaults to the value of `controller.service.targetPorts.https`.
      # https: https

      # -- Declare the app protocol of the internal HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol.
      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol
      appProtocol: true
      nodePorts:
        # -- Node port allocated for the internal HTTP listener. If left empty, the service controller allocates one from the configured node port range.
        http: ""
        # -- Node port allocated for the internal HTTPS listener. If left empty, the service controller allocates one from the configured node port range.
        https: ""
        # -- Node port mapping for internal TCP listeners. If left empty, the service controller allocates them from the configured node port range.
        # Example:
        # tcp:
        #   8080: 30080
        tcp: {}
        # -- Node port mapping for internal UDP listeners. If left empty, the service controller allocates them from the configured node port range.
        # Example:
        # udp:
        #   53: 30053
        udp: {}
  # shareProcessNamespace enables process namespace sharing within the pod.
  # This can be used for example to signal log rotation using `kill -USR1` from a sidecar.
  shareProcessNamespace: false
  # -- Additional containers to be added to the controller pod.
  # See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example.
  extraContainers: []
  # - name: my-sidecar
  #   image: nginx:latest
  # - name: lemonldap-ng-controller
  #   image: lemonldapng/lemonldap-ng-controller:0.2.0
  #   args:
  #     - /lemonldap-ng-controller
  #     - --alsologtostderr
  #     - --configmap=$(POD_NAMESPACE)/lemonldap-ng-configuration
  #   env:
  #     - name: POD_NAME
  #       valueFrom:
  #         fieldRef:
  #           fieldPath: metadata.name
  #     - name: POD_NAMESPACE
  #       valueFrom:
  #         fieldRef:
  #           fieldPath: metadata.namespace
  #   volumeMounts:
  #     - name: copy-portal-skins
  #       mountPath: /srv/var/lib/lemonldap-ng/portal/skins

  # -- Additional volumeMounts to the controller main container.
  extraVolumeMounts: []
  # - name: copy-portal-skins
  #   mountPath: /var/lib/lemonldap-ng/portal/skins

  # -- Additional volumes to the controller pod.
  extraVolumes: []
  # - name: copy-portal-skins
  #   emptyDir: {}

  # -- Containers, which are run before the app containers are started. Values may contain Helm templates.
  extraInitContainers: []
  # - name: init-myservice
  #   image: busybox
  #   command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;']
  # - name: init-dynamic
  #   image: busybox
  #   command:
  #     - sh
  #     - -c
  #     - echo "Release={{ .Release.Name }} Namespace={{ .Release.Namespace }}"

  # -- Modules, which are mounted into the core nginx image.
  extraModules: []
  # - name: mytestmodule
  #   image:
  #     # registry: registry.k8s.io
  #     image: ingress-nginx/mytestmodule
  #     ## for backwards compatibility consider setting the full image url via the repository value below
  #     ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
  #     ## repository:
  #     tag: "v1.0.0"
  #     digest: ""
  #     distroless: false
  #   containerSecurityContext:
  #     runAsNonRoot: true
  #     runAsUser: <user-id>
  #     runAsGroup: <group-id>
  #     allowPrivilegeEscalation: false
  #     seccompProfile:
  #       type: RuntimeDefault
  #     capabilities:
  #       drop:
  #         - ALL
  #     readOnlyRootFilesystem: true
  #   resources: {}
  #
  # The image must contain a `/usr/local/bin/init_module.sh` executable, which
  # will be executed as initContainers, to move its config files within the
  # mounted volume.

  admissionWebhooks:
    name: admission
    annotations: {}
    # ignore-check.kube-linter.io/no-read-only-rootfs: "This deployment needs write access to root filesystem".

    ## Additional annotations to the admission webhooks.
    ## These annotations will be added to the ValidatingWebhookConfiguration and
    ## the Jobs Spec of the admission webhooks.
    enabled: true
    # -- Additional environment variables to set
    extraEnvs: []
    # extraEnvs:
    #   - name: FOO
    #     valueFrom:
    #       secretKeyRef:
    #         key: FOO
    #         name: secret-resource
    # -- Admission Webhook failure policy to use
    failurePolicy: Fail
    # timeoutSeconds: 10
    port: 8443
    certificate: "/usr/local/certificates/cert"
    key: "/usr/local/certificates/key"
    namespaceSelector: {}
    objectSelector: {}
    # -- Labels to be added to admission webhooks
    labels: {}
    service:
      annotations: {}
      # clusterIP: ""
      externalIPs: []
      # loadBalancerIP: ""
      loadBalancerSourceRanges: []
      servicePort: 443
      type: ClusterIP
    createSecretJob:
      name: create
      # -- Deadline in seconds for the job to complete. Must be greater than 0 to enforce. If unset or 0, no deadline is enforced.
      activeDeadlineSeconds: 0
      # -- Security context for secret creation containers
      securityContext:
        runAsNonRoot: true
        runAsUser: 65532
        runAsGroup: 65532
        allowPrivilegeEscalation: false
        seccompProfile:
          type: RuntimeDefault
        capabilities:
          drop:
            - ALL
        readOnlyRootFilesystem: true
      resources: {}
      # limits:
      #   cpu: 10m
      #   memory: 20Mi
      # requests:
      #   cpu: 10m
      #   memory: 20Mi
      # -- Volume mounts for secret creation containers
      volumeMounts: []
      # - name: certs
      #   mountPath: /etc/webhook/certs
      #   readOnly: true
      # -- Volumes for secret creation pod
      volumes: []
      # - name: certs
      #   secret:
      #     secretName: my-webhook-secret
    patchWebhookJob:
      name: patch
      # -- Deadline in seconds for the job to complete. Must be greater than 0 to enforce. If unset or 0, no deadline is enforced.
      activeDeadlineSeconds: 0
      # -- Security context for webhook patch containers
      securityContext:
        runAsNonRoot: true
        runAsUser: 65532
        runAsGroup: 65532
        allowPrivilegeEscalation: false
        seccompProfile:
          type: RuntimeDefault
        capabilities:
          drop:
            - ALL
        readOnlyRootFilesystem: true
      resources: {}
      # -- Volume mounts for webhook patch containers
      volumeMounts: []
      # - name: certs
      #   mountPath: /etc/webhook/certs
      #   readOnly: true
      # -- Volumes for webhook patch pod
      volumes: []
      # - name: certs
      #   secret:
      #     secretName: my-webhook-secret
    patch:
      enabled: true
      image:
        # registry: registry.k8s.io
        image: chainguard-private/kube-webhook-certgen
        ## for backwards compatibility consider setting the full image url via the repository value below
        ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
        ## repository:
        tag: latest
        digest: sha256:1f2157ebf63c7ebfc135640afd44383e43898fb372c2a38c1509d47cf7dd08c0
        pullPolicy: IfNotPresent
      # -- Provide a priority class name to the webhook patching job
      ##
      priorityClassName: ""
      # -- Instruct the kubelet to use the named RuntimeClass to run the pod
      runtimeClassName: ""
      podAnnotations: {}
      # NetworkPolicy for webhook patch
      networkPolicy:
        # -- Enable 'networkPolicy' or not
        enabled: false
      nodeSelector:
        kubernetes.io/os: linux
      tolerations: []
      # -- Labels to be added to patch job resources
      labels: {}
      # -- Security context for secret creation & webhook patch pods
      securityContext: {}
      # -- Admission webhook patch job RBAC
      rbac:
        # -- Create RBAC or not
        create: true
      # -- Admission webhook patch job service account
      serviceAccount:
        # -- Create a service account or not
        create: true
        # -- Custom service account name
        name: ""
        # -- Auto-mount service account token or not
        automountServiceAccountToken: true
    # Use certmanager to generate webhook certs
    certManager:
      enabled: false
      # self-signed root certificate
      rootCert:
        # default to be 5y
        duration: ""
        # -- Revision history limit of the root certificate.
        # Ref.: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
        revisionHistoryLimit: 0
      admissionCert:
        # default to be 1y
        duration: ""
        # -- Revision history limit of the webhook certificate.
        # Ref.: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
        revisionHistoryLimit: 0
      # issuerRef:
      #   name: "issuer"
      #   kind: "ClusterIssuer"
  metrics:
    port: 10254
    portName: metrics
    # if this port is changed, change healthz-port: in extraArgs: accordingly
    enabled: false
    service:
      # -- Enable the metrics service or not.
      enabled: true
      annotations: {}
      # prometheus.io/scrape: "true"
      # prometheus.io/port: "10254"
      # -- Labels to be added to the metrics service resource
      labels: {}
      # clusterIP: ""

      # -- List of IP addresses at which the stats-exporter service is available
      ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
      ##
      externalIPs: []
      # loadBalancerIP: ""
      loadBalancerSourceRanges: []
      servicePort: 10254
      type: ClusterIP
      # externalTrafficPolicy: ""
      # nodePort: ""
    serviceMonitor:
      enabled: false
      additionalLabels: {}
      # -- Annotations to be added to the ServiceMonitor.
      annotations: {}
      ## The label to use to retrieve the job name from.
      ## jobLabel: "app.kubernetes.io/name"
      namespace: ""
      namespaceSelector: {}
      ## Default: scrape .Release.Namespace or namespaceOverride only
      ## To scrape all, use the following:
      ## namespaceSelector:
      ##   any: true
      scrapeInterval: 30s
      # -- Timeout after which the scrape is ended. Not being set if empty and therefore defaults to the global Prometheus scrape timeout.
      scrapeTimeout: ""
      # honorLabels: true
      targetLabels: []
      relabelings: []
      metricRelabelings: []
      # -- Per-scrape limit on number of labels that will be accepted for a sample.
      labelLimit: 0
      # -- Per-scrape limit on length of labels name that will be accepted for a sample.
      labelNameLengthLimit: 0
      # -- Per-scrape limit on length of labels value that will be accepted for a sample.
      labelValueLengthLimit: 0
      # -- Defines a per-scrape limit on the number of scraped samples that will be accepted.
      sampleLimit: 0
      # -- Defines a limit on the number of scraped targets that will be accepted.
      targetLimit: 0
    prometheusRule:
      enabled: false
      additionalLabels: {}
      # -- Annotations to be added to the PrometheusRule.
      annotations: {}
      # namespace: ""
      rules: []
      # # These are just example rules, please adapt them to your needs
      # - alert: NGINXConfigFailed
      #   expr: count(nginx_ingress_controller_config_last_reload_successful == 0) > 0
      #   for: 1s
      #   labels:
      #     severity: critical
      #   annotations:
      #     description: bad ingress config - nginx config test failed
      #     summary: uninstall the latest ingress changes to allow config reloads to resume
      # # By default a fake self-signed certificate is generated as default and
      # # it is fine if it expires. If `--default-ssl-certificate` flag is used
      # # and a valid certificate passed please do not filter for `host` label!
      # # (i.e. delete `{host!="_"}` so also the default SSL certificate is
      # # checked for expiration)
      # - alert: NGINXCertificateExpiry
      #   expr: (avg(nginx_ingress_controller_ssl_expire_time_seconds{host!="_"}) by (host) - time()) < 604800
      #   for: 1s
      #   labels:
      #     severity: critical
      #   annotations:
      #     description: ssl certificate(s) will expire in less than a week
      #     summary: renew expiring certificates to avoid downtime
      # - alert: NGINXTooMany500s
      #   expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"5.+"} ) / sum(nginx_ingress_controller_requests) ) > 5
      #   for: 1m
      #   labels:
      #     severity: warning
      #   annotations:
      #     description: Too many 5XXs
      #     summary: More than 5% of all requests returned 5XX, this requires your attention
      # - alert: NGINXTooMany400s
      #   expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"4.+"} ) / sum(nginx_ingress_controller_requests) ) > 5
      #   for: 1m
      #   labels:
      #     severity: warning
      #   annotations:
      #     description: Too many 4XXs
      #     summary: More than 5% of all requests returned 4XX, this requires your attention
  # -- Improve connection draining when ingress controller pod is deleted using a lifecycle hook:
  # With this new hook, we increased the default terminationGracePeriodSeconds from 30 seconds
  # to 300, allowing the draining of connections up to five minutes.
  # If the active connections end before that, the pod will terminate gracefully at that time.
  # To effectively take advantage of this feature, the Configmap feature
  # worker-shutdown-timeout new value is 240s instead of 10s.
  ##
  lifecycle:
    preStop:
      exec:
        command:
          - /wait-shutdown
  priorityClassName: ""
# -- Rollback limit
##
revisionHistoryLimit: 10
## Default 404 backend
##
defaultBackend:
  ##
  enabled: false
  name: defaultbackend
  image:
    # registry: registry.k8s.io
    image: chainguard-private/ingress-nginx-custom-error-pages
    ## for backwards compatibility consider setting the full image url via the repository value below
    ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
    ## repository:
    tag: latest
    pullPolicy: IfNotPresent
    runAsNonRoot: true
    # nobody user -> uid 65534
    runAsUser: 65534
    runAsGroup: 65534
    allowPrivilegeEscalation: false
    seccompProfile:
      type: RuntimeDefault
    readOnlyRootFilesystem: true
    digest: sha256:d253d5b31d3ac5780ec0b18c99315282f78afcf9c6cb179bb6cd2946b55a50ea
  extraArgs: {}
  serviceAccount:
    create: true
    name: ""
    automountServiceAccountToken: true
  # -- Additional environment variables to set for defaultBackend pods
  extraEnvs: []
  port: 8080
  ## Readiness and liveness probes for default backend
  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  ##
  livenessProbe:
    failureThreshold: 3
    initialDelaySeconds: 30
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 5
  readinessProbe:
    failureThreshold: 6
    initialDelaySeconds: 0
    periodSeconds: 5
    successThreshold: 1
    timeoutSeconds: 5
  # -- The update strategy to apply to the Deployment or DaemonSet
  ##
  updateStrategy: {}
  # rollingUpdate:
  #   maxUnavailable: 1
  # type: RollingUpdate

  # -- `minReadySeconds` to avoid killing pods before we are ready
  ##
  minReadySeconds: 0
  # -- Node tolerations for server scheduling to nodes with taints
  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
  ##
  tolerations: []
  # - key: "key"
  #   operator: "Equal|Exists"
  #   value: "value"
  #   effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"

  # -- Affinity and anti-affinity rules for server scheduling to nodes
  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  affinity: {}
  # # An example of preferred pod anti-affinity, weight is in the range 1-100
  # podAntiAffinity:
  #   preferredDuringSchedulingIgnoredDuringExecution:
  #   - weight: 100
  #     podAffinityTerm:
  #       labelSelector:
  #         matchExpressions:
  #         - key: app.kubernetes.io/name
  #           operator: In
  #           values:
  #           - '{{ include "ingress-nginx.name" . }}'
  #         - key: app.kubernetes.io/instance
  #           operator: In
  #           values:
  #           - '{{ .Release.Name }}'
  #         - key: app.kubernetes.io/component
  #           operator: In
  #           values:
  #           - default-backend
  #       topologyKey: kubernetes.io/hostname

  # # An example of required pod anti-affinity
  # podAntiAffinity:
  #   requiredDuringSchedulingIgnoredDuringExecution:
  #   - labelSelector:
  #       matchExpressions:
  #       - key: app.kubernetes.io/name
  #         operator: In
  #         values:
  #         - '{{ include "ingress-nginx.name" . }}'
  #       - key: app.kubernetes.io/instance
  #         operator: In
  #         values:
  #         - '{{ .Release.Name }}'
  #       - key: app.kubernetes.io/component
  #         operator: In
  #         values:
  #         - default-backend
  #     topologyKey: kubernetes.io/hostname

  # -- Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in.
  # Ref.: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
  topologySpreadConstraints: []
  # - labelSelector:
  #     matchLabels:
  #       app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
  #       app.kubernetes.io/instance: '{{ .Release.Name }}'
  #       app.kubernetes.io/component: default-backend
  #   matchLabelKeys:
  #     - pod-template-hash
  #   topologyKey: topology.kubernetes.io/zone
  #   maxSkew: 1
  #   whenUnsatisfiable: ScheduleAnyway
  # - labelSelector:
  #     matchLabels:
  #       app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
  #       app.kubernetes.io/instance: '{{ .Release.Name }}'
  #       app.kubernetes.io/component: default-backend
  #   matchLabelKeys:
  #     - pod-template-hash
  #   topologyKey: kubernetes.io/hostname
  #   maxSkew: 1
  #   whenUnsatisfiable: ScheduleAnyway
  # -- Security context for default backend pods
  podSecurityContext: {}
  # -- Security context for default backend containers
  containerSecurityContext: {}
  # -- Labels to add to the pod container metadata
  podLabels: {}
  # key: value

  # -- Node labels for default backend pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector:
    kubernetes.io/os: linux
  # -- Annotations to be added to default backend pods
  ##
  podAnnotations: {}
  replicaCount: 1
  # -- Minimum available pods set in PodDisruptionBudget.
  # Define either 'minAvailable' or 'maxUnavailable', never both.
  minAvailable: 1
  # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
  # maxUnavailable: 1
  # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
  # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
  unhealthyPodEvictionPolicy: ""
  resources: {}
  # limits:
  #   cpu: 10m
  #   memory: 20Mi
  # requests:
  #   cpu: 10m
  #   memory: 20Mi

  extraVolumeMounts: []
  ## Additional volumeMounts to the default backend container.
  # - name: copy-portal-skins
  #   mountPath: /var/lib/lemonldap-ng/portal/skins

  extraVolumes: []
  ## Additional volumes to the default backend pod.
  # - name: copy-portal-skins
  #   emptyDir: {}

  extraConfigMaps: []
  ## Additional configmaps to the default backend pod.
  # - name: my-extra-configmap-1
  #   labels:
  #     type: config-1
  #   data:
  #     extra_file_1.html: |
  #       <!-- Extra HTML content for ConfigMap 1 -->
  # - name: my-extra-configmap-2
  #   labels:
  #     type: config-2
  #   data:
  #     extra_file_2.html: |
  #       <!-- Extra HTML content for ConfigMap 2 -->

  autoscaling:
    annotations: {}
    enabled: false
    minReplicas: 1
    maxReplicas: 2
    targetCPUUtilizationPercentage: 50
    targetMemoryUtilizationPercentage: 50
  # NetworkPolicy for default backend component.
  networkPolicy:
    # -- Enable 'networkPolicy' or not
    enabled: false
  service:
    annotations: {}
    # clusterIP: ""
    # -- Pre-defined cluster internal IP addresses of the default backend service. Take care of collisions with existing services.
    # This value is immutable. Set once, it can not be changed without deleting and re-creating the service.
    # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
    clusterIPs: []
    # -- List of IP addresses at which the default backend service is available
    ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
    ##
    externalIPs: []
    # loadBalancerIP: ""
    loadBalancerSourceRanges: []
    servicePort: 80
    type: ClusterIP
  priorityClassName: ""
  # -- Instruct the kubelet to use the named RuntimeClass to run the pod
  runtimeClassName: ""
  # -- Labels to be added to the default backend resources
  labels: {}
## Enable RBAC as per https://github.com/kubernetes/ingress-nginx/blob/main/docs/deploy/rbac.md and https://github.com/kubernetes/ingress-nginx/issues/266
rbac:
  create: true
  scope: false
serviceAccount:
  create: true
  name: ""
  automountServiceAccountToken: true
  # -- Annotations for the controller service account
  annotations: {}
# -- Optional array of imagePullSecrets containing private registry credentials
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
imagePullSecrets: []
# - name: secretName

# -- TCP service key-value pairs
## Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md
##
tcp: {}
# "8080": "default/example-tcp-svc:9000"

# -- UDP service key-value pairs
## Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md
##
udp: {}
# "53": "kube-system/kube-dns:53"

# -- Prefix for TCP and UDP port names in the ingress controller service
## Some cloud providers, like Yandex Cloud, may have requirements for a port name regex to support cloud load balancer integration
portNamePrefix: ""
# -- (string) A base64-encoded Diffie-Hellman parameter.
# This can be generated with: `openssl dhparam 4096 2> /dev/null | base64`
## Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param
dhParam: ""