apisix

Helm chart

Default values

# This file has been modified by Chainguard, Inc.
#
# Copyright Chainguard, Inc. All Rights Reserved.
# Chainguard, Inc. modifications are subject to the license
# available at: https://www.chainguard.dev/legal/software-license-agreement
#
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0

## @section Global parameters
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
##

## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
##
global:
  imageRegistry: ""
  ## E.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  ##
  imagePullSecrets: []
  defaultStorageClass: ""
  ## Security parameters
  ##
  security:
    ## @param global.security.allowInsecureImages Allows skipping image verification
    allowInsecureImages: false
  ## Compatibility adaptations for Kubernetes platforms
  ##
  compatibility:
    ## Compatibility adaptations for Openshift
    ##
    openshift:
      ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
      ##
      adaptSecurityContext: auto
  org: ""
## @section Common parameters
##

## @param kubeVersion Override Kubernetes version
##
kubeVersion: ""
## @param apiVersions Override Kubernetes API versions reported by .Capabilities
##
apiVersions: []
## @param nameOverride String to partially override common.names.name
##
nameOverride: ""
## @param fullnameOverride String to fully override common.names.fullname
##
fullnameOverride: ""
## @param namespaceOverride String to fully override common.names.namespace
##
namespaceOverride: ""
## @param commonLabels Labels to add to all deployed objects
##
commonLabels: {}
## @param commonAnnotations Annotations to add to all deployed objects
##
commonAnnotations: {}
## @param clusterDomain Kubernetes cluster domain name
##
clusterDomain: cluster.local
## @param extraDeploy Array of extra objects to deploy with the release
##
extraDeploy: []
## @param usePasswordFiles Mount credentials as files instead of using environment variables
##
usePasswordFiles: true
## Enable diagnostic mode in the deployment
##
diagnosticMode:
  ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
  ##
  enabled: false
  ## @param diagnosticMode.command Command to override all containers in the deployment
  ##
  command:
    - sleep
  ## @param diagnosticMode.args Args to override all containers in the deployment
  ##
  args:
    - infinity
## Iamguarded APISIX image
## @param image.registry [default: REGISTRY_NAME] APISIX image registry
## @param image.repository [default: REPOSITORY_NAME/apisix] APISIX image repository
## @skip image.tag APISIX image tag (immutable tags are recommended)
## @param image.digest APISIX image digest in the way sha256:aa.... Please note this parameter, if set, will override the image tag (immutable tags are recommended)
## @param image.pullPolicy APISIX image pull policy
## @param image.pullSecrets APISIX image pull secrets
## @param image.debug Enable APISIX image debug mode
##
image:
  registry: cgr.dev
  repository: chainguard-private/apache-apisix-iamguarded
  tag: 3.14.1
  digest: ""
  ## Specify an imagePullPolicy
  ## ref: http://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
  ##
  pullPolicy: IfNotPresent
  ## Optionally specify an array of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ## e.g:
  ## pullSecrets:
  ##   - myRegistryKeySecretName
  ##
  pullSecrets: []
  ## Enable debug mode
  ##
  debug: false
## @section APISIX Data Plane parameters
##
dataPlane:
  ## @param dataPlane.enabled Enable APISIX Data Plane
  ##
  enabled: true
  ## @param dataPlane.useDaemonSet Deploy Data Plane as DaemonSet
  ##
  useDaemonSet: false
  ## @param dataPlane.replicaCount Number of APISIX Data Plane replicas to deploy
  ##
  replicaCount: 1
  ## @param dataPlane.hostNetwork Use hostNetwork in APISIX Data Plane
  ##
  hostNetwork: false
  ## @param dataPlane.dnsPolicy DNS policy for APISIX Data Plane pods
  ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-policies
  ## NOTE: If you set hostNetwork=true, you must set dnsPolicy=ClusterFirstWithHostNet
  ##
  dnsPolicy: ClusterFirst
  ## @param dataPlane.containerPorts.http APISIX Data Plane HTTP container port
  ## @param dataPlane.containerPorts.https APISIX Data Plane HTTPS container port
  ## @param dataPlane.containerPorts.control APISIX Data Plane control container port
  ## @param dataPlane.containerPorts.metrics APISIX Data Plane metrics container port
  ##
  containerPorts:
    http: 9080
    https: 9443
    control: 9090
    metrics: 9099
  ## Configure extra options for APISIX Data Plane containers' liveness and readiness probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param dataPlane.livenessProbe.enabled Enable livenessProbe on APISIX Data Plane containers
  ## @param dataPlane.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param dataPlane.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param dataPlane.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param dataPlane.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param dataPlane.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param dataPlane.readinessProbe.enabled Enable readinessProbe on APISIX Data Plane containers
  ## @param dataPlane.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param dataPlane.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param dataPlane.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param dataPlane.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param dataPlane.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param dataPlane.startupProbe.enabled Enable startupProbe on APISIX Data Plane containers
  ## @param dataPlane.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param dataPlane.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param dataPlane.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param dataPlane.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param dataPlane.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param dataPlane.customLivenessProbe Custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param dataPlane.customReadinessProbe Custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param dataPlane.customStartupProbe Custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
  ## APISIX Data Plane resource requests and limits
  ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param dataPlane.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if dataPlane.resources is set (dataPlane.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param dataPlane.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Configure Pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param dataPlane.podSecurityContext.enabled Enabled APISIX Data Plane pods' Security Context
  ## @param dataPlane.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param dataPlane.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param dataPlane.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param dataPlane.podSecurityContext.fsGroup Set APISIX Data Plane pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param dataPlane.containerSecurityContext.enabled Enabled APISIX Data Plane containers' Security Context
  ## @param dataPlane.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param dataPlane.containerSecurityContext.runAsUser Set APISIX Data Plane containers' Security Context runAsUser
  ## @param dataPlane.containerSecurityContext.runAsGroup Set APISIX Data Plane containers' Security Context runAsGroup
  ## @param dataPlane.containerSecurityContext.runAsNonRoot Set APISIX Data Plane containers' Security Context runAsNonRoot
  ## @param dataPlane.containerSecurityContext.privileged Set APISIX Data Plane containers' Security Context privileged
  ## @param dataPlane.containerSecurityContext.readOnlyRootFilesystem Set APISIX Data Plane containers' Security Context readOnlyRootFilesystem
  ## @param dataPlane.containerSecurityContext.allowPrivilegeEscalation Set APISIX Data Plane container's privilege escalation
  ## @param dataPlane.containerSecurityContext.capabilities.drop Set APISIX Data Plane container's Security Context capabilities to be dropped
  ## @param dataPlane.containerSecurityContext.seccompProfile.type Set APISIX Data Plane container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: RuntimeDefault
  ## @param dataPlane.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param dataPlane.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param dataPlane.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: true
  ## @param dataPlane.hostAliases APISIX Data Plane pods host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param dataPlane.defaultConfig [string] APISIX Data Plane configuration (evaluated as a template)
  ##
  defaultConfig: |
    {{- if .Values.dataPlane.metrics.enabled }}
    plugin_attr:
      prometheus:
        export_uri: /apisix/prometheus/metrics
        metric_prefix: apisix_
        enable_export_server: true
        export_addr:
          ip: 0.0.0.0
          port: {{ .Values.dataPlane.containerPorts.metrics }}
    {{- end }}
    apisix:
      node_listen: {{ .Values.dataPlane.containerPorts.http }}
      enable_admin: false
      {{- if .Values.dataPlane.tls.enabled }}
      ssl:
        enable: true
        listen:
          - port: {{ .Values.dataPlane.containerPorts.https }}
        ssl_trusted_certificate: /iamguarded/certs/{{ .Values.dataPlane.tls.certCAFilename }}
        enable_http2: true
      {{- end }}
      control:
        ip: 0.0.0.0
        port: {{ .Values.dataPlane.containerPorts.control }}
    nginx_config:
      error_log: /dev/stderr
      stream:
        access_log: /dev/stdout
      http:
        access_log: /dev/stdout
        http_configuration_snippet: |
          proxy_buffering off;
    deployment:
      role: data_plane
      role_data_plane:
        config_provider: etcd
        {{- if .Values.controlPlane.enabled }}
        control_plane:
          host:
            - {{ ternary "https" "http" .Values.controlPlane.tls.enabled }}://{{ include "apisix.control-plane.fullname" . }}:{{ .Values.controlPlane.service.ports.configServer }}
          prefix: /apisix
          timeout: 30
        {{- end }}
      {{- if or .Values.etcd.enabled .Values.externalEtcd.servers }}
      etcd:
        host:
          {{- if .Values.etcd.enabled }}
            {{- $replicas := $.Values.etcd.replicaCount | int }}
            {{- range $i, $_e := until $replicas }}
          - {{ printf "%s://%s-%d.%s:%v" (ternary "https" "http" $.Values.etcd.auth.client.secureTransport) (include "apisix.etcd.fullname" $ ) $i (include "apisix.etcd.headlessServiceName" $) ( include "apisix.etcd.port" $ ) }}
            {{- end }}
          {{- else }}
          {{- range $node := .Values.externalEtcd.servers }}
          - {{ ternary "https" "http" $.Values.externalEtcd.secureTransport }}://{{ printf "%s:%v" $node (include "apisix.etcd.port" $) }}
          {{- end }}
          {{- end }}
        prefix: /apisix
        timeout: 30
        use_grpc: false
        startup_retry: 60
        {{- if (include "apisix.etcd.authEnabled" .) }}
        user: "{{ print "{{APISIX_ETCD_USER}}" }}"
        password: "{{ print "{{APISIX_ETCD_PASSWORD}}" }}"
        {{- end }}
      {{- end }}
      {{- if .Values.dataPlane.tls.enabled }}
      certs:
        {{- if .Values.dataPlane.tls.enabled }}
        cert: /iamguarded/certs/{{ .Values.dataPlane.tls.certFilename }}
        cert_key: /iamguarded/certs/{{ .Values.dataPlane.tls.certKeyFilename }}
        {{- if .Values.dataPlane.tls.certCAFilename }}
        client_ca_cert: /iamguarded/certs/{{ .Values.dataPlane.tls.certCAFilename }}
        {{- end }}
        {{- end }}
      {{- end }}
    discovery:
      kubernetes:
        service:
          # apiserver schema, options [http, https]
          schema: https #default https

          # apiserver host, options [ipv4, ipv6, domain, environment variable]
          host: ${KUBERNETES_SERVICE_HOST} #default ${KUBERNETES_SERVICE_HOST}

          # apiserver port, options [port number, environment variable]
          port: ${KUBERNETES_SERVICE_PORT} #default ${KUBERNETES_SERVICE_PORT}

        client:
          # serviceaccount token or token_file
          token_file: /var/run/secrets/kubernetes.io/serviceaccount/token

        default_weight: 50 # weight assigned to each discovered endpoint. default 50, minimum 0
  ## @param dataPlane.extraConfig [object] extra configuration parameters to add to the config.yaml file in APISIX Data Plane
  ##
  extraConfig: {}
  ## @param dataPlane.existingConfigMap name of a ConfigMap with existing configuration for APISIX Data Plane
  ##
  existingConfigMap: ""
  ## @param dataPlane.extraConfigExistingConfigMap name of a ConfigMap with existing configuration for APISIX Data Plane
  ##
  extraConfigExistingConfigMap: ""
  tls:
    ## @param dataPlane.tls.enabled Enable TLS transport in APISIX Data Plane
    ##
    enabled: true
    ## @param dataPlane.tls.autoGenerated Auto-generate self-signed certificates
    ##
    autoGenerated: true
    ## @param dataPlane.tls.existingSecret Name of a secret containing the certificates
    ##
    existingSecret: ""
    ## @param dataPlane.tls.certFilename Path of the certificate file when mounted as a secret
    ##
    certFilename: tls.crt
    ## @param dataPlane.tls.certKeyFilename Path of the certificate key file when mounted as a secret
    ##
    certKeyFilename: tls.key
    ## @param dataPlane.tls.certCAFilename Path of the certificate CA file when mounted as a secret
    ##
    certCAFilename: ca.crt
    ## @param dataPlane.tls.cert Content of the certificate to be added to the secret
    ##
    cert: ""
    ## @param dataPlane.tls.key Content of the certificate key to be added to the secret
    ##
    key: ""
    ## @param dataPlane.tls.ca Content of the certificate CA to be added to the secret
    ##
    ca: ""
  ## @param dataPlane.podLabels Extra labels for APISIX Data Plane pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param dataPlane.podAnnotations Annotations for APISIX Data Plane pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param dataPlane.podAffinityPreset Pod affinity preset. Ignored if `apisix.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param dataPlane.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `apisix.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
  ## @param dataPlane.pdb.create Enable/disable a Pod Disruption Budget creation
  ## @param dataPlane.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ## @param dataPlane.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
  ## Node apisix.affinity preset
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param dataPlane.nodeAffinityPreset.type Node affinity preset type. Ignored if `apisix.affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param dataPlane.nodeAffinityPreset.key Node label key to match. Ignored if `apisix.affinity` is set
    ##
    key: ""
    ## @param dataPlane.nodeAffinityPreset.values Node label values to match. Ignored if `apisix.affinity` is set
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param dataPlane.affinity Affinity for APISIX Data Plane pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## NOTE: `apisix.podAffinityPreset`, `apisix.podAntiAffinityPreset`, and `apisix.nodeAffinityPreset` will be ignored when it's set
  ##
  affinity: {}
  ## @param dataPlane.nodeSelector Node labels for APISIX Data Plane pods assignment
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param dataPlane.tolerations Tolerations for APISIX Data Plane pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param dataPlane.updateStrategy.type APISIX Data Plane statefulset strategy type
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  ##
  updateStrategy:
    ## StrategyType
    ## Can be set to RollingUpdate or OnDelete
    ##
    type: RollingUpdate
  ## @param dataPlane.priorityClassName APISIX Data Plane pods' priorityClassName
  ##
  priorityClassName: ""
  ## @param dataPlane.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: []
  ## @param dataPlane.schedulerName Name of the k8s scheduler (other than default) for APISIX Data Plane pods
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param dataPlane.terminationGracePeriodSeconds Seconds APISIX Data Plane pods need to terminate gracefully
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
  ##
  terminationGracePeriodSeconds: ""
  ## @param dataPlane.lifecycleHooks for the APISIX Data Plane container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## @param dataPlane.extraEnvVars Array with extra environment variables to add to APISIX Data Plane nodes
  ## e.g:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraEnvVars: []
  ## @param dataPlane.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for APISIX Data Plane nodes
  ##
  extraEnvVarsCM: ""
  ## @param dataPlane.extraEnvVarsSecret Name of existing Secret containing extra env vars for APISIX Data Plane nodes
  ##
  extraEnvVarsSecret: ""
  ## @param dataPlane.extraVolumes Optionally specify extra list of additional volumes for the APISIX Data Plane pod(s)
  ##
  extraVolumes: []
  ## @param dataPlane.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the APISIX Data Plane container(s)
  ##
  extraVolumeMounts: []
  ## @param dataPlane.sidecars Add additional sidecar containers to the APISIX Data Plane pod(s)
  ## e.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param dataPlane.initContainers Add additional init containers to the APISIX Data Plane pod(s)
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
  ## e.g:
  ## initContainers:
  ##  - name: your-image-name
  ##    image: your-image
  ##    imagePullPolicy: Always
  ##    command: ['sh', '-c', 'echo "hello world"']
  ##
  initContainers: []
  ## @section APISIX Data Plane Traffic Exposure Parameters
  ##
  service:
    ## @param dataPlane.service.type APISIX Data Plane service type
    ##
    type: LoadBalancer
    ## @param dataPlane.service.ports.http APISIX Data Plane service HTTP port
    ## @param dataPlane.service.ports.https APISIX Data Plane service HTTPS port
    ## @param dataPlane.service.ports.metrics APISIX Data Plane service metrics port
    ##
    ports:
      http: 80
      https: 443
      metrics: 8080
    ## Node ports to expose
    ## @param dataPlane.service.nodePorts.http Node port for HTTP
    ## @param dataPlane.service.nodePorts.https Node port for HTTPS
    ## @param dataPlane.service.nodePorts.metrics Node port for metrics
    ## NOTE: choose port between <30000-32767>
    ##
    nodePorts:
      http: ""
      https: ""
      metrics: ""
    ## @param dataPlane.service.clusterIP APISIX Data Plane service Cluster IP
    ## e.g.:
    ## clusterIP: None
    ##
    clusterIP: ""
    ## @param dataPlane.service.loadBalancerIP APISIX Data Plane service Load Balancer IP
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
    ##
    loadBalancerIP: ""
    ## @param dataPlane.service.loadBalancerSourceRanges APISIX Data Plane service Load Balancer sources
    ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ## e.g:
    ## loadBalancerSourceRanges:
    ##   - 10.10.10.0/24
    ##
    loadBalancerSourceRanges: []
    ## @param dataPlane.service.externalIPs APISIX Data Plane service External IPs
    ## https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
    ## e.g.
    ## externalIPs:
    ##   - 10.10.10.1
    ##   - 201.22.30.1
    ##
    externalIPs: []
    ## @param dataPlane.service.externalTrafficPolicy APISIX Data Plane service external traffic policy
    ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-web-source-ip
    ##
    externalTrafficPolicy: Cluster
    ## @param dataPlane.service.annotations Additional custom annotations for APISIX Data Plane service
    ##
    annotations: {}
    ## @param dataPlane.service.extraPorts Extra ports to expose in APISIX Data Plane service (normally used with the `sidecars` value)
    ##
    extraPorts: []
    ## @param dataPlane.service.sessionAffinity Control where web requests go, to the same pod or round-robin
    ## Values: ClientIP or None
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
    ##
    sessionAffinity: None
    ## @param dataPlane.service.sessionAffinityConfig Additional settings for the sessionAffinity
    ## sessionAffinityConfig:
    ##   clientIP:
    ##     timeoutSeconds: 300
    ##
    sessionAffinityConfig: {}
  ## Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param dataPlane.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param dataPlane.networkPolicy.allowExternal Don't require server label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## server label will have network access to the ports server is listening
    ## on. When true, server will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param dataPlane.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param dataPlane.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
    ##
    kubeAPIServerPorts: [443, 6443, 8443]
    ## @param dataPlane.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    extraIngress: []
    ## @param dataPlane.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy (ignored if allowExternalEgress=true)
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param dataPlane.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param dataPlane.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
  ## ref: http://kubernetes.io/docs/concepts/services-networking/ingress/
  ##
  ingress:
    ## @param dataPlane.ingress.enabled Enable ingress record generation for APISIX Data Plane
    ##
    enabled: false
    ## @param dataPlane.ingress.pathType Ingress path type
    ##
    pathType: ImplementationSpecific
    ## @param dataPlane.ingress.apiVersion Force Ingress API version (automatically detected if not set)
    ##
    apiVersion: ""
    ## @param dataPlane.ingress.hostname Default host for the ingress record
    ##
    hostname: apisix-data-plane.local
    ## @param dataPlane.ingress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
    ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster.
    ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
    ##
    ingressClassName: ""
    ## @param dataPlane.ingress.path Default path for the ingress record
    ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers
    ##
    path: /
    ## @param dataPlane.ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
    ## Use this parameter to set the required annotations for cert-manager, see
    ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
    ## e.g:
    ## annotations:
    ##   kubernetes.io/ingress.class: nginx
    ##   cert-manager.io/cluster-issuer: cluster-issuer-name
    ##
    annotations: {}
    ## @param dataPlane.ingress.tls Enable TLS configuration for the host defined at `dataPlane.ingress.hostname` parameter
    ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`
    ## You can:
    ##   - Use the `dataPlane.ingress.secrets` parameter to create this TLS secret
    ##   - Rely on cert-manager to create it by setting the corresponding annotations
    ##   - Rely on Helm to create self-signed certificates by setting `dataPlane.ingress.selfSigned=true`
    ##
    tls: false
    ## @param dataPlane.ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
    ##
    selfSigned: false
    ## @param dataPlane.ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record
    ## e.g:
    ## extraHosts:
    ##   - name: apisix.local
    ##     path: /
    ##
    extraHosts: []
    ## @param dataPlane.ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host
    ## e.g:
    ## extraPaths:
    ## - path: /*
    ##   backend:
    ##     serviceName: ssl-redirect
    ##     servicePort: use-annotation
    ##
    extraPaths: []
    ## @param dataPlane.ingress.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record
    ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    ## e.g:
    ## extraTls:
    ## - hosts:
    ##     - apisix.local
    ##   secretName: apisix.local-tls
    ##
    extraTls: []
    ## @param dataPlane.ingress.secrets Custom TLS certificates as secrets
    ## NOTE: 'key' and 'certificate' are expected in PEM format
    ## NOTE: 'name' should line up with a 'secretName' set further up
    ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates
    ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days
    ## It is also possible to create and manage the certificates outside of this helm chart
    ## Please see README.md for more information
    ## e.g:
    ## secrets:
    ##   - name: apisix.local-tls
    ##     key: |-
    ##       -----BEGIN RSA PRIVATE KEY-----
    ##       ...
    ##       -----END RSA PRIVATE KEY-----
    ##     certificate: |-
    ##       -----BEGIN CERTIFICATE-----
    ##       ...
    ##       -----END CERTIFICATE-----
    ##
    secrets: []
    ## @param dataPlane.ingress.extraRules Additional rules to be covered with this ingress record
    ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    ## e.g:
    ## extraRules:
    ## - host: example.local
    ##   http:
    ##     path: /
    ##     backend:
    ##       service:
    ##         name: example-svc
    ##         port:
    ##           name: http
    ##
    extraRules: []
  ## @section APISIX Data Plane Autoscaling configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
  ##
  autoscaling:
    vpa:
      ## @param dataPlane.autoscaling.vpa.enabled Enable VPA
      ##
      enabled: false
      ## @param dataPlane.autoscaling.vpa.annotations Annotations for VPA resource
      ##
      annotations: {}
      ## @param dataPlane.autoscaling.vpa.controlledResources VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
      ##
      controlledResources: []
      ## @param dataPlane.autoscaling.vpa.maxAllowed VPA Max allowed resources for the pod
      ##   cpu: 200m
      ##   memory: 100Mi
      maxAllowed: {}
      ## @param dataPlane.autoscaling.vpa.minAllowed VPA Min allowed resources for the pod
      ##   cpu: 200m
      ##   memory: 100Mi
      minAllowed: {}
      updatePolicy:
        ## @param dataPlane.autoscaling.vpa.updatePolicy.updateMode Autoscaling update policy Specifies whether recommended updates are applied when a Pod is started and whether recommended updates are applied during the life of a Pod
        ## Possible values are "Off", "Initial", "Recreate", and "Auto".
        ##
        updateMode: Auto
    hpa:
      ## @param dataPlane.autoscaling.hpa.enabled Enable HPA for APISIX Data Plane
      ##
      enabled: false
      ## @param dataPlane.autoscaling.hpa.minReplicas Minimum number of APISIX Data Plane replicas
      ##
      minReplicas: ""
      ## @param dataPlane.autoscaling.hpa.maxReplicas Maximum number of APISIX Data Plane replicas
      ##
      maxReplicas: ""
      ## @param dataPlane.autoscaling.hpa.targetCPU Target CPU utilization percentage
      ##
      targetCPU: ""
      ## @param dataPlane.autoscaling.hpa.targetMemory Target Memory utilization percentage
      ##
      targetMemory: ""
  ## @section APISIX Data Plane RBAC Parameters
  ##

  ## RBAC configuration
  ##
  rbac:
    ## @param dataPlane.rbac.create Specifies whether RBAC resources should be created
    ##
    create: true
    ## @param dataPlane.rbac.rules Custom RBAC rules to set
    ## e.g:
    ## rules:
    ##   - apiGroups:
    ##       - ""
    ##     resources:
    ##       - pods
    ##     verbs:
    ##       - get
    ##       - list
    ##
    rules: []
  ## ServiceAccount configuration
  ##
  serviceAccount:
    ## @param dataPlane.serviceAccount.create Specifies whether a ServiceAccount should be created
    ##
    create: true
    ## @param dataPlane.serviceAccount.name The name of the ServiceAccount to use.
    ## If not set and create is true, a name is generated using the common.names.fullname template
    ##
    name: ""
    ## @param dataPlane.serviceAccount.annotations Additional Service Account annotations (evaluated as a template)
    ##
    annotations: {}
    ## @param dataPlane.serviceAccount.automountServiceAccountToken Automount service account token for the APISIX Data Plane service account
    ##
    automountServiceAccountToken: false
  ## @section APISIX Data Plane Metrics Parameters
  ##

  ## Prometheus metrics
  ##
  metrics:
    ## @param dataPlane.metrics.enabled Enable the export of Prometheus metrics
    ##
    enabled: false
    ## @param dataPlane.metrics.annotations [object] Annotations for the APISIX Data Plane service in order to scrape metrics
    annotations:
      prometheus.io/scrape: "true"
      prometheus.io/port: "{{ .Values.dataPlane.service.ports.metrics }}"
      prometheus.io/path: "/apisix/prometheus/metrics"
    ## Prometheus Operator ServiceMonitor configuration
    ##
    serviceMonitor:
      ## @param dataPlane.metrics.serviceMonitor.enabled if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`)
      ##
      enabled: false
      ## @param dataPlane.metrics.serviceMonitor.namespace Namespace in which Prometheus is running
      ##
      namespace: ""
      ## @param dataPlane.metrics.serviceMonitor.annotations Additional custom annotations for the ServiceMonitor
      ##
      annotations: {}
      ## @param dataPlane.metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
      ##
      labels: {}
      ## @param dataPlane.metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in Prometheus
      ##
      jobLabel: ""
      ## @param dataPlane.metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
      ##
      honorLabels: false
      ## @param dataPlane.metrics.serviceMonitor.interval Interval at which metrics should be scraped.
      ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
      ## e.g:
      ## interval: 10s
      ##
      interval: ""
      ## @param dataPlane.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
      ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
      ## e.g:
      ## scrapeTimeout: 10s
      ##
      scrapeTimeout: ""
      ## @param dataPlane.metrics.serviceMonitor.metricRelabelings Specify additional relabeling of metrics
      ##
      metricRelabelings: []
      ## @param dataPlane.metrics.serviceMonitor.relabelings Specify general relabeling
      ##
      relabelings: []
      ## @param dataPlane.metrics.serviceMonitor.selector Prometheus instance selector labels
      ## selector:
      ##   prometheus: my-prometheus
      ##
      selector: {}
## @section APISIX Control Plane Parameters
##
controlPlane:
  ## @param controlPlane.enabled Enable APISIX Control Plane
  ##
  enabled: true
  ## @param controlPlane.replicaCount Number of APISIX Control Plane replicas to deploy
  ##
  replicaCount: 1
  ## @param controlPlane.hostNetwork Use hostNetwork
  ##
  hostNetwork: false
  ## @param controlPlane.dnsPolicy DNS policy for APISIX Control Plane pods
  ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-policies
  ## NOTE: If you set hostNetwork=true, you must set dnsPolicy=ClusterFirstWithHostNet
  ##
  dnsPolicy: ClusterFirst
  ## @param controlPlane.useDaemonSet Deploy as DaemonSet
  ##
  useDaemonSet: false
  ## @param controlPlane.dashboardEnabled Enable APISIX Control Plane to expose APISIX Dashboards
  ##
  dashboardEnabled: true
  ## @param controlPlane.containerPorts.adminAPI APISIX Control Plane Admin API port
  ## @param controlPlane.containerPorts.configServer APISIX Control Plane config port
  ## @param controlPlane.containerPorts.control APISIX Control Plane control port
  ## @param controlPlane.containerPorts.metrics APISIX Control Plane metrics port
  ##
  containerPorts:
    adminAPI: 9180
    configServer: 9280
    control: 9090
    metrics: 9099
  ## Configure extra options for APISIX Control Plane containers' liveness and readiness probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param controlPlane.livenessProbe.enabled Enable livenessProbe on APISIX Control Plane containers
  ## @param controlPlane.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param controlPlane.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param controlPlane.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param controlPlane.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param controlPlane.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param controlPlane.readinessProbe.enabled Enable readinessProbe on APISIX Control Plane containers
  ## @param controlPlane.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param controlPlane.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param controlPlane.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param controlPlane.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param controlPlane.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param controlPlane.startupProbe.enabled Enable startupProbe on APISIX Control Plane containers
  ## @param controlPlane.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param controlPlane.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param controlPlane.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param controlPlane.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param controlPlane.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param controlPlane.customLivenessProbe Custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param controlPlane.customReadinessProbe Custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param controlPlane.customStartupProbe Custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
  ## APISIX Control Plane resource requests and limits
  ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param controlPlane.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if controlPlane.resources is set (controlPlane.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param controlPlane.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Configure Pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param controlPlane.podSecurityContext.enabled Enable APISIX Control Plane pods' Security Context
  ## @param controlPlane.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param controlPlane.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param controlPlane.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param controlPlane.podSecurityContext.fsGroup Set APISIX Control Plane pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param controlPlane.containerSecurityContext.enabled Enable APISIX Control Plane containers' Security Context
  ## @param controlPlane.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param controlPlane.containerSecurityContext.runAsUser Set APISIX Control Plane containers' Security Context runAsUser
  ## @param controlPlane.containerSecurityContext.runAsGroup Set APISIX Control Plane containers' Security Context runAsGroup
  ## @param controlPlane.containerSecurityContext.runAsNonRoot Set APISIX Control Plane containers' Security Context runAsNonRoot
  ## @param controlPlane.containerSecurityContext.privileged Set APISIX Control Plane containers' Security Context privileged
  ## @param controlPlane.containerSecurityContext.readOnlyRootFilesystem Set APISIX Control Plane containers' Security Context readOnlyRootFilesystem
  ## @param controlPlane.containerSecurityContext.allowPrivilegeEscalation Set APISIX Control Plane container's privilege escalation
  ## @param controlPlane.containerSecurityContext.capabilities.drop List of capabilities to be dropped from APISIX Control Plane containers
  ## @param controlPlane.containerSecurityContext.seccompProfile.type Set APISIX Control Plane container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: RuntimeDefault
  ## @param controlPlane.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param controlPlane.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param controlPlane.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: true
  ## @param controlPlane.hostAliases APISIX Control Plane pods host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param controlPlane.apiTokenAdmin Admin API Token for APISIX Control Plane
  ##
  apiTokenAdmin: ""
  ## @param controlPlane.apiTokenViewer Viewer API Token for APISIX Control Plane
  ##
  apiTokenViewer: ""
  ## @param controlPlane.existingSecret Name of a secret containing API Tokens for APISIX Control Plane
  ##
  existingSecret: ""
  ## @param controlPlane.existingSecretAdminTokenKey Key inside the secret containing the Admin API Tokens for APISIX Control Plane
  ##
  existingSecretAdminTokenKey: ""
  ## @param controlPlane.existingSecretViewerTokenKey Key inside the secret containing the Viewer API Tokens for APISIX Control Plane
  ##
  existingSecretViewerTokenKey: ""
  ## @param controlPlane.defaultConfig [string] APISIX Control Plane configuration (evaluated as a template)
  ##
  defaultConfig: |
    {{- if .Values.controlPlane.metrics.enabled }}
    plugin_attr:
      prometheus:
        export_uri: /apisix/prometheus/metrics
        metric_prefix: apisix_
        enable_export_server: true
        export_addr:
          ip: 0.0.0.0
          port: {{ .Values.controlPlane.containerPorts.metrics }}
    {{- end }}
    nginx_config:
      error_log: /dev/stderr
      stream:
        access_log: /dev/stdout
      http:
        access_log: /dev/stdout
      http_configuration_snippet: |
        proxy_buffering off;
    apisix:
      control:
        ip: 0.0.0.0
        port: {{ .Values.controlPlane.containerPorts.control }}
    deployment:
      role: control_plane
      role_control_plane:
        config_provider: etcd
        conf_server:
          listen: 0.0.0.0:{{ .Values.controlPlane.containerPorts.configServer }}
          cert: /iamguarded/certs/{{ .Values.controlPlane.tls.certFilename }}
          cert_key: /iamguarded/certs/{{ .Values.controlPlane.tls.certKeyFilename }}
      etcd:
        host:
          {{- if .Values.etcd.enabled }}
          {{- $replicas := $.Values.etcd.replicaCount | int }}
          {{- range $i, $_e := until $replicas }}
          - {{ printf "%s://%s-%d.%s:%v" (ternary "https" "http" $.Values.etcd.auth.client.secureTransport) (include "apisix.etcd.fullname" $ ) $i (include "apisix.etcd.headlessServiceName" $) ( include "apisix.etcd.port" $ ) }}
          {{- end }}
          {{- else }}
          {{- range $node := .Values.externalEtcd.servers }}
          - {{ ternary "https" "http" $.Values.externalEtcd.secureTransport }}://{{ printf "%s:%v" $node (include "apisix.etcd.port" $) }}
          {{- end }}
          {{- end }}
        prefix: /apisix
        timeout: 30
        use_grpc: false
        startup_retry: 60
        {{- if (include "apisix.etcd.authEnabled" .) }}
        user: "{{ print "{{APISIX_ETCD_USER}}" }}"
        password: "{{ print "{{APISIX_ETCD_PASSWORD}}" }}"
        {{- end }}
      {{- if .Values.controlPlane.tls.enabled }}
      certs:
        {{- if .Values.controlPlane.tls.enabled }}
        cert: /iamguarded/certs/{{ .Values.controlPlane.tls.certFilename }}
        cert_key: /iamguarded/certs/{{ .Values.controlPlane.tls.certKeyFilename }}
        {{- if .Values.controlPlane.tls.certCAFilename }}
        client_ca_cert: /iamguarded/certs/{{ .Values.controlPlane.tls.certCAFilename }}
        {{- end }}
        {{- end }}
      {{- end }}
      admin:
        {{- if .Values.controlPlane.tls.enabled }}
        https_admin: true
        admin_api_mtls:
          admin_ssl_cert: /iamguarded/certs/{{ .Values.controlPlane.tls.certFilename }}
          admin_ssl_cert_key: /iamguarded/certs/{{ .Values.controlPlane.tls.certKeyFilename }}
        {{- end }}
        allow_admin:
          - 0.0.0.0/0
        admin_key:
          - name: admin
            key: "{{ print "{{APISIX_ADMIN_API_TOKEN}}" }}"
            role: admin
          - name: viewer
            key: "{{ print "{{APISIX_VIEWER_API_TOKEN}}" }}"
            role: viewer
        admin_listen:
          port: {{ .Values.controlPlane.containerPorts.adminAPI }}
        enable_admin_cors: true # Admin API support CORS response headers.
        enable_admin_ui: {{ ternary "true" "false" .Values.controlPlane.dashboardEnabled }}
    discovery:
      kubernetes:
        service:
          schema: https #default https
          # apiserver host, options [ipv4, ipv6, domain, environment variable]
          host: ${KUBERNETES_SERVICE_HOST}
          # apiserver port, options [port number, environment variable]
          port: ${KUBERNETES_SERVICE_PORT}
        client:
          # serviceaccount token or token_file
          token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
        default_weight: 50 # weight assigned to each discovered endpoint. default 50, minimum 0
  ## @param controlPlane.extraConfig [object] extra configuration parameters to add to the config.yaml file in APISIX Control plane
  ##
  extraConfig: {}
  ## @param controlPlane.existingConfigMap name of a ConfigMap with existing configuration for APISIX Control Plane
  ##
  existingConfigMap: ""
  ## @param controlPlane.extraConfigExistingConfigMap name of a ConfigMap with existing configuration for APISIX Control Plane
  ##
  extraConfigExistingConfigMap: ""
  tls:
    ## @param controlPlane.tls.enabled Enable TLS transport in APISIX Control Plane
    ##
    enabled: true
    ## @param controlPlane.tls.autoGenerated Auto-generate self-signed certificates
    ##
    autoGenerated: true
    ## @param controlPlane.tls.existingSecret Name of a secret containing the certificates
    ##
    existingSecret: ""
    ## @param controlPlane.tls.certFilename Path of the certificate file when mounted as a secret
    ##
    certFilename: tls.crt
    ## @param controlPlane.tls.certKeyFilename Path of the certificate key file when mounted as a secret
    ##
    certKeyFilename: tls.key
    ## @param controlPlane.tls.certCAFilename Path of the certificate CA file when mounted as a secret
    ##
    certCAFilename: ca.crt
    ## @param controlPlane.tls.cert Content of the certificate to be added to the secret
    ##
    cert: ""
    ## @param controlPlane.tls.key Content of the certificate key to be added to the secret
    ##
    key: ""
    ## @param controlPlane.tls.ca Content of the certificate CA to be added to the secret
    ##
    ca: ""
  ## @param controlPlane.podLabels Extra labels for APISIX Control Plane pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param controlPlane.podAnnotations Annotations for APISIX Control Plane pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param controlPlane.podAffinityPreset Pod affinity preset. Ignored if `controlPlane.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param controlPlane.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `controlPlane.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
  ## @param controlPlane.pdb.create Enable/disable a Pod Disruption Budget creation
  ## @param controlPlane.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ## @param controlPlane.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
  ## Node affinity preset
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param controlPlane.nodeAffinityPreset.type Node affinity preset type. Ignored if `controlPlane.affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param controlPlane.nodeAffinityPreset.key Node label key to match. Ignored if `controlPlane.affinity` is set
    ##
    key: ""
    ## @param controlPlane.nodeAffinityPreset.values Node label values to match. Ignored if `controlPlane.affinity` is set
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param controlPlane.affinity Affinity for APISIX Control Plane pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## NOTE: `controlPlane.podAffinityPreset`, `controlPlane.podAntiAffinityPreset`, and `controlPlane.nodeAffinityPreset` will be ignored when it's set
  ##
  affinity: {}
  ## @param controlPlane.nodeSelector Node labels for APISIX Control Plane pods assignment
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param controlPlane.tolerations Tolerations for APISIX Control Plane pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param controlPlane.updateStrategy.type APISIX Control Plane statefulset strategy type
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  ##
  updateStrategy:
    ## StrategyType
    ## Can be set to RollingUpdate or OnDelete
    ##
    type: RollingUpdate
  ## @param controlPlane.priorityClassName APISIX Control Plane pods' priorityClassName
  ##
  priorityClassName: ""
  ## @param controlPlane.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: []
  ## @param controlPlane.schedulerName Name of the k8s scheduler (other than default) for APISIX Control Plane pods
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param controlPlane.terminationGracePeriodSeconds Seconds APISIX Control Plane pods need to terminate gracefully
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
  ##
  terminationGracePeriodSeconds: ""
  ## @param controlPlane.lifecycleHooks for the APISIX Control Plane container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## @param controlPlane.extraEnvVars Array with extra environment variables to add to APISIX Control Plane nodes
  ## e.g:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraEnvVars: []
  ## @param controlPlane.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for APISIX Control Plane nodes
  ##
  extraEnvVarsCM: ""
  ## @param controlPlane.extraEnvVarsSecret Name of existing Secret containing extra env vars for APISIX Control Plane nodes
  ##
  extraEnvVarsSecret: ""
  ## @param controlPlane.extraVolumes Optionally specify extra list of additional volumes for the APISIX Control Plane pod(s)
  ##
  extraVolumes: []
  ## @param controlPlane.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the APISIX Control Plane container(s)
  ##
  extraVolumeMounts: []
  ## @param controlPlane.sidecars Add additional sidecar containers to the APISIX Control Plane pod(s)
  ## e.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param controlPlane.initContainers Add additional init containers to the APISIX Control Plane pod(s)
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
  ## e.g:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     command: ['sh', '-c', 'echo "hello world"']
  ##
  initContainers: []
  ## @section APISIX Control Plane Traffic Exposure Parameters
  ##
  service:
    ## @param controlPlane.service.type APISIX Control Plane service type
    ##
    type: ClusterIP
    ## @param controlPlane.service.ports.adminAPI APISIX Control Plane service Admin API port
    ## @param controlPlane.service.ports.configServer APISIX Control Plane service Config Server port
    ## @param controlPlane.service.ports.metrics APISIX Control Plane service metrics port
    ##
    ports:
      adminAPI: 9180
      configServer: 9280
      metrics: 8080
    ## Node ports to expose
    ## @param controlPlane.service.nodePorts.adminAPI Node port for Admin API
    ## @param controlPlane.service.nodePorts.configServer Node port for Config Server
    ## @param controlPlane.service.nodePorts.metrics Node port for Metrics
    ## NOTE: choose port between <30000-32767>
    ##
    nodePorts:
      adminAPI: ""
      configServer: ""
      metrics: ""
    ## @param controlPlane.service.clusterIP APISIX Control Plane service Cluster IP
    ## e.g.:
    ## clusterIP: None
    ##
    clusterIP: ""
    ## @param controlPlane.service.loadBalancerIP APISIX Control Plane service Load Balancer IP
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
    ##
    loadBalancerIP: ""
    ## @param controlPlane.service.loadBalancerSourceRanges APISIX Control Plane service Load Balancer sources
    ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ## e.g:
    ## loadBalancerSourceRanges:
    ##   - 10.10.10.0/24
    ##
    loadBalancerSourceRanges: []
    ## @param controlPlane.service.externalIPs APISIX Control Plane service External IPs
    ## https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
    ## e.g.
    ## externalIPs:
    ##   - 10.10.10.1
    ##   - 201.22.30.1
    ##
    externalIPs: []
    ## @param controlPlane.service.externalTrafficPolicy APISIX Control Plane service external traffic policy
    ## ref: http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-web-source-ip
    ##
    externalTrafficPolicy: Cluster
    ## @param controlPlane.service.annotations Additional custom annotations for APISIX Control Plane service
    ##
    annotations: {}
    ## @param controlPlane.service.extraPorts Extra ports to expose in APISIX Control Plane service (normally used with the `sidecars` value)
    ##
    extraPorts: []
    ## @param controlPlane.service.sessionAffinity Control where web requests go, to the same pod or round-robin
    ## Values: ClientIP or None
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
    ##
    sessionAffinity: None
    ## @param controlPlane.service.sessionAffinityConfig Additional settings for the sessionAffinity
    ## sessionAffinityConfig:
    ##   clientIP:
    ##     timeoutSeconds: 300
    ##
    sessionAffinityConfig: {}
  ## Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param controlPlane.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param controlPlane.networkPolicy.allowExternal Don't require server label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## server label will have network access to the ports server is listening
    ## on. When true, server will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param controlPlane.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param controlPlane.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
    ##
    kubeAPIServerPorts: [443, 6443, 8443]
    ## @param controlPlane.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    extraIngress: []
    ## @param controlPlane.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy (ignored if allowExternalEgress=true)
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param controlPlane.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param controlPlane.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
1443
  ## ref: http://kubernetes.io/docs/concepts/services-networking/ingress/
  ##
  ingress:
    ## @param controlPlane.ingress.enabled Enable ingress record generation for APISIX Control Plane
    ##
    enabled: false
    ## @param controlPlane.ingress.pathType Ingress path type
    ##
    pathType: ImplementationSpecific
    ## @param controlPlane.ingress.apiVersion Force Ingress API version (automatically detected if not set)
    ##
    apiVersion: ""
    ## @param controlPlane.ingress.hostname Default host for the ingress record
    ##
    hostname: apisix-control-plane.local
    ## @param controlPlane.ingress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
    ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster.
    ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
    ##
    ingressClassName: ""
    ## @param controlPlane.ingress.path Default path for the ingress record
    ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers
    ##
    path: /
    ## @param controlPlane.ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
    ## Use this parameter to set the required annotations for cert-manager, see
    ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
    ## e.g:
    ## annotations:
    ##   kubernetes.io/ingress.class: nginx
    ##   cert-manager.io/cluster-issuer: cluster-issuer-name
    ##
    annotations: {}
    ## @param controlPlane.ingress.tls Enable TLS configuration for the host defined at `controlPlane.ingress.hostname` parameter
    ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`
    ## You can:
    ##   - Use the `controlPlane.ingress.secrets` parameter to create this TLS secret
    ##   - Rely on cert-manager to create it by setting the corresponding annotations
    ##   - Rely on Helm to create self-signed certificates by setting `controlPlane.ingress.selfSigned=true`
    ##
    tls: false
    ## @param controlPlane.ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
    ##
    selfSigned: false
    ## @param controlPlane.ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record
    ## e.g:
    ## extraHosts:
    ##   - name: apisix.local
    ##     path: /
    ##
    extraHosts: []
    ## @param controlPlane.ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host
    ## e.g:
    ## extraPaths:
    ## - path: /*
    ##   backend:
    ##     serviceName: ssl-redirect
    ##     servicePort: use-annotation
    ##
    extraPaths: []
    ## @param controlPlane.ingress.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record
    ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    ## e.g:
    ## extraTls:
    ## - hosts:
    ##     - apisix.local
    ##   secretName: apisix.local-tls
    ##
    extraTls: []
    ## @param controlPlane.ingress.secrets Custom TLS certificates as secrets
    ## NOTE: 'key' and 'certificate' are expected in PEM format
    ## NOTE: 'name' should line up with a 'secretName' set further up
    ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates
    ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days
    ## It is also possible to create and manage the certificates outside of this helm chart
    ## Please see README.md for more information
    ## e.g:
    ## secrets:
    ##   - name: apisix.local-tls
    ##     key: |-
    ##       -----BEGIN RSA PRIVATE KEY-----
    ##       ...
    ##       -----END RSA PRIVATE KEY-----
    ##     certificate: |-
    ##       -----BEGIN CERTIFICATE-----
    ##       ...
    ##       -----END CERTIFICATE-----
    ##
    secrets: []
    ## @param controlPlane.ingress.extraRules Additional rules to be covered with this ingress record
    ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    ## e.g:
    ## extraRules:
    ## - host: example.local
    ##   http:
    ##     path: /
    ##     backend:
    ##       service:
    ##         name: example-svc
    ##         port:
    ##           name: http
    ##
    extraRules: []
  ## @section APISIX Control Plane Autoscaling configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
  ##
  autoscaling:
    vpa:
      ## @param controlPlane.autoscaling.vpa.enabled Enable VPA
      ##
      enabled: false
      ## @param controlPlane.autoscaling.vpa.annotations Annotations for VPA resource
      ##
      annotations: {}
      ## @param controlPlane.autoscaling.vpa.controlledResources VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
      ##
      controlledResources: []
      ## @param controlPlane.autoscaling.vpa.maxAllowed VPA Max allowed resources for the pod
      ##   cpu: 200m
      ##   memory: 100Mi
      maxAllowed: {}
      ## @param controlPlane.autoscaling.vpa.minAllowed VPA Min allowed resources for the pod
      ##   cpu: 200m
      ##   memory: 100Mi
      minAllowed: {}
      updatePolicy:
        ## @param controlPlane.autoscaling.vpa.updatePolicy.updateMode Autoscaling update policy. Specifies whether recommended updates are applied when a Pod is started and whether recommended updates are applied during the life of a Pod
        ## Possible values are "Off", "Initial", "Recreate", and "Auto".
        ##
        updateMode: Auto
    hpa:
      ## @param controlPlane.autoscaling.hpa.enabled Enable HPA for APISIX Control Plane
      ##
      enabled: false
      ## @param controlPlane.autoscaling.hpa.minReplicas Minimum number of APISIX Control Plane replicas
      ##
      minReplicas: ""
      ## @param controlPlane.autoscaling.hpa.maxReplicas Maximum number of APISIX Control Plane replicas
      ##
      maxReplicas: ""
      ## @param controlPlane.autoscaling.hpa.targetCPU Target CPU utilization percentage
      ##
      targetCPU: ""
      ## @param controlPlane.autoscaling.hpa.targetMemory Target Memory utilization percentage
      ##
      targetMemory: ""
  ## @section APISIX Control Plane RBAC parameters
  ##

  ## RBAC configuration
  ##
  rbac:
    ## @param controlPlane.rbac.create Specifies whether RBAC resources should be created
    ##
    create: true
    ## @param controlPlane.rbac.rules Custom RBAC rules to set
    ## e.g:
    ## rules:
    ##   - apiGroups:
    ##       - ""
    ##     resources:
    ##       - pods
    ##     verbs:
    ##       - get
    ##       - list
    ##
    rules: []
  ## ServiceAccount configuration
  ##
  serviceAccount:
    ## @param controlPlane.serviceAccount.create Specifies whether a ServiceAccount should be created
    ##
    create: true
    ## @param controlPlane.serviceAccount.name The name of the ServiceAccount to use.
    ## If not set and create is true, a name is generated using the common.names.fullname template
    ##
    name: ""
    ## @param controlPlane.serviceAccount.annotations Additional Service Account annotations (evaluated as a template)
    ##
    annotations: {}
    ## @param controlPlane.serviceAccount.automountServiceAccountToken Automount service account token for the APISIX Control Plane service account
    ##
    automountServiceAccountToken: false
  ## @section APISIX Control Plane Metrics Parameters
  ##

  ## Prometheus metrics
  ##
  metrics:
    ## @param controlPlane.metrics.enabled Enable the export of Prometheus metrics
    ##
    enabled: false
    ## @param controlPlane.metrics.annotations [object] Annotations for the APISIX Control Plane service in order to scrape metrics
    annotations:
      prometheus.io/scrape: "true"
      prometheus.io/port: "{{ .Values.controlPlane.service.ports.metrics }}"
      prometheus.io/path: "/apisix/prometheus/metrics"
    ## Prometheus Operator ServiceMonitor configuration
    ##
    serviceMonitor:
      ## @param controlPlane.metrics.serviceMonitor.enabled if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`)
      ##
      enabled: false
      ## @param controlPlane.metrics.serviceMonitor.namespace Namespace in which Prometheus is running
      ##
      namespace: ""
      ## @param controlPlane.metrics.serviceMonitor.annotations Additional custom annotations for the ServiceMonitor
      ##
      annotations: {}
      ## @param controlPlane.metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
      ##
      labels: {}
      ## @param controlPlane.metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in Prometheus
      ##
      jobLabel: ""
      ## @param controlPlane.metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
      ##
      honorLabels: false
      ## @param controlPlane.metrics.serviceMonitor.interval Interval at which metrics should be scraped.
      ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
      ## e.g:
      ## interval: 10s
      ##
      interval: ""
      ## @param controlPlane.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
      ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
      ## e.g:
      ## scrapeTimeout: 10s
      ##
      scrapeTimeout: ""
      ## @param controlPlane.metrics.serviceMonitor.metricRelabelings Specify additional relabeling of metrics
      ##
      metricRelabelings: []
      ## @param controlPlane.metrics.serviceMonitor.relabelings Specify general relabeling
      ##
      relabelings: []
      ## @param controlPlane.metrics.serviceMonitor.selector Prometheus instance selector labels
      ## selector:
      ##   prometheus: my-prometheus
      ##
      selector: {}
## @section APISIX Ingress Controller Parameters
##
ingressController:
  ## @param ingressController.enabled Enable APISIX Ingress Controller
  ##
  enabled: true
  ## Iamguarded APISIX Ingress Controller image
  ## @param ingressController.image.registry [default: REGISTRY_NAME] APISIX Ingress Controller image registry
  ## @param ingressController.image.repository [default: REPOSITORY_NAME/apisix-ingress-controller] APISIX Ingress Controller image repository
  ## @skip ingressController.image.tag APISIX Ingress Controller image tag (immutable tags are recommended)
  ## @param ingressController.image.digest APISIX Ingress Controller image digest in the way sha256:aa.... Please note this parameter, if set, will override the image tag (immutable tags are recommended)
  ## @param ingressController.image.pullPolicy APISIX Ingress Controller image pull policy
  ## @param ingressController.image.pullSecrets APISIX Ingress Controller image pull secrets
  ## @param ingressController.image.debug Enable APISIX Ingress Controller image debug mode
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/apisix-ingress-controller-iamguarded
    tag: 1.8.4
    digest: ""
    ## Specify an imagePullPolicy
    ## ref: http://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## e.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
    ## Enable debug mode
    ##
    debug: false
  ## @param ingressController.replicaCount Number of APISIX Ingress Controller replicas to deploy
  ##
  replicaCount: 1
  ## @param ingressController.containerPorts.http APISIX Ingress Controller http container port
  ## @param ingressController.containerPorts.https APISIX Ingress Controller https container port
  ##
  containerPorts:
    http: 8080
    https: 8443
  ## Configure extra options for APISIX Ingress Controller containers' liveness and readiness probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param ingressController.livenessProbe.enabled Enable livenessProbe on APISIX Ingress Controller containers
  ## @param ingressController.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param ingressController.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param ingressController.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param ingressController.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param ingressController.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param ingressController.readinessProbe.enabled Enable readinessProbe on APISIX Ingress Controller containers
  ## @param ingressController.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param ingressController.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param ingressController.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param ingressController.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param ingressController.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param ingressController.startupProbe.enabled Enable startupProbe on APISIX Ingress Controller containers
  ## @param ingressController.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param ingressController.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param ingressController.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param ingressController.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param ingressController.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param ingressController.customLivenessProbe Custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param ingressController.customReadinessProbe Custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param ingressController.customStartupProbe Custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
  ## APISIX Ingress Controller resource requests and limits
  ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param ingressController.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if ingressController.resources is set (ingressController.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param ingressController.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Configure Pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param ingressController.podSecurityContext.enabled Enabled APISIX Ingress Controller pods' Security Context
  ## @param ingressController.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param ingressController.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param ingressController.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param ingressController.podSecurityContext.fsGroup Set APISIX Ingress Controller pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param ingressController.containerSecurityContext.enabled Enabled APISIX Ingress Controller containers' Security Context
  ## @param ingressController.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param ingressController.containerSecurityContext.runAsUser Set APISIX Ingress Controller containers' Security Context runAsUser
  ## @param ingressController.containerSecurityContext.runAsGroup Set APISIX Ingress Controller containers' Security Context runAsGroup
  ## @param ingressController.containerSecurityContext.runAsNonRoot Set APISIX Ingress Controller containers' Security Context runAsNonRoot
  ## @param ingressController.containerSecurityContext.privileged Set APISIX Ingress Controller containers' Security Context privileged
  ## @param ingressController.containerSecurityContext.readOnlyRootFilesystem Set APISIX Ingress Controller containers' Security Context readOnlyRootFilesystem
  ## @param ingressController.containerSecurityContext.allowPrivilegeEscalation Set APISIX Ingress Controller container's privilege escalation
  ## @param ingressController.containerSecurityContext.capabilities.drop List of capabilities to be dropped from the APISIX Ingress Controller container
  ## @param ingressController.containerSecurityContext.seccompProfile.type Set APISIX Ingress Controller container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: RuntimeDefault
  ## @param ingressController.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param ingressController.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param ingressController.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: true
  ## @param ingressController.hostAliases APISIX Ingress Controller pods host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param ingressController.podLabels Extra labels for APISIX Ingress Controller pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param ingressController.podAnnotations Annotations for APISIX Ingress Controller pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param ingressController.podAffinityPreset Pod affinity preset. Ignored if `ingressController.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param ingressController.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `ingressController.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
  ## @param ingressController.pdb.create Enable/disable a Pod Disruption Budget creation
  ## @param ingressController.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ## @param ingressController.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
  ## Node affinity preset
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param ingressController.nodeAffinityPreset.type Node affinity preset type. Ignored if `ingressController.affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param ingressController.nodeAffinityPreset.key Node label key to match. Ignored if `ingressController.affinity` is set
    ##
    key: ""
    ## @param ingressController.nodeAffinityPreset.values Node label values to match. Ignored if `ingressController.affinity` is set
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param ingressController.affinity Affinity for APISIX Ingress Controller pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## NOTE: `ingressController.podAffinityPreset`, `ingressController.podAntiAffinityPreset`, and `ingressController.nodeAffinityPreset` will be ignored when it's set
  ##
  affinity: {}
  ## @param ingressController.nodeSelector Node labels for APISIX Ingress Controller pods assignment
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param ingressController.tolerations Tolerations for APISIX Ingress Controller pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param ingressController.updateStrategy.type APISIX Ingress Controller statefulset strategy type
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  ##
  updateStrategy:
    ## StrategyType
    ## Can be set to RollingUpdate or OnDelete
    ##
    type: RollingUpdate
  ## @param ingressController.priorityClassName APISIX Ingress Controller pods' priorityClassName
  ##
  priorityClassName: ""
  ## @param ingressController.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: []
  ## @param ingressController.schedulerName Name of the k8s scheduler (other than default) for APISIX Ingress Controller pods
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param ingressController.terminationGracePeriodSeconds Seconds APISIX Ingress Controller pod needs to terminate gracefully
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
  ##
  terminationGracePeriodSeconds: ""
  ## @param ingressController.lifecycleHooks for the APISIX Ingress Controller container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## @param ingressController.extraEnvVars Array with extra environment variables to add to APISIX Ingress Controller nodes
  ## e.g:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraEnvVars: []
  ## @param ingressController.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for APISIX Ingress Controller nodes
  ##
  extraEnvVarsCM: ""
  ## @param ingressController.extraEnvVarsSecret Name of existing Secret containing extra env vars for APISIX Ingress Controller nodes
  ##
  extraEnvVarsSecret: ""
  ## @param ingressController.extraVolumes Optionally specify extra list of additional volumes for the APISIX Ingress Controller pod(s)
  ##
  extraVolumes: []
  ## @param ingressController.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the APISIX Ingress Controller container(s)
  ##
  extraVolumeMounts: []
  ## @param ingressController.sidecars Add additional sidecar containers to the APISIX Ingress Controller pod(s)
  ## e.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param ingressController.initContainers Add additional init containers to the APISIX Ingress Controller pod(s)
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
  ## e.g:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     command: ['sh', '-c', 'echo "hello world"']
  ##
  initContainers: []
  ## @param ingressController.ingressClass.create Specifies whether an IngressClass should be created
  ## @param ingressController.ingressClass.name IngressClass that will be used to implement the APISIX Ingress Controller Ingress
  ## @param ingressController.ingressClass.annotations Additional annotations for the APISIX Ingress Controller IngressClass
  ##
  ingressClass:
    create: true
    name: "apisix"
    annotations: {}
  ## @param ingressController.defaultConfig [string] APISIX Ingress Controller configuration (evaluated as a template)
  ##
  defaultConfig: |
    # log options
    log_level: "info"
    log_output: "stderr"
    {{- if .Values.ingressController.tls.enabled }}
    https_listen: ":{{ .Values.ingressController.containerPorts.https }}"
    cert_file: "/iamguarded/certs/{{ .Values.ingressController.tls.certFilename }}"
    key_file: "/iamguarded/certs/{{ .Values.ingressController.tls.certKeyFilename }}"
    {{- end }}
    http_listen: ":{{ .Values.ingressController.containerPorts.http }}"
    ingress_publish_service: "{{ include "common.names.namespace" . }}/{{ ternary (include "apisix.data-plane.fullname" .) (include "apisix.control-plane.fullname" .) .Values.dataPlane.enabled }}"
    enable_profiling: true
    apisix-resource-sync-interval: 1h
    kubernetes:
      kubeconfig: ""
      resync_interval: "6h"
      election_id: "{{ include "apisix.ingress-controller.fullname" . }}-leader"
      ingress_class: {{ .Values.ingressController.ingressClass.name | quote }}
      ingress_version: "networking/v1"
      watch_endpointslices: false
      apisix_route_version: "apisix.apache.org/v2"
      enable_gateway_api: false
      apisix_version: "apisix.apache.org/v2"
      plugin_metadata_cm: ""
    apisix:
      admin_api_version: "v3"
      default_cluster_base_url: {{ ternary "https" "http" .Values.controlPlane.tls.enabled }}://{{ include "apisix.control-plane.fullname" . }}:{{ .Values.controlPlane.service.ports.adminAPI }}/apisix/admin
      default_cluster_admin_key: "{{ print "{{APISIX_ADMIN_API_TOKEN}}" }}"
      default_cluster_name: "default"
  ## @param ingressController.extraConfig Extra configuration parameters for APISIX Ingress Controller
  ##
  extraConfig: {}
  ## @param ingressController.existingConfigMap name of a ConfigMap with existing configuration for the APISIX Ingress Controller
  ##
  existingConfigMap: ""
  ## @param ingressController.extraConfigExistingConfigMap name of a ConfigMap with existing configuration for the APISIX Ingress Controller
  ##
  extraConfigExistingConfigMap: ""
  tls:
    ## @param ingressController.tls.enabled Enable TLS transport in APISIX Ingress Controller
    ##
    enabled: true
    ## @param ingressController.tls.autoGenerated Auto-generate self-signed certificates
    ##
    autoGenerated: true
    ## @param ingressController.tls.existingSecret Name of a secret containing the certificates
    ##
    existingSecret: ""
    ## @param ingressController.tls.certFilename Path of the certificate file when mounted as a secret
    ##
    certFilename: tls.crt
    ## @param ingressController.tls.certKeyFilename Path of the certificate key file when mounted as a secret
    ##
    certKeyFilename: tls.key
    ## @param ingressController.tls.certCAFilename Path of the certificate CA file when mounted as a secret
    ##
    certCAFilename: ca.crt
    ## @param ingressController.tls.cert Content of the certificate to be added to the secret
    ##
    cert: ""
    ## @param ingressController.tls.key Content of the certificate key to be added to the secret
    ##
    key: ""
    ## @param ingressController.tls.ca Content of the certificate CA to be added to the secret
    ##
    ca: ""
## @section APISIX Ingress Controller Traffic Exposure Parameters
2049
##
2050
service:
2051
## @param ingressController.service.type APISIX Ingress Controller service type
2052
##
2053
type: ClusterIP
2054
## @param ingressController.service.ports.http APISIX Ingress Controller service HTTP port
2055
## @param ingressController.service.ports.https APISIX Ingress Controller service HTTPS port
    ##
    ports:
      http: 80
      https: 443
    ## Node ports to expose
    ## @param ingressController.service.nodePorts.http Node port for HTTP
    ## @param ingressController.service.nodePorts.https Node port for HTTPS
    ## NOTE: choose port between <30000-32767>
    ##
    nodePorts:
      http: ""
      https: ""
    ## @param ingressController.service.clusterIP APISIX Ingress Controller service Cluster IP
    ## e.g.:
    ## clusterIP: None
    ##
    clusterIP: ""
    ## @param ingressController.service.loadBalancerIP APISIX Ingress Controller service Load Balancer IP
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
    ##
    loadBalancerIP: ""
    ## @param ingressController.service.loadBalancerSourceRanges APISIX Ingress Controller service Load Balancer sources
    ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ## e.g:
    ## loadBalancerSourceRanges:
    ##   - 10.10.10.0/24
    ##
    loadBalancerSourceRanges: []
    ## @param ingressController.service.externalIPs APISIX Ingress Controller service External IPs
    ## https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
    ## e.g.
    ## externalIPs:
    ##   - 10.10.10.1
    ##   - 201.22.30.1
    ##
    externalIPs: []
    ## @param ingressController.service.externalTrafficPolicy APISIX Ingress Controller service external traffic policy
    ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-web-source-ip
    ##
    externalTrafficPolicy: Cluster
    ## @param ingressController.service.annotations Additional custom annotations for APISIX Ingress Controller service
    ##
    annotations: {}
    ## @param ingressController.service.extraPorts Extra ports to expose in APISIX Ingress Controller service (normally used with the `sidecars` value)
    ##
    extraPorts: []
    ## @param ingressController.service.sessionAffinity Control where web requests go, to the same pod or round-robin
    ## Values: ClientIP or None
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
    ##
    sessionAffinity: None
    ## @param ingressController.service.sessionAffinityConfig Additional settings for the sessionAffinity
    ## sessionAffinityConfig:
    ##   clientIP:
    ##     timeoutSeconds: 300
    ##
    sessionAffinityConfig: {}
  ## Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param ingressController.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param ingressController.networkPolicy.allowExternal Don't require server label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## server label will have network access to the ports server is listening
    ## on. When true, server will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param ingressController.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param ingressController.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
    ##
    kubeAPIServerPorts: [443, 6443, 8443]
    ## @param ingressController.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           matchLabels:
    ##             role: frontend
    ##       - podSelector:
    ##           matchExpressions:
    ##             - key: role
    ##               operator: In
    ##               values:
    ##                 - frontend
    extraIngress: []
    ## @param ingressController.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy (ignored if allowExternalEgress=true)
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           matchLabels:
    ##             role: frontend
    ##       - podSelector:
    ##           matchExpressions:
    ##             - key: role
    ##               operator: In
    ##               values:
    ##                 - frontend
    ##
    extraEgress: []
    ## @param ingressController.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param ingressController.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
  ## ref: http://kubernetes.io/docs/concepts/services-networking/ingress/
  ##
  ingress:
    ## @param ingressController.ingress.enabled Enable ingress record generation for APISIX Ingress Controller
    ##
    enabled: false
    ## @param ingressController.ingress.pathType Ingress path type
    ##
    pathType: ImplementationSpecific
    ## @param ingressController.ingress.apiVersion Force Ingress API version (automatically detected if not set)
    ##
    apiVersion: ""
    ## @param ingressController.ingress.hostname Default host for the ingress record
    ##
    hostname: apisix-ingress-controller.local
    ## @param ingressController.ingress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
    ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster.
    ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
    ##
    ingressClassName: ""
    ## @param ingressController.ingress.path Default path for the ingress record
    ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers
    ##
    path: /
    ## @param ingressController.ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
    ## Use this parameter to set the required annotations for cert-manager, see
    ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
    ## e.g:
    ## annotations:
    ##   kubernetes.io/ingress.class: nginx
    ##   cert-manager.io/cluster-issuer: cluster-issuer-name
    ##
    annotations: {}
    ## @param ingressController.ingress.tls Enable TLS configuration for the host defined at `ingressController.ingress.hostname` parameter
    ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`
    ## You can:
    ##   - Use the `ingressController.ingress.secrets` parameter to create this TLS secret
    ##   - Rely on cert-manager to create it by setting the corresponding annotations
    ##   - Rely on Helm to create self-signed certificates by setting `ingressController.ingress.selfSigned=true`
    ##
    tls: false
    ## @param ingressController.ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
    ##
    selfSigned: false
    ## @param ingressController.ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record
    ## e.g:
    ## extraHosts:
    ##   - name: apisix.local
    ##     path: /
    ##
    extraHosts: []
    ## @param ingressController.ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host
    ## e.g:
    ## extraPaths:
    ## - path: /*
    ##   backend:
    ##     serviceName: ssl-redirect
    ##     servicePort: use-annotation
    ##
    extraPaths: []
    ## @param ingressController.ingress.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record
    ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    ## e.g:
    ## extraTls:
    ## - hosts:
    ##     - apisix.local
    ##   secretName: apisix.local-tls
    ##
    extraTls: []
    ## @param ingressController.ingress.secrets Custom TLS certificates as secrets
    ## NOTE: 'key' and 'certificate' are expected in PEM format
    ## NOTE: 'name' should line up with a 'secretName' set further up
    ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates
    ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days
    ## It is also possible to create and manage the certificates outside of this helm chart
    ## Please see README.md for more information
    ## e.g:
    ## secrets:
    ##   - name: apisix.local-tls
    ##     key: |-
    ##       -----BEGIN RSA PRIVATE KEY-----
    ##       ...
    ##       -----END RSA PRIVATE KEY-----
    ##     certificate: |-
    ##       -----BEGIN CERTIFICATE-----
    ##       ...
    ##       -----END CERTIFICATE-----
    ##
    secrets: []
    ## @param ingressController.ingress.extraRules Additional rules to be covered with this ingress record
    ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    ## e.g:
    ## extraRules:
    ## - host: example.local
    ##   http:
    ##     path: /
    ##     backend:
    ##       service:
    ##         name: example-svc
    ##         port:
    ##           name: http
    ##
    extraRules: []
  ## @section APISIX Ingress Controller Autoscaling configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
  ##
  autoscaling:
    vpa:
      ## @param ingressController.autoscaling.vpa.enabled Enable VPA
      ##
      enabled: false
      ## @param ingressController.autoscaling.vpa.annotations Annotations for VPA resource
      ##
      annotations: {}
      ## @param ingressController.autoscaling.vpa.controlledResources VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
      ##
      controlledResources: []
      ## @param ingressController.autoscaling.vpa.maxAllowed VPA Max allowed resources for the pod
      ##   cpu: 200m
      ##   memory: 100Mi
      maxAllowed: {}
      ## @param ingressController.autoscaling.vpa.minAllowed VPA Min allowed resources for the pod
      ##   cpu: 200m
      ##   memory: 100Mi
      minAllowed: {}
      updatePolicy:
        ## @param ingressController.autoscaling.vpa.updatePolicy.updateMode Autoscaling update policy Specifies whether recommended updates are applied when a Pod is started and whether recommended updates are applied during the life of a Pod
        ## Possible values are "Off", "Initial", "Recreate", and "Auto".
        ##
        updateMode: Auto
    hpa:
      ## @param ingressController.autoscaling.hpa.enabled Enable HPA for APISIX Ingress Controller
      ##
      enabled: false
      ## @param ingressController.autoscaling.hpa.minReplicas Minimum number of APISIX Ingress Controller replicas
      ##
      minReplicas: ""
      ## @param ingressController.autoscaling.hpa.maxReplicas Maximum number of APISIX Ingress Controller replicas
      ##
      maxReplicas: ""
      ## @param ingressController.autoscaling.hpa.targetCPU Target CPU utilization percentage
      ##
      targetCPU: ""
      ## @param ingressController.autoscaling.hpa.targetMemory Target Memory utilization percentage
      ##
      targetMemory: ""
  ## @section APISIX Ingress Controller RBAC Parameters
  ##

  ## RBAC configuration
  ##
  rbac:
    ## @param ingressController.rbac.create Specifies whether RBAC resources should be created
    ##
    create: true
    ## @param ingressController.rbac.rules Custom RBAC rules to set
    ## e.g:
    ## rules:
    ##   - apiGroups:
    ##       - ""
    ##     resources:
    ##       - pods
    ##     verbs:
    ##       - get
    ##       - list
    ##
    rules: []
  ## ServiceAccount configuration
  ##
  serviceAccount:
    ## @param ingressController.serviceAccount.create Specifies whether a ServiceAccount should be created
    ##
    create: true
    ## @param ingressController.serviceAccount.name The name of the ServiceAccount to use.
    ## If not set and create is true, a name is generated using the common.names.fullname template
    ##
    name: ""
    ## @param ingressController.serviceAccount.annotations Additional Service Account annotations (evaluated as a template)
    ##
    annotations: {}
    ## @param ingressController.serviceAccount.automountServiceAccountToken Automount service account token for the server service account
    ##
    automountServiceAccountToken: false
  ## Prometheus metrics
  ##
  metrics:
    ## @param ingressController.metrics.enabled Enable the export of Prometheus metrics
    ##
    enabled: false
    ## @param ingressController.metrics.annotations [object] Annotations for the APISIX Ingress Controller service in order to scrape metrics
    annotations:
      prometheus.io/scrape: "true"
      prometheus.io/port: "{{ .Values.ingressController.service.ports.http }}"
    ## Prometheus Operator ServiceMonitor configuration
    ##
    serviceMonitor:
      ## @param ingressController.metrics.serviceMonitor.enabled if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`)
      ##
      enabled: false
      ## @param ingressController.metrics.serviceMonitor.namespace Namespace in which Prometheus is running
      ##
      namespace: ""
      ## @param ingressController.metrics.serviceMonitor.annotations Additional custom annotations for the ServiceMonitor
      ##
      annotations: {}
      ## @param ingressController.metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
      ##
      labels: {}
      ## @param ingressController.metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in Prometheus
      ##
      jobLabel: ""
      ## @param ingressController.metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
      ##
      honorLabels: false
      ## @param ingressController.metrics.serviceMonitor.interval Interval at which metrics should be scraped.
      ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
      ## e.g:
      ## interval: 10s
      ##
      interval: ""
      ## @param ingressController.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
      ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
      ## e.g:
      ## scrapeTimeout: 10s
      ##
      scrapeTimeout: ""
      ## @param ingressController.metrics.serviceMonitor.metricRelabelings Specify additional relabeling of metrics
      ##
      metricRelabelings: []
      ## @param ingressController.metrics.serviceMonitor.relabelings Specify general relabeling
      ##
      relabelings: []
      ## @param ingressController.metrics.serviceMonitor.selector Prometheus instance selector labels
      ## selector:
      ##   prometheus: my-prometheus
      ##
      selector: {}
## @section Init containers parameters
##
waitContainer:
  ## @param waitContainer.image.registry [default: REGISTRY_NAME] Init container wait-container image registry
  ## @param waitContainer.image.repository [default: REPOSITORY_NAME/os-shell] Init container wait-container image name
  ## @skip waitContainer.image.tag Init container wait-container image tag
  ## @param waitContainer.image.digest Init container wait-container image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/os-shell-iamguarded
    tag: 1.0.0
    digest: ""
    ## @param waitContainer.image.pullPolicy Init container wait-container image pull policy
    ##
    pullPolicy: IfNotPresent
    ## @param waitContainer.image.pullSecrets [array] Specify docker-registry secret names as an array
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## e.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param waitContainer.containerSecurityContext.enabled Enabled APISIX Ingress Controller containers' Security Context
  ## @param waitContainer.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param waitContainer.containerSecurityContext.runAsUser Set APISIX Ingress Controller containers' Security Context runAsUser
  ## @param waitContainer.containerSecurityContext.runAsGroup Set APISIX Ingress Controller containers' Security Context runAsGroup
  ## @param waitContainer.containerSecurityContext.runAsNonRoot Set APISIX Ingress Controller containers' Security Context runAsNonRoot
  ## @param waitContainer.containerSecurityContext.privileged Set APISIX Ingress Controller containers' Security Context privileged
  ## @param waitContainer.containerSecurityContext.readOnlyRootFilesystem Set APISIX Ingress Controller containers' Security Context readOnlyRootFilesystem
  ## @param waitContainer.containerSecurityContext.allowPrivilegeEscalation Set APISIX Ingress Controller containers' Security Context allowPrivilegeEscalation
  ## @param waitContainer.containerSecurityContext.capabilities.drop Set APISIX Ingress Controller containers' Security Context capabilities.drop
  ## @param waitContainer.containerSecurityContext.seccompProfile.type Set APISIX Ingress Controller containers' Security Context seccompProfile.type
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: RuntimeDefault
## @section External etcd settings
##
externalEtcd:
  ## @param externalEtcd.servers List of hostnames of the external etcd
  ##
  servers: []
  ## @param externalEtcd.port Port of the external etcd instance
  ##
  port: 2379
  ## @param externalEtcd.user User of the external etcd instance
  ##
  user: root
  ## @param externalEtcd.password Password of the external etcd instance
  ##
  password: ""
  ## @param externalEtcd.existingSecret Name of a secret containing the external etcd password
  ##
  existingSecret: ""
  ## @param externalEtcd.existingSecretPasswordKey Key inside the secret containing the external etcd password
  ##
  existingSecretPasswordKey: "etcd-root-password"
  ## @param externalEtcd.secureTransport Use TLS for client-to-server communications
  ##
  secureTransport: false
## @section etcd sub-chart parameters
##
etcd:
  ## @param etcd.enabled Deploy etcd sub-chart
  ##
  enabled: true
  ## @param etcd.replicaCount Number of etcd replicas
  ##
  replicaCount: 3
  ## @param etcd.containerPorts.client Container port for etcd
  ##
  containerPorts:
    client: 2379
  ## @param etcd.auth.rbac.create Switch to enable RBAC authentication
  ## @param etcd.auth.rbac.rootPassword etcd root password
  ## @param etcd.auth.client.secureTransport use TLS for client-to-server communications
  ##
  auth:
    rbac:
      ## Currently the data_plane is not working with etcd credentials enabled. This should be
      ## changed when this is fixed by APISIX
      create: false
      rootPassword: ""
    client:
      secureTransport: false
  ## @param etcd.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
  ##
  resourcesPreset: "micro"
  ## @param etcd.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  image:
    registry: cgr.dev
    repository: chainguard-private/etcd-iamguarded
    tag: 3.6.7
    digest: ""
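
The network-exposure defaults documented above (`allowExternal: true`, `allowExternalEgress: true`, three candidate API server ports, no load balancer source restriction) can be tightened with a values override like the following. This is an added example, not a file shipped with the chart; the file name, the CIDR, the chosen API server port and every label value are constructed placeholders, and the need for an explicit etcd egress rule is an assumption to confirm against the rendered NetworkPolicy.

```yaml
# values-hardened.yaml (hypothetical file name, constructed example)
ingressController:
  service:
    # Default is []: a LoadBalancer Service accepts traffic from any source.
    # Placeholder CIDR; replace with the ranges that should reach the controller.
    loadBalancerSourceRanges:
      - 10.10.10.0/24
  networkPolicy:
    enabled: true
    # Default is true: any source may connect to the listening ports.
    # With false, only pods carrying the chart's server label are admitted.
    allowExternal: false
    # Default is true: unrestricted egress, and extraEgress is ignored.
    allowExternalEgress: false
    # Default is [443, 6443, 8443]. Keep only the port your kube-apiserver
    # actually listens on (6443 here is a placeholder).
    kubeAPIServerPorts: [6443]
    # Assumption: the rendered policy does not already allow egress to etcd.
    # Inspect the rendered NetworkPolicy and drop this rule if it does.
    extraEgress:
      - ports:
          - port: 2379            # etcd client port from the etcd section
        to:
          - podSelector:
              matchLabels:
                app.kubernetes.io/name: etcd   # assumed pod label
    # Admit a scraper from another namespace by namespace and pod labels.
    ingressNSMatchLabels:
      kubernetes.io/metadata.name: monitoring    # assumed namespace name
    ingressNSPodMatchLabels:
      app.kubernetes.io/name: prometheus         # assumed pod label
  serviceAccount:
    # Already the chart default; pinned here so an upstream change is visible.
    automountServiceAccountToken: false
```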
