-
Notifications
You must be signed in to change notification settings - Fork 0
/
values.yaml
1228 lines (1114 loc) · 43 KB
/
values.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
# Default values for Kong's Helm Chart.
# Declare variables to be passed into your templates.
#
# Sections:
# - Deployment parameters
# - Kong parameters
# - Ingress Controller parameters
# - Postgres sub-chart parameters
# - Miscellaneous parameters
# - Kong Enterprise parameters
# -----------------------------------------------------------------------------
# Deployment parameters
# -----------------------------------------------------------------------------
deployment:
kong:
# Enable or disable Kong itself
# Setting this to false with ingressController.enabled=true will create a
# controller-only release.
enabled: true
## Minimum number of seconds for which a newly created pod should be ready without any of its container crashing,
## for it to be considered available.
# minReadySeconds: 60
## Specify the service account to create and to be assigned to the deployment / daemonset and for the migrations
serviceAccount:
create: true
# Automount the service account token. By default, this is disabled, and the token is only mounted on the controller
# container. Some sidecars require enabling this. Note that enabling this exposes Kubernetes credentials to Kong
# Lua code, increasing potential attack surface.
automountServiceAccountToken: false
## Optionally specify the name of the service account to create and the annotations to add.
# name:
# annotations: {}
## Optionally specify any extra sidecar containers to be included in the deployment
## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#container-v1-core
# sidecarContainers:
# - name: sidecar
# image: sidecar:latest
# initContainers:
# - name: initcon
# image: initcon:latest
# hostAliases:
# - ip: "127.0.0.1"
# hostnames:
# - "foo.local"
# - "bar.local"
## Define any volumes and mounts you want present in the Kong proxy container
# userDefinedVolumes:
# - name: "volumeName"
# emptyDir: {}
# userDefinedVolumeMounts:
# - name: "volumeName"
# mountPath: "/opt/user/dir/mount"
test:
# Enable creation of test resources for use with "helm test"
enabled: false
# Use a DaemonSet controller instead of a Deployment controller
daemonset: false
hostNetwork: false
# kong_prefix empty dir size
prefixDir:
sizeLimit: 256Mi
# tmp empty dir size
tmpDir:
sizeLimit: 1Gi
# Override namepsace for Kong chart resources. By default, the chart creates resources in the release namespace.
# This may not be desirable when using this chart as a dependency.
# namespace: "example"
# -----------------------------------------------------------------------------
# Kong parameters
# -----------------------------------------------------------------------------
# Specify Kong configuration
# This chart takes all entries defined under `.env` and transforms them into into `KONG_*`
# environment variables for Kong containers.
# Their names here should match the names used in https://github.com/Kong/kong/blob/master/kong.conf.default
# See https://docs.konghq.com/latest/configuration also for additional details
# Values here take precedence over values from other sections of values.yaml,
# e.g. setting pg_user here will override the value normally set when postgresql.enabled
# is set below. In general, you should not set values here if they are set elsewhere.
env:
database: "off"
# the chart uses the traditional router (for Kong 3.x+) because the ingress
# controller generates traditional routes. if you do not use the controller,
# you may set this to "traditional_compatible" or "expressions" to use the new
# DSL-based router
#kong_log_level: debug
router_flavor: "traditional"
nginx_worker_processes: "2"
proxy_access_log: /dev/stdout
admin_access_log: /dev/stdout
admin_gui_access_log: /dev/stdout
portal_api_access_log: /dev/stdout
proxy_error_log: /dev/stderr
admin_error_log: /dev/stderr
admin_gui_error_log: /dev/stderr
portal_api_error_log: /dev/stderr
prefix: /kong_prefix/
REAL_IP_HEADER: proxy_protocol
TRUSTED_IPS: 0.0.0.0/0,::/0
PROXY_LISTEN: 0.0.0.0:8000 proxy_protocol, 0.0.0.0:8443 ssl proxy_protocol
# This section is any customer specific environments variables that doesn't require KONG_ prefix.
# These custom environment variables are typicall used in custom plugins or serverless plugins to
# access environment specific credentials or tokens.
# Example as below, uncomment if required and add additional attributes as required.
# Note that these environment variables will only apply to the proxy and init container. The ingress-controller
# container has its own customEnv section.
# customEnv:
# api_token:
# valueFrom:
# secretKeyRef:
# key: token
# name: api_key
# client_name: testClient
# This section can be used to configure some extra labels that will be added to each Kubernetes object generated.
extraLabels: {}
# Specify Kong's Docker image and repository details here
image:
repository: kong
tag: "3.3"
# Kong Enterprise
# repository: kong/kong-gateway
# tag: "3.3"
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# pullSecrets:
# - myRegistrKeySecretName
# Specify Kong admin API service and listener configuration
admin:
# Enable creating a Kubernetes service for the admin API
# Disabling this is recommended for most ingress controller configurations
# Enterprise users that wish to use Kong Manager with the controller should enable this
enabled: true
type: NodePort
loadBalancerClass:
# To specify annotations or labels for the admin service, add them to the respective
# "annotations" or "labels" dictionaries below.
annotations: {}
# service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
labels: {}
http:
# Enable plaintext HTTP listen for the admin API
# Disabling this and using a TLS listen only is recommended for most configuration
enabled: true
servicePort: 8001
containerPort: 8001
# Set a nodePort which is available if service type is NodePort
nodePort: 32080
# Additional listen parameters, e.g. "reuseport", "backlog=16384"
parameters: []
tls:
# Enable HTTPS listen for the admin API
enabled: true
servicePort: 8444
containerPort: 8444
# Set a target port for the TLS port in the admin API service, useful when using TLS
# termination on an ELB.
# overrideServiceTargetPort: 8000
# Set a nodePort which is available if service type is NodePort
nodePort: 32443
# Additional listen parameters, e.g. "reuseport", "backlog=16384"
parameters:
- http2
# Specify the CA certificate to use for TLS verification of the Admin API client by:
# - secretName - the secret must contain a key named "tls.crt" with the PEM-encoded certificate.
# - caBundle (PEM-encoded certificate string).
# If both are set, caBundle takes precedence.
client:
caBundle: ""
secretName: ""
# Kong admin ingress settings. Useful if you want to expose the Admin
# API of Kong outside the k8s cluster.
ingress:
# Enable/disable exposure using ingress.
enabled: true
ingressClassName:
# TLS secret name.
# tls: kong-admin.example.com-tls
# Ingress hostname
hostname:
# Map of ingress annotations.
annotations: {}
# Ingress path.
path: /
# Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
pathType: ImplementationSpecific
# Specify Kong status listener configuration
# This listen is internal-only. It cannot be exposed through a service or ingress.
status:
enabled: true
http:
# Enable plaintext HTTP listen for the status listen
enabled: true
containerPort: 8100
parameters: []
tls:
# Enable HTTPS listen for the status listen
# Kong versions prior to 2.1 do not support TLS status listens.
# This setting must remain false on those versions
enabled: false
containerPort: 8543
parameters: []
# Name the kong hybrid cluster CA certificate secret
clusterCaSecretName: ""
# Specify Kong cluster service and listener configuration
#
# The cluster service *must* use TLS. It does not support the "http" block
# available on other services.
#
# The cluster service cannot be exposed through an Ingress, as it must perform
# TLS client validation directly and is not compatible with TLS-terminating
# proxies. If you need to expose it externally, you must use "type:
# LoadBalancer" and use a TCP-only load balancer (check your Kubernetes
# provider's documentation, as the configuration required for this varies).
cluster:
enabled: false
# To specify annotations or labels for the cluster service, add them to the respective
# "annotations" or "labels" dictionaries below.
annotations: {}
#service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
labels: {}
tls:
enabled: false
servicePort: 8005
containerPort: 8005
parameters: []
type: ClusterIP
loadBalancerClass:
# Kong cluster ingress settings. Useful if you want to split CP and DP
# in different clusters.
ingress:
# Enable/disable exposure using ingress.
enabled: false
ingressClassName:
# TLS secret name.
# tls: kong-cluster.example.com-tls
# Ingress hostname
hostname:
# Map of ingress annotations.
annotations: {}
# Ingress path.
path: /
# Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
pathType: ImplementationSpecific
# Specify Kong proxy service configuration
proxy:
# Enable creating a Kubernetes service for the proxy
enabled: true
type: LoadBalancer
loadBalancerClass:
# Override proxy Service name
nameOverride: ""
# To specify annotations or labels for the proxy service, add them to the respective
# "annotations" or "labels" dictionaries below.
annotations:
service.beta.kubernetes.io/linode-loadbalancer-proxy-protocol: v1
# If terminating TLS at the ELB, the following annotations can be used
# "service.beta.kubernetes.io/aws-load-balancer-backend-protocol": "*",
# "service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled": "true",
# "service.beta.kubernetes.io/aws-load-balancer-ssl-cert": "arn:aws:acm:REGION:ACCOUNT:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX",
# "service.beta.kubernetes.io/aws-load-balancer-ssl-ports": "kong-proxy-tls",
# "service.beta.kubernetes.io/aws-load-balancer-type": "elb"
labels:
enable-metrics: "true"
http:
# Enable plaintext HTTP listen for the proxy
enabled: true
servicePort: 80
containerPort: 8000
# Set a nodePort which is available if service type is NodePort
# nodePort: 32080
# Additional listen parameters, e.g. "reuseport", "backlog=16384"
parameters: []
tls:
# Enable HTTPS listen for the proxy
enabled: true
servicePort: 443
containerPort: 8443
# Set a target port for the TLS port in proxy service
# overrideServiceTargetPort: 8000
# Set a nodePort which is available if service type is NodePort
# nodePort: 32443
# Additional listen parameters, e.g. "reuseport", "backlog=16384"
parameters:
- http2
# Define stream (TCP) listen
# To enable, remove "[]", uncomment the section below, and select your desired
# ports and parameters. Listens are dynamically named after their containerPort,
# e.g. "stream-9000" for the below.
# Note: although you can select the protocol here, you cannot set UDP if you
# use a LoadBalancer Service due to limitations in current Kubernetes versions.
# To proxy both TCP and UDP with LoadBalancers, you must enable the udpProxy Service
# in the next section and place all UDP stream listen configuration under it.
stream: []
# # Set the container (internal) and service (external) ports for this listen.
# # These values should normally be the same. If your environment requires they
# # differ, note that Kong will match routes based on the containerPort only.
# - containerPort: 9000
# servicePort: 9000
# protocol: TCP
# # Optionally set a static nodePort if the service type is NodePort
# # nodePort: 32080
# # Additional listen parameters, e.g. "ssl", "reuseport", "backlog=16384"
# # "ssl" is required for SNI-based routes. It is not supported on versions <2.0
# parameters: []
# Kong proxy ingress settings.
# Note: You need this only if you are using another Ingress Controller
# to expose Kong outside the k8s cluster.
ingress:
# Enable/disable exposure using ingress.
enabled: false
ingressClassName:
# To specify annotations or labels for the ingress, add them to the respective
# "annotations" or "labels" dictionaries below.
annotations: {}
labels: {}
# Ingress hostname
hostname:
# Ingress path (when used with hostname above).
path: /
# Each path in an Ingress is required to have a corresponding path type (when used with hostname above). (ImplementationSpecific/Exact/Prefix)
pathType: ImplementationSpecific
# Ingress hosts. Use this instead of or in combination with hostname to specify multiple ingress host configurations
hosts: []
# - host: kong-proxy.example.com
# paths:
# # Ingress path.
# - path: /*
# # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
# pathType: ImplementationSpecific
# - host: kong-proxy-other.example.com
# paths:
# # Ingress path.
# - path: /other
# # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
# pathType: ImplementationSpecific
# backend:
# service:
# name: kong-other-proxy
# port:
# number: 80
#
# TLS secret(s)
# tls: kong-proxy.example.com-tls
# Or if multiple hosts/secrets needs to be configured:
# tls:
# - secretName: kong-proxy.example.com-tls
# hosts:
# - kong-proxy.example.com
# - secretName: kong-proxy-other.example.com-tls
# hosts:
# - kong-proxy-other.example.com
# Optionally specify a static load balancer IP.
# loadBalancerIP:
# Specify Kong UDP proxy service configuration
# Currently, LoadBalancer type Services are generally limited to a single transport protocol
# Multi-protocol Services are an alpha feature as of Kubernetes 1.20:
# https://kubernetes.io/docs/concepts/services-networking/service/#load-balancers-with-mixed-protocol-types
# You should enable this Service if you proxy UDP traffic, and configure UDP stream listens under it
udpProxy:
# Enable creating a Kubernetes service for UDP proxying
enabled: false
type: LoadBalancer
loadBalancerClass:
# To specify annotations or labels for the proxy service, add them to the respective
# "annotations" or "labels" dictionaries below.
annotations: {}
# service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
labels: {}
# Optionally specify a static load balancer IP.
# loadBalancerIP:
# Define stream (UDP) listen
# To enable, remove "[]", uncomment the section below, and select your desired
# ports and parameters. Listens are dynamically named after their servicePort,
# e.g. "stream-9000" for the below.
stream: []
# # Set the container (internal) and service (external) ports for this listen.
# # These values should normally be the same. If your environment requires they
# # differ, note that Kong will match routes based on the containerPort only.
# - containerPort: 9000
# servicePort: 9000
# protocol: UDP
# # Optionally set a static nodePort if the service type is NodePort
# # nodePort: 32080
# # Additional listen parameters, e.g. "ssl", "reuseport", "backlog=16384"
# # "ssl" is required for SNI-based routes. It is not supported on versions <2.0
# parameters: []
# Custom Kong plugins can be loaded into Kong by mounting the plugin code
# into the file-system of Kong container.
# The plugin code should be present in ConfigMap or Secret inside the same
# namespace as Kong is being installed.
# The `name` property refers to the name of the ConfigMap or Secret
# itself, while the pluginName refers to the name of the plugin as it appears
# in Kong.
# Subdirectories (which are optional) require separate ConfigMaps/Secrets.
# "path" indicates their directory under the main plugin directory: the example
# below will mount the contents of kong-plugin-rewriter-migrations at "/opt/kong/rewriter/migrations".
plugins:
configMaps:
- name: my-custom-routing
pluginName: queryrouting
# subdirectories:
# - name: kong-plugin-rewriter-migrations
# path: migrations
# secrets:
# - pluginName: rewriter
# name: kong-plugin-rewriter
# Inject specified secrets as a volume in Kong Container at path /etc/secrets/{secret-name}/
# This can be used to override default SSL certificates.
# Be aware that the secret name will be used verbatim, and that certain types
# of punctuation (e.g. `.`) can cause issues.
# Example configuration
# secretVolumes:
# - kong-proxy-tls
# - kong-admin-tls
secretVolumes: []
# Enable/disable migration jobs, and set annotations for them
migrations:
# Enable pre-upgrade migrations (run "kong migrations up")
preUpgrade: true
# Enable post-upgrade migrations (run "kong migrations finish")
postUpgrade: true
# Annotations to apply to migrations job pods
# By default, these disable service mesh sidecar injection for Istio and Kuma,
# as the sidecar containers do not terminate and prevent the jobs from completing
annotations:
sidecar.istio.io/inject: false
# Additional annotations to apply to migration jobs
# This is helpful in certain non-Helm installation situations such as GitOps
# where additional control is required around this job creation.
jobAnnotations: {}
# Optionally set a backoffLimit. If none is set, Jobs will use the cluster default
backoffLimit:
resources: {}
# Example reasonable setting for "resources":
# resources:
# limits:
# cpu: 100m
# memory: 256Mi
# requests:
# cpu: 50m
# memory: 128Mi
## Optionally specify any extra sidecar containers to be included in the deployment
## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#container-v1-core
## Keep in mind these containers should be terminated along with the main
## migration containers
# sidecarContainers:
# - name: sidecar
# image: sidecar:latest
# Kong's configuration for DB-less mode
# Note: Use this section only if you are deploying Kong in DB-less mode
# and not as an Ingress Controller.
dblessConfig:
# Either Kong's configuration is managed from an existing ConfigMap (with Key: kong.yml)
configMap: ""
# Or Kong's configuration is managed from an existing Secret (with Key: kong.yml)
secret: ""
# Or the configuration is passed in full-text below
config: |
# # _format_version: "1.1"
# # services:
# # # Example configuration
# # # - name: example.com
# # # url: http://example.com
# # # routes:
# # # - name: example
# # # paths:
# # # - "/example"
## Optionally specify any extra sidecar containers to be included in the
## migration jobs
## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#container-v1-core
# sidecarContainers:
# - name: sidecar
# image: sidecar:latest
# -----------------------------------------------------------------------------
# Ingress Controller parameters
# -----------------------------------------------------------------------------
# Kong Ingress Controller's primary purpose is to satisfy Ingress resources
# created in k8s. It uses CRDs for more fine grained control over routing and
# for Kong specific configuration.
ingressController:
enabled: true
image:
repository: kong/kubernetes-ingress-controller
tag: "2.11"
# Optionally set a semantic version for version-gated features. This can normally
# be left unset. You only need to set this if your tag is not a semver string,
# such as when you are using a "next" tag. Set this to the effective semantic
# version of your tag: for example if using a "next" image for an unreleased 3.1.0
# version, set this to "3.1.0".
effectiveSemver:
args: []
gatewayDiscovery:
enabled: false
generateAdminApiService: false
adminApiService:
namespace: ""
name: ""
# Specify individual namespaces to watch for ingress configuration. By default,
# when no namespaces are set, the controller watches all namespaces and uses a
# ClusterRole to grant access to Kubernetes resources. When you list specific
# namespaces, the controller will watch those namespaces only and will create
# namespaced-scoped Roles for each of them. The controller will still use a
# ClusterRole for cluster-scoped resources.
# Requires controller 2.0.0 or newer.
watchNamespaces: []
# Specify Kong Ingress Controller configuration via environment variables
env:
# The controller disables TLS verification by default because Kong
# generates self-signed certificates by default. Set this to false once you
# have installed CA-signed certificates.
kong_admin_tls_skip_verify: true
# If using Kong Enterprise with RBAC enabled, uncomment the section below
# and specify the secret/key containing your admin token.
# kong_admin_token:
# valueFrom:
# secretKeyRef:
# name: CHANGEME-admin-token-secret
# key: CHANGEME-admin-token-key
# This section is any customer specific environments variables that doesn't require CONTROLLER_ prefix.
# Example as below, uncomment if required and add additional attributes as required.
# customEnv:
# TZ: "Europe/Berlin"
admissionWebhook:
enabled: true
failurePolicy: Ignore
port: 8080
certificate:
provided: false
namespaceSelector: {}
# Specifiy the secretName when the certificate is provided via a TLS secret
# secretName: ""
# Specifiy the CA bundle of the provided certificate.
# This is a PEM encoded CA bundle which will be used to validate the webhook certificate. If unspecified, system trust roots on the apiserver are used.
# caBundle:
# | Add the CA bundle content here.
service:
# Specify custom labels for the validation webhook service.
labels: {}
ingressClass: kong
# annotations for IngressClass resource (Kubernetes 1.18+)
ingressClassAnnotations: {}
## Define any volumes and mounts you want present in the ingress controller container
## Volumes are defined above in deployment.userDefinedVolumes
# userDefinedVolumeMounts:
# - name: "volumeName"
# mountPath: "/opt/user/dir/mount"
rbac:
# Specifies whether RBAC resources should be created
create: true
# general properties
livenessProbe:
httpGet:
path: "/healthz"
port: 10254
scheme: HTTP
initialDelaySeconds: 5
timeoutSeconds: 5
periodSeconds: 10
successThreshold: 1
failureThreshold: 3
readinessProbe:
httpGet:
path: "/readyz"
port: 10254
scheme: HTTP
initialDelaySeconds: 5
timeoutSeconds: 5
periodSeconds: 10
successThreshold: 1
failureThreshold: 3
resources: {}
# Example reasonable setting for "resources":
# resources:
# limits:
# cpu: 100m
# memory: 256Mi
# requests:
# cpu: 50m
# memory: 128Mi
konnect:
enabled: false
# Specifies a Konnect Runtime Group's ID that the controller will push its data-plane config to.
runtimeGroupID: ""
# Specifies a Konnect API hostname that the controller will use to push its data-plane config to.
# By default, this is set to US region's production API hostname.
# If you are using a different region, you can set this to the appropriate hostname (e.g. "eu.kic.api.konghq.com").
apiHostname: "us.kic.api.konghq.com"
# Specifies a secret that contains a client TLS certificate that the controller
# will use to authenticate against Konnect APIs.
tlsClientCertSecretName: "konnect-client-tls"
license:
# Specifies whether the controller should fetch a license from Konnect and apply it to managed Gateways.
enabled: false
adminApi:
tls:
client:
# Enable TLS client authentication for the Admin API.
enabled: false
# If set to false, Helm will generate certificates for you.
# If set to true, you are expected to provide your own secret (see secretName, caSecretName).
certProvided: false
# Client TLS certificate/key pair secret name that Ingress Controller will use to authenticate with Kong Admin API.
# If certProvided is set to false, it is optional (can be specified though if you want to force Helm to use
# a specific secret name).
secretName: ""
# CA TLS certificate/key pair secret name that the client TLS certificate is signed by.
# If certProvided is set to false, it is optional (can be specified though if you want to force Helm to use
# a specific secret name).
caSecretName: ""
# -----------------------------------------------------------------------------
# Postgres sub-chart parameters
# -----------------------------------------------------------------------------
# Kong can run without a database or use either Postgres or Cassandra
# as a backend datatstore for it's configuration.
# By default, this chart installs Kong without a database.
# If you would like to use a database, there are two options:
# - (recommended) Deploy and maintain a database and pass the connection
# details to Kong via the `env` section.
# - You can use the below `postgresql` sub-chart to deploy a database
# along-with Kong as part of a single Helm release. Running a database
# independently is recommended for production, but the built-in Postgres is
# useful for quickly creating test instances.
# PostgreSQL chart documentation:
# https://github.com/bitnami/charts/blob/master/bitnami/postgresql/README.md
#
# WARNING: by default, the Postgres chart generates a random password each
# time it upgrades, which breaks access to existing volumes. You should set a
# password explicitly:
# https://github.com/Kong/charts/blob/main/charts/kong/FAQs.md#kong-fails-to-start-after-helm-upgrade-when-postgres-is-used-what-do-i-do
postgresql:
enabled: false
auth:
username: kong
database: kong
image:
# use postgres < 14 until is https://github.com/Kong/kong/issues/8533 resolved and released
# enterprise (kong-gateway) supports postgres 14
tag: 13.11.0-debian-11-r20
service:
ports:
postgresql: "5432"
# -----------------------------------------------------------------------------
# Configure cert-manager integration
# -----------------------------------------------------------------------------
certificates:
enabled: false
# Set either `issuer` or `clusterIssuer` to the name of the desired cert manager issuer
# If left blank a built in self-signed issuer will be created and utilized
issuer: ""
clusterIssuer: ""
# Set proxy.enabled to true to issue default kong-proxy certificate with cert-manager
proxy:
enabled: true
# Set `issuer` or `clusterIssuer` to name of alternate cert-manager clusterIssuer to override default
# self-signed issuer.
issuer: ""
clusterIssuer: ""
# Use commonName and dnsNames to set the common name and dns alt names which this
# certificate is valid for. Wildcard records are supported by the included self-signed issuer.
commonName: "app.example"
# Remove the "[]" and uncomment/change the examples to add SANs
dnsNames: []
# - "app.example"
# - "*.apps.example"
# - "*.kong.example"
# Set admin.enabled true to issue kong admin api and manager certificate with cert-manager
admin:
enabled: true
# Set `issuer` or `clusterIssuer` to name of alternate cert-manager clusterIssuer to override default
# self-signed issuer.
issuer: ""
clusterIssuer: ""
# Use commonName and dnsNames to set the common name and dns alt names which this
# certificate is valid for. Wildcard records are supported by the included self-signed issuer.
commonName: "kong.example"
# Remove the "[]" and uncomment/change the examples to add SANs
dnsNames: []
# - "manager.kong.example"
# Set portal.enabled to true to issue a developer portal certificate with cert-manager
portal:
enabled: true
# Set `issuer` or `clusterIssuer` to name of alternate cert-manager clusterIssuer to override default
# self-signed issuer.
issuer: ""
clusterIssuer: ""
# Use commonName and dnsNames to set the common name and dns alt names which this
# certificate is valid for. Wildcard records are supported by the included self-signed issuer.
commonName: "developer.example"
# Remove the "{}" and uncomment/change the examples to add SANs
dnsNames: []
# - "manager.kong.example"
# Set cluster.enabled true to issue kong hybrid mtls certificate with cert-manager
cluster:
enabled: true
# Issuers used by the control and data plane releases must match for this certificate.
issuer: ""
clusterIssuer: ""
commonName: "kong_clustering"
dnsNames: []
# -----------------------------------------------------------------------------
# Miscellaneous parameters
# -----------------------------------------------------------------------------
waitImage:
# Wait for the database to come online before starting Kong or running migrations
# If Kong is to access the database through a service mesh that injects a sidecar to
# Kong's container, this must be disabled. Otherwise there'll be a deadlock:
# InitContainer waiting for DB access that requires the sidecar, and the sidecar
# waiting for InitContainers to finish.
enabled: true
# Optionally specify an image that provides bash for pre-migration database
# checks. If none is specified, the chart uses the Kong image. The official
# Kong images provide bash
# repository: bash
# tag: 5
pullPolicy: IfNotPresent
# update strategy
updateStrategy: {}
# type: RollingUpdate
# rollingUpdate:
# maxSurge: "100%"
# maxUnavailable: "0%"
# If you want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
resources: {}
# limits:
# cpu: 1
# memory: 2G
# requests:
# cpu: 1
# memory: 2G
# readinessProbe for Kong pods
readinessProbe:
httpGet:
path: "/status/ready"
port: status
scheme: HTTP
initialDelaySeconds: 5
timeoutSeconds: 5
periodSeconds: 10
successThreshold: 1
failureThreshold: 3
# livenessProbe for Kong pods
livenessProbe:
httpGet:
path: "/status"
port: status
scheme: HTTP
initialDelaySeconds: 5
timeoutSeconds: 5
periodSeconds: 10
successThreshold: 1
failureThreshold: 3
# startupProbe for Kong pods
# startupProbe:
# httpGet:
# path: "/status"
# port: status
# scheme: HTTP
# initialDelaySeconds: 5
# timeoutSeconds: 5
# periodSeconds: 2
# successThreshold: 1
# failureThreshold: 40
# Proxy container lifecycle hooks
# Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
lifecycle:
preStop:
exec:
# kong quit has a default timeout of 10 seconds, and a default wait of 0 seconds.
# Note: together they should be less than the terminationGracePeriodSeconds setting below.
command:
- kong
- quit
- '--wait=15'
# Sets the termination grace period for pods spawned by the Kubernetes Deployment.
# Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution
terminationGracePeriodSeconds: 30
# Affinity for pod assignment
# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
# affinity: {}
# Topology spread constraints for pod assignment (requires Kubernetes >= 1.19)
# Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
# topologySpreadConstraints: []
# Tolerations for pod assignment
# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
# Node labels for pod assignment
# Ref: https://kubernetes.io/docs/user-guide/node-selection/
nodeSelector: {}
# Annotation to be added to Kong pods
podAnnotations:
kuma.io/gateway: enabled
traffic.sidecar.istio.io/includeInboundPorts: ""
# Labels to be added to Kong pods
podLabels: {}
# Kong pod count.
# It has no effect when autoscaling.enabled is set to true
replicaCount: 1
# Annotations to be added to Kong deployment
deploymentAnnotations: {}
# Enable autoscaling using HorizontalPodAutoscaler
# When configuring an HPA, you must set resource requests on all containers via
# "resources" and, if using the controller, "ingressController.resources" in values.yaml
autoscaling:
enabled: false
minReplicas: 2
maxReplicas: 5
behavior: {}
## targetCPUUtilizationPercentage only used if the cluster doesn't support autoscaling/v2 or autoscaling/v2beta
targetCPUUtilizationPercentage:
## Otherwise for clusters that do support autoscaling/v2 or autoscaling/v2beta, use metrics
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 80
# Kong Pod Disruption Budget
podDisruptionBudget:
enabled: false
# Uncomment only one of the following when enabled is set to true
# maxUnavailable: "50%"
# minAvailable: "50%"
podSecurityPolicy:
enabled: false
labels: {}
annotations: {}
spec:
privileged: false
fsGroup:
rule: RunAsAny
runAsUser:
rule: RunAsAny
runAsGroup:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- 'configMap'
- 'secret'
- 'emptyDir'
- 'projected'
allowPrivilegeEscalation: false
hostNetwork: false
hostIPC: false
hostPID: false
# Make the root filesystem read-only. This is not compatible with Kong Enterprise <1.5.
# If you use Kong Enterprise <1.5, this must be set to false.
readOnlyRootFilesystem: true
priorityClassName: ""
# securityContext for Kong pods.
securityContext: {}
# securityContext for containers.
containerSecurityContext:
readOnlyRootFilesystem: true
## Optional DNS configuration for Kong pods
# dnsPolicy: ClusterFirst
# dnsConfig:
# nameservers:
# - "10.100.0.10"
# options:
# - name: ndots
# value: "5"
# searches:
# - default.svc.cluster.local
# - svc.cluster.local
# - cluster.local
# - us-east-1.compute.internal
serviceMonitor:
# Specifies whether ServiceMonitor for Prometheus operator should be created
# If you wish to gather metrics from a Kong instance with the proxy disabled (such as a hybrid control plane), see:
# https://github.com/Kong/charts/blob/main/charts/kong/README.md#prometheus-operator-integration
enabled: false
# interval: 10s
# Specifies namespace, where ServiceMonitor should be installed
# namespace: monitoring
# labels:
# foo: bar
# targetLabels:
# - foo
# honorLabels: false
# metricRelabelings: []
# -----------------------------------------------------------------------------
# Kong Enterprise parameters
# -----------------------------------------------------------------------------
# Toggle Kong Enterprise features on or off
# RBAC and SMTP configuration have additional options that must all be set together
# Other settings should be added to the "env" settings below
enterprise:
enabled: false
# Kong Enterprise license secret name
# This secret must contain a single 'license' key, containing your base64-encoded license data
# The license secret is required to unlock all Enterprise features. If you omit it,
# Kong will run in free mode, with some Enterprise features disabled.
# license_secret: kong-enterprise-license
vitals:
enabled: true
portal:
enabled: false
rbac: