contour

Helm chart
Default values
# This file has been modified by Chainguard, Inc.
#
# Copyright Chainguard, Inc. All Rights Reserved.
# Chainguard, Inc. modifications are subject to the license
# available at: https://www.chainguard.dev/legal/software-license-agreement
#
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0

## @section Global parameters
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
##

## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets [array] Global Docker registry secret names as an array
## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead
##
global:
  imageRegistry: ""
  ## E.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  ##
  imagePullSecrets: []
  defaultStorageClass: ""
  storageClass: ""
  ## Security parameters
  ##
  security:
    ## @param global.security.allowInsecureImages Allows skipping image verification
    allowInsecureImages: false
  ## Compatibility adaptations for Kubernetes platforms
  ##
  compatibility:
    ## Compatibility adaptations for Openshift
    ##
    openshift:
      ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
      ##
      adaptSecurityContext: auto
  org: ""
## @section Common parameters
##

## @param nameOverride String to partially override contour.fullname include (will maintain the release name)
##
nameOverride: ""
## @param fullnameOverride String to fully override contour.fullname template
##
fullnameOverride: ""
## @param namespaceOverride String to fully override common.names.namespace
##
namespaceOverride: ""
## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set)
##
kubeVersion: ""
## @param extraDeploy [array] Array of extra objects to deploy with the release
##
extraDeploy: []
## @param commonLabels Labels to add to all deployed objects
##
commonLabels: {}
## @param commonAnnotations Annotations to add to all deployed objects
##
commonAnnotations: {}
## Diagnostic mode in the deployment
##
diagnosticMode:
  ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
  ##
  enabled: false
  ## @param diagnosticMode.command [array] Command to override all containers in the deployment
  ##
  command:
    - sleep
  ## @param diagnosticMode.args [array] Args to override all containers in the deployment
  ##
  args:
    - infinity
## @section Contour parameters
84
##
85
86
## To configure Contour, you must specify ONE of the following two options.
87
## @param existingConfigMap Specifies the name of an externally-defined ConfigMap to use as the configuration (this is mutually exclusive with `configInline`)
88
## Helm will not manage the contents of this ConfigMap, it is your responsibility to create it.
89
## e.g:
90
## existingConfigMap: contour
91
##
92
existingConfigMap: ""
93
## @param configInline [object] Specifies Contour's configuration directly in YAML format
94
## When configInline is used, Helm manages Contour's configuration ConfigMap as
95
## part of the release, and existingConfigMap is ignored.
96
## Refer to https://projectcontour.io/docs/latest/configuration for available options.
97
##
98
configInline:
99
disablePermitInsecure: false
100
tls:
101
fallback-certificate: {}
102
accesslog-format: envoy
contour:
  ## @param contour.enabled Contour Deployment creation.
  ##
  enabled: true
  ## @param contour.image.registry [default: REGISTRY_NAME] Contour image registry
  ## @param contour.image.repository [default: REPOSITORY_NAME/contour] Contour image name
  ## @skip contour.image.tag Contour image tag
  ## @param contour.image.digest Contour image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
  ## @param contour.image.pullPolicy Contour Image pull policy
  ## @param contour.image.pullSecrets [array] Contour Image pull secrets
  ## @param contour.image.debug Enable image debug mode
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/contour-iamguarded
    tag: 1.33.2
    digest: ""
    ## Specify an imagePullPolicy
    ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## e.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
    debug: false
  ## @param contour.contourConfigName Contour Deployment with ContourConfiguration CRD.
  #
  contourConfigName: "contour"
  ## @param contour.configPath Contour Deployment with configmap.
  ##
  configPath: true
  ## @param contour.replicaCount Number of Contour Pod replicas
  #
  replicaCount: 1
  ## @param contour.priorityClassName Priority class assigned to the pods
  ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
  ##
  priorityClassName: ""
  ## @param contour.schedulerName Name of the k8s scheduler (other than default)
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param contour.terminationGracePeriodSeconds In seconds, the time given to the Contour pod to terminate gracefully
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
  ##
  terminationGracePeriodSeconds: ""
  ## @param contour.topologySpreadConstraints Topology Spread Constraints for pod assignment
  ## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
  ## The value is evaluated as a template
  ##
  topologySpreadConstraints: []
  ## Configures the ports the Envoy proxy listens on
  ## @param contour.containerPorts.xds Set xds port inside Contour pod
  ## @param contour.containerPorts.metrics Set metrics port inside Contour pod
  ##
  containerPorts:
    xds: 8001
    metrics: 8000
  ## @param contour.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: true
  ## @param contour.hostAliases [array] Add deployment host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param contour.updateStrategy Strategy to use to update Pods
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  ##
  updateStrategy: {}
  ## @param contour.extraArgs [array] Extra arguments passed to Contour container
  ##
  extraArgs: []
  ## Contour container resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## ref: https://projectcontour.io/guides/resource-limits/
  ## We usually recommend not to specify default resources and to leave this as a conscious
  ## choice for the user. This also increases chances charts run on environments with little
  ## resources, such as Minikube. If you do want to specify resources, uncomment the following
  ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  ## @param contour.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if contour.resources is set (contour.resources is recommended for production).
  ## More information: https://github.com/iamguarded/charts/blob/main/iamguarded/common/templates/_resources.tpl#L15
  ##
  resourcesPreset: "nano"
  ## @param contour.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## @param contour.manageCRDs Manage the creation, upgrade and deletion of Contour CRDs.
  ##
  manageCRDs: true
  ## @param contour.envoyServiceNamespace Namespace of the envoy service to inspect for Ingress status details.
  ##
  envoyServiceNamespace: ""
  ## Name of the envoy service to inspect for Ingress status details.
  ## @param contour.envoyServiceName DEPRECATED: use envoy.service.name
  ##
  envoyServiceName: ""
  ## @param contour.leaderElectionResourceName Name of the contour (Lease) leader election will lease.
  ##
  leaderElectionResourceName: ""
  ## @param contour.ingressStatusAddress Address to set in Ingress object status. It is exclusive with `envoyServiceName` and `envoyServiceNamespace`.
  ##
  ingressStatusAddress: ""
  ## @param contour.podAffinityPreset Contour Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param contour.podAntiAffinityPreset Contour Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## @param contour.podLabels [object] Extra labels for Contour pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param contour.lifecycleHooks lifecycleHooks for the container to automate configuration before or after startup.
  ##
  lifecycleHooks: {}
  ## @param contour.customLivenessProbe Override default liveness probe
  ##
  customLivenessProbe: {}
  ## @param contour.customReadinessProbe Override default readiness probe
  ##
  customReadinessProbe: {}
  ## @param contour.customStartupProbe Override default startup probe
  ##
  customStartupProbe: {}
  ## Node affinity preset
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ## @param contour.nodeAffinityPreset.type Contour Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## @param contour.nodeAffinityPreset.key Contour Node label key to match. Ignored if `affinity` is set.
  ## @param contour.nodeAffinityPreset.values [array] Contour Node label values to match. Ignored if `affinity` is set.
  ##
  nodeAffinityPreset:
    type: ""
    ## E.g.
    ## key: "kubernetes.io/e2e-az-name"
    ##
    key: ""
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param contour.command Override default command
  ##
  command: []
  ## @param contour.args Override default args
  ##
  args: []
  ## @param contour.affinity [object] Affinity for Contour pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
  ##
  affinity: {}
  ## @param contour.nodeSelector [object] Node labels for Contour pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param contour.tolerations [array] Tolerations for Contour pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param contour.podAnnotations [object] Contour Pod annotations
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param contour.serviceAccount.create Create a serviceAccount for the Contour pod
  ## @param contour.serviceAccount.name Use the serviceAccount with the specified name, a name is generated using the fullname template
  ## @param contour.serviceAccount.automountServiceAccountToken Automount service account token for the server service account
  ## @param contour.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`.
  ##
  serviceAccount:
    create: true
    name: ""
    automountServiceAccountToken: false
    annotations: {}
  ## Contour Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param contour.podSecurityContext.enabled Default backend Pod securityContext
  ## @param contour.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param contour.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param contour.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param contour.podSecurityContext.fsGroup Set Default backend Pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Envoy container security context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param contour.containerSecurityContext.enabled Enabled contour containers' Security Context
  ## @param contour.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param contour.containerSecurityContext.runAsUser Set contour containers' Security Context runAsUser
  ## @param contour.containerSecurityContext.runAsGroup Set contour containers' Security Context runAsGroup
  ## @param contour.containerSecurityContext.runAsNonRoot Set contour containers' Security Context runAsNonRoot
  ## @param contour.containerSecurityContext.readOnlyRootFilesystem Set read only root file system pod's Security Conte
  ## @param contour.containerSecurityContext.privileged Set contour container's Security Context privileged
  ## @param contour.containerSecurityContext.allowPrivilegeEscalation Set contour container's Security Context allowPrivilegeEscalation
  ## @param contour.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param contour.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
  ## @param contour.livenessProbe.enabled Enable/disable the Liveness probe
  ## @param contour.livenessProbe.initialDelaySeconds Delay before liveness probe is initiated
  ## @param contour.livenessProbe.periodSeconds How often to perform the probe
  ## @param contour.livenessProbe.timeoutSeconds When the probe times out
  ## @param contour.livenessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded.
  ## @param contour.livenessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed.
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 120
    periodSeconds: 20
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  ## @param contour.readinessProbe.enabled Enable/disable the readiness probe
  ## @param contour.readinessProbe.initialDelaySeconds Delay before readiness probe is initiated
  ## @param contour.readinessProbe.periodSeconds How often to perform the probe
  ## @param contour.readinessProbe.timeoutSeconds When the probe times out
  ## @param contour.readinessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded.
  ## @param contour.readinessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed.
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 15
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 3
    successThreshold: 1
  ## @param contour.startupProbe.enabled Enable/disable the startup probe
  ## @param contour.startupProbe.initialDelaySeconds Delay before startup probe is initiated
  ## @param contour.startupProbe.periodSeconds How often to perform the probe
  ## @param contour.startupProbe.timeoutSeconds When the probe times out
  ## @param contour.startupProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded.
  ## @param contour.startupProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed.
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 15
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 3
    successThreshold: 1
  ## Contour certgen configs
  ##
  certgen:
    ## @param contour.certgen.serviceAccount.create Create a serviceAccount for the Contour pod
    ## @param contour.certgen.serviceAccount.name Use the serviceAccount with the specified name, a name is generated using the fullname template
    ## @param contour.certgen.serviceAccount.automountServiceAccountToken Automount service account token for the server service account
    ## @param contour.certgen.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`.
    ##
    serviceAccount:
      create: true
      name: ""
      automountServiceAccountToken: false
      annotations: {}
    ## @param contour.certgen.certificateLifetime Generated certificate lifetime (in days).
    ##
    certificateLifetime: 365
    ## @param contour.certgen.automountServiceAccountToken Mount Service Account token in pod
    ##
    automountServiceAccountToken: true
    ## Network Policies
    ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
    ##
    networkPolicy:
      ## @param contour.certgen.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
      ##
      enabled: true
      ## @param contour.certgen.networkPolicy.allowExternal Don't require server label for connections
      ## The Policy model to apply. When set to false, only pods with the correct
      ## server label will have network access to the ports server is listening
      ## on. When true, server will accept connections from any source
      ## (with the correct destination port).
      ##
      allowExternal: true
      ## @param contour.certgen.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
      ##
      allowExternalEgress: true
      ## @param contour.certgen.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
      ##
      kubeAPIServerPorts: [443, 6443, 8443]
      ## @param contour.certgen.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
      ## e.g:
      ## extraIngress:
      ##   - ports:
      ##       - port: 1234
      ##     from:
      ##       - podSelector:
      ##           - matchLabels:
      ##               - role: frontend
      ##       - podSelector:
      ##           - matchExpressions:
      ##               - key: role
      ##                 operator: In
      ##                 values:
      ##                   - frontend
      extraIngress: []
      ## @param contour.certgen.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
      ## e.g:
      ## extraEgress:
      ##   - ports:
      ##       - port: 1234
      ##     to:
      ##       - podSelector:
      ##           - matchLabels:
      ##               - role: frontend
      ##       - podSelector:
      ##           - matchExpressions:
      ##               - key: role
      ##                 operator: In
      ##                 values:
      ##                   - frontend
      ##
      extraEgress: []
      ## @param contour.certgen.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
      ## @param contour.certgen.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
      ##
      ingressNSMatchLabels: {}
      ingressNSPodMatchLabels: {}
  ## @param contour.tlsExistingSecret Name of the existingSecret to be used in Contour deployment. If it is not nil `contour.certgen` will be disabled.
  ## It will override `tlsExistingSecret`
  ##
  tlsExistingSecret: ""
  ## Contour Service properties
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#multi-port-services
  ##
  service:
    ## @param contour.service.type Service type
    ##
    type: ClusterIP
    ## @param contour.service.ports.xds Contour service xds port
    ## @param contour.service.ports.metrics Contour service xds port
    ##
    ports:
      xds: 8001
      metrics: 8000
    ## Node ports to expose
    ## @param contour.service.nodePorts.xds Node port for HTTP
    ## NOTE: choose port between <30000-32767>
    ##
    nodePorts:
      xds: ""
    ## @param contour.service.clusterIP Contour service Cluster IP
    ## e.g.:
    ## clusterIP: None
    ##
    clusterIP: ""
    ## @param contour.service.loadBalancerIP Contour service Load Balancer IP
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
    ##
    loadBalancerIP: ""
    ## @param contour.service.loadBalancerSourceRanges Contour service Load Balancer sources
    ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ## e.g:
    ## loadBalancerSourceRanges:
    ##   - 10.10.10.0/24
    ##
    loadBalancerSourceRanges: []
    ## @param contour.service.loadBalancerClass Contour service Load Balancer Class
    ## ref https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
    ##
    loadBalancerClass: ""
    ## @param contour.service.externalTrafficPolicy Contour service external traffic policy
    ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
    ##
    externalTrafficPolicy: Cluster
    ## @param contour.service.annotations Additional custom annotations for Contour service
    ##
    annotations: {}
    ## @param contour.service.extraPorts Extra port to expose on Contour service
    ##
    extraPorts: []
    ## @param contour.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
    ## If "ClientIP", consecutive client requests will be directed to the same Pod
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
    ##
    sessionAffinity: None
    ## @param contour.service.sessionAffinityConfig Additional settings for the sessionAffinity
    ## sessionAffinityConfig:
    ##   clientIP:
    ##     timeoutSeconds: 300
    ##
    sessionAffinityConfig: {}
  ## Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param contour.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param contour.networkPolicy.allowExternal Don't require server label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## server label will have network access to the ports server is listening
    ## on. When true, server will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param contour.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param contour.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
    ##
    kubeAPIServerPorts: [443, 6443, 8443]
    ## @param contour.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    extraIngress: []
    ## @param contour.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param contour.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param contour.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
  ## @param contour.initContainers [array] Attach additional init containers to Contour pods
  ## For example:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##
  initContainers: []
  ## @param contour.sidecars [array] Add additional sidecar containers to the Contour pods
  ## Example:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param contour.extraVolumes [array] Array to add extra volumes
  ##
  extraVolumes: []
  ## @param contour.extraVolumeMounts [array] Array to add extra mounts (normally used with extraVolumes)
  ##
  extraVolumeMounts: []
  ## @param contour.extraEnvVars [array] Array containing extra env vars to be added to all Contour containers
  ## For example:
  ## extraEnvVars:
  ##   - name: MY_ENV_VAR
  ##     value: env_var_value
  ##
  extraEnvVars: []
  ## @param contour.extraEnvVarsCM ConfigMap containing extra env vars to be added to all Contour containers
  ##
  extraEnvVarsCM: ""
  ## @param contour.extraEnvVarsSecret Secret containing extra env vars to be added to all Contour containers
  ##
  extraEnvVarsSecret: ""
  ## @param contour.ingressClass.name Name of the ingress class to route through this controller.
  ## @param contour.ingressClass.create Whether to create or not the IngressClass resource
  ## @param contour.ingressClass.default Mark IngressClass resource as default for cluster
  ##
  ## DEPRECATED: Use a map instead
  ## You can use the 'contour.ingressClass' as a string to indicate the ingress
  ## class name. This will skip the creation of an IngressClass resource.
  ## e.g:
  ## ingressClass: contour
  ##
  ingressClass:
    name: ""
    create: true
    default: true
  ## @param contour.debug Enable Contour debug log level
  ##
  debug: false
  ## @param contour.logFormat Set contour log-format. Default text, either text or json.
  ##
  logFormat: text
  ## @param contour.kubernetesDebug Contour kubernetes debug log level, Default 0, minimum 0, maximum 9.
  ##
  kubernetesDebug: 0
  ## @param contour.rootNamespaces Restrict Contour to searching these namespaces for root ingress routes.
  ##
  rootNamespaces: ""
  ## Exposes configuration of Envoy's Overload Manager through Contour's bootstrapping process
  ## When 95% of max heap size is reached for an Envoy, "shrink heap" operation is triggered.
  ## When 98% of max heap size is reached for an Envoy, it no longer accepts requests.
  ## https://projectcontour.io/docs/main/config/overload-manager/
  ## @param contour.overloadManager.enabled Enable Overload Manager
  ## @param contour.overloadManager.maxHeapBytes Overload Manager's maximum heap size in bytes
  ##
  overloadManager:
    enabled: false
    maxHeapBytes: "2147483648"
  ## PodDisruptionBudget for default backend
  ## Contour Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
  ## @param contour.pdb.create Enable Pod Disruption Budget configuration
  ## @param contour.pdb.minAvailable Minimum number/percentage of Default backend pods that should remain scheduled
  ## @param contour.pdb.maxUnavailable Maximum number/percentage of Default backend pods that should remain scheduled
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
659
## @section Envoy parameters
660
##
661
envoy:
662
## @param envoy.enabled Envoy Proxy creation
663
##
664
enabled: true
665
## Iamguarded Envoy image
666
## ref: https://hub.docker.com/r/iamguarded/envoy/tags/
667
## @param envoy.image.registry [default: REGISTRY_NAME] Envoy Proxy image registry
668
## @param envoy.image.repository [default: REPOSITORY_NAME/envoy] Envoy Proxy image repository
669
## @skip envoy.image.tag Envoy Proxy image tag (immutable tags are recommended)
670
## @param envoy.image.digest Envoy Proxy image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
671
## @param envoy.image.pullPolicy Envoy image pull policy
672
## @param envoy.image.pullSecrets [array] Envoy image pull secrets
673
##
674
image:
675
registry: cgr.dev
676
repository: chainguard-private/envoy-iamguarded
677
tag: 1.37.0
678
digest: ""
679
## Specify a imagePullPolicy
680
## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
681
##
682
pullPolicy: IfNotPresent
683
## Optionally specify an array of imagePullSecrets.
684
## Secrets must be manually created in the namespace.
685
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
686
## e.g:
687
## pullSecrets:
688
## - myRegistryKeySecretName
689
##
690
pullSecrets: []
  ## @param envoy.priorityClassName Priority class assigned to the pods
  ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
  ##
  priorityClassName: ""
  ## @param envoy.schedulerName Name of the k8s scheduler (other than default)
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param envoy.topologySpreadConstraints Topology Spread Constraints for pod assignment
  ## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
  ## The value is evaluated as a template
  ##
  topologySpreadConstraints: []
  ## @param envoy.extraArgs [array] Extra arguments passed to Envoy container
  ##
  extraArgs: []
  ## @param envoy.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: false
  ## @param envoy.hostAliases [array] Add deployment host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## Envoy container resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## ref: https://projectcontour.io/guides/resource-limits/
  ## We usually recommend not to specify default resources and to leave this as a conscious
  ## choice for the user. This also increases chances charts run on environments with little
  ## resources, such as Minikube. If you do want to specify resources, uncomment the following
  ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  ## @param envoy.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if envoy.resources is set (envoy.resources is recommended for production).
  ## More information: https://github.com/iamguarded/charts/blob/main/iamguarded/common/templates/_resources.tpl#L15
  ##
  resourcesPreset: "nano"
  ## @param envoy.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## @param envoy.command Override default command
  ##
  command: []
  ## @param envoy.args Override default args
  ##
  args: []
  ## @param envoy.shutdownManager.enabled Contour shutdownManager sidecar
  ## @param envoy.shutdownManager.extraArgs [array] Extra arguments passed to shutdown container
  ## @param envoy.shutdownManager.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if envoy.shutdownManager.resources is set (envoy.shutdownManager.resources is recommended for production).
  ## More information: https://github.com/iamguarded/charts/blob/main/iamguarded/common/templates/_resources.tpl#L15
  ## @param envoy.shutdownManager.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## @param envoy.shutdownManager.containerPorts.http Specify Port for shutdown container
  ## @param envoy.shutdownManager.lifecycleHooks lifecycleHooks for the container to automate configuration before or after startup.
  ##
  shutdownManager:
    lifecycleHooks: {}
    extraArgs: []
    enabled: true
    resourcesPreset: "nano"
    containerPorts:
      http: 8090
    ## Example:
    ## resources:
    ##   requests:
    ##     cpu: 2
    ##     memory: 512Mi
    ##   limits:
    ##     cpu: 3
    ##     memory: 1024Mi
    resources: {}
    ## Shutdown Manager container security context
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
    ## @param envoy.shutdownManager.containerSecurityContext.enabled Enabled envoy shutdownManager containers' Security Context
    ## @param envoy.shutdownManager.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
    ## @param envoy.shutdownManager.containerSecurityContext.runAsUser Set envoy shutdownManager containers' Security Context runAsUser
    ## @param envoy.shutdownManager.containerSecurityContext.runAsGroup Set envoy shutdownManager containers' Security Context runAsGroup
    ## @param envoy.shutdownManager.containerSecurityContext.runAsNonRoot Set envoy shutdownManager containers' Security Context runAsNonRoot
    ## @param envoy.shutdownManager.containerSecurityContext.readOnlyRootFilesystem Set read only root file system pod's Security Context
    ## @param envoy.shutdownManager.containerSecurityContext.privileged Set envoy.shutdownManager container's Security Context privileged
    ## @param envoy.shutdownManager.containerSecurityContext.allowPrivilegeEscalation Set envoy shutdownManager container's Security Context allowPrivilegeEscalation
    ## @param envoy.shutdownManager.containerSecurityContext.capabilities.drop List of capabilities to be dropped
    ## @param envoy.shutdownManager.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
    ##
    containerSecurityContext:
      enabled: true
      seLinuxOptions: {}
      runAsUser: 1001
      runAsGroup: 1001
      runAsNonRoot: true
      privileged: false
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
      seccompProfile:
        type: "RuntimeDefault"
      readOnlyRootFilesystem: true
    ## @param envoy.shutdownManager.livenessProbe.enabled Enable livenessProbe
    ## @param envoy.shutdownManager.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
    ## @param envoy.shutdownManager.livenessProbe.periodSeconds Period seconds for livenessProbe
    ## @param envoy.shutdownManager.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
    ## @param envoy.shutdownManager.livenessProbe.failureThreshold Failure threshold for livenessProbe
    ## @param envoy.shutdownManager.livenessProbe.successThreshold Success threshold for livenessProbe
    ##
    livenessProbe:
      enabled: true
      initialDelaySeconds: 120
      periodSeconds: 20
      timeoutSeconds: 5
      failureThreshold: 6
      successThreshold: 1
    ## @param envoy.shutdownManager.readinessProbe.enabled Enable/disable the readiness probe
    ## @param envoy.shutdownManager.readinessProbe.initialDelaySeconds Delay before readiness probe is initiated
    ## @param envoy.shutdownManager.readinessProbe.periodSeconds How often to perform the probe
    ## @param envoy.shutdownManager.readinessProbe.timeoutSeconds When the probe times out
    ## @param envoy.shutdownManager.readinessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded.
    ## @param envoy.shutdownManager.readinessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed.
    ##
    readinessProbe:
      enabled: true
      initialDelaySeconds: 10
      periodSeconds: 3
      timeoutSeconds: 1
      failureThreshold: 3
      successThreshold: 1
    ## @param envoy.shutdownManager.startupProbe.enabled Enable/disable the startup probe
    ## @param envoy.shutdownManager.startupProbe.initialDelaySeconds Delay before startup probe is initiated
    ## @param envoy.shutdownManager.startupProbe.periodSeconds How often to perform the probe
    ## @param envoy.shutdownManager.startupProbe.timeoutSeconds When the probe times out
    ## @param envoy.shutdownManager.startupProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded.
    ## @param envoy.shutdownManager.startupProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed.
    ##
    startupProbe:
      enabled: false
      initialDelaySeconds: 15
      periodSeconds: 10
      timeoutSeconds: 5
      failureThreshold: 3
      successThreshold: 1
    ## @param envoy.shutdownManager.customLivenessProbe Override default liveness probe
    ##
    customLivenessProbe: {}
    ## @param envoy.shutdownManager.customReadinessProbe Override default readiness probe
    ##
    customReadinessProbe: {}
    ## @param envoy.shutdownManager.customStartupProbe Override default startup probe
    ##
    customStartupProbe: {}
  ## @param envoy.kind Install as deployment or daemonset
  ##
  kind: daemonset
  ## @param envoy.replicaCount Desired number of Controller pods
  ##
  replicaCount: 1
  ## @param envoy.lifecycleHooks lifecycleHooks for the container to automate configuration before or after startup.
  ##
  lifecycleHooks: {}
  ## @param envoy.updateStrategy [object] Strategy to use to update Pods
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
  ## e.g:
  ## updateStrategy:
  ##   type: RollingUpdate
  ##   rollingUpdate:
  ##     maxSurge: 25%
  ##     maxUnavailable: 25%
  ##
  updateStrategy:
    type: RollingUpdate
  ## @param envoy.minReadySeconds The minimum number of seconds for which a newly created Pod should be ready
  ##
  minReadySeconds: 0
  ## @param envoy.revisionHistoryLimit The number of old history to retain to allow rollback
  ##
  revisionHistoryLimit: 10
  ## Controller Autoscaling configuration
  ## @param envoy.autoscaling.enabled Enable autoscaling for Controller
  ## @param envoy.autoscaling.minReplicas Minimum number of Controller replicas
  ## @param envoy.autoscaling.maxReplicas Maximum number of Controller replicas
  ## @param envoy.autoscaling.targetCPU Target CPU utilization percentage
  ## @param envoy.autoscaling.targetMemory Target Memory utilization percentage
  ## @param envoy.autoscaling.behavior HPA Behavior
  ##
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 11
    targetCPU: ""
    targetMemory: ""
    behavior: {}
  ## @param envoy.podAffinityPreset Envoy Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ## Allowed values: soft, hard
  ##
  podAffinityPreset: ""
  ## @param envoy.podAntiAffinityPreset Envoy Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ## Allowed values: soft, hard
  ##
  podAntiAffinityPreset: ""
  ## Node affinity preset
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ## @param envoy.nodeAffinityPreset.type Envoy Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## @param envoy.nodeAffinityPreset.key Envoy Node label key to match. Ignored if `affinity` is set.
  ## @param envoy.nodeAffinityPreset.values [array] Envoy Node label values to match. Ignored if `affinity` is set.
  ##
  nodeAffinityPreset:
    type: ""
    key: ""
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param envoy.affinity [object] Affinity for Envoy pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
  ##
  affinity: {}
  ## @param envoy.nodeSelector [object] Node labels for Envoy pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param envoy.tolerations [array] Tolerations for Envoy pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param envoy.podAnnotations [object] Envoy Pod annotations
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param envoy.podLabels Extra labels for Envoy pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## Pod security context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param envoy.podSecurityContext.enabled Envoy Pod securityContext
  ## @param envoy.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param envoy.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param envoy.podSecurityContext.fsGroup Group ID for the mounted volumes
  ## @param envoy.podSecurityContext.sysctls Array of sysctl options to allow
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    supplementalGroups: []
    fsGroup: 0
    sysctls: []
  ## Envoy container security context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param envoy.containerSecurityContext.enabled Enabled envoy containers' Security Context
  ## @param envoy.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param envoy.containerSecurityContext.runAsUser Set envoy containers' Security Context runAsUser
  ## @param envoy.containerSecurityContext.runAsGroup Set envoy containers' Security Context runAsGroup
  ## @param envoy.containerSecurityContext.runAsNonRoot Set envoy containers' Security Context runAsNonRoot
  ## @param envoy.containerSecurityContext.readOnlyRootFilesystem Set read only root file system pod's Security Context
  ## @param envoy.containerSecurityContext.privileged Set envoy container's Security Context privileged
  ## @param envoy.containerSecurityContext.allowPrivilegeEscalation Set envoy container's Security Context allowPrivilegeEscalation
  ## @param envoy.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param envoy.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
  ## @param envoy.hostNetwork Envoy Pod host network access
  ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
  ##
  hostNetwork: false
  ## @param envoy.dnsPolicy Envoy Pod DNS policy
  ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
  ##
  dnsPolicy: ClusterFirst
  ## @param envoy.tlsExistingSecret Name of the existingSecret to be used in Envoy deployment
  ##
  tlsExistingSecret: ""
  ## @param envoy.serviceAccount.create Specifies whether a ServiceAccount should be created
  ## @param envoy.serviceAccount.name The name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template
  ## @param envoy.serviceAccount.automountServiceAccountToken Whether to auto mount API credentials for a service account
  ## @param envoy.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
  ##
  serviceAccount:
    create: true
    name: ""
    automountServiceAccountToken: false
    annotations: {}
  ## @param envoy.livenessProbe.enabled Enable livenessProbe
  ## @param envoy.livenessProbe.port LivenessProbe port
  ## @param envoy.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param envoy.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param envoy.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param envoy.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param envoy.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    port: 8002
    initialDelaySeconds: 120
    periodSeconds: 20
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  ## @param envoy.readinessProbe.enabled Enable/disable the readiness probe
  ## @param envoy.readinessProbe.port ReadinessProbe port
  ## @param envoy.readinessProbe.initialDelaySeconds Delay before readiness probe is initiated
  ## @param envoy.readinessProbe.periodSeconds How often to perform the probe
  ## @param envoy.readinessProbe.timeoutSeconds When the probe times out
  ## @param envoy.readinessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded.
  ## @param envoy.readinessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed.
  ##
  readinessProbe:
    enabled: true
    port: 8002
    initialDelaySeconds: 10
    periodSeconds: 3
    timeoutSeconds: 1
    failureThreshold: 3
    successThreshold: 1
  ## @param envoy.startupProbe.enabled Enable/disable the startup probe
  ## @param envoy.startupProbe.port StartupProbe port
  ## @param envoy.startupProbe.initialDelaySeconds Delay before startup probe is initiated
  ## @param envoy.startupProbe.periodSeconds How often to perform the probe
  ## @param envoy.startupProbe.timeoutSeconds When the probe times out
  ## @param envoy.startupProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded.
  ## @param envoy.startupProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed.
  ##
  startupProbe:
    enabled: false
    port: 8002
    initialDelaySeconds: 15
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 3
    successThreshold: 1
  ## @param envoy.customLivenessProbe Override default liveness probe
  ##
  customLivenessProbe: {}
  ## @param envoy.customReadinessProbe Override default readiness probe
  ##
  customReadinessProbe: {}
  ## @param envoy.customStartupProbe Override default startup probe
  ##
  customStartupProbe: {}
  ## @param envoy.terminationGracePeriodSeconds Envoy termination grace period in seconds
  ##
  terminationGracePeriodSeconds: 300
  ## @param envoy.logLevel Envoy log level
  ##
  logLevel: info
  ## Envoy Service properties
  ##
  service:
    ## @param envoy.service.name envoy service name
    ##
    name: ""
    ## The multi-AZ feature renders multiple services, so you can attach a different service provider load balancer to each one.
    ## This feature is primarily used to achieve high availability with multiple load balancers
    ## @param envoy.service.multiAz.enabled enables the rendering of the multiple services
    ## @param envoy.service.multiAz.zones defines different zones their annotations and loadBalancerIPs
    ##
    multiAz:
      enabled: false
      zones: []
      ## Example
      ## - name: "zone1"
      ##   loadBalancerIP: "1.2.3.4"
      ##   annotations:
      ##     service.beta.kubernetes.io/loadbalancer-zone: zone1
      ## - name: "zone2"
      ##   loadBalancerIP: "5.6.7.8"
      ##   annotations:
      ##     service.beta.kubernetes.io/loadbalancer-zone: zone2
      ##
    ## @param envoy.service.targetPorts [object] Map the controller service HTTP/HTTPS port
    ##
    targetPorts:
      http: http
      https: https
      metrics: metrics
    ## @param envoy.service.type Type of Envoy service to create
    ##
    type: LoadBalancer
    ## @param envoy.service.externalTrafficPolicy Envoy Service external cluster policy. If `envoy.service.type` is NodePort or LoadBalancer
    ##
    externalTrafficPolicy: Local
    ## @param envoy.service.labels Labels to add to the envoy service
    ##
    labels: {}
    ## @param envoy.service.clusterIP Internal envoy cluster service IP
    ## e.g.:
    ## clusterIP: None
    ##
    clusterIP: ""
    ## @param envoy.service.externalIPs [array] Envoy service external IP addresses
    ##
    externalIPs: []
    ## @param envoy.service.loadBalancerIP IP address to assign to load balancer (if supported)
    ##
    loadBalancerIP: ""
    ## @param envoy.service.loadBalancerSourceRanges [array] List of IP CIDRs allowed access to load balancer (if supported)
    ##
    loadBalancerSourceRanges: []
    ## @param envoy.service.loadBalancerClass Envoy service Load Balancer Class
    ## ref https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
    ##
    loadBalancerClass: ""
    ## @param envoy.service.ipFamilyPolicy [string], support SingleStack, PreferDualStack and RequireDualStack
    ##
    ipFamilyPolicy: ""
    ## @param envoy.service.ipFamilies [array] List of IP families (e.g. IPv4, IPv6) assigned to the service.
    ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/
    ## E.g.
    ## ipFamilies:
    ##   - IPv6
    ##
    ipFamilies: []
    ## @param envoy.service.annotations [object] Annotations for Envoy service
    ##
    annotations: {}
    ports:
      ## @param envoy.service.ports.http Sets service http port
      ##
      http: 80
      ## @param envoy.service.ports.https Sets service https port
      ##
      https: 443
      ## @param envoy.service.ports.metrics Sets service metrics port
      ##
      metrics: 8002
    ## Specify the nodePort(s) value(s) for the LoadBalancer and NodePort service types.
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
    ## @param envoy.service.nodePorts.http HTTP Port. If `envoy.service.type` is NodePort and this is non-empty
    ## @param envoy.service.nodePorts.https HTTPS Port. If `envoy.service.type` is NodePort and this is non-empty
    ## @param envoy.service.nodePorts.metrics Metrics Port. If `envoy.service.type` is NodePort and this is non-empty
    ##
    nodePorts:
      http: ""
      https: ""
      metrics: ""
    ## @param envoy.service.extraPorts [array] Extra ports to expose (normally used with the `sidecar` value)
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#multi-port-services
    ##
    extraPorts: []
    ## @param envoy.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
    ## If "ClientIP", consecutive client requests will be directed to the same Pod
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
    ##
    sessionAffinity: None
    ## @param envoy.service.sessionAffinityConfig Additional settings for the sessionAffinity
    ## sessionAffinityConfig:
    ##   clientIP:
    ##     timeoutSeconds: 300
    ##
    sessionAffinityConfig: {}
    ## @param envoy.service.exposeMetrics Setting to expose the metrics port in the service
    exposeMetrics: false
  ## Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param envoy.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param envoy.networkPolicy.allowExternal Don't require server label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## server label will have network access to the ports server is listening
    ## on. When true, server will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param envoy.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param envoy.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    extraIngress: []
    ## @param envoy.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param envoy.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param envoy.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
  ## @param envoy.useHostPort.http Enable/disable `hostPort` for TCP/80
  ## @param envoy.useHostPort.https Enable/disable `hostPort` TCP/443
  ## @param envoy.useHostPort.metrics Enable/disable `hostPort` for TCP/8002
  ##
  useHostPort:
    http: false
    https: false
    metrics: false
  ## @param envoy.useHostIP Enable/disable `hostIP`
  ##
  useHostIP: false
  ## @param envoy.hostPorts.http Sets `hostPort` http port
  ## @param envoy.hostPorts.https Sets `hostPort` https port
  ## @param envoy.hostPorts.metrics Sets `hostPort` metrics port
  ##
  hostPorts:
    http: 80
    https: 443
    metrics: 8002
  ## @param envoy.hostIPs.http Sets `hostIP` http IP
  ## @param envoy.hostIPs.https Sets `hostIP` https IP
  ## @param envoy.hostIPs.metrics Sets `hostIP` metrics IP
  ##
  hostIPs:
    http: 127.0.0.1
    https: 127.0.0.1
    metrics: 127.0.0.1
  ## Configures the ports the Envoy proxy listens on
  ## @param envoy.containerPorts.http Sets http port inside Envoy pod (change this to >1024 to run envoy as a non-root user)
  ## @param envoy.containerPorts.https Sets https port inside Envoy pod (change this to >1024 to run envoy as a non-root user)
  ## @param envoy.containerPorts.metrics Sets metrics port inside Envoy pod (change this to >1024 to run envoy as a non-root user)
  ##
  containerPorts:
    http: 8080
    https: 8443
    metrics: 8002
  ## @param envoy.initContainers [array] Attach additional init containers to Envoy pods
  ## For example:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##
  initContainers: []
  ## @param envoy.sidecars Add additional sidecar containers to the Envoy pods
  ## Example:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param envoy.extraVolumes [array] Array to add extra volumes
  ##
  extraVolumes: []
  ## @param envoy.extraVolumeMounts [array] Array to add extra mounts (normally used with extraVolumes)
  ##
  extraVolumeMounts: []
  ## @param envoy.extraEnvVars [array] Array containing extra env vars to be added to all Envoy containers
  ## For example:
  ## extraEnvVars:
  ##   - name: MY_ENV_VAR
  ##     value: env_var_value
  ##
  extraEnvVars: []
  ## @param envoy.extraEnvVarsCM ConfigMap containing extra env vars to be added to all Envoy containers
  ##
  extraEnvVarsCM: ""
  ## @param envoy.extraEnvVarsSecret Secret containing extra env vars to be added to all Envoy containers
  ##
  extraEnvVarsSecret: ""
  ## PodDisruptionBudget for default backend
  ## Envoy Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
  ## @param envoy.pdb.create Enable Pod Disruption Budget configuration
  ## @param envoy.pdb.minAvailable Minimum number/percentage of Default backend pods that should remain scheduled
  ## @param envoy.pdb.maxUnavailable Maximum number/percentage of Default backend pods that should remain scheduled
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
  ## Default init Containers
  ##
  defaultInitContainers:
    ## 'init-config' init container
    ## Bootstrap Envoy configuration so it's ready to be consumed by Envoy "main" container
    ##
    initConfig:
      ## Configure "init-config" init-container Security Context
      ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
      ## @param envoy.defaultInitContainers.initConfig.containerSecurityContext.enabled Enabled "init-config" init-containers' Security Context
      ## @param envoy.defaultInitContainers.initConfig.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in "init-config" init-containers
      ## @param envoy.defaultInitContainers.initConfig.containerSecurityContext.runAsUser Set runAsUser in "init-config" init-containers' Security Context
      ## @param envoy.defaultInitContainers.initConfig.containerSecurityContext.runAsGroup Set runAsGroup in "init-config" init-containers' Security Context
      ## @param envoy.defaultInitContainers.initConfig.containerSecurityContext.runAsNonRoot Set runAsNonRoot in "init-config" init-containers' Security Context
      ## @param envoy.defaultInitContainers.initConfig.containerSecurityContext.privileged Set privileged in "init-config" init-containers' Security Context
      ## @param envoy.defaultInitContainers.initConfig.containerSecurityContext.readOnlyRootFilesystem Set readOnlyRootFilesystem in "init-config" init-containers' Security Context
      ## @param envoy.defaultInitContainers.initConfig.containerSecurityContext.allowPrivilegeEscalation Set allowPrivilegeEscalation in "init-config" init-containers' Security Context
      ## @param envoy.defaultInitContainers.initConfig.containerSecurityContext.capabilities.drop List of capabilities to be dropped in "init-config" init-containers
      ## @param envoy.defaultInitContainers.initConfig.containerSecurityContext.seccompProfile.type Set seccomp profile in "init-config" init-containers
      ##
      containerSecurityContext:
        enabled: true
        seLinuxOptions: {}
        runAsUser: 1001
        runAsGroup: 1001
        runAsNonRoot: true
        privileged: false
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
        seccompProfile:
          type: "RuntimeDefault"
      ## Envoy "init-config" init container resource requests and limits
      ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
      ## @param envoy.defaultInitContainers.initConfig.resourcesPreset Set Envoy "init-config" init container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if envoy.defaultInitContainers.initConfig.resources is set (envoy.defaultInitContainers.initConfig.resources is recommended for production).
      ## More information: https://github.com/iamguarded/charts/blob/main/iamguarded/common/templates/_resources.tpl#L15
      ##
      resourcesPreset: "nano"
      ## @param envoy.defaultInitContainers.initConfig.resources Set Envoy "init-config" init container requests and limits for different resources like CPU or memory (essential for production workloads)
      ## E.g:
      ## resources:
      ##   requests:
      ##     cpu: 2
      ##     memory: 512Mi
      ##   limits:
      ##     cpu: 3
      ##     memory: 1024Mi
      ##
      resources: {}
1352
## @section Gateway API parameters
1353
##
1354
gatewayAPI:
1355
## @param gatewayAPI.manageCRDs Manage the creation, upgrade and deletion of Gateway API CRDs.
1356
##
1357
manageCRDs: false
## @section Default backend parameters
##

## Default 404 backend
##
defaultBackend:
  ## @param defaultBackend.enabled Enable a default backend based on NGINX
  ##
  enabled: false
  ## Iamguarded NGINX image
  ## ref: https://hub.docker.com/r/iamguarded/nginx/tags/
  ## @param defaultBackend.image.registry [default: REGISTRY_NAME] Default backend image registry
  ## @param defaultBackend.image.repository [default: REPOSITORY_NAME/nginx] Default backend image name
  ## @skip defaultBackend.image.tag Default backend image tag
  ## @param defaultBackend.image.digest Default backend image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
  ## @param defaultBackend.image.pullPolicy Image pull policy
  ## @param defaultBackend.image.pullSecrets [array] Specify docker-registry secret names as an array
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/nginx-iamguarded
    tag: 1.29.5
    digest: ""
    ## Specify an imagePullPolicy
    ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## Example:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
  ## @param defaultBackend.extraArgs [object] Additional command line arguments to pass to NGINX container
  ##
  extraArgs: {}
  ## @param defaultBackend.lifecycleHooks lifecycleHooks for the container to automate configuration before or after startup.
  ##
  lifecycleHooks: {}
  ## @param defaultBackend.extraEnvVars [array] Array containing extra env vars to be added to all Contour containers
  ## For example:
  ## extraEnvVars:
  ##   - name: MY_ENV_VAR
  ##     value: env_var_value
  ##
  extraEnvVars: []
  ## @param defaultBackend.extraEnvVarsCM ConfigMap containing extra env vars to be added to all Contour containers
  ##
  extraEnvVarsCM: ""
  ## @param defaultBackend.extraEnvVarsSecret Secret containing extra env vars to be added to all Contour containers
  ##
  extraEnvVarsSecret: ""
  ## @param defaultBackend.extraVolumes [array] Array to add extra volumes
  ##
  extraVolumes: []
  ## @param defaultBackend.extraVolumeMounts [array] Array to add extra mounts (normally used with extraVolumes)
  ##
  extraVolumeMounts: []
  ## @param defaultBackend.initContainers [array] Attach additional init containers to the http backend pods
  ## For example:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##
  initContainers: []
  ## @param defaultBackend.sidecars [array] Add additional sidecar containers to the default backend
  ## Example:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## Configures the ports the http backend listens on
  ## @param defaultBackend.containerPorts.http Set http port inside Contour pod
  ##
  containerPorts:
    http: 8001
  ## @param defaultBackend.updateStrategy Strategy to use to update Pods
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  ##
  updateStrategy: {}
  ## @param defaultBackend.command Override default command
  ##
  command: []
  ## @param defaultBackend.args Override default args
  ##
  args: []
  ## @param defaultBackend.hostAliases [array] Add deployment host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param defaultBackend.replicaCount Desired number of default backend pods
  ##
  replicaCount: 1
  ## Default backend pods' Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param defaultBackend.podSecurityContext.enabled Default backend Pod securityContext
  ## @param defaultBackend.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param defaultBackend.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param defaultBackend.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param defaultBackend.podSecurityContext.fsGroup Set Default backend Pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Default backend containers' Security Context (only main container)
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param defaultBackend.containerSecurityContext.enabled Enabled defaultBackend containers' Security Context
  ## @param defaultBackend.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param defaultBackend.containerSecurityContext.runAsUser Set defaultBackend containers' Security Context runAsUser
  ## @param defaultBackend.containerSecurityContext.runAsGroup Set defaultBackend containers' Security Context runAsGroup
  ## @param defaultBackend.containerSecurityContext.runAsNonRoot Set defaultBackend containers' Security Context runAsNonRoot
  ## @param defaultBackend.containerSecurityContext.readOnlyRootFilesystem Set read only root file system pod's Security Conte
  ## @param defaultBackend.containerSecurityContext.privileged Set defaultBackend container's Security Context privileged
  ## @param defaultBackend.containerSecurityContext.allowPrivilegeEscalation Set defaultBackend container's Security Context allowPrivilegeEscalation
  ## @param defaultBackend.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param defaultBackend.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
  ## Default backend containers' resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## We usually recommend not to specify default resources and to leave this as a conscious
  ## choice for the user. This also increases chances charts run on environments with little
  ## resources, such as Minikube.
  ## @param defaultBackend.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if defaultBackend.resources is set (defaultBackend.resources is recommended for production).
  ## More information: https://github.com/iamguarded/charts/blob/main/iamguarded/common/templates/_resources.tpl#L15
  ##
  resourcesPreset: "nano"
  ## @param defaultBackend.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Default backend containers' liveness probe. Evaluated as a template.
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
  ## @param defaultBackend.livenessProbe.enabled Enable livenessProbe
  ## @param defaultBackend.livenessProbe.httpGet [object] Path, port and scheme for the livenessProbe
  ## @param defaultBackend.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param defaultBackend.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param defaultBackend.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param defaultBackend.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param defaultBackend.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    failureThreshold: 3
    initialDelaySeconds: 30
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 5
  ## Default backend containers' readiness probe. Evaluated as a template.
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
  ## @param defaultBackend.readinessProbe.enabled Enable readinessProbe
  ## @param defaultBackend.readinessProbe.httpGet [object] Path, port and scheme for the readinessProbe
  ## @param defaultBackend.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param defaultBackend.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param defaultBackend.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param defaultBackend.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param defaultBackend.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    failureThreshold: 6
    initialDelaySeconds: 0
    periodSeconds: 5
    successThreshold: 1
    timeoutSeconds: 5
  ## @param defaultBackend.startupProbe.enabled Enable/disable the startup probe
  ## @param defaultBackend.startupProbe.initialDelaySeconds Delay before startup probe is initiated
  ## @param defaultBackend.startupProbe.periodSeconds How often to perform the probe
  ## @param defaultBackend.startupProbe.timeoutSeconds When the probe times out
  ## @param defaultBackend.startupProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded.
  ## @param defaultBackend.startupProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed.
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 15
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 3
    successThreshold: 1
  ## @param defaultBackend.customLivenessProbe [object] Override default liveness probe, it overrides the default one (evaluated as a template)
  ##
  customLivenessProbe: {}
  ## @param defaultBackend.customReadinessProbe [object] Override default readiness probe, it overrides the default one (evaluated as a template)
  ##
  customReadinessProbe: {}
  ## @param defaultBackend.customStartupProbe Override default startup probe
  ##
  customStartupProbe: {}
  ## @param defaultBackend.podLabels [object] Extra labels for Controller pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param defaultBackend.podAnnotations [object] Annotations for Controller pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param defaultBackend.priorityClassName Priority class assigned to the pods
  ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
  ##
  priorityClassName: ""
  ## @param defaultBackend.schedulerName Name of the k8s scheduler (other than default)
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param defaultBackend.terminationGracePeriodSeconds In seconds, time given to the default backend pod to terminate gracefully
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
  ##
  terminationGracePeriodSeconds: 60
  ## @param defaultBackend.topologySpreadConstraints Topology Spread Constraints for pod assignment
  ## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
  ## The value is evaluated as a template
  ##
  topologySpreadConstraints: []
  ## @param defaultBackend.podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ## Allowed values: soft, hard
  ##
  podAffinityPreset: ""
  ## @param defaultBackend.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ## Allowed values: soft, hard
  ##
  podAntiAffinityPreset: soft
  ## Node affinity preset
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ## @param defaultBackend.nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## @param defaultBackend.nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set.
  ## @param defaultBackend.nodeAffinityPreset.values [array] Node label values to match. Ignored if `affinity` is set.
  ##
  nodeAffinityPreset:
    type: ""
    key: ""
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param defaultBackend.affinity [object] Affinity for pod assignment. Evaluated as a template.
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## Note: defaultBackend.podAffinityPreset, defaultBackend.podAntiAffinityPreset, and defaultBackend.nodeAffinityPreset will be ignored when it's set
  ##
  affinity: {}
  ## @param defaultBackend.nodeSelector [object] Node labels for pod assignment. Evaluated as a template.
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param defaultBackend.tolerations [array] Tolerations for pod assignment. Evaluated as a template.
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## Default backend Service parameters
  ## @param defaultBackend.service.type Service type
  ## @param defaultBackend.service.ports.http Service port
  ## @param defaultBackend.service.annotations Annotations to add to the service
  ##
  service:
    type: ClusterIP
    ports:
      http: 80
    annotations: {}
  ## Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param defaultBackend.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param defaultBackend.networkPolicy.allowExternal Don't require server label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## server label will have network access to the ports server is listening
    ## on. When true, server will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param defaultBackend.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param defaultBackend.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    extraIngress: []
    ## @param defaultBackend.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param defaultBackend.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param defaultBackend.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
  ## PodDisruptionBudget for default backend
  ## Default backend Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
  ## @param defaultBackend.pdb.create Enable Pod Disruption Budget configuration
  ## @param defaultBackend.pdb.minAvailable Minimum number/percentage of Default backend pods that should remain scheduled
  ## @param defaultBackend.pdb.maxUnavailable Maximum number/percentage of Default backend pods that may be unavailable
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
## Ingress parameters
##
ingress:
  ## @param ingress.enabled Ingress configuration enabled
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
  ##
  ## Enable Ingress.
  ##
  enabled: false
  ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set)
  ##
  apiVersion: ""
  ## @param ingress.certManager Add annotations for cert-manager
  ##
  certManager: false
  ## @param ingress.annotations Annotations to be added to the web ingress.
  ## Example:
  ##   kubernetes.io/ingress.class: nginx
  ##   kubernetes.io/tls-acme: 'true'
  ##
  annotations: {}
  ## Either `hosts` or `rulesOverride` must be provided if Ingress is enabled.
  ## `hosts` sets up the Ingress with default rules per provided hostname.
  ## @param ingress.hostname Hostname for the Ingress object
  ##
  hostname: contour.local
  ## @param ingress.path The Path to Concourse
  ##
  path: /
  ## @param ingress.rulesOverride Ingress rules override
  ## Either `hosts` or `rulesOverride` must be provided if Ingress is enabled.
  ## `rulesOverride` allows the user to define the full set of ingress rules, for more complex Ingress setups.
  ##
  rulesOverride: []
  ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
  ##
  selfSigned: false
  ## @param ingress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
  ##
  ingressClassName: ""
  ## @param ingress.extraPaths Add additional arbitrary paths that may need to be added to the ingress under the main host.
  ## For example: The ALB ingress controller requires a special rule for handling SSL redirection.
  ##
  extraPaths: []
  ## @param ingress.tls TLS configuration.
  ## Secrets must be manually created in the namespace.
  ## Example:
  ## - secretName: concourse-web-tls
  ##   hosts:
  ##     - concourse.domain.com
  ##
  tls: false
  ## @param ingress.pathType Ingress Path type
  ##
  pathType: ImplementationSpecific
  ## @param ingress.extraHosts The list of additional hostnames to be covered with this ingress record.
  ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array
  ## extraHosts:
  ## - name: concourse.local
  ##   path: /
  ##
  extraHosts: []
  ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
  ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
  ## extraTls:
  ## - hosts:
  ##     - concourse.local
  ##   secretName: concourse.local-tls
  ##
  extraTls: []
  ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets
  ## key and certificate should start with -----BEGIN CERTIFICATE----- or
  ## -----BEGIN RSA PRIVATE KEY-----
  ##
  ## name should line up with a tlsSecret set further up
  ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
  ##
  ## It is also possible to create and manage the certificates outside of this helm chart
  ## Please see README.md for more information
  ## Example:
  ## - name: concourse.local-tls
  ##   key:
  ##   certificate:
  ##
  secrets: []
  ## @param ingress.extraRules Additional rules to be covered with this ingress record
  ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
  ## e.g:
  ## extraRules:
  ## - host: example.local
  ##   http:
  ##     path: /
  ##     backend:
  ##       service:
  ##         name: example-svc
  ##         port:
  ##           name: http
  ##
  extraRules: []
## @section Metrics parameters
##
metrics:
  ## Prometheus Operator service monitors
  ##
  serviceMonitor:
    ## @param metrics.serviceMonitor.namespace Specify if the servicemonitors will be deployed into a different namespace (blank deploys into same namespace as chart)
    ##
    namespace: ""
    ## @param metrics.serviceMonitor.enabled Specify if a servicemonitor will be deployed for prometheus-operator.
    ##
    enabled: false
    ## @param metrics.serviceMonitor.jobLabel Specify the jobLabel to use for the prometheus-operator
    ##
    jobLabel: "app.kubernetes.io/name"
    ## @param metrics.serviceMonitor.interval Specify the scrape interval; if not specified, the Prometheus default scrape interval is used.
    ##
    interval: ""
    ## @param metrics.serviceMonitor.metricRelabelings [array] Specify additional relabeling of metrics.
    ##
    metricRelabelings: []
    ## @param metrics.serviceMonitor.relabelings [array] Specify general relabeling.
    ##
    relabelings: []
    ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint
    ##
    honorLabels: false
    ## @param metrics.serviceMonitor.scrapeTimeout The timeout after which the scrape is ended
    ##
    scrapeTimeout: ""
    ## @param metrics.serviceMonitor.selector Specify honorLabels parameter to add the scrape endpoint
    ##
    selector: {}
    ## @param metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
    ##
    labels: {}
  ## Prometheus Operator prometheusRules
  ##
  prometheusRule:
    ## @param metrics.prometheusRule.enabled Creates a Prometheus Operator prometheusRule
    ##
    enabled: false
    ## @param metrics.prometheusRule.namespace Namespace for the prometheusRule Resource (defaults to the Release Namespace)
    ##
    namespace: ""
    ## @param metrics.prometheusRule.additionalLabels Additional labels that can be used so prometheusRule will be discovered by Prometheus
    ##
    additionalLabels: {}
    ## @param metrics.prometheusRule.rules Prometheus Rule definitions
    ##
    rules: []
## @section Other parameters
##

## @param rbac.create Create the RBAC roles for API accessibility
##
rbac:
  create: true
  ## @param rbac.rules [array] Custom RBAC rules to set
  ## e.g:
  ## rules:
  ##   - apiGroups:
  ##       - ""
  ##     resources:
  ##       - pods
  ##     verbs:
  ##       - get
  ##       - list
  ##
  rules: []
## @param tlsExistingSecret Name of the existingSecret to be used in both contour and envoy. If it is not nil `contour.certgen` will be disabled.
##
tlsExistingSecret: ""
## @param useCertManager Use Cert-manager instead of Contour certgen to issue certificates for TLS connection between Contour and Envoy.
useCertManager: false
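An added example, not part of the chart: an override file that tightens the default backend settings listed above, with each chart default noted beside the changed value. It uses only keys that appear in this values file; the digest is a placeholder, the resource figures are constructed, and the `app.kubernetes.io/component: envoy` pod label is an assumption about how the Envoy pods in the release are labelled.

```yaml
# hardened-default-backend.yaml (hypothetical file name)
defaultBackend:
  enabled: true                  # chart default: false
  image:
    registry: cgr.dev
    repository: chainguard-private/nginx-iamguarded
    # Placeholder. Per the chart comment, a digest overrides the tag when set,
    # so the deployed image is pinned to the bytes that were reviewed.
    digest: "sha256:<digest-of-the-reviewed-image>"
  # Explicit requests/limits; the chart ignores resourcesPreset when this is set.
  resources:
    requests:
      cpu: 50m                   # constructed sample value
      memory: 64Mi               # constructed sample value
    limits:
      cpu: 100m                  # constructed sample value
      memory: 128Mi              # constructed sample value
  networkPolicy:
    enabled: true                # chart default: true
    # chart default: true (accept connections from any source on the port)
    allowExternal: false
    # chart default: true (any port, all destinations); a static 404 backend
    # is assumed here to need no outbound connections of its own
    allowExternalEgress: false
    # Standard NetworkPolicy ingress rule shape: matchLabels is a map under
    # podSelector, not a list item.
    extraIngress:
      - ports:
          - port: 8001           # defaultBackend.containerPorts.http
        from:
          - podSelector:
              matchLabels:
                app.kubernetes.io/component: envoy   # assumed Envoy pod label
```

Render the chart with this file and inspect the generated NetworkPolicy before rollout to confirm that only the intended pods can reach port 8001.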
