contour
Helm chart
iamguarded
Request a free trial
Contact our team to test out this Helm chart and related images for free. Please also indicate any other images you would like to evaluate.
Tag:
1
# This file has been modified by Chainguard, Inc.
2
#
3
# Copyright Chainguard, Inc. All Rights Reserved.
4
# Chainguard, Inc. modifications are subject to the license
5
# available at: https://www.chainguard.dev/legal/software-license-agreement
6
#
7
# Copyright Broadcom, Inc. All Rights Reserved.
8
# SPDX-License-Identifier: APACHE-2.0
9
10
## @section Global parameters
11
## Global Docker image parameters
12
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
13
## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
14
##
15
16
## @param global.imageRegistry Global Docker image registry
17
## @param global.imagePullSecrets [array] Global Docker registry secret names as an array
18
## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
19
## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead
20
##
21
global:
22
imageRegistry: ""
23
## E.g.
24
## imagePullSecrets:
25
## - myRegistryKeySecretName
26
##
27
imagePullSecrets: []
28
defaultStorageClass: ""
29
storageClass: ""
30
## Security parameters
31
##
32
security:
33
## @param global.security.allowInsecureImages Allows skipping image verification
34
allowInsecureImages: false
35
## Compatibility adaptations for Kubernetes platforms
36
##
37
compatibility:
38
## Compatibility adaptations for Openshift
39
##
40
openshift:
41
## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
42
##
43
adaptSecurityContext: auto
44
org: ""
45
## @section Common parameters
46
##
47
48
## @param nameOverride String to partially override contour.fullname include (will maintain the release name)
49
##
50
nameOverride: ""
51
## @param fullnameOverride String to fully override contour.fullname template
52
##
53
fullnameOverride: ""
54
## @param namespaceOverride String to fully override common.names.namespace
55
##
56
namespaceOverride: ""
57
## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set)
58
##
59
kubeVersion: ""
60
## @param extraDeploy [array] Array of extra objects to deploy with the release
61
##
62
extraDeploy: []
63
## @param commonLabels Labels to add to all deployed objects
64
##
65
commonLabels: {}
66
## @param commonAnnotations Annotations to add to all deployed objects
67
##
68
commonAnnotations: {}
69
## Diagnostic mode in the deployment
70
##
71
diagnosticMode:
72
## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
73
##
74
enabled: false
75
## @param diagnosticMode.command [array] Command to override all containers in the deployment
76
##
77
command:
78
- sleep
79
## @param diagnosticMode.args [array] Args to override all containers in the deployment
80
##
81
args:
82
- infinity
83
## @section Contour parameters
84
##
85
86
## To configure Contour, you must specify ONE of the following two options.
87
## @param existingConfigMap Specifies the name of an externally-defined ConfigMap to use as the configuration (this is mutually exclusive with `configInline`)
88
## Helm will not manage the contents of this ConfigMap, it is your responsibility to create it.
89
## e.g:
90
## existingConfigMap: contour
91
##
92
existingConfigMap: ""
93
## @param configInline [object] Specifies Contour's configuration directly in YAML format
94
## When configInline is used, Helm manages Contour's configuration ConfigMap as
95
## part of the release, and existingConfigMap is ignored.
96
## Refer to https://projectcontour.io/docs/latest/configuration for available options.
97
##
98
configInline:
99
disablePermitInsecure: false
100
tls:
101
fallback-certificate: {}
102
accesslog-format: envoy
103
contour:
104
## @param contour.enabled Contour Deployment creation.
105
##
106
enabled: true
107
## @param contour.image.registry [default: REGISTRY_NAME] Contour image registry
108
## @param contour.image.repository [default: REPOSITORY_NAME/contour] Contour image name
109
## @skip contour.image.tag Contour image tag
110
## @param contour.image.digest Contour image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
111
## @param contour.image.pullPolicy Contour Image pull policy
112
## @param contour.image.pullSecrets [array] Contour Image pull secrets
113
## @param contour.image.debug Enable image debug mode
114
##
115
image:
116
registry: cgr.dev
117
repository: chainguard-private/contour-iamguarded
118
tag: 1.33.5
119
digest: ""
120
## Specify a imagePullPolicy
121
## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
122
##
123
pullPolicy: IfNotPresent
124
## Optionally specify an array of imagePullSecrets.
125
## Secrets must be manually created in the namespace.
126
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
127
## e.g:
128
## pullSecrets:
129
## - myRegistryKeySecretName
130
##
131
pullSecrets: []
132
debug: false
133
## @param contour.contourConfigName Contour Deployment with ContourConfiguration CRD.
134
#
135
contourConfigName: "contour"
136
## @param contour.configPath Contour Deployment with configmap.
137
##
138
configPath: true
139
## @param contour.replicaCount Number of Contour Pod replicas
140
#
141
replicaCount: 1
142
## @param contour.priorityClassName Priority class assigned to the pods
143
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
144
##
145
priorityClassName: ""
146
## @param contour.schedulerName Name of the k8s scheduler (other than default)
147
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
148
##
149
schedulerName: ""
150
## @param contour.terminationGracePeriodSeconds In seconds, time the given to the Contour pod needs to terminate gracefully
151
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
152
##
153
terminationGracePeriodSeconds: ""
154
## @param contour.topologySpreadConstraints Topology Spread Constraints for pod assignment
155
## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
156
## The value is evaluated as a template
157
##
158
topologySpreadConstraints: []
159
## Configures the ports the Envoy proxy listens on
160
## @param contour.containerPorts.xds Set xds port inside Contour pod
161
## @param contour.containerPorts.metrics Set metrics port inside Contour pod
162
##
163
containerPorts:
164
xds: 8001
165
metrics: 8000
166
## @param contour.automountServiceAccountToken Mount Service Account token in pod
167
##
168
automountServiceAccountToken: true
169
## @param contour.hostAliases [array] Add deployment host aliases
170
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
171
##
172
hostAliases: []
173
## @param contour.updateStrategy Strategy to use to update Pods
174
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
175
##
176
updateStrategy: {}
177
## @param contour.extraArgs [array] Extra arguments passed to Contour container
178
##
179
extraArgs: []
180
## Contour container resource requests and limits
181
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
182
## ref: https://projectcontour.io/guides/resource-limits/
183
## We usually recommend not to specify default resources and to leave this as a conscious
184
## choice for the user. This also increases chances charts run on environments with little
185
## resources, such as Minikube. If you do want to specify resources, uncomment the following
186
## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
187
## @param contour.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if contour.resources is set (contour.resources is recommended for production).
188
##
189
resourcesPreset: "nano"
190
## @param contour.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
191
## Example:
192
## resources:
193
## requests:
194
## cpu: 2
195
## memory: 512Mi
196
## limits:
197
## cpu: 3
198
## memory: 1024Mi
199
##
200
resources: {}
201
## @param contour.manageCRDs Manage the creation, upgrade and deletion of Contour CRDs.
202
##
203
manageCRDs: true
204
## @param contour.envoyServiceNamespace Namespace of the envoy service to inspect for Ingress status details.
205
##
206
envoyServiceNamespace: ""
207
## Name of the envoy service to inspect for Ingress status details.
208
## @param contour.envoyServiceName DEPRECATED: use envoy.service.name
209
##
210
envoyServiceName: ""
211
## @param contour.leaderElectionResourceName Name of the contour (Lease) leader election will lease.
212
##
213
leaderElectionResourceName: ""
214
## @param contour.ingressStatusAddress Address to set in Ingress object status. It is exclusive with `envoyServiceName` and `envoyServiceNamespace`.
215
##
216
ingressStatusAddress: ""
217
## @param contour.podAffinityPreset Contour Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
218
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
219
##
220
podAffinityPreset: ""
221
## @param contour.podAntiAffinityPreset Contour Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
222
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
223
##
224
podAntiAffinityPreset: soft
225
## @param contour.podLabels [object] Extra labels for Contour pods
226
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
227
##
228
podLabels: {}
229
## @param contour.lifecycleHooks lifecycleHooks for the container to automate configuration before or after startup.
230
##
231
lifecycleHooks: {}
232
## @param contour.customLivenessProbe Override default liveness probe
233
##
234
customLivenessProbe: {}
235
## @param contour.customReadinessProbe Override default readiness probe
236
##
237
customReadinessProbe: {}
238
## @param contour.customStartupProbe Override default startup probe
239
##
240
customStartupProbe: {}
241
## Node affinity preset
242
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
243
## @param contour.nodeAffinityPreset.type Contour Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
244
## @param contour.nodeAffinityPreset.key Contour Node label key to match Ignored if `affinity` is set.
245
## @param contour.nodeAffinityPreset.values [array] Contour Node label values to match. Ignored if `affinity` is set.
246
##
247
nodeAffinityPreset:
248
type: ""
249
## E.g.
250
## key: "kubernetes.io/e2e-az-name"
251
##
252
key: ""
253
## E.g.
254
## values:
255
## - e2e-az1
256
## - e2e-az2
257
##
258
values: []
259
## @param contour.command Override default command
260
##
261
command: []
262
## @param contour.args Override default args
263
##
264
args: []
265
## @param contour.affinity [object] Affinity for Contour pod assignment
266
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
267
## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
268
##
269
affinity: {}
270
## @param contour.nodeSelector [object] Node labels for Contour pod assignment
271
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
272
##
273
nodeSelector: {}
274
## @param contour.tolerations [array] Tolerations for Contour pod assignment
275
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
276
##
277
tolerations: []
278
## @param contour.podAnnotations [object] Contour Pod annotations
279
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
280
##
281
podAnnotations: {}
282
## @param contour.serviceAccount.create Create a serviceAccount for the Contour pod
283
## @param contour.serviceAccount.name Use the serviceAccount with the specified name, a name is generated using the fullname template
284
## @param contour.serviceAccount.automountServiceAccountToken Automount service account token for the server service account
285
## @param contour.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`.
286
##
287
serviceAccount:
288
create: true
289
name: ""
290
automountServiceAccountToken: false
291
annotations: {}
292
## Contour Security Context
293
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
294
## @param contour.podSecurityContext.enabled Default backend Pod securityContext
295
## @param contour.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
296
## @param contour.podSecurityContext.sysctls Set kernel settings using the sysctl interface
297
## @param contour.podSecurityContext.supplementalGroups Set filesystem extra groups
298
## @param contour.podSecurityContext.fsGroup Set Default backend Pod's Security Context fsGroup
299
##
300
podSecurityContext:
301
enabled: true
302
fsGroupChangePolicy: Always
303
sysctls: []
304
supplementalGroups: []
305
fsGroup: 1001
306
## Envoy container security context
307
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
308
## @param contour.containerSecurityContext.enabled Enabled contour containers' Security Context
309
## @param contour.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
310
## @param contour.containerSecurityContext.runAsUser Set contour containers' Security Context runAsUser
311
## @param contour.containerSecurityContext.runAsGroup Set contour containers' Security Context runAsGroup
312
## @param contour.containerSecurityContext.runAsNonRoot Set contour containers' Security Context runAsNonRoot
313
## @param contour.containerSecurityContext.readOnlyRootFilesystem Set read only root file system pod's Security Conte
314
## @param contour.containerSecurityContext.privileged Set contour container's Security Context privileged
315
## @param contour.containerSecurityContext.allowPrivilegeEscalation Set contour container's Security Context allowPrivilegeEscalation
316
## @param contour.containerSecurityContext.capabilities.drop List of capabilities to be dropped
317
## @param contour.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
318
##
319
containerSecurityContext:
320
enabled: true
321
seLinuxOptions: {}
322
runAsUser: 1001
323
runAsGroup: 1001
324
runAsNonRoot: true
325
privileged: false
326
allowPrivilegeEscalation: false
327
capabilities:
328
drop: ["ALL"]
329
seccompProfile:
330
type: "RuntimeDefault"
331
readOnlyRootFilesystem: true
332
## @param contour.livenessProbe.enabled Enable/disable the Liveness probe
333
## @param contour.livenessProbe.initialDelaySeconds Delay before liveness probe is initiated
334
## @param contour.livenessProbe.periodSeconds How often to perform the probe
335
## @param contour.livenessProbe.timeoutSeconds When the probe times out
336
## @param contour.livenessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded.
337
## @param contour.livenessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed.
338
##
339
livenessProbe:
340
enabled: true
341
initialDelaySeconds: 120
342
periodSeconds: 20
343
timeoutSeconds: 5
344
failureThreshold: 6
345
successThreshold: 1
346
## @param contour.readinessProbe.enabled Enable/disable the readiness probe
347
## @param contour.readinessProbe.initialDelaySeconds Delay before readiness probe is initiated
348
## @param contour.readinessProbe.periodSeconds How often to perform the probe
349
## @param contour.readinessProbe.timeoutSeconds When the probe times out
350
## @param contour.readinessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded.
351
## @param contour.readinessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed.
352
##
353
readinessProbe:
354
enabled: true
355
initialDelaySeconds: 15
356
periodSeconds: 10
357
timeoutSeconds: 5
358
failureThreshold: 3
359
successThreshold: 1
360
## @param contour.startupProbe.enabled Enable/disable the startup probe
361
## @param contour.startupProbe.initialDelaySeconds Delay before startup probe is initiated
362
## @param contour.startupProbe.periodSeconds How often to perform the probe
363
## @param contour.startupProbe.timeoutSeconds When the probe times out
364
## @param contour.startupProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded.
365
## @param contour.startupProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed.
366
##
367
startupProbe:
368
enabled: false
369
initialDelaySeconds: 15
370
periodSeconds: 10
371
timeoutSeconds: 5
372
failureThreshold: 3
373
successThreshold: 1
374
## Contour certgen configs
375
##
376
certgen:
377
## @param contour.certgen.serviceAccount.create Create a serviceAccount for the Contour pod
378
## @param contour.certgen.serviceAccount.name Use the serviceAccount with the specified name, a name is generated using the fullname template
379
## @param contour.certgen.serviceAccount.automountServiceAccountToken Automount service account token for the server service account
380
## @param contour.certgen.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`.
381
##
382
serviceAccount:
383
create: true
384
name: ""
385
automountServiceAccountToken: false
386
annotations: {}
387
## @param contour.certgen.certificateLifetime Generated certificate lifetime (in days).
388
##
389
certificateLifetime: 365
390
## @param contour.certgen.automountServiceAccountToken Mount Service Account token in pod
391
##
392
automountServiceAccountToken: true
393
## Network Policies
394
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
395
##
396
networkPolicy:
397
## @param contour.certgen.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
398
##
399
enabled: true
400
## @param contour.certgen.networkPolicy.allowExternal Don't require server label for connections
401
## The Policy model to apply. When set to false, only pods with the correct
402
## server label will have network access to the ports server is listening
403
## on. When true, server will accept connections from any source
404
## (with the correct destination port).
405
##
406
allowExternal: true
407
## @param contour.certgen.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
408
##
409
allowExternalEgress: true
410
## @param contour.certgen.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
411
##
412
kubeAPIServerPorts: [443, 6443, 8443]
413
## @param contour.certgen.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
414
## e.g:
415
## extraIngress:
416
## - ports:
417
## - port: 1234
418
## from:
419
## - podSelector:
420
## - matchLabels:
421
## - role: frontend
422
## - podSelector:
423
## - matchExpressions:
424
## - key: role
425
## operator: In
426
## values:
427
## - frontend
428
extraIngress: []
429
## @param contour.certgen.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
430
## e.g:
431
## extraEgress:
432
## - ports:
433
## - port: 1234
434
## to:
435
## - podSelector:
436
## - matchLabels:
437
## - role: frontend
438
## - podSelector:
439
## - matchExpressions:
440
## - key: role
441
## operator: In
442
## values:
443
## - frontend
444
##
445
extraEgress: []
446
## @param contour.certgen.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
447
## @param contour.certgen.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
448
##
449
ingressNSMatchLabels: {}
450
ingressNSPodMatchLabels: {}
451
## @param contour.tlsExistingSecret Name of the existingSecret to be use in Contour deployment. If it is not nil `contour.certgen` will be disabled.
452
## It will override `tlsExistingSecret`
453
##
454
tlsExistingSecret: ""
455
## Contour Service properties
456
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#multi-port-services
457
##
458
service:
459
## @param contour.service.type Service type
460
##
461
type: ClusterIP
462
## @param contour.service.ports.xds Contour service xds port
463
## @param contour.service.ports.metrics Contour service xds port
464
##
465
ports:
466
xds: 8001
467
metrics: 8000
468
## Node ports to expose
469
## @param contour.service.nodePorts.xds Node port for HTTP
470
## NOTE: choose port between <30000-32767>
471
##
472
nodePorts:
473
xds: ""
474
## @param contour.service.clusterIP Contour service Cluster IP
475
## e.g.:
476
## clusterIP: None
477
##
478
clusterIP: ""
479
## @param contour.service.loadBalancerIP Contour service Load Balancer IP
480
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
481
##
482
loadBalancerIP: ""
483
## @param contour.service.loadBalancerSourceRanges Contour service Load Balancer sources
484
## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
485
## e.g:
486
## loadBalancerSourceRanges:
487
## - 10.10.10.0/24
488
##
489
loadBalancerSourceRanges: []
490
## @param contour.service.loadBalancerClass Contour service Load Balancer Class
491
## ref https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
492
##
493
loadBalancerClass: ""
494
## @param contour.service.externalTrafficPolicy Contour service external traffic policy
495
## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
496
##
497
externalTrafficPolicy: Cluster
498
## @param contour.service.annotations Additional custom annotations for Contour service
499
##
500
annotations: {}
501
## @param contour.service.extraPorts Extra port to expose on Contour service
502
##
503
extraPorts: []
504
## @param contour.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
505
## If "ClientIP", consecutive client requests will be directed to the same Pod
506
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
507
##
508
sessionAffinity: None
509
## @param contour.service.sessionAffinityConfig Additional settings for the sessionAffinity
510
## sessionAffinityConfig:
511
## clientIP:
512
## timeoutSeconds: 300
513
##
514
sessionAffinityConfig: {}
515
## Network Policies
516
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
517
##
518
networkPolicy:
519
## @param contour.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
520
##
521
enabled: true
522
## @param contour.networkPolicy.allowExternal Don't require server label for connections
523
## The Policy model to apply. When set to false, only pods with the correct
524
## server label will have network access to the ports server is listening
525
## on. When true, server will accept connections from any source
526
## (with the correct destination port).
527
##
528
allowExternal: true
529
## @param contour.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
530
##
531
allowExternalEgress: true
532
## @param contour.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
533
##
534
kubeAPIServerPorts: [443, 6443, 8443]
535
## @param contour.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
536
## e.g:
537
## extraIngress:
538
## - ports:
539
## - port: 1234
540
## from:
541
## - podSelector:
542
## - matchLabels:
543
## - role: frontend
544
## - podSelector:
545
## - matchExpressions:
546
## - key: role
547
## operator: In
548
## values:
549
## - frontend
550
extraIngress: []
551
## @param contour.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
552
## e.g:
553
## extraEgress:
554
## - ports:
555
## - port: 1234
556
## to:
557
## - podSelector:
558
## - matchLabels:
559
## - role: frontend
560
## - podSelector:
561
## - matchExpressions:
562
## - key: role
563
## operator: In
564
## values:
565
## - frontend
566
##
567
extraEgress: []
568
## @param contour.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
569
## @param contour.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
570
##
571
ingressNSMatchLabels: {}
572
ingressNSPodMatchLabels: {}
573
## @param contour.initContainers [array] Attach additional init containers to Contour pods
574
## For example:
575
## initContainers:
576
## - name: your-image-name
577
## image: your-image
578
## imagePullPolicy: Always
579
##
580
initContainers: []
581
## @param contour.sidecars [array] Add additional sidecar containers to the Contour pods
582
## Example:
583
## sidecars:
584
## - name: your-image-name
585
## image: your-image
586
## imagePullPolicy: Always
587
## ports:
588
## - name: portname
589
## containerPort: 1234
590
##
591
sidecars: []
592
## @param contour.extraVolumes [array] Array to add extra volumes
593
##
594
extraVolumes: []
595
## @param contour.extraVolumeMounts [array] Array to add extra mounts (normally used with extraVolumes)
596
##
597
extraVolumeMounts: []
598
## @param contour.extraEnvVars [array] Array containing extra env vars to be added to all Contour containers
599
## For example:
600
## extraEnvVars:
601
## - name: MY_ENV_VAR
602
## value: env_var_value
603
##
604
extraEnvVars: []
605
## @param contour.extraEnvVarsCM ConfigMap containing extra env vars to be added to all Contour containers
606
##
607
extraEnvVarsCM: ""
608
## @param contour.extraEnvVarsSecret Secret containing extra env vars to be added to all Contour containers
609
##
610
extraEnvVarsSecret: ""
611
## @param contour.ingressClass.name Name of the ingress class to route through this controller.
612
## @param contour.ingressClass.create Whether to create or not the IngressClass resource
613
## @param contour.ingressClass.default Mark IngressClass resource as default for cluster
614
##
615
## DEPRECATED: Use a map instead
616
## You can use the the 'contour.ingressClass' as a string to indicate the ingress
617
## class name. This will skip the creation of an IngressClass resource.
618
## e.g:
619
## ingressClass: contour
620
##
621
ingressClass:
622
name: ""
623
create: true
624
default: true
625
## @param contour.debug Enable Contour debug log level
626
##
627
debug: false
628
## @param contour.logFormat Set contour log-format. Default text, either text or json.
629
##
630
logFormat: text
631
## @param contour.kubernetesDebug Contour kubernetes debug log level, Default 0, minimum 0, maximum 9.
632
##
633
kubernetesDebug: 0
634
## @param contour.rootNamespaces Restrict Contour to searching these namespaces for root ingress routes.
635
##
636
rootNamespaces: ""
637
## Exposes configuration of Envoy's Overload Manager through Contour's bootstrapping process
638
## When 95% of max heap size is reached for an Envoy, "shrink heap" operation is triggered.
639
## When 98% of max heap size is reached for an Envoy, it no longer accepts requests.
640
## https://projectcontour.io/docs/main/config/overload-manager/
641
## @param contour.overloadManager.enabled Enable Overload Manager
642
## @param contour.overloadManager.maxHeapBytes Overload Manager's maximum heap size in bytes
643
##
644
overloadManager:
645
enabled: false
646
maxHeapBytes: "2147483648"
647
## PodDisruptionBudget for default backend
648
## Contour Pod Disruption Budget configuration
649
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
650
## @param contour.pdb.create Enable Pod Disruption Budget configuration
651
## @param contour.pdb.minAvailable Minimum number/percentage of Default backend pods that should remain scheduled
652
## @param contour.pdb.maxUnavailable Maximum number/percentage of Default backend pods that should remain scheduled
653
##
654
pdb:
655
create: true
656
minAvailable: ""
657
maxUnavailable: ""
658
## @section Envoy parameters
659
##
660
envoy:
661
## @param envoy.enabled Envoy Proxy creation
662
##
663
enabled: true
664
## Iamguarded Envoy image
665
## @param envoy.image.registry [default: REGISTRY_NAME] Envoy Proxy image registry
666
## @param envoy.image.repository [default: REPOSITORY_NAME/envoy] Envoy Proxy image repository
667
## @skip envoy.image.tag Envoy Proxy image tag (immutable tags are recommended)
668
## @param envoy.image.digest Envoy Proxy image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
669
## @param envoy.image.pullPolicy Envoy image pull policy
670
## @param envoy.image.pullSecrets [array] Envoy image pull secrets
671
##
672
image:
673
registry: cgr.dev
674
repository: chainguard-private/envoy-iamguarded
675
tag: 1.38.0
676
digest: ""
677
## Specify a imagePullPolicy
678
## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
679
##
680
pullPolicy: IfNotPresent
681
## Optionally specify an array of imagePullSecrets.
682
## Secrets must be manually created in the namespace.
683
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
684
## e.g:
685
## pullSecrets:
686
## - myRegistryKeySecretName
687
##
688
pullSecrets: []
689
## @param envoy.priorityClassName Priority class assigned to the pods
690
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
691
##
692
priorityClassName: ""
693
## @param envoy.schedulerName Name of the k8s scheduler (other than default)
694
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
695
##
696
schedulerName: ""
697
## @param envoy.topologySpreadConstraints Topology Spread Constraints for pod assignment
698
## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
699
## The value is evaluated as a template
700
##
701
topologySpreadConstraints: []
702
## @param envoy.extraArgs [array] Extra arguments passed to Envoy container
703
##
704
extraArgs: []
705
## @param envoy.automountServiceAccountToken Mount Service Account token in pod
706
##
707
automountServiceAccountToken: false
708
## @param envoy.hostAliases [array] Add deployment host aliases
709
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
710
##
711
hostAliases: []
712
## Envoy container resource requests and limits
713
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
714
## ref: https://projectcontour.io/guides/resource-limits/
715
## We usually recommend not to specify default resources and to leave this as a conscious
716
## choice for the user. This also increases chances charts run on environments with little
717
## resources, such as Minikube. If you do want to specify resources, uncomment the following
718
## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
719
## @param envoy.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if envoy.resources is set (envoy.resources is recommended for production).
720
##
721
resourcesPreset: "nano"
722
## @param envoy.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
723
## Example:
724
## resources:
725
## requests:
726
## cpu: 2
727
## memory: 512Mi
728
## limits:
729
## cpu: 3
730
## memory: 1024Mi
731
##
732
resources: {}
733
## @param envoy.command Override default command
734
##
735
command: []
736
## @param envoy.args Override default args
737
##
738
args: []
739
## @param envoy.shutdownManager.enabled Contour shutdownManager sidecar
740
## @param envoy.shutdownManager.extraArgs [array] Extra arguments passed to shutdown container
741
## @param envoy.shutdownManager.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if envoy.shutdownManager.resources is set (envoy.shutdownManager.resources is recommended for production).
742
## @param envoy.shutdownManager.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
743
## @param envoy.shutdownManager.containerPorts.http Specify Port for shutdown container
744
## @param envoy.shutdownManager.lifecycleHooks lifecycleHooks for the container to automate configuration before or after startup.
745
##
746
shutdownManager:
747
lifecycleHooks: {}
748
extraArgs: []
749
enabled: true
750
resourcesPreset: "nano"
751
containerPorts:
752
http: 8090
753
## Example:
754
## resources:
755
## requests:
756
## cpu: 2
757
## memory: 512Mi
758
## limits:
759
## cpu: 3
760
## memory: 1024Mi
761
resources: {}
762
## Shutdown Manager container security context
763
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
764
## @param envoy.shutdownManager.containerSecurityContext.enabled Enabled envoy shutdownManager containers' Security Context
765
## @param envoy.shutdownManager.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
766
## @param envoy.shutdownManager.containerSecurityContext.runAsUser Set envoy shutdownManager containers' Security Context runAsUser
767
## @param envoy.shutdownManager.containerSecurityContext.runAsGroup Set contour containers' Security Context runAsGroup
768
## @param envoy.shutdownManager.containerSecurityContext.runAsNonRoot Set envoy shutdownManager containers' Security Context runAsNonRoot
769
## @param envoy.shutdownManager.containerSecurityContext.readOnlyRootFilesystem Set read only root file system pod's Security Conte
770
## @param envoy.shutdownManager.containerSecurityContext.privileged Set envoy.shutdownManager container's Security Context privileged
771
## @param envoy.shutdownManager.containerSecurityContext.allowPrivilegeEscalation Set envoy shutdownManager container's Security Context allowPrivilegeEscalation
772
## @param envoy.shutdownManager.containerSecurityContext.capabilities.drop List of capabilities to be dropped
773
## @param envoy.shutdownManager.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
774
##
775
containerSecurityContext:
776
enabled: true
777
seLinuxOptions: {}
778
runAsUser: 1001
779
runAsGroup: 1001
780
runAsNonRoot: true
781
privileged: false
782
allowPrivilegeEscalation: false
783
capabilities:
784
drop: ["ALL"]
785
seccompProfile:
786
type: "RuntimeDefault"
787
readOnlyRootFilesystem: true
788
## @param envoy.shutdownManager.livenessProbe.enabled Enable livenessProbe
789
## @param envoy.shutdownManager.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
790
## @param envoy.shutdownManager.livenessProbe.periodSeconds Period seconds for livenessProbe
791
## @param envoy.shutdownManager.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
792
## @param envoy.shutdownManager.livenessProbe.failureThreshold Failure threshold for livenessProbe
793
## @param envoy.shutdownManager.livenessProbe.successThreshold Success threshold for livenessProbe
794
##
795
livenessProbe:
796
enabled: true
797
initialDelaySeconds: 120
798
periodSeconds: 20
799
timeoutSeconds: 5
800
failureThreshold: 6
801
successThreshold: 1
802
## @param envoy.shutdownManager.readinessProbe.enabled Enable/disable the readiness probe
803
## @param envoy.shutdownManager.readinessProbe.initialDelaySeconds Delay before readiness probe is initiated
804
## @param envoy.shutdownManager.readinessProbe.periodSeconds How often to perform the probe
805
## @param envoy.shutdownManager.readinessProbe.timeoutSeconds When the probe times out
806
## @param envoy.shutdownManager.readinessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded.
807
## @param envoy.shutdownManager.readinessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed.
808
##
809
readinessProbe:
810
enabled: true
811
initialDelaySeconds: 10
812
periodSeconds: 3
813
timeoutSeconds: 1
814
failureThreshold: 3
815
successThreshold: 1
816
## @param envoy.shutdownManager.startupProbe.enabled Enable/disable the startup probe
817
## @param envoy.shutdownManager.startupProbe.initialDelaySeconds Delay before startup probe is initiated
818
## @param envoy.shutdownManager.startupProbe.periodSeconds How often to perform the probe
819
## @param envoy.shutdownManager.startupProbe.timeoutSeconds When the probe times out
820
## @param envoy.shutdownManager.startupProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded.
821
## @param envoy.shutdownManager.startupProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed.
822
##
823
startupProbe:
824
enabled: false
825
initialDelaySeconds: 15
826
periodSeconds: 10
827
timeoutSeconds: 5
828
failureThreshold: 3
829
successThreshold: 1
830
## @param envoy.shutdownManager.customLivenessProbe Override default liveness probe
831
##
832
customLivenessProbe: {}
833
## @param envoy.shutdownManager.customReadinessProbe Override default readiness probe
834
##
835
customReadinessProbe: {}
836
## @param envoy.shutdownManager.customStartupProbe Override default startup probe
837
##
838
customStartupProbe: {}
839
## @param envoy.kind Install as deployment or daemonset
840
##
841
kind: daemonset
842
## @param envoy.replicaCount Desired number of Controller pods
843
##
844
replicaCount: 1
845
## @param envoy.lifecycleHooks lifecycleHooks for the container to automate configuration before or after startup.
846
##
847
lifecycleHooks: {}
848
## @param envoy.updateStrategy [object] Strategy to use to update Pods
849
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
850
## e.g:
851
## updateStrategy:
852
## type: RollingUpdate
853
## rollingUpdate:
854
## maxSurge: 25%
855
## maxUnavailable: 25%
856
##
857
updateStrategy:
858
type: RollingUpdate
859
## @param envoy.minReadySeconds The minimum number of seconds for which a newly created Pod should be ready
860
##
861
minReadySeconds: 0
862
## @param envoy.revisionHistoryLimit The number of old history to retain to allow rollback
863
##
864
revisionHistoryLimit: 10
865
## Controller Autoscaling configuration
866
## @param envoy.autoscaling.enabled Enable autoscaling for Controller
867
## @param envoy.autoscaling.minReplicas Minimum number of Controller replicas
868
## @param envoy.autoscaling.maxReplicas Maximum number of Controller replicas
869
## @param envoy.autoscaling.targetCPU Target CPU utilization percentage
870
## @param envoy.autoscaling.targetMemory Target Memory utilization percentage
871
## @param envoy.autoscaling.behavior HPA Behavior
872
##
873
autoscaling:
874
enabled: false
875
minReplicas: 1
876
maxReplicas: 11
877
targetCPU: ""
878
targetMemory: ""
879
behavior: {}
880
## @param envoy.podAffinityPreset Envoy Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
881
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
882
## Allowed values: soft, hard
883
##
884
podAffinityPreset: ""
885
## @param envoy.podAntiAffinityPreset Envoy Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
886
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
887
## Allowed values: soft, hard
888
##
889
podAntiAffinityPreset: ""
890
## Node affinity preset
891
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
892
## @param envoy.nodeAffinityPreset.type Envoy Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
893
## @param envoy.nodeAffinityPreset.key Envoy Node label key to match Ignored if `affinity` is set.
894
## @param envoy.nodeAffinityPreset.values [array] Envoy Node label values to match. Ignored if `affinity` is set.
895
##
896
nodeAffinityPreset:
897
type: ""
898
key: ""
899
## E.g.
900
## values:
901
## - e2e-az1
902
## - e2e-az2
903
##
904
values: []
905
## @param envoy.affinity [object] Affinity for Envoy pod assignment
906
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
907
## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
908
##
909
affinity: {}
910
## @param envoy.nodeSelector [object] Node labels for Envoy pod assignment
911
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
912
##
913
nodeSelector: {}
914
## @param envoy.tolerations [array] Tolerations for Envoy pod assignment
915
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
916
##
917
tolerations: []
918
## @param envoy.podAnnotations [object] Envoy Pod annotations
919
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
920
##
921
podAnnotations: {}
922
## @param envoy.podLabels Extra labels for Envoy pods
923
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
924
##
925
podLabels: {}
926
## Pod security context
927
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
928
## @param envoy.podSecurityContext.enabled Envoy Pod securityContext
929
## @param envoy.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
930
## @param envoy.podSecurityContext.supplementalGroups Set filesystem extra groups
931
## @param envoy.podSecurityContext.fsGroup User ID for the for the mounted volumes
932
## @param envoy.podSecurityContext.sysctls Array of sysctl options to allow
933
##
934
podSecurityContext:
935
enabled: true
936
fsGroupChangePolicy: Always
937
supplementalGroups: []
938
fsGroup: 0
939
sysctls: []
940
## Envoy container security context
941
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
942
## @param envoy.containerSecurityContext.enabled Enabled envoy containers' Security Context
943
## @param envoy.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
944
## @param envoy.containerSecurityContext.runAsUser Set envoy containers' Security Context runAsUser
945
## @param envoy.containerSecurityContext.runAsGroup Set envoy containers' Security Context runAsGroup
946
## @param envoy.containerSecurityContext.runAsNonRoot Set envoy containers' Security Context runAsNonRoot
947
## @param envoy.containerSecurityContext.readOnlyRootFilesystem Set read only root file system pod's Security Conte
948
## @param envoy.containerSecurityContext.privileged Set envoy container's Security Context privileged
949
## @param envoy.containerSecurityContext.allowPrivilegeEscalation Set envoy container's Security Context allowPrivilegeEscalation
950
## @param envoy.containerSecurityContext.capabilities.drop List of capabilities to be dropped
951
## @param envoy.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
952
##
953
containerSecurityContext:
954
enabled: true
955
seLinuxOptions: {}
956
runAsUser: 1001
957
runAsGroup: 1001
958
runAsNonRoot: true
959
privileged: false
960
allowPrivilegeEscalation: false
961
capabilities:
962
drop: ["ALL"]
963
seccompProfile:
964
type: "RuntimeDefault"
965
readOnlyRootFilesystem: true
966
## @param envoy.hostNetwork Envoy Pod host network access
967
## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
968
##
969
hostNetwork: false
970
## @param envoy.dnsPolicy Envoy Pod Dns Policy's DNS Policy
971
## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
972
##
973
dnsPolicy: ClusterFirst
974
## @param envoy.tlsExistingSecret Name of the existingSecret to be use in Envoy deployment
975
##
976
tlsExistingSecret: ""
977
## @param envoy.serviceAccount.create Specifies whether a ServiceAccount should be created
978
## @param envoy.serviceAccount.name The name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template
979
## @param envoy.serviceAccount.automountServiceAccountToken Whether to auto mount API credentials for a service account
980
## @param envoy.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`.
981
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
982
##
983
serviceAccount:
984
create: true
985
name: ""
986
automountServiceAccountToken: false
987
annotations: {}
988
## @param envoy.livenessProbe.enabled Enable livenessProbe
989
## @param envoy.livenessProbe.port LivenessProbe port
990
## @param envoy.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
991
## @param envoy.livenessProbe.periodSeconds Period seconds for livenessProbe
992
## @param envoy.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
993
## @param envoy.livenessProbe.failureThreshold Failure threshold for livenessProbe
994
## @param envoy.livenessProbe.successThreshold Success threshold for livenessProbe
995
##
996
livenessProbe:
997
enabled: true
998
port: 8002
999
initialDelaySeconds: 120
1000
periodSeconds: 20
1001
timeoutSeconds: 5
1002
failureThreshold: 6
1003
successThreshold: 1
1004
## @param envoy.readinessProbe.enabled Enable/disable the readiness probe
1005
## @param envoy.readinessProbe.port ReadinessProbe port
1006
## @param envoy.readinessProbe.initialDelaySeconds Delay before readiness probe is initiated
1007
## @param envoy.readinessProbe.periodSeconds How often to perform the probe
1008
## @param envoy.readinessProbe.timeoutSeconds When the probe times out
1009
## @param envoy.readinessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded.
1010
## @param envoy.readinessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed.
1011
##
1012
readinessProbe:
1013
enabled: true
1014
port: 8002
1015
initialDelaySeconds: 10
1016
periodSeconds: 3
1017
timeoutSeconds: 1
1018
failureThreshold: 3
1019
successThreshold: 1
1020
## @param envoy.startupProbe.enabled Enable/disable the startup probe
1021
## @param envoy.startupProbe.port StartupProbe port
1022
## @param envoy.startupProbe.initialDelaySeconds Delay before startup probe is initiated
1023
## @param envoy.startupProbe.periodSeconds How often to perform the probe
1024
## @param envoy.startupProbe.timeoutSeconds When the probe times out
1025
## @param envoy.startupProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded.
1026
## @param envoy.startupProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed.
1027
##
1028
startupProbe:
1029
enabled: false
1030
port: 8002
1031
initialDelaySeconds: 15
1032
periodSeconds: 10
1033
timeoutSeconds: 5
1034
failureThreshold: 3
1035
successThreshold: 1
1036
## @param envoy.customLivenessProbe Override default liveness probe
1037
##
1038
customLivenessProbe: {}
1039
## @param envoy.customReadinessProbe Override default readiness probe
1040
##
1041
customReadinessProbe: {}
1042
## @param envoy.customStartupProbe Override default startup probe
1043
##
1044
customStartupProbe: {}
1045
## @param envoy.terminationGracePeriodSeconds Envoy termination grace period in seconds
1046
##
1047
terminationGracePeriodSeconds: 300
1048
## @param envoy.logLevel Envoy log level
1049
##
1050
logLevel: info
1051
## Envoy Service properties
1052
##
1053
service:
1054
## @param envoy.service.name envoy service name
1055
##
1056
name: ""
1057
## The multi az feature renders multiple service, so you could attach different service provider loadbalancer to it.
1058
## This feature is primarily used to achieve a high availability with multiple loadbalancer
1059
## @param envoy.service.multiAz.enabled enables the rendering of the multiple services
1060
## @param envoy.service.multiAz.zones defines different zones their annotations and loadBalancerIPs
1061
##
1062
multiAz:
1063
enabled: false
1064
zones: []
1065
## Example
1066
## - name: "zone1"
1067
## loadBalancerIP: "1.2.3.4"
1068
## annotations:
1069
## service.beta.kubernetes.io/loadbalancer-zone: zone1
1070
## - name: "zone2"
1071
## loadBalancerIP: "5.6.7.8"
1072
## annotations:
1073
## service.beta.kubernetes.io/loadbalancer-zone: zone2
1074
##
1075
## @param envoy.service.targetPorts [object] Map the controller service HTTP/HTTPS port
1076
##
1077
targetPorts:
1078
http: http
1079
https: https
1080
metrics: metrics
1081
## @param envoy.service.type Type of Envoy service to create
1082
##
1083
type: LoadBalancer
1084
## @param envoy.service.externalTrafficPolicy Envoy Service external cluster policy. If `envoy.service.type` is NodePort or LoadBalancer
1085
##
1086
externalTrafficPolicy: Local
1087
## @param envoy.service.labels Labels to add to te envoy service
1088
##
1089
labels: {}
1090
## @param envoy.service.clusterIP Internal envoy cluster service IP
1091
## e.g.:
1092
## clusterIP: None
1093
##
1094
clusterIP: ""
1095
## @param envoy.service.externalIPs [array] Envoy service external IP addresses
1096
##
1097
externalIPs: []
1098
## @param envoy.service.loadBalancerIP IP address to assign to load balancer (if supported)
1099
##
1100
loadBalancerIP: ""
1101
## @param envoy.service.loadBalancerSourceRanges [array] List of IP CIDRs allowed access to load balancer (if supported)
1102
##
1103
loadBalancerSourceRanges: []
1104
## @param envoy.service.loadBalancerClass Envoy service Load Balancer Class
1105
## ref https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
1106
##
1107
loadBalancerClass: ""
1108
## @param envoy.service.ipFamilyPolicy [string], support SingleStack, PreferDualStack and RequireDualStack
1109
##
1110
ipFamilyPolicy: ""
1111
## @param envoy.service.ipFamilies [array] List of IP families (e.g. IPv4, IPv6) assigned to the service.
1112
## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/
1113
## E.g.
1114
## ipFamilies:
1115
## - IPv6
1116
##
1117
ipFamilies: []
1118
## @param envoy.service.annotations [object] Annotations for Envoy service
1119
##
1120
annotations: {}
1121
ports:
1122
## @param envoy.service.ports.http Sets service http port
1123
##
1124
http: 80
1125
## @param envoy.service.ports.https Sets service https port
1126
##
1127
https: 443
1128
## @param envoy.service.ports.metrics Sets service metrics port
1129
##
1130
metrics: 8002
1131
## Specify the nodePort(s) value(s) for the LoadBalancer and NodePort service types.
1132
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
1133
## @param envoy.service.nodePorts.http HTTP Port. If `envoy.service.type` is NodePort and this is non-empty
1134
## @param envoy.service.nodePorts.https HTTPS Port. If `envoy.service.type` is NodePort and this is non-empty
1135
## @param envoy.service.nodePorts.metrics Metrics Port. If `envoy.service.type` is NodePort and this is non-empty
1136
##
1137
nodePorts:
1138
http: ""
1139
https: ""
1140
metrics: ""
1141
## @param envoy.service.extraPorts [array] Extra ports to expose (normally used with the `sidecar` value)
1142
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#multi-port-services
1143
##
1144
extraPorts: []
1145
## @param envoy.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
1146
## If "ClientIP", consecutive client requests will be directed to the same Pod
1147
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
1148
##
1149
sessionAffinity: None
1150
## @param envoy.service.sessionAffinityConfig Additional settings for the sessionAffinity
1151
## sessionAffinityConfig:
1152
## clientIP:
1153
## timeoutSeconds: 300
1154
##
1155
sessionAffinityConfig: {}
1156
## @param envoy.service.exposeMetrics Setting to expose the metrics port in the service
1157
exposeMetrics: false
1158
## Network Policies
1159
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
1160
##
1161
networkPolicy:
1162
## @param envoy.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
1163
##
1164
enabled: true
1165
## @param envoy.networkPolicy.allowExternal Don't require server label for connections
1166
## The Policy model to apply. When set to false, only pods with the correct
1167
## server label will have network access to the ports server is listening
1168
## on. When true, server will accept connections from any source
1169
## (with the correct destination port).
1170
##
1171
allowExternal: true
1172
## @param envoy.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
1173
##
1174
allowExternalEgress: true
1175
## @param envoy.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
1176
## e.g:
1177
## extraIngress:
1178
## - ports:
1179
## - port: 1234
1180
## from:
1181
## - podSelector:
1182
## - matchLabels:
1183
## - role: frontend
1184
## - podSelector:
1185
## - matchExpressions:
1186
## - key: role
1187
## operator: In
1188
## values:
1189
## - frontend
1190
extraIngress: []
1191
## @param envoy.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
1192
## e.g:
1193
## extraEgress:
1194
## - ports:
1195
## - port: 1234
1196
## to:
1197
## - podSelector:
1198
## - matchLabels:
1199
## - role: frontend
1200
## - podSelector:
1201
## - matchExpressions:
1202
## - key: role
1203
## operator: In
1204
## values:
1205
## - frontend
1206
##
1207
extraEgress: []
1208
## @param envoy.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
1209
## @param envoy.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
1210
##
1211
ingressNSMatchLabels: {}
1212
ingressNSPodMatchLabels: {}
1213
## @param envoy.useHostPort.http Enable/disable `hostPort` for TCP/80
1214
## @param envoy.useHostPort.https Enable/disable `hostPort` TCP/443
1215
## @param envoy.useHostPort.metrics Enable/disable `hostPort` for TCP/8002
1216
##
1217
useHostPort:
1218
http: false
1219
https: false
1220
metrics: false
1221
## @param envoy.useHostIP Enable/disable `hostIP`
1222
##
1223
useHostIP: false
1224
## @param envoy.hostPorts.http Sets `hostPort` http port
1225
## @param envoy.hostPorts.https Sets `hostPort` https port
1226
## @param envoy.hostPorts.metrics Sets `hostPort` metrics port
1227
##
1228
hostPorts:
1229
http: 80
1230
https: 443
1231
metrics: 8002
1232
## @param envoy.hostIPs.http Sets `hostIP` http IP
1233
## @param envoy.hostIPs.https Sets `hostIP` https IP
1234
## @param envoy.hostIPs.metrics Sets `hostIP` metrics IP
1235
##
1236
hostIPs:
1237
http: 127.0.0.1
1238
https: 127.0.0.1
1239
metrics: 127.0.0.1
1240
## Configures the ports the Envoy proxy listens on
1241
## @param envoy.containerPorts.http Sets http port inside Envoy pod (change this to >1024 to run envoy as a non-root user)
1242
## @param envoy.containerPorts.https Sets https port inside Envoy pod (change this to >1024 to run envoy as a non-root user)
1243
## @param envoy.containerPorts.metrics Sets metrics port inside Envoy pod (change this to >1024 to run envoy as a non-root user)
1244
##
1245
containerPorts:
1246
http: 8080
1247
https: 8443
1248
metrics: 8002
1249
## @param envoy.initContainers [array] Attach additional init containers to Envoy pods
1250
## For example:
1251
## initContainers:
1252
## - name: your-image-name
1253
## image: your-image
1254
## imagePullPolicy: Always
1255
##
1256
initContainers: []
1257
## @param envoy.sidecars Add additional sidecar containers to the Envoy pods
1258
## Example:
1259
## sidecars:
1260
## - name: your-image-name
1261
## image: your-image
1262
## imagePullPolicy: Always
1263
## ports:
1264
## - name: portname
1265
## containerPort: 1234
1266
##
1267
sidecars: []
1268
## @param envoy.extraVolumes [array] Array to add extra volumes
1269
##
1270
extraVolumes: []
1271
## @param envoy.extraVolumeMounts [array] Array to add extra mounts (normally used with extraVolumes)
1272
##
1273
extraVolumeMounts: []
1274
## @param envoy.extraEnvVars [array] Array containing extra env vars to be added to all Envoy containers
1275
## For example:
1276
## extraEnvVars:
1277
## - name: MY_ENV_VAR
1278
## value: env_var_value
1279
##
1280
extraEnvVars: []
1281
## @param envoy.extraEnvVarsCM ConfigMap containing extra env vars to be added to all Envoy containers
1282
##
1283
extraEnvVarsCM: ""
1284
## @param envoy.extraEnvVarsSecret Secret containing extra env vars to be added to all Envoy containers
1285
##
1286
extraEnvVarsSecret: ""
1287
## PodDisruptionBudget for default backend
1288
## Envoy Pod Disruption Budget configuration
1289
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
1290
## @param envoy.pdb.create Enable Pod Disruption Budget configuration
1291
## @param envoy.pdb.minAvailable Minimum number/percentage of Default backend pods that should remain scheduled
1292
## @param envoy.pdb.maxUnavailable Maximum number/percentage of Default backend pods that should remain scheduled
1293
##
1294
pdb:
1295
create: true
1296
minAvailable: ""
1297
maxUnavailable: ""
1298
## Default init Containers
1299
##
1300
defaultInitContainers:
1301
## 'init-config' init container
1302
## Bootstrap Envoy configuration so it's ready to be consumed by Envoy "main" container
1303
##
1304
initConfig:
1305
## Configure "init-config" init-container Security Context
1306
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
1307
## @param envoy.defaultInitContainers.initConfig.containerSecurityContext.enabled Enabled "init-config" init-containers' Security Context
1308
## @param envoy.defaultInitContainers.initConfig.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in "init-config" init-containers
1309
## @param envoy.defaultInitContainers.initConfig.containerSecurityContext.runAsUser Set runAsUser in "init-config" init-containers' Security Context
1310
## @param envoy.defaultInitContainers.initConfig.containerSecurityContext.runAsGroup Set runAsGroup in "init-config" init-containers' Security Context
1311
## @param envoy.defaultInitContainers.initConfig.containerSecurityContext.runAsNonRoot Set runAsNonRoot in "init-config" init-containers' Security Context
1312
## @param envoy.defaultInitContainers.initConfig.containerSecurityContext.privileged Set privileged in "init-config" init-containers' Security Context
1313
## @param envoy.defaultInitContainers.initConfig.containerSecurityContext.readOnlyRootFilesystem Set readOnlyRootFilesystem in "init-config" init-containers' Security Context
1314
## @param envoy.defaultInitContainers.initConfig.containerSecurityContext.allowPrivilegeEscalation Set allowPrivilegeEscalation in "init-config" init-containers' Security Context
1315
## @param envoy.defaultInitContainers.initConfig.containerSecurityContext.capabilities.drop List of capabilities to be dropped in "init-config" init-containers
1316
## @param envoy.defaultInitContainers.initConfig.containerSecurityContext.seccompProfile.type Set seccomp profile in "init-config" init-containers
1317
##
1318
containerSecurityContext:
1319
enabled: true
1320
seLinuxOptions: {}
1321
runAsUser: 1001
1322
runAsGroup: 1001
1323
runAsNonRoot: true
1324
privileged: false
1325
readOnlyRootFilesystem: true
1326
allowPrivilegeEscalation: false
1327
capabilities:
1328
drop: ["ALL"]
1329
seccompProfile:
1330
type: "RuntimeDefault"
1331
## Envoy "init-config" init container resource requests and limits
1332
## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
1333
## @param envoy.defaultInitContainers.initConfig.resourcesPreset Set Envoy "init-config" init container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if envoy.defaultInitContainers.initConfig.resources is set (envoy.defaultInitContainers.initConfig.resources is recommended for production).
1334
##
1335
resourcesPreset: "nano"
1336
## @param envoy.defaultInitContainers.initConfig.resources Set Envoy "init-config" init container requests and limits for different resources like CPU or memory (essential for production workloads)
1337
## E.g:
1338
## resources:
1339
## requests:
1340
## cpu: 2
1341
## memory: 512Mi
1342
## limits:
1343
## cpu: 3
1344
## memory: 1024Mi
1345
##
1346
resources: {}
1347
## @section Gateway API parameters
1348
##
1349
gatewayAPI:
1350
## @param gatewayAPI.manageCRDs Manage the creation, upgrade and deletion of Gateway API CRDs.
1351
##
1352
manageCRDs: false
1353
## @section Default backend parameters
1354
##
1355
1356
## Default 404 backend
1357
##
1358
defaultBackend:
1359
## @param defaultBackend.enabled Enable a default backend based on NGINX
1360
##
1361
enabled: false
1362
## Iamguarded NGINX image
1363
## @param defaultBackend.image.registry [default: REGISTRY_NAME] Default backend image registry
1364
## @param defaultBackend.image.repository [default: REPOSITORY_NAME/nginx] Default backend image name
1365
## @skip defaultBackend.image.tag Default backend image tag
1366
## @param defaultBackend.image.digest Default backend image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
1367
## @param defaultBackend.image.pullPolicy Image pull policy
1368
## @param defaultBackend.image.pullSecrets [array] Specify docker-registry secret names as an array
1369
##
1370
image:
1371
registry: cgr.dev
1372
repository: chainguard-private/nginx-iamguarded
1373
tag: 1.31.1
1374
digest: ""
1375
## Specify a imagePullPolicy
1376
## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
1377
##
1378
pullPolicy: IfNotPresent
1379
## Optionally specify an array of imagePullSecrets.
1380
## Secrets must be manually created in the namespace.
1381
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
1382
## Example:
1383
## pullSecrets:
1384
## - myRegistryKeySecretName
1385
##
1386
pullSecrets: []
1387
## @param defaultBackend.extraArgs [object] Additional command line arguments to pass to NGINX container
1388
##
1389
extraArgs: {}
1390
## @param defaultBackend.lifecycleHooks lifecycleHooks for the container to automate configuration before or after startup.
1391
##
1392
lifecycleHooks: {}
1393
## @param defaultBackend.extraEnvVars [array] Array containing extra env vars to be added to all Contour containers
1394
## For example:
1395
## extraEnvVars:
1396
## - name: MY_ENV_VAR
1397
## value: env_var_value
1398
##
1399
extraEnvVars: []
1400
## @param defaultBackend.extraEnvVarsCM ConfigMap containing extra env vars to be added to all Contour containers
1401
##
1402
extraEnvVarsCM: ""
1403
## @param defaultBackend.extraEnvVarsSecret Secret containing extra env vars to be added to all Contour containers
1404
##
1405
extraEnvVarsSecret: ""
1406
## @param defaultBackend.extraVolumes [array] Array to add extra volumes
1407
##
1408
extraVolumes: []
1409
## @param defaultBackend.extraVolumeMounts [array] Array to add extra mounts (normally used with extraVolumes)
1410
##
1411
extraVolumeMounts: []
1412
## @param defaultBackend.initContainers [array] Attach additional init containers to the http backend pods
1413
## For example:
1414
## initContainers:
1415
## - name: your-image-name
1416
## image: your-image
1417
## imagePullPolicy: Always
1418
##
1419
initContainers: []
1420
## @param defaultBackend.sidecars [array] Add additional sidecar containers to the default backend
1421
## Example:
1422
## sidecars:
1423
## - name: your-image-name
1424
## image: your-image
1425
## imagePullPolicy: Always
1426
## ports:
1427
## - name: portname
1428
## containerPort: 1234
1429
##
1430
sidecars: []
1431
## Configures the ports the http backend listens on
1432
## @param defaultBackend.containerPorts.http Set http port inside Contour pod
1433
##
1434
containerPorts:
1435
http: 8001
1436
## @param defaultBackend.updateStrategy Strategy to use to update Pods
1437
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
1438
##
1439
updateStrategy: {}
1440
## @param defaultBackend.command Override default command
1441
##
1442
command: []
1443
## @param defaultBackend.args Override default args
1444
##
1445
args: []
1446
## @param defaultBackend.hostAliases [array] Add deployment host aliases
1447
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
1448
##
1449
hostAliases: []
1450
## @param defaultBackend.replicaCount Desired number of default backend pods
1451
##
1452
replicaCount: 1
1453
## Default backend pods' Security Context
1454
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
1455
## @param defaultBackend.podSecurityContext.enabled Default backend Pod securityContext
1456
## @param defaultBackend.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
1457
## @param defaultBackend.podSecurityContext.sysctls Set kernel settings using the sysctl interface
1458
## @param defaultBackend.podSecurityContext.supplementalGroups Set filesystem extra groups
1459
## @param defaultBackend.podSecurityContext.fsGroup Set Default backend Pod's Security Context fsGroup
1460
##
1461
podSecurityContext:
1462
enabled: true
1463
fsGroupChangePolicy: Always
1464
sysctls: []
1465
supplementalGroups: []
1466
fsGroup: 1001
1467
## Default backend containers' Security Context (only main container)
1468
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
1469
## @param defaultBackend.containerSecurityContext.enabled Enabled defaultBackend containers' Security Context
1470
## @param defaultBackend.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
1471
## @param defaultBackend.containerSecurityContext.runAsUser Set defaultBackend containers' Security Context runAsUser
1472
## @param defaultBackend.containerSecurityContext.runAsGroup Set defaultBackend containers' Security Context runAsGroup
1473
## @param defaultBackend.containerSecurityContext.runAsNonRoot Set defaultBackend containers' Security Context runAsNonRoot
1474
## @param defaultBackend.containerSecurityContext.readOnlyRootFilesystem Set read only root file system pod's Security Conte
1475
## @param defaultBackend.containerSecurityContext.privileged Set defaultBackend container's Security Context privileged
1476
## @param defaultBackend.containerSecurityContext.allowPrivilegeEscalation Set defaultBackend container's Security Context allowPrivilegeEscalation
1477
## @param defaultBackend.containerSecurityContext.capabilities.drop List of capabilities to be dropped
1478
## @param defaultBackend.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
1479
##
1480
containerSecurityContext:
1481
enabled: true
1482
seLinuxOptions: {}
1483
runAsUser: 1001
1484
runAsGroup: 1001
1485
runAsNonRoot: true
1486
privileged: false
1487
allowPrivilegeEscalation: false
1488
capabilities:
1489
drop: ["ALL"]
1490
seccompProfile:
1491
type: "RuntimeDefault"
1492
readOnlyRootFilesystem: true
1493
## Default backend containers' resource requests and limits
1494
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
1495
## We usually recommend not to specify default resources and to leave this as a conscious
1496
## choice for the user. This also increases chances charts run on environments with little
1497
## resources, such as Minikube.
1498
## @param defaultBackend.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if defaultBackend.resources is set (defaultBackend.resources is recommended for production).
1499
##
1500
resourcesPreset: "nano"
1501
## @param defaultBackend.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
1502
## Example:
1503
## resources:
1504
## requests:
1505
## cpu: 2
1506
## memory: 512Mi
1507
## limits:
1508
## cpu: 3
1509
## memory: 1024Mi
1510
##
1511
resources: {}
1512
## Default backend containers' liveness probe. Evaluated as a template.
1513
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
1514
## @param defaultBackend.livenessProbe.enabled Enable livenessProbe
1515
## @param defaultBackend.livenessProbe.httpGet [object] Path, port and scheme for the livenessProbe
1516
## @param defaultBackend.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
1517
## @param defaultBackend.livenessProbe.periodSeconds Period seconds for livenessProbe
1518
## @param defaultBackend.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
1519
## @param defaultBackend.livenessProbe.failureThreshold Failure threshold for livenessProbe
1520
## @param defaultBackend.livenessProbe.successThreshold Success threshold for livenessProbe
1521
##
1522
livenessProbe:
1523
enabled: true
1524
failureThreshold: 3
1525
initialDelaySeconds: 30
1526
periodSeconds: 10
1527
successThreshold: 1
1528
timeoutSeconds: 5
1529
## Default backend containers' readiness probe. Evaluated as a template.
1530
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
1531
## @param defaultBackend.readinessProbe.enabled Enable readinessProbe
1532
## @param defaultBackend.readinessProbe.httpGet [object] Path, port and scheme for the readinessProbe
1533
## @param defaultBackend.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
1534
## @param defaultBackend.readinessProbe.periodSeconds Period seconds for readinessProbe
1535
## @param defaultBackend.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
1536
## @param defaultBackend.readinessProbe.failureThreshold Failure threshold for readinessProbe
1537
## @param defaultBackend.readinessProbe.successThreshold Success threshold for readinessProbe
1538
##
1539
readinessProbe:
1540
enabled: true
1541
failureThreshold: 6
1542
initialDelaySeconds: 0
1543
periodSeconds: 5
1544
successThreshold: 1
1545
timeoutSeconds: 5
1546
## @param defaultBackend.startupProbe.enabled Enable/disable the startup probe
1547
## @param defaultBackend.startupProbe.initialDelaySeconds Delay before startup probe is initiated
1548
## @param defaultBackend.startupProbe.periodSeconds How often to perform the probe
1549
## @param defaultBackend.startupProbe.timeoutSeconds When the probe times out
1550
## @param defaultBackend.startupProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded.
1551
## @param defaultBackend.startupProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed.
1552
##
1553
startupProbe:
1554
enabled: false
1555
initialDelaySeconds: 15
1556
periodSeconds: 10
1557
timeoutSeconds: 5
1558
failureThreshold: 3
1559
successThreshold: 1
1560
## @param defaultBackend.customLivenessProbe [object] Override default liveness probe, it overrides the default one (evaluated as a template)
1561
##
1562
customLivenessProbe: {}
1563
## @param defaultBackend.customReadinessProbe [object] Override default readiness probe, it overrides the default one (evaluated as a template)
1564
##
1565
customReadinessProbe: {}
1566
## @param defaultBackend.customStartupProbe Override default startup probe
1567
##
1568
customStartupProbe: {}
1569
## @param defaultBackend.podLabels [object] Extra labels for Controller pods
1570
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
1571
##
1572
podLabels: {}
1573
## @param defaultBackend.podAnnotations [object] Annotations for Controller pods
1574
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
1575
##
1576
podAnnotations: {}
1577
## @param defaultBackend.priorityClassName Priority class assigned to the pods
1578
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
1579
##
1580
priorityClassName: ""
1581
## @param defaultBackend.schedulerName Name of the k8s scheduler (other than default)
1582
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
1583
##
1584
schedulerName: ""
1585
## @param defaultBackend.terminationGracePeriodSeconds In seconds, time the given to the default backend pod needs to terminate gracefully
1586
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
1587
##
1588
terminationGracePeriodSeconds: 60
1589
## @param defaultBackend.topologySpreadConstraints Topology Spread Constraints for pod assignment
1590
## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
1591
## The value is evaluated as a template
1592
##
1593
topologySpreadConstraints: []
1594
## @param defaultBackend.podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
1595
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
1596
## Allowed values: soft, hard
1597
##
1598
podAffinityPreset: ""
1599
## @param defaultBackend.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
1600
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
1601
## Allowed values: soft, hard
1602
##
1603
podAntiAffinityPreset: soft
1604
## Node affinity preset
1605
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
1606
## @param defaultBackend.nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
1607
## @param defaultBackend.nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set.
1608
## @param defaultBackend.nodeAffinityPreset.values [array] Node label values to match. Ignored if `affinity` is set.
1609
##
1610
nodeAffinityPreset:
1611
type: ""
1612
key: ""
1613
## E.g.
1614
## values:
1615
## - e2e-az1
1616
## - e2e-az2
1617
##
1618
values: []
1619
## @param defaultBackend.affinity [object] Affinity for pod assignment. Evaluated as a template.
1620
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
1621
## Note: defaultBackend.podAffinityPreset, defaultBackend.podAntiAffinityPreset, and defaultBackend.nodeAffinityPreset will be ignored when it's set
1622
##
1623
affinity: {}
1624
## @param defaultBackend.nodeSelector [object] Node labels for pod assignment. Evaluated as a template.
1625
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
1626
##
1627
nodeSelector: {}
1628
## @param defaultBackend.tolerations [array] Tolerations for pod assignment. Evaluated as a template.
1629
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
1630
##
1631
tolerations: []
1632
## Default backend Service parameters
1633
## @param defaultBackend.service.type Service type
1634
## @param defaultBackend.service.ports.http Service port
1635
## @param defaultBackend.service.annotations Annotations to add to the service
1636
##
1637
service:
1638
type: ClusterIP
1639
ports:
1640
http: 80
1641
annotations: {}
1642
## Network Policies
1643
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
1644
##
1645
networkPolicy:
1646
## @param defaultBackend.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
1647
##
1648
enabled: true
1649
## @param defaultBackend.networkPolicy.allowExternal Don't require server label for connections
1650
## The Policy model to apply. When set to false, only pods with the correct
1651
## server label will have network access to the ports server is listening
1652
## on. When true, server will accept connections from any source
1653
## (with the correct destination port).
1654
##
1655
allowExternal: true
1656
## @param defaultBackend.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
1657
##
1658
allowExternalEgress: true
1659
## @param defaultBackend.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
1660
## e.g:
1661
## extraIngress:
1662
## - ports:
1663
## - port: 1234
1664
## from:
1665
## - podSelector:
1666
## - matchLabels:
1667
## - role: frontend
1668
## - podSelector:
1669
## - matchExpressions:
1670
## - key: role
1671
## operator: In
1672
## values:
1673
## - frontend
1674
extraIngress: []
1675
## @param defaultBackend.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
1676
## e.g:
1677
## extraEgress:
1678
## - ports:
1679
## - port: 1234
1680
## to:
1681
## - podSelector:
1682
## - matchLabels:
1683
## - role: frontend
1684
## - podSelector:
1685
## - matchExpressions:
1686
## - key: role
1687
## operator: In
1688
## values:
1689
## - frontend
1690
##
1691
extraEgress: []
1692
## @param defaultBackend.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
1693
## @param defaultBackend.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
1694
##
1695
ingressNSMatchLabels: {}
1696
ingressNSPodMatchLabels: {}
1697
## PodDisruptionBudget for default backend
1698
## Default backend Pod Disruption Budget configuration
1699
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
1700
## @param defaultBackend.pdb.create Enable Pod Disruption Budget configuration
1701
## @param defaultBackend.pdb.minAvailable Minimum number/percentage of Default backend pods that should remain scheduled
1702
## @param defaultBackend.pdb.maxUnavailable Maximum number/percentage of Default backend pods that should remain scheduled
1703
##
1704
pdb:
1705
create: true
1706
minAvailable: ""
1707
maxUnavailable: ""
1708
## Ingress parameters
1709
##
1710
ingress:
1711
## @param ingress.enabled Ingress configuration enabled
1712
## Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
1713
##
1714
## Enable Ingress.
1715
##
1716
enabled: false
1717
## @param ingress.apiVersion Force Ingress API version (automatically detected if not set)
1718
##
1719
apiVersion: ""
1720
## @param ingress.certManager Add annotations for cert-manager
1721
##
1722
certManager: false
1723
## @param ingress.annotations Annotations to be added to the web ingress.
1724
## Example:
1725
## kubernetes.io/ingress.class: nginx
1726
## kubernetes.io/tls-acme: 'true'
1727
##
1728
annotations: {}
1729
## Either `hosts` or `rulesOverride` must be provided if Ingress is enabled.
1730
## `hosts` sets up the Ingress with default rules per provided hostname.
1731
## @param ingress.hostname Hostname for the Ingress object
1732
##
1733
hostname: contour.local
1734
## @param ingress.path The Path to Concourse
1735
##
1736
path: /
1737
## @param ingress.rulesOverride Ingress rules override
1738
## Either `hosts` or `rulesOverride` must be provided if Ingress is enabled.
1739
## `rulesOverride` allows the user to define the full set of ingress rules, for more complex Ingress setups.
1740
##
1741
rulesOverride: []
1742
## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
1743
##
1744
selfSigned: false
1745
## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
1746
##
1747
ingressClassName: ""
1748
## @param ingress.extraPaths Add additional arbitrary paths that may need to be added to the ingress under the main host.
1749
## For example: The ALB ingress controller requires a special rule for handling SSL redirection.
1750
##
1751
extraPaths: []
1752
## @param ingress.tls TLS configuration.
1753
## Secrets must be manually created in the namespace.
1754
## Example:
1755
## - secretName: concourse-web-tls
1756
## hosts:
1757
## - concourse.domain.com
1758
##
1759
tls: false
1760
## @param ingress.pathType Ingress Path type
1761
##
1762
pathType: ImplementationSpecific
1763
## @param ingress.extraHosts The list of additional hostnames to be covered with this ingress record.
1764
## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array
1765
## extraHosts:
1766
## - name: concourse.local
1767
## path: /
1768
##
1769
extraHosts: []
1770
## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
1771
## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
1772
## extraTls:
1773
## - hosts:
1774
## - concourse.local
1775
## secretName: concourse.local-tls
1776
##
1777
extraTls: []
1778
## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets
1779
## key and certificate should start with -----BEGIN CERTIFICATE----- or
1780
## -----BEGIN RSA PRIVATE KEY-----
1781
##
1782
## name should line up with a tlsSecret set further up
1783
## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
1784
##
1785
## It is also possible to create and manage the certificates outside of this helm chart
1786
## Please see README.md for more information
1787
## Example:
1788
## - name: concourse.local-tls
1789
## key:
1790
## certificate:
1791
##
1792
secrets: []
1793
## @param ingress.extraRules Additional rules to be covered with this ingress record
1794
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
1795
## e.g:
1796
## extraRules:
1797
## - host: example.local
1798
## http:
1799
## path: /
1800
## backend:
1801
## service:
1802
## name: example-svc
1803
## port:
1804
## name: http
1805
##
1806
extraRules: []
1807
## @section Metrics parameters
1808
##
1809
metrics:
1810
## Prometheus Operator service monitors
1811
##
1812
serviceMonitor:
1813
## @param metrics.serviceMonitor.namespace Specify if the servicemonitors will be deployed into a different namespace (blank deploys into same namespace as chart)
1814
##
1815
namespace: ""
1816
## @param metrics.serviceMonitor.enabled Specify if a servicemonitor will be deployed for prometheus-operator.
1817
##
1818
enabled: false
1819
## @param metrics.serviceMonitor.jobLabel Specify the jobLabel to use for the prometheus-operator
1820
##
1821
jobLabel: "app.kubernetes.io/name"
1822
## @param metrics.serviceMonitor.interval Specify the scrape interval if not specified use default prometheus scrapeIntervall, the Prometheus default scrape interval is used.
1823
##
1824
interval: ""
1825
## @param metrics.serviceMonitor.metricRelabelings [array] Specify additional relabeling of metrics.
1826
##
1827
metricRelabelings: []
1828
## @param metrics.serviceMonitor.relabelings [array] Specify general relabeling.
1829
##
1830
relabelings: []
1831
## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint
1832
##
1833
honorLabels: false
1834
## @param metrics.serviceMonitor.scrapeTimeout The timeout after which the scrape is ended
1835
##
1836
scrapeTimeout: ""
1837
## @param metrics.serviceMonitor.selector Specify honorLabels parameter to add the scrape endpoint
1838
##
1839
selector: {}
1840
## @param metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
1841
##
1842
labels: {}
1843
## Prometheus Operator prometheusRules
1844
##
1845
prometheusRule:
1846
## @param metrics.prometheusRule.enabled Creates a Prometheus Operator prometheusRule
1847
##
1848
enabled: false
1849
## @param metrics.prometheusRule.namespace Namespace for the prometheusRule Resource (defaults to the Release Namespace)
1850
##
1851
namespace: ""
1852
## @param metrics.prometheusRule.additionalLabels Additional labels that can be used so prometheusRule will be discovered by Prometheus
1853
##
1854
additionalLabels: {}
1855
## @param metrics.prometheusRule.rules Prometheus Rule definitions
1856
##
1857
rules: []
1858
## @section Other parameters
1859
##
1860
1861
## @param rbac.create Create the RBAC roles for API accessibility
1862
##
1863
rbac:
1864
create: true
1865
## @param rbac.rules [array] Custom RBAC rules to set
1866
## e.g:
1867
## rules:
1868
## - apiGroups:
1869
## - ""
1870
## resources:
1871
## - pods
1872
## verbs:
1873
## - get
1874
## - list
1875
##
1876
rules: []
1877
## @param tlsExistingSecret Name of the existingSecret to be use in both contour and envoy. If it is not nil `contour.certgen` will be disabled.
1878
##
1879
tlsExistingSecret: ""
1880
## @param useCertManager Use Cert-manager instead of Contour certgen to issue certificates for TLS connection between Contour and Envoy.
1881
useCertManager: false
1882
The trusted source for open source
Talk to an expertProduct
Customers
© 2026 Chainguard, Inc. All Rights Reserved.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.