kong

Helm chart
Default values
# This file has been modified by Chainguard, Inc.
#
# Copyright Chainguard, Inc. All Rights Reserved.
# Chainguard, Inc. modifications are subject to the license
# available at: https://www.chainguard.dev/legal/software-license-agreement
#
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0

## @section Global parameters
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry, imagePullSecrets, defaultStorageClass and compatibility
##

## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
##
global:
  imageRegistry: ""
  ## E.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  ##
  imagePullSecrets: []
  defaultStorageClass: ""
  ## Security parameters
  ##
  security:
    ## @param global.security.allowInsecureImages Allows skipping image verification
    ##
    allowInsecureImages: false
  ## Compatibility adaptations for Kubernetes platforms
  ##
  compatibility:
    ## Compatibility adaptations for Openshift
    ##
    openshift:
      ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
      ##
      adaptSecurityContext: auto
  org: ""
## @section Common parameters
##

## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set)
##
kubeVersion: ""
## @param apiVersions Override Kubernetes API versions reported by .Capabilities
##
apiVersions: []
## @param nameOverride String to partially override common.names.fullname template with a string (will prepend the release name)
##
nameOverride: ""
## @param fullnameOverride String to fully override common.names.fullname template with a string
##
fullnameOverride: ""
## @param commonAnnotations Common annotations to add to all Kong resources (sub-charts are not considered). Evaluated as a template
##
commonAnnotations: {}
## @param commonLabels Common labels to add to all Kong resources (sub-charts are not considered). Evaluated as a template
##
commonLabels: {}
## @param clusterDomain Kubernetes cluster domain
##
clusterDomain: cluster.local
## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template).
##
extraDeploy: []
## @param usePasswordFiles Mount credentials as files instead of using environment variables
##
usePasswordFiles: true
## Enable diagnostic mode in the daemonset/deployment
##
diagnosticMode:
  ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
  ##
  enabled: false
  ## @param diagnosticMode.command Command to override all containers in the daemonset/deployment
  ##
  command:
    - sleep
  ## @param diagnosticMode.args Args to override all containers in the daemonset/deployment
  ##
  args:
    - infinity
## @section Kong common parameters
##

## Iamguarded kong image version
## @param image.registry [default: REGISTRY_NAME] kong image registry
## @param image.repository [default: REPOSITORY_NAME/kong] kong image repository
## @skip image.tag kong image tag (immutable tags are recommended)
## @param image.digest kong image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
## @param image.pullPolicy kong image pull policy
## @param image.pullSecrets Specify docker-registry secret names as an array
## @param image.debug Enable image debug mode
##
image:
  registry: cgr.dev
  repository: chainguard-private/kong-iamguarded
  tag: 3.9.1
  digest: ""
  ## Specify an imagePullPolicy
  ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
  ##
  pullPolicy: IfNotPresent
  ## Optionally specify an array of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ## E.g:
  ## pullSecrets:
  ##   - myRegistryKeySecretName
  ##
  pullSecrets: []
  ## Enable debug mode
  ##
  debug: false
## @param database Select which database backend Kong will use. Can be 'postgresql', 'cassandra' or 'off'
##
database: postgresql
## @section Kong deployment / daemonset parameters
##

## @param useDaemonset Use a daemonset instead of a deployment. `replicaCount` will not take effect.
##
useDaemonset: false
## @param replicaCount Number of Kong replicas
##
replicaCount: 2
## Kong containers' Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param containerSecurityContext.enabled Enabled containers' Security Context
## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param containerSecurityContext.privileged Set container's Security Context privileged
## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped
## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
##
containerSecurityContext:
  enabled: true
  seLinuxOptions: {}
  runAsUser: 1001
  runAsGroup: 1001
  runAsNonRoot: true
  privileged: false
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
  seccompProfile:
    type: "RuntimeDefault"
## Kong pods' Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param podSecurityContext.enabled Enabled Kong pods' Security Context
## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param podSecurityContext.supplementalGroups Set filesystem extra groups
## @param podSecurityContext.fsGroup Set Kong pod's Security Context fsGroup
##
podSecurityContext:
  enabled: true
  fsGroupChangePolicy: Always
  sysctls: []
  supplementalGroups: []
  fsGroup: 1001
## @param updateStrategy.type Kong update strategy
## @param updateStrategy.rollingUpdate Kong deployment rolling update configuration parameters
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
## Note: Set to Recreate if you use a persistent volume that cannot be mounted by more than one pod, to make sure the pods are destroyed first.
## E.g:
## updateStrategy:
##   type: RollingUpdate
##   rollingUpdate:
##     maxSurge: 25%
##     maxUnavailable: 25%
##
updateStrategy:
  type: RollingUpdate
  rollingUpdate: {}
## @param automountServiceAccountToken Mount Service Account token in pod
##
automountServiceAccountToken: true
## @param hostAliases Add deployment host aliases
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
##
hostAliases: []
## @param topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
##
topologySpreadConstraints: []
## @param priorityClassName Priority Class Name
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
##
priorityClassName: ""
## @param schedulerName Use an alternate scheduler, e.g. "stork".
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
schedulerName: ""
## @param terminationGracePeriodSeconds Seconds Kong pod needs to terminate gracefully
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
##
terminationGracePeriodSeconds: ""
## @param podAnnotations Additional pod annotations
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
##
podAnnotations: {}
## @param podLabels Additional pod labels
## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
##
podLabels: {}
## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
podAffinityPreset: ""
## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
podAntiAffinityPreset: soft
## Node affinity preset
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
##
nodeAffinityPreset:
  ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ##
  type: ""
  ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set.
  ## E.g.
  ## key: "kubernetes.io/e2e-az-name"
  ##
  key: ""
  ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set.
  ## E.g.
  ## values:
  ##   - e2e-az1
  ##   - e2e-az2
  ##
  values: []
## @param affinity Affinity for pod assignment
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
## Note: `podAffinityPreset`, `podAntiAffinityPreset`, and `nodeAffinityPreset` will be ignored when it's set
##
affinity: {}
## @param nodeSelector Node labels for pod assignment
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
##
nodeSelector: {}
## @param tolerations Tolerations for pod assignment
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
## @param extraVolumes Array of extra volumes to be added to the Kong deployment (evaluated as template). Requires setting `extraVolumeMounts`
##
extraVolumes: []
## @param initContainers Add additional init containers to the Kong pods
## e.g.
##   - name: your-image-name
##     image: your-image
##     imagePullPolicy: Always
##     ports:
##       - name: portname
##         containerPort: 1234
##
initContainers: []
## @param sidecars Add additional sidecar containers to the Kong pods
## e.g.
##   - name: your-image-name
##     image: your-image
##     imagePullPolicy: Always
##     ports:
##       - name: portname
##         containerPort: 1234
##
sidecars: []
## Add a horizontal pod autoscaler
## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
## @param autoscaling.enabled Deploy a HorizontalPodAutoscaler object for the Kong deployment
## @param autoscaling.minReplicas Minimum number of replicas to scale back
## @param autoscaling.maxReplicas Maximum number of replicas to scale out
## @param autoscaling.metrics [array] Metrics to use when deciding to scale the deployment (evaluated as a template)
##
autoscaling:
  enabled: false
  minReplicas: 2
  maxReplicas: 5
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 80
## Kong Pod Disruption Budget
## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
## @param pdb.create Deploy a PodDisruptionBudget object for Kong deployment
## @param pdb.minAvailable Minimum available Kong replicas (expressed in percentage)
## @param pdb.maxUnavailable Maximum unavailable Kong replicas (expressed in percentage)
##
pdb:
  create: true
  minAvailable: ""
  maxUnavailable: "50%"
## @section Kong Container Parameters
##
kong:
  ## @param kong.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param kong.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param kong.initScriptsCM Configmap with init scripts to execute
  ## ConfigMap containing `/docker-entrypoint-initdb.d` scripts to be executed at initialization time (evaluated as a template)
  ##
  initScriptsCM: ""
  ## @param kong.initScriptsSecret Secret with init scripts to execute
  ## Secret containing `/docker-entrypoint-initdb.d` scripts to be executed at initialization time (that contain sensitive data). Evaluated as a template.
  ##
  initScriptsSecret: ""
  ## @param kong.declarativeConfig Declarative configuration to be loaded by Kong (evaluated as a template)
  ## https://docs.konghq.com/gateway/latest/production/deployment-topologies/db-less-and-declarative-config/
  ##
  declarativeConfig: ""
  ## @param kong.declarativeConfigCM Configmap with declarative configuration to be loaded by Kong (evaluated as a template)
  ## https://docs.konghq.com/gateway/latest/production/deployment-topologies/db-less-and-declarative-config/
  ##
  declarativeConfigCM: ""
  ## @param kong.extraEnvVars Array containing extra env vars to configure Kong
  ## For example:
  ## extraEnvVars:
  ##   - name: GF_DEFAULT_INSTANCE_NAME
  ##     value: my-instance
  ##
  extraEnvVars: []
  ## @param kong.extraEnvVarsCM ConfigMap containing extra env vars to configure Kong
  ##
  extraEnvVarsCM: ""
  ## @param kong.extraEnvVarsSecret Secret containing extra env vars to configure Kong (in case of sensitive data)
  ##
  extraEnvVarsSecret: ""
  ## @param kong.extraVolumeMounts Array of extra volume mounts to be added to the Kong Container (evaluated as template). Normally used with `extraVolumes`.
  ##
  extraVolumeMounts: []
  ## @param kong.containerPorts.proxyHttp Kong proxy HTTP container port
  ## @param kong.containerPorts.proxyHttps Kong proxy HTTPS container port
  ## @param kong.containerPorts.adminHttp Kong admin HTTP container port
  ## @param kong.containerPorts.adminHttps Kong admin HTTPS container port
  ##
  containerPorts:
    proxyHttp: 8000
    proxyHttps: 8443
    adminHttp: 8001
    adminHttps: 8444
  ## Container resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param kong.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if kong.resources is set (kong.resources is recommended for production).
  ##
  resourcesPreset: "medium"
  ## @param kong.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Configure extra options for Kong containers' liveness, readiness and startup probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
  ## @param kong.livenessProbe.enabled Enable livenessProbe on Kong containers
  ## @param kong.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param kong.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param kong.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param kong.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param kong.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 120
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  ## @param kong.readinessProbe.enabled Enable readinessProbe on Kong containers
  ## @param kong.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param kong.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param kong.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param kong.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param kong.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 30
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  ## @param kong.startupProbe.enabled Enable startupProbe on Kong containers
  ## @param kong.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param kong.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param kong.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param kong.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param kong.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 10
    periodSeconds: 15
    timeoutSeconds: 3
    failureThreshold: 20
    successThreshold: 1
  ## @param kong.customLivenessProbe Override default liveness probe (kong container)
  ##
  customLivenessProbe: {}
  ## @param kong.customReadinessProbe Override default readiness probe (kong container)
  ##
  customReadinessProbe: {}
  ## @param kong.customStartupProbe Override default startup probe (kong container)
  ##
  customStartupProbe: {}
  ## @param kong.lifecycleHooks Lifecycle hooks (kong container)
  ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
  ##
  lifecycleHooks: {}
## @section Traffic Exposure Parameters
##

## Service parameters
##
service:
  ## @param service.type Kubernetes Service type
  ##
  type: ClusterIP
  ## @param service.exposeAdmin Add the Kong Admin ports to the service
  ##
  exposeAdmin: false
  ## @param service.disableHttpPort Disable Kong proxy HTTP and Kong admin HTTP ports
  ##
  disableHttpPort: false
  ## @param service.ports.proxyHttp Kong proxy service HTTP port
  ## @param service.ports.proxyHttps Kong proxy service HTTPS port
  ## @param service.ports.adminHttp Kong admin service HTTP port (only if service.exposeAdmin=true)
  ## @param service.ports.adminHttps Kong admin service HTTPS port (only if service.exposeAdmin=true)
  ##
  ports:
    proxyHttp: 80
    proxyHttps: 443
    adminHttp: 8001
    adminHttps: 8444
  ## @param service.nodePorts.proxyHttp NodePort for the Kong proxy HTTP endpoint
  ## @param service.nodePorts.proxyHttps NodePort for the Kong proxy HTTPS endpoint
  ## @param service.nodePorts.adminHttp NodePort for the Kong admin HTTP endpoint
  ## @param service.nodePorts.adminHttps NodePort for the Kong admin HTTPS endpoint
  ## NOTE: choose port between <30000-32767>
  ##
  nodePorts:
    proxyHttp: ""
    proxyHttps: ""
    adminHttp: ""
    adminHttps: ""
  ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin
  ## Values: ClientIP or None
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
  ##
  sessionAffinity: None
  ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
  ## sessionAffinityConfig:
  ##   clientIP:
  ##     timeoutSeconds: 300
  ##
  sessionAffinityConfig: {}
  ## @param service.clusterIP Cluster internal IP of the service
  ## This is the internal IP address of the service and is usually assigned randomly.
  ## ref: https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/#ServiceSpec
  ##
  clusterIP: ""
  ## @param service.externalTrafficPolicy external traffic policy managing client source IP preservation
  ## default to "Cluster"
  ## set to "Local" in order to preserve the client source IP (only on service of type LoadBalancer or NodePort)
  ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/
  ##
  externalTrafficPolicy: ""
  ## @param service.loadBalancerIP loadBalancerIP if kong service type is `LoadBalancer`
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
  ##
  loadBalancerIP: ""
  ## @param service.loadBalancerSourceRanges Kong service Load Balancer sources
  ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
  ## e.g:
  ## loadBalancerSourceRanges:
  ##   - 10.10.10.0/24
  ##
  loadBalancerSourceRanges: []
  ## @param service.annotations Annotations for Kong service
  ## set the LoadBalancer service type to internal only.
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
  ##
  annotations: {}
  ## @param service.extraPorts Extra ports to expose (normally used with the `sidecar` value)
  ##
  extraPorts: []
## Network Policies
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
networkPolicy:
  ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created
  ##
  enabled: true
  ## @param networkPolicy.allowExternal Don't require server label for connections
  ## The Policy model to apply. When set to false, only pods with the correct
  ## server label will have network access to the ports server is listening
  ## on. When true, server will accept connections from any source
  ## (with the correct destination port).
  ##
  allowExternal: true
  ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
  ##
  allowExternalEgress: true
  ## @param networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
  ##
  kubeAPIServerPorts: [443, 6443, 8443]
  ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
  ## e.g:
  ## extraIngress:
  ##   - ports:
  ##       - port: 1234
  ##     from:
  ##       - podSelector:
  ##           matchLabels:
  ##             role: frontend
  ##       - podSelector:
  ##           matchExpressions:
  ##             - key: role
  ##               operator: In
  ##               values:
  ##                 - frontend
  extraIngress: []
  ## @param networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
  ## e.g:
  ## extraEgress:
  ##   - ports:
  ##       - port: 1234
  ##     to:
  ##       - podSelector:
  ##           matchLabels:
  ##             role: frontend
  ##       - podSelector:
  ##           matchExpressions:
  ##             - key: role
  ##               operator: In
  ##               values:
  ##                 - frontend
  ##
  extraEgress: []
  ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
  ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
  ##
  ingressNSMatchLabels: {}
  ingressNSPodMatchLabels: {}
## Configure the ingress resource that allows you to access the
## Kong installation. Set up the URL
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
##
ingress:
  ## @param ingress.enabled Enable ingress controller resource
  ##
  enabled: false
  ## @param ingress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
  ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster.
  ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
  ##
  ingressClassName: ""
  ## @param ingress.pathType Ingress path type
  ##
  pathType: ImplementationSpecific
  ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set)
  ##
  apiVersion: ""
  ## @param ingress.hostname Default host for the ingress resource
  ##
  hostname: kong.local
  ## @param ingress.path Ingress path
  ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers
  ##
  path: /
  ## @param ingress.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
  ## Use this parameter to set the required annotations for cert-manager, see
  ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
  ## e.g:
  ## annotations:
  ##   kubernetes.io/ingress.class: nginx
  ##   cert-manager.io/cluster-issuer: cluster-issuer-name
  ##
  annotations: {}
  ## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter
  ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`
  ## You can:
  ##   - Use the `ingress.secrets` parameter to create this TLS secret
  ##   - Rely on cert-manager to create it by setting the corresponding annotations
  ##   - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
  ##
  tls: false
  ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
  ##
  selfSigned: false
  ## @param ingress.extraHosts The list of additional hostnames to be covered with this ingress record.
  ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array
  ## extraHosts:
  ## - name: kong.local
  ##   path: /
  ##
  extraHosts: []
  ## @param ingress.extraPaths Additional arbitrary path/backend objects
  ## For example: The ALB ingress controller requires a special rule for handling SSL redirection.
  ## extraPaths:
  ## - path: /*
  ##   backend:
  ##     serviceName: ssl-redirect
  ##     servicePort: use-annotation
  ##
  extraPaths: []
  ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
  ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
  ## extraTls:
  ## - hosts:
  ##     - kong.local
  ##   secretName: kong.local-tls
  ##
  extraTls: []
  ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets
  ## key and certificate should start with -----BEGIN CERTIFICATE----- or
  ## -----BEGIN RSA PRIVATE KEY-----
  ##
  ## name should line up with a tlsSecret set further up
  ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
  ##
  ## It is also possible to create and manage the certificates outside of this helm chart
  ## Please see README.md for more information
  ## e.g:
  ## secrets:
  ##   - name: kong.local-tls
  ##     key:
  ##     certificate:
  ##
  ##
  secrets: []
  ## @param ingress.extraRules Additional rules to be covered with this ingress record
  ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
  ## e.g:
  ## extraRules:
  ## - host: example.local
  ##   http:
  ##     path: /
  ##     backend:
  ##       service:
  ##         name: example-svc
  ##         port:
  ##           name: http
  ##
  extraRules: []
668
## @section Kong Ingress Controller Container Parameters
669
##
670
ingressController:
671
## @param ingressController.enabled Enable/disable the Kong Ingress Controller
672
##
673
enabled: true
674
## @param ingressController.image.registry [default: REGISTRY_NAME] Kong Ingress Controller image registry
675
## @param ingressController.image.repository [default: REPOSITORY_NAME/kong-ingress-controller] Kong Ingress Controller image name
676
## @skip ingressController.image.tag Kong Ingress Controller image tag
677
## @param ingressController.image.digest Kong Ingress Controller image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
678
## @param ingressController.image.pullPolicy Kong Ingress Controller image pull policy
679
## @param ingressController.image.pullSecrets Specify docker-registry secret names as an array
680
##
681
image:
682
registry: cgr.dev
683
repository: chainguard-private/kong-ingress-controller-iamguarded
684
tag: 3.5.4
685
digest: ""
686
## Specify a imagePullPolicy
687
## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
688
##
689
pullPolicy: IfNotPresent
690
## Optionally specify an array of imagePullSecrets.
691
## Secrets must be manually created in the namespace.
692
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
693
## E.g:
694
## pullSecrets:
695
## - myRegistryKeySecretName
696
##
697
pullSecrets: []
  ## @param ingressController.proxyReadyTimeout Maximum time (in seconds) to wait for the Kong container to be ready
  ##
  proxyReadyTimeout: 300
  ## @param ingressController.ingressClass Name of the class to register Kong Ingress Controller (useful when having other Ingress Controllers in the cluster)
  ##
  ingressClass: kong
  ## @param ingressController.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param ingressController.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param ingressController.extraEnvVars Array containing extra env vars to configure Kong
  ## For example:
  ## extraEnvVars:
  ## - name: GF_DEFAULT_INSTANCE_NAME
  ##   value: my-instance
  ##
  extraEnvVars: []
  ## @param ingressController.extraEnvVarsCM ConfigMap containing extra env vars to configure Kong Ingress Controller
  ##
  extraEnvVarsCM: ""
  ## @param ingressController.extraEnvVarsSecret Secret containing extra env vars to configure Kong Ingress Controller (in case of sensitive data)
  ##
  extraEnvVarsSecret: ""
  ## @param ingressController.extraVolumeMounts Array of extra volume mounts to be added to the Kong Ingress Controller container (evaluated as template). Normally used with `extraVolumes`.
  ##
  extraVolumeMounts: []
  ## @param ingressController.containerPorts.health Kong Ingress Controller health container port
  ##
  containerPorts:
    health: 10254
  ## Container resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param ingressController.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if ingressController.resources is set (ingressController.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param ingressController.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Configure extra options for Kong Ingress Controller containers' liveness, readiness and startup probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
  ## @param ingressController.livenessProbe.enabled Enable livenessProbe on Kong Ingress Controller containers
  ## @param ingressController.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param ingressController.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param ingressController.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param ingressController.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param ingressController.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 120
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  ## @param ingressController.readinessProbe.enabled Enable readinessProbe on Kong Ingress Controller containers
  ## @param ingressController.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param ingressController.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param ingressController.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param ingressController.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param ingressController.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 30
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  ## @param ingressController.startupProbe.enabled Enable startupProbe on Kong Ingress Controller containers
  ## @param ingressController.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param ingressController.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param ingressController.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param ingressController.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param ingressController.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 10
    periodSeconds: 15
    timeoutSeconds: 3
    failureThreshold: 20
    successThreshold: 1
  ## @param ingressController.customLivenessProbe Override default liveness probe (Kong Ingress Controller container)
  ##
  customLivenessProbe: {}
  ## @param ingressController.customReadinessProbe Override default readiness probe (Kong Ingress Controller container)
  ##
  customReadinessProbe: {}
  ## @param ingressController.customStartupProbe Override default startup probe (Kong Ingress Controller container)
  ##
  customStartupProbe: {}
  ## @param ingressController.lifecycleHooks Lifecycle hooks (Kong Ingress Controller container)
  ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
  ##
  lifecycleHooks: {}
  ## @param ingressController.serviceAccount.create Enable the creation of a ServiceAccount for Kong pods
  ## @param ingressController.serviceAccount.name Name of the created ServiceAccount (name generated using common.names.fullname template otherwise)
  ## @param ingressController.serviceAccount.automountServiceAccountToken Auto-mount the service account token in the pod
  ## @param ingressController.serviceAccount.annotations Additional custom annotations for the ServiceAccount
  ##
  serviceAccount:
    create: true
    name: ""
    automountServiceAccountToken: false
    annotations: {}
  ## @param ingressController.rbac.create Create the necessary RBAC resources for the Ingress Controller to work
  ## @param ingressController.rbac.rules Custom RBAC rules
  ##
  rbac:
    create: true
    ## Example:
    ## rules:
    ##   - apiGroups:
    ##       - ""
    ##     resources:
    ##       - pods
    ##     verbs:
    ##       - get
    ##       - list
    ##
    rules: []
## @section Kong Migration job Parameters
##
migration:
  ## In case you want to use a custom image for Kong migration, set this value
  ## image:
  ##   registry:
  ##   repository:
  ##   tag:
  ##   digest: ""
  ##
  ## @param migration.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param migration.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param migration.extraEnvVars Array containing extra env vars to configure the Kong migration job
  ## For example:
  ## extraEnvVars:
  ## - name: GF_DEFAULT_INSTANCE_NAME
  ##   value: my-instance
  ##
  extraEnvVars: []
  ## @param migration.extraEnvVarsCM ConfigMap containing extra env vars to configure the Kong migration job
  ##
  extraEnvVarsCM: ""
  ## @param migration.extraEnvVarsSecret Secret containing extra env vars to configure the Kong migration job (in case of sensitive data)
  ##
  extraEnvVarsSecret: ""
  ## @param migration.extraVolumeMounts Array of extra volume mounts to be added to the Kong Container (evaluated as template). Normally used with `extraVolumes`.
  ##
  extraVolumeMounts: []
  ## Container resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param migration.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if migration.resources is set (migration.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param migration.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## @param migration.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: true
  ## @param migration.hostAliases Add deployment host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param migration.annotations [object] Add annotations to the job
  ##
  annotations:
    helm.sh/hook: post-install, pre-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  ## @param migration.podLabels Additional pod labels
  ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param migration.podAnnotations Additional pod annotations
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
## @section PostgreSQL Parameters
##

## PostgreSQL chart configuration
## @param postgresql.enabled Switch to enable or disable the PostgreSQL helm chart
## @param postgresql.auth.postgresPassword Password for the "postgres" admin user
## @param postgresql.auth.username Name for a custom user to create
## @param postgresql.auth.password Password for the custom user to create
## @param postgresql.auth.database Name for a custom database to create
## @param postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials
## @param postgresql.architecture PostgreSQL architecture (`standalone` or `replication`)
##
postgresql:
  enabled: true
  auth:
    username: kong
    password: ""
    database: kong
    postgresPassword: ""
    existingSecret: ""
  architecture: standalone
  primary:
    ## PostgreSQL Primary resource requests and limits
    ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
    ## @param postgresql.primary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production).
    ##
    resourcesPreset: "nano"
    ## @param postgresql.primary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
    ## Example:
    ## resources:
    ##   requests:
    ##     cpu: 2
    ##     memory: 512Mi
    ##   limits:
    ##     cpu: 3
    ##     memory: 1024Mi
    ##
    resources: {}
  ## External PostgreSQL configuration
  ## All of these values are only used when postgresql.enabled is set to false
  ## @param postgresql.external.host Database host
  ## @param postgresql.external.port Database port number
  ## @param postgresql.external.user Non-root username for Kong
  ## @param postgresql.external.password Password for the non-root username for Kong
  ## @param postgresql.external.database Kong database name
  ## @param postgresql.external.existingSecret Name of an existing secret resource containing the database credentials
  ## @param postgresql.external.existingSecretPasswordKey Name of an existing secret key containing the database credentials
  ##
  external:
    host: ""
    port: 5432
    user: kong
    password: ""
    database: kong
    existingSecret: ""
    existingSecretPasswordKey: ""
  image:
    digest: ""
    registry: cgr.dev
    repository: chainguard-private/postgres-iamguarded
    tag: 18.3-r3
## @section Cassandra Parameters
959
##
960
961
## Cassandra chart configuration
962
## @param cassandra.enabled Switch to enable or disable the Cassandra helm chart
963
## @param cassandra.dbUser.user Cassandra admin user
964
## @param cassandra.dbUser.password Password for `cassandra.dbUser.user`. Randomly generated if empty
965
## @param cassandra.dbUser.existingSecret Name of existing secret to use for Cassandra credentials
966
## @param cassandra.replicaCount Number of Cassandra replicas
967
##
968
cassandra:
969
enabled: false
970
dbUser:
971
user: kong
972
password: ""
973
existingSecret: ""
974
replicaCount: 1
975
## External Cassandra configuration
976
## All of these values are only used when cassandra.enabled is set to false
977
## @param cassandra.external.hosts List of Cassandra hosts
978
## @param cassandra.external.port Cassandra port number
979
## @param cassandra.external.user Username of the external cassandra installation
980
## @param cassandra.external.password Password of the external cassandra installation
981
## @param cassandra.external.existingSecret Name of an existing secret resource containing the Cassandra credentials
982
## @param cassandra.external.existingSecretPasswordKey Name of an existing secret key containing the Cassandra credentials
983
##
984
external:
985
hosts: []
986
port: 9042
987
user: ""
988
password: ""
989
existingSecret: ""
990
existingSecretPasswordKey: ""
991
## Cassandra pods' resource requests and limits
992
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
993
## Minimum memory for development is 4GB and 2 CPU cores
994
## Minimum memory for production is 8GB and 4 CPU cores
995
## ref: http://docs.datastax.com/en/archived/cassandra/2.0/cassandra/architecture/architecturePlanningHardware_c.html
996
##
997
## We usually recommend not to specify default resources and to leave this as a conscious
998
## choice for the user. This also increases chances charts run on environments with little
999
## resources, such as Minikube. If you do want to specify resources, uncomment the following
1000
## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
1001
## @param cassandra.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
1002
##
1003
resourcesPreset: "large"
1004
## @param cassandra.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
1005
## Example:
1006
## resources:
1007
## requests:
1008
## cpu: 2
1009
## memory: 512Mi
1010
## limits:
1011
## cpu: 3
1012
## memory: 1024Mi
1013
##
1014
resources: {}
1015
image:
1016
digest: ""
1017
registry: cgr.dev
1018
repository: chainguard-private/cassandra-iamguarded
1019
tag: 5.0.6
1020
## @section Metrics Parameters
1021
##
1022
1023
## Prometheus metrics
1024
##
1025
metrics:
1026
## @param metrics.enabled Enable the export of Prometheus metrics
1027
##
1028
enabled: false
1029
## @param metrics.containerPorts.http Prometheus metrics HTTP container port
1030
##
1031
containerPorts:
1032
http: 9119
1033
## Kong metrics service configuration
1034
##
1035
service:
1036
## @param metrics.service.sessionAffinity Control where client requests go, to the same pod or round-robin
1037
## Values: ClientIP or None
1038
## ref: https://kubernetes.io/docs/concepts/services-networking/service/
1039
##
1040
sessionAffinity: None
1041
## @param metrics.service.clusterIP Cluster internal IP of the service
1042
## This is the internal IP address of the service and is usually assigned randomly.
1043
## ref: https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/#ServiceSpec
1044
##
1045
clusterIP: ""
1046
## @param metrics.service.annotations [object] Annotations for Prometheus metrics service
1047
##
1048
annotations:
1049
prometheus.io/scrape: "true"
1050
prometheus.io/port: "{{ coalesce .Values.metrics.service.ports.http .Values.metrics.service.port }}"
1051
prometheus.io/path: "/metrics"
1052
## @param metrics.service.ports.http Prometheus metrics service HTTP port
1053
##
1054
ports:
1055
http: 9119
1056
## Kong ServiceMonitor configuration
1057
##
1058
serviceMonitor:
1059
## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator
1060
##
1061
enabled: false
1062
## @param metrics.serviceMonitor.namespace Namespace which Prometheus is running in
1063
##
1064
namespace: ""
1065
## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped
1066
##
1067
interval: 30s
1068
## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended
1069
## e.g:
1070
## scrapeTimeout: 30s
1071
##
1072
scrapeTimeout: ""
1073
## @param metrics.serviceMonitor.labels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus
1074
##
1075
labels: {}
1076
## @param metrics.serviceMonitor.selector Prometheus instance selector labels
1077
##
1078
selector: {}
1079
## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping
1080
##
1081
relabelings: []
1082
## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion
1083
##
1084
metricRelabelings: []
1085
## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
1086
##
1087
honorLabels: false
1088
## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
1089
##
1090
jobLabel: ""
1091
## @param metrics.serviceMonitor.serviceAccount Service account used by Prometheus Operator
1092
##
1093
serviceAccount: ""
1094
## @param metrics.serviceMonitor.rbac.create Create the necessary RBAC resources so Prometheus Operator can reach Kong's namespace
1095
##
1096
rbac:
1097
create: true
1098
