1 # Default values for Kong's Helm Chart.
2 # Declare variables to be passed into your templates.
5 # - Deployment parameters
7 # - Ingress Controller parameters
8 # - Postgres sub-chart parameters
9 # - Miscellaneous parameters
10 # - Kong Enterprise parameters
12 # -----------------------------------------------------------------------------
13 # Deployment parameters
14 # -----------------------------------------------------------------------------
18 # Enable or disable Kong itself
19 # Setting this to false with ingressController.enabled=true will create a
20 # controller-only release.
22 ## Minimum number of seconds for which a newly created pod should be ready without any of its containers crashing,
23 ## for it to be considered available.
25 ## Specify the service account to create and to be assigned to the deployment / daemonset and for the migrations
28 # Automount the service account token. By default, this is disabled, and the token is only mounted on the controller
29 # container. Some sidecars require enabling this. Note that enabling this exposes Kubernetes credentials to Kong
30 # Lua code, increasing potential attack surface.
31 automountServiceAccountToken: false
32 ## Optionally specify the name of the service account to create and the annotations to add.
36 ## Optionally specify any extra sidecar containers to be included in the deployment
37 ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#container-v1-core
40 # image: sidecar:latest
43 # image: initcon:latest
50 ## Define any volumes and mounts you want present in the Kong proxy container
52 # - name: "volumeName"
54 # userDefinedVolumeMounts:
55 # - name: "volumeName"
56 # mountPath: "/opt/user/dir/mount"
58 # Enable creation of test resources for use with "helm test"
60 # Use a DaemonSet controller instead of a Deployment controller
63 # Set the Deployment's spec.template.hostname field.
64 # This propagates to Kong API endpoints that report
65 # the hostname, such as the admin API root and hybrid mode
66 # /clustering/data-planes endpoint
68 # kong_prefix empty dir size
74 # Override namespace for Kong chart resources. By default, the chart creates resources in the release namespace.
75 # This may not be desirable when using this chart as a dependency.
76 # namespace: "example"
78 # -----------------------------------------------------------------------------
80 # -----------------------------------------------------------------------------
82 # Specify Kong configuration
83 # This chart takes all entries defined under `.env` and transforms them into `KONG_*`
84 # environment variables for Kong containers.
85 # Their names here should match the names used in https://github.com/Kong/kong/blob/master/kong.conf.default
86 # See https://docs.konghq.com/latest/configuration also for additional details
87 # Values here take precedence over values from other sections of values.yaml,
88 # e.g. setting pg_user here will override the value normally set when postgresql.enabled
89 # is set below. In general, you should not set values here if they are set elsewhere.
92 # the chart uses the traditional router (for Kong 3.x+) because the ingress
93 # controller generates traditional routes. if you do not use the controller,
94 # you may set this to "traditional_compatible" or "expressions" to use the new
96 router_flavor: "traditional"
97 nginx_worker_processes: "2"
98 proxy_access_log: /dev/stdout
99 admin_access_log: /dev/stdout
100 admin_gui_access_log: /dev/stdout
101 portal_api_access_log: /dev/stdout
102 proxy_error_log: /dev/stderr
103 admin_error_log: /dev/stderr
104 admin_gui_error_log: /dev/stderr
105 portal_api_error_log: /dev/stderr
106 prefix: /kong_prefix/
108 # This section is for any customer-specific environment variables that do not require the KONG_ prefix.
109 # These custom environment variables are typically used in custom plugins or serverless plugins to
110 # access environment specific credentials or tokens.
111 # Example as below, uncomment if required and add additional attributes as required.
112 # Note that these environment variables will only apply to the proxy and init container. The ingress-controller
113 # container has its own customEnv section.
121 # client_name: testClient
123 # Load all ConfigMap or Secret keys as environment variables:
124 # https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables
127 # This section can be used to configure some extra labels that will be added to each Kubernetes object generated.
130 # Specify Kong's Docker image and repository details here
135 # repository: kong/kong-gateway
138 # Specify a semver version if your image tag is not one (e.g. "nightly")
140 pullPolicy: IfNotPresent
141 ## Optionally specify an array of imagePullSecrets.
142 ## Secrets must be manually created in the namespace.
143 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
146 # - myRegistrKeySecretName
148 # Specify Kong admin API service and listener configuration
150 # Enable creating a Kubernetes service for the admin API
151 # Disabling this is recommended for most ingress controller configurations
152 # Enterprise users that wish to use Kong Manager with the controller should enable this
156 # To specify annotations or labels for the admin service, add them to the respective
157 # "annotations" or "labels" dictionaries below.
159 # service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
163 # Enable plaintext HTTP listen for the admin API
164 # Disabling this and using a TLS listen only is recommended for most configurations
168 # Set a nodePort which is available if service type is NodePort
170 # Additional listen parameters, e.g. "reuseport", "backlog=16384"
174 # Enable HTTPS listen for the admin API
178 # Set a target port for the TLS port in the admin API service, useful when using TLS
179 # termination on an ELB.
180 # overrideServiceTargetPort: 8000
181 # Set a nodePort which is available if service type is NodePort
183 # Additional listen parameters, e.g. "reuseport", "backlog=16384"
187 # Specify the CA certificate to use for TLS verification of the Admin API client by:
188 # - secretName - the secret must contain a key named "tls.crt" with the PEM-encoded certificate.
189 # - caBundle (PEM-encoded certificate string).
190 # If both are set, caBundle takes precedence.
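195 # Kong admin ingress settings. Useful if you want to expose the Admin
196 # API of Kong outside the k8s cluster. The Admin API can change all of Kong's configuration, so restrict who can reach it before enabling this.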
198 # Enable/disable exposure using ingress.
202 # tls: kong-admin.example.com-tls
205 # Map of ingress annotations.
209 # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
210 pathType: ImplementationSpecific
212 # Specify Kong status listener configuration
213 # This listen is internal-only. It cannot be exposed through a service or ingress.
217 # Enable plaintext HTTP listen for the status listen
223 # Enable HTTPS listen for the status listen
224 # Kong versions prior to 2.1 do not support TLS status listens.
225 # This setting must remain false on those versions
230 # Name the kong hybrid cluster CA certificate secret
231 clusterCaSecretName: ""
233 # Specify Kong cluster service and listener configuration
235 # The cluster service *must* use TLS. It does not support the "http" block
236 # available on other services.
238 # The cluster service cannot be exposed through an Ingress, as it must perform
239 # TLS client validation directly and is not compatible with TLS-terminating
240 # proxies. If you need to expose it externally, you must use "type:
241 # LoadBalancer" and use a TCP-only load balancer (check your Kubernetes
242 # provider's documentation, as the configuration required for this varies).
245 # To specify annotations or labels for the cluster service, add them to the respective
246 # "annotations" or "labels" dictionaries below.
248 # service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
260 # Kong cluster ingress settings. Useful if you want to split CP and DP
261 # in different clusters.
263 # Enable/disable exposure using ingress.
267 # tls: kong-cluster.example.com-tls
270 # Map of ingress annotations.
274 # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
275 pathType: ImplementationSpecific
277 # Specify Kong proxy service configuration
279 # Enable creating a Kubernetes service for the proxy
283 # Override proxy Service name
285 # To specify annotations or labels for the proxy service, add them to the respective
286 # "annotations" or "labels" dictionaries below.
288 # If terminating TLS at the ELB, the following annotations can be used
289 # "service.beta.kubernetes.io/aws-load-balancer-backend-protocol": "*",
290 # "service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled": "true",
291 # "service.beta.kubernetes.io/aws-load-balancer-ssl-cert": "arn:aws:acm:REGION:ACCOUNT:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX",
292 # "service.beta.kubernetes.io/aws-load-balancer-ssl-ports": "kong-proxy-tls",
293 # "service.beta.kubernetes.io/aws-load-balancer-type": "elb"
295 enable-metrics: "true"
298 # Enable plaintext HTTP listen for the proxy
302 # Set a nodePort which is available if service type is NodePort
304 # Additional listen parameters, e.g. "reuseport", "backlog=16384"
308 # Enable HTTPS listen for the proxy
312 # Set a target port for the TLS port in proxy service
313 # overrideServiceTargetPort: 8000
314 # Set a nodePort which is available if service type is NodePort
316 # Additional listen parameters, e.g. "reuseport", "backlog=16384"
320 # Specify the Service's TLS port's appProtocol. This can be useful when integrating with
321 # external load balancers that require the `appProtocol` field to be set (e.g. GCP).
324 # Define stream (TCP) listen
325 # To enable, remove "[]", uncomment the section below, and select your desired
326 # ports and parameters. Listens are dynamically named after their containerPort,
327 # e.g. "stream-9000" for the below.
328 # Note: although you can select the protocol here, you cannot set UDP if you
329 # use a LoadBalancer Service due to limitations in current Kubernetes versions.
330 # To proxy both TCP and UDP with LoadBalancers, you must enable the udpProxy Service
331 # in the next section and place all UDP stream listen configuration under it.
333 # # Set the container (internal) and service (external) ports for this listen.
334 # # These values should normally be the same. If your environment requires they
335 # # differ, note that Kong will match routes based on the containerPort only.
336 # - containerPort: 9000
339 # # Optionally set a static nodePort if the service type is NodePort
341 # # Additional listen parameters, e.g. "ssl", "reuseport", "backlog=16384"
342 # # "ssl" is required for SNI-based routes. It is not supported on versions <2.0
345 # Kong proxy ingress settings.
346 # Note: You need this only if you are using another Ingress Controller
347 # to expose Kong outside the k8s cluster.
349 # Enable/disable exposure using ingress.
352 # To specify annotations or labels for the ingress, add them to the respective
353 # "annotations" or "labels" dictionaries below.
358 # Ingress path (when used with hostname above).
360 # Each path in an Ingress is required to have a corresponding path type (when used with hostname above). (ImplementationSpecific/Exact/Prefix)
361 pathType: ImplementationSpecific
362 # Ingress hosts. Use this instead of or in combination with hostname to specify multiple ingress host configurations
364 # - host: kong-proxy.example.com
368 # # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
369 # pathType: ImplementationSpecific
370 # - host: kong-proxy-other.example.com
374 # # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
375 # pathType: ImplementationSpecific
378 # name: kong-other-proxy
383 # tls: kong-proxy.example.com-tls
384 # Or if multiple hosts/secrets need to be configured:
386 # - secretName: kong-proxy.example.com-tls
388 # - kong-proxy.example.com
389 # - secretName: kong-proxy-other.example.com-tls
391 # - kong-proxy-other.example.com
393 # Optionally specify a static load balancer IP.
396 # Specify Kong UDP proxy service configuration
397 # Currently, LoadBalancer type Services are generally limited to a single transport protocol
398 # Multi-protocol Services are an alpha feature as of Kubernetes 1.20:
399 # https://kubernetes.io/docs/concepts/services-networking/service/#load-balancers-with-mixed-protocol-types
400 # You should enable this Service if you proxy UDP traffic, and configure UDP stream listens under it
402 # Enable creating a Kubernetes service for UDP proxying
406 # To specify annotations or labels for the proxy service, add them to the respective
407 # "annotations" or "labels" dictionaries below.
409 # service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
411 # Optionally specify a static load balancer IP.
414 # Define stream (UDP) listen
415 # To enable, remove "[]", uncomment the section below, and select your desired
416 # ports and parameters. Listens are dynamically named after their servicePort,
417 # e.g. "stream-9000" for the below.
419 # # Set the container (internal) and service (external) ports for this listen.
420 # # These values should normally be the same. If your environment requires they
421 # # differ, note that Kong will match routes based on the containerPort only.
422 # - containerPort: 9000
425 # # Optionally set a static nodePort if the service type is NodePort
427 # # Additional listen parameters, e.g. "ssl", "reuseport", "backlog=16384"
428 # # "ssl" is required for SNI-based routes. It is not supported on versions <2.0
431 # Custom Kong plugins can be loaded into Kong by mounting the plugin code
432 # into the file-system of Kong container.
433 # The plugin code should be present in ConfigMap or Secret inside the same
434 # namespace as Kong is being installed.
435 # The `name` property refers to the name of the ConfigMap or Secret
436 # itself, while the pluginName refers to the name of the plugin as it appears
438 # Subdirectories (which are optional) require separate ConfigMaps/Secrets.
439 # "path" indicates their directory under the main plugin directory: the example
440 # below will mount the contents of kong-plugin-rewriter-migrations at "/opt/kong/rewriter/migrations".
443 # - pluginName: rewriter
444 # name: kong-plugin-rewriter
446 # - name: kong-plugin-rewriter-migrations
449 # - pluginName: rewriter
450 # name: kong-plugin-rewriter
451 # Inject specified secrets as a volume in Kong Container at path /etc/secrets/{secret-name}/
452 # This can be used to override default SSL certificates.
453 # Be aware that the secret name will be used verbatim, and that certain types
454 # of punctuation (e.g. `.`) can cause issues.
455 # Example configuration
461 # Enable/disable migration jobs, and set annotations for them
463 # Enable pre-upgrade migrations (run "kong migrations up")
465 # Enable post-upgrade migrations (run "kong migrations finish")
467 # Annotations to apply to migrations job pods
468 # By default, these disable service mesh sidecar injection for Istio and Kuma,
469 # as the sidecar containers do not terminate and prevent the jobs from completing
471 sidecar.istio.io/inject: false  # NOTE(review): unquoted, so YAML reads a boolean; Kubernetes annotation values must be strings — confirm the template quotes it
472 # Additional annotations to apply to migration jobs
473 # This is helpful in certain non-Helm installation situations such as GitOps
474 # where additional control is required around this job creation.
476 # Optionally set a backoffLimit. If none is set, Jobs will use the cluster default
479 # Example reasonable setting for "resources":
487 ## Optionally specify any extra sidecar containers to be included in the deployment
488 ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#container-v1-core
489 ## Keep in mind these containers should be terminated along with the main
490 ## migration containers
493 # image: sidecar:latest
495 # Kong's configuration for DB-less mode
496 # Note: Use this section only if you are deploying Kong in DB-less mode
497 # and not as an Ingress Controller.
499 # Either Kong's configuration is managed from an existing ConfigMap (with Key: kong.yml)
501 # Or Kong's configuration is managed from an existing Secret (with Key: kong.yml)
503 # Or the configuration is passed in full-text below
505 # # _format_version: "1.1"
507 # # # Example configuration
508 # # # - name: example.com
509 # # # url: http://example.com
511 # # # - name: example
514 ## Optionally specify any extra sidecar containers to be included in the
516 ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#container-v1-core
519 # image: sidecar:latest
521 # -----------------------------------------------------------------------------
522 # Ingress Controller parameters
523 # -----------------------------------------------------------------------------
525 # Kong Ingress Controller's primary purpose is to satisfy Ingress resources
526 # created in k8s. It uses CRDs for more fine grained control over routing and
527 # for Kong specific configuration.
531 repository: kong/kubernetes-ingress-controller
533 # Optionally set a semantic version for version-gated features. This can normally
534 # be left unset. You only need to set this if your tag is not a semver string,
535 # such as when you are using a "next" tag. Set this to the effective semantic
536 # version of your tag: for example if using a "next" image for an unreleased 3.1.0
537 # version, set this to "3.1.0".
543 generateAdminApiService: false
548 # Specify individual namespaces to watch for ingress configuration. By default,
549 # when no namespaces are set, the controller watches all namespaces and uses a
550 # ClusterRole to grant access to Kubernetes resources. When you list specific
551 # namespaces, the controller will watch those namespaces only and will create
552 # namespaced-scoped Roles for each of them. The controller will still use a
553 # ClusterRole for cluster-scoped resources.
554 # Requires controller 2.0.0 or newer.
557 # Specify Kong Ingress Controller configuration via environment variables
559 # The controller disables TLS verification by default because Kong
560 # generates self-signed certificates by default. Set this to false once you
561 # have installed CA-signed certificates.
562 kong_admin_tls_skip_verify: true  # NOTE(review): while true, the controller accepts any certificate from the Admin API endpoint, so that endpoint is not authenticated; keep only where the connection stays on a trusted path
563 # If using Kong Enterprise with RBAC enabled, uncomment the section below
564 # and specify the secret/key containing your admin token.
568 # name: CHANGEME-admin-token-secret
569 # key: CHANGEME-admin-token-key
571 # This section is for any customer-specific environment variables that do not require the CONTROLLER_ prefix.
572 # Example as below, uncomment if required and add additional attributes as required.
574 # TZ: "Europe/Berlin"
576 # Load all ConfigMap or Secret keys as environment variables:
577 # https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables
582 failurePolicy: Ignore  # NOTE(review): presumably the admission webhook's failurePolicy; with Ignore, Kubernetes admits the request when the webhook cannot be reached, so validation is best-effort — confirm this is intended
586 namespaceSelector: {}  # empty selector; presumably matches every namespace — confirm against the webhook template
587 # Specify the secretName when the certificate is provided via a TLS secret
589 # Specify the CA bundle of the provided certificate.
590 # This is a PEM encoded CA bundle which will be used to validate the webhook certificate. If unspecified, system trust roots on the apiserver are used.
592 # | Add the CA bundle content here.
594 # Specify custom labels for the validation webhook service.
596 # Tune the default Kubernetes timeoutSeconds of 10 seconds
600 # annotations for IngressClass resource (Kubernetes 1.18+)
601 ingressClassAnnotations: {}
603 ## Define any volumes and mounts you want present in the ingress controller container
604 ## Volumes are defined above in deployment.userDefinedVolumes
605 # userDefinedVolumeMounts:
606 # - name: "volumeName"
607 # mountPath: "/opt/user/dir/mount"
610 # Specifies whether RBAC resources should be created
619 initialDelaySeconds: 5
629 initialDelaySeconds: 5
635 # Example reasonable setting for "resources":
647 # Specifies a Konnect Runtime Group's ID that the controller will push its data-plane config to.
650 # Specifies a Konnect API hostname that the controller will use to push its data-plane config to.
651 # By default, this is set to US region's production API hostname.
652 # If you are using a different region, you can set this to the appropriate hostname (e.g. "eu.kic.api.konghq.com").
653 apiHostname: "us.kic.api.konghq.com"
655 # Specifies a secret that contains a client TLS certificate that the controller
656 # will use to authenticate against Konnect APIs.
657 tlsClientCertSecretName: "konnect-client-tls"
660 # Specifies whether the controller should fetch a license from Konnect and apply it to managed Gateways.
666 # Enable TLS client authentication for the Admin API.
669 # If set to false, Helm will generate certificates for you.
670 # If set to true, you are expected to provide your own secret (see secretName, caSecretName).
673 # Client TLS certificate/key pair secret name that Ingress Controller will use to authenticate with Kong Admin API.
674 # If certProvided is set to false, it is optional (can be specified though if you want to force Helm to use
675 # a specific secret name).
678 # CA TLS certificate/key pair secret name that the client TLS certificate is signed by.
679 # If certProvided is set to false, it is optional (can be specified though if you want to force Helm to use
680 # a specific secret name).
684 # -----------------------------------------------------------------------------
685 # Postgres sub-chart parameters
686 # -----------------------------------------------------------------------------
688 # Kong can run without a database or use either Postgres or Cassandra
689 # as a backend datastore for its configuration.
690 # By default, this chart installs Kong without a database.
692 # If you would like to use a database, there are two options:
693 # - (recommended) Deploy and maintain a database and pass the connection
694 # details to Kong via the `env` section.
695 # - You can use the below `postgresql` sub-chart to deploy a database
696 # along with Kong as part of a single Helm release. Running a database
697 # independently is recommended for production, but the built-in Postgres is
698 # useful for quickly creating test instances.
700 # PostgreSQL chart documentation:
701 # https://github.com/bitnami/charts/blob/master/bitnami/postgresql/README.md
703 # WARNING: by default, the Postgres chart generates a random password each
704 # time it upgrades, which breaks access to existing volumes. You should set a
705 # password explicitly:
706 # https://github.com/Kong/charts/blob/main/charts/kong/FAQs.md#kong-fails-to-start-after-helm-upgrade-when-postgres-is-used-what-do-i-do
714 # use postgres < 14 until https://github.com/Kong/kong/issues/8533 is resolved and released
715 # enterprise (kong-gateway) supports postgres 14
716 tag: 13.11.0-debian-11-r20  # NOTE(review): a tag, not a digest; the image content behind it can change — pin by digest where a reproducible image matters
721 # -----------------------------------------------------------------------------
722 # Configure cert-manager integration
723 # -----------------------------------------------------------------------------
728 # Set either `issuer` or `clusterIssuer` to the name of the desired cert manager issuer
729 # If left blank a built in self-signed issuer will be created and utilized
733 # Set proxy.enabled to true to issue default kong-proxy certificate with cert-manager
736 # Set `issuer` or `clusterIssuer` to name of alternate cert-manager clusterIssuer to override default
737 # self-signed issuer.
740 # Use commonName and dnsNames to set the common name and dns alt names which this
741 # certificate is valid for. Wildcard records are supported by the included self-signed issuer.
742 commonName: "app.example"
743 # Remove the "[]" and uncomment/change the examples to add SANs
749 # Set admin.enabled true to issue kong admin api and manager certificate with cert-manager
752 # Set `issuer` or `clusterIssuer` to name of alternate cert-manager clusterIssuer to override default
753 # self-signed issuer.
756 # Use commonName and dnsNames to set the common name and dns alt names which this
757 # certificate is valid for. Wildcard records are supported by the included self-signed issuer.
758 commonName: "kong.example"
759 # Remove the "[]" and uncomment/change the examples to add SANs
761 # - "manager.kong.example"
763 # Set portal.enabled to true to issue a developer portal certificate with cert-manager
766 # Set `issuer` or `clusterIssuer` to name of alternate cert-manager clusterIssuer to override default
767 # self-signed issuer.
770 # Use commonName and dnsNames to set the common name and dns alt names which this
771 # certificate is valid for. Wildcard records are supported by the included self-signed issuer.
772 commonName: "developer.example"
773 # Remove the "{}" and uncomment/change the examples to add SANs
775 # - "manager.kong.example"
777 # Set cluster.enabled true to issue kong hybrid mtls certificate with cert-manager
780 # Issuers used by the control and data plane releases must match for this certificate.
783 commonName: "kong_clustering"
786 # -----------------------------------------------------------------------------
787 # Miscellaneous parameters
788 # -----------------------------------------------------------------------------
791 # Wait for the database to come online before starting Kong or running migrations
792 # If Kong is to access the database through a service mesh that injects a sidecar to
793 # Kong's container, this must be disabled. Otherwise there'll be a deadlock:
794 # InitContainer waiting for DB access that requires the sidecar, and the sidecar
795 # waiting for InitContainers to finish.
797 # Optionally specify an image that provides bash for pre-migration database
798 # checks. If none is specified, the chart uses the Kong image. The official
799 # Kong images provide bash
802 pullPolicy: IfNotPresent
806 # type: RollingUpdate
809 # maxUnavailable: "0%"
811 # If you want to specify resources, uncomment the following
812 # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
821 # readinessProbe for Kong pods
824 path: "/status/ready"
827 initialDelaySeconds: 5
833 # livenessProbe for Kong pods
839 initialDelaySeconds: 5
845 # startupProbe for Kong pods
851 # initialDelaySeconds: 5
854 # successThreshold: 1
855 # failureThreshold: 40
857 # Proxy container lifecycle hooks
858 # Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
862 # kong quit has a default timeout of 10 seconds, and a default wait of 0 seconds.
863 # Note: together they should be less than the terminationGracePeriodSeconds setting below.
869 # Sets the termination grace period for pods spawned by the Kubernetes Deployment.
870 # Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution
871 terminationGracePeriodSeconds: 30
873 # Affinity for pod assignment
874 # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
877 # Topology spread constraints for pod assignment (requires Kubernetes >= 1.19)
878 # Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
879 # topologySpreadConstraints: []
881 # Tolerations for pod assignment
882 # Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
885 # Node labels for pod assignment
886 # Ref: https://kubernetes.io/docs/user-guide/node-selection/
889 # Annotation to be added to Kong pods
891 kuma.io/gateway: enabled
892 traffic.sidecar.istio.io/includeInboundPorts: ""
894 # Labels to be added to Kong pods
898 # It has no effect when autoscaling.enabled is set to true
901 # Annotations to be added to Kong deployment
902 deploymentAnnotations: {}
904 # Enable autoscaling using HorizontalPodAutoscaler
905 # When configuring an HPA, you must set resource requests on all containers via
906 # "resources" and, if using the controller, "ingressController.resources" in values.yaml
912 ## targetCPUUtilizationPercentage only used if the cluster doesn't support autoscaling/v2 or autoscaling/v2beta
913 targetCPUUtilizationPercentage:
914 ## Otherwise for clusters that do support autoscaling/v2 or autoscaling/v2beta, use metrics
921 averageUtilization: 80
923 # Kong Pod Disruption Budget
926 # Uncomment only one of the following when enabled is set to true
927 # maxUnavailable: "50%"
928 # minAvailable: "50%"
951 allowPrivilegeEscalation: false
955 # Make the root filesystem read-only. This is not compatible with Kong Enterprise <1.5.
956 # If you use Kong Enterprise <1.5, this must be set to false.
957 readOnlyRootFilesystem: true
960 priorityClassName: ""
962 # securityContext for Kong pods.
965 # securityContext for containers.
966 containerSecurityContext:
967 readOnlyRootFilesystem: true  # container cannot write to its root filesystem; writable paths must come from mounted volumes
968 allowPrivilegeEscalation: false  # a process cannot gain more privileges than its parent (e.g. via setuid binaries)
977 ## Optional DNS configuration for Kong pods
978 # dnsPolicy: ClusterFirst
986 # - default.svc.cluster.local
987 # - svc.cluster.local
989 # - us-east-1.compute.internal
992 # Specifies whether ServiceMonitor for Prometheus operator should be created
993 # If you wish to gather metrics from a Kong instance with the proxy disabled (such as a hybrid control plane), see:
994 # https://github.com/Kong/charts/blob/main/charts/kong/README.md#prometheus-operator-integration
997 # Specifies namespace, where ServiceMonitor should be installed
998 # namespace: monitoring
1004 # honorLabels: false
1005 # metricRelabelings: []
1007 # -----------------------------------------------------------------------------
1008 # Kong Enterprise parameters
1009 # -----------------------------------------------------------------------------
1011 # Toggle Kong Enterprise features on or off
1012 # RBAC and SMTP configuration have additional options that must all be set together
1013 # Other settings should be added to the "env" settings below
1016 # Kong Enterprise license secret name
1017 # This secret must contain a single 'license' key, containing your base64-encoded license data
1018 # The license secret is required to unlock all Enterprise features. If you omit it,
1019 # Kong will run in free mode, with some Enterprise features disabled.
1020 # license_secret: kong-enterprise-license
1027 admin_gui_auth: basic-auth
1028 # If RBAC is enabled, this Secret must contain an admin_gui_session_conf key
1029 # The key value must be a secret configuration, following the example at
1030 # https://docs.konghq.com/enterprise/latest/kong-manager/authentication/sessions
1031 session_conf_secret: kong-session-config
1032 # If admin_gui_auth is not set to basic-auth, provide a secret name which
1033 # has an admin_gui_auth_conf key containing the plugin config JSON
1034 admin_gui_auth_conf_secret: CHANGEME-admin-gui-auth-conf-secret
1035 # For configuring emails and SMTP, please read through:
1036 # https://docs.konghq.com/enterprise/latest/developer-portal/configuration/smtp
1037 # https://docs.konghq.com/enterprise/latest/kong-manager/networking/email
1040 portal_emails_from: none@example.com
1041 portal_emails_reply_to: none@example.com
1042 admin_emails_from: none@example.com
1043 admin_emails_reply_to: none@example.com
1044 smtp_admin_emails: none@example.com
1045 smtp_host: smtp.example.com
1051 # If your SMTP server does not require authentication, this section can
1052 # be left as-is. If smtp_username is set to anything other than an empty
1053 # string, you must create a Secret with an smtp_password key containing
1054 # your SMTP password and specify its name here.
1055 smtp_username: '' # e.g. postmaster@example.com
1056 smtp_password_secret: CHANGEME-smtp-password
1059 # Enable creating a Kubernetes service for Kong Manager
1063 # To specify annotations or labels for the Manager service, add them to the respective
1064 # "annotations" or "labels" dictionaries below.
1066 # service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
1070 # Enable plaintext HTTP listen for Kong Manager. Traffic on this listener is unencrypted; prefer the HTTPS listener on untrusted networks.
1074 # Set a nodePort which is available if service type is NodePort
1076 # Additional listen parameters, e.g. "reuseport", "backlog=16384"
1080 # Enable HTTPS listen for Kong Manager
1084 # Set a nodePort which is available if service type is NodePort
1086 # Additional listen parameters, e.g. "reuseport", "backlog=16384"
1091 # Enable/disable exposure using ingress.
1095 # tls: kong-manager.example.com-tls
1098 # Map of ingress annotations.
1102 # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
1103 pathType: ImplementationSpecific
1106 # Enable creating a Kubernetes service for the Developer Portal
1110 # To specify annotations or labels for the Portal service, add them to the respective
1111 # "annotations" or "labels" dictionaries below.
1113 # service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
1117 # Enable plaintext HTTP listen for the Developer Portal
1121 # Set a nodePort which is available if service type is NodePort
1123 # Additional listen parameters, e.g. "reuseport", "backlog=16384"
1127 # Enable HTTPS listen for the Developer Portal
1131 # Set a nodePort which is available if service type is NodePort
1133 # Additional listen parameters, e.g. "reuseport", "backlog=16384"
1138 # Enable/disable exposure using ingress.
1142 # tls: kong-portal.example.com-tls
1145 # Map of ingress annotations.
1149 # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
1150 pathType: ImplementationSpecific
1153 # Enable creating a Kubernetes service for the Developer Portal API
1157 # To specify annotations or labels for the Portal API service, add them to the respective
1158 # "annotations" or "labels" dictionaries below.
1160 # service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
1164 # Enable plaintext HTTP listen for the Developer Portal API
1168 # Set a nodePort which is available if service type is NodePort
1170 # Additional listen parameters, e.g. "reuseport", "backlog=16384"
1174 # Enable HTTPS listen for the Developer Portal API
1178 # Set a nodePort which is available if service type is NodePort
1180 # Additional listen parameters, e.g. "reuseport", "backlog=16384"
1185 # Enable/disable exposure using ingress.
1189 # tls: kong-portalapi.example.com-tls
1192 # Map of ingress annotations.
1196 # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
1197 pathType: ImplementationSpecific
1201 # To specify annotations or labels for the cluster telemetry service, add them to the respective
1202 # "annotations" or "labels" dictionaries below.
1204 # service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
1216 # Kong clustertelemetry ingress settings. Useful if you want to split
1217 # CP and DP in different clusters.
1219 # Enable/disable exposure using ingress.
1223 # tls: kong-clustertelemetry.example.com-tls
1226 # Map of ingress annotations.
1230 # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
1231 pathType: ImplementationSpecific
1235 # - name: my-config-map
1236 # mountPath: /mount/to/my/location
1237 # subPath: my-subpath # Optional, if you wish to mount a single key and not the entire ConfigMap
1242 # mountPath: /mount/to/my/location
1243 # subPath: my-subpath # Optional, if you wish to mount a single key and not the entire ConfigMap
1247 # - apiVersion: configuration.konghq.com/v1
1248 # kind: KongClusterPlugin
1252 # per_consumer: false
1253 # plugin: prometheus