+| customEnv | Custom Environment variables without `KONG_` prefix | |
+| envFrom | Populate environment variables from ConfigMap or Secret keys | |
+| migrations.preUpgrade | Run "kong migrations up" jobs | `true` |
+| migrations.postUpgrade | Run "kong migrations finish" jobs | `true` |
+| migrations.annotations | Annotations for migration job pods | `{"sidecar.istio.io/inject": "false" |
+| migrations.jobAnnotations | Additional annotations for migration jobs | `{}` |
+| migrations.backoffLimit | Override the system backoffLimit | `{}` |
+| waitImage.enabled | Spawn init containers that wait for the database before starting Kong | `true` |
+| waitImage.repository | Image used to wait for database to become ready. Uses the Kong image if none set | |
+| waitImage.tag | Tag for image used to wait for database to become ready | |
+| waitImage.pullPolicy | Wait image pull policy | `IfNotPresent` |
+| postgresql.enabled | Spin up a new postgres instance for Kong | `false` |
+| dblessConfig.configMap | Name of an existing ConfigMap containing the `kong.yml` file. This must have the key `kong.yml`.| `` |
+| dblessConfig.config | Yaml configuration file for the dbless (declarative) configuration of Kong | see in `values.yaml` |
+
+#### Kong Service Parameters
+
+The various `SVC.*` parameters below are common to the various Kong services
+(the admin API, proxy, Kong Manager, the Developer Portal, and the Developer
+Portal API) and define their listener configuration, K8S Service properties,
+and K8S Ingress properties. Defaults are listed only if consistent across the
+individual services: see values.yaml for their individual default values.
+
+`SVC` below can be substituted with each of:
+* `proxy`
+* `udpProxy`
+* `admin`
+* `manager`
+* `portal`
+* `portalapi`
+* `cluster`
+* `clustertelemetry`
+* `status`
+
+`status` is intended for internal use within the cluster. Unlike other
+services it cannot be exposed externally, and cannot create a Kubernetes
+service or ingress. It supports the settings under `SVC.http` and `SVC.tls`
+only.
+
+`cluster` is used on hybrid mode control plane nodes. It does not support the
+`SVC.http.*` settings (cluster communications must be TLS-only) or the
+`SVC.ingress.*` settings (cluster communication requires TLS client
+authentication, which cannot pass through an ingress proxy). `clustertelemetry`
+is similar, and used when Vitals is enabled on Kong Enterprise control plane
+nodes.
+
+`udpProxy` is used for UDP stream listens (Kubernetes does not yet support
+mixed TCP/UDP LoadBalancer Services). It _does not_ support the `http`, `tls`,
+or `ingress` sections, as it is used only for stream listens.
+
+| Parameter | Description | Default |
+|-----------------------------------|-------------------------------------------------------------------------------------------|--------------------------|
+| SVC.enabled | Create Service resource for SVC (admin, proxy, manager, etc.) | |
+| SVC.http.enabled | Enables http on the service | |
+| SVC.http.servicePort | Service port to use for http | |
+| SVC.http.containerPort | Container port to use for http | |
+| SVC.http.nodePort | Node port to use for http | |
+| SVC.http.hostPort | Host port to use for http | |
+| SVC.http.parameters | Array of additional listen parameters | `[]` |
+| SVC.http.appProtocol | `appProtocol` to be set in a Service's port. If left empty, no `appProtocol` will be set. | |
+| SVC.tls.enabled | Enables TLS on the service | |
+| SVC.tls.containerPort | Container port to use for TLS | |
+| SVC.tls.servicePort | Service port to use for TLS | |
+| SVC.tls.nodePort | Node port to use for TLS | |
+| SVC.tls.hostPort | Host port to use for TLS | |
+| SVC.tls.overrideServiceTargetPort | Override service port to use for TLS without touching Kong containerPort | |
+| SVC.tls.parameters | Array of additional listen parameters | `["http2"]` |
+| SVC.tls.appProtocol | `appProtocol` to be set in a Service's port. If left empty, no `appProtocol` will be set. | |
+| SVC.type | k8s service type. Options: NodePort, ClusterIP, LoadBalancer | |
+| SVC.clusterIP | k8s service clusterIP | |
+| SVC.loadBalancerClass | loadBalancerClass to use for LoadBalancer provisionning | |
+| SVC.loadBalancerSourceRanges | Limit service access to CIDRs if set and service type is `LoadBalancer` | `[]` |
+| SVC.loadBalancerIP | Reuse an existing ingress static IP for the service | |
+| SVC.externalIPs | IPs for which nodes in the cluster will also accept traffic for the servic | `[]` |
+| SVC.externalTrafficPolicy | k8s service's externalTrafficPolicy. Options: Cluster, Local | |
+| SVC.ingress.enabled | Enable ingress resource creation (works with SVC.type=ClusterIP) | `false` |
+| SVC.ingress.ingressClassName | Set the ingressClassName to associate this Ingress with an IngressClass | |
+| SVC.ingress.hostname | Ingress hostname | `""` |
+| SVC.ingress.path | Ingress path. | `/` |
+| SVC.ingress.pathType | Ingress pathType. One of `ImplementationSpecific`, `Exact` or `Prefix` | `ImplementationSpecific` |
+| SVC.ingress.hosts | Slice of hosts configurations, including `hostname`, `path` and `pathType` keys | `[]` |
+| SVC.ingress.tls | Name of secret resource or slice of `secretName` and `hosts` keys | |
+| SVC.ingress.annotations | Ingress annotations. See documentation for your ingress controller for details | `{}` |
+| SVC.ingress.labels | Ingress labels. Additional custom labels to add to the ingress. | `{}` |
+| SVC.annotations | Service annotations | `{}` |
+| SVC.labels | Service labels | `{}` |
+
+#### Admin Service mTLS
+
+On top of the common parameters listed above, the `admin` service supports parameters for mTLS client verification.
+If any of `admin.tls.client.caBundle` or `admin.tls.client.secretName` are set, the admin service will be configured to
+require mTLS client verification. If both are set, `admin.tls.client.caBundle` will take precedence.
+
+| Parameter | Description | Default |
+|-----------------------------|---------------------------------------------------------------------------------------------|---------|
+| admin.tls.client.caBundle | CA certificate to use for TLS verification of the Admin API client (PEM-encoded). | `""` |
+| admin.tls.client.secretName | CA certificate secret name - must contain a `tls.crt` key with the PEM-encoded certificate. | `""` |
+
+#### Stream listens
+
+The proxy configuration additionally supports creating stream listens. These
+are configured using an array of objects under `proxy.stream` and `udpProxy.stream`:
+
+| Parameter | Description | Default |
+| ---------------------------------- | ------------------------------------------------------------------------------------- | ------------------- |
+| protocol | The listen protocol, either "TCP" or "UDP" | |
+| containerPort | Container port to use for a stream listen | |
+| servicePort | Service port to use for a stream listen | |
+| nodePort | Node port to use for a stream listen | |
+| hostPort | Host port to use for a stream listen | |
+| parameters | Array of additional listen parameters | `[]` |
+
+### Ingress Controller Parameters
+
+All of the following properties are nested under the `ingressController`
+section of `values.yaml` file:
+
+| Parameter | Description | Default |
+|--------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------|
+| enabled | Deploy the ingress controller, rbac and crd | true |
+| image.repository | Docker image with the ingress controller | kong/kubernetes-ingress-controller |
+| image.tag | Version of the ingress controller | `3.0` |
+| image.effectiveSemver | Version of the ingress controller used for version-specific features when image.tag is not a valid semantic version | |
+| readinessProbe | Kong ingress controllers readiness probe | |
+| livenessProbe | Kong ingress controllers liveness probe | |
+| installCRDs | Legacy toggle for Helm 2-style CRD management. Should not be set [unless necessary due to cluster permissions](#removing-cluster-scoped-permissions). | false |
+| env | Specify Kong Ingress Controller configuration via environment variables | |
+| customEnv | Specify custom environment variables (without the CONTROLLER_ prefix) | |
+| envFrom | Populate environment variables from ConfigMap or Secret keys | |
+| ingressClass | The name of this controller's ingressClass | kong |
+| ingressClassAnnotations | The ingress-class value for controller | kong |
+| args | List of ingress-controller cli arguments | [] |
+| watchNamespaces | List of namespaces to watch. Watches all namespaces if empty | [] |
+| admissionWebhook.enabled | Whether to enable the validating admission webhook | true |
+| admissionWebhook.failurePolicy | How unrecognized errors from the admission endpoint are handled (Ignore or Fail) | Ignore |
+| admissionWebhook.port | The port the ingress controller will listen on for admission webhooks | 8080 |
+| admissionWebhook.address | The address the ingress controller will listen on for admission webhooks, if not 0.0.0.0 | |
+| admissionWebhook.annotations | Annotations for the Validation Webhook Configuration | |
+| admissionWebhook.certificate.provided | Use a provided certificate. When set to false, the chart will automatically generate a certificate. | false |
+| admissionWebhook.certificate.secretName | Name of the TLS secret for the provided webhook certificate | |
+| admissionWebhook.certificate.caBundle | PEM encoded CA bundle which will be used to validate the provided webhook certificate | |
+| admissionWebhook.namespaceSelector | Add namespaceSelector to the webhook. Please go to [Kubernetes doc for the specs](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) | |
+| admissionWebhook.timeoutSeconds | Kubernetes `apiserver`'s timeout when running this webhook. Default: 10 seconds. | |
+| userDefinedVolumes | Create volumes. Please go to Kubernetes doc for the spec of the volumes | |
+| userDefinedVolumeMounts | Create volumeMounts. Please go to Kubernetes doc for the spec of the volumeMounts | |
+| terminationGracePeriodSeconds | Sets the [termination grace period](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution) for Deployment pod | 30 |
+| gatewayDiscovery.enabled | Enables Kong instance service discovery (for more details see [gatewayDiscovery section][gd_section]) | false |
+| gatewayDiscovery.generateAdminApiService | Generate the admin API service name based on the release name (for more details see [gatewayDiscovery section][gd_section]) | false |
+| gatewayDiscovery.adminApiService.namespace | The namespace of the Kong admin API service (for more details see [gatewayDiscovery section][gd_section]) | `.Release.Namespace` |
+| gatewayDiscovery.adminApiService.name | The name of the Kong admin API service (for more details see [gatewayDiscovery section][gd_section]) | "" |
+| konnect.enabled | Enable synchronisation of data plane configuration with Konnect Runtime Group | false |
+| konnect.runtimeGroupID | Konnect Runtime Group's unique identifier. | |
+| konnect.apiHostname | Konnect API hostname. Defaults to a production US-region. | us.kic.api.konghq.com |
+| konnect.tlsClientCertSecretName | Name of the secret that contains Konnect Runtime Group's client TLS certificate. | konnect-client-tls |
+| konnect.license.enabled | Enable automatic license provisioning for Gateways managed by Ingress Controller in Konnect mode. | false |
+| adminApi.tls.client.enabled | Enable TLS client verification for the Admin API. By default, Helm will generate certificates automatically. | false |
+| adminApi.tls.client.certProvided | Use user-provided certificates. If set to false, Helm will generate certificates. | false |
+| adminApi.tls.client.secretName | Client TLS certificate/key pair secret name. Can be also set when `certProvided` is false to enforce a generated secret's name. | "" |
+| adminApi.tls.client.caSecretName | CA TLS certificate/key pair secret name. Can be also set when `certProvided` is false to enforce a generated secret's name. | "" |
+
+[gd_section]: #the-gatewayDiscovery-section
+
+#### The `env` section
+For a complete list of all configuration values you can set in the
+`env` section, please read the Kong Ingress Controller's
+[configuration document](https://docs.konghq.com/kubernetes-ingress-controller/latest/reference/cli-arguments/).
+
+#### The `customEnv` section
+
+The `customEnv` section can be used to configure all environment variables other than Ingress Controller configuration.
+Any key value put under this section translates to environment variables.
+Every key is upper-cased before setting the environment variable.
+
+An example:
+
+```yaml
+kong:
+ ingressController:
+ customEnv:
+ TZ: "Europe/Berlin"
+```
+
+#### The `gatewayDiscovery` section
+
+Kong Ingress Controller v2.9 has introduced gateway discovery which allows
+the controller to discover Gateway instances that it should configure using
+an Admin API Kubernetes service.
+
+Using this feature requires a split release installation of Gateways and Ingress Controller.
+For exemplar `values.yaml` files which use this feature please see: [examples README.md](./example-values/README.md).
+or use the [`ingress` chart](../ingress/README.md) which can handle this for you.
+
+##### Configuration
+
+You'll be able to configure this feature through configuration section under
+`ingressController.gatewayDiscovery`:
+
+- If `ingressController.gatewayDiscovery.enabled` is set to `false`: the ingress controller
+ will control a pre-determined set of Gateway instances based on Admin API URLs
+ (provided under the hood via `CONTROLLER_KONG_ADMIN_URL` environment variable).
+
+- If `ingressController.gatewayDiscovery.enabled` is set to `true`: the ingress controller
+ will dynamically locate Gateway instances by watching the specified Kubernetes
+ service.
+ (provided under the hood via `CONTROLLER_KONG_ADMIN_SVC` environment variable).
+
+ The following admin API Service flags have to be present in order for gateway
+ discovery to work:
+
+ - `ingressController.gatewayDiscovery.adminApiService.name`
+ - `ingressController.gatewayDiscovery.adminApiService.namespace`
+
+ If you set `ingressController.gatewayDiscovery.generateAdminApiService` to `true`,
+ the chart will generate values for `name` and `namespace` based on the current release name and
+ namespace. This is useful when consuming the `kong` chart as a subchart.
+
+Additionally, you can control the addresses that are generated for your Gateways
+via the `--gateway-discovery-dns-strategy` CLI flag that can be set on the Ingress Controller
+(or an equivalent environment variable: `CONTROLLER_GATEWAY_DISCOVERY_DNS_STRATEGY`).
+It accepts 3 values which change the way that Gateway addresses are generated:
+- `service` - for service scoped pod DNS names: `pod-ip-address.service-name.my-namespace.svc.cluster-domain.example`
+- `pod` - for namespace scope pod DNS names: `pod-ip-address.my-namespace.pod.cluster-domain.example`
+- `ip` (default, retains behavior introduced in v2.9) - for regular IP addresses
+
+When using `gatewayDiscovery`, you should consider configuring the Admin service to use mTLS client verification to make
+this interface secure.
+Without that, anyone who can access the Admin API from inside the cluster can configure the Gateway instances.
+
+On the controller release side, that can be achieved by setting `ingressController.adminApi.tls.client.enabled` to `true`.
+By default, Helm will generate a certificate Secret named `<release name>-admin-api-keypair` and
+a CA Secret named `<release name>-admin-api-ca-keypair` for you.
+
+To provide your own cert, set `ingressController.adminApi.tls.client.certProvided` to
+`true`, `ingressController.adminApi.tls.client.secretName` to the name of the Secret containing your client cert, and `ingressController.adminApi.tls.client.caSecretName` to the name of the Secret containing your CA cert.
+
+On the Gateway release side, set either `admin.tls.client.secretName` to the name of your CA Secret or set `admin.tls.client.caBundle` to the CA certificate string.
+
+### General Parameters
+
+| Parameter | Description | Default |
+| ---------------------------------- | ------------------------------------------------------------------------------------- | ------------------- |
+| namespace | Namespace to deploy chart resources | |
+| deployment.kong.enabled | Enable or disable deploying Kong | `true` |
+| deployment.minReadySeconds | Minimum number of seconds for which newly created pods should be ready without any of its container crashing, for it to be considered available. | |
+| deployment.initContainers | Create initContainers. Please go to Kubernetes doc for the spec of the initContainers | |
+| deployment.daemonset | Use a DaemonSet instead of a Deployment | `false` |
+| deployment.hostname | Set the Deployment's `.spec.template.hostname`. Kong reports this as its hostname. | |
+| deployment.hostNetwork | Enable hostNetwork, which binds to the ports to the host | `false` |
+| deployment.userDefinedVolumes | Create volumes. Please go to Kubernetes doc for the spec of the volumes | |
+| deployment.userDefinedVolumeMounts | Create volumeMounts. Please go to Kubernetes doc for the spec of the volumeMounts | |
+| deployment.serviceAccount.create | Create Service Account for the Deployment / Daemonset and the migrations | `true` |
+| deployment.serviceAccount.automountServiceAccountToken | Enable ServiceAccount token automount in Kong deployment | `false` |
+| deployment.serviceAccount.name | Name of the Service Account, a default one will be generated if left blank. | "" |
+| deployment.serviceAccount.annotations | Annotations for the Service Account | {} |
+| deployment.test.enabled | Enable creation of test resources for use with "helm test" | `false` |
+| autoscaling.enabled | Set this to `true` to enable autoscaling | `false` |
+| autoscaling.minReplicas | Set minimum number of replicas | `2` |
+| autoscaling.maxReplicas | Set maximum number of replicas | `5` |
+| autoscaling.behavior | Sets the [behavior for scaling up and down](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior) | `{}` |
+| autoscaling.targetCPUUtilizationPercentage | Target Percentage for when autoscaling takes affect. Only used if cluster does not support `autoscaling/v2` or `autoscaling/v2beta2` | `80` |
+| autoscaling.metrics | metrics used for autoscaling for clusters that supports `autoscaling/v2` or `autoscaling/v2beta2` | See [values.yaml](values.yaml) |
+| updateStrategy | update strategy for deployment | `{}` |
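Review bot: In the `gatewayDiscovery` section, "you should consider configuring the Admin service to use mTLS client verification" is weaker than the sentence that follows it, which says that without it anyone who can access the Admin API from inside the cluster can configure the Gateway instances, and the Ingress Controller table lists `adminApi.tls.client.enabled` with a default of `false`. I would state this as the expected setup for split releases, say plainly that the default leaves the Admin API without client verification, and link to the "Admin Service mTLS" section so the matching `admin.tls.client.*` keys on the Gateway side are easy to find. The last paragraph of the section should also repeat that the Secret named in `admin.tls.client.secretName` must contain a `tls.crt` key, as the parameter table requires. In the same region, `admissionWebhook.failurePolicy` is documented with a default of `Ignore`; a short remark that webhook errors then admit the object unvalidated would help readers choose between `Ignore` and `Fail`. Smaller points: the `migrations.annotations` default is missing its closing `}` and backtick, which breaks that table row; "provisionning" and "servic" are typos in the `SVC.loadBalancerClass` and `SVC.externalIPs` rows; and the period after the examples README link splits the sentence that continues with "or use the `ingress` chart".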