# Copyright 2026 HAProxy Technologies LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

## HAProxy Unified Gateway Helm Chart - values.yaml
## Default values for the chart; every key below can be overridden at install time.
## NOTE(review): this copy of the file had lost its line breaks and indentation.
## The nesting below (in particular which sections sit under `controller:` and
## `hugconf:`) is reconstructed - confirm key paths against the chart templates.

## NOTE(review): PodSecurityPolicy no longer exists on Kubernetes 1.25+, so this
## section gives no protection there; pod hardening on current clusters comes from
## the controller security settings below plus Pod Security Admission.
# -- PodSecurityPolicy configuration (deprecated in K8s 1.21, removed in 1.25)
podSecurityPolicy:
  ## Specify pod annotations
  ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor
  ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
  ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl
  annotations: {}
    # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
    # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
    # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
    # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
  enabled: false

## NOTE(review): the rules granted are defined in the chart templates, not here;
## review the rendered Role/ClusterRole before installing.
# -- Create RBAC resources
rbac:
  create: true

# -- Create a namespace (uses Helm pre-install hook)
namespace:
  create: false

# -- ServiceAccount configuration
serviceAccount:
  # -- Create a ServiceAccount
  create: true
  # -- ServiceAccount name (generated if not set)
  name: ""
  # -- Annotations to add to the ServiceAccount
  annotations: {}

# -- Controller configuration
controller:
  # -- Controller name
  name: controller
  ## NOTE(review): a tag is a mutable reference, and with IfNotPresent a node
  ## keeps whatever content it first pulled for that tag. Where image provenance
  ## matters, enforce digest or signature verification at admission.
  # -- Container image configuration
  image:
    repository: docker.io/haproxytech/haproxy-unified-gateway
    tag: ""  # defaults to appVersion
    pullPolicy: IfNotPresent
  # -- Image pull secrets
  imagePullSecrets: []
  # -- Deployment or DaemonSet pod mode
  # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
  # ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
  kind: Deployment  # can be 'Deployment' or 'DaemonSet'
  # -- Number of replicas (only for Deployment mode)
  replicaCount: 1
  # -- HugConf CRD reference (namespace/name)
  # If empty, defaults to "/hugconf"
  hugconfCrd: ""
  ## NOTE(review): with "none" the endpoint is plain HTTP and unauthenticated.
  ## With "basic", credentials passed through extraArgs are stored in cleartext
  ## in the pod spec and in the Helm release, readable by anyone who can get
  ## Pods/Deployments in the namespace. Kubernetes expands $(VAR_NAME) in
  ## container args, so a Secret-backed variable from extraEnvs can carry the
  ## value instead - confirm the chart renders extraEnvs into this container.
  # -- Metrics authentication mode for the controller metrics endpoint (port 31060)
  # Supported values: "none", "kube-rbac", "basic"
  # - none: HTTP, no authentication
  # - kube-rbac: HTTPS with Kubernetes TokenReview/SubjectAccessReview
  # - basic: HTTPS with HTTP Basic Authentication (set credentials via extraArgs)
  metricsAuth: kube-rbac
  # -- Extra arguments to pass to the controller
  extraArgs: []
  # -- Container ports
  containerPort:
    http: 31080
    https: 31443
    stat: 31024
    metrics: 31060
  # -- Resource requests and limits
  resources:
    limits:
      memory: 2560Mi
    requests:
      memory: 2048Mi
  ## The three settings below are the hardened defaults (non-root, no privilege
  ## escalation, runtime-default seccomp); relaxing any of them widens what a
  ## compromised controller process can do on the node.
  ## Running container without root privileges
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
  unprivileged: true
  ## Privilege escalation
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
  allowPrivilegeEscalation: false
  ## Restricts container syscalls
  ## ref: https://kubernetes.io/docs/tutorials/security/seccomp/
  ## Supported types: RuntimeDefault, Localhost, Unconfined
  ## Set to empty ({}) to disable seccomp profile
  seccompProfile:
    type: RuntimeDefault
    # localhostProfile: my-profiles/profile.json  # only for type: Localhost
  # -- Pod-level security context
  podSecurityContext: {}
  # -- Liveness probe configuration
  livenessProbe: {}
  # -- Readiness probe configuration
  readinessProbe: {}
  # -- Startup probe configuration
  startupProbe: {}
  # -- Node selector for pod scheduling
  nodeSelector: {}
  # -- Tolerations for pod scheduling
  tolerations: []
  # -- Affinity rules for pod scheduling
  affinity: {}
  # -- Topology spread constraints
  topologySpreadConstraints: []
  # -- Extra environment variables
  extraEnvs: []
  # -- Extra volume mounts
  extraVolumeMounts: []
  # -- Extra volumes
  extraVolumes: []
  # -- Extra init containers
  initContainers: []
  # -- Extra sidecar containers
  extraContainers: []
  # -- Pod annotations
  podAnnotations: {}
  # -- Pod labels
  podLabels: {}
  # -- Extra labels for the Deployment
  extraLabels: {}
  # -- Update strategy
  strategy:
    type: RollingUpdate
  # -- Priority class name
  priorityClassName: ""
  # -- DNS policy
  dnsPolicy: ""
  # -- DNS config
  dnsConfig: {}
  ## NOTE(review): useHostNetwork: true places the pod in the node's network
  ## namespace, where it can reach services bound to the node's loopback and the
  ## ports are not covered by pod-level NetworkPolicy on many CNIs. Keep it false
  ## unless required; useHostPort alone maps the hostPorts below to the container.
  # -- DaemonSet-specific configuration (only used when kind is 'DaemonSet')
  daemonset:
    useHostNetwork: false  # also modify dnsPolicy accordingly
    useHostPort: false
    hostIP: null
    hostPorts:
      http: 80
      https: 443
      stat: 1024
      metrics: 31060
  ## NOTE(review): placement of `service` through `podDisruptionBudget` under
  ## `controller` is reconstructed - confirm against the templates.
  ## NodePort publishes the listed ports on every node address. The stat port
  ## appears to be served over plain http (see the monitor endpoints below), so
  ## limit who can reach it (NetworkPolicy, node firewall) or use ClusterIP where
  ## access from outside the cluster is not needed.
  # -- Service configuration
  service:
    # -- Enable the Service
    enabled: true
    # -- Service type
    type: NodePort
    # -- Service annotations
    annotations: {}
    # -- Service labels
    labels: {}
    # -- External traffic policy
    externalTrafficPolicy: ""
    # -- HTTP port configuration
    http:
      port: 31080
      targetPort: 31080
      nodePort: 31080
    # -- HTTPS port configuration
    https:
      port: 31443
      targetPort: 31443
      nodePort: 31443
    # -- Stats port configuration
    stat:
      port: 31024
      targetPort: 31024
      nodePort: ""
    # -- Extra ports to expose
    extraPorts: []
    ## NOTE(review): if the template adds this port to the NodePort Service,
    ## Kubernetes allocates a node port for it as well; its protection then
    ## rests entirely on metricsAuth.
    # -- Controller metrics port configuration (hug_* prometheus metrics)
    controller-metrics:
      port: 31060
      targetPort: 31060
    # -- Metrics service configuration (created when serviceMonitor is enabled)
    metrics:
      type: ClusterIP
      annotations: {}
      labels: {}
  # -- ServiceMonitor configuration (requires Prometheus Operator)
  ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md
  ## Note: requires Prometheus Operator to be able to work, for example:
  ## helm install prometheus prometheus-community/kube-prometheus-stack \
  ##   --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \
  ##   --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false
  serviceMonitor:
    # -- Enable ServiceMonitor (should not be enabled together with podMonitor)
    enabled: false
    # -- Extra labels for ServiceMonitor target discovery
    extraLabels: {}
    # -- ServiceMonitor endpoints configuration
    endpoints:
      - port: stat
        path: /metrics
        scheme: http
        interval: 30s
      ## NOTE(review): insecureSkipVerify: true turns off server-certificate
      ## verification while the scraper presents its ServiceAccount token (the
      ## bearerTokenFile path is read inside the Prometheus pod), so the token
      ## can be disclosed to whatever answers on that address. If the metrics
      ## certificate is issued by a CA you control, supply it through tlsConfig
      ## (ca / serverName) and set insecureSkipVerify: false. Also scope that
      ## ServiceAccount to the minimum the kube-rbac check needs.
      - port: metrics
        path: /metrics
        scheme: https
        interval: 30s
        tlsConfig:
          insecureSkipVerify: true
        bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
  # -- PodMonitor configuration (requires Prometheus Operator)
  ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md
  podMonitor:
    # -- Enable PodMonitor (should not be enabled together with serviceMonitor)
    enabled: false
    # -- Extra labels for PodMonitor target discovery
    extraLabels: {}
    # -- PodMonitor endpoints configuration
    endpoints:
      - port: stat
        path: /metrics
        scheme: http
        interval: 30s
      ## NOTE(review): same caveat as the serviceMonitor `metrics` endpoint -
      ## the bearer token is sent without verifying the server certificate.
      - port: metrics
        path: /metrics
        scheme: https
        interval: 30s
        tlsConfig:
          insecureSkipVerify: true
        bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
  # -- HorizontalPodAutoscaler configuration
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 10
    targetCPUUtilizationPercentage: 80
    # targetMemoryUtilizationPercentage: 80
  # -- KEDA ScaledObject configuration (mutually exclusive with autoscaling)
  keda:
    enabled: false
    minReplicas: 2
    maxReplicas: 20
    pollingInterval: 30
    cooldownPeriod: 300
    restoreToOriginalReplicaCount: false
    # fallback:
    #   failureThreshold: 3
    #   replicas: 11
    scaledObject:
      annotations: {}
    horizontalPodAutoscalerConfig: {}
      # name: ""
      # behavior:
      #   scaleDown:
      #     stabilizationWindowSeconds: 300
      #     policies:
      #       - type: Pods
      #         value: 1
      #         periodSeconds: 300
    triggers: []
      # - type: prometheus
      #   metadata:
      #     serverAddress: http://:9090
      #     metricName: haproxy_process_idle_time_percent
      #     threshold: '50'
      #     query: avg(100-avg_over_time(haproxy_process_idle_time_percent{job="haproxy-unified-gateway"}[2m]))
  # -- PodDisruptionBudget configuration
  podDisruptionBudget:
    enabled: false
    # minAvailable: 1
    # maxUnavailable: 1

# -- HugConf custom resource configuration
hugconf:
  # -- Create a HugConf resource
  create: true
  # -- HugConf name
  name: hugconf
  # -- Logging configuration
  logging:
    # -- Default log level
    defaultLevel: Info
    # -- Per-category log level overrides
    categoryLevelList:
      - category: "k8s"
        level: "Error"
      - category: "gate"
        level: "Info"
      - category: "status"
        level: "Info"
      - category: "batch"
        level: "Error"
      - category: "app"
        level: "Info"
      - category: "certs-storage"
        level: "Info"
  # -- Global configuration reference (group, kind, name, namespace)
  globalRef: {}
    # group: gate.v3.haproxy.org
    # kind: Global
    # name: global
    # namespace: haproxy-unified-gateway
  # -- Defaults configuration reference (group, kind, name, namespace)
  defaultsRef: {}
    # group: gate.v3.haproxy.org
    # kind: Defaults
    # name: haproxytech
    # namespace: haproxy-unified-gateway

## NOTE(review): both Jobs below run as Helm hooks and install CRDs, which are
## cluster-scoped, so the identity they run under needs create/update rights on
## customresourcedefinitions. Review that binding in the rendered manifests. If
## the Gateway API Job fetches manifests at install time (not visible here),
## check where they come from and how their integrity is verified.
# -- CRD Job configuration
crdjob:
  # -- Enable the CRD installation Job (Helm hook)
  enabled: true
  # -- Additional pod annotations
  podAnnotations: {}
  # -- TTL for completed jobs (seconds)
  ttlSecondsAfterFinished: 60
  # -- Node selector
  nodeSelector: {}
  # -- Tolerations
  tolerations: []
  # -- Affinity
  affinity: {}
  # -- Resources for CRD job
  resources: {}
  # -- Image override (defaults to controller image)
  image: {}

# -- Gateway API Job configuration
gwapijob:
  # -- Enable the Gateway API CRD installation Job (Helm hook)
  enabled: true
  # -- Gateway API version to install
  version: "1.3.0"
  # -- Additional pod annotations
  podAnnotations: {}
  # -- TTL for completed jobs (seconds)
  ttlSecondsAfterFinished: 60
  # -- Node selector
  nodeSelector: {}
  # -- Tolerations
  tolerations: []
  # -- Affinity
  affinity: {}
  # -- Resources for Gateway API job
  resources: {}
  # -- Image override (defaults to controller image)
  image: {}