initial commit

Change-Id: I6048ebc6243ebc8630caceeff787370b9725a152

deploy/values.yaml

@@ -0,0 +1,389 @@
+# Copyright 2026 HAProxy Technologies LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+## HAProxy Unified Gateway Helm Chart - values.yaml
+
+# -- PodSecurityPolicy configuration (deprecated in K8s 1.21, removed in 1.25)
+podSecurityPolicy:
+  ## Specify pod annotations
+  ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor
+  ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
+  ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl
+  annotations: {}
+    # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+    # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+    # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
+    # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
+  enabled: false
+
+# -- Create RBAC resources
+rbac:
+  create: true
+
+# -- Create a namespace (uses Helm pre-install hook)
+namespace:
+  create: false
+
+# -- ServiceAccount configuration
+serviceAccount:
+  # -- Create a ServiceAccount
+  create: true
+  # -- ServiceAccount name (generated if not set)
+  name: ""
+  # -- Annotations to add to the ServiceAccount
+  annotations: {}
+
+# -- Controller configuration
+controller:
+  # -- Controller name
+  name: controller
+
+  # -- Container image configuration
+  image:
+    repository: docker.io/haproxytech/haproxy-unified-gateway
+    tag: ""  # defaults to appVersion
+    pullPolicy: IfNotPresent
+
+  # -- Image pull secrets
+  imagePullSecrets: []
+
+  # -- Deployment or DaemonSet pod mode
+  # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
+  # ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
+  kind: Deployment    # can be 'Deployment' or 'DaemonSet'
+
+  # -- Number of replicas (only for Deployment mode)
+  replicaCount: 1
+
+  # -- HugConf CRD reference (namespace/name)
+  # If empty, defaults to "<release-namespace>/hugconf"
+  hugconfCrd: ""
+
+  # -- Metrics authentication mode for the controller metrics endpoint (port 31060)
+  # Supported values: "none", "kube-rbac", "basic"
+  # - none: HTTP, no authentication
+  # - kube-rbac: HTTPS with Kubernetes TokenReview/SubjectAccessReview
+  # - basic: HTTPS with HTTP Basic Authentication (set credentials via extraArgs)
+  metricsAuth: kube-rbac
+
+  # -- Extra arguments to pass to the controller
+  extraArgs: []
+
+  # -- Container ports
+  containerPort:
+    http: 31080
+    https: 31443
+    stat: 31024
+    metrics: 31060
+
+  # -- Resource requests and limits
+  resources:
+    limits:
+      memory: 2560Mi
+    requests:
+      memory: 2048Mi
+
+  ## Running container without root privileges
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  unprivileged: true
+
+  ## Privilege escalation
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  allowPrivilegeEscalation: false
+
+  ## Restricts container syscalls
+  ## ref: https://kubernetes.io/docs/tutorials/security/seccomp/
+  ## Supported types: RuntimeDefault, Localhost, Unconfined
+  ## Set to empty ({}) to disable seccomp profile
+  seccompProfile:
+    type: RuntimeDefault
+    # localhostProfile: my-profiles/profile.json  # only for type: Localhost
+
+  # -- Pod-level security context
+  podSecurityContext: {}
+
+  # -- Liveness probe configuration
+  livenessProbe: {}
+
+  # -- Readiness probe configuration
+  readinessProbe: {}
+
+  # -- Startup probe configuration
+  startupProbe: {}
+
+  # -- Node selector for pod scheduling
+  nodeSelector: {}
+
+  # -- Tolerations for pod scheduling
+  tolerations: []
+
+  # -- Affinity rules for pod scheduling
+  affinity: {}
+
+  # -- Topology spread constraints
+  topologySpreadConstraints: []
+
+  # -- Extra environment variables
+  extraEnvs: []
+
+  # -- Extra volume mounts
+  extraVolumeMounts: []
+
+  # -- Extra volumes
+  extraVolumes: []
+
+  # -- Extra init containers
+  initContainers: []
+
+  # -- Extra sidecar containers
+  extraContainers: []
+
+  # -- Pod annotations
+  podAnnotations: {}
+
+  # -- Pod labels
+  podLabels: {}
+
+  # -- Extra labels for the Deployment
+  extraLabels: {}
+
+  # -- Update strategy
+  strategy:
+    type: RollingUpdate
+
+  # -- Priority class name
+  priorityClassName: ""
+
+  # -- DNS policy
+  dnsPolicy: ""
+
+  # -- DNS config
+  dnsConfig: {}
+
+  # -- DaemonSet-specific configuration (only used when kind is 'DaemonSet')
+  daemonset:
+    useHostNetwork: false  # also modify dnsPolicy accordingly
+    useHostPort: false
+    hostIP: null
+    hostPorts:
+      http: 80
+      https: 443
+      stat: 1024
+      metrics: 31060
+
+  # -- Service configuration
+  service:
+    # -- Enable the Service
+    enabled: true
+    # -- Service type
+    type: NodePort
+    # -- Service annotations
+    annotations: {}
+    # -- Service labels
+    labels: {}
+    # -- External traffic policy
+    externalTrafficPolicy: ""
+    # -- HTTP port configuration
+    http:
+      port: 31080
+      targetPort: 31080
+      nodePort: 31080
+    # -- HTTPS port configuration
+    https:
+      port: 31443
+      targetPort: 31443
+      nodePort: 31443
+    # -- Stats port configuration
+    stat:
+      port: 31024
+      targetPort: 31024
+      nodePort: ""
+    # -- Extra ports to expose
+    extraPorts: []
+    # -- Controller metrics port configuration (hug_* prometheus metrics)
+    controller-metrics:
+      port: 31060
+      targetPort: 31060
+    # -- Metrics service configuration (created when serviceMonitor is enabled)
+    metrics:
+      type: ClusterIP
+      annotations: {}
+      labels: {}
+
+  # -- ServiceMonitor configuration (requires Prometheus Operator)
+  ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md
+  ## Note: requires Prometheus Operator to be able to work, for example:
+  ## helm install prometheus prometheus-community/kube-prometheus-stack \
+  ##   --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \
+  ##   --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false
+  serviceMonitor:
+    # -- Enable ServiceMonitor (should not be enabled together with podMonitor)
+    enabled: false
+    # -- Extra labels for ServiceMonitor target discovery
+    extraLabels: {}
+    # -- ServiceMonitor endpoints configuration
+    endpoints:
+      - port: stat
+        path: /metrics
+        scheme: http
+        interval: 30s
+      - port: metrics
+        path: /metrics
+        scheme: https
+        interval: 30s
+        tlsConfig:
+          insecureSkipVerify: true
+        bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+
+  # -- PodMonitor configuration (requires Prometheus Operator)
+  ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md
+  podMonitor:
+    # -- Enable PodMonitor (should not be enabled together with serviceMonitor)
+    enabled: false
+    # -- Extra labels for PodMonitor target discovery
+    extraLabels: {}
+    # -- PodMonitor endpoints configuration
+    endpoints:
+      - port: stat
+        path: /metrics
+        scheme: http
+        interval: 30s
+      - port: metrics
+        path: /metrics
+        scheme: https
+        interval: 30s
+        tlsConfig:
+          insecureSkipVerify: true
+        bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+
+  # -- HorizontalPodAutoscaler configuration
+  autoscaling:
+    enabled: false
+    minReplicas: 1
+    maxReplicas: 10
+    targetCPUUtilizationPercentage: 80
+    # targetMemoryUtilizationPercentage: 80
+
+  # -- KEDA ScaledObject configuration (mutually exclusive with autoscaling)
+  keda:
+    enabled: false
+    minReplicas: 2
+    maxReplicas: 20
+    pollingInterval: 30
+    cooldownPeriod: 300
+    restoreToOriginalReplicaCount: false
+    # fallback:
+    #   failureThreshold: 3
+    #   replicas: 11
+    scaledObject:
+      annotations: {}
+    horizontalPodAutoscalerConfig: {}
+      # name: ""
+      # behavior:
+      #   scaleDown:
+      #     stabilizationWindowSeconds: 300
+      #     policies:
+      #       - type: Pods
+      #         value: 1
+      #         periodSeconds: 300
+    triggers: []
+      # - type: prometheus
+      #   metadata:
+      #     serverAddress: http://<prometheus-host>:9090
+      #     metricName: haproxy_process_idle_time_percent
+      #     threshold: '50'
+      #     query: avg(100-avg_over_time(haproxy_process_idle_time_percent{job="haproxy-unified-gateway"}[2m]))
+
+  # -- PodDisruptionBudget configuration
+  podDisruptionBudget:
+    enabled: false
+    # minAvailable: 1
+    # maxUnavailable: 1
+
+# -- HugConf custom resource configuration
+hugconf:
+  # -- Create a HugConf resource
+  create: true
+  # -- HugConf name
+  name: hugconf
+  # -- Logging configuration
+  logging:
+    # -- Default log level
+    defaultLevel: Info
+    # -- Per-category log level overrides
+    categoryLevelList:
+      - category: "k8s"
+        level: "Error"
+      - category: "gate"
+        level: "Info"
+      - category: "status"
+        level: "Info"
+      - category: "batch"
+        level: "Error"
+      - category: "app"
+        level: "Info"
+      - category: "certs-storage"
+        level: "Info"
+  # -- Global configuration reference (group, kind, name, namespace)
+  globalRef: {}
+  #   group: gate.v3.haproxy.org
+  #   kind: Global
+  #   name: global
+  #   namespace: haproxy-unified-gateway
+  # -- Defaults configuration reference (group, kind, name, namespace)
+  defaultsRef: {}
+  #   group: gate.v3.haproxy.org
+  #   kind: Defaults
+  #   name: haproxytech
+  #   namespace: haproxy-unified-gateway
+
+# -- CRD Job configuration
+crdjob:
+  # -- Enable the CRD installation Job (Helm hook)
+  enabled: true
+  # -- Additional pod annotations
+  podAnnotations: {}
+  # -- TTL for completed jobs (seconds)
+  ttlSecondsAfterFinished: 60
+  # -- Node selector
+  nodeSelector: {}
+  # -- Tolerations
+  tolerations: []
+  # -- Affinity
+  affinity: {}
+  # -- Resources for CRD job
+  resources: {}
+  # -- Image override (defaults to controller image)
+  image: {}
+
+# -- Gateway API Job configuration
+gwapijob:
+  # -- Enable the Gateway API CRD installation Job (Helm hook)
+  enabled: true
+  # -- Gateway API version to install
+  version: "1.3.0"
+  # -- Additional pod annotations
+  podAnnotations: {}
+  # -- TTL for completed jobs (seconds)
+  ttlSecondsAfterFinished: 60
+  # -- Node selector
+  nodeSelector: {}
+  # -- Tolerations
+  tolerations: []
+  # -- Affinity
+  affinity: {}
+  # -- Resources for Gateway API job
+  resources: {}
+  # -- Image override (defaults to controller image)
+  image: {}