Change-Id: Iedffaa05911f8f1c99119ed53d76af84be0baaee
# Copyright 2026 HAProxy Technologies LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

## HAProxy Unified Gateway Helm Chart - values.yaml

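# -- PodSecurityPolicy configuration (deprecated in K8s 1.21, removed in 1.25)
## The PodSecurityPolicy API does not exist on Kubernetes 1.25 and later, so on
## those clusters pod hardening has to come from Pod Security Admission
## namespace labels or an admission policy engine, not from this stanza.
podSecurityPolicy:
  ## Specify pod annotations
  ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor
  ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp
  ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl
  annotations: {}
    # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
    # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
    # seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
    # seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
  enabled: false
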
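# -- Create RBAC resources
## NOTE(review): the roles and bindings themselves live in the chart templates,
## which are not shown here - review them before installing with create: true.
rbac:
  create: true

# -- Create a namespace (uses Helm pre-install hook)
namespace:
  create: false
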
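# -- ServiceAccount configuration
serviceAccount:
  # -- Create a ServiceAccount
  create: true
  # -- ServiceAccount name (generated if not set)
  name: ""
  # -- Annotations to add to the ServiceAccount
  annotations: {}
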
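# -- Controller configuration
## NOTE(review): this listing lost its indentation. The settings that follow
## `name` on the page (image, kind, replicaCount, ...) may belong under
## `controller` as well - confirm against the chart before copying values.
controller:
  # -- Controller name
  name: controller
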
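# -- Container image configuration
## A tag is a mutable reference: with pullPolicy IfNotPresent a node keeps
## running whatever image it already cached under that tag, even if the tag
## has since been moved in the registry.
image:
  repository: docker.io/haproxytech/haproxy-unified-gateway
  tag: ""  # defaults to appVersion
  pullPolicy: IfNotPresent

# -- Image pull secrets
imagePullSecrets: []
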
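# -- Deployment or DaemonSet pod mode
# ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
# ref: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
kind: Deployment  # can be 'Deployment' or 'DaemonSet'

# -- Number of replicas (only for Deployment mode)
replicaCount: 1
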
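# -- HugConf CRD reference (namespace/name)
# If empty, defaults to "<release-namespace>/hugconf"
hugconfCrd: ""
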
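# -- Metrics authentication mode for the controller metrics endpoint (port 31060)
# Supported values: "none", "kube-rbac", "basic"
#   - none: HTTP, no authentication
#   - kube-rbac: HTTPS with Kubernetes TokenReview/SubjectAccessReview
#   - basic: HTTPS with HTTP Basic Authentication (set credentials via extraArgs)
## With "none" the metrics are served in clear text to anything that can reach
## port 31060, so only use it when network access to that port is restricted.
## With "basic", credentials given through extraArgs become part of the pod
## spec and are readable by anyone allowed to read the workload object.
metricsAuth: kube-rbac

# -- Extra arguments to pass to the controller
extraArgs: []
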
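# -- Container ports
containerPort:
  http: 31080
  https: 31443
  stat: 31024
  metrics: 31060
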
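# -- Resource requests and limits
## Only memory is bounded by these defaults; no CPU request or limit is set.
resources:
  limits:
    memory: 2560Mi
  requests:
    memory: 2048Mi
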
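## Running container without root privileges
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
unprivileged: true

## Privilege escalation
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
allowPrivilegeEscalation: false

## Restricts container syscalls
## ref: https://kubernetes.io/docs/tutorials/security/seccomp/
## Supported types: RuntimeDefault, Localhost, Unconfined
## Set to empty ({}) to disable seccomp profile
## Unconfined, or an empty value, removes syscall filtering for the container;
## keep RuntimeDefault unless a tested Localhost profile is available on every
## node that can run the pod.
seccompProfile:
  type: RuntimeDefault
  # localhostProfile: my-profiles/profile.json  # only for type: Localhost

# -- Pod-level security context
podSecurityContext: {}
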
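# -- Liveness probe configuration
livenessProbe: {}

# -- Readiness probe configuration
readinessProbe: {}

# -- Startup probe configuration
startupProbe: {}
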
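# -- Node selector for pod scheduling
nodeSelector: {}

# -- Tolerations for pod scheduling
tolerations: []

# -- Affinity rules for pod scheduling
affinity: {}

# -- Topology spread constraints
topologySpreadConstraints: []
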
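# -- Extra environment variables
## Values set here are stored in the pod spec in clear text; reference a
## Secret (valueFrom.secretKeyRef) for anything sensitive.
extraEnvs: []

# -- Extra volume mounts
extraVolumeMounts: []

# -- Extra volumes
extraVolumes: []

# -- Extra init containers
initContainers: []

# -- Extra sidecar containers
## Containers added here run in the same pod and share its network namespace
## with the gateway; the hardening values in this file are not shown to apply
## to them, so give each its own securityContext.
extraContainers: []
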
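# -- Pod annotations
podAnnotations: {}

# -- Pod labels
podLabels: {}

# -- Extra labels for the Deployment
extraLabels: {}
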
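# -- Update strategy
strategy:
  type: RollingUpdate

# -- Priority class name
priorityClassName: ""

# -- DNS policy
dnsPolicy: ""

# -- DNS config
dnsConfig: {}
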
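# -- DaemonSet-specific configuration (only used when kind is 'DaemonSet')
## useHostNetwork places the pod in the node's network namespace, and
## useHostPort binds the ports below on the node itself. Either option makes
## the stat and metrics ports reachable on node addresses as well as http and
## https, so pair them with node-level firewalling or a NetworkPolicy.
## NOTE(review): how a null hostIP is rendered is decided in the templates
## (not shown); confirm whether the ports end up bound on all node addresses.
daemonset:
  useHostNetwork: false  # also modify dnsPolicy accordingly
  useHostPort: false
  hostIP: null
  hostPorts:
    http: 80
    https: 443
    stat: 1024
    metrics: 31060
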
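# -- Service configuration
## A NodePort Service opens its ports on every node of the cluster. Besides
## http and https this Service also lists the stat port, and this file has
## Prometheus scrape that port over plain http.
## NOTE(review): stat.nodePort is empty and controller-metrics has no nodePort
## key; whether Kubernetes then allocates a node port for them depends on the
## templates (not shown). Confirm which ports are reachable from outside the
## cluster, or use ClusterIP / a NetworkPolicy for the non-traffic ports.
service:
  # -- Enable the Service
  enabled: true
  # -- Service type
  type: NodePort
  # -- Service annotations
  annotations: {}
  # -- Service labels
  labels: {}
  # -- External traffic policy
  externalTrafficPolicy: ""
  # -- HTTP port configuration
  http:
    port: 31080
    targetPort: 31080
    nodePort: 31080
  # -- HTTPS port configuration
  https:
    port: 31443
    targetPort: 31443
    nodePort: 31443
  # -- Stats port configuration
  stat:
    port: 31024
    targetPort: 31024
    nodePort: ""
  # -- Extra ports to expose
  extraPorts: []
  # -- Controller metrics port configuration (hug_* prometheus metrics)
  controller-metrics:
    port: 31060
    targetPort: 31060
  # -- Metrics service configuration (created when serviceMonitor is enabled)
  metrics:
    type: ClusterIP
    annotations: {}
    labels: {}
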
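# -- ServiceMonitor configuration (requires Prometheus Operator)
## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md
## Note: requires Prometheus Operator to be able to work, for example:
## helm install prometheus prometheus-community/kube-prometheus-stack \
##   --set prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false \
##   --set prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false
serviceMonitor:
  # -- Enable ServiceMonitor (should not be enabled together with podMonitor)
  enabled: false
  # -- Extra labels for ServiceMonitor target discovery
  extraLabels: {}
  # -- ServiceMonitor endpoints configuration
  endpoints:
    ## The stat endpoint is scraped over plain http, without authentication
    - port: stat
      path: /metrics
      scheme: http
      interval: 30s
    - port: metrics
      path: /metrics
      scheme: https
      interval: 30s
      ## insecureSkipVerify disables certificate checking, so the scraper
      ## presents its ServiceAccount token (bearerTokenFile below) to a server
      ## whose identity it has not verified. Where the metrics certificate is
      ## issued by a known CA, set tlsConfig.ca and tlsConfig.serverName and
      ## turn this off.
      tlsConfig:
        insecureSkipVerify: true
      bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
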
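# -- PodMonitor configuration (requires Prometheus Operator)
## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md
podMonitor:
  # -- Enable PodMonitor (should not be enabled together with serviceMonitor)
  enabled: false
  # -- Extra labels for PodMonitor target discovery
  extraLabels: {}
  # -- PodMonitor endpoints configuration
  endpoints:
    ## The stat endpoint is scraped over plain http, without authentication
    - port: stat
      path: /metrics
      scheme: http
      interval: 30s
    - port: metrics
      path: /metrics
      scheme: https
      interval: 30s
      ## insecureSkipVerify disables certificate checking, so the scraper
      ## presents its ServiceAccount token (bearerTokenFile below) to a server
      ## whose identity it has not verified. Where the metrics certificate is
      ## issued by a known CA, set tlsConfig.ca and tlsConfig.serverName and
      ## turn this off.
      tlsConfig:
        insecureSkipVerify: true
      bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
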
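# -- HorizontalPodAutoscaler configuration
autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 10
  targetCPUUtilizationPercentage: 80
  # targetMemoryUtilizationPercentage: 80
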
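# -- KEDA ScaledObject configuration (mutually exclusive with autoscaling)
keda:
  enabled: false
  minReplicas: 2
  maxReplicas: 20
  pollingInterval: 30
  cooldownPeriod: 300
  restoreToOriginalReplicaCount: false
  # fallback:
  #   failureThreshold: 3
  #   replicas: 11
  scaledObject:
    annotations: {}
  ## NOTE(review): indentation was lost in this listing; this key is placed
  ## beside scaledObject here - confirm its nesting against the chart.
  horizontalPodAutoscalerConfig: {}
    # name: ""
    # behavior:
    #   scaleDown:
    #     stabilizationWindowSeconds: 300
    #     policies:
    #       - type: Pods
    #         value: 1
    #         periodSeconds: 300
  triggers: []
    # - type: prometheus
    #   metadata:
    #     serverAddress: http://<prometheus-host>:9090
    #     metricName: haproxy_process_idle_time_percent
    #     threshold: '50'
    #     query: avg(100-avg_over_time(haproxy_process_idle_time_percent{job="haproxy-unified-gateway"}[2m]))
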
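# -- PodDisruptionBudget configuration
podDisruptionBudget:
  enabled: false
  # minAvailable: 1
  # maxUnavailable: 1
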
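# -- HugConf custom resource configuration
hugconf:
  # -- Create a HugConf resource
  create: true
  # -- HugConf name
  name: hugconf
  # -- Logging configuration
  logging:
    # -- Default log level
    defaultLevel: Info
    # -- Per-category log level overrides
    categoryLevelList:
      - category: "k8s"
        level: "Error"
      - category: "gate"
        level: "Info"
      - category: "status"
        level: "Info"
      - category: "batch"
        level: "Error"
      - category: "app"
        level: "Info"
      - category: "certs-storage"
        level: "Info"
  # -- Global configuration reference (group, kind, name, namespace)
  globalRef: {}
    # group: gate.v3.haproxy.org
    # kind: Global
    # name: global
    # namespace: haproxy-unified-gateway
  # -- Defaults configuration reference (group, kind, name, namespace)
  defaultsRef: {}
    # group: gate.v3.haproxy.org
    # kind: Defaults
    # name: haproxytech
    # namespace: haproxy-unified-gateway
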
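# -- CRD Job configuration
## NOTE(review): creating CRDs needs cluster-scoped permissions. The account
## this hook Job runs under is defined in templates not shown here - confirm
## it is limited to CRD management.
crdjob:
  # -- Enable the CRD installation Job (Helm hook)
  enabled: true
  # -- Additional pod annotations
  podAnnotations: {}
  # -- TTL for completed jobs (seconds)
  ttlSecondsAfterFinished: 60
  # -- Node selector
  nodeSelector: {}
  # -- Tolerations
  tolerations: []
  # -- Affinity
  affinity: {}
  # -- Resources for CRD job
  resources: {}
  # -- Image override (defaults to controller image)
  image: {}
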
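# -- Gateway API Job configuration
## NOTE(review): where the Job obtains the Gateway API CRDs for `version`
## (bundled in the image or fetched at install time) is not visible here.
## Confirm it, since a download during install is a supply-chain input, and
## check that the Job's account is limited to CRD management.
gwapijob:
  # -- Enable the Gateway API CRD installation Job (Helm hook)
  enabled: true
  # -- Gateway API version to install
  version: "1.3.0"
  # -- Additional pod annotations
  podAnnotations: {}
  # -- TTL for completed jobs (seconds)
  ttlSecondsAfterFinished: 60
  # -- Node selector
  nodeSelector: {}
  # -- Tolerations
  tolerations: []
  # -- Affinity
  affinity: {}
  # -- Resources for Gateway API job
  resources: {}
  # -- Image override (defaults to controller image)
  image: {}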