github.com/verrazzano/verrazzano@v1.7.0/platform-operator/thirdparty/charts/ingress-nginx/values.yaml (about)

     1  ## nginx configuration
     2  ## Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/index.md
     3  ##
     4  
     5  ## Overrides for generated resource names
     6  # See templates/_helpers.tpl
     7  # nameOverride:
     8  # fullnameOverride:
     9  
    10  ## Labels to apply to all resources
    11  ##
    12  commonLabels: {}
    13  # scmhash: abc123
    14  # myLabel: aakkmd
    15  
    16  controller:
    17    name: controller
    18    image:
    19      ## Keep false as default for now!
    20      chroot: false
    21      registry: registry.k8s.io
    22      image: ingress-nginx/controller
    23      ## for backwards compatibility consider setting the full image url via the repository value below
    24      ## use *either* the current default registry/image format *or* the repository format, otherwise installing the chart by providing the values.yaml will fail
    25      ## repository:
            ## NOTE(review): tag and digest are set together; presumably the templates append the digest to the image
            ## reference so the pull is pinned by content hash - confirm in templates/_helpers.tpl, and update
            ## digest/digestChroot whenever tag is overridden.
    26      tag: "v1.7.1"
    27      digest: sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407
    28      digestChroot: sha256:e35d5ab487861b9d419c570e3530589229224a0762c7b4d2e2222434abb8d988
    29      pullPolicy: IfNotPresent
    30      # www-data -> uid 101
    31      runAsUser: 101
            # NOTE(review): presumably rendered into the controller container's securityContext; true lets a process in
            # the container gain more privileges than its parent (no_new_privs unset) - confirm the image still needs
            # it, otherwise set false.
    32      allowPrivilegeEscalation: true
    33    # -- Use an existing PSP instead of creating one
    34    existingPsp: ""
    35    # -- Configures the controller container name
    36    containerName: controller
    37    # -- Configures the ports that the nginx-controller listens on
    38    containerPort:
    39      http: 80
    40      https: 443
    41    # -- Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/
    42    config: {}
    43    # -- Annotations to be added to the controller config configuration configmap.
    44    configAnnotations: {}
    45    # -- Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers
    46    proxySetHeaders: {}
    47    # -- Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers
    48    addHeaders: {}
    49    # -- Optionally customize the pod dnsConfig.
    50    dnsConfig: {}
    51    # -- Optionally customize the pod hostname.
    52    hostname: {}
    53    # -- Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'.
    54    # By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller
    55    # to keep resolving names inside the k8s network, use ClusterFirstWithHostNet.
    56    dnsPolicy: ClusterFirst
    57    # -- Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network
    58    # Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply
    59    reportNodeInternalIp: false
    60    # -- Process Ingress objects without ingressClass annotation/ingressClassName field
    61    # Overrides value for --watch-ingress-without-class flag of the controller binary
    62    # Defaults to false
    63    watchIngressWithoutClass: false
    64    # -- Process IngressClass per name (additionally as per spec.controller).
    65    ingressClassByName: false
    66    # -- This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-aware-hints="auto"
    67    # Defaults to false
    68    enableTopologyAwareRouting: false
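    69    # -- Defines whether the Ingress Controller honours *-snippet annotations that users set on
    70    # their Ingress objects; when false, such annotations are forbidden / dropped.
    71    # NOTE(review): snippets are inserted as raw NGINX configuration, so with true anyone allowed to create or edit Ingress objects can change how the shared controller behaves; set false where Ingress authors are not fully trusted.
    72    # Global snippets in ConfigMap are still respected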
    73    allowSnippetAnnotations: true
    74    # -- Required for use with CNI based kubernetes installations (such as ones set up by kubeadm),
    75    # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920
    76    # is merged
    77    hostNetwork: false
    78    ## Use host ports 80 and 443
    79    ## Disabled by default
    80    hostPort:
    81      # -- Enable 'hostPort' or not
    82      enabled: false
    83      ports:
    84        # -- 'hostPort' http port
    85        http: 80
    86        # -- 'hostPort' https port
    87        https: 443
    88    # -- Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader'
    89    electionID: ""
    90    ## This section refers to the creation of the IngressClass resource
    91    ## IngressClass resources are supported since k8s >= 1.18 and required since k8s >= 1.19
    92    ingressClassResource:
    93      # -- Name of the ingressClass
    94      name: nginx
    95      # -- Is this ingressClass enabled or not
    96      enabled: true
    97      # -- Is this the default ingressClass for the cluster
    98      default: false
    99      # -- Controller-value of the controller that is processing this ingressClass
   100      controllerValue: "k8s.io/ingress-nginx"
   101      # -- Parameters is a link to a custom resource containing additional
   102      # configuration for the controller. This is optional if the controller
   103      # does not require extra parameters.
   104      parameters: {}
   105    # -- For backwards compatibility with ingress.class annotation, use ingressClass.
   106    # Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation
   107    ingressClass: nginx
   108    # -- Labels to add to the pod container metadata
   109    podLabels: {}
   110    #  key: value
   111  
   112    # -- Security Context policies for controller pods
   113    podSecurityContext: {}
   114    # -- See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls
   115    sysctls: {}
   116    # sysctls:
   117    #   "net.core.somaxconn": "8192"
   118  
   119    # -- Allows customization of the source of the IP address or FQDN to report
   120    # in the ingress status field. By default, it reads the information provided
   121    # by the service. If disabled, the status field reports the IP address of the
   122    # node or nodes where an ingress controller pod is running.
   123    publishService:
   124      # -- Enable 'publishService' or not
   125      enabled: true
   126      # -- Allows overriding of the publish service to bind to
   127      # Must be <namespace>/<service_name>
   128      pathOverride: ""
   129    # Limit the scope of the controller to a specific namespace
   130    scope:
   131      # -- Enable 'scope' or not
   132      enabled: false
   133      # -- Namespace to limit the controller to; defaults to $(POD_NAMESPACE)
   134      namespace: ""
   135      # -- When scope.enabled == false, instead of watching all namespaces, the controller watches only namespaces whose labels
   136      # match namespaceSelector. Format like foo=bar. Defaults to empty, which means watching all namespaces.
   137      namespaceSelector: ""
   138    # -- Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE)
   139    configMapNamespace: ""
   140    tcp:
   141      # -- Allows customization of the tcp-services-configmap; defaults to $(POD_NAMESPACE)
   142      configMapNamespace: ""
   143      # -- Annotations to be added to the tcp config configmap
   144      annotations: {}
   145    udp:
   146      # -- Allows customization of the udp-services-configmap; defaults to $(POD_NAMESPACE)
   147      configMapNamespace: ""
   148      # -- Annotations to be added to the udp config configmap
   149      annotations: {}
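   150    # -- Maxmind license key to download GeoLite2 Databases. The key is a credential: supply it at install time instead of committing a real value to this file.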
   151    ## https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases
   152    maxmindLicenseKey: ""
   153    # -- Additional command line arguments to pass to nginx-ingress-controller
   154    # E.g. to specify the default SSL certificate you can use
   155    extraArgs: {}
   156    ## extraArgs:
   157    ##   default-ssl-certificate: "<namespace>/<secret_name>"
   158  
   159    # -- Additional environment variables to set
   160    extraEnvs: []
   161    # extraEnvs:
   162    #   - name: FOO
   163    #     valueFrom:
   164    #       secretKeyRef:
   165    #         key: FOO
   166    #         name: secret-resource
   167  
   168    # -- Use a `DaemonSet` or `Deployment`
   169    kind: Deployment
   170    # -- Annotations to be added to the controller Deployment or DaemonSet
   171    ##
   172    annotations: {}
   173    #  keel.sh/pollSchedule: "@every 60m"
   174  
   175    # -- Labels to be added to the controller Deployment or DaemonSet and other resources that do not have option to specify labels
   176    ##
   177    labels: {}
   178    #  keel.sh/policy: patch
   179    #  keel.sh/trigger: poll
   180  
   181    # -- The update strategy to apply to the Deployment or DaemonSet
   182    ##
   183    updateStrategy: {}
   184    #  rollingUpdate:
   185    #    maxUnavailable: 1
   186    #  type: RollingUpdate
   187  
   188    # -- `minReadySeconds` to avoid killing pods before we are ready
   189    ##
   190    minReadySeconds: 0
   191    # -- Node tolerations for server scheduling to nodes with taints
   192    ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
   193    ##
   194    tolerations: []
   195    #  - key: "key"
   196    #    operator: "Equal|Exists"
   197    #    value: "value"
   198    #    effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
   199  
   200    # -- Affinity and anti-affinity rules for server scheduling to nodes
   201    ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
   202    ##
   203    affinity: {}
   204    # # An example of preferred pod anti-affinity, weight is in the range 1-100
   205    # podAntiAffinity:
   206    #   preferredDuringSchedulingIgnoredDuringExecution:
   207    #   - weight: 100
   208    #     podAffinityTerm:
   209    #       labelSelector:
   210    #         matchExpressions:
   211    #         - key: app.kubernetes.io/name
   212    #           operator: In
   213    #           values:
   214    #           - ingress-nginx
   215    #         - key: app.kubernetes.io/instance
   216    #           operator: In
   217    #           values:
   218    #           - ingress-nginx
   219    #         - key: app.kubernetes.io/component
   220    #           operator: In
   221    #           values:
   222    #           - controller
   223    #       topologyKey: kubernetes.io/hostname
   224  
   225    # # An example of required pod anti-affinity
   226    # podAntiAffinity:
   227    #   requiredDuringSchedulingIgnoredDuringExecution:
   228    #   - labelSelector:
   229    #       matchExpressions:
   230    #       - key: app.kubernetes.io/name
   231    #         operator: In
   232    #         values:
   233    #         - ingress-nginx
   234    #       - key: app.kubernetes.io/instance
   235    #         operator: In
   236    #         values:
   237    #         - ingress-nginx
   238    #       - key: app.kubernetes.io/component
   239    #         operator: In
   240    #         values:
   241    #         - controller
   242    #     topologyKey: "kubernetes.io/hostname"
   243  
   244    # -- Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in.
   245    ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
   246    ##
   247    topologySpreadConstraints: []
   248    # - maxSkew: 1
   249    #   topologyKey: topology.kubernetes.io/zone
   250    #   whenUnsatisfiable: DoNotSchedule
   251    #   labelSelector:
   252    #     matchLabels:
   253    #       app.kubernetes.io/instance: ingress-nginx-internal
   254  
   255    # -- `terminationGracePeriodSeconds` to avoid killing pods before we are ready
   256    ## wait up to five minutes for the drain of connections
   257    ##
   258    terminationGracePeriodSeconds: 300
   259    # -- Node labels for controller pod assignment
   260    ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
   261    ##
   262    nodeSelector:
   263      kubernetes.io/os: linux
   264    ## Liveness and readiness probe values
   265    ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
   266    ##
   267    ## startupProbe:
   268    ##   httpGet:
   269    ##     # should match container.healthCheckPath
   270    ##     path: "/healthz"
   271    ##     port: 10254
   272    ##     scheme: HTTP
   273    ##   initialDelaySeconds: 5
   274    ##   periodSeconds: 5
   275    ##   timeoutSeconds: 2
   276    ##   successThreshold: 1
   277    ##   failureThreshold: 5
   278    livenessProbe:
   279      httpGet:
   280        # should match container.healthCheckPath
   281        path: "/healthz"
   282        port: 10254
   283        scheme: HTTP
   284      initialDelaySeconds: 10
   285      periodSeconds: 10
   286      timeoutSeconds: 1
   287      successThreshold: 1
   288      failureThreshold: 5
   289    readinessProbe:
   290      httpGet:
   291        # should match container.healthCheckPath
   292        path: "/healthz"
   293        port: 10254
   294        scheme: HTTP
   295      initialDelaySeconds: 10
   296      periodSeconds: 10
   297      timeoutSeconds: 1
   298      successThreshold: 1
   299      failureThreshold: 3
   300    # -- Path of the health check endpoint. All requests received on the port defined by
   301    # the healthz-port parameter are forwarded internally to this path.
   302    healthCheckPath: "/healthz"
   303    # -- Address to bind the health check endpoint.
   304    # It is better to set this option to the internal node address
   305    # if the ingress nginx controller is running in the `hostNetwork: true` mode.
   306    healthCheckHost: ""
   307    # -- Annotations to be added to controller pods
   308    ##
   309    podAnnotations: {}
   310    replicaCount: 1
   311    # -- Define either 'minAvailable' or 'maxUnavailable', never both.
   312    minAvailable: 1
   313    # -- Define either 'minAvailable' or 'maxUnavailable', never both.
   314    # maxUnavailable: 1
   315  
   316    ## Define requests resources to avoid probe issues due to CPU utilization in busy nodes
   317    ## ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903
   318    ## Ideally, there should be no limits.
   319    ## https://engineering.indeedblog.com/blog/2019/12/cpu-throttling-regression-fix/
   320    resources:
   321      ##  limits:
   322      ##    cpu: 100m
   323      ##    memory: 90Mi
   324      requests:
   325        cpu: 100m
   326        memory: 90Mi
   327    # Mutually exclusive with keda autoscaling
   328    autoscaling:
   329      apiVersion: autoscaling/v2
   330      enabled: false
   331      annotations: {}
   332      minReplicas: 1
   333      maxReplicas: 11
   334      targetCPUUtilizationPercentage: 50
   335      targetMemoryUtilizationPercentage: 50
   336      behavior: {}
   337      # scaleDown:
   338      #   stabilizationWindowSeconds: 300
   339      #   policies:
   340      #   - type: Pods
   341      #     value: 1
   342      #     periodSeconds: 180
   343      # scaleUp:
   344      #   stabilizationWindowSeconds: 300
   345      #   policies:
   346      #   - type: Pods
   347      #     value: 2
   348      #     periodSeconds: 60
   349    autoscalingTemplate: []
   350    # Custom or additional autoscaling metrics
   351    # ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics
   352    # - type: Pods
   353    #   pods:
   354    #     metric:
   355    #       name: nginx_ingress_controller_nginx_process_requests_total
   356    #     target:
   357    #       type: AverageValue
   358    #       averageValue: 10000m
   359  
   360    # Mutually exclusive with hpa autoscaling
   361    keda:
   362      apiVersion: "keda.sh/v1alpha1"
   363      ## apiVersion changes with keda 1.x vs 2.x
   364      ## 2.x = keda.sh/v1alpha1
   365      ## 1.x = keda.k8s.io/v1alpha1
   366      enabled: false
   367      minReplicas: 1
   368      maxReplicas: 11
   369      pollingInterval: 30
   370      cooldownPeriod: 300
   371      restoreToOriginalReplicaCount: false
   372      scaledObject:
   373        annotations: {}
   374        # Custom annotations for ScaledObject resource
   375        #  annotations:
   376        # key: value
   377      triggers: []
   378      # - type: prometheus
   379      #   metadata:
   380      #     serverAddress: http://<prometheus-host>:9090
   381      #     metricName: http_requests_total
   382      #     threshold: '100'
   383      #     query: sum(rate(http_requests_total{deployment="my-deployment"}[2m]))
   384  
   385      behavior: {}
   386      # scaleDown:
   387      #   stabilizationWindowSeconds: 300
   388      #   policies:
   389      #   - type: Pods
   390      #     value: 1
   391      #     periodSeconds: 180
   392      # scaleUp:
   393      #   stabilizationWindowSeconds: 300
   394      #   policies:
   395      #   - type: Pods
   396      #     value: 2
   397      #     periodSeconds: 60
   398    # -- Enable mimalloc as a drop-in replacement for malloc.
   399    ## ref: https://github.com/microsoft/mimalloc
   400    ##
   401    enableMimalloc: true
   402    ## Override NGINX template
   403    customTemplate:
   404      configMapName: ""
   405      configMapKey: ""
   406    service:
   407      enabled: true
   408      # -- If enabled, adds an appProtocol option to the Kubernetes service. The appProtocol field replaces annotations that were
   409      # used for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
   410      # It allows choosing the protocol for each backend specified in the Kubernetes service.
   411      # See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244
   412      # Will be ignored for Kubernetes versions older than 1.20
   413      ##
   414      appProtocol: true
   415      annotations: {}
   416      labels: {}
   417      # clusterIP: ""
   418  
   419      # -- List of IP addresses at which the controller services are available
   420      ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
   421      ##
   422      externalIPs: []
   423      # -- Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
   424      loadBalancerIP: ""
   425      loadBalancerSourceRanges: []  # empty list: no source-CIDR restriction on the LoadBalancer; list allowed CIDRs here where the cloud provider supports it
   426      enableHttp: true
   427      enableHttps: true
   428      ## Set external traffic policy to: "Local" to preserve source IP on providers supporting it.
   429      ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer
   430      # externalTrafficPolicy: ""
   431  
   432      ## Must be either "None" or "ClientIP" if set. Kubernetes will default to "None".
   433      ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
   434      # sessionAffinity: ""
   435  
   436      ## Specifies the health check node port (numeric port number) for the service. If healthCheckNodePort isn’t specified,
   437      ## the service controller allocates a port from your cluster’s NodePort range.
   438      ## Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
   439      # healthCheckNodePort: 0
   440  
   441      # -- Represents the dual-stack-ness requested or required by this Service. Possible values are
   442      # SingleStack, PreferDualStack or RequireDualStack.
   443      # The ipFamilies and clusterIPs fields depend on the value of this field.
   444      ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/
   445      ipFamilyPolicy: "SingleStack"
   446      # -- List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically
   447      # based on cluster configuration and the ipFamilyPolicy field.
   448      ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/
   449      ipFamilies:
   450        - IPv4
   451      ports:
   452        http: 80
   453        https: 443
   454      targetPorts:
   455        http: http
   456        https: https
   457      type: LoadBalancer
   458      ## type: NodePort
   459      ## nodePorts:
   460      ##   http: 32080
   461      ##   https: 32443
   462      ##   tcp:
   463      ##     8080: 32808
   464      nodePorts:
   465        http: ""
   466        https: ""
   467        tcp: {}
   468        udp: {}
   469      external:
   470        enabled: true
   471      internal:
   472        # -- Enables an additional internal load balancer (besides the external one).
   473        enabled: false
   474        # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service.
   475        annotations: {}
   476        # loadBalancerIP: ""
   477  
   478        # -- Restrict access to the LoadBalancer service by source CIDR. Defaults to 0.0.0.0/0, i.e. any source address.
   479        loadBalancerSourceRanges: []
   480        ## Set external traffic policy to: "Local" to preserve source IP on
   481        ## providers supporting it
   482        ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer
   483        # externalTrafficPolicy: ""
   484  
   485        # -- Custom port mapping for internal service
   486        ports: {}
   487        #  http: 80
   488        #  https: 443
   489  
   490        # -- Custom target port mapping for internal service
   491        targetPorts: {}
   492        #  http: http
   493        #  https: https
   494    # shareProcessNamespace enables process namespace sharing within the pod.
   495    # This can be used for example to signal log rotation using `kill -USR1` from a sidecar.
   496    shareProcessNamespace: false
   497    # -- Additional containers to be added to the controller pod.
   498    # See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example.
   499    extraContainers: []
   500    #  - name: my-sidecar
   501    #    image: nginx:latest
   502    #  - name: lemonldap-ng-controller
   503    #    image: lemonldapng/lemonldap-ng-controller:0.2.0
   504    #    args:
   505    #      - /lemonldap-ng-controller
   506    #      - --alsologtostderr
   507    #      - --configmap=$(POD_NAMESPACE)/lemonldap-ng-configuration
   508    #    env:
   509    #      - name: POD_NAME
   510    #        valueFrom:
   511    #          fieldRef:
   512    #            fieldPath: metadata.name
   513    #      - name: POD_NAMESPACE
   514    #        valueFrom:
   515    #          fieldRef:
   516    #            fieldPath: metadata.namespace
   517    #    volumeMounts:
   518    #    - name: copy-portal-skins
   519    #      mountPath: /srv/var/lib/lemonldap-ng/portal/skins
   520  
   521    # -- Additional volumeMounts to the controller main container.
   522    extraVolumeMounts: []
   523    #  - name: copy-portal-skins
   524    #   mountPath: /var/lib/lemonldap-ng/portal/skins
   525  
   526    # -- Additional volumes to the controller pod.
   527    extraVolumes: []
   528    #  - name: copy-portal-skins
   529    #    emptyDir: {}
   530  
   531    # -- Containers, which are run before the app containers are started.
   532    extraInitContainers: []
   533    # - name: init-myservice
   534    #   image: busybox
   535    #   command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;']
   536  
   537    # -- Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module
   538    extraModules: []
   539    # - name: mytestmodule
   540    #   image: registry.k8s.io/ingress-nginx/mytestmodule
   541    #   containerSecurityContext:
   542    #     allowPrivilegeEscalation: false
   543    #
   544    # The image must contain a `/usr/local/bin/init_module.sh` executable, which
   545    # will be executed as initContainers, to move its config files within the
   546    # mounted volume.
   547  
   548    opentelemetry:
   549      enabled: false
   550      image: registry.k8s.io/ingress-nginx/opentelemetry:v20230312-helm-chart-4.5.2-28-g66a760794@sha256:40f766ac4a9832f36f217bb0e98d44c8d38faeccbfe861fbc1a76af7e9ab257f
   551      containerSecurityContext:
   552        allowPrivilegeEscalation: false
   553    admissionWebhooks:
   554      annotations: {}
   555      # ignore-check.kube-linter.io/no-read-only-rootfs: "This deployment needs write access to root filesystem".
   556  
   557      ## `annotations` (above): additional annotations for the admission webhooks.
   558      ## These annotations will be added to the ValidatingWebhookConfiguration and
   559      ## the Jobs Spec of the admission webhooks.
   560      enabled: true
   561      # -- Additional environment variables to set
   562      extraEnvs: []
   563      # extraEnvs:
   564      #   - name: FOO
   565      #     valueFrom:
   566      #       secretKeyRef:
   567      #         key: FOO
   568      #         name: secret-resource
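   569      # -- Admission Webhook failure policy to use. Fail rejects the request when the webhook cannot be reached; Ignore would admit it without validation.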
   570      failurePolicy: Fail
   571      # timeoutSeconds: 10
   572      port: 8443
   573      certificate: "/usr/local/certificates/cert"
   574      key: "/usr/local/certificates/key"
   575      namespaceSelector: {}
   576      objectSelector: {}
   577      # -- Labels to be added to admission webhooks
   578      labels: {}
   579      # -- Use an existing PSP instead of creating one
   580      existingPsp: ""
   581      networkPolicyEnabled: false
   582      service:
   583        annotations: {}
   584        # clusterIP: ""
   585        externalIPs: []
   586        # loadBalancerIP: ""
   587        loadBalancerSourceRanges: []
   588        servicePort: 443
   589        type: ClusterIP
   590      createSecretJob:
   591        securityContext:
   592          allowPrivilegeEscalation: false
   593        resources: {}
   594        # limits:
   595        #   cpu: 10m
   596        #   memory: 20Mi
   597        # requests:
   598        #   cpu: 10m
   599        #   memory: 20Mi
   600      patchWebhookJob:
   601        securityContext:
   602          allowPrivilegeEscalation: false
   603        resources: {}
   604      patch:
   605        enabled: true
   606        image:
   607          registry: registry.k8s.io
   608          image: ingress-nginx/kube-webhook-certgen
   609          ## for backwards compatibility consider setting the full image url via the repository value below
   610          ## use *either* the current default registry/image format *or* the repository format, otherwise installing the chart by providing the values.yaml will fail
   611          ## repository:
   612          tag: v20230312-helm-chart-4.5.2-28-g66a760794
   613          digest: sha256:01d181618f270f2a96c04006f33b2699ad3ccb02da48d0f89b22abce084b292f
   614          pullPolicy: IfNotPresent
   615        # -- Provide a priority class name to the webhook patching job
   616        ##
   617        priorityClassName: ""
   618        podAnnotations: {}
   619        nodeSelector:
   620          kubernetes.io/os: linux
   621        tolerations: []
   622        # -- Labels to be added to patch job resources
   623        labels: {}
   624        securityContext:
   625          runAsNonRoot: true
   626          runAsUser: 2000
   627          fsGroup: 2000
   628      # Use certmanager to generate webhook certs
   629      certManager:
   630        enabled: false
   631        # self-signed root certificate
   632        rootCert:
   633          # default to be 5y
   634          duration: ""
   635        admissionCert:
   636          # default to be 1y
   637          duration: ""
   638          # issuerRef:
   639          #   name: "issuer"
   640          #   kind: "ClusterIssuer"
   641    metrics:
   642      port: 10254
   643      portName: metrics
   644      # if this port is changed, change healthz-port: in extraArgs: accordingly
   645      enabled: false
   646      service:
   647        annotations: {}
   648        # prometheus.io/scrape: "true"
   649        # prometheus.io/port: "10254"
   650        # -- Labels to be added to the metrics service resource
   651        labels: {}
   652        # clusterIP: ""
   653  
   654        # -- List of IP addresses at which the stats-exporter service is available
   655        ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
   656        ##
   657        externalIPs: []
   658        # loadBalancerIP: ""
   659        loadBalancerSourceRanges: []
   660        servicePort: 10254
   661        type: ClusterIP
   662        # externalTrafficPolicy: ""
   663        # nodePort: ""
   664      serviceMonitor:
   665        enabled: false
   666        additionalLabels: {}
   667        ## The label to use to retrieve the job name from.
   668        ## jobLabel: "app.kubernetes.io/name"
   669        namespace: ""
   670        namespaceSelector: {}
   671        ## Default: scrape .Release.Namespace only
   672        ## To scrape all, use the following:
   673        ## namespaceSelector:
   674        ##   any: true
   675        scrapeInterval: 30s
   676        # honorLabels: true
   677        targetLabels: []
   678        relabelings: []
   679        metricRelabelings: []
   680      prometheusRule:
   681        enabled: false
   682        additionalLabels: {}
   683        # namespace: ""
   684        rules: []
   685        # # These are just examples rules, please adapt them to your needs
   686        # - alert: NGINXConfigFailed
   687        #   expr: count(nginx_ingress_controller_config_last_reload_successful == 0) > 0
   688        #   for: 1s
   689        #   labels:
   690        #     severity: critical
   691        #   annotations:
   692        #     description: bad ingress config - nginx config test failed
   693        #     summary: uninstall the latest ingress changes to allow config reloads to resume
   694        # - alert: NGINXCertificateExpiry
   695        #   expr: (avg(nginx_ingress_controller_ssl_expire_time_seconds) by (host) - time()) < 604800
   696        #   for: 1s
   697        #   labels:
   698        #     severity: critical
   699        #   annotations:
   700        #     description: ssl certificate(s) will expire in less than a week
   701        #     summary: renew expiring certificates to avoid downtime
   702        # - alert: NGINXTooMany500s
   703        #   expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"5.+"} ) / sum(nginx_ingress_controller_requests) ) > 5
   704        #   for: 1m
   705        #   labels:
   706        #     severity: warning
   707        #   annotations:
   708        #     description: Too many 5XXs
   709        #     summary: More than 5% of all requests returned 5XX, this requires your attention
   710        # - alert: NGINXTooMany400s
   711        #   expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"4.+"} ) / sum(nginx_ingress_controller_requests) ) > 5
   712        #   for: 1m
   713        #   labels:
   714        #     severity: warning
   715        #   annotations:
   716        #     description: Too many 4XXs
   717        #     summary: More than 5% of all requests returned 4XX, this requires your attention
   718    # -- Improve connection draining when ingress controller pod is deleted using a lifecycle hook:
   719    # With this new hook, we increased the default terminationGracePeriodSeconds from 30 seconds
   720    # to 300, allowing the draining of connections up to five minutes.
   721    # If the active connections end before that, the pod will terminate gracefully at that time.
   722    # To take full advantage of this feature, the ConfigMap option
   723    # worker-shutdown-timeout now has the value 240s instead of 10s.
   724    ##
   725    lifecycle:
            # preStop hook: the command below is executed in the container before it is stopped.
   726      preStop:
   727        exec:
   728          command:
   729            - /wait-shutdown
          # NOTE(review): an empty string presumably leaves the pod's priority class unset; confirm in the templates.
   730    priorityClassName: ""
   731  # -- Rollback limit: how many old revisions are kept so that a rollback remains possible
   732  ##
   733  revisionHistoryLimit: 10
   734  ## Default 404 backend
        ## Disabled by default (enabled: false below).
   735  ##
   736  defaultBackend:
   737    ##
   738    enabled: false
   739    name: defaultbackend
   740    image:
   741      registry: registry.k8s.io
   742      image: defaultbackend-amd64
   743      ## for backwards compatibility consider setting the full image url via the repository value below
   744      ## use *either* the default registry/image format or the repository format, otherwise installing the chart with this values.yaml will fail
   745      ## repository:
            ## NOTE(review): only a tag is given for this image, with no digest, so the reference is mutable.
            ## Confirm whether the chart templates accept a digest here before relying on the tag alone.
   746      tag: "1.5"
   747      pullPolicy: IfNotPresent
   748      # nobody user -> uid 65534
   749      runAsUser: 65534
            # Hardened defaults: non-root user, read-only root filesystem, no privilege escalation, not privileged.
   750      runAsNonRoot: true
   751      readOnlyRootFilesystem: true
   752      allowPrivilegeEscalation: false
   753      privileged: false
   754  
   755    # -- Use an existing PSP instead of creating one
   756    existingPsp: ""
   757    extraArgs: {}
   758    serviceAccount:
   759      create: true
   760      name: ""
            # NOTE(review): true mounts the service account token into the default backend pods.
            # If the backend makes no Kubernetes API calls, false would reduce exposure; confirm before changing.
   761      automountServiceAccountToken: true
   762    # -- Additional environment variables to set for defaultBackend pods
   763    extraEnvs: []
   764    port: 8080
   765    ## Readiness and liveness probes for default backend
   766    ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
   767    ##
   768    livenessProbe:
   769      failureThreshold: 3
   770      initialDelaySeconds: 30
   771      periodSeconds: 10
   772      successThreshold: 1
   773      timeoutSeconds: 5
   774    readinessProbe:
   775      failureThreshold: 6
   776      initialDelaySeconds: 0
   777      periodSeconds: 5
   778      successThreshold: 1
   779      timeoutSeconds: 5
   780    # -- The update strategy to apply to the Deployment or DaemonSet
   781    ##
   782    updateStrategy: {}
   783    #  rollingUpdate:
   784    #    maxUnavailable: 1
   785    #  type: RollingUpdate
   786  
   787    # -- `minReadySeconds` to avoid killing pods before we are ready
   788    ##
   789    minReadySeconds: 0
   790    # -- Node tolerations for server scheduling to nodes with taints
   791    ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
   792    ##
   793    tolerations: []
   794    #  - key: "key"
   795    #    operator: "Equal|Exists"
   796    #    value: "value"
   797    #    effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
   798  
   799    affinity: {}
   800    # -- Security Context policies for default backend pods
   801    # See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for
   802    # notes on enabling and using sysctls
   803    ##
   804    podSecurityContext: {}
   805    # -- Security Context policies for the default backend main container.
   806    # See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for
   807    # notes on enabling and using sysctls
          # NOTE(review): empty here; the runAsUser/readOnlyRootFilesystem values under image above
          # presumably supply the container defaults. Confirm in the templates.
   808    ##
   809    containerSecurityContext: {}
   810    # -- Labels to add to the pod container metadata
   811    podLabels: {}
   812    #  key: value
   813  
   814    # -- Node labels for default backend pod assignment
   815    ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
   816    ##
   817    nodeSelector:
   818      kubernetes.io/os: linux
   819    # -- Annotations to be added to default backend pods
   820    ##
   821    podAnnotations: {}
   822    replicaCount: 1
   823    minAvailable: 1
          # No CPU/memory requests or limits are set by default; the commented values below are an example.
   824    resources: {}
   825    # limits:
   826    #   cpu: 10m
   827    #   memory: 20Mi
   828    # requests:
   829    #   cpu: 10m
   830    #   memory: 20Mi
   831  
   832    extraVolumeMounts: []
   833    ## Additional volumeMounts to the default backend container.
   834    #  - name: copy-portal-skins
   835    #    mountPath: /var/lib/lemonldap-ng/portal/skins
   836  
   837    extraVolumes: []
   838    ## Additional volumes to the default backend pod.
   839    #  - name: copy-portal-skins
   840    #    emptyDir: {}
   841  
          # Horizontal autoscaling settings for the default backend; disabled by default.
   842    autoscaling:
   843      apiVersion: autoscaling/v2
   844      annotations: {}
   845      enabled: false
   846      minReplicas: 1
   847      maxReplicas: 2
   848      targetCPUUtilizationPercentage: 50
   849      targetMemoryUtilizationPercentage: 50
   850    service:
   851      annotations: {}
   852      # clusterIP: ""
   853  
   854      # -- List of IP addresses at which the default backend service is available
   855      ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
   856      ##
   857      externalIPs: []
   858      # loadBalancerIP: ""
   859      loadBalancerSourceRanges: []
   860      servicePort: 80
            # ClusterIP gives the service a cluster-internal address only.
   861      type: ClusterIP
   862    priorityClassName: ""
   863    # -- Labels to be added to the default backend resources
   864    labels: {}
   865  ## Enable RBAC as per https://github.com/kubernetes/ingress-nginx/blob/main/docs/deploy/rbac.md and https://github.com/kubernetes/ingress-nginx/issues/266
   866  rbac:
          # create: true asks the chart to create the RBAC resources.
   867    create: true
          # NOTE(review): scope presumably selects between cluster-wide and namespace-scoped roles.
          # With false the controller's permissions are likely cluster-wide; confirm in the templates.
   868    scope: false
   869  ## If true, create & use Pod Security Policy resources
   870  ## https://kubernetes.io/docs/concepts/policy/pod-security-policy/
        ## PodSecurityPolicy was deprecated in Kubernetes v1.21 and removed in v1.25. On clusters at or
        ## above v1.25 keep this disabled and enforce pod restrictions with Pod Security Admission or a
        ## policy engine instead.
   871  podSecurityPolicy:
   872    enabled: false
        ## Service account settings; the annotations comment below refers to it as the controller service account.
   873  serviceAccount:
   874    create: true
   875    name: ""
          # true mounts the service account token into the pods. An ingress controller normally needs it
          # to watch the Kubernetes API, so the permissions granted through RBAC decide what the token can do.
   876    automountServiceAccountToken: true
   877    # -- Annotations for the controller service account
   878    annotations: {}
   879  # -- Optional array of imagePullSecrets containing private registry credentials
   880  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
        ## Each entry names a Secret (see the example below); the registry credentials themselves
        ## are not written into this file.
   881  imagePullSecrets: []
   882  # - name: secretName
   883  
   884  # -- TCP service key-value pairs
   885  ## Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md
        ## Format, per the example below: <exposed port>: "<namespace>/<service>:<service port>"
        ## Each entry publishes the named service through the ingress controller, so review entries
        ## for services that are not meant to be reachable from outside the cluster.
   886  ##
   887  tcp: {}
   888  #  8080: "default/example-tcp-svc:9000"
   889  
   890  # -- UDP service key-value pairs
   891  ## Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md
        ## Format, per the example below: <exposed port>: "<namespace>/<service>:<service port>"
        ## Each entry publishes the named service through the ingress controller, so review entries
        ## for services that are not meant to be reachable from outside the cluster.
   892  ##
   893  udp: {}
   894  #  53: "kube-system/kube-dns:53"
   895  
   896  # -- Prefix for TCP and UDP port names in the ingress controller service
   897  ## Some cloud providers, like Yandex Cloud, may have requirements for a port name regex to support cloud load balancer integration
   898  portNamePrefix: ""
   899  # -- (string) A base64-encoded Diffie-Hellman parameter.
   900  # This can be generated with: `openssl dhparam 4096 2> /dev/null | base64`
        # DH parameters are public values, not key material; they are used for finite-field DHE cipher suites.
   901  ## Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param
   902  dhParam: ""