2# Licensed to the Apache Software Foundation (ASF) under one or more
3# contributor license agreements. See the NOTICE file distributed with
4# this work for additional information regarding copyright ownership.
5# The ASF licenses this file to You under the Apache License, Version 2.0
6# (the "License"); you may not use this file except in compliance with
7# the License. You may obtain a copy of the License at
9# http://www.apache.org/licenses/LICENSE-2.0
11# Unless required by applicable law or agreed to in writing, software
12# distributed under the License is distributed on an "AS IS" BASIS,
13# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14# See the License for the specific language governing permissions and
15# limitations under the License.
20 # - my-registry-secrets
21 # - other-registry-secrets
22 # -- Global Docker registry secret names as an array
25 # -- Apache APISIX image repository
26 repository: cgr.dev/chainguard-private/apache-apisix
27 # -- Apache APISIX image pull policy
28 pullPolicy: IfNotPresent
29 # -- Apache APISIX image tag
30 # Overrides the image tag whose default is the chart appVersion.
31 tag: latest@sha256:93eedc59391acb29ed4b4b505f1ee3c5e1ceb3b7907d6c7c796cb54814432f60
32# -- set false to use `Deployment`, set true to use `DaemonSet`
34# -- if useDaemonSet is true or autoscaling.enabled is true, replicaCount not become effective
36# -- Set [priorityClassName](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#pod-priority) for Apache APISIX pods
38# -- Annotations to add to each pod
40# -- Set the securityContext for Apache APISIX pods
43# -- Set the securityContext for Apache APISIX container
48# readOnlyRootFilesystem: true
52# -- See https://kubernetes.io/docs/tasks/run-application/configure-pdb/ for more details
54 # -- Enable or disable podDisruptionBudget
56 # -- Set the `minAvailable` of podDisruptionBudget. You can specify only one of `maxUnavailable` and `minAvailable` in a single PodDisruptionBudget.
57 # See [Specifying a Disruption Budget for your Application](https://kubernetes.io/docs/tasks/run-application/configure-pdb/#specifying-a-poddisruptionbudget)
60 # -- Set the maxUnavailable of podDisruptionBudget
62# -- Set pod resource requests & limits
64# We usually recommend not to specify default resources and to leave this as a conscious
65# choice for the user. This also increases chances charts run on environments with little
66# resources, such as Minikube. If you do want to specify resources, uncomment the following
67# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
75# -- Use the host's network namespace
77# -- Node labels for Apache APISIX pod assignment
79# -- List of node taints to tolerate
81# -- Set affinity for Apache APISIX deploy
83# -- Topology Spread Constraints for pod assignment spread across your cluster among failure-domains
84# ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
85topologySpreadConstraints: []
86# -- timezone is the timezone where apisix uses.
87# For example: "UTC" or "Asia/Shanghai"
88# This value will be set on apisix container's environment variable TZ.
89# You may need to set the timezone to be consistent with your local time zone,
90# otherwise the apisix's logs may used to retrieve event maybe in wrong timezone.
92# -- extraEnvVars An array to add extra env vars
103# -- Update strategy of the workload (Deployment or DaemonSet), e.g. `type: RollingUpdate`
107# -- Additional Kubernetes resources to deploy with the release.
109# -- Additional `volume`, See [Kubernetes Volumes](https://kubernetes.io/docs/concepts/storage/volumes/) for the detail.
114# -- Additional `volumeMounts` for the APISIX container, See [Kubernetes Volumes](https://kubernetes.io/docs/concepts/storage/volumes/) for the detail.
117# mountPath: /usr/share/extras
120# -- Additional `initContainers`, See [Kubernetes initContainers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) for the detail.
121extraInitContainers: []
122# - name: init-myservice
124# command: ['sh', '-c', "until nslookup myservice.$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace).svc.cluster.local; do echo waiting for myservice; sleep 2; done"]
126# -- Additional `containers`, See [Kubernetes containers](https://kubernetes.io/docs/concepts/containers/) for the detail.
129 # -- Init container image
130 image: cgr.dev/chainguard-private/netcat
131 # -- Init container tag
132 tag: latest@sha256:ab3c0c2cba71296203c82798f45d8bd3f58d18effd0b38cf4dc6df8e64d4dedf
134 # -- Enable HorizontalPodAutoscaler for APISIX (only when useDaemonSet is false)
136 # -- HPA version, the value is "v2" or "v2beta1", default "v2"
138 # -- Minimum number of APISIX replicas
140 # -- Maximum number of APISIX replicas
142 # -- Target average CPU utilization percentage that triggers scaling
143 targetCPUUtilizationPercentage: 80
144 # -- Target average memory utilization percentage that triggers scaling
145 targetMemoryUtilizationPercentage: 80
146# -- String to partially override the chart fullname
148# -- String to fully override the chart fullname
151 # -- Whether a ServiceAccount should be created for the APISIX pods
153 # -- Annotations to add to the ServiceAccount
155 # -- Name of the ServiceAccount to use. If not set and create is true, a name is generated from the chart fullname
158 # -- Whether RBAC resources (ClusterRole and ClusterRoleBinding) should be created
161 # -- Apache APISIX service type for user access itself
163 # -- Setting how the Service route external traffic.
164 # If you want to keep the client source IP, you can set this to Local,
165 # ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
166 externalTrafficPolicy: Cluster
169 # service.beta.kubernetes.io/aws-load-balancer-type: nlb
170 # -- IPs for which nodes in the cluster will also accept traffic for the service
172 # -- Apache APISIX service settings for http
174 # -- Enable plain HTTP listeners
176 # -- Kubernetes service port for HTTP traffic
178 # -- Container port APISIX listens on for HTTP traffic
180 # -- Support multiple http ports, See [Configuration](https://github.com/apache/apisix/blob/0bc65ea9acd726f79f80ae0abd8f50b7eb172e3d/conf/config-default.yaml#L24)
181 additionalContainerPorts: []
183 # enable_http2: true # If not set, the default value is `false`.
184 # - ip: 127.0.0.2 # Specific IP, If not set, the default value is `0.0.0.0`.
187 # -- Apache APISIX service settings for tls
189 # -- Kubernetes service port for HTTPS traffic
192 # -- Apache APISIX service settings for stream. L4 proxy (TCP/UDP)
194 # -- Enable the stream (L4 proxy) subsystem
196 # -- TCP proxy port list, element format: port number, or a map with `addr` and optional `tls`
198 # -- UDP proxy port list
200 # - secretName: apisix-tls
202 # - chart-example.local
203 # -- Override default labels assigned to Apache APISIX gateway resources
206 # app.kubernetes.io/name: "{{ .Release.Name }}"
207 # app.kubernetes.io/instance: '{{ include "apisix.name" . }}'
208# -- Using ingress access Apache APISIX service
210 # -- Enable an Ingress resource in front of the APISIX service
212 # -- (number) Service port to send traffic. Defaults to `service.http.servicePort`.
214 # -- Ingress annotations
216 # kubernetes.io/ingress.class: nginx
217 # kubernetes.io/tls-acme: "true"
218 # -- Ingress host and path rules
222 # -- Ingress TLS settings
225 # -- Enable Control API
228 # -- Control annotations
230 # -- Control service type
232 # loadBalancerIP: a.b.c.d
233 # loadBalancerSourceRanges:
235 # -- IPs for which nodes in the cluster will also accept traffic for the servic
237 # -- NodePort (only if control.service.type is NodePort)
240 # -- which ip to listen on for Apache APISIX Control API
242 # -- which port to use for Apache APISIX Control API
244 # -- Service port to use for Apache APISIX Control API
246 # -- Using ingress access Apache APISIX Control service
248 # -- Enable an Ingress resource in front of the Control API service
250 # -- Ingress annotations
252 # kubernetes.io/ingress.class: nginx
253 # kubernetes.io/tls-acme: "true"
254 # -- Ingress Class Name
256 # -- Ingress host and path rules
258 - host: apisix-control.local
261 # -- Ingress TLS settings
263 # - secretName: apisix-tls
265 # - chart-example.local
266# -- Observability configuration.
269 # -- Enable or disable Apache APISIX serviceMonitor
271 # -- namespace where the serviceMonitor is deployed, by default, it is the same as the namespace of the apisix
273 # -- name of the serviceMonitor, by default, it is the same as the apisix fullname
275 # -- interval at which metrics should be scraped
277 # -- @param serviceMonitor.labels ServiceMonitor extra labels
279 # -- @param serviceMonitor.annotations ServiceMonitor annotations
282 # -- Enable nginx IPv6 resolver
284 # -- Enable HTTP/2 on the HTTP listeners
286 # -- Whether the APISIX version number should be shown in Server header
287 enableServerTokens: true
288 # -- When true, the upstream status is always written to the `X-APISIX-Upstream-Status` response header; when false, it is written only for 5xx responses
289 showUpstreamStatusInResponseHeader: false
290 # -- PROXY Protocol configuration.
292 # -- (int) The HTTP port that accepts the PROXY Protocol. It differs from `service.http` ports and `apisix.admin` port:
293 # this port only accepts HTTP requests carrying the PROXY Protocol, while the other ports only accept plain HTTP
294 # requests. If you enable the PROXY Protocol, you must use this port to receive HTTP requests with it.
295 # When set, the port is also exposed on the gateway Service.
297 # -- (int) The nodePort of the PROXY Protocol HTTP port, only used if service.type is NodePort.
298 # If not set, a random port will be assigned by Kubernetes.
300 # -- (int) The HTTPS port that accepts the PROXY Protocol.
301 # When set, the port is also exposed on the gateway Service.
303 # -- (int) The nodePort of the PROXY Protocol HTTPS port, only used if service.type is NodePort.
304 # If not set, a random port will be assigned by Kubernetes.
306 # -- Accept the PROXY Protocol on every service.stream.tcp port.
308 # -- Send the PROXY Protocol to the upstream server on every service.stream.tcp port.
309 enableTcpPPToUpstream: false
310 # -- Proxy caching configuration used by the proxy-cache plugin.
312 # -- The default caching time in disk if the upstream does not specify the cache time
314 # -- The parameters of a cache. The `memory_size` field stores the cache index for the
315 # disk strategy and the cache content for the memory strategy; `disk_size`, `disk_path`
316 # and `cache_levels` only apply to the disk strategy.
318 - name: disk_cache_one
321 disk_path: "/tmp/disk_cache_one"
326 # -- The maximum size in bytes of GraphQL queries APISIX parses when matching routes by GraphQL attributes (default 1MiB)
328 # -- Delete the '/' at the end of the URI
329 deleteURITailSlash: false
330 # -- The URI normalization in servlet is a little different from the RFC's.
331 # See https://github.com/jakartaee/servlet/blob/master/spec/src/main/asciidoc/servlet-spec-body.adoc#352-uri-path-canonicalization,
332 # which is used under Tomcat.
333 # Turn this option on if you want to be compatible with servlet when matching URI path.
334 normalizeURILikeServlet: false
335 # -- fine tune the parameters of LRU cache for some features like secret
338 # -- TTL in seconds for cached secret values
340 # -- Maximum number of cached secret values
342 # -- TTL in seconds for cached negative (failed lookup) results
344 # -- Maximum number of cached negative (failed lookup) results
346 # -- Enable comprehensive request lifecycle tracing (SSL/SNI, rewrite, access, header_filter, body_filter, and log).
347 # When disabled, OpenTelemetry collects only a single span per request.
349 # -- Use Pod metadata.uid as the APISIX id.
350 setIDFromPodUID: false
351 # -- Whether to add a custom lua module
353 # -- Enable loading a custom lua module hook
355 # -- extend lua_package_path to load third party code
357 # -- the hook module which will be used to inject third party code into APISIX
358 # use the lua require style like: "module.say_hello"
360 # -- configmap that stores the codes
362 # -- Name of the ConfigMap where the lua module codes store
364 # mounts decides how to mount the codes to the container.
366 # -- Name of the ConfigMap key, for setting the mapping relationship between ConfigMap key and the lua module code path.
368 # -- Filepath of the plugin code, for setting the mapping relationship between ConfigMap key and the lua module code path.
371 # -- Enable HTTPS listeners
373 # -- Container port APISIX listens on for HTTPS traffic
375 # -- Support multiple https ports, See [Configuration](https://github.com/apache/apisix/blob/0bc65ea9acd726f79f80ae0abd8f50b7eb172e3d/conf/config-default.yaml#L99)
376 additionalContainerPorts: []
377 # - ip: 127.0.0.3 # Specific IP, If not set, the default value is `0.0.0.0`.
380 # -- Specifies the name of Secret contains trusted CA certificates in the PEM format used to verify the certificate when APISIX needs to do SSL/TLS handshaking with external services (e.g. etcd)
382 # -- Filename be used in the apisix.ssl.existingCASecret
384 # -- Enable HTTP/3 (QUIC) on the HTTPS listeners
386 # -- TLS protocols allowed to use.
387 sslProtocols: "TLSv1.2 TLSv1.3"
388 # -- TLS ciphers allowed to use.
389 sslCiphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
390 # -- Enable or disable TLS session tickets. Disabled by default because session tickets
391 # defeat Perfect Forward Secrecy (see https://github.com/mozilla/server-side-tls/issues/135)
392 sslSessionTickets: false
393 # -- Define SNI to fallback if none is presented by client
396 # -- Defines how apisix handles routing:
397 # - radixtree_uri: match route by uri(base on radixtree)
398 # - radixtree_host_uri: match route by host + uri(base on radixtree)
399 # - radixtree_uri_with_parameter: match route by uri with parameters
400 http: radixtree_host_uri
402 # -- Enable full customized config.yaml
404 # -- If apisix.fullCustomConfig.enabled is true, full customized config.yaml.
405 # Please note that other settings about APISIX config will be ignored
408 # -- Apache APISIX deployment mode
409 # Optional: traditional, decoupled, standalone
411 # ref: https://apisix.apache.org/docs/apisix/deployment-modes/
414 # Optional: traditional, data_plane, control_plane
416 # ref: https://apisix.apache.org/docs/apisix/deployment-modes/
419 # -- Config provider for the traditional role. enum: etcd, yaml
420 config_provider: "etcd"
421 # -- Standalone rules configuration
423 # ref: https://apisix.apache.org/docs/apisix/deployment-modes/#standalone
425 # -- Rules which are set to the default apisix.yaml configmap.
426 # If apisix.delpoyment.standalone.existingConfigMap is empty, these are used.
435 # -- Specifies the name of the ConfigMap that contains the rule configurations.
436 # The configuration must be set to the key named `apisix.yaml` in the configmap.
437 existingConfigMap: ""
439 # -- Enable Admin API
441 # -- Enable Embedded Admin UI
442 enable_admin_ui: true
443 # -- admin service type
445 # loadBalancerIP: a.b.c.d
446 # loadBalancerSourceRanges:
448 # -- IPs for which nodes in the cluster will also accept traffic for the servic
450 # -- which ip to listen on for Apache APISIX admin API. Set to `"[::]"` when on IPv6 single stack
452 # -- which port to use for Apache APISIX admin API
454 # -- Service port to use for Apache APISIX admin API
456 # -- Admin API support CORS response headers
458 # -- Admin API credentials
460 # -- Apache APISIX admin API admin role credentials
461 admin: edd1c9f034335f136f87ad84b625c8f1
462 # -- Apache APISIX admin API viewer role credentials
463 viewer: 4054f7cf07e344346cd3f287985e76a2
464 # -- The APISIX Helm chart supports storing user credentials in a secret.
465 # The secret needs to contain two keys, admin and viewer, with their respective values set.
467 # -- Name of the admin role key in the secret, overrides the default key name "admin"
469 # -- Name of the viewer role key in the secret, overrides the default key name "viewer"
472 # -- The client IP CIDR allowed to access Apache APISIX Admin API service.
475 # -- Using ingress access Apache APISIX admin service
477 # -- Enable an Ingress resource in front of the Admin API service
479 # -- Ingress annotations
481 # kubernetes.io/ingress.class: nginx
482 # kubernetes.io/tls-acme: "true"
483 # -- Ingress host and path rules
485 - host: apisix-admin.local
488 # -- Ingress TLS settings
490 # - secretName: apisix-tls
492 # - chart-example.local
494 # -- The number of files a worker process can open, should be larger than apisix.nginx.workerConnections
495 workerRlimitNofile: "20480"
496 # -- The maximum number of connections that each worker process can open
497 workerConnections: "10620"
498 # -- The number of nginx worker processes. `auto` means the number of CPU cores
499 workerProcesses: auto
500 # -- Bind nginx worker processes to CPUs
501 enableCPUAffinity: true
502 # -- Timeout for a graceful shutdown of worker processes
503 workerShutdownTimeout: "240s"
504 # -- Maximum number of pending timers. Increase it if you see "too many pending timers" error
505 maxPendingTimers: 16384
506 # -- Maximum number of running timers. Increase it if you see "lua_max_running_timers are not enough" error
507 maxRunningTimers: 4096
508 # -- Timeout during which a keep-alive client connection will stay open on the server side.
509 keepaliveTimeout: 60s
510 # -- List of environment variable names allowed to be accessed within nginx (rendered as nginx `env` directives)
512 # -- Nginx HTTP subsystem configurations
514 # -- timeout for reading client request header, then 408 (Request Time-out) error is returned to the client
515 clientHeaderTimeout: "60s"
516 # -- timeout for reading client request body, then 408 (Request Time-out) error is returned to the client
517 clientBodyTimeout: "60s"
518 # -- timeout for transmitting a response to the client, then the connection is closed
520 # -- The maximum allowed size of the client request body.
521 # If exceeded, the 413 (Request Entity Too Large) error is returned to the client.
522 # Note that unlike Nginx, we don't limit the body size by default (0 means no limit).
524 # -- Enable the use of underscores in client request header fields
525 underscoresInHeaders: "on"
526 # -- The request header used to determine the client's real IP address,
527 # see [real_ip_header](http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header)
528 realIpHeader: "X-Real-IP"
529 # -- Whether to search for the real IP recursively when the header set in apisix.nginx.http.realIpHeader contains multiple addresses,
530 # see [real_ip_recursive](http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_recursive)
531 realIpRecursive: "off"
532 # -- Trusted addresses from which the real IP header is honored,
533 # see [set_real_ip_from](http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from)
537 # -- Enables or disables passing of the server name through TLS Server Name Indication extension (SNI, RFC 6066)
538 # when establishing a connection with the proxied HTTPS server
539 proxySslServerName: true
540 # -- Keepalive settings for connections from APISIX to upstream servers
542 # -- Maximum number of idle keepalive connections to upstream servers that are preserved in the cache of each worker process.
543 # When this number is exceeded, the least recently used connections are closed
545 # -- Maximum number of requests that can be served through one keepalive connection.
546 # After the maximum number of requests is made, the connection is closed
547 keepaliveRequests: 1000
548 # -- Timeout during which an idle keepalive connection to an upstream server will stay open
549 keepaliveTimeout: 60s
550 # -- The charset added to the "Content-Type" response header field,
551 # see [charset](http://nginx.org/en/docs/http/ngx_http_charset_module.html#charset)
553 # -- The maximum size of the nginx variables hash table
554 variablesHashMaxSize: 2048
555 # access log and error log configuration
557 # -- Enable access log or not, default true
558 enableAccessLog: true
560 accessLog: "/dev/stdout"
561 # -- Access log format
562 accessLogFormat: '$remote_addr - $remote_user [$time_local] $http_host \"$request\" $status $body_bytes_sent $request_time \"$http_referer\" \"$http_user_agent\" $upstream_addr $upstream_status $upstream_response_time \"$upstream_scheme://$upstream_host$upstream_uri\"'
563 # -- Allows setting json or default characters escaping in variables
564 accessLogFormatEscape: default
566 errorLog: "/dev/stderr"
568 errorLogLevel: "warn"
569 # -- Stream (L4 proxy) access log configuration
571 # -- Enable stream access log or not, default false
572 enableAccessLog: false
573 # -- Stream access log path
574 accessLog: "logs/access_stream.log"
575 # -- Stream access log format
576 accessLogFormat: '$remote_addr [$time_local] $protocol $status $bytes_sent $bytes_received $session_time'
577 # -- Allows setting json or default characters escaping in variables for stream
578 accessLogFormatEscape: default
579 # -- Custom nginx configuration snippets injected into the generated nginx.conf.
580 # As arbitrary configuration can be added here, it is your responsibility to make sure
581 # the snippets don't conflict with the configuration generated by APISIX.
582 configurationSnippet:
583 # -- Snippet added to the nginx `main` (top-level) block
585 # -- Snippet added to the beginning of the nginx `http` block
587 # -- Snippet added to the end of the nginx `http` block
589 # -- Snippet added to the nginx `server` block that proxies regular traffic
591 # -- Snippet added to the nginx `server` block that serves the Admin API
593 # -- Snippet added to the nginx `stream` block
595 # -- Add custom [lua_shared_dict](https://github.com/openresty/lua-nginx-module?tab=readme-ov-file#lua_shared_dict) settings,
596 # click [here](https://github.com/apache/apisix-helm-chart/blob/master/charts/apisix/values.yaml#L27-L30) to learn the format of a shared dict
597 customLuaSharedDicts: []
603 # -- Override default [lua_shared_dict](https://github.com/apache/apisix/blob/master/conf/config.yaml.example#L250-L276) settings,
604 # click [here](https://github.com/apache/apisix-helm-chart/blob/master/charts/apisix/values.yaml#L27-L30) to learn the format of a shared dict
606 # - name: prometheus-metrics
609 # -- Override default meta-level [lua_shared_dict](https://github.com/apache/apisix/blob/master/conf/config.yaml.example) settings,
610 # meta-level shared dicts are shared across both HTTP and stream subsystems.
611 # Since APISIX 3.16.0, `upstream-healthcheck` is a meta-level shared dict.
612 # click [here](https://github.com/apache/apisix-helm-chart/blob/master/charts/apisix/values.yaml#L27-L30) to learn the format of a shared dict
613 metaLuaSharedDicts: []
614 # - name: upstream-healthcheck
617 # -- Enable or disable Apache APISIX integration service discovery
619 # -- Service discovery registry. Refer to [configuration under discovery](https://github.com/apache/apisix/blob/master/conf/config.yaml.example#L307) for example.
620 # Also see [example of using external service discovery](https://apisix.apache.org/docs/ingress-controller/1.8.0/tutorials/external-service-discovery/).
622 # Integration service discovery registry. E.g eureka\dns\nacos\consul_kv
624 # https://apisix.apache.org/docs/apisix/discovery/#configuration-for-eureka
625 # https://apisix.apache.org/docs/apisix/discovery/dns/#service-discovery-via-dns
626 # https://apisix.apache.org/docs/apisix/discovery/consul_kv/#configuration-for-consul-kv
627 # https://apisix.apache.org/docs/apisix/discovery/nacos/#configuration-for-nacos
628 # https://apisix.apache.org/docs/apisix/discovery/kubernetes/#configuration
634 # - "http://${username}:${password}@${eureka_host1}:${eureka_port1}"
635 # - "http://${username}:${password}@${eureka_host2}:${eureka_port2}"
645 # the minimal Kubernetes example:
650 # The prerequisites for the above minimal Kubernetes example:
651 # 1. [Optional] Set `.serviceAccount.create` to `true` to create a dedicated ServiceAccount.
652 # It is recommended to do so, otherwise the default ServiceAccount "default" will be used.
653 # 2. [Required] Set `.rbac.create` to `true` to create and bind the necessary RBAC resources.
654 # This grants the ServiceAccount in use to List-Watch Kubernetes Endpoints resources.
655 # 3. [Required] Include the following environment variables in `.nginx.envs` to pass them into
656 # nginx worker processes (https://nginx.org/en/docs/ngx_core_module.html#env):
657 # - KUBERNETES_SERVICE_HOST
658 # - KUBERNETES_SERVICE_PORT
659 # This is for allowing the default `host` and `port` of `.discovery.registry.kubernetes.service`.
661 # -- Nameservers used by APISIX to resolve upstream domain names.
662 # When empty (default), nameservers are read from `/etc/resolv.conf`,
663 # which is usually what you want inside Kubernetes
667 # -- Override the TTL in seconds of valid DNS records
669 # -- DNS resolver timeout in seconds
671 # -- Honor the `search` option in `/etc/resolv.conf` when resolving domain names
672 enableResolvSearchOpt: true
674 # -- Enable or disable the vault integration
676 # -- The host address where the vault server is running.
678 # -- HTTP timeout for each request.
680 # -- The generated token from vault instance that can grant access to read data from the vault.
682 # -- Prefix allows you to better enforcement of policies.
685 # -- Enable Prometheus metrics. ref: https://apisix.apache.org/docs/apisix/plugins/prometheus/
687 # -- path of the metrics endpoint
688 path: /apisix/prometheus/metrics
689 # -- prefix of the metrics
690 metricPrefix: apisix_
691 # -- container port where the metrics are exposed
693 # -- Customize the list of APISIX plugins to enable. By default, APISIX's [default plugins](https://github.com/apache/apisix/blob/master/apisix/cli/config.lua#L196) are automatically used.
695 # -- Customize the list of APISIX stream_plugins to enable. By default, APISIX's [default stream_plugins](https://github.com/apache/apisix/blob/master/apisix/cli/config.lua#L294) are automatically used.
697 # -- Set APISIX plugin attributes. By default, APISIX's [plugin_attr](https://github.com/apache/apisix/blob/master/apisix/cli/config.lua#L295) are automatically used.
698 # See [configuration example](https://github.com/apache/apisix/blob/master/conf/config.yaml.example#L591).
701 # -- Enable External Plugins. See [external plugin](https://apisix.apache.org/docs/apisix/next/external-plugin/)
703 # -- the command and its arguements to run as a subprocess
704 cmd: ["/path/to/apisix-plugin-runner/runner", "run"]
706 # -- Enable Wasm Plugins. See [wasm plugin](https://apisix.apache.org/docs/apisix/next/wasm/)
708 # -- List of Wasm plugins, each item with `name`, `priority` and `file` (path or URL of the wasm binary)
710 # -- customPlugins allows you to mount your own HTTP plugins.
712 # -- Whether to configure some custom plugins
714 # -- the lua_path that tells APISIX where it can find plugins,
715 # note the last ';' is required.
716 luaPath: "/opts/custom_plugins/?.lua"
719 - name: "plugin-name"
722 # -- plugin codes can be saved inside configmap object.
724 # -- name of configmap.
725 name: "configmap-name"
726 # -- since keys in configmap is flat, mountPath allows to define the mount
727 # path, so that plugin codes can be mounted hierarchically.
729 - key: "the-file-name"
732 # -- The IP address on which the status endpoint (`/status`, `/status/ready`) listens
734 # -- The port on which the status endpoint listens
736 # -- When configured, APISIX will trust the `X-Forwarded-*` Headers passed in requests from the IP/CIDR in the list.
739# -- external etcd configuration. If etcd.enabled is false, these configuration will be used.
741 # -- if etcd.enabled is false, use external etcd, support multiple address, if your etcd cluster enables TLS, please use https scheme, e.g. https://127.0.0.1:2379.
743 # host or ip e.g. http://172.20.128.89:2379
744 - http://etcd.host:2379
745 # -- if etcd.enabled is false, user for external etcd. Set empty to disable authentication
747 # -- if etcd.enabled is true, use etcd.auth.rbac.rootPassword instead.
748 # -- if etcd.enabled is false and externalEtcd.existingSecret is not empty, the password should store in the corresponding secret
749 # -- if etcd.enabled is false and externalEtcd.existingSecret is empty, externalEtcd.password is the passsword for external etcd.
751 # -- if externalEtcd.existingSecret is the name of secret containing the external etcd password
753 # -- externalEtcd.secretPasswordKey Key inside the secret containing the external etcd password
754 secretPasswordKey: "etcd-root-password"
755# -- etcd configuration
756# use the FQDN address or the IP of the etcd
758 # -- install built-in etcd by default, set false if do not want to install built-in etcd together,
759 # this etcd is based on bitnamilegacy/etcd helm chart and latest bitnami docker image, only for development and testing purposes,
760 # if you want to use etcd in production, we recommend you to install etcd by yourself and use `externalEtcd` to connect it.
762 # -- docker image for built-in etcd
765 repository: bitnamilegacy/etcd
766 # -- `bitnamilegacy/etcd` only provide `latest` tag now, ref: https://github.com/bitnami/containers/issues/83267,
767 # you can switch `etcd.image.repository` to `bitnamilegacy/etcd` to use old versioned tags.
769 # -- apisix configurations prefix
771 # -- Set the timeout value in seconds for subsequent socket operations from apisix to etcd cluster
773 # -- Set the timeout value in seconds for watching etcd
775 # -- The number of retries to etcd during startup
777 # -- if etcd.enabled is true, set more values of bitnamilegacy/etcd helm chart
780 # -- No authentication by default. Switch to enable RBAC authentication
782 # -- root password for etcd. Requires etcd.auth.rbac.create to be true.
785 # -- enable etcd client certificate
787 # -- name of the secret contains etcd client cert
789 # -- etcd client cert filename using in etcd.auth.tls.existingSecret
791 # -- etcd client cert key filename using in etcd.auth.tls.existingSecret
793 # -- whether to verify the etcd endpoint certificate when setup a TLS connection to etcd
795 # -- specify the TLS Server Name Indication extension, the ETCD endpoint hostname will be used when this setting is unset.
797 # -- ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
798 # -- added for backward compatibility with old kubernetes versions, as seccompProfile is not supported in kubernetes < 1.19
799 containerSecurityContext:
802 # -- etcd client service port
804 # -- Number of etcd replicas, only used when etcd.enabled is true
806 # -- Auto compaction retention for mvcc key value store, only used when etcd.enabled is true
807 autoCompactionRetention: "1h"
808 # -- Auto compaction mode (periodic or revision), only used when etcd.enabled is true
809 autoCompactionMode: "periodic"
810# -- Ingress controller configuration
812 # -- Enable the apisix-ingress-controller sub-chart
815 # Specifies whether to enable the validation webhook.
816 # Note: This feature relies on the '/apisix/admin/configs/validate' endpoint.
817 # It requires APISIX version 3.17.0 or later to function correctly.
818 # Ensure your cluster's APISIX deployment meets this version requirement before enabling.