DirectorySecurity AdvisoriesPricing
Sign in
Directory
apisix logoHELM

apisix

Helm chart
Last changed
Request a free trial

Contact our team to test out this Helm chart and related images for free. Please also indicate any other images you would like to evaluate.

Overview
Chart versions
Default values
Chart metadata
Images

Tag:

1
#
2
# Licensed to the Apache Software Foundation (ASF) under one or more
3
# contributor license agreements. See the NOTICE file distributed with
4
# this work for additional information regarding copyright ownership.
5
# The ASF licenses this file to You under the Apache License, Version 2.0
6
# (the "License"); you may not use this file except in compliance with
7
# the License. You may obtain a copy of the License at
8
#
9
# http://www.apache.org/licenses/LICENSE-2.0
10
#
11
# Unless required by applicable law or agreed to in writing, software
12
# distributed under the License is distributed on an "AS IS" BASIS,
13
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14
# See the License for the specific language governing permissions and
15
# limitations under the License.
16
17
global:
18
# e.g.
19
# imagePullSecrets:
20
# - my-registry-secrets
21
# - other-registry-secrets
22
# -- Global Docker registry secret names as an array
23
imagePullSecrets: []
24
image:
25
# -- Apache APISIX image repository
26
repository: cgr.dev/chainguard-private/apache-apisix
27
# -- Apache APISIX image pull policy
28
pullPolicy: IfNotPresent
29
# -- Apache APISIX image tag
30
# Overrides the image tag whose default is the chart appVersion.
31
tag: latest@sha256:93eedc59391acb29ed4b4b505f1ee3c5e1ceb3b7907d6c7c796cb54814432f60
32
# -- set false to use `Deployment`, set true to use `DaemonSet`
33
useDaemonSet: false
34
# -- if useDaemonSet is true or autoscaling.enabled is true, replicaCount not become effective
35
replicaCount: 1
36
# -- Set [priorityClassName](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#pod-priority) for Apache APISIX pods
37
priorityClassName: ""
38
# -- Annotations to add to each pod
39
podAnnotations: {}
40
# -- Set the securityContext for Apache APISIX pods
41
podSecurityContext: {}
42
# fsGroup: 2000
43
# -- Set the securityContext for Apache APISIX container
44
securityContext: {}
45
# capabilities:
46
# drop:
47
# - ALL
48
# readOnlyRootFilesystem: true
49
# runAsNonRoot: true
50
# runAsUser: 1000
51
52
# -- See https://kubernetes.io/docs/tasks/run-application/configure-pdb/ for more details
53
podDisruptionBudget:
54
# -- Enable or disable podDisruptionBudget
55
enabled: false
56
# -- Set the `minAvailable` of podDisruptionBudget. You can specify only one of `maxUnavailable` and `minAvailable` in a single PodDisruptionBudget.
57
# See [Specifying a Disruption Budget for your Application](https://kubernetes.io/docs/tasks/run-application/configure-pdb/#specifying-a-poddisruptionbudget)
58
# for more details
59
minAvailable: 90%
60
# -- Set the maxUnavailable of podDisruptionBudget
61
maxUnavailable: 1
62
# -- Set pod resource requests & limits
63
resources: {}
64
# We usually recommend not to specify default resources and to leave this as a conscious
65
# choice for the user. This also increases chances charts run on environments with little
66
# resources, such as Minikube. If you do want to specify resources, uncomment the following
67
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
68
# limits:
69
# cpu: 100m
70
# memory: 128Mi
71
# requests:
72
# cpu: 100m
73
# memory: 128Mi
74
75
# -- Use the host's network namespace
76
hostNetwork: false
77
# -- Node labels for Apache APISIX pod assignment
78
nodeSelector: {}
79
# -- List of node taints to tolerate
80
tolerations: []
81
# -- Set affinity for Apache APISIX deploy
82
affinity: {}
83
# -- Topology Spread Constraints for pod assignment spread across your cluster among failure-domains
84
# ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
85
topologySpreadConstraints: []
86
# -- timezone is the timezone where apisix uses.
87
# For example: "UTC" or "Asia/Shanghai"
88
# This value will be set on apisix container's environment variable TZ.
89
# You may need to set the timezone to be consistent with your local time zone,
90
# otherwise the apisix's logs may used to retrieve event maybe in wrong timezone.
91
timezone: ""
92
# -- extraEnvVars An array to add extra env vars
93
# e.g:
94
# extraEnvVars:
95
# - name: FOO
96
# value: "bar"
97
# - name: FOO2
98
# valueFrom:
99
# secretKeyRef:
100
# name: SECRET_NAME
101
# key: KEY
102
extraEnvVars: []
103
# -- Update strategy of the workload (Deployment or DaemonSet), e.g. `type: RollingUpdate`
104
updateStrategy: {}
105
# type: RollingUpdate
106
107
# -- Additional Kubernetes resources to deploy with the release.
108
extraDeploy: []
109
# -- Additional `volume`, See [Kubernetes Volumes](https://kubernetes.io/docs/concepts/storage/volumes/) for the detail.
110
extraVolumes: []
111
# - name: extras
112
# emptyDir: {}
113
114
# -- Additional `volumeMounts` for the APISIX container, See [Kubernetes Volumes](https://kubernetes.io/docs/concepts/storage/volumes/) for the detail.
115
extraVolumeMounts: []
116
# - name: extras
117
# mountPath: /usr/share/extras
118
# readOnly: true
119
120
# -- Additional `initContainers`, See [Kubernetes initContainers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) for the detail.
121
extraInitContainers: []
122
# - name: init-myservice
123
# image: busybox:1.28
124
# command: ['sh', '-c', "until nslookup myservice.$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace).svc.cluster.local; do echo waiting for myservice; sleep 2; done"]
125
126
# -- Additional `containers`, See [Kubernetes containers](https://kubernetes.io/docs/concepts/containers/) for the detail.
127
extraContainers: []
128
initContainer:
129
# -- Init container image
130
image: cgr.dev/chainguard-private/netcat
131
# -- Init container tag
132
tag: latest@sha256:ab3c0c2cba71296203c82798f45d8bd3f58d18effd0b38cf4dc6df8e64d4dedf
133
autoscaling:
134
# -- Enable HorizontalPodAutoscaler for APISIX (only when useDaemonSet is false)
135
enabled: false
136
# -- HPA version, the value is "v2" or "v2beta1", default "v2"
137
version: v2
138
# -- Minimum number of APISIX replicas
139
minReplicas: 1
140
# -- Maximum number of APISIX replicas
141
maxReplicas: 100
142
# -- Target average CPU utilization percentage that triggers scaling
143
targetCPUUtilizationPercentage: 80
144
# -- Target average memory utilization percentage that triggers scaling
145
targetMemoryUtilizationPercentage: 80
146
# -- String to partially override the chart fullname
147
nameOverride: ""
148
# -- String to fully override the chart fullname
149
fullnameOverride: ""
150
serviceAccount:
151
# -- Whether a ServiceAccount should be created for the APISIX pods
152
create: false
153
# -- Annotations to add to the ServiceAccount
154
annotations: {}
155
# -- Name of the ServiceAccount to use. If not set and create is true, a name is generated from the chart fullname
156
name: ""
157
rbac:
158
# -- Whether RBAC resources (ClusterRole and ClusterRoleBinding) should be created
159
create: false
160
service:
161
# -- Apache APISIX service type for user access itself
162
type: NodePort
163
# -- Setting how the Service route external traffic.
164
# If you want to keep the client source IP, you can set this to Local,
165
# ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
166
externalTrafficPolicy: Cluster
167
# type: LoadBalancer
168
# annotations:
169
# service.beta.kubernetes.io/aws-load-balancer-type: nlb
170
# -- IPs for which nodes in the cluster will also accept traffic for the service
171
externalIPs: []
172
# -- Apache APISIX service settings for http
173
http:
174
# -- Enable plain HTTP listeners
175
enabled: true
176
# -- Kubernetes service port for HTTP traffic
177
servicePort: 80
178
# -- Container port APISIX listens on for HTTP traffic
179
containerPort: 9080
180
# -- Support multiple http ports, See [Configuration](https://github.com/apache/apisix/blob/0bc65ea9acd726f79f80ae0abd8f50b7eb172e3d/conf/config-default.yaml#L24)
181
additionalContainerPorts: []
182
# - port: 9081
183
# enable_http2: true # If not set, the default value is `false`.
184
# - ip: 127.0.0.2 # Specific IP, If not set, the default value is `0.0.0.0`.
185
# port: 9082
186
# enable_http2: true
187
# -- Apache APISIX service settings for tls
188
tls:
189
# -- Kubernetes service port for HTTPS traffic
190
servicePort: 443
191
# nodePort: 4443
192
# -- Apache APISIX service settings for stream. L4 proxy (TCP/UDP)
193
stream:
194
# -- Enable the stream (L4 proxy) subsystem
195
enabled: false
196
# -- TCP proxy port list, element format: port number, or a map with `addr` and optional `tls`
197
tcp: []
198
# -- UDP proxy port list
199
udp: []
200
# - secretName: apisix-tls
201
# hosts:
202
# - chart-example.local
203
# -- Override default labels assigned to Apache APISIX gateway resources
204
labelsOverride: {}
205
# labelsOverride:
206
# app.kubernetes.io/name: "{{ .Release.Name }}"
207
# app.kubernetes.io/instance: '{{ include "apisix.name" . }}'
208
# -- Using ingress access Apache APISIX service
209
ingress:
210
# -- Enable an Ingress resource in front of the APISIX service
211
enabled: false
212
# -- (number) Service port to send traffic. Defaults to `service.http.servicePort`.
213
servicePort:
214
# -- Ingress annotations
215
annotations: {}
216
# kubernetes.io/ingress.class: nginx
217
# kubernetes.io/tls-acme: "true"
218
# -- Ingress host and path rules
219
hosts:
220
- host: apisix.local
221
paths: []
222
# -- Ingress TLS settings
223
tls: []
224
control:
225
# -- Enable Control API
226
enabled: true
227
service:
228
# -- Control annotations
229
annotations: {}
230
# -- Control service type
231
type: ClusterIP
232
# loadBalancerIP: a.b.c.d
233
# loadBalancerSourceRanges:
234
# - "143.231.0.0/16"
235
# -- IPs for which nodes in the cluster will also accept traffic for the servic
236
externalIPs: []
237
# -- NodePort (only if control.service.type is NodePort)
238
# nodePort: 32000
239
240
# -- which ip to listen on for Apache APISIX Control API
241
ip: "127.0.0.1"
242
# -- which port to use for Apache APISIX Control API
243
port: 9090
244
# -- Service port to use for Apache APISIX Control API
245
servicePort: 9090
246
# -- Using ingress access Apache APISIX Control service
247
ingress:
248
# -- Enable an Ingress resource in front of the Control API service
249
enabled: false
250
# -- Ingress annotations
251
annotations: {}
252
# kubernetes.io/ingress.class: nginx
253
# kubernetes.io/tls-acme: "true"
254
# -- Ingress Class Name
255
# className: "nginx"
256
# -- Ingress host and path rules
257
hosts:
258
- host: apisix-control.local
259
paths:
260
- "/*"
261
# -- Ingress TLS settings
262
tls: []
263
# - secretName: apisix-tls
264
# hosts:
265
# - chart-example.local
266
# -- Observability configuration.
267
metrics:
268
serviceMonitor:
269
# -- Enable or disable Apache APISIX serviceMonitor
270
enabled: false
271
# -- namespace where the serviceMonitor is deployed, by default, it is the same as the namespace of the apisix
272
namespace: ""
273
# -- name of the serviceMonitor, by default, it is the same as the apisix fullname
274
name: ""
275
# -- interval at which metrics should be scraped
276
interval: 15s
277
# -- @param serviceMonitor.labels ServiceMonitor extra labels
278
labels: {}
279
# -- @param serviceMonitor.annotations ServiceMonitor annotations
280
annotations: {}
281
apisix:
282
# -- Enable nginx IPv6 resolver
283
enableIPv6: true
284
# -- Enable HTTP/2 on the HTTP listeners
285
enableHTTP2: true
286
# -- Whether the APISIX version number should be shown in Server header
287
enableServerTokens: true
288
# -- When true, the upstream status is always written to the `X-APISIX-Upstream-Status` response header; when false, it is written only for 5xx responses
289
showUpstreamStatusInResponseHeader: false
290
# -- PROXY Protocol configuration.
291
proxyProtocol:
292
# -- (int) The HTTP port that accepts the PROXY Protocol. It differs from `service.http` ports and `apisix.admin` port:
293
# this port only accepts HTTP requests carrying the PROXY Protocol, while the other ports only accept plain HTTP
294
# requests. If you enable the PROXY Protocol, you must use this port to receive HTTP requests with it.
295
# When set, the port is also exposed on the gateway Service.
296
listenHttpPort:
297
# -- (int) The nodePort of the PROXY Protocol HTTP port, only used if service.type is NodePort.
298
# If not set, a random port will be assigned by Kubernetes.
299
listenHttpNodePort:
300
# -- (int) The HTTPS port that accepts the PROXY Protocol.
301
# When set, the port is also exposed on the gateway Service.
302
listenHttpsPort:
303
# -- (int) The nodePort of the PROXY Protocol HTTPS port, only used if service.type is NodePort.
304
# If not set, a random port will be assigned by Kubernetes.
305
listenHttpsNodePort:
306
# -- Accept the PROXY Protocol on every service.stream.tcp port.
307
enableTcpPP: false
308
# -- Send the PROXY Protocol to the upstream server on every service.stream.tcp port.
309
enableTcpPPToUpstream: false
310
# -- Proxy caching configuration used by the proxy-cache plugin.
311
proxyCache:
312
# -- The default caching time in disk if the upstream does not specify the cache time
313
cacheTtl: 10s
314
# -- The parameters of a cache. The `memory_size` field stores the cache index for the
315
# disk strategy and the cache content for the memory strategy; `disk_size`, `disk_path`
316
# and `cache_levels` only apply to the disk strategy.
317
zones:
318
- name: disk_cache_one
319
memory_size: 50m
320
disk_size: 1G
321
disk_path: "/tmp/disk_cache_one"
322
cache_levels: "1:2"
323
- name: memory_cache
324
memory_size: 50m
325
graphql:
326
# -- The maximum size in bytes of GraphQL queries APISIX parses when matching routes by GraphQL attributes (default 1MiB)
327
maxSize: 1048576
328
# -- Delete the '/' at the end of the URI
329
deleteURITailSlash: false
330
# -- The URI normalization in servlet is a little different from the RFC's.
331
# See https://github.com/jakartaee/servlet/blob/master/spec/src/main/asciidoc/servlet-spec-body.adoc#352-uri-path-canonicalization,
332
# which is used under Tomcat.
333
# Turn this option on if you want to be compatible with servlet when matching URI path.
334
normalizeURILikeServlet: false
335
# -- fine tune the parameters of LRU cache for some features like secret
336
lru:
337
secret:
338
# -- TTL in seconds for cached secret values
339
ttl: 300
340
# -- Maximum number of cached secret values
341
count: 512
342
# -- TTL in seconds for cached negative (failed lookup) results
343
neg_ttl: 60
344
# -- Maximum number of cached negative (failed lookup) results
345
neg_count: 512
346
# -- Enable comprehensive request lifecycle tracing (SSL/SNI, rewrite, access, header_filter, body_filter, and log).
347
# When disabled, OpenTelemetry collects only a single span per request.
348
tracing: false
349
# -- Use Pod metadata.uid as the APISIX id.
350
setIDFromPodUID: false
351
# -- Whether to add a custom lua module
352
luaModuleHook:
353
# -- Enable loading a custom lua module hook
354
enabled: false
355
# -- extend lua_package_path to load third party code
356
luaPath: ""
357
# -- the hook module which will be used to inject third party code into APISIX
358
# use the lua require style like: "module.say_hello"
359
hookPoint: ""
360
# -- configmap that stores the codes
361
configMapRef:
362
# -- Name of the ConfigMap where the lua module codes store
363
name: ""
364
# mounts decides how to mount the codes to the container.
365
mounts:
366
# -- Name of the ConfigMap key, for setting the mapping relationship between ConfigMap key and the lua module code path.
367
- key: ""
368
# -- Filepath of the plugin code, for setting the mapping relationship between ConfigMap key and the lua module code path.
369
path: ""
370
ssl:
371
# -- Enable HTTPS listeners
372
enabled: false
373
# -- Container port APISIX listens on for HTTPS traffic
374
containerPort: 9443
375
# -- Support multiple https ports, See [Configuration](https://github.com/apache/apisix/blob/0bc65ea9acd726f79f80ae0abd8f50b7eb172e3d/conf/config-default.yaml#L99)
376
additionalContainerPorts: []
377
# - ip: 127.0.0.3 # Specific IP, If not set, the default value is `0.0.0.0`.
378
# port: 9445
379
# enable_http3: true
380
# -- Specifies the name of Secret contains trusted CA certificates in the PEM format used to verify the certificate when APISIX needs to do SSL/TLS handshaking with external services (e.g. etcd)
381
existingCASecret: ""
382
# -- Filename be used in the apisix.ssl.existingCASecret
383
certCAFilename: ""
384
# -- Enable HTTP/3 (QUIC) on the HTTPS listeners
385
enableHTTP3: false
386
# -- TLS protocols allowed to use.
387
sslProtocols: "TLSv1.2 TLSv1.3"
388
# -- TLS ciphers allowed to use.
389
sslCiphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
390
# -- Enable or disable TLS session tickets. Disabled by default because session tickets
391
# defeat Perfect Forward Secrecy (see https://github.com/mozilla/server-side-tls/issues/135)
392
sslSessionTickets: false
393
# -- Define SNI to fallback if none is presented by client
394
fallbackSNI: ""
395
router:
396
# -- Defines how apisix handles routing:
397
# - radixtree_uri: match route by uri(base on radixtree)
398
# - radixtree_host_uri: match route by host + uri(base on radixtree)
399
# - radixtree_uri_with_parameter: match route by uri with parameters
400
http: radixtree_host_uri
401
fullCustomConfig:
402
# -- Enable full customized config.yaml
403
enabled: false
404
# -- If apisix.fullCustomConfig.enabled is true, full customized config.yaml.
405
# Please note that other settings about APISIX config will be ignored
406
config: {}
407
deployment:
408
# -- Apache APISIX deployment mode
409
# Optional: traditional, decoupled, standalone
410
#
411
# ref: https://apisix.apache.org/docs/apisix/deployment-modes/
412
mode: traditional
413
# -- Deployment role
414
# Optional: traditional, data_plane, control_plane
415
#
416
# ref: https://apisix.apache.org/docs/apisix/deployment-modes/
417
role: "traditional"
418
role_traditional:
419
# -- Config provider for the traditional role. enum: etcd, yaml
420
config_provider: "etcd"
421
# -- Standalone rules configuration
422
#
423
# ref: https://apisix.apache.org/docs/apisix/deployment-modes/#standalone
424
standalone:
425
# -- Rules which are set to the default apisix.yaml configmap.
426
# If apisix.delpoyment.standalone.existingConfigMap is empty, these are used.
427
config: |
428
routes:
429
-
430
uri: /hi
431
upstream:
432
nodes:
433
"127.0.0.1:1980": 1
434
type: roundrobin
435
# -- Specifies the name of the ConfigMap that contains the rule configurations.
436
# The configuration must be set to the key named `apisix.yaml` in the configmap.
437
existingConfigMap: ""
438
admin:
439
# -- Enable Admin API
440
enabled: true
441
# -- Enable Embedded Admin UI
442
enable_admin_ui: true
443
# -- admin service type
444
type: ClusterIP
445
# loadBalancerIP: a.b.c.d
446
# loadBalancerSourceRanges:
447
# - "143.231.0.0/16"
448
# -- IPs for which nodes in the cluster will also accept traffic for the servic
449
externalIPs: []
450
# -- which ip to listen on for Apache APISIX admin API. Set to `"[::]"` when on IPv6 single stack
451
ip: 0.0.0.0
452
# -- which port to use for Apache APISIX admin API
453
port: 9180
454
# -- Service port to use for Apache APISIX admin API
455
servicePort: 9180
456
# -- Admin API support CORS response headers
457
cors: true
458
# -- Admin API credentials
459
credentials:
460
# -- Apache APISIX admin API admin role credentials
461
admin: edd1c9f034335f136f87ad84b625c8f1
462
# -- Apache APISIX admin API viewer role credentials
463
viewer: 4054f7cf07e344346cd3f287985e76a2
464
# -- The APISIX Helm chart supports storing user credentials in a secret.
465
# The secret needs to contain two keys, admin and viewer, with their respective values set.
466
secretName: ""
467
# -- Name of the admin role key in the secret, overrides the default key name "admin"
468
secretAdminKey: ""
469
# -- Name of the viewer role key in the secret, overrides the default key name "viewer"
470
secretViewerKey: ""
471
allow:
472
# -- The client IP CIDR allowed to access Apache APISIX Admin API service.
473
ipList:
474
- 127.0.0.1/24
475
# -- Using ingress access Apache APISIX admin service
476
ingress:
477
# -- Enable an Ingress resource in front of the Admin API service
478
enabled: false
479
# -- Ingress annotations
480
annotations: {}
481
# kubernetes.io/ingress.class: nginx
482
# kubernetes.io/tls-acme: "true"
483
# -- Ingress host and path rules
484
hosts:
485
- host: apisix-admin.local
486
paths:
487
- "/apisix"
488
# -- Ingress TLS settings
489
tls: []
490
# - secretName: apisix-tls
491
# hosts:
492
# - chart-example.local
493
nginx:
494
# -- The number of files a worker process can open, should be larger than apisix.nginx.workerConnections
495
workerRlimitNofile: "20480"
496
# -- The maximum number of connections that each worker process can open
497
workerConnections: "10620"
498
# -- The number of nginx worker processes. `auto` means the number of CPU cores
499
workerProcesses: auto
500
# -- Bind nginx worker processes to CPUs
501
enableCPUAffinity: true
502
# -- Timeout for a graceful shutdown of worker processes
503
workerShutdownTimeout: "240s"
504
# -- Maximum number of pending timers. Increase it if you see "too many pending timers" error
505
maxPendingTimers: 16384
506
# -- Maximum number of running timers. Increase it if you see "lua_max_running_timers are not enough" error
507
maxRunningTimers: 4096
508
# -- Timeout during which a keep-alive client connection will stay open on the server side.
509
keepaliveTimeout: 60s
510
# -- List of environment variable names allowed to be accessed within nginx (rendered as nginx `env` directives)
511
envs: []
512
# -- Nginx HTTP subsystem configurations
513
http:
514
# -- timeout for reading client request header, then 408 (Request Time-out) error is returned to the client
515
clientHeaderTimeout: "60s"
516
# -- timeout for reading client request body, then 408 (Request Time-out) error is returned to the client
517
clientBodyTimeout: "60s"
518
# -- timeout for transmitting a response to the client, then the connection is closed
519
sendTimeout: "10s"
520
# -- The maximum allowed size of the client request body.
521
# If exceeded, the 413 (Request Entity Too Large) error is returned to the client.
522
# Note that unlike Nginx, we don't limit the body size by default (0 means no limit).
523
clientMaxBodySize: 0
524
# -- Enable the use of underscores in client request header fields
525
underscoresInHeaders: "on"
526
# -- The request header used to determine the client's real IP address,
527
# see [real_ip_header](http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header)
528
realIpHeader: "X-Real-IP"
529
# -- Whether to search for the real IP recursively when the header set in apisix.nginx.http.realIpHeader contains multiple addresses,
530
# see [real_ip_recursive](http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_recursive)
531
realIpRecursive: "off"
532
# -- Trusted addresses from which the real IP header is honored,
533
# see [set_real_ip_from](http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from)
534
realIpFrom:
535
- 127.0.0.1
536
- "unix:"
537
# -- Enables or disables passing of the server name through TLS Server Name Indication extension (SNI, RFC 6066)
538
# when establishing a connection with the proxied HTTPS server
539
proxySslServerName: true
540
# -- Keepalive settings for connections from APISIX to upstream servers
541
upstream:
542
# -- Maximum number of idle keepalive connections to upstream servers that are preserved in the cache of each worker process.
543
# When this number is exceeded, the least recently used connections are closed
544
keepalive: 320
545
# -- Maximum number of requests that can be served through one keepalive connection.
546
# After the maximum number of requests is made, the connection is closed
547
keepaliveRequests: 1000
548
# -- Timeout during which an idle keepalive connection to an upstream server will stay open
549
keepaliveTimeout: 60s
550
# -- The charset added to the "Content-Type" response header field,
551
# see [charset](http://nginx.org/en/docs/http/ngx_http_charset_module.html#charset)
552
charset: utf-8
553
# -- The maximum size of the nginx variables hash table
554
variablesHashMaxSize: 2048
555
# access log and error log configuration
556
logs:
557
# -- Enable access log or not, default true
558
enableAccessLog: true
559
# -- Access log path
560
accessLog: "/dev/stdout"
561
# -- Access log format
562
accessLogFormat: '$remote_addr - $remote_user [$time_local] $http_host \"$request\" $status $body_bytes_sent $request_time \"$http_referer\" \"$http_user_agent\" $upstream_addr $upstream_status $upstream_response_time \"$upstream_scheme://$upstream_host$upstream_uri\"'
563
# -- Allows setting json or default characters escaping in variables
564
accessLogFormatEscape: default
565
# -- Error log path
566
errorLog: "/dev/stderr"
567
# -- Error log level
568
errorLogLevel: "warn"
569
# -- Stream (L4 proxy) access log configuration
570
stream:
571
# -- Enable stream access log or not, default false
572
enableAccessLog: false
573
# -- Stream access log path
574
accessLog: "logs/access_stream.log"
575
# -- Stream access log format
576
accessLogFormat: '$remote_addr [$time_local] $protocol $status $bytes_sent $bytes_received $session_time'
577
# -- Allows setting json or default characters escaping in variables for stream
578
accessLogFormatEscape: default
579
# -- Custom nginx configuration snippets injected into the generated nginx.conf.
580
# As arbitrary configuration can be added here, it is your responsibility to make sure
581
# the snippets don't conflict with the configuration generated by APISIX.
582
configurationSnippet:
583
# -- Snippet added to the nginx `main` (top-level) block
584
main: ""
585
# -- Snippet added to the beginning of the nginx `http` block
586
httpStart: ""
587
# -- Snippet added to the end of the nginx `http` block
588
httpEnd: ""
589
# -- Snippet added to the nginx `server` block that proxies regular traffic
590
httpSrv: ""
591
# -- Snippet added to the nginx `server` block that serves the Admin API
592
httpAdmin: ""
593
# -- Snippet added to the nginx `stream` block
594
stream: ""
595
# -- Add custom [lua_shared_dict](https://github.com/openresty/lua-nginx-module?tab=readme-ov-file#lua_shared_dict) settings,
596
# click [here](https://github.com/apache/apisix-helm-chart/blob/master/charts/apisix/values.yaml#L27-L30) to learn the format of a shared dict
597
customLuaSharedDicts: []
598
# - name: foo
599
# size: 10k
600
# - name: bar
601
# size: 1m
602
603
# -- Override default [lua_shared_dict](https://github.com/apache/apisix/blob/master/conf/config.yaml.example#L250-L276) settings,
604
# click [here](https://github.com/apache/apisix-helm-chart/blob/master/charts/apisix/values.yaml#L27-L30) to learn the format of a shared dict
605
luaSharedDicts: []
606
# - name: prometheus-metrics
607
# size: 20m
608
609
# -- Override default meta-level [lua_shared_dict](https://github.com/apache/apisix/blob/master/conf/config.yaml.example) settings,
610
# meta-level shared dicts are shared across both HTTP and stream subsystems.
611
# Since APISIX 3.16.0, `upstream-healthcheck` is a meta-level shared dict.
612
# click [here](https://github.com/apache/apisix-helm-chart/blob/master/charts/apisix/values.yaml#L27-L30) to learn the format of a shared dict
613
metaLuaSharedDicts: []
614
# - name: upstream-healthcheck
615
# size: 10m
616
discovery:
617
# -- Enable or disable Apache APISIX integration service discovery
618
enabled: false
619
# -- Service discovery registry. Refer to [configuration under discovery](https://github.com/apache/apisix/blob/master/conf/config.yaml.example#L307) for example.
620
# Also see [example of using external service discovery](https://apisix.apache.org/docs/ingress-controller/1.8.0/tutorials/external-service-discovery/).
621
registry: {}
622
# Integration service discovery registry. E.g eureka\dns\nacos\consul_kv
623
# reference:
624
# https://apisix.apache.org/docs/apisix/discovery/#configuration-for-eureka
625
# https://apisix.apache.org/docs/apisix/discovery/dns/#service-discovery-via-dns
626
# https://apisix.apache.org/docs/apisix/discovery/consul_kv/#configuration-for-consul-kv
627
# https://apisix.apache.org/docs/apisix/discovery/nacos/#configuration-for-nacos
628
# https://apisix.apache.org/docs/apisix/discovery/kubernetes/#configuration
629
#
630
# an eureka example:
631
# ```
632
# eureka:
633
# host:
634
# - "http://${username}:${password}@${eureka_host1}:${eureka_port1}"
635
# - "http://${username}:${password}@${eureka_host2}:${eureka_port2}"
636
# prefix: "/eureka/"
637
# fetch_interval: 30
638
# weight: 100
639
# timeout:
640
# connect: 2000
641
# send: 2000
642
# read: 5000
643
# ```
644
#
645
# the minimal Kubernetes example:
646
# ```
647
# kubernetes: {}
648
# ```
649
#
650
# The prerequisites for the above minimal Kubernetes example:
651
# 1. [Optional] Set `.serviceAccount.create` to `true` to create a dedicated ServiceAccount.
652
# It is recommended to do so, otherwise the default ServiceAccount "default" will be used.
653
# 2. [Required] Set `.rbac.create` to `true` to create and bind the necessary RBAC resources.
654
# This grants the ServiceAccount in use to List-Watch Kubernetes Endpoints resources.
655
# 3. [Required] Include the following environment variables in `.nginx.envs` to pass them into
656
# nginx worker processes (https://nginx.org/en/docs/ngx_core_module.html#env):
657
# - KUBERNETES_SERVICE_HOST
658
# - KUBERNETES_SERVICE_PORT
659
# This is for allowing the default `host` and `port` of `.discovery.registry.kubernetes.service`.
660
dns:
661
# -- Nameservers used by APISIX to resolve upstream domain names.
662
# When empty (default), nameservers are read from `/etc/resolv.conf`,
663
# which is usually what you want inside Kubernetes
664
resolvers: []
665
# - 127.0.0.1
666
# - 8.8.8.8
667
# -- Override the TTL in seconds of valid DNS records
668
validity: 30
669
# -- DNS resolver timeout in seconds
670
timeout: 5
671
# -- Honor the `search` option in `/etc/resolv.conf` when resolving domain names
672
enableResolvSearchOpt: true
673
vault:
674
# -- Enable or disable the vault integration
675
enabled: false
676
# -- The host address where the vault server is running.
677
host: ""
678
# -- HTTP timeout for each request.
679
timeout: 10
680
# -- The generated token from vault instance that can grant access to read data from the vault.
681
token: ""
682
# -- Prefix allows you to better enforcement of policies.
683
prefix: ""
684
prometheus:
685
# -- Enable Prometheus metrics. ref: https://apisix.apache.org/docs/apisix/plugins/prometheus/
686
enabled: false
687
# -- path of the metrics endpoint
688
path: /apisix/prometheus/metrics
689
# -- prefix of the metrics
690
metricPrefix: apisix_
691
# -- container port where the metrics are exposed
692
containerPort: 9091
693
# -- Customize the list of APISIX plugins to enable. By default, APISIX's [default plugins](https://github.com/apache/apisix/blob/master/apisix/cli/config.lua#L196) are automatically used.
694
plugins: []
695
# -- Customize the list of APISIX stream_plugins to enable. By default, APISIX's [default stream_plugins](https://github.com/apache/apisix/blob/master/apisix/cli/config.lua#L294) are automatically used.
696
stream_plugins: []
697
# -- Set APISIX plugin attributes. By default, APISIX's [plugin_attr](https://github.com/apache/apisix/blob/master/apisix/cli/config.lua#L295) are automatically used.
698
# See [configuration example](https://github.com/apache/apisix/blob/master/conf/config.yaml.example#L591).
699
pluginAttrs: {}
700
extPlugin:
701
# -- Enable External Plugins. See [external plugin](https://apisix.apache.org/docs/apisix/next/external-plugin/)
702
enabled: false
703
# -- the command and its arguements to run as a subprocess
704
cmd: ["/path/to/apisix-plugin-runner/runner", "run"]
705
wasm:
706
# -- Enable Wasm Plugins. See [wasm plugin](https://apisix.apache.org/docs/apisix/next/wasm/)
707
enabled: false
708
# -- List of Wasm plugins, each item with `name`, `priority` and `file` (path or URL of the wasm binary)
709
plugins: []
710
# -- customPlugins allows you to mount your own HTTP plugins.
711
customPlugins:
712
# -- Whether to configure some custom plugins
713
enabled: false
714
# -- the lua_path that tells APISIX where it can find plugins,
715
# note the last ';' is required.
716
luaPath: "/opts/custom_plugins/?.lua"
717
plugins:
718
# -- plugin name.
719
- name: "plugin-name"
720
# -- plugin attrs
721
attrs: {}
722
# -- plugin codes can be saved inside configmap object.
723
configMap:
724
# -- name of configmap.
725
name: "configmap-name"
726
# -- since keys in configmap is flat, mountPath allows to define the mount
727
# path, so that plugin codes can be mounted hierarchically.
728
mounts:
729
- key: "the-file-name"
730
path: "mount-path"
731
status:
732
# -- The IP address on which the status endpoint (`/status`, `/status/ready`) listens
733
ip: "0.0.0.0"
734
# -- The port on which the status endpoint listens
735
port: 7085
736
# -- When configured, APISIX will trust the `X-Forwarded-*` Headers passed in requests from the IP/CIDR in the list.
737
trustedAddresses:
738
- 127.0.0.1
739
# -- external etcd configuration. If etcd.enabled is false, these configuration will be used.
740
externalEtcd:
741
# -- if etcd.enabled is false, use external etcd, support multiple address, if your etcd cluster enables TLS, please use https scheme, e.g. https://127.0.0.1:2379.
742
host:
743
# host or ip e.g. http://172.20.128.89:2379
744
- http://etcd.host:2379
745
# -- if etcd.enabled is false, user for external etcd. Set empty to disable authentication
746
user: root
747
# -- if etcd.enabled is true, use etcd.auth.rbac.rootPassword instead.
748
# -- if etcd.enabled is false and externalEtcd.existingSecret is not empty, the password should store in the corresponding secret
749
# -- if etcd.enabled is false and externalEtcd.existingSecret is empty, externalEtcd.password is the passsword for external etcd.
750
password: ""
751
# -- if externalEtcd.existingSecret is the name of secret containing the external etcd password
752
existingSecret: ""
753
# -- externalEtcd.secretPasswordKey Key inside the secret containing the external etcd password
754
secretPasswordKey: "etcd-root-password"
755
# -- etcd configuration
756
# use the FQDN address or the IP of the etcd
757
etcd:
758
# -- install built-in etcd by default, set false if do not want to install built-in etcd together,
759
# this etcd is based on bitnamilegacy/etcd helm chart and latest bitnami docker image, only for development and testing purposes,
760
# if you want to use etcd in production, we recommend you to install etcd by yourself and use `externalEtcd` to connect it.
761
enabled: true
762
# -- docker image for built-in etcd
763
image:
764
registry: docker.io
765
repository: bitnamilegacy/etcd
766
# -- `bitnamilegacy/etcd` only provide `latest` tag now, ref: https://github.com/bitnami/containers/issues/83267,
767
# you can switch `etcd.image.repository` to `bitnamilegacy/etcd` to use old versioned tags.
768
tag: latest
769
# -- apisix configurations prefix
770
prefix: "/apisix"
771
# -- Set the timeout value in seconds for subsequent socket operations from apisix to etcd cluster
772
timeout: 30
773
# -- Set the timeout value in seconds for watching etcd
774
watchTimeout: 50
775
# -- The number of retries to etcd during startup
776
startupRetry: 2
777
# -- if etcd.enabled is true, set more values of bitnamilegacy/etcd helm chart
778
auth:
779
rbac:
780
# -- No authentication by default. Switch to enable RBAC authentication
781
create: false
782
# -- root password for etcd. Requires etcd.auth.rbac.create to be true.
783
rootPassword: ""
784
tls:
785
# -- enable etcd client certificate
786
enabled: false
787
# -- name of the secret contains etcd client cert
788
existingSecret: ""
789
# -- etcd client cert filename using in etcd.auth.tls.existingSecret
790
certFilename: ""
791
# -- etcd client cert key filename using in etcd.auth.tls.existingSecret
792
certKeyFilename: ""
793
# -- whether to verify the etcd endpoint certificate when setup a TLS connection to etcd
794
verify: true
795
# -- specify the TLS Server Name Indication extension, the ETCD endpoint hostname will be used when this setting is unset.
796
sni: ""
797
# -- ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
798
# -- added for backward compatibility with old kubernetes versions, as seccompProfile is not supported in kubernetes < 1.19
799
containerSecurityContext:
800
enabled: false
801
service:
802
# -- etcd client service port
803
port: 2379
804
# -- Number of etcd replicas, only used when etcd.enabled is true
805
replicaCount: 3
806
# -- Auto compaction retention for mvcc key value store, only used when etcd.enabled is true
807
autoCompactionRetention: "1h"
808
# -- Auto compaction mode (periodic or revision), only used when etcd.enabled is true
809
autoCompactionMode: "periodic"
810
# -- Ingress controller configuration
811
ingress-controller:
812
# -- Enable the apisix-ingress-controller sub-chart
813
enabled: false
814
webhook:
815
# Specifies whether to enable the validation webhook.
816
# Note: This feature relies on the '/apisix/admin/configs/validate' endpoint.
817
# It requires APISIX version 3.17.0 or later to function correctly.
818
# Ensure your cluster's APISIX deployment meets this version requirement before enabling.
819
enabled: false
820

The trusted source for open source

Talk to an expert
PrivacyTerms

Product

Chainguard ContainersChainguard LibrariesChainguard VMsChainguard OS PackagesChainguard ActionsChainguard Agent SkillsIntegrationsPricing
© 2026 Chainguard, Inc. All Rights Reserved.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.