apisix
Helm chart
Request a free trial
Contact our team to test out this Helm chart and related images for free. Please also indicate any other images you would like to evaluate.
Tag:
1
#
2
# Licensed to the Apache Software Foundation (ASF) under one or more
3
# contributor license agreements. See the NOTICE file distributed with
4
# this work for additional information regarding copyright ownership.
5
# The ASF licenses this file to You under the Apache License, Version 2.0
6
# (the "License"); you may not use this file except in compliance with
7
# the License. You may obtain a copy of the License at
8
#
9
# http://www.apache.org/licenses/LICENSE-2.0
10
#
11
# Unless required by applicable law or agreed to in writing, software
12
# distributed under the License is distributed on an "AS IS" BASIS,
13
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14
# See the License for the specific language governing permissions and
15
# limitations under the License.
16
17
global:
18
# e.g.
19
# imagePullSecrets:
20
# - my-registry-secrets
21
# - other-registry-secrets
22
# -- Global Docker registry secret names as an array
23
imagePullSecrets: []
24
image:
25
# -- Apache APISIX image repository
26
repository: cgr.dev/chainguard-private/apache-apisix
27
# -- Apache APISIX image pull policy
28
pullPolicy: IfNotPresent
29
# -- Apache APISIX image tag
30
# Overrides the image tag whose default is the chart appVersion.
31
tag: latest@sha256:5f3bc6e0266f57a9641668879c27e89a2b8bf2948cd9e4debeb3822ca1a11551
32
# -- set false to use `Deployment`, set true to use `DaemonSet`
33
useDaemonSet: false
34
# -- if useDaemonSet is true or autoscaling.enabled is true, replicaCount not become effective
35
replicaCount: 1
36
# -- Set [priorityClassName](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#pod-priority) for Apache APISIX pods
37
priorityClassName: ""
38
# -- Annotations to add to each pod
39
podAnnotations: {}
40
# -- Set the securityContext for Apache APISIX pods
41
podSecurityContext: {}
42
# fsGroup: 2000
43
# -- Set the securityContext for Apache APISIX container
44
securityContext: {}
45
# capabilities:
46
# drop:
47
# - ALL
48
# readOnlyRootFilesystem: true
49
# runAsNonRoot: true
50
# runAsUser: 1000
51
52
# -- See https://kubernetes.io/docs/tasks/run-application/configure-pdb/ for more details
53
podDisruptionBudget:
54
# -- Enable or disable podDisruptionBudget
55
enabled: false
56
# -- Set the `minAvailable` of podDisruptionBudget. You can specify only one of `maxUnavailable` and `minAvailable` in a single PodDisruptionBudget.
57
# See [Specifying a Disruption Budget for your Application](https://kubernetes.io/docs/tasks/run-application/configure-pdb/#specifying-a-poddisruptionbudget)
58
# for more details
59
minAvailable: 90%
60
# -- Set the maxUnavailable of podDisruptionBudget
61
maxUnavailable: 1
62
# -- Set pod resource requests & limits
63
resources: {}
64
# -- Use the host's network namespace
65
66
# We usually recommend not to specify default resources and to leave this as a conscious
67
# choice for the user. This also increases chances charts run on environments with little
68
# resources, such as Minikube. If you do want to specify resources, uncomment the following
69
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
70
# limits:
71
# cpu: 100m
72
# memory: 128Mi
73
# requests:
74
# cpu: 100m
75
# memory: 128Mi
76
hostNetwork: false
77
# -- Node labels for Apache APISIX pod assignment
78
nodeSelector: {}
79
# -- List of node taints to tolerate
80
tolerations: []
81
# -- Set affinity for Apache APISIX deploy
82
affinity: {}
83
# -- Topology Spread Constraints for pod assignment spread across your cluster among failure-domains
84
# ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
85
topologySpreadConstraints: []
86
# -- timezone is the timezone where apisix uses.
87
# For example: "UTC" or "Asia/Shanghai"
88
# This value will be set on apisix container's environment variable TZ.
89
# You may need to set the timezone to be consistent with your local time zone,
90
# otherwise the apisix's logs may used to retrieve event maybe in wrong timezone.
91
timezone: ""
92
# -- extraEnvVars An array to add extra env vars
93
# e.g:
94
# extraEnvVars:
95
# - name: FOO
96
# value: "bar"
97
# - name: FOO2
98
# valueFrom:
99
# secretKeyRef:
100
# name: SECRET_NAME
101
# key: KEY
102
extraEnvVars: []
103
updateStrategy: {}
104
# type: RollingUpdate
105
106
# -- Additional Kubernetes resources to deploy with the release.
107
extraDeploy: []
108
# -- Additional `volume`, See [Kubernetes Volumes](https://kubernetes.io/docs/concepts/storage/volumes/) for the detail.
109
extraVolumes: []
110
# - name: extras
111
# emptyDir: {}
112
113
# -- Additional `volume`, See [Kubernetes Volumes](https://kubernetes.io/docs/concepts/storage/volumes/) for the detail.
114
extraVolumeMounts: []
115
# - name: extras
116
# mountPath: /usr/share/extras
117
# readOnly: true
118
119
# -- Additional `initContainers`, See [Kubernetes initContainers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) for the detail.
120
extraInitContainers: []
121
# - name: init-myservice
122
# image: busybox:1.28
123
# command: ['sh', '-c', "until nslookup myservice.$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace).svc.cluster.local; do echo waiting for myservice; sleep 2; done"]
124
125
# -- Additional `containers`, See [Kubernetes containers](https://kubernetes.io/docs/concepts/containers/) for the detail.
126
extraContainers: []
127
initContainer:
128
# -- Init container image
129
image: cgr.dev/chainguard-private/netcat
130
# -- Init container tag
131
tag: latest@sha256:82075322d49ed368eab79d40c6adcacf07e1fdf38dd0b147417e26d191238d1a
132
autoscaling:
133
enabled: false
134
# -- HPA version, the value is "v2" or "v2beta1", default "v2"
135
version: v2
136
minReplicas: 1
137
maxReplicas: 100
138
targetCPUUtilizationPercentage: 80
139
targetMemoryUtilizationPercentage: 80
140
nameOverride: ""
141
fullnameOverride: ""
142
serviceAccount:
143
create: false
144
annotations: {}
145
name: ""
146
rbac:
147
create: false
148
service:
149
# -- Apache APISIX service type for user access itself
150
type: NodePort
151
# -- Setting how the Service route external traffic
152
# If you want to keep the client source IP, you can set this to Local.
153
154
# ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
155
externalTrafficPolicy: Cluster
156
# type: LoadBalancer
157
# annotations:
158
# service.beta.kubernetes.io/aws-load-balancer-type: nlb
159
externalIPs: []
160
# -- Apache APISIX service settings for http
161
http:
162
enabled: true
163
servicePort: 80
164
containerPort: 9080
165
# -- Support multiple http ports, See [Configuration](https://github.com/apache/apisix/blob/0bc65ea9acd726f79f80ae0abd8f50b7eb172e3d/conf/config-default.yaml#L24)
166
additionalContainerPorts: []
167
# - port: 9081
168
# enable_http2: true # If not set, the default value is `false`.
169
# - ip: 127.0.0.2 # Specific IP, If not set, the default value is `0.0.0.0`.
170
# port: 9082
171
# enable_http2: true
172
# -- Apache APISIX service settings for tls
173
tls:
174
servicePort: 443
175
# nodePort: 4443
176
# -- Apache APISIX service settings for stream. L4 proxy (TCP/UDP)
177
stream:
178
enabled: false
179
tcp: []
180
udp: []
181
# - secretName: apisix-tls
182
# hosts:
183
# - chart-example.local
184
# -- Override default labels assigned to Apache APISIX gateway resources
185
labelsOverride: {}
186
# labelsOverride:
187
# app.kubernetes.io/name: "{{ .Release.Name }}"
188
# app.kubernetes.io/instance: '{{ include "apisix.name" . }}'
189
# -- Using ingress access Apache APISIX service
190
ingress:
191
enabled: false
192
# -- (number) Service port to send traffic. Defaults to `service.http.servicePort`.
193
servicePort:
194
# -- Ingress annotations
195
annotations: {}
196
# kubernetes.io/ingress.class: nginx
197
# kubernetes.io/tls-acme: "true"
198
hosts:
199
- host: apisix.local
200
paths: []
201
tls: []
202
control:
203
# -- Enable Control API
204
enabled: true
205
service:
206
# -- Control annotations
207
annotations: {}
208
# -- Control service type
209
type: ClusterIP
210
# loadBalancerIP: a.b.c.d
211
# loadBalancerSourceRanges:
212
# - "143.231.0.0/16"
213
# -- IPs for which nodes in the cluster will also accept traffic for the servic
214
externalIPs: []
215
# -- NodePort (only if control.service.type is NodePort)
216
# nodePort: 32000
217
218
# -- which ip to listen on for Apache APISIX Control API
219
ip: "127.0.0.1"
220
# -- which port to use for Apache APISIX Control API
221
port: 9090
222
# -- Service port to use for Apache APISIX Control API
223
servicePort: 9090
224
# -- Using ingress access Apache APISIX Control service
225
ingress:
226
enabled: false
227
# -- Ingress annotations
228
annotations: {}
229
# kubernetes.io/ingress.class: nginx
230
# kubernetes.io/tls-acme: "true"
231
# -- Ingress Class Name
232
# className: "nginx"
233
hosts:
234
- host: apisix-control.local
235
paths:
236
- "/*"
237
tls: []
238
# - secretName: apisix-tls
239
# hosts:
240
# - chart-example.local
241
# -- Observability configuration.
242
metrics:
243
serviceMonitor:
244
# -- Enable or disable Apache APISIX serviceMonitor
245
enabled: false
246
# -- namespace where the serviceMonitor is deployed, by default, it is the same as the namespace of the apisix
247
namespace: ""
248
# -- name of the serviceMonitor, by default, it is the same as the apisix fullname
249
name: ""
250
# -- interval at which metrics should be scraped
251
interval: 15s
252
# -- @param serviceMonitor.labels ServiceMonitor extra labels
253
labels: {}
254
# -- @param serviceMonitor.annotations ServiceMonitor annotations
255
annotations: {}
256
apisix:
257
# -- Enable nginx IPv6 resolver
258
enableIPv6: true
259
enableHTTP2: true
260
# -- Whether the APISIX version number should be shown in Server header
261
enableServerTokens: true
262
# -- Use Pod metadata.uid as the APISIX id.
263
setIDFromPodUID: false
264
# -- Whether to add a custom lua module
265
luaModuleHook:
266
enabled: false
267
# -- extend lua_package_path to load third party code
268
luaPath: ""
269
# -- the hook module which will be used to inject third party code into APISIX
270
# use the lua require style like: "module.say_hello"
271
hookPoint: ""
272
# -- configmap that stores the codes
273
configMapRef:
274
# -- Name of the ConfigMap where the lua module codes store
275
name: ""
276
# mounts decides how to mount the codes to the container.
277
mounts:
278
# -- Name of the ConfigMap key, for setting the mapping relationship between ConfigMap key and the lua module code path.
279
- key: ""
280
# -- Filepath of the plugin code, for setting the mapping relationship between ConfigMap key and the lua module code path.
281
path: ""
282
ssl:
283
enabled: false
284
containerPort: 9443
285
# -- Support multiple https ports, See [Configuration](https://github.com/apache/apisix/blob/0bc65ea9acd726f79f80ae0abd8f50b7eb172e3d/conf/config-default.yaml#L99)
286
additionalContainerPorts: []
287
# - ip: 127.0.0.3 # Specific IP, If not set, the default value is `0.0.0.0`.
288
# port: 9445
289
# enable_http3: true
290
# -- Specifies the name of Secret contains trusted CA certificates in the PEM format used to verify the certificate when APISIX needs to do SSL/TLS handshaking with external services (e.g. etcd)
291
existingCASecret: ""
292
# -- Filename be used in the apisix.ssl.existingCASecret
293
certCAFilename: ""
294
enableHTTP3: false
295
# -- TLS protocols allowed to use.
296
sslProtocols: "TLSv1.2 TLSv1.3"
297
# -- TLS ciphers allowed to use.
298
sslCiphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
299
# -- Define SNI to fallback if none is presented by client
300
fallbackSNI: ""
301
router:
302
# -- Defines how apisix handles routing:
303
# - radixtree_uri: match route by uri(base on radixtree)
304
# - radixtree_host_uri: match route by host + uri(base on radixtree)
305
# - radixtree_uri_with_parameter: match route by uri with parameters
306
http: radixtree_host_uri
307
fullCustomConfig:
308
# -- Enable full customized config.yaml
309
enabled: false
310
# -- If apisix.fullCustomConfig.enabled is true, full customized config.yaml.
311
# Please note that other settings about APISIX config will be ignored
312
config: {}
313
deployment:
314
# -- Apache APISIX deployment mode
315
# Optional: traditional, decoupled, standalone
316
#
317
# ref: https://apisix.apache.org/docs/apisix/deployment-modes/
318
mode: traditional
319
# -- Deployment role
320
# Optional: traditional, data_plane, control_plane
321
#
322
# ref: https://apisix.apache.org/docs/apisix/deployment-modes/
323
role: "traditional"
324
role_traditional:
325
# enum: etcd, yaml
326
config_provider: "etcd"
327
# -- Standalone rules configuration
328
#
329
# ref: https://apisix.apache.org/docs/apisix/deployment-modes/#standalone
330
standalone:
331
# -- Rules which are set to the default apisix.yaml configmap.
332
# If apisix.delpoyment.standalone.existingConfigMap is empty, these are used.
333
config: |
334
routes:
335
-
336
uri: /hi
337
upstream:
338
nodes:
339
"127.0.0.1:1980": 1
340
type: roundrobin
341
# -- Specifies the name of the ConfigMap that contains the rule configurations.
342
# The configuration must be set to the key named `apisix.yaml` in the configmap.
343
existingConfigMap: ""
344
admin:
345
# -- Enable Admin API
346
enabled: true
347
# -- Enable Embedded Admin UI
348
enable_admin_ui: true
349
# -- admin service type
350
type: ClusterIP
351
# loadBalancerIP: a.b.c.d
352
# loadBalancerSourceRanges:
353
# - "143.231.0.0/16"
354
# -- IPs for which nodes in the cluster will also accept traffic for the servic
355
externalIPs: []
356
# -- which ip to listen on for Apache APISIX admin API. Set to `"[::]"` when on IPv6 single stack
357
ip: 0.0.0.0
358
# -- which port to use for Apache APISIX admin API
359
port: 9180
360
# -- Service port to use for Apache APISIX admin API
361
servicePort: 9180
362
# -- Admin API support CORS response headers
363
cors: true
364
# -- Admin API credentials
365
credentials:
366
# -- Apache APISIX admin API admin role credentials
367
admin: edd1c9f034335f136f87ad84b625c8f1
368
# -- Apache APISIX admin API viewer role credentials
369
viewer: 4054f7cf07e344346cd3f287985e76a2
370
# -- The APISIX Helm chart supports storing user credentials in a secret.
371
# The secret needs to contain two keys, admin and viewer, with their respective values set.
372
secretName: ""
373
# -- Name of the admin role key in the secret, overrides the default key name "admin"
374
secretAdminKey: ""
375
# -- Name of the viewer role key in the secret, overrides the default key name "viewer"
376
secretViewerKey: ""
377
allow:
378
# -- The client IP CIDR allowed to access Apache APISIX Admin API service.
379
ipList:
380
- 127.0.0.1/24
381
# -- Using ingress access Apache APISIX admin service
382
ingress:
383
enabled: false
384
# -- Ingress annotations
385
annotations: {}
386
# kubernetes.io/ingress.class: nginx
387
# kubernetes.io/tls-acme: "true"
388
hosts:
389
- host: apisix-admin.local
390
paths:
391
- "/apisix"
392
tls: []
393
# - secretName: apisix-tls
394
# hosts:
395
# - chart-example.local
396
nginx:
397
workerRlimitNofile: "20480"
398
workerConnections: "10620"
399
workerProcesses: auto
400
enableCPUAffinity: true
401
# -- Timeout during which a keep-alive client connection will stay open on the server side.
402
keepaliveTimeout: 60s
403
envs: []
404
# access log and error log configuration
405
logs:
406
# -- Enable access log or not, default true
407
enableAccessLog: true
408
# -- Access log path
409
accessLog: "/dev/stdout"
410
# -- Access log format
411
accessLogFormat: '$remote_addr - $remote_user [$time_local] $http_host \"$request\" $status $body_bytes_sent $request_time \"$http_referer\" \"$http_user_agent\" $upstream_addr $upstream_status $upstream_response_time \"$upstream_scheme://$upstream_host$upstream_uri\"'
412
# -- Allows setting json or default characters escaping in variables
413
accessLogFormatEscape: default
414
# -- Error log path
415
errorLog: "/dev/stderr"
416
# -- Error log level
417
errorLogLevel: "warn"
418
# -- Custom configuration snippet.
419
configurationSnippet:
420
main: ""
421
httpStart: ""
422
httpEnd: ""
423
httpSrv: ""
424
httpAdmin: ""
425
stream: ""
426
# -- Add custom [lua_shared_dict](https://github.com/openresty/lua-nginx-module?tab=readme-ov-file#lua_shared_dict) settings,
427
# click [here](https://github.com/apache/apisix-helm-chart/blob/master/charts/apisix/values.yaml#L27-L30) to learn the format of a shared dict
428
customLuaSharedDicts: []
429
# - name: foo
430
# size: 10k
431
# - name: bar
432
# size: 1m
433
434
# -- Override default [lua_shared_dict](https://github.com/apache/apisix/blob/master/conf/config.yaml.example#L250-L276) settings,
435
# click [here](https://github.com/apache/apisix-helm-chart/blob/master/charts/apisix/values.yaml#L27-L30) to learn the format of a shared dict
436
luaSharedDicts: []
437
# - name: prometheus-metrics
438
# size: 20m
439
440
# -- Override default meta-level [lua_shared_dict](https://github.com/apache/apisix/blob/master/conf/config.yaml.example) settings,
441
# meta-level shared dicts are shared across both HTTP and stream subsystems.
442
# Since APISIX 3.16.0, `upstream-healthcheck` is a meta-level shared dict.
443
# click [here](https://github.com/apache/apisix-helm-chart/blob/master/charts/apisix/values.yaml#L27-L30) to learn the format of a shared dict
444
metaLuaSharedDicts: []
445
# - name: upstream-healthcheck
446
# size: 10m
447
discovery:
448
# -- Enable or disable Apache APISIX integration service discovery
449
enabled: false
450
# -- Service discovery registry. Refer to [configuration under discovery](https://github.com/apache/apisix/blob/master/conf/config.yaml.example#L307) for example.
451
# Also see [example of using external service discovery](https://apisix.apache.org/docs/ingress-controller/1.8.0/tutorials/external-service-discovery/).
452
registry: {}
453
# Integration service discovery registry. E.g eureka\dns\nacos\consul_kv
454
# reference:
455
# https://apisix.apache.org/docs/apisix/discovery/#configuration-for-eureka
456
# https://apisix.apache.org/docs/apisix/discovery/dns/#service-discovery-via-dns
457
# https://apisix.apache.org/docs/apisix/discovery/consul_kv/#configuration-for-consul-kv
458
# https://apisix.apache.org/docs/apisix/discovery/nacos/#configuration-for-nacos
459
# https://apisix.apache.org/docs/apisix/discovery/kubernetes/#configuration
460
#
461
# an eureka example:
462
# ```
463
# eureka:
464
# host:
465
# - "http://${username}:${password}@${eureka_host1}:${eureka_port1}"
466
# - "http://${username}:${password}@${eureka_host2}:${eureka_port2}"
467
# prefix: "/eureka/"
468
# fetch_interval: 30
469
# weight: 100
470
# timeout:
471
# connect: 2000
472
# send: 2000
473
# read: 5000
474
# ```
475
#
476
# the minimal Kubernetes example:
477
# ```
478
# kubernetes: {}
479
# ```
480
#
481
# The prerequisites for the above minimal Kubernetes example:
482
# 1. [Optional] Set `.serviceAccount.create` to `true` to create a dedicated ServiceAccount.
483
# It is recommended to do so, otherwise the default ServiceAccount "default" will be used.
484
# 2. [Required] Set `.rbac.create` to `true` to create and bind the necessary RBAC resources.
485
# This grants the ServiceAccount in use to List-Watch Kubernetes Endpoints resources.
486
# 3. [Required] Include the following environment variables in `.nginx.envs` to pass them into
487
# nginx worker processes (https://nginx.org/en/docs/ngx_core_module.html#env):
488
# - KUBERNETES_SERVICE_HOST
489
# - KUBERNETES_SERVICE_PORT
490
# This is for allowing the default `host` and `port` of `.discovery.registry.kubernetes.service`.
491
dns:
492
resolvers:
493
- 127.0.0.1
494
- 172.20.0.10
495
- 114.114.114.114
496
- 223.5.5.5
497
- 1.1.1.1
498
- 8.8.8.8
499
validity: 30
500
timeout: 5
501
vault:
502
# -- Enable or disable the vault integration
503
enabled: false
504
# -- The host address where the vault server is running.
505
host: ""
506
# -- HTTP timeout for each request.
507
timeout: 10
508
# -- The generated token from vault instance that can grant access to read data from the vault.
509
token: ""
510
# -- Prefix allows you to better enforcement of policies.
511
prefix: ""
512
prometheus:
513
# ref: https://apisix.apache.org/docs/apisix/plugins/prometheus/
514
enabled: false
515
# -- path of the metrics endpoint
516
path: /apisix/prometheus/metrics
517
# -- prefix of the metrics
518
metricPrefix: apisix_
519
# -- container port where the metrics are exposed
520
containerPort: 9091
521
# -- Customize the list of APISIX plugins to enable. By default, APISIX's [default plugins](https://github.com/apache/apisix/blob/master/apisix/cli/config.lua#L196) are automatically used.
522
plugins: []
523
# -- Customize the list of APISIX stream_plugins to enable. By default, APISIX's [default stream_plugins](https://github.com/apache/apisix/blob/master/apisix/cli/config.lua#L294) are automatically used.
524
stream_plugins: []
525
# -- Set APISIX plugin attributes. By default, APISIX's [plugin_attr](https://github.com/apache/apisix/blob/master/apisix/cli/config.lua#L295) are automatically used.
526
# See [configuration example](https://github.com/apache/apisix/blob/master/conf/config.yaml.example#L591).
527
pluginAttrs: {}
528
extPlugin:
529
# -- Enable External Plugins. See [external plugin](https://apisix.apache.org/docs/apisix/next/external-plugin/)
530
enabled: false
531
# -- the command and its arguements to run as a subprocess
532
cmd: ["/path/to/apisix-plugin-runner/runner", "run"]
533
wasm:
534
# -- Enable Wasm Plugins. See [wasm plugin](https://apisix.apache.org/docs/apisix/next/wasm/)
535
enabled: false
536
plugins: []
537
# -- customPlugins allows you to mount your own HTTP plugins.
538
customPlugins:
539
# -- Whether to configure some custom plugins
540
enabled: false
541
# -- the lua_path that tells APISIX where it can find plugins,
542
# note the last ';' is required.
543
luaPath: "/opts/custom_plugins/?.lua"
544
plugins:
545
# -- plugin name.
546
- name: "plugin-name"
547
# -- plugin attrs
548
attrs: {}
549
# -- plugin codes can be saved inside configmap object.
550
configMap:
551
# -- name of configmap.
552
name: "configmap-name"
553
# -- since keys in configmap is flat, mountPath allows to define the mount
554
# path, so that plugin codes can be mounted hierarchically.
555
mounts:
556
- key: "the-file-name"
557
path: "mount-path"
558
status:
559
ip: "0.0.0.0"
560
port: 7085
561
# -- When configured, APISIX will trust the `X-Forwarded-*` Headers passed in requests from the IP/CIDR in the list.
562
trustedAddresses:
563
- 127.0.0.1
564
# -- external etcd configuration. If etcd.enabled is false, these configuration will be used.
565
externalEtcd:
566
# -- if etcd.enabled is false, use external etcd, support multiple address, if your etcd cluster enables TLS, please use https scheme, e.g. https://127.0.0.1:2379.
567
host:
568
# host or ip e.g. http://172.20.128.89:2379
569
- http://etcd.host:2379
570
# -- if etcd.enabled is false, user for external etcd. Set empty to disable authentication
571
user: root
572
# -- if etcd.enabled is true, use etcd.auth.rbac.rootPassword instead.
573
# -- if etcd.enabled is false and externalEtcd.existingSecret is not empty, the password should store in the corresponding secret
574
# -- if etcd.enabled is false and externalEtcd.existingSecret is empty, externalEtcd.password is the passsword for external etcd.
575
password: ""
576
# -- if externalEtcd.existingSecret is the name of secret containing the external etcd password
577
existingSecret: ""
578
# -- externalEtcd.secretPasswordKey Key inside the secret containing the external etcd password
579
secretPasswordKey: "etcd-root-password"
580
# -- etcd configuration
581
# use the FQDN address or the IP of the etcd
582
etcd:
583
# -- install built-in etcd by default, set false if do not want to install built-in etcd together,
584
# this etcd is based on bitnamilegacy/etcd helm chart and latest bitnami docker image, only for development and testing purposes,
585
# if you want to use etcd in production, we recommend you to install etcd by yourself and use `externalEtcd` to connect it.
586
enabled: true
587
# -- docker image for built-in etcd
588
image:
589
registry: docker.io
590
repository: bitnamilegacy/etcd
591
# -- `bitnamilegacy/etcd` only provide `latest` tag now, ref: https://github.com/bitnami/containers/issues/83267,
592
# you can switch `etcd.image.repository` to `bitnamilegacy/etcd` to use old versioned tags.
593
tag: latest
594
# -- apisix configurations prefix
595
prefix: "/apisix"
596
# -- Set the timeout value in seconds for subsequent socket operations from apisix to etcd cluster
597
timeout: 30
598
# -- if etcd.enabled is true, set more values of bitnamilegacy/etcd helm chart
599
auth:
600
rbac:
601
# -- No authentication by default. Switch to enable RBAC authentication
602
create: false
603
# -- root password for etcd. Requires etcd.auth.rbac.create to be true.
604
rootPassword: ""
605
tls:
606
# -- enable etcd client certificate
607
enabled: false
608
# -- name of the secret contains etcd client cert
609
existingSecret: ""
610
# -- etcd client cert filename using in etcd.auth.tls.existingSecret
611
certFilename: ""
612
# -- etcd client cert key filename using in etcd.auth.tls.existingSecret
613
certKeyFilename: ""
614
# -- whether to verify the etcd endpoint certificate when setup a TLS connection to etcd
615
verify: true
616
# -- specify the TLS Server Name Indication extension, the ETCD endpoint hostname will be used when this setting is unset.
617
sni: ""
618
# -- ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
619
# -- added for backward compatibility with old kubernetes versions, as seccompProfile is not supported in kubernetes < 1.19
620
containerSecurityContext:
621
enabled: false
622
service:
623
port: 2379
624
replicaCount: 3
625
autoCompactionRetention: "1h"
626
autoCompactionMode: "periodic"
627
# -- Ingress controller configuration
628
ingress-controller:
629
enabled: false
630
The trusted source for open source
Talk to an expertProduct
Customers
© 2026 Chainguard, Inc. All Rights Reserved.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.