# -- Default registry for all Kuma Images
registry: "docker.io/kumahq"
# -- The default tag for all Kuma images, which itself defaults to .Chart.AppVersion
# -- Add `imagePullSecrets` to all the service accounts used for Kuma components
# -- Whether to patch the target namespace with the system label
patchSystemNamespace: true
# -- Whether to install new CRDs before upgrade (if any were introduced with the new version of Kuma)
# -- The `imagePullSecrets` to attach to the Service Account running CRD installation.
# This field will be deprecated in a future release, please use .global.imagePullSecrets
# -- Whether to disable all helm hooks
# -- Whether to restart control-plane by calculating a new checksum for the secret
restartOnSecretChange: true
# -- Environment that control plane is run in, useful when running universal global control plane on k8s
environment: "kubernetes"
# -- Labels to add to resources in addition to default labels
# -- Kuma CP log level: one of off,info,debug
# -- Kuma CP log output path: Defaults to /dev/stdout
# -- Kuma CP modes: one of zone,global
# -- (string) Kuma CP zone, if running multizone
# -- Only used in `zone` mode
# -- Number of replicas of the Kuma CP. Ignored when autoscaling is enabled
# -- Minimum number of seconds for which a newly created pod should be ready for it to be considered available.
# -- Annotations applied only to the `Deployment` resource
deploymentAnnotations: {}
# -- Annotations applied only to the `Pod` resource
# Horizontal Pod Autoscaling configuration
# -- Whether to enable Horizontal Pod Autoscaling, which requires the [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) in the cluster
# -- The minimum CP pods to allow
# -- The max CP pods to scale to
# -- For clusters that don't support autoscaling/v2, autoscaling/v1 is used
targetCPUUtilizationPercentage: 80
# -- For clusters that do support autoscaling/v2, use metrics
averageUtilization: 80
# -- Node selector for the Kuma Control Plane pods
kubernetes.io/os: linux
# -- Tolerations for the Kuma Control Plane pods
# -- Whether to create a pod disruption budget
# -- The maximum number of unavailable pods allowed by the budget
# -- Affinity placement rule for the Kuma Control Plane pods.
# This is rendered as a template, so you can reference other helm variables or includes.
preferredDuringSchedulingIgnoredDuringExecution:
# These match the selector labels used on the deployment.
- key: app.kubernetes.io/name
- '{{ include "kuma.name" . }}'
- key: app.kubernetes.io/instance
- '{{ .Release.Name }}'
- '{{ include "kuma.name" . }}-control-plane'
topologyKey: kubernetes.io/hostname
# -- Topology spread constraints rule for the Kuma Control Plane pods.
# This is rendered as a template, so you can use variables to generate match labels.
topologySpreadConstraints:
# -- Failure policy of the mutating webhook implemented by the Kuma Injector component
injectorFailurePolicy: Fail
# -- Port on which Http api server Service is exposed on Node for service of type NodePort
# -- Port on which Https api server Service is exposed on Node for service of type NodePort
# -- Whether to create a service resource.
# -- (string) Optionally override of the Kuma Control Plane Service's name
# -- Service type of the Kuma Control Plane
# -- Annotations to put on the Kuma Control Plane
prometheus.io/scrape: "true"
prometheus.io/port: "5680"
# Kuma API and GUI ingress settings. Useful if you want to expose the
# API and GUI of Kuma outside the k8s cluster.
# -- Install K8s Ingress resource that exposes GUI and API
# -- IngressClass defines which controller will implement the resource
# -- Ingress hostname
# -- Map of ingress annotations.
# -- Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
pathType: ImplementationSpecific
# -- Port from kuma-cp to use to expose API and GUI. Switch to 5682 to expose TLS port
globalZoneSyncService:
# -- Whether to create a k8s service for the global zone sync
# service. It will only be created when enabled and deploying the global
# -- Service type of the Global-zone sync
# -- (string) Optionally specify IP to be used by cloud provider when configuring load balancer
# -- Optionally specify allowed source ranges that can access the load balancer
loadBalancerSourceRanges: []
# -- Additional annotations to put on the Global Zone Sync Service
# -- Port on which Global Zone Sync Service is exposed on Node for service of type NodePort
# -- Port on which Global Zone Sync Service is exposed
# -- Protocol of the Global Zone Sync service port
# -- Whether to skip creating the default Mesh
skipMeshCreation: false
# -- Whether to automountServiceAccountToken for cp. Optionally set to false
automountServiceAccountToken: true
# -- Optionally override the resource spec
# -- Pod lifecycle settings (useful for adding a preStop hook, when
# using AWS ALB or NLB)
# -- Number of seconds to wait before force killing the pod. Make sure to
# update this if you add a preStop hook.
terminationGracePeriodSeconds: 30
# TLS for various servers
# -- Secret that contains tls.crt, tls.key [and ca.crt when no
# controlPlane.tls.general.caSecretName specified] for protecting
# Kuma in-cluster communication
# -- Secret that contains ca.crt that was used to sign cert for protecting
# Kuma in-cluster communication (ca.crt present in this secret
# has precedence over the one provided in the controlPlane.tls.general.secretName)
# -- Base64 encoded CA certificate (the same as in controlPlane.tls.general.secret#ca.crt)
# -- Secret that contains tls.crt, tls.key for protecting Kuma API on HTTPS
# -- Secret that contains list of .pem certificates that can access admin endpoints of Kuma API on HTTPS
clientCertsSecretName: ""
# - if not creating the global control plane, then do nothing
# - if secretName is empty and create is false, then do nothing
# - if secretName is non-empty and create is false, then use the secret made outside of helm with the name secretName
# - if secretName is empty and create is true, then create a secret with a default name and use it
# - if secretName is non-empty and create is true, then create the secret using the provided name
# -- Name of the K8s TLS Secret resource. If you set this and don't set
# create=true, you have to create the secret manually.
# -- Whether to create the TLS secret in helm.
# -- The TLS certificate to offer.
# -- The TLS key to use.
# - if not creating the zonal control plane, then do nothing
# - if secretName is empty and create is false, then do nothing
# - if secretName is non-empty and create is false, then use the secret made outside of helm with the name secretName
# - if secretName is empty and create is true, then create a secret with a default name and use it
# - if secretName is non-empty and create is true, then create the secret using the provided name
# -- Name of the K8s Secret resource that contains ca.crt which was
# used to sign the certificate of KDS Global Server. If you set this
# and don't set create=true, you have to create the secret manually.
# -- Whether to create the TLS secret in helm.
# -- CA bundle that was used to sign the certificate of KDS Global Server.
# -- If true, the TLS certificate of the server is not verified.
# -- Annotations to add for Control Plane's Service Account
serviceAccountAnnotations: { }
# -- Kuma CP ImagePullPolicy
pullPolicy: IfNotPresent
# -- Kuma CP image repository
repository: "kuma-cp"
# -- Kuma CP Image tag. When not specified, the value is copied from global.tag
# -- (object with { Env: string, Secret: string, Key: string }) Secrets to add as environment variables,
# where `Env` is the name of the env variable,
# `Secret` is the name of the Secret,
# and `Key` is the key of the Secret value to use
# Secret: some-secret
# -- Additional environment variables that will be passed to the control plane
# -- Additional config maps to mount into the control plane, with optional inline values
# - name: extra-config
# mountPath: /etc/extra-config
# -- (object with { name: string, mountPath: string, readOnly: string }) Additional secrets to mount into the control plane,
# where `name` is the name of the Secret to mount,
# `mountPath` is the path at which it is mounted,
# and `readOnly` controls whether the mount is read-only
# mountPath: /etc/extra-config
# -- Additional rules to apply on Kuma validator webhook. Useful when building custom policy on top of Kuma.
# -- Additional rules to apply on Kuma owner reference webhook. Useful when building custom policy on top of Kuma.
# -- Specifies if the deployment should be started in hostNetwork mode.
# -- Define a new server port for the admission controller. Recommended to set in combination with
# hostNetwork to prevent multiple port bindings on the same port (like Calico in AWS EKS).
admissionServerPort: 5443
# -- Security context at the pod level for control plane.
# -- Security context at the container level for control plane.
containerSecurityContext:
readOnlyRootFilesystem: true
# -- Install Kuma with CNI instead of proxy init container
# -- Install CNI in chained mode
# -- Set the CNI install directory
netDir: /etc/cni/multus/net.d
# -- Set the CNI bin directory
binDir: /var/lib/cni/bin
# -- Set the CNI configuration name
confName: kuma-cni.conf
# -- CNI log level: one of off,info,debug
# -- Node Selector for the CNI pods
kubernetes.io/os: linux
# -- Tolerations for the CNI pods
# -- Additional pod annotations
# -- Set the CNI namespace
namespace: kube-system
# -- CNI image repository
repository: "kuma-cni"
# -- CNI image tag - defaults to .Chart.AppVersion
# -- CNI image pull policy
imagePullPolicy: IfNotPresent
# -- Only useful in tests, to trigger a possible race condition
delayStartupSeconds: 0
# -- use new CNI (experimental)
# -- CNI experimental eBPF image registry
registry: "docker.io/kumahq"
# -- CNI experimental eBPF image repository
repository: "merbridge"
# -- CNI experimental eBPF image tag
# -- Security context at the pod level for cni
podSecurityContext: {}
# -- Security context at the container level for cni
containerSecurityContext:
readOnlyRootFilesystem: true
# -- If true, then turn on CoreDNS query logging
# -- The Kuma DP image repository
repository: "kuma-dp"
# -- Kuma DP ImagePullPolicy
pullPolicy: IfNotPresent
# -- Kuma DP Image Tag. When not specified, the value is copied from global.tag
# -- The Kuma DP init image repository
repository: "kuma-init"
# -- Kuma DP init image tag. When not specified, the value is copied from global.tag
# -- If true, it deploys Ingress for cross cluster communication
# -- Labels to add to resources, in addition to default labels
# -- Time for which old listener will still be active as draining
# -- Number of replicas of the Ingress. Ignored when autoscaling is enabled.
# -- Log level for ingress (available values: off|info|debug)
# -- Define the resources to allocate to mesh ingress
# -- Pod lifecycle settings (useful for adding a preStop hook, when
# using AWS ALB or NLB)
# -- Number of seconds to wait before force killing the pod. Make sure to
# update this if you add a preStop hook.
terminationGracePeriodSeconds: 40
# Horizontal Pod Autoscaling configuration
# -- Whether to enable Horizontal Pod Autoscaling, which requires the [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) in the cluster
# -- The minimum CP pods to allow
# -- The max CP pods to scale to
# -- For clusters that don't support autoscaling/v2, autoscaling/v1 is used
targetCPUUtilizationPercentage: 80
# -- For clusters that do support autoscaling/v2, use metrics
averageUtilization: 80
# -- Whether to create a Service resource.
# -- Service type of the Ingress
# -- (string) Optionally specify IP to be used by cloud provider when configuring load balancer
# -- Additional annotations to put on the Ingress service
# -- Port on which Ingress is exposed
# -- Port on which service is exposed on Node for service of type NodePort
# -- Additional pod annotations (deprecated in favor of `podAnnotations`)
# -- Additional pod annotations
# -- Node Selector for the Ingress pods
kubernetes.io/os: linux
# -- Tolerations for the Ingress pods
# -- Whether to create a pod disruption budget
# -- The maximum number of unavailable pods allowed by the budget
# -- Affinity placement rule for the Kuma Ingress pods
# This is rendered as a template, so you can reference other helm variables
preferredDuringSchedulingIgnoredDuringExecution:
# These match the selector labels used on the deployment.
- key: app.kubernetes.io/name
- '{{ include "kuma.name" . }}'
- key: app.kubernetes.io/instance
- '{{ .Release.Name }}'
topologyKey: kubernetes.io/hostname
# -- Topology spread constraints rule for the Kuma Mesh Ingress pods.
# This is rendered as a template, so you can use variables to generate match labels.
topologySpreadConstraints:
# -- Security context at the pod level for ingress
# -- Security context at the container level for ingress
containerSecurityContext:
readOnlyRootFilesystem: true
# -- Annotations to add for the Ingress's Service Account
serviceAccountAnnotations: { }
# -- Whether to automountServiceAccountToken for the Ingress. Optionally set to false
automountServiceAccountToken: true
# -- If true, it deploys Egress for cross cluster communication
# -- Labels to add to resources, in addition to the default labels.
# -- Time for which old listener will still be active as draining
# -- Number of replicas of the Egress. Ignored when autoscaling is enabled.
# -- Log level for egress (available values: off|info|debug)
# Horizontal Pod Autoscaling configuration
# -- Whether to enable Horizontal Pod Autoscaling, which requires the [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) in the cluster
# -- The minimum CP pods to allow
# -- The max CP pods to scale to
# -- For clusters that don't support autoscaling/v2, autoscaling/v1 is used
targetCPUUtilizationPercentage: 80
# -- For clusters that do support autoscaling/v2, use metrics
averageUtilization: 80
# -- Whether to create the service object
# -- Service type of the Egress
# -- (string) Optionally specify IP to be used by cloud provider when configuring load balancer
# -- Additional annotations to put on the Egress service
# -- Port on which Egress is exposed
# -- Port on which service is exposed on Node for service of type NodePort
# -- Additional pod annotations (deprecated in favor of `podAnnotations`)
# -- Additional pod annotations
# -- Node Selector for the Egress pods
kubernetes.io/os: linux
# -- Tolerations for the Egress pods
# -- Whether to create a pod disruption budget
# -- The maximum number of unavailable pods allowed by the budget
# -- Affinity placement rule for the Kuma Egress pods.
# This is rendered as a template, so you can reference other helm variables or includes.
preferredDuringSchedulingIgnoredDuringExecution:
# These match the selector labels used on the deployment.
- key: app.kubernetes.io/name
- '{{ include "kuma.name" . }}'
- key: app.kubernetes.io/instance
- '{{ .Release.Name }}'
topologyKey: kubernetes.io/hostname
# -- Topology spread constraints rule for the Kuma Egress pods.
# This is rendered as a template, so you can use variables to generate match labels.
topologySpreadConstraints:
# -- Security context at the pod level for egress
# -- Security context at the container level for egress
containerSecurityContext:
readOnlyRootFilesystem: true
# -- Annotations to add for the Egress's Service Account
serviceAccountAnnotations: { }
# -- Whether to automountServiceAccountToken for the Egress. Optionally set to false
automountServiceAccountToken: true
# -- The kumactl image repository
# -- The kumactl image tag. When not specified, the value is copied from global.tag
# -- The kubectl image registry
# -- The kubectl image repository
repository: bitnami/kubectl
# -- The kubectl image tag
# -- Node selector for the HELM hooks
kubernetes.io/os: linux
# -- Tolerations for the HELM hooks
# -- Security context at the pod level for crd/webhook/ns
# -- Security context at the container level for crd/webhook/ns
containerSecurityContext:
readOnlyRootFilesystem: true
# -- ebpf-cleanup hook needs write access to the root filesystem to clean ebpf programs
# Changing below values will potentially break ebpf cleanup completely,
# so be cautious when doing so.
# -- Security context at the pod level for crd/webhook/cleanup-ebpf
# -- Security context at the container level for crd/webhook/cleanup-ebpf
containerSecurityContext:
readOnlyRootFilesystem: false
# -- If true, it installs experimental Gateway API support
# Configuration for the experimental ebpf mode for transparent proxy
# -- If true, ebpf will be used instead of using iptables to install/configure transparent proxy
# -- Name of the environmental variable which will contain the IP address of a pod
instanceIPEnvVarName: INSTANCE_IP
# -- Path where BPF file system should be mounted
bpffsPath: /sys/fs/bpf
# -- Host's cgroup2 path
cgroupPath: /sys/fs/cgroup
# -- Name of the network interface which TC programs should be attached to, we'll try to automatically determine it if empty
# -- Path where compiled eBPF programs which will be installed can be found
programsSourcePath: /kuma/ebpf
# -- If false, it uses legacy API for resource synchronization
# Postgres' settings for universal control plane on k8s
# -- Postgres port, password should be provided as a secret reference in "controlPlane.secrets"
# with the Env value "KUMA_STORE_POSTGRES_PASSWORD".
# - Secret: postgres-postgresql
# Key: postgresql-password
# Env: KUMA_STORE_POSTGRES_PASSWORD
# -- Mode of TLS connection. Available values are: "disable", "verifyNone", "verifyCa", "verifyFull"
mode: disable # ENV: KUMA_STORE_POSTGRES_TLS_MODE
# -- Whether to disable SNI (the postgres `sslsni` option).
disableSSLSNI: false # ENV: KUMA_STORE_POSTGRES_TLS_DISABLE_SSLSNI
# -- Secret name that contains the ca.crt
# -- Secret name that contains the client tls.crt, tls.key
# @ignored for helm-docs
meshcircuitbreakers: true
meshfaultinjections: true
meshhealthchecks: true
meshloadbalancingstrategies: true
meshproxypatches: true
meshtrafficpermissions: true