Contour is an open source Kubernetes ingress controller that works by deploying the Envoy proxy as a reverse proxy and load balancer.
Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement.
helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/contour
Note: You need to substitute the placeholders
REGISTRY_NAME
andREPOSITORY_NAME
with a reference to your Helm chart registry and repository.
Bitnami charts for Helm are carefully engineered, actively maintained and are the quickest and easiest way to deploy containers on a Kubernetes cluster that are ready to handle production workloads.
This chart bootstraps a Contour Ingress Controller Deployment and a Envoy Proxy Daemonset on a Kubernetes cluster using the Helm package manager.
Bitnami charts can be used with Kubeapps for deployment and management of Helm Charts in clusters.
ServiceType: LoadBalancer
like MetalLBTo install the chart with the release name my-release
:
helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/contour
Note: You need to substitute the placeholders
REGISTRY_NAME
andREPOSITORY_NAME
with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to useREGISTRY_NAME=registry-1.docker.io
andREPOSITORY_NAME=bitnamicharts
.
These commands deploy contour on the Kubernetes cluster in the default configuration. The Parameters section lists the parameters that can be configured during installation.
Tip: List all releases using
helm list
orhelm ls --all-namespaces
Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the resources
value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case.
To make this process easier, the chart contains the resourcesPreset
values, which automatically sets the resources
section according to different presets. Check these presets in the bitnami/common chart. However, in production workloads using resourcePreset
is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the official Kubernetes documentation.
It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
To configure Contour please look into the configuration section Contour Configuration.
configInline:
# should contour expect to be running inside a k8s cluster
# incluster: true
#
# path to kubeconfig (if not running inside a k8s cluster)
# kubeconfig: /path/to/.kube/config
#
# Client request timeout to be passed to Envoy
# as the connection manager request_timeout.
# Defaults to 0, which Envoy interprets as disabled.
# Note that this is the timeout for the whole request,
# not an idle timeout.
# request-timeout: 0s
# disable ingressroute permitInsecure field
disablePermitInsecure: false
tls:
# minimum TLS version that Contour will negotiate
# minimum-protocol-version: "1.1"
# Defines the Kubernetes name/namespace matching a secret to use
# as the fallback certificate when requests which don't match the
# SNI defined for a vhost.
fallback-certificate:
# name: fallback-secret-name
# namespace: projectcontour
# The following config shows the defaults for the leader election.
# leaderelection:
# configmap-name: leader-elect
# configmap-namespace: projectcontour
### Logging options
# Default setting
accesslog-format: envoy
# To enable JSON logging in Envoy
# accesslog-format: json
# The default fields that will be logged are specified below.
# To customise this list, just add or remove entries.
# The canonical list is available at
# https://godoc.org/github.com/projectcontour/contour/internal/envoy#JSONFields
# json-fields:
# - "@timestamp"
# - "authority"
# - "bytes_received"
# - "bytes_sent"
# - "downstream_local_address"
# - "downstream_remote_address"
# - "duration"
# - "method"
# - "path"
# - "protocol"
# - "request_id"
# - "requested_server_name"
# - "response_code"
# - "response_flags"
# - "uber_trace_id"
# - "upstream_cluster"
# - "upstream_host"
# - "upstream_local_address"
# - "upstream_service_time"
# - "user_agent"
# - "x_forwarded_for"
#
# default-http-versions:
# - "HTTP/2"
# - "HTTP/1.1"
#
# The following shows the default proxy timeout settings.
# timeouts:
# request-timeout: infinity
# connection-idle-timeout: 60s
# stream-idle-timeout: 5m
# max-connection-duration: infinity
# connection-shutdown-grace-period: 5s
By default, Contour is launched with an AWS Classic ELB. To launch contour backed by a NLB, please set these settings:
envoy:
service:
annotations:
service.beta.kubernetes.io/aws-load-balancer-type: nlb
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600"
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm: arn:aws:acm:XX-XXXX-X:XXXXXXXXX:certificate/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX
containerPorts:
http: 80
https: 80
This chart allows you to set your custom affinity using the XXX.affinity
parameter(s). Find more information about Pod’s affinity in the kubernetes documentation.
As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the bitnami/common chart. To do so, set the XXX.podAffinityPreset
, XXX.podAntiAffinityPreset
, or XXX.nodeAffinityPreset
parameters.
Name | Description | Value |
---|---|---|
global.imageRegistry |
Global Docker image registry | "" |
global.imagePullSecrets |
Global Docker registry secret names as an array | [] |
global.defaultStorageClass |
Global default StorageClass for Persistent Volume(s) | "" |
global.storageClass |
DEPRECATED: use global.defaultStorageClass instead | "" |
global.compatibility.openshift.adaptSecurityContext |
Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | auto |
Name | Description | Value |
---|---|---|
nameOverride |
String to partially override contour.fullname include (will maintain the release name) | "" |
fullnameOverride |
String to fully override contour.fullname template | "" |
namespaceOverride |
String to fully override common.names.namespace | "" |
kubeVersion |
Force target Kubernetes version (using Helm capabilities if not set) | "" |
extraDeploy |
Array of extra objects to deploy with the release | [] |
commonLabels |
Labels to add to all deployed objects | {} |
commonAnnotations |
Annotations to add to all deployed objects | {} |
diagnosticMode.enabled |
Enable diagnostic mode (all probes will be disabled and the command will be overridden) | false |
diagnosticMode.command |
Command to override all containers in the deployment | [] |
diagnosticMode.args |
Args to override all containers in the deployment | [] |
Name | Description | Value |
---|---|---|
existingConfigMap |
Specifies the name of an externally-defined ConfigMap to use as the configuration (this is mutually exclusive with configInline ) |
"" |
configInline |
Specifies Contour’s configuration directly in YAML format | {} |
contour.enabled |
Contour Deployment creation. | true |
contour.image.registry |
Contour image registry | REGISTRY_NAME |
contour.image.repository |
Contour image name | REPOSITORY_NAME/contour |
contour.image.digest |
Contour image digest in the way sha256:aa…. Please note this parameter, if set, will override the tag | "" |
contour.image.pullPolicy |
Contour Image pull policy | IfNotPresent |
contour.image.pullSecrets |
Contour Image pull secrets | [] |
contour.image.debug |
Enable image debug mode | false |
contour.contourConfigName |
Contour Deployment with ContourConfiguration CRD. | contour |
contour.configPath |
Contour Deployment with configmap. | true |
contour.replicaCount |
Number of Contour Pod replicas | 1 |
contour.priorityClassName |
Priority class assigned to the pods | "" |
contour.schedulerName |
Name of the k8s scheduler (other than default) | "" |
contour.terminationGracePeriodSeconds |
In seconds, time the given to the Contour pod needs to terminate gracefully | "" |
contour.topologySpreadConstraints |
Topology Spread Constraints for pod assignment | [] |
contour.containerPorts.xds |
Set xds port inside Contour pod | 8001 |
contour.containerPorts.metrics |
Set metrics port inside Contour pod | 8000 |
contour.automountServiceAccountToken |
Mount Service Account token in pod | true |
contour.hostAliases |
Add deployment host aliases | [] |
contour.updateStrategy |
Strategy to use to update Pods | {} |
contour.extraArgs |
Extra arguments passed to Contour container | [] |
contour.resourcesPreset |
Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if contour.resources is set (contour.resources is recommended for production). | nano |
contour.resources |
Set container requests and limits for different resources like CPU or memory (essential for production workloads) | {} |
contour.manageCRDs |
Manage the creation, upgrade and deletion of Contour CRDs. | true |
contour.envoyServiceNamespace |
Namespace of the envoy service to inspect for Ingress status details. | "" |
contour.envoyServiceName |
Name of the envoy service to inspect for Ingress status details. | "" |
contour.leaderElectionResourceName |
Name of the contour (Lease) leader election will lease. | "" |
contour.ingressStatusAddress |
Address to set in Ingress object status. It is exclusive with envoyServiceName and envoyServiceNamespace . |
"" |
contour.podAffinityPreset |
Contour Pod affinity preset. Ignored if affinity is set. Allowed values: soft or hard |
"" |
contour.podAntiAffinityPreset |
Contour Pod anti-affinity preset. Ignored if affinity is set. Allowed values: soft or hard |
soft |
contour.podLabels |
Extra labels for Contour pods | {} |
contour.lifecycleHooks |
lifecycleHooks for the container to automate configuration before or after startup. | {} |
contour.customLivenessProbe |
Override default liveness probe | {} |
contour.customReadinessProbe |
Override default readiness probe | {} |
contour.customStartupProbe |
Override default startup probe | {} |
contour.nodeAffinityPreset.type |
Contour Node affinity preset type. Ignored if affinity is set. Allowed values: soft or hard |
"" |
contour.nodeAffinityPreset.key |
Contour Node label key to match Ignored if affinity is set. |
"" |
contour.nodeAffinityPreset.values |
Contour Node label values to match. Ignored if affinity is set. |
[] |
contour.command |
Override default command | [] |
contour.args |
Override default args | [] |
contour.affinity |
Affinity for Contour pod assignment | {} |
contour.nodeSelector |
Node labels for Contour pod assignment | {} |
contour.tolerations |
Tolerations for Contour pod assignment | [] |
contour.podAnnotations |
Contour Pod annotations | {} |
contour.serviceAccount.create |
Create a serviceAccount for the Contour pod | true |
contour.serviceAccount.name |
Use the serviceAccount with the specified name, a name is generated using the fullname template | "" |
contour.serviceAccount.automountServiceAccountToken |
Automount service account token for the server service account | false |
contour.serviceAccount.annotations |
Annotations for service account. Evaluated as a template. Only used if create is true . |
{} |
contour.podSecurityContext.enabled |
Default backend Pod securityContext | true |
contour.podSecurityContext.fsGroupChangePolicy |
Set filesystem group change policy | Always |
contour.podSecurityContext.sysctls |
Set kernel settings using the sysctl interface | [] |
contour.podSecurityContext.supplementalGroups |
Set filesystem extra groups | [] |
contour.podSecurityContext.fsGroup |
Set Default backend Pod’s Security Context fsGroup | 1001 |
contour.containerSecurityContext.enabled |
Enabled contour containers’ Security Context | true |
contour.containerSecurityContext.seLinuxOptions |
Set SELinux options in container | {} |
contour.containerSecurityContext.runAsUser |
Set contour containers’ Security Context runAsUser | 1001 |
contour.containerSecurityContext.runAsGroup |
Set contour containers’ Security Context runAsGroup | 1001 |
contour.containerSecurityContext.runAsNonRoot |
Set contour containers’ Security Context runAsNonRoot | true |
contour.containerSecurityContext.readOnlyRootFilesystem |
Set read only root file system pod’s Security Conte | true |
contour.containerSecurityContext.privileged |
Set contour container’s Security Context privileged | false |
contour.containerSecurityContext.allowPrivilegeEscalation |
Set contour container’s Security Context allowPrivilegeEscalation | false |
contour.containerSecurityContext.capabilities.drop |
List of capabilities to be dropped | ["ALL"] |
contour.containerSecurityContext.seccompProfile.type |
Set container’s Security Context seccomp profile | RuntimeDefault |
contour.livenessProbe.enabled |
Enable/disable the Liveness probe | true |
contour.livenessProbe.initialDelaySeconds |
Delay before liveness probe is initiated | 120 |
contour.livenessProbe.periodSeconds |
How often to perform the probe | 20 |
contour.livenessProbe.timeoutSeconds |
When the probe times out | 5 |
contour.livenessProbe.failureThreshold |
Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 |
contour.livenessProbe.successThreshold |
Minimum consecutive successes for the probe to be considered successful after having failed. | 1 |
contour.readinessProbe.enabled |
Enable/disable the readiness probe | true |
contour.readinessProbe.initialDelaySeconds |
Delay before readiness probe is initiated | 15 |
contour.readinessProbe.periodSeconds |
How often to perform the probe | 10 |
contour.readinessProbe.timeoutSeconds |
When the probe times out | 5 |
contour.readinessProbe.failureThreshold |
Minimum consecutive failures for the probe to be considered failed after having succeeded. | 3 |
contour.readinessProbe.successThreshold |
Minimum consecutive successes for the probe to be considered successful after having failed. | 1 |
contour.startupProbe.enabled |
Enable/disable the startup probe | false |
contour.startupProbe.initialDelaySeconds |
Delay before startup probe is initiated | 15 |
contour.startupProbe.periodSeconds |
How often to perform the probe | 10 |
contour.startupProbe.timeoutSeconds |
When the probe times out | 5 |
contour.startupProbe.failureThreshold |
Minimum consecutive failures for the probe to be considered failed after having succeeded. | 3 |
contour.startupProbe.successThreshold |
Minimum consecutive successes for the probe to be considered successful after having failed. | 1 |
contour.certgen.serviceAccount.create |
Create a serviceAccount for the Contour pod | true |
contour.certgen.serviceAccount.name |
Use the serviceAccount with the specified name, a name is generated using the fullname template | "" |
contour.certgen.serviceAccount.automountServiceAccountToken |
Automount service account token for the server service account | false |
contour.certgen.serviceAccount.annotations |
Annotations for service account. Evaluated as a template. Only used if create is true . |
{} |
contour.certgen.certificateLifetime |
Generated certificate lifetime (in days). | 365 |
contour.certgen.automountServiceAccountToken |
Mount Service Account token in pod | true |
contour.certgen.networkPolicy.enabled |
Specifies whether a NetworkPolicy should be created | true |
contour.certgen.networkPolicy.allowExternal |
Don’t require server label for connections | true |
contour.certgen.networkPolicy.allowExternalEgress |
Allow the pod to access any range of port and all destinations. | true |
contour.certgen.networkPolicy.kubeAPIServerPorts |
List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | [] |
contour.certgen.networkPolicy.extraIngress |
Add extra ingress rules to the NetworkPolicy | [] |
contour.certgen.networkPolicy.extraEgress |
Add extra ingress rules to the NetworkPolicy | [] |
contour.certgen.networkPolicy.ingressNSMatchLabels |
Labels to match to allow traffic from other namespaces | {} |
contour.certgen.networkPolicy.ingressNSPodMatchLabels |
Pod labels to match to allow traffic from other namespaces | {} |
contour.tlsExistingSecret |
Name of the existingSecret to be use in Contour deployment. If it is not nil contour.certgen will be disabled. |
"" |
contour.service.type |
Service type | ClusterIP |
contour.service.ports.xds |
Contour service xds port | 8001 |
contour.service.ports.metrics |
Contour service xds port | 8000 |
contour.service.nodePorts.xds |
Node port for HTTP | "" |
contour.service.clusterIP |
Contour service Cluster IP | "" |
contour.service.loadBalancerIP |
Contour service Load Balancer IP | "" |
contour.service.loadBalancerSourceRanges |
Contour service Load Balancer sources | [] |
contour.service.loadBalancerClass |
Contour service Load Balancer Class | "" |
contour.service.externalTrafficPolicy |
Contour service external traffic policy | Cluster |
contour.service.annotations |
Additional custom annotations for Contour service | {} |
contour.service.extraPorts |
Extra port to expose on Contour service | [] |
contour.service.sessionAffinity |
Session Affinity for Kubernetes service, can be “None” or “ClientIP” | None |
contour.service.sessionAffinityConfig |
Additional settings for the sessionAffinity | {} |
contour.networkPolicy.enabled |
Specifies whether a NetworkPolicy should be created | true |
contour.networkPolicy.allowExternal |
Don’t require server label for connections | true |
contour.networkPolicy.allowExternalEgress |
Allow the pod to access any range of port and all destinations. | true |
contour.networkPolicy.kubeAPIServerPorts |
List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | [] |
contour.networkPolicy.extraIngress |
Add extra ingress rules to the NetworkPolicy | [] |
contour.networkPolicy.extraEgress |
Add extra ingress rules to the NetworkPolicy | [] |
contour.networkPolicy.ingressNSMatchLabels |
Labels to match to allow traffic from other namespaces | {} |
contour.networkPolicy.ingressNSPodMatchLabels |
Pod labels to match to allow traffic from other namespaces | {} |
contour.initContainers |
Attach additional init containers to Contour pods | [] |
contour.sidecars |
Add additional sidecar containers to the Contour pods | [] |
contour.extraVolumes |
Array to add extra volumes | [] |
contour.extraVolumeMounts |
Array to add extra mounts (normally used with extraVolumes) | [] |
contour.extraEnvVars |
Array containing extra env vars to be added to all Contour containers | [] |
contour.extraEnvVarsCM |
ConfigMap containing extra env vars to be added to all Contour containers | "" |
contour.extraEnvVarsSecret |
Secret containing extra env vars to be added to all Contour containers | "" |
contour.ingressClass.name |
Name of the ingress class to route through this controller. | "" |
contour.ingressClass.create |
Whether to create or not the IngressClass resource | true |
contour.ingressClass.default |
Mark IngressClass resource as default for cluster | true |
contour.debug |
Enable Contour debug log level | false |
contour.logFormat |
Set contour log-format. Default text, either text or json. | text |
contour.kubernetesDebug |
Contour kubernetes debug log level, Default 0, minimum 0, maximum 9. | 0 |
contour.rootNamespaces |
Restrict Contour to searching these namespaces for root ingress routes. | "" |
contour.overloadManager.enabled |
Enable Overload Manager | false |
contour.overloadManager.maxHeapBytes |
Overload Manager’s maximum heap size in bytes | 2147483648 |
contour.pdb.create |
Enable Pod Disruption Budget configuration | true |
contour.pdb.minAvailable |
Minimum number/percentage of Default backend pods that should remain scheduled | "" |
contour.pdb.maxUnavailable |
Maximum number/percentage of Default backend pods that should remain scheduled | "" |
Name | Description | Value |
---|---|---|
envoy.enabled |
Envoy Proxy creation | true |
envoy.image.registry |
Envoy Proxy image registry | REGISTRY_NAME |
envoy.image.repository |
Envoy Proxy image repository | REPOSITORY_NAME/envoy |
envoy.image.digest |
Envoy Proxy image digest in the way sha256:aa…. Please note this parameter, if set, will override the tag | "" |
envoy.image.pullPolicy |
Envoy image pull policy | IfNotPresent |
envoy.image.pullSecrets |
Envoy image pull secrets | [] |
envoy.priorityClassName |
Priority class assigned to the pods | "" |
envoy.schedulerName |
Name of the k8s scheduler (other than default) | "" |
envoy.topologySpreadConstraints |
Topology Spread Constraints for pod assignment | [] |
envoy.extraArgs |
Extra arguments passed to Envoy container | [] |
envoy.automountServiceAccountToken |
Mount Service Account token in pod | false |
envoy.hostAliases |
Add deployment host aliases | [] |
envoy.resourcesPreset |
Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if envoy.resources is set (envoy.resources is recommended for production). | nano |
envoy.resources |
Set container requests and limits for different resources like CPU or memory (essential for production workloads) | {} |
envoy.command |
Override default command | [] |
envoy.args |
Override default args | [] |
envoy.shutdownManager.enabled |
Contour shutdownManager sidecar | true |
envoy.shutdownManager.extraArgs |
Extra arguments passed to shutdown container | [] |
envoy.shutdownManager.resourcesPreset |
Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if envoy.shutdownManager.resources is set (envoy.shutdownManager.resources is recommended for production). | nano |
envoy.shutdownManager.resources |
Set container requests and limits for different resources like CPU or memory (essential for production workloads) | {} |
envoy.shutdownManager.containerPorts.http |
Specify Port for shutdown container | 8090 |
envoy.shutdownManager.lifecycleHooks |
lifecycleHooks for the container to automate configuration before or after startup. | {} |
envoy.shutdownManager.containerSecurityContext.enabled |
Enabled envoy shutdownManager containers’ Security Context | true |
envoy.shutdownManager.containerSecurityContext.seLinuxOptions |
Set SELinux options in container | {} |
envoy.shutdownManager.containerSecurityContext.runAsUser |
Set envoy shutdownManager containers’ Security Context runAsUser | 1001 |
envoy.shutdownManager.containerSecurityContext.runAsGroup |
Set contour containers’ Security Context runAsGroup | 1001 |
envoy.shutdownManager.containerSecurityContext.runAsNonRoot |
Set envoy shutdownManager containers’ Security Context runAsNonRoot | true |
envoy.shutdownManager.containerSecurityContext.readOnlyRootFilesystem |
Set read only root file system pod’s Security Conte | true |
envoy.shutdownManager.containerSecurityContext.privileged |
Set envoy.shutdownManager container’s Security Context privileged | false |
envoy.shutdownManager.containerSecurityContext.allowPrivilegeEscalation |
Set envoy shutdownManager container’s Security Context allowPrivilegeEscalation | false |
envoy.shutdownManager.containerSecurityContext.capabilities.drop |
List of capabilities to be dropped | ["ALL"] |
envoy.shutdownManager.containerSecurityContext.seccompProfile.type |
Set container’s Security Context seccomp profile | RuntimeDefault |
envoy.shutdownManager.livenessProbe.enabled |
Enable livenessProbe | true |
envoy.shutdownManager.livenessProbe.initialDelaySeconds |
Initial delay seconds for livenessProbe | 120 |
envoy.shutdownManager.livenessProbe.periodSeconds |
Period seconds for livenessProbe | 20 |
envoy.shutdownManager.livenessProbe.timeoutSeconds |
Timeout seconds for livenessProbe | 5 |
envoy.shutdownManager.livenessProbe.failureThreshold |
Failure threshold for livenessProbe | 6 |
envoy.shutdownManager.livenessProbe.successThreshold |
Success threshold for livenessProbe | 1 |
envoy.shutdownManager.readinessProbe.enabled |
Enable/disable the readiness probe | true |
envoy.shutdownManager.readinessProbe.initialDelaySeconds |
Delay before readiness probe is initiated | 10 |
envoy.shutdownManager.readinessProbe.periodSeconds |
How often to perform the probe | 3 |
envoy.shutdownManager.readinessProbe.timeoutSeconds |
When the probe times out | 1 |
envoy.shutdownManager.readinessProbe.failureThreshold |
Minimum consecutive failures for the probe to be considered failed after having succeeded. | 3 |
envoy.shutdownManager.readinessProbe.successThreshold |
Minimum consecutive successes for the probe to be considered successful after having failed. | 1 |
envoy.shutdownManager.startupProbe.enabled |
Enable/disable the startup probe | false |
envoy.shutdownManager.startupProbe.initialDelaySeconds |
Delay before startup probe is initiated | 15 |
envoy.shutdownManager.startupProbe.periodSeconds |
How often to perform the probe | 10 |
envoy.shutdownManager.startupProbe.timeoutSeconds |
When the probe times out | 5 |
envoy.shutdownManager.startupProbe.failureThreshold |
Minimum consecutive failures for the probe to be considered failed after having succeeded. | 3 |
envoy.shutdownManager.startupProbe.successThreshold |
Minimum consecutive successes for the probe to be considered successful after having failed. | 1 |
envoy.shutdownManager.customLivenessProbe |
Override default liveness probe | {} |
envoy.shutdownManager.customReadinessProbe |
Override default readiness probe | {} |
envoy.shutdownManager.customStartupProbe |
Override default startup probe | {} |
envoy.initConfig.containerSecurityContext.enabled |
Enabled envoy initConfig containers’ Security Context | true |
envoy.initConfig.containerSecurityContext.seLinuxOptions |
Set SELinux options in container | {} |
envoy.initConfig.containerSecurityContext.runAsUser |
Set envoy initConfig containers’ Security Context runAsUser | 1001 |
envoy.initConfig.containerSecurityContext.runAsGroup |
Set envoy initConfig containers’ Security Context runAsUser | 1001 |
envoy.initConfig.containerSecurityContext.runAsNonRoot |
Set envoy initConfig containers’ Security Context runAsNonRoot | true |
envoy.initConfig.containerSecurityContext.readOnlyRootFilesystem |
Set read only root file system pod’s Security Conte | true |
envoy.initConfig.containerSecurityContext.privileged |
Set contraller container’s Security Context privileged | false |
envoy.initConfig.containerSecurityContext.allowPrivilegeEscalation |
Set contraller container’s Security Context allowPrivilegeEscalation | false |
envoy.initConfig.containerSecurityContext.capabilities.drop |
List of capabilities to be dropped | ["ALL"] |
envoy.initConfig.containerSecurityContext.seccompProfile.type |
Set container’s Security Context seccomp profile | RuntimeDefault |
envoy.kind |
Install as deployment or daemonset | daemonset |
envoy.replicaCount |
Desired number of Controller pods | 1 |
envoy.lifecycleHooks |
lifecycleHooks for the container to automate configuration before or after startup. | {} |
envoy.updateStrategy |
Strategy to use to update Pods | {} |
envoy.minReadySeconds |
The minimum number of seconds for which a newly created Pod should be ready | 0 |
envoy.revisionHistoryLimit |
The number of old history to retain to allow rollback | 10 |
envoy.autoscaling.enabled |
Enable autoscaling for Controller | false |
envoy.autoscaling.minReplicas |
Minimum number of Controller replicas | 1 |
envoy.autoscaling.maxReplicas |
Maximum number of Controller replicas | 11 |
envoy.autoscaling.targetCPU |
Target CPU utilization percentage | "" |
envoy.autoscaling.targetMemory |
Target Memory utilization percentage | "" |
envoy.autoscaling.behavior |
HPA Behavior | {} |
envoy.podAffinityPreset |
Envoy Pod affinity preset. Ignored if affinity is set. Allowed values: soft or hard |
"" |
envoy.podAntiAffinityPreset |
Envoy Pod anti-affinity preset. Ignored if affinity is set. Allowed values: soft or hard |
"" |
envoy.nodeAffinityPreset.type |
Envoy Node affinity preset type. Ignored if affinity is set. Allowed values: soft or hard |
"" |
envoy.nodeAffinityPreset.key |
Envoy Node label key to match Ignored if affinity is set. |
"" |
envoy.nodeAffinityPreset.values |
Envoy Node label values to match. Ignored if affinity is set. |
[] |
envoy.affinity |
Affinity for Envoy pod assignment | {} |
envoy.nodeSelector |
Node labels for Envoy pod assignment | {} |
envoy.tolerations |
Tolerations for Envoy pod assignment | [] |
envoy.podAnnotations |
Envoy Pod annotations | {} |
envoy.podLabels |
Extra labels for Envoy pods | {} |
envoy.podSecurityContext.enabled |
Envoy Pod securityContext | true |
envoy.podSecurityContext.fsGroupChangePolicy |
Set filesystem group change policy | Always |
envoy.podSecurityContext.supplementalGroups |
Set filesystem extra groups | [] |
envoy.podSecurityContext.fsGroup |
User ID for the for the mounted volumes | 0 |
envoy.podSecurityContext.sysctls |
Array of sysctl options to allow | [] |
envoy.containerSecurityContext.enabled |
Enabled envoy containers’ Security Context | true |
envoy.containerSecurityContext.seLinuxOptions |
Set SELinux options in container | {} |
envoy.containerSecurityContext.runAsUser |
Set envoy containers’ Security Context runAsUser | 1001 |
envoy.containerSecurityContext.runAsGroup |
Set envoy containers’ Security Context runAsGroup | 1001 |
envoy.containerSecurityContext.runAsNonRoot |
Set envoy containers’ Security Context runAsNonRoot | true |
envoy.containerSecurityContext.readOnlyRootFilesystem |
Set read only root file system pod’s Security Conte | true |
envoy.containerSecurityContext.privileged |
Set envoy container’s Security Context privileged | false |
envoy.containerSecurityContext.allowPrivilegeEscalation |
Set envoy container’s Security Context allowPrivilegeEscalation | false |
envoy.containerSecurityContext.capabilities.drop |
List of capabilities to be dropped | ["ALL"] |
envoy.containerSecurityContext.seccompProfile.type |
Set container’s Security Context seccomp profile | RuntimeDefault |
envoy.hostNetwork |
Envoy Pod host network access | false |
envoy.dnsPolicy |
Envoy Pod Dns Policy’s DNS Policy | ClusterFirst |
envoy.tlsExistingSecret |
Name of the existingSecret to be use in Envoy deployment | "" |
envoy.serviceAccount.create |
Specifies whether a ServiceAccount should be created | true |
envoy.serviceAccount.name |
The name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template | "" |
envoy.serviceAccount.automountServiceAccountToken |
Whether to auto mount API credentials for a service account | false |
envoy.serviceAccount.annotations |
Annotations for service account. Evaluated as a template. Only used if create is true . |
{} |
envoy.livenessProbe.enabled |
Enable livenessProbe | true |
envoy.livenessProbe.port |
LivenessProbe port | 8002 |
envoy.livenessProbe.initialDelaySeconds |
Initial delay seconds for livenessProbe | 120 |
envoy.livenessProbe.periodSeconds |
Period seconds for livenessProbe | 20 |
envoy.livenessProbe.timeoutSeconds |
Timeout seconds for livenessProbe | 5 |
envoy.livenessProbe.failureThreshold |
Failure threshold for livenessProbe | 6 |
envoy.livenessProbe.successThreshold |
Success threshold for livenessProbe | 1 |
envoy.readinessProbe.enabled |
Enable/disable the readiness probe | true |
envoy.readinessProbe.port |
ReadinessProbe port | 8002 |
envoy.readinessProbe.initialDelaySeconds |
Delay before readiness probe is initiated | 10 |
envoy.readinessProbe.periodSeconds |
How often to perform the probe | 3 |
envoy.readinessProbe.timeoutSeconds |
When the probe times out | 1 |
envoy.readinessProbe.failureThreshold |
Minimum consecutive failures for the probe to be considered failed after having succeeded. | 3 |
envoy.readinessProbe.successThreshold |
Minimum consecutive successes for the probe to be considered successful after having failed. | 1 |
envoy.startupProbe.enabled |
Enable/disable the startup probe | false |
envoy.startupProbe.port |
StartupProbe port | 8002 |
envoy.startupProbe.initialDelaySeconds |
Delay before startup probe is initiated | 15 |
envoy.startupProbe.periodSeconds |
How often to perform the probe | 10 |
envoy.startupProbe.timeoutSeconds |
When the probe times out | 5 |
envoy.startupProbe.failureThreshold |
Minimum consecutive failures for the probe to be considered failed after having succeeded. | 3 |
envoy.startupProbe.successThreshold |
Minimum consecutive successes for the probe to be considered successful after having failed. | 1 |
envoy.customLivenessProbe |
Override default liveness probe | {} |
envoy.customReadinessProbe |
Override default readiness probe | {} |
envoy.customStartupProbe |
Override default startup probe | {} |
envoy.terminationGracePeriodSeconds |
Envoy termination grace period in seconds | 300 |
envoy.logLevel |
Envoy log level | info |
envoy.service.name |
envoy service name | "" |
envoy.service.multiAz.enabled |
enables the rendering of the multiple services | false |
envoy.service.multiAz.zones |
defines different zones their annotations and loadBalancerIPs | [] |
envoy.service.targetPorts |
Map the controller service HTTP/HTTPS port | {} |
envoy.service.type |
Type of Envoy service to create | LoadBalancer |
envoy.service.externalTrafficPolicy |
Envoy Service external cluster policy. If envoy.service.type is NodePort or LoadBalancer |
Local |
envoy.service.labels |
Labels to add to te envoy service | {} |
envoy.service.clusterIP |
Internal envoy cluster service IP | "" |
envoy.service.externalIPs |
Envoy service external IP addresses | [] |
envoy.service.loadBalancerIP |
IP address to assign to load balancer (if supported) | "" |
envoy.service.loadBalancerSourceRanges |
List of IP CIDRs allowed access to load balancer (if supported) | [] |
envoy.service.loadBalancerClass |
Envoy service Load Balancer Class | "" |
envoy.service.ipFamilyPolicy |
, support SingleStack, PreferDualStack and RequireDualStack | "" |
envoy.service.ipFamilies |
List of IP families (e.g. IPv4, IPv6) assigned to the service. | [] |
envoy.service.annotations |
Annotations for Envoy service | {} |
envoy.service.ports.http |
Sets service http port | 80 |
envoy.service.ports.https |
Sets service https port | 443 |
envoy.service.ports.metrics |
Sets service metrics port | 8002 |
envoy.service.nodePorts.http |
HTTP Port. If envoy.service.type is NodePort and this is non-empty |
"" |
envoy.service.nodePorts.https |
HTTPS Port. If envoy.service.type is NodePort and this is non-empty |
"" |
envoy.service.extraPorts |
Extra ports to expose (normally used with the sidecar value) |
[] |
envoy.service.sessionAffinity |
Session Affinity for Kubernetes service, can be “None” or “ClientIP” | None |
envoy.service.sessionAffinityConfig |
Additional settings for the sessionAffinity | {} |
envoy.networkPolicy.enabled |
Specifies whether a NetworkPolicy should be created | true |
envoy.networkPolicy.allowExternal |
Don’t require server label for connections | true |
envoy.networkPolicy.allowExternalEgress |
Allow the pod to access any range of port and all destinations. | true |
envoy.networkPolicy.extraIngress |
Add extra ingress rules to the NetworkPolicy | [] |
envoy.networkPolicy.extraEgress |
Add extra ingress rules to the NetworkPolicy | [] |
envoy.networkPolicy.ingressNSMatchLabels |
Labels to match to allow traffic from other namespaces | {} |
envoy.networkPolicy.ingressNSPodMatchLabels |
Pod labels to match to allow traffic from other namespaces | {} |
envoy.useHostPort.http |
Enable/disable hostPort for TCP/80 |
false |
envoy.useHostPort.https |
Enable/disable hostPort TCP/443 |
false |
envoy.useHostPort.metrics |
Enable/disable hostPort for TCP/8002 |
false |
envoy.useHostIP |
Enable/disable hostIP |
false |
envoy.hostPorts.http |
Sets hostPort http port |
80 |
envoy.hostPorts.https |
Sets hostPort https port |
443 |
envoy.hostPorts.metrics |
Sets hostPort metrics port |
8002 |
envoy.hostIPs.http |
Sets hostIP http IP |
127.0.0.1 |
envoy.hostIPs.https |
Sets hostIP https IP |
127.0.0.1 |
envoy.hostIPs.metrics |
Sets hostIP metrics IP |
127.0.0.1 |
envoy.containerPorts.http |
Sets http port inside Envoy pod (change this to >1024 to run envoy as a non-root user) | 8080 |
envoy.containerPorts.https |
Sets https port inside Envoy pod (change this to >1024 to run envoy as a non-root user) | 8443 |
envoy.containerPorts.metrics |
Sets metrics port inside Envoy pod (change this to >1024 to run envoy as a non-root user) | 8002 |
envoy.initContainers |
Attach additional init containers to Envoy pods | [] |
envoy.sidecars |
Add additional sidecar containers to the Envoy pods | [] |
envoy.extraVolumes |
Array to add extra volumes | [] |
envoy.extraVolumeMounts |
Array to add extra mounts (normally used with extraVolumes) | [] |
envoy.extraEnvVars |
Array containing extra env vars to be added to all Envoy containers | [] |
envoy.extraEnvVarsCM |
ConfigMap containing extra env vars to be added to all Envoy containers | "" |
envoy.extraEnvVarsSecret |
Secret containing extra env vars to be added to all Envoy containers | "" |
envoy.pdb.create |
Enable Pod Disruption Budget configuration | true |
envoy.pdb.minAvailable |
Minimum number/percentage of Default backend pods that should remain scheduled | "" |
envoy.pdb.maxUnavailable |
Maximum number/percentage of Default backend pods that should remain scheduled | "" |
Name | Description | Value |
---|---|---|
defaultBackend.enabled |
Enable a default backend based on NGINX | false |
defaultBackend.image.registry |
Default backend image registry | REGISTRY_NAME |
defaultBackend.image.repository |
Default backend image name | REPOSITORY_NAME/nginx |
defaultBackend.image.digest |
Default backend image digest in the way sha256:aa…. Please note this parameter, if set, will override the tag | "" |
defaultBackend.image.pullPolicy |
Image pull policy | IfNotPresent |
defaultBackend.image.pullSecrets |
Specify docker-registry secret names as an array | [] |
defaultBackend.extraArgs |
Additional command line arguments to pass to NGINX container | {} |
defaultBackend.lifecycleHooks |
lifecycleHooks for the container to automate configuration before or after startup. | {} |
defaultBackend.extraEnvVars |
Array containing extra env vars to be added to all Contour containers | [] |
defaultBackend.extraEnvVarsCM |
ConfigMap containing extra env vars to be added to all Contour containers | "" |
defaultBackend.extraEnvVarsSecret |
Secret containing extra env vars to be added to all Contour containers | "" |
defaultBackend.extraVolumes |
Array to add extra volumes | [] |
defaultBackend.extraVolumeMounts |
Array to add extra mounts (normally used with extraVolumes) | [] |
defaultBackend.initContainers |
Attach additional init containers to the http backend pods | [] |
defaultBackend.sidecars |
Add additional sidecar containers to the default backend | [] |
defaultBackend.containerPorts.http |
Set http port inside Contour pod | 8001 |
defaultBackend.updateStrategy |
Strategy to use to update Pods | {} |
defaultBackend.command |
Override default command | [] |
defaultBackend.args |
Override default args | [] |
defaultBackend.hostAliases |
Add deployment host aliases | [] |
defaultBackend.replicaCount |
Desired number of default backend pods | 1 |
defaultBackend.podSecurityContext.enabled |
Default backend Pod securityContext | true |
defaultBackend.podSecurityContext.fsGroupChangePolicy |
Set filesystem group change policy | Always |
defaultBackend.podSecurityContext.sysctls |
Set kernel settings using the sysctl interface | [] |
defaultBackend.podSecurityContext.supplementalGroups |
Set filesystem extra groups | [] |
defaultBackend.podSecurityContext.fsGroup |
Set Default backend Pod’s Security Context fsGroup | 1001 |
defaultBackend.containerSecurityContext.enabled |
Enabled defaultBackend containers’ Security Context | true |
defaultBackend.containerSecurityContext.seLinuxOptions |
Set SELinux options in container | {} |
defaultBackend.containerSecurityContext.runAsUser |
Set defaultBackend containers’ Security Context runAsUser | 1001 |
defaultBackend.containerSecurityContext.runAsGroup |
Set defaultBackend containers’ Security Context runAsGroup | 1001 |
defaultBackend.containerSecurityContext.runAsNonRoot |
Set defaultBackend containers’ Security Context runAsNonRoot | true |
defaultBackend.containerSecurityContext.readOnlyRootFilesystem |
Set read only root file system pod’s Security Conte | true |
defaultBackend.containerSecurityContext.privileged |
Set defaultBackend container’s Security Context privileged | false |
defaultBackend.containerSecurityContext.allowPrivilegeEscalation |
Set defaultBackend container’s Security Context allowPrivilegeEscalation | false |
defaultBackend.containerSecurityContext.capabilities.drop |
List of capabilities to be dropped | ["ALL"] |
defaultBackend.containerSecurityContext.seccompProfile.type |
Set container’s Security Context seccomp profile | RuntimeDefault |
defaultBackend.resourcesPreset |
Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if defaultBackend.resources is set (defaultBackend.resources is recommended for production). | nano |
defaultBackend.resources |
Set container requests and limits for different resources like CPU or memory (essential for production workloads) | {} |
defaultBackend.livenessProbe.enabled |
Enable livenessProbe | true |
defaultBackend.livenessProbe.httpGet |
Path, port and scheme for the livenessProbe | {} |
defaultBackend.livenessProbe.initialDelaySeconds |
Initial delay seconds for livenessProbe | 30 |
defaultBackend.livenessProbe.periodSeconds |
Period seconds for livenessProbe | 10 |
defaultBackend.livenessProbe.timeoutSeconds |
Timeout seconds for livenessProbe | 5 |
defaultBackend.livenessProbe.failureThreshold |
Failure threshold for livenessProbe | 3 |
defaultBackend.livenessProbe.successThreshold |
Success threshold for livenessProbe | 1 |
defaultBackend.readinessProbe.enabled |
Enable readinessProbe | true |
defaultBackend.readinessProbe.httpGet |
Path, port and scheme for the readinessProbe | {} |
defaultBackend.readinessProbe.initialDelaySeconds |
Initial delay seconds for readinessProbe | 0 |
defaultBackend.readinessProbe.periodSeconds |
Period seconds for readinessProbe | 5 |
defaultBackend.readinessProbe.timeoutSeconds |
Timeout seconds for readinessProbe | 5 |
defaultBackend.readinessProbe.failureThreshold |
Failure threshold for readinessProbe | 6 |
defaultBackend.readinessProbe.successThreshold |
Success threshold for readinessProbe | 1 |
defaultBackend.startupProbe.enabled |
Enable/disable the startup probe | false |
defaultBackend.startupProbe.initialDelaySeconds |
Delay before startup probe is initiated | 15 |
defaultBackend.startupProbe.periodSeconds |
How often to perform the probe | 10 |
defaultBackend.startupProbe.timeoutSeconds |
When the probe times out | 5 |
defaultBackend.startupProbe.failureThreshold |
Minimum consecutive failures for the probe to be considered failed after having succeeded. | 3 |
defaultBackend.startupProbe.successThreshold |
Minimum consecutive successes for the probe to be considered successful after having failed. | 1 |
defaultBackend.customLivenessProbe |
Override default liveness probe, it overrides the default one (evaluated as a template) | {} |
defaultBackend.customReadinessProbe |
Override default readiness probe, it overrides the default one (evaluated as a template) | {} |
defaultBackend.customStartupProbe |
Override default startup probe | {} |
defaultBackend.podLabels |
Extra labels for Controller pods | {} |
defaultBackend.podAnnotations |
Annotations for Controller pods | {} |
defaultBackend.priorityClassName |
Priority class assigned to the pods | "" |
defaultBackend.schedulerName |
Name of the k8s scheduler (other than default) | "" |
defaultBackend.terminationGracePeriodSeconds |
In seconds, time the given to the default backend pod needs to terminate gracefully | 60 |
defaultBackend.topologySpreadConstraints |
Topology Spread Constraints for pod assignment | [] |
defaultBackend.podAffinityPreset |
Pod affinity preset. Ignored if affinity is set. Allowed values: soft or hard |
"" |
defaultBackend.podAntiAffinityPreset |
Pod anti-affinity preset. Ignored if affinity is set. Allowed values: soft or hard |
soft |
defaultBackend.nodeAffinityPreset.type |
Node affinity preset type. Ignored if affinity is set. Allowed values: soft or hard |
"" |
defaultBackend.nodeAffinityPreset.key |
Node label key to match. Ignored if affinity is set. |
"" |
defaultBackend.nodeAffinityPreset.values |
Node label values to match. Ignored if affinity is set. |
[] |
defaultBackend.affinity |
Affinity for pod assignment. Evaluated as a template. | {} |
defaultBackend.nodeSelector |
Node labels for pod assignment. Evaluated as a template. | {} |
defaultBackend.tolerations |
Tolerations for pod assignment. Evaluated as a template. | [] |
defaultBackend.service.type |
Service type | ClusterIP |
defaultBackend.service.ports.http |
Service port | 80 |
defaultBackend.service.annotations |
Annotations to add to the service | {} |
defaultBackend.networkPolicy.enabled |
Specifies whether a NetworkPolicy should be created | true |
defaultBackend.networkPolicy.allowExternal |
Don’t require server label for connections | true |
defaultBackend.networkPolicy.allowExternalEgress |
Allow the pod to access any range of port and all destinations. | true |
defaultBackend.networkPolicy.extraIngress |
Add extra ingress rules to the NetworkPolicy | [] |
defaultBackend.networkPolicy.extraEgress |
Add extra ingress rules to the NetworkPolicy | [] |
defaultBackend.networkPolicy.ingressNSMatchLabels |
Labels to match to allow traffic from other namespaces | {} |
defaultBackend.networkPolicy.ingressNSPodMatchLabels |
Pod labels to match to allow traffic from other namespaces | {} |
defaultBackend.pdb.create |
Enable Pod Disruption Budget configuration | true |
defaultBackend.pdb.minAvailable |
Minimum number/percentage of Default backend pods that should remain scheduled | "" |
defaultBackend.pdb.maxUnavailable |
Maximum number/percentage of Default backend pods that should remain scheduled | "" |
ingress.enabled |
Ingress configuration enabled | false |
ingress.apiVersion |
Force Ingress API version (automatically detected if not set) | "" |
ingress.certManager |
Add annotations for cert-manager | false |
ingress.annotations |
Annotations to be added to the web ingress. | {} |
ingress.hostname |
Hostname for the Ingress object | contour.local |
ingress.path |
The Path to Concourse | / |
ingress.rulesOverride |
Ingress rules override | [] |
ingress.selfSigned |
Create a TLS secret for this ingress record using self-signed certificates generated by Helm | false |
ingress.ingressClassName |
IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | "" |
ingress.extraPaths |
Add additional arbitrary paths that may need to be added to the ingress under the main host. | [] |
ingress.tls |
TLS configuration. | false |
ingress.pathType |
Ingress Path type | ImplementationSpecific |
ingress.extraHosts |
The list of additional hostnames to be covered with this ingress record. | [] |
ingress.extraTls |
The tls configuration for additional hostnames to be covered with this ingress record. | [] |
ingress.secrets |
If you’re providing your own certificates, please use this to add the certificates as secrets | [] |
ingress.extraRules |
Additional rules to be covered with this ingress record | [] |
Name | Description | Value |
---|---|---|
metrics.serviceMonitor.namespace |
Specify if the servicemonitors will be deployed into a different namespace (blank deploys into same namespace as chart) | "" |
metrics.serviceMonitor.enabled |
Specify if a servicemonitor will be deployed for prometheus-operator. | false |
metrics.serviceMonitor.jobLabel |
Specify the jobLabel to use for the prometheus-operator | app.kubernetes.io/name |
metrics.serviceMonitor.interval |
Specify the scrape interval if not specified use default prometheus scrapeIntervall, the Prometheus default scrape interval is used. | "" |
metrics.serviceMonitor.metricRelabelings |
Specify additional relabeling of metrics. | [] |
metrics.serviceMonitor.relabelings |
Specify general relabeling. | [] |
metrics.serviceMonitor.honorLabels |
Specify honorLabels parameter to add the scrape endpoint | false |
metrics.serviceMonitor.scrapeTimeout |
The timeout after which the scrape is ended | "" |
metrics.serviceMonitor.selector |
Specify honorLabels parameter to add the scrape endpoint | {} |
metrics.serviceMonitor.labels |
Extra labels for the ServiceMonitor | {} |
metrics.prometheusRule.enabled |
Creates a Prometheus Operator prometheusRule | false |
metrics.prometheusRule.namespace |
Namespace for the prometheusRule Resource (defaults to the Release Namespace) | "" |
metrics.prometheusRule.additionalLabels |
Additional labels that can be used so prometheusRule will be discovered by Prometheus | {} |
metrics.prometheusRule.rules |
Prometheus Rule definitions | [] |
Name | Description | Value |
---|---|---|
rbac.create |
Create the RBAC roles for API accessibility | true |
rbac.rules |
Custom RBAC rules to set | [] |
tlsExistingSecret |
Name of the existingSecret to be use in both contour and envoy. If it is not nil contour.certgen will be disabled. |
"" |
Specify each parameter using the --set key=value[,key=value]
argument to helm install
. For example,
helm install my-release \
--set envoy.readinessProbe.successThreshold=5 \
oci://REGISTRY_NAME/REPOSITORY_NAME/contour
Note: You need to substitute the placeholders
REGISTRY_NAME
andREPOSITORY_NAME
with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to useREGISTRY_NAME=registry-1.docker.io
andREPOSITORY_NAME=bitnamicharts
.
The above command sets the envoy.readinessProbe.successThreshold
to 5
.
Find more information about how to deal with common errors related to Bitnami’s Helm charts in this troubleshooting guide.
Please carefully read through the guide “Upgrading Contour” at https://projectcontour.io/resources/upgrading/.
This major bump changes the following security defaults:
runAsGroup
is changed from 0
to 1001
readOnlyRootFilesystem
is set to true
resourcesPreset
is changed from none
to the minimum size working in our test suites (NOTE: resourcesPreset
is not meant for production usage, but resources
adapted to your use case).global.compatibility.openshift.adaptSecurityContext
is changed from disabled
to auto
.envoy.useHostPort.*
are changed from true
to false
.This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.
This major release adds support for Kubernetes PSA restricted mode out of the box. In order to do so, hostNetwork
is disabled by default in envoy. In order to maintain hostNetwork
in your current installation set envoy.useHostNetwork=true
.
This major release renames several values in this chart and adds missing features, in order to be inline with the rest of assets in the Bitnami charts repository.
Affected values:
prometheus
renamed as metrics
.serviceMonitor.labels
renamed as serviceMonitor.selector
.service.port
renamed as service.ports.xds
.service.nodePort
renamed as service.nodePorts.xds
.contour.updateStrategy
and worker.updateStrategy
changed from String type (previously default to ‘rollingUpdate’) to Object type, allowing users to configure other updateStrategy parameters, similar to other charts.This version updates the chart to use Contour’s latest release, 1.19.0
. Among other features, this new version introduces support for new kinds of CRDs: ContourConfiguration
and ContourDeployment
. For further information on new features, please refer to the official release notes for this version.
Additionally, exisiting CRDs have been syncronised with the official Contour repository
If you are installing a fresh chart, you can ignore this section.
If you are upgrading from 5.x of this Helm chart, this is a breaking change as the new CRDs will not overwrite the existing ones. Therefore, you will need to delete the CRDs and let the chart recreate them. Make sure to back up any existing CRs (kubectl get -o yaml extensionservice,httpproxy,tlscertificatedelegation -A > backup.yaml
) unless you have other ways of recreating them.
This version bumps the Envoy container from 1.17.X to 1.19.X; this Envoy version is officially supported by Contour since 1.18.0, see https://github.com/projectcontour/contour/releases/tag/v1.18.0
In this version it was synchronized CRD with the official Contour repository
If you are installing a fresh chart, you can ignore this section.
If you are upgrading from 4.x of this Helm chart, this is a breaking change as the new CRDs will not overwrite the existing ones. Therefore, you will need to delete the CRDs and let the chart recreate them. Make sure to back up any existing CRs (kubectl get -o yaml extensionservice,httpproxy,tlscertificatedelegation -A > backup.yaml
) unless you have other ways of recreating them.
The 4.0 version of this chart introduces changes to handle Contour CRD upgrades. While Helm 3.x introduced the crd
folder to place CRDs, Helm explicitly does not handle the CRD upgrade scenario.
resources
directory was added that contains all the Contour CRDs, which are imported by the templates/00-crds.yaml
manifest on installation and upgrade.contour.manageCRDs
to false
when running Helm.If you are installing a fresh chart, or if you are upgrading from a 4.x version of this chart, you can ignore this section.
If you are upgrading from 3.x of this Helm chart, this is a breaking change as the new CRDs will not overwrite the existing ones. Therefore, you will need to delete the CRDs and let the chart recreate them. Make sure to back up any existing CRs (kubectl get -o yaml extensionservice,httpproxy,tlscertificatedelegation -A > backup.yaml
) unless you have other ways of recreating them.
If required, back up your existing Custom Resources:
kubectl get -o yaml extensionservice,httpproxy,tlscertificatedelegation -A > backup.yaml
Delete the existing Contour CRDs. Note that this step will also delete the associated CRs and impact availability until the upgrade is complete and the backup restored:
kubectl delete extensionservices.projectcontour.io
kubectl delete httpproxies.projectcontour.io
kubectl delete tlscertificatedelegations.projectcontour.io
Upgrade the Contour chart with the release name my-release
:
helm upgrade my-release oci://REGISTRY_NAME/REPOSITORY_NAME/contour
Note: You need to substitute the placeholders
REGISTRY_NAME
andREPOSITORY_NAME
with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to useREGISTRY_NAME=registry-1.docker.io
andREPOSITORY_NAME=bitnamicharts
.
If you made a backup earlier, restore the objects:
kubectl apply -f backup.yaml
On November 13, 2020, Helm v2 support was formally finished, this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL.
apiVersion: v1
(installable by both Helm 2 and 3), this Helm Chart was updated to apiVersion: v2
(installable by Helm 3 only). Here you can find more information about the apiVersion
field.helm dependency update
, a Chart.lock file is generated containing the same structure used in the previous requirements.lockMost important changes are:
contour.createCustomResource
to contour.installCRDs
--skip-crds
when using helm v3 and --set contour.installCRDs=false
when using helm v2). Read Upgrading Contour and execute the following kubectl
command before helm upgrade:kubectl apply -f https://raw.githubusercontent.com/projectcontour/contour/release-{{version}}/examples/contour/01-crds.yaml
This version also introduces bitnami/common
, a library chart as a dependency. More documentation about this new utility could be found here. Please, make sure that you have updated the chart dependencies before executing any upgrade.
Copyright © 2024 Broadcom. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.
Licensed under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.