This is an automated email from the ASF dual-hosted git repository.
nic-6443 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix-helm-chart.git
The following commit(s) were added to refs/heads/master by this push:
new 873c9db feat(apisix): expose more config options and document all
values (#989)
873c9db is described below
commit 873c9db60bea54ee2eb258762deb8963e563f3be
Author: Nic <[email protected]>
AuthorDate: Mon Jul 6 17:19:36 2026 +0800
feat(apisix): expose more config options and document all values (#989)
---
charts/apisix/Chart.yaml | 2 +-
charts/apisix/README.md | 152 +++++++++++++-----
charts/apisix/templates/configmap.yaml | 107 +++++++++----
charts/apisix/templates/hpa.yaml | 2 +-
charts/apisix/templates/service-gateway.yaml | 18 +++
charts/apisix/values.yaml | 224 +++++++++++++++++++++++++--
6 files changed, 414 insertions(+), 91 deletions(-)
diff --git a/charts/apisix/Chart.yaml b/charts/apisix/Chart.yaml
index 915da86..6a93851 100644
--- a/charts/apisix/Chart.yaml
+++ b/charts/apisix/Chart.yaml
@@ -31,7 +31,7 @@ type: application
# This is the chart version. This version number should be incremented each
time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.15.0
+version: 2.16.0
# This is the version number of the application being deployed. This version
number should be
# incremented each time you make changes to the application. Versions are not
expected to
diff --git a/charts/apisix/README.md b/charts/apisix/README.md
index 64dfe2a..7f1ecc6 100644
--- a/charts/apisix/README.md
+++ b/charts/apisix/README.md
@@ -54,6 +54,9 @@ The command removes all the Kubernetes components associated
with the chart and
| apisix.admin.externalIPs | list | `[]` | IPs for which nodes in the cluster
will also accept traffic for the servic |
| apisix.admin.ingress | object |
`{"annotations":{},"enabled":false,"hosts":[{"host":"apisix-admin.local","paths":["/apisix"]}],"tls":[]}`
| Using ingress access Apache APISIX admin service |
| apisix.admin.ingress.annotations | object | `{}` | Ingress annotations |
+| apisix.admin.ingress.enabled | bool | `false` | Enable an Ingress resource
in front of the Admin API service |
+| apisix.admin.ingress.hosts | list |
`[{"host":"apisix-admin.local","paths":["/apisix"]}]` | Ingress host and path
rules |
+| apisix.admin.ingress.tls | list | `[]` | Ingress TLS settings |
| apisix.admin.ip | string | `"0.0.0.0"` | which ip to listen on for Apache
APISIX admin API. Set to `"[::]"` when on IPv6 single stack |
| apisix.admin.port | int | `9180` | which port to use for Apache APISIX admin
API |
| apisix.admin.servicePort | int | `9180` | Service port to use for Apache
APISIX admin API |
@@ -66,40 +69,66 @@ The command removes all the Kubernetes components
associated with the chart and
| apisix.customPlugins.plugins[0].configMap | object |
`{"mounts":[{"key":"the-file-name","path":"mount-path"}],"name":"configmap-name"}`
| plugin codes can be saved inside configmap object. |
| apisix.customPlugins.plugins[0].configMap.mounts | list |
`[{"key":"the-file-name","path":"mount-path"}]` | since keys in configmap is
flat, mountPath allows to define the mount path, so that plugin codes can be
mounted hierarchically. |
| apisix.customPlugins.plugins[0].configMap.name | string | `"configmap-name"`
| name of configmap. |
+| apisix.deleteURITailSlash | bool | `false` | Delete the '/' at the end of
the URI |
| apisix.deployment.mode | string | `"traditional"` | Apache APISIX deployment
mode Optional: traditional, decoupled, standalone ref:
https://apisix.apache.org/docs/apisix/deployment-modes/ |
| apisix.deployment.role | string | `"traditional"` | Deployment role
Optional: traditional, data_plane, control_plane ref:
https://apisix.apache.org/docs/apisix/deployment-modes/ |
-| apisix.deployment.role_traditional.config_provider | string | `"etcd"` | |
+| apisix.deployment.role_traditional.config_provider | string | `"etcd"` |
Config provider for the traditional role. enum: etcd, yaml |
| apisix.deployment.standalone | object | `{"config":"routes:\n-\n uri: /hi\n
upstream:\n nodes:\n \"127.0.0.1:1980\": 1\n type:
roundrobin\n","existingConfigMap":""}` | Standalone rules configuration ref:
https://apisix.apache.org/docs/apisix/deployment-modes/#standalone |
| apisix.deployment.standalone.config | string | `"routes:\n-\n uri: /hi\n
upstream:\n nodes:\n \"127.0.0.1:1980\": 1\n type: roundrobin\n"` |
Rules which are set to the default apisix.yaml configmap. If
apisix.delpoyment.standalone.existingConfigMap is empty, these are used. |
| apisix.deployment.standalone.existingConfigMap | string | `""` | Specifies
the name of the ConfigMap that contains the rule configurations. The
configuration must be set to the key named `apisix.yaml` in the configmap. |
| apisix.discovery.enabled | bool | `false` | Enable or disable Apache APISIX
integration service discovery |
| apisix.discovery.registry | object | `{}` | Service discovery registry.
Refer to [configuration under
discovery](https://github.com/apache/apisix/blob/master/conf/config.yaml.example#L307)
for example. Also see [example of using external service
discovery](https://apisix.apache.org/docs/ingress-controller/1.8.0/tutorials/external-service-discovery/).
|
-| apisix.dns.resolvers[0] | string | `"127.0.0.1"` | |
-| apisix.dns.resolvers[1] | string | `"172.20.0.10"` | |
-| apisix.dns.resolvers[2] | string | `"114.114.114.114"` | |
-| apisix.dns.resolvers[3] | string | `"223.5.5.5"` | |
-| apisix.dns.resolvers[4] | string | `"1.1.1.1"` | |
-| apisix.dns.resolvers[5] | string | `"8.8.8.8"` | |
-| apisix.dns.timeout | int | `5` | |
-| apisix.dns.validity | int | `30` | |
-| apisix.enableHTTP2 | bool | `true` | |
+| apisix.dns.enableResolvSearchOpt | bool | `true` | Honor the `search` option
in `/etc/resolv.conf` when resolving domain names |
+| apisix.dns.resolvers | list | `[]` | Nameservers used by APISIX to resolve
upstream domain names. When empty (default), nameservers are read from
`/etc/resolv.conf`, which is usually what you want inside Kubernetes |
+| apisix.dns.timeout | int | `5` | DNS resolver timeout in seconds |
+| apisix.dns.validity | int | `30` | Override the TTL in seconds of valid DNS
records |
+| apisix.enableHTTP2 | bool | `true` | Enable HTTP/2 on the HTTP listeners |
| apisix.enableIPv6 | bool | `true` | Enable nginx IPv6 resolver |
| apisix.enableServerTokens | bool | `true` | Whether the APISIX version
number should be shown in Server header |
| apisix.extPlugin.cmd | list |
`["/path/to/apisix-plugin-runner/runner","run"]` | the command and its
arguements to run as a subprocess |
| apisix.extPlugin.enabled | bool | `false` | Enable External Plugins. See
[external plugin](https://apisix.apache.org/docs/apisix/next/external-plugin/) |
| apisix.fullCustomConfig.config | object | `{}` | If
apisix.fullCustomConfig.enabled is true, full customized config.yaml. Please
note that other settings about APISIX config will be ignored |
| apisix.fullCustomConfig.enabled | bool | `false` | Enable full customized
config.yaml |
+| apisix.graphql.maxSize | int | `1048576` | The maximum size in bytes of
GraphQL queries APISIX parses when matching routes by GraphQL attributes
(default 1MiB) |
+| apisix.lru | object |
`{"secret":{"count":512,"neg_count":512,"neg_ttl":60,"ttl":300}}` | fine tune
the parameters of LRU cache for some features like secret |
+| apisix.lru.secret.count | int | `512` | Maximum number of cached secret
values |
+| apisix.lru.secret.neg_count | int | `512` | Maximum number of cached
negative (failed lookup) results |
+| apisix.lru.secret.neg_ttl | int | `60` | TTL in seconds for cached negative
(failed lookup) results |
+| apisix.lru.secret.ttl | int | `300` | TTL in seconds for cached secret
values |
| apisix.luaModuleHook | object |
`{"configMapRef":{"mounts":[{"key":"","path":""}],"name":""},"enabled":false,"hookPoint":"","luaPath":""}`
| Whether to add a custom lua module |
| apisix.luaModuleHook.configMapRef | object |
`{"mounts":[{"key":"","path":""}],"name":""}` | configmap that stores the codes
|
| apisix.luaModuleHook.configMapRef.mounts[0] | object |
`{"key":"","path":""}` | Name of the ConfigMap key, for setting the mapping
relationship between ConfigMap key and the lua module code path. |
| apisix.luaModuleHook.configMapRef.mounts[0].path | string | `""` | Filepath
of the plugin code, for setting the mapping relationship between ConfigMap key
and the lua module code path. |
| apisix.luaModuleHook.configMapRef.name | string | `""` | Name of the
ConfigMap where the lua module codes store |
+| apisix.luaModuleHook.enabled | bool | `false` | Enable loading a custom lua
module hook |
| apisix.luaModuleHook.hookPoint | string | `""` | the hook module which will
be used to inject third party code into APISIX use the lua require style like:
"module.say_hello" |
| apisix.luaModuleHook.luaPath | string | `""` | extend lua_package_path to
load third party code |
-| apisix.nginx.configurationSnippet | object |
`{"httpAdmin":"","httpEnd":"","httpSrv":"","httpStart":"","main":"","stream":""}`
| Custom configuration snippet. |
+| apisix.nginx.configurationSnippet | object |
`{"httpAdmin":"","httpEnd":"","httpSrv":"","httpStart":"","main":"","stream":""}`
| Custom nginx configuration snippets injected into the generated nginx.conf.
As arbitrary configuration can be added here, it is your responsibility to make
sure the snippets don't conflict with the configuration generated by APISIX. |
+| apisix.nginx.configurationSnippet.httpAdmin | string | `""` | Snippet added
to the nginx `server` block that serves the Admin API |
+| apisix.nginx.configurationSnippet.httpEnd | string | `""` | Snippet added to
the end of the nginx `http` block |
+| apisix.nginx.configurationSnippet.httpSrv | string | `""` | Snippet added to
the nginx `server` block that proxies regular traffic |
+| apisix.nginx.configurationSnippet.httpStart | string | `""` | Snippet added
to the beginning of the nginx `http` block |
+| apisix.nginx.configurationSnippet.main | string | `""` | Snippet added to
the nginx `main` (top-level) block |
+| apisix.nginx.configurationSnippet.stream | string | `""` | Snippet added to
the nginx `stream` block |
| apisix.nginx.customLuaSharedDicts | list | `[]` | Add custom
[lua_shared_dict](https://github.com/openresty/lua-nginx-module?tab=readme-ov-file#lua_shared_dict)
settings, click
[here](https://github.com/apache/apisix-helm-chart/blob/master/charts/apisix/values.yaml#L27-L30)
to learn the format of a shared dict |
-| apisix.nginx.enableCPUAffinity | bool | `true` | |
-| apisix.nginx.envs | list | `[]` | |
+| apisix.nginx.enableCPUAffinity | bool | `true` | Bind nginx worker processes
to CPUs |
+| apisix.nginx.envs | list | `[]` | List of environment variable names allowed
to be accessed within nginx (rendered as nginx `env` directives) |
+| apisix.nginx.http | object |
`{"charset":"utf-8","clientBodyTimeout":"60s","clientHeaderTimeout":"60s","clientMaxBodySize":0,"proxySslServerName":true,"realIpFrom":["127.0.0.1","unix:"],"realIpHeader":"X-Real-IP","realIpRecursive":"off","sendTimeout":"10s","underscoresInHeaders":"on","upstream":{"keepalive":320,"keepaliveRequests":1000,"keepaliveTimeout":"60s"},"variablesHashMaxSize":2048}`
| Nginx HTTP subsystem configurations |
+| apisix.nginx.http.charset | string | `"utf-8"` | The charset added to the
"Content-Type" response header field, see
[charset](http://nginx.org/en/docs/http/ngx_http_charset_module.html#charset) |
+| apisix.nginx.http.clientBodyTimeout | string | `"60s"` | timeout for reading
client request body, then 408 (Request Time-out) error is returned to the
client |
+| apisix.nginx.http.clientHeaderTimeout | string | `"60s"` | timeout for
reading client request header, then 408 (Request Time-out) error is returned to
the client |
+| apisix.nginx.http.clientMaxBodySize | int | `0` | The maximum allowed size
of the client request body. If exceeded, the 413 (Request Entity Too Large)
error is returned to the client. Note that unlike Nginx, we don't limit the
body size by default (0 means no limit). |
+| apisix.nginx.http.proxySslServerName | bool | `true` | Enables or disables
passing of the server name through TLS Server Name Indication extension (SNI,
RFC 6066) when establishing a connection with the proxied HTTPS server |
+| apisix.nginx.http.realIpFrom | list | `["127.0.0.1","unix:"]` | Trusted
addresses from which the real IP header is honored, see
[set_real_ip_from](http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from)
|
+| apisix.nginx.http.realIpHeader | string | `"X-Real-IP"` | The request header
used to determine the client's real IP address, see
[real_ip_header](http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header)
|
+| apisix.nginx.http.realIpRecursive | string | `"off"` | Whether to search for
the real IP recursively when the header set in apisix.nginx.http.realIpHeader
contains multiple addresses, see
[real_ip_recursive](http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_recursive)
|
+| apisix.nginx.http.sendTimeout | string | `"10s"` | timeout for transmitting
a response to the client, then the connection is closed |
+| apisix.nginx.http.underscoresInHeaders | string | `"on"` | Enable the use of
underscores in client request header fields |
+| apisix.nginx.http.upstream | object |
`{"keepalive":320,"keepaliveRequests":1000,"keepaliveTimeout":"60s"}` |
Keepalive settings for connections from APISIX to upstream servers |
+| apisix.nginx.http.upstream.keepalive | int | `320` | Maximum number of idle
keepalive connections to upstream servers that are preserved in the cache of
each worker process. When this number is exceeded, the least recently used
connections are closed |
+| apisix.nginx.http.upstream.keepaliveRequests | int | `1000` | Maximum number
of requests that can be served through one keepalive connection. After the
maximum number of requests is made, the connection is closed |
+| apisix.nginx.http.upstream.keepaliveTimeout | string | `"60s"` | Timeout
during which an idle keepalive connection to an upstream server will stay open |
+| apisix.nginx.http.variablesHashMaxSize | int | `2048` | The maximum size of
the nginx variables hash table |
| apisix.nginx.keepaliveTimeout | string | `"60s"` | Timeout during which a
keep-alive client connection will stay open on the server side. |
| apisix.nginx.logs.accessLog | string | `"/dev/stdout"` | Access log path |
| apisix.nginx.logs.accessLogFormat | string | `"$remote_addr - $remote_user
[$time_local] $http_host \\\"$request\\\" $status $body_bytes_sent
$request_time \\\"$http_referer\\\" \\\"$http_user_agent\\\" $upstream_addr
$upstream_status $upstream_response_time
\\\"$upstream_scheme://$upstream_host$upstream_uri\\\""` | Access log format |
@@ -107,31 +136,53 @@ The command removes all the Kubernetes components
associated with the chart and
| apisix.nginx.logs.enableAccessLog | bool | `true` | Enable access log or
not, default true |
| apisix.nginx.logs.errorLog | string | `"/dev/stderr"` | Error log path |
| apisix.nginx.logs.errorLogLevel | string | `"warn"` | Error log level |
+| apisix.nginx.logs.stream | object |
`{"accessLog":"logs/access_stream.log","accessLogFormat":"$remote_addr
[$time_local] $protocol $status $bytes_sent $bytes_received
$session_time","accessLogFormatEscape":"default","enableAccessLog":false}` |
Stream (L4 proxy) access log configuration |
+| apisix.nginx.logs.stream.accessLog | string | `"logs/access_stream.log"` |
Stream access log path |
+| apisix.nginx.logs.stream.accessLogFormat | string | `"$remote_addr
[$time_local] $protocol $status $bytes_sent $bytes_received $session_time"` |
Stream access log format |
+| apisix.nginx.logs.stream.accessLogFormatEscape | string | `"default"` |
Allows setting json or default characters escaping in variables for stream |
+| apisix.nginx.logs.stream.enableAccessLog | bool | `false` | Enable stream
access log or not, default false |
| apisix.nginx.luaSharedDicts | list | `[]` | Override default
[lua_shared_dict](https://github.com/apache/apisix/blob/master/conf/config.yaml.example#L250-L276)
settings, click
[here](https://github.com/apache/apisix-helm-chart/blob/master/charts/apisix/values.yaml#L27-L30)
to learn the format of a shared dict |
+| apisix.nginx.maxPendingTimers | int | `16384` | Maximum number of pending
timers. Increase it if you see "too many pending timers" error |
+| apisix.nginx.maxRunningTimers | int | `4096` | Maximum number of running
timers. Increase it if you see "lua_max_running_timers are not enough" error |
| apisix.nginx.metaLuaSharedDicts | list | `[]` | Override default meta-level
[lua_shared_dict](https://github.com/apache/apisix/blob/master/conf/config.yaml.example)
settings, meta-level shared dicts are shared across both HTTP and stream
subsystems. Since APISIX 3.16.0, `upstream-healthcheck` is a meta-level shared
dict. click
[here](https://github.com/apache/apisix-helm-chart/blob/master/charts/apisix/values.yaml#L27-L30)
to learn the format of a shared dict |
-| apisix.nginx.workerConnections | string | `"10620"` | |
-| apisix.nginx.workerProcesses | string | `"auto"` | |
-| apisix.nginx.workerRlimitNofile | string | `"20480"` | |
+| apisix.nginx.workerConnections | string | `"10620"` | The maximum number of
connections that each worker process can open |
+| apisix.nginx.workerProcesses | string | `"auto"` | The number of nginx
worker processes. `auto` means the number of CPU cores |
+| apisix.nginx.workerRlimitNofile | string | `"20480"` | The number of files a
worker process can open, should be larger than apisix.nginx.workerConnections |
+| apisix.nginx.workerShutdownTimeout | string | `"240s"` | Timeout for a
graceful shutdown of worker processes |
+| apisix.normalizeURILikeServlet | bool | `false` | The URI normalization in
servlet is a little different from the RFC's. See
https://github.com/jakartaee/servlet/blob/master/spec/src/main/asciidoc/servlet-spec-body.adoc#352-uri-path-canonicalization,
which is used under Tomcat. Turn this option on if you want to be compatible
with servlet when matching URI path. |
| apisix.pluginAttrs | object | `{}` | Set APISIX plugin attributes. By
default, APISIX's
[plugin_attr](https://github.com/apache/apisix/blob/master/apisix/cli/config.lua#L295)
are automatically used. See [configuration
example](https://github.com/apache/apisix/blob/master/conf/config.yaml.example#L591).
|
| apisix.plugins | list | `[]` | Customize the list of APISIX plugins to
enable. By default, APISIX's [default
plugins](https://github.com/apache/apisix/blob/master/apisix/cli/config.lua#L196)
are automatically used. |
| apisix.prometheus.containerPort | int | `9091` | container port where the
metrics are exposed |
-| apisix.prometheus.enabled | bool | `false` | |
+| apisix.prometheus.enabled | bool | `false` | Enable Prometheus metrics. ref:
https://apisix.apache.org/docs/apisix/plugins/prometheus/ |
| apisix.prometheus.metricPrefix | string | `"apisix_"` | prefix of the
metrics |
| apisix.prometheus.path | string | `"/apisix/prometheus/metrics"` | path of
the metrics endpoint |
+| apisix.proxyCache | object |
`{"cacheTtl":"10s","zones":[{"cache_levels":"1:2","disk_path":"/tmp/disk_cache_one","disk_size":"1G","memory_size":"50m","name":"disk_cache_one"},{"memory_size":"50m","name":"memory_cache"}]}`
| Proxy caching configuration used by the proxy-cache plugin. |
+| apisix.proxyCache.cacheTtl | string | `"10s"` | The default caching time in
disk if the upstream does not specify the cache time |
+| apisix.proxyCache.zones | list |
`[{"cache_levels":"1:2","disk_path":"/tmp/disk_cache_one","disk_size":"1G","memory_size":"50m","name":"disk_cache_one"},{"memory_size":"50m","name":"memory_cache"}]`
| The parameters of a cache. The `memory_size` field stores the cache index
for the disk strategy and the cache content for the memory strategy;
`disk_size`, `disk_path` and `cache_levels` only apply to the disk strategy. |
+| apisix.proxyProtocol | object |
`{"enableTcpPP":false,"enableTcpPPToUpstream":false,"listenHttpNodePort":null,"listenHttpPort":null,"listenHttpsNodePort":null,"listenHttpsPort":null}`
| PROXY Protocol configuration. |
+| apisix.proxyProtocol.enableTcpPP | bool | `false` | Accept the PROXY
Protocol on every service.stream.tcp port. |
+| apisix.proxyProtocol.enableTcpPPToUpstream | bool | `false` | Send the PROXY
Protocol to the upstream server on every service.stream.tcp port. |
+| apisix.proxyProtocol.listenHttpNodePort | int | `nil` | The nodePort of the
PROXY Protocol HTTP port, only used if service.type is NodePort. If not set, a
random port will be assigned by Kubernetes. |
+| apisix.proxyProtocol.listenHttpPort | int | `nil` | The HTTP port that
accepts the PROXY Protocol. It differs from `service.http` ports and
`apisix.admin` port: this port only accepts HTTP requests carrying the PROXY
Protocol, while the other ports only accept plain HTTP requests. If you enable
the PROXY Protocol, you must use this port to receive HTTP requests with it.
When set, the port is also exposed on the gateway Service. |
+| apisix.proxyProtocol.listenHttpsNodePort | int | `nil` | The nodePort of the
PROXY Protocol HTTPS port, only used if service.type is NodePort. If not set, a
random port will be assigned by Kubernetes. |
+| apisix.proxyProtocol.listenHttpsPort | int | `nil` | The HTTPS port that
accepts the PROXY Protocol. When set, the port is also exposed on the gateway
Service. |
| apisix.router.http | string | `"radixtree_host_uri"` | Defines how apisix
handles routing: - radixtree_uri: match route by uri(base on radixtree) -
radixtree_host_uri: match route by host + uri(base on radixtree) -
radixtree_uri_with_parameter: match route by uri with parameters |
| apisix.setIDFromPodUID | bool | `false` | Use Pod metadata.uid as the APISIX
id. |
+| apisix.showUpstreamStatusInResponseHeader | bool | `false` | When true, the
upstream status is always written to the `X-APISIX-Upstream-Status` response
header; when false, it is written only for 5xx responses |
| apisix.ssl.additionalContainerPorts | list | `[]` | Support multiple https
ports, See
[Configuration](https://github.com/apache/apisix/blob/0bc65ea9acd726f79f80ae0abd8f50b7eb172e3d/conf/config-default.yaml#L99)
|
| apisix.ssl.certCAFilename | string | `""` | Filename be used in the
apisix.ssl.existingCASecret |
-| apisix.ssl.containerPort | int | `9443` | |
-| apisix.ssl.enableHTTP3 | bool | `false` | |
-| apisix.ssl.enabled | bool | `false` | |
+| apisix.ssl.containerPort | int | `9443` | Container port APISIX listens on
for HTTPS traffic |
+| apisix.ssl.enableHTTP3 | bool | `false` | Enable HTTP/3 (QUIC) on the HTTPS
listeners |
+| apisix.ssl.enabled | bool | `false` | Enable HTTPS listeners |
| apisix.ssl.existingCASecret | string | `""` | Specifies the name of Secret
contains trusted CA certificates in the PEM format used to verify the
certificate when APISIX needs to do SSL/TLS handshaking with external services
(e.g. etcd) |
| apisix.ssl.fallbackSNI | string | `""` | Define SNI to fallback if none is
presented by client |
| apisix.ssl.sslCiphers | string |
`"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-
[...]
| apisix.ssl.sslProtocols | string | `"TLSv1.2 TLSv1.3"` | TLS protocols
allowed to use. |
-| apisix.status.ip | string | `"0.0.0.0"` | |
-| apisix.status.port | int | `7085` | |
+| apisix.ssl.sslSessionTickets | bool | `false` | Enable or disable TLS
session tickets. Disabled by default because session tickets defeat Perfect
Forward Secrecy (see https://github.com/mozilla/server-side-tls/issues/135) |
+| apisix.status.ip | string | `"0.0.0.0"` | The IP address on which the status
endpoint (`/status`, `/status/ready`) listens |
+| apisix.status.port | int | `7085` | The port on which the status endpoint
listens |
| apisix.stream_plugins | list | `[]` | Customize the list of APISIX
stream_plugins to enable. By default, APISIX's [default
stream_plugins](https://github.com/apache/apisix/blob/master/apisix/cli/config.lua#L294)
are automatically used. |
+| apisix.tracing | bool | `false` | Enable comprehensive request lifecycle
tracing (SSL/SNI, rewrite, access, header_filter, body_filter, and log). When
disabled, OpenTelemetry collects only a single span per request. |
| apisix.trustedAddresses | list | `["127.0.0.1"]` | When configured, APISIX
will trust the `X-Forwarded-*` Headers passed in requests from the IP/CIDR in
the list. |
| apisix.vault.enabled | bool | `false` | Enable or disable the vault
integration |
| apisix.vault.host | string | `""` | The host address where the vault server
is running. |
@@ -139,24 +190,26 @@ The command removes all the Kubernetes components
associated with the chart and
| apisix.vault.timeout | int | `10` | HTTP timeout for each request. |
| apisix.vault.token | string | `""` | The generated token from vault instance
that can grant access to read data from the vault. |
| apisix.wasm.enabled | bool | `false` | Enable Wasm Plugins. See [wasm
plugin](https://apisix.apache.org/docs/apisix/next/wasm/) |
-| apisix.wasm.plugins | list | `[]` | |
-| autoscaling.enabled | bool | `false` | |
-| autoscaling.maxReplicas | int | `100` | |
-| autoscaling.minReplicas | int | `1` | |
-| autoscaling.targetCPUUtilizationPercentage | int | `80` | |
-| autoscaling.targetMemoryUtilizationPercentage | int | `80` | |
+| apisix.wasm.plugins | list | `[]` | List of Wasm plugins, each item with
`name`, `priority` and `file` (path or URL of the wasm binary) |
+| autoscaling.enabled | bool | `false` | Enable HorizontalPodAutoscaler for
APISIX (only when useDaemonSet is false) |
+| autoscaling.maxReplicas | int | `100` | Maximum number of APISIX replicas |
+| autoscaling.minReplicas | int | `1` | Minimum number of APISIX replicas |
+| autoscaling.targetCPUUtilizationPercentage | int | `80` | Target average CPU
utilization percentage that triggers scaling |
+| autoscaling.targetMemoryUtilizationPercentage | int | `80` | Target average
memory utilization percentage that triggers scaling |
| autoscaling.version | string | `"v2"` | HPA version, the value is "v2" or
"v2beta1", default "v2" |
| control.enabled | bool | `true` | Enable Control API |
| control.ingress | object |
`{"annotations":{},"enabled":false,"hosts":[{"host":"apisix-control.local","paths":["/*"]}],"tls":[]}`
| Using ingress access Apache APISIX Control service |
| control.ingress.annotations | object | `{}` | Ingress annotations |
-| control.ingress.hosts | list |
`[{"host":"apisix-control.local","paths":["/*"]}]` | Ingress Class Name
className: "nginx" |
+| control.ingress.enabled | bool | `false` | Enable an Ingress resource in
front of the Control API service |
+| control.ingress.hosts | list |
`[{"host":"apisix-control.local","paths":["/*"]}]` | Ingress host and path
rules |
+| control.ingress.tls | list | `[]` | Ingress TLS settings |
| control.service.annotations | object | `{}` | Control annotations |
| control.service.externalIPs | list | `[]` | IPs for which nodes in the
cluster will also accept traffic for the servic |
| control.service.ip | string | `"127.0.0.1"` | which ip to listen on for
Apache APISIX Control API |
| control.service.port | int | `9090` | which port to use for Apache APISIX
Control API |
| control.service.servicePort | int | `9090` | Service port to use for Apache
APISIX Control API |
| control.service.type | string | `"ClusterIP"` | Control service type |
-| etcd | object |
`{"auth":{"rbac":{"create":false,"rootPassword":""},"tls":{"certFilename":"","certKeyFilename":"","enabled":false,"existingSecret":"","sni":"","verify":true}},"autoCompactionMode":"periodic","autoCompactionRetention":"1h","containerSecurityContext":{"enabled":false},"enabled":true,"image":{"registry":"docker.io","repository":"bitnamilegacy/etcd","tag":"latest"},"prefix":"/apisix","replicaCount":3,"service":{"port":2379},"timeout":30}`
| etcd configuration use the FQDN a [...]
+| etcd | object |
`{"auth":{"rbac":{"create":false,"rootPassword":""},"tls":{"certFilename":"","certKeyFilename":"","enabled":false,"existingSecret":"","sni":"","verify":true}},"autoCompactionMode":"periodic","autoCompactionRetention":"1h","containerSecurityContext":{"enabled":false},"enabled":true,"image":{"registry":"docker.io","repository":"bitnamilegacy/etcd","tag":"latest"},"prefix":"/apisix","replicaCount":3,"service":{"port":2379},"startupRetry":2,"timeout":30,"watchTimeout":50}`
[...]
| etcd.auth | object |
`{"rbac":{"create":false,"rootPassword":""},"tls":{"certFilename":"","certKeyFilename":"","enabled":false,"existingSecret":"","sni":"","verify":true}}`
| if etcd.enabled is true, set more values of bitnamilegacy/etcd helm chart |
| etcd.auth.rbac.create | bool | `false` | No authentication by default.
Switch to enable RBAC authentication |
| etcd.auth.rbac.rootPassword | string | `""` | root password for etcd.
Requires etcd.auth.rbac.create to be true. |
@@ -166,12 +219,18 @@ The command removes all the Kubernetes components
associated with the chart and
| etcd.auth.tls.existingSecret | string | `""` | name of the secret contains
etcd client cert |
| etcd.auth.tls.sni | string | `""` | specify the TLS Server Name Indication
extension, the ETCD endpoint hostname will be used when this setting is unset. |
| etcd.auth.tls.verify | bool | `true` | whether to verify the etcd endpoint
certificate when setup a TLS connection to etcd |
+| etcd.autoCompactionMode | string | `"periodic"` | Auto compaction mode
(periodic or revision), only used when etcd.enabled is true |
+| etcd.autoCompactionRetention | string | `"1h"` | Auto compaction retention
for mvcc key value store, only used when etcd.enabled is true |
| etcd.containerSecurityContext | object | `{"enabled":false}` | added for
backward compatibility with old kubernetes versions, as seccompProfile is not
supported in kubernetes < 1.19 |
| etcd.enabled | bool | `true` | install built-in etcd by default, set false
if do not want to install built-in etcd together, this etcd is based on
bitnamilegacy/etcd helm chart and latest bitnami docker image, only for
development and testing purposes, if you want to use etcd in production, we
recommend you to install etcd by yourself and use `externalEtcd` to connect it.
|
| etcd.image | object |
`{"registry":"docker.io","repository":"bitnamilegacy/etcd","tag":"latest"}` |
docker image for built-in etcd |
| etcd.image.tag | string | `"latest"` | `bitnamilegacy/etcd` only provide
`latest` tag now, ref: https://github.com/bitnami/containers/issues/83267, you
can switch `etcd.image.repository` to `bitnamilegacy/etcd` to use old versioned
tags. |
| etcd.prefix | string | `"/apisix"` | apisix configurations prefix |
+| etcd.replicaCount | int | `3` | Number of etcd replicas, only used when
etcd.enabled is true |
+| etcd.service.port | int | `2379` | etcd client service port |
+| etcd.startupRetry | int | `2` | The number of retries to etcd during startup
|
| etcd.timeout | int | `30` | Set the timeout value in seconds for subsequent
socket operations from apisix to etcd cluster |
+| etcd.watchTimeout | int | `50` | Set the timeout value in seconds for
watching etcd |
| externalEtcd | object |
`{"existingSecret":"","host":["http://etcd.host:2379"],"password":"","secretPasswordKey":"etcd-root-password","user":"root"}`
| external etcd configuration. If etcd.enabled is false, these configuration
will be used. |
| externalEtcd.existingSecret | string | `""` | if externalEtcd.existingSecret
is the name of secret containing the external etcd password |
| externalEtcd.host | list | `["http://etcd.host:2379"]` | if etcd.enabled is
false, use external etcd, support multiple address, if your etcd cluster
enables TLS, please use https scheme, e.g. https://127.0.0.1:2379. |
@@ -182,18 +241,22 @@ The command removes all the Kubernetes components
associated with the chart and
| extraDeploy | list | `[]` | Additional Kubernetes resources to deploy with
the release. |
| extraEnvVars | list | `[]` | extraEnvVars An array to add extra env vars
e.g: extraEnvVars: - name: FOO value: "bar" - name: FOO2 valueFrom:
secretKeyRef: name: SECRET_NAME key: KEY |
| extraInitContainers | list | `[]` | Additional `initContainers`, See
[Kubernetes
initContainers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/)
for the detail. |
-| extraVolumeMounts | list | `[]` | Additional `volume`, See [Kubernetes
Volumes](https://kubernetes.io/docs/concepts/storage/volumes/) for the detail. |
+| extraVolumeMounts | list | `[]` | Additional `volumeMounts` for the APISIX
container, See [Kubernetes
Volumes](https://kubernetes.io/docs/concepts/storage/volumes/) for the detail. |
| extraVolumes | list | `[]` | Additional `volume`, See [Kubernetes
Volumes](https://kubernetes.io/docs/concepts/storage/volumes/) for the detail. |
-| fullnameOverride | string | `""` | |
+| fullnameOverride | string | `""` | String to fully override the chart
fullname |
| global.imagePullSecrets | list | `[]` | Global Docker registry secret names
as an array |
-| hostNetwork | bool | `false` | |
+| hostNetwork | bool | `false` | Use the host's network namespace |
| image.pullPolicy | string | `"IfNotPresent"` | Apache APISIX image pull
policy |
| image.repository | string | `"apache/apisix"` | Apache APISIX image
repository |
| image.tag | string | `"3.17.0-ubuntu"` | Apache APISIX image tag Overrides
the image tag whose default is the chart appVersion. |
| ingress | object |
`{"annotations":{},"enabled":false,"hosts":[{"host":"apisix.local","paths":[]}],"servicePort":null,"tls":[]}`
| Using ingress access Apache APISIX service |
| ingress-controller | object |
`{"enabled":false,"webhook":{"enabled":false}}` | Ingress controller
configuration |
+| ingress-controller.enabled | bool | `false` | Enable the
apisix-ingress-controller sub-chart |
| ingress.annotations | object | `{}` | Ingress annotations |
+| ingress.enabled | bool | `false` | Enable an Ingress resource in front of
the APISIX service |
+| ingress.hosts | list | `[{"host":"apisix.local","paths":[]}]` | Ingress host
and path rules |
| ingress.servicePort | number | `nil` | Service port to send traffic.
Defaults to `service.http.servicePort`. |
+| ingress.tls | list | `[]` | Ingress TLS settings |
| initContainer.image | string | `"busybox"` | Init container image |
| initContainer.tag | float | `1.28` | Init container tag |
| metrics | object |
`{"serviceMonitor":{"annotations":{},"enabled":false,"interval":"15s","labels":{},"name":"","namespace":""}}`
| Observability configuration. |
@@ -203,7 +266,7 @@ The command removes all the Kubernetes components
associated with the chart and
| metrics.serviceMonitor.labels | object | `{}` | @param serviceMonitor.labels
ServiceMonitor extra labels |
| metrics.serviceMonitor.name | string | `""` | name of the serviceMonitor, by
default, it is the same as the apisix fullname |
| metrics.serviceMonitor.namespace | string | `""` | namespace where the
serviceMonitor is deployed, by default, it is the same as the namespace of the
apisix |
-| nameOverride | string | `""` | |
+| nameOverride | string | `""` | String to partially override the chart
fullname |
| nodeSelector | object | `{}` | Node labels for Apache APISIX pod assignment |
| podAnnotations | object | `{}` | Annotations to add to each pod |
| podDisruptionBudget | object |
`{"enabled":false,"maxUnavailable":1,"minAvailable":"90%"}` | See
https://kubernetes.io/docs/tasks/run-application/configure-pdb/ for more
details |
@@ -212,23 +275,30 @@ The command removes all the Kubernetes components
associated with the chart and
| podDisruptionBudget.minAvailable | string | `"90%"` | Set the `minAvailable`
of podDisruptionBudget. You can specify only one of `maxUnavailable` and
`minAvailable` in a single PodDisruptionBudget. See [Specifying a Disruption
Budget for your
Application](https://kubernetes.io/docs/tasks/run-application/configure-pdb/#specifying-a-poddisruptionbudget)
for more details |
| podSecurityContext | object | `{}` | Set the securityContext for Apache
APISIX pods |
| priorityClassName | string | `""` | Set
[priorityClassName](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#pod-priority)
for Apache APISIX pods |
-| rbac.create | bool | `false` | |
+| rbac.create | bool | `false` | Whether RBAC resources (ClusterRole and
ClusterRoleBinding) should be created |
| replicaCount | int | `1` | if useDaemonSet is true or autoscaling.enabled is
true, replicaCount not become effective |
| resources | object | `{}` | Set pod resource requests & limits |
| securityContext | object | `{}` | Set the securityContext for Apache APISIX
container |
-| service.externalIPs | list | `[]` | |
-| service.externalTrafficPolicy | string | `"Cluster"` | |
+| service.externalIPs | list | `[]` | IPs for which nodes in the cluster will
also accept traffic for the service |
+| service.externalTrafficPolicy | string | `"Cluster"` | Setting how the
Service route external traffic. If you want to keep the client source IP, you
can set this to Local, ref:
https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
|
| service.http | object |
`{"additionalContainerPorts":[],"containerPort":9080,"enabled":true,"servicePort":80}`
| Apache APISIX service settings for http |
| service.http.additionalContainerPorts | list | `[]` | Support multiple http
ports, See
[Configuration](https://github.com/apache/apisix/blob/0bc65ea9acd726f79f80ae0abd8f50b7eb172e3d/conf/config-default.yaml#L24)
|
+| service.http.containerPort | int | `9080` | Container port APISIX listens on
for HTTP traffic |
+| service.http.enabled | bool | `true` | Enable plain HTTP listeners |
+| service.http.servicePort | int | `80` | Kubernetes service port for HTTP
traffic |
| service.labelsOverride | object | `{}` | Override default labels assigned to
Apache APISIX gateway resources |
| service.stream | object | `{"enabled":false,"tcp":[],"udp":[]}` | Apache
APISIX service settings for stream. L4 proxy (TCP/UDP) |
+| service.stream.enabled | bool | `false` | Enable the stream (L4 proxy)
subsystem |
+| service.stream.tcp | list | `[]` | TCP proxy port list, element format: port
number, or a map with `addr` and optional `tls` |
+| service.stream.udp | list | `[]` | UDP proxy port list |
| service.tls | object | `{"servicePort":443}` | Apache APISIX service
settings for tls |
+| service.tls.servicePort | int | `443` | Kubernetes service port for HTTPS
traffic |
| service.type | string | `"NodePort"` | Apache APISIX service type for user
access itself |
-| serviceAccount.annotations | object | `{}` | |
-| serviceAccount.create | bool | `false` | |
-| serviceAccount.name | string | `""` | |
+| serviceAccount.annotations | object | `{}` | Annotations to add to the
ServiceAccount |
+| serviceAccount.create | bool | `false` | Whether a ServiceAccount should be
created for the APISIX pods |
+| serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If
not set and create is true, a name is generated from the chart fullname |
| timezone | string | `""` | timezone is the timezone where apisix uses. For
example: "UTC" or "Asia/Shanghai" This value will be set on apisix container's
environment variable TZ. You may need to set the timezone to be consistent with
your local time zone, otherwise the apisix's logs may used to retrieve event
maybe in wrong timezone. |
| tolerations | list | `[]` | List of node taints to tolerate |
| topologySpreadConstraints | list | `[]` | Topology Spread Constraints for
pod assignment spread across your cluster among failure-domains ref:
https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
|
-| updateStrategy | object | `{}` | |
+| updateStrategy | object | `{}` | Update strategy of the workload (Deployment
or DaemonSet), e.g. `type: RollingUpdate` |
| useDaemonSet | bool | `false` | set false to use `Deployment`, set true to
use `DaemonSet` |
diff --git a/charts/apisix/templates/configmap.yaml
b/charts/apisix/templates/configmap.yaml
index 6189527..8739d72 100644
--- a/charts/apisix/templates/configmap.yaml
+++ b/charts/apisix/templates/configmap.yaml
@@ -75,30 +75,42 @@ data:
enable_ipv6: {{ .Values.apisix.enableIPv6 }} # Enable nginx IPv6 resolver
enable_http2: {{ .Values.apisix.enableHTTP2 }}
enable_server_tokens: {{ .Values.apisix.enableServerTokens }} # Whether
the APISIX version number should be shown in Server header
+ show_upstream_status_in_response_header: {{
.Values.apisix.showUpstreamStatusInResponseHeader }} # when true, all upstream
statuses are written to `X-APISIX-Upstream-Status`; otherwise only 5xx codes
- # proxy_protocol: # Proxy Protocol configuration
- # listen_http_port: 9181 # The port with proxy protocol for
http, it differs from node_listen and admin_listen.
- # # This port can only receive http
request with proxy protocol, but node_listen & admin_listen
- # # can only receive http request. If
you enable proxy protocol, you must use this port to
- # # receive http request with proxy
protocol
- # listen_https_port: 9182 # The port with proxy protocol for
https
- # enable_tcp_pp: true # Enable the proxy protocol for tcp
proxy, it works for stream_proxy.tcp option
- # enable_tcp_pp_to_upstream: true # Enables the proxy protocol to the
upstream server
+ {{- if or .Values.apisix.proxyProtocol.enableTcpPP
.Values.apisix.proxyProtocol.enableTcpPPToUpstream
.Values.apisix.proxyProtocol.listenHttpPort
.Values.apisix.proxyProtocol.listenHttpsPort }}
+ proxy_protocol:
+ {{- if .Values.apisix.proxyProtocol.listenHttpPort }}
+ listen_http_port: {{ .Values.apisix.proxyProtocol.listenHttpPort }}
+ {{- end }}
+ {{- if .Values.apisix.proxyProtocol.listenHttpsPort }}
+ listen_https_port: {{ .Values.apisix.proxyProtocol.listenHttpsPort }}
+ {{- end }}
+ enable_tcp_pp: {{ .Values.apisix.proxyProtocol.enableTcpPP }}
+ enable_tcp_pp_to_upstream: {{
.Values.apisix.proxyProtocol.enableTcpPPToUpstream }}
+ {{- end }}
proxy_cache: # Proxy Caching configuration
- cache_ttl: 10s # The default caching time if the
upstream does not specify the cache time
+ cache_ttl: {{ .Values.apisix.proxyCache.cacheTtl }} # The default
caching time if the upstream does not specify the cache time
zones: # The parameters of a cache
- - name: disk_cache_one # The name of the cache,
administrator can be specify
- # which cache to use by name in the
admin api
- memory_size: 50m # The size of shared memory, it's
used to store the cache index
- disk_size: 1G # The size of disk, it's used to
store the cache data
- disk_path: "/tmp/disk_cache_one" # The path to store the cache data
- cache_levels: "1:2" # The hierarchy levels of a cache
- # - name: disk_cache_two
- # memory_size: 50m
- # disk_size: 1G
- # disk_path: "/tmp/disk_cache_two"
- # cache_levels: "1:2"
+ {{- toYaml .Values.apisix.proxyCache.zones | nindent 10 }}
+
+ delete_uri_tail_slash: {{ .Values.apisix.deleteURITailSlash }} #
delete the '/' at the end of the URI
+ # The URI normalization in servlet is a little different from the RFC's.
+ # See
https://github.com/jakartaee/servlet/blob/master/spec/src/main/asciidoc/servlet-spec-body.adoc#352-uri-path-canonicalization,
+ # which is used under Tomcat.
+ # Turn this option on if you want to be compatible with servlet when
matching URI path.
+ normalize_uri_like_servlet: {{ .Values.apisix.normalizeURILikeServlet }}
+
+ # fine tune the parameters of LRU cache for some features like secret
+ lru:
+ secret:
+ ttl: {{ .Values.apisix.lru.secret.ttl }} # seconds
+ count: {{ .Values.apisix.lru.secret.count }}
+ neg_ttl: {{ .Values.apisix.lru.secret.neg_ttl }}
+ neg_count: {{ .Values.apisix.lru.secret.neg_count }}
+
+ tracing: {{ .Values.apisix.tracing }} # Enable comprehensive request
lifecycle tracing (SSL/SNI, rewrite, access, header_filter, body_filter, and
log).
+ # When disabled, OpenTelemetry
collects only a single span per request.
router:
http: {{ .Values.apisix.router.http }} # radixtree_uri: match route
by uri(base on radixtree)
@@ -147,12 +159,15 @@ data:
{{- end }}
{{- end }}
{{- end }}
- # dns_resolver:
- # {{- range $resolver := .Values.apisix.dns.resolvers }}
- # - {{ $resolver }}
- # {{- end }}
+ {{- with .Values.apisix.dns.resolvers }}
+ dns_resolver: # If not set, read from `/etc/resolv.conf`
+ {{- range $resolver := . }}
+ - {{ $resolver }}
+ {{- end }}
+ {{- end }}
dns_resolver_valid: {{.Values.apisix.dns.validity}}
resolver_timeout: {{.Values.apisix.dns.timeout}}
+ enable_resolv_search_opt: {{ .Values.apisix.dns.enableResolvSearchOpt }}
ssl:
enable: {{ .Values.apisix.ssl.enabled }}
listen:
@@ -163,6 +178,7 @@ data:
{{- end }}
ssl_protocols: {{ .Values.apisix.ssl.sslProtocols | quote }}
ssl_ciphers: {{ .Values.apisix.ssl.sslCiphers | quote }}
+ ssl_session_tickets: {{ .Values.apisix.ssl.sslSessionTickets }}
{{- if and .Values.apisix.ssl.enabled
.Values.apisix.ssl.existingCASecret }}
ssl_trusted_certificate: "/usr/local/apisix/conf/ssl/{{
.Values.apisix.ssl.certCAFilename }}"
{{- end }}
@@ -187,6 +203,9 @@ data:
worker_processes: "{{ .Values.apisix.nginx.workerProcesses }}"
enable_cpu_affinity: {{ and true .Values.apisix.nginx.enableCPUAffinity
}}
worker_rlimit_nofile: {{ default "20480"
.Values.apisix.nginx.workerRlimitNofile }} # the number of files a worker
process can open, should be larger than worker_connections
+ worker_shutdown_timeout: "{{ default "240s"
.Values.apisix.nginx.workerShutdownTimeout }}" # timeout for a graceful
shutdown of worker processes
+ max_pending_timers: {{ default "16384"
.Values.apisix.nginx.maxPendingTimers }} # increase it if you see "too many
pending timers" error
+ max_running_timers: {{ default "4096"
.Values.apisix.nginx.maxRunningTimers }} # increase it if you see
"lua_max_running_timers are not enough" error
event:
worker_connections: {{ default "10620"
.Values.apisix.nginx.workerConnections }}
{{- with .Values.apisix.nginx.envs }}
@@ -202,6 +221,13 @@ data:
{{ $dict.name }}: {{ $dict.size }}
{{- end }}
{{- end }}
+ stream:
+ enable_access_log: {{ .Values.apisix.nginx.logs.stream.enableAccessLog
}}
+ {{- if .Values.apisix.nginx.logs.stream.enableAccessLog }}
+ access_log: "{{ .Values.apisix.nginx.logs.stream.accessLog }}"
+ access_log_format: '{{
.Values.apisix.nginx.logs.stream.accessLogFormat }}'
+ access_log_format_escape: {{
.Values.apisix.nginx.logs.stream.accessLogFormatEscape }}
+ {{- end }}
http:
enable_access_log: {{ .Values.apisix.nginx.logs.enableAccessLog }}
{{- if .Values.apisix.nginx.logs.enableAccessLog }}
@@ -210,14 +236,26 @@ data:
access_log_format_escape: {{
.Values.apisix.nginx.logs.accessLogFormatEscape }}
{{- end }}
keepalive_timeout: {{ .Values.apisix.nginx.keepaliveTimeout | quote }}
- client_header_timeout: 60s # timeout for reading client request
header, then 408 (Request Time-out) error is returned to the client
- client_body_timeout: 60s # timeout for reading client request
body, then 408 (Request Time-out) error is returned to the client
- send_timeout: 10s # timeout for transmitting a response
to the client.then the connection is closed
- underscores_in_headers: "on" # default enables the use of
underscores in client request header fields
- real_ip_header: "X-Real-IP" #
http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header
+ client_header_timeout: {{
.Values.apisix.nginx.http.clientHeaderTimeout }} # timeout for reading
client request header, then 408 (Request Time-out) error is returned to the
client
+ client_body_timeout: {{ .Values.apisix.nginx.http.clientBodyTimeout }}
# timeout for reading client request body, then 408 (Request Time-out)
error is returned to the client
+ send_timeout: {{ .Values.apisix.nginx.http.sendTimeout }}
# timeout for transmitting a response to the client.then the connection is
closed
+ client_max_body_size: {{ .Values.apisix.nginx.http.clientMaxBodySize
}} # The maximum allowed size of the client request body.
+ # If exceeded, the 413 (Request Entity
Too Large) error is returned to the client.
+ # Note that unlike Nginx, we don't
limit the body size by default.
+ underscores_in_headers: {{
.Values.apisix.nginx.http.underscoresInHeaders | quote }} # default enables
the use of underscores in client request header fields
+ real_ip_header: {{ .Values.apisix.nginx.http.realIpHeader | quote }}
# http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header
+ real_ip_recursive: {{ .Values.apisix.nginx.http.realIpRecursive |
quote }} #
http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_recursive
real_ip_from: #
http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
- - 127.0.0.1
- - 'unix:'
+ {{- range $ip := .Values.apisix.nginx.http.realIpFrom }}
+ - {{ $ip | quote }}
+ {{- end }}
+ proxy_ssl_server_name: {{ .Values.apisix.nginx.http.proxySslServerName
}} # send the server name (SNI) when establishing a TLS connection with the
proxied HTTPS upstream
+ upstream:
+ keepalive: {{ .Values.apisix.nginx.http.upstream.keepalive }}
# The maximum number of idle keepalive connections to upstream
servers per worker process
+ keepalive_requests: {{
.Values.apisix.nginx.http.upstream.keepaliveRequests }} # The maximum number
of requests that can be served through one keepalive connection
+ keepalive_timeout: {{
.Values.apisix.nginx.http.upstream.keepaliveTimeout }} # Timeout during
which an idle keepalive connection to an upstream server will stay open
+ charset: {{ .Values.apisix.nginx.http.charset }} # Adds the
specified charset to the "Content-Type" response header field
+ variables_hash_max_size: {{
.Values.apisix.nginx.http.variablesHashMaxSize }} # Sets the maximum size of
the variables hash table
{{- if .Values.apisix.nginx.customLuaSharedDicts }}
custom_lua_shared_dict: # add custom shared cache to nginx.conf
{{- range $dict := .Values.apisix.nginx.customLuaSharedDicts }}
@@ -249,6 +287,9 @@ data:
stream_configuration_snippet: {{- toYaml
.Values.apisix.nginx.configurationSnippet.stream | indent 6 }}
{{- end }}
+ graphql:
+ max_size: {{ int .Values.apisix.graphql.maxSize }} # the maximum size
limitation of graphql in bytes
+
{{- if .Values.apisix.discovery.enabled }}
discovery:
{{- range $key, $value := .Values.apisix.discovery.registry }}
@@ -390,7 +431,9 @@ data:
{{- end}}
{{- end }}
prefix: {{ .Values.etcd.prefix | quote }} # configuration prefix in
etcd
- timeout: {{ .Values.etcd.timeout }} # 30 seconds
+ timeout: {{ .Values.etcd.timeout }} # The timeout in seconds when
connect/read/write to etcd
+ watch_timeout: {{ .Values.etcd.watchTimeout }} # The timeout in
seconds when watch etcd
+ startup_retry: {{ .Values.etcd.startupRetry }} # the number of
retry to etcd during the startup
{{- if and (not .Values.etcd.enabled) .Values.externalEtcd.user }}
user: {{ .Values.externalEtcd.user | quote }}
password: "{{ print "${{ APISIX_ETCD_PASSWORD }}" }}"
diff --git a/charts/apisix/templates/hpa.yaml b/charts/apisix/templates/hpa.yaml
index db3acc5..feb4095 100644
--- a/charts/apisix/templates/hpa.yaml
+++ b/charts/apisix/templates/hpa.yaml
@@ -14,7 +14,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-{{- if .Values.autoscaling.enabled }}
+{{- if and .Values.autoscaling.enabled (not .Values.useDaemonSet) }}
apiVersion: autoscaling/{{ .Values.autoscaling.version }}
kind: HorizontalPodAutoscaler
diff --git a/charts/apisix/templates/service-gateway.yaml
b/charts/apisix/templates/service-gateway.yaml
index 7797435..71b6e6a 100644
--- a/charts/apisix/templates/service-gateway.yaml
+++ b/charts/apisix/templates/service-gateway.yaml
@@ -76,6 +76,24 @@ spec:
port: {{ .port }}
targetPort: {{ .port }}
{{- end }}
+ {{- if .Values.apisix.proxyProtocol.listenHttpPort }}
+ - name: apisix-gateway-pp
+ port: {{ .Values.apisix.proxyProtocol.listenHttpPort }}
+ targetPort: {{ .Values.apisix.proxyProtocol.listenHttpPort }}
+ {{- if (and (eq .Values.service.type "NodePort") (not (empty
.Values.apisix.proxyProtocol.listenHttpNodePort))) }}
+ nodePort: {{ .Values.apisix.proxyProtocol.listenHttpNodePort }}
+ {{- end }}
+ protocol: TCP
+ {{- end }}
+ {{- if .Values.apisix.proxyProtocol.listenHttpsPort }}
+ - name: apisix-gateway-pp-tls
+ port: {{ .Values.apisix.proxyProtocol.listenHttpsPort }}
+ targetPort: {{ .Values.apisix.proxyProtocol.listenHttpsPort }}
+ {{- if (and (eq .Values.service.type "NodePort") (not (empty
.Values.apisix.proxyProtocol.listenHttpsNodePort))) }}
+ nodePort: {{ .Values.apisix.proxyProtocol.listenHttpsNodePort }}
+ {{- end }}
+ protocol: TCP
+ {{- end }}
{{- if and .Values.service.stream.enabled (or (gt (len
.Values.service.stream.tcp) 0) (gt (len .Values.service.stream.udp) 0)) }}
{{- with .Values.service.stream }}
{{- if (gt (len .tcp) 0) }}
diff --git a/charts/apisix/values.yaml b/charts/apisix/values.yaml
index f1dc02b..41a4cd8 100644
--- a/charts/apisix/values.yaml
+++ b/charts/apisix/values.yaml
@@ -65,8 +65,6 @@ podDisruptionBudget:
# -- Set pod resource requests & limits
resources: {}
- # -- Use the host's network namespace
-
# We usually recommend not to specify default resources and to leave this as
a conscious
# choice for the user. This also increases chances charts run on
environments with little
# resources, such as Minikube. If you do want to specify resources,
uncomment the following
@@ -77,6 +75,8 @@ resources: {}
# requests:
# cpu: 100m
# memory: 128Mi
+
+# -- Use the host's network namespace
hostNetwork: false
# -- Node labels for Apache APISIX pod assignment
@@ -108,6 +108,7 @@ timezone: ""
# key: KEY
extraEnvVars: []
+# -- Update strategy of the workload (Deployment or DaemonSet), e.g. `type:
RollingUpdate`
updateStrategy: {}
# type: RollingUpdate
@@ -119,7 +120,7 @@ extraVolumes: []
# - name: extras
# emptyDir: {}
-# -- Additional `volume`, See [Kubernetes
Volumes](https://kubernetes.io/docs/concepts/storage/volumes/) for the detail.
+# -- Additional `volumeMounts` for the APISIX container, See [Kubernetes
Volumes](https://kubernetes.io/docs/concepts/storage/volumes/) for the detail.
extraVolumeMounts: []
# - name: extras
# mountPath: /usr/share/extras
@@ -141,41 +142,55 @@ initContainer:
tag: 1.28
autoscaling:
+ # -- Enable HorizontalPodAutoscaler for APISIX (only when useDaemonSet is
false)
enabled: false
# -- HPA version, the value is "v2" or "v2beta1", default "v2"
version: v2
+ # -- Minimum number of APISIX replicas
minReplicas: 1
+ # -- Maximum number of APISIX replicas
maxReplicas: 100
+ # -- Target average CPU utilization percentage that triggers scaling
targetCPUUtilizationPercentage: 80
+ # -- Target average memory utilization percentage that triggers scaling
targetMemoryUtilizationPercentage: 80
+# -- String to partially override the chart fullname
nameOverride: ""
+# -- String to fully override the chart fullname
fullnameOverride: ""
serviceAccount:
+ # -- Whether a ServiceAccount should be created for the APISIX pods
create: false
+ # -- Annotations to add to the ServiceAccount
annotations: {}
+ # -- Name of the ServiceAccount to use. If not set and create is true, a
name is generated from the chart fullname
name: ""
rbac:
+ # -- Whether RBAC resources (ClusterRole and ClusterRoleBinding) should be
created
create: false
service:
# -- Apache APISIX service type for user access itself
type: NodePort
- # -- Setting how the Service route external traffic
- # If you want to keep the client source IP, you can set this to Local.
-
+ # -- Setting how the Service route external traffic.
+ # If you want to keep the client source IP, you can set this to Local,
# ref:
https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
externalTrafficPolicy: Cluster
# type: LoadBalancer
# annotations:
# service.beta.kubernetes.io/aws-load-balancer-type: nlb
+ # -- IPs for which nodes in the cluster will also accept traffic for the
service
externalIPs: []
# -- Apache APISIX service settings for http
http:
+ # -- Enable plain HTTP listeners
enabled: true
+ # -- Kubernetes service port for HTTP traffic
servicePort: 80
+ # -- Container port APISIX listens on for HTTP traffic
containerPort: 9080
# -- Support multiple http ports, See
[Configuration](https://github.com/apache/apisix/blob/0bc65ea9acd726f79f80ae0abd8f50b7eb172e3d/conf/config-default.yaml#L24)
additionalContainerPorts: []
@@ -186,13 +201,17 @@ service:
# enable_http2: true
# -- Apache APISIX service settings for tls
tls:
+ # -- Kubernetes service port for HTTPS traffic
servicePort: 443
# nodePort: 4443
# -- Apache APISIX service settings for stream. L4 proxy (TCP/UDP)
stream:
+ # -- Enable the stream (L4 proxy) subsystem
enabled: false
+ # -- TCP proxy port list, element format: port number, or a map with
`addr` and optional `tls`
tcp: []
+ # -- UDP proxy port list
udp: []
# - secretName: apisix-tls
# hosts:
@@ -205,6 +224,7 @@ service:
# -- Using ingress access Apache APISIX service
ingress:
+ # -- Enable an Ingress resource in front of the APISIX service
enabled: false
# -- (number) Service port to send traffic. Defaults to
`service.http.servicePort`.
servicePort:
@@ -212,9 +232,11 @@ ingress:
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
+ # -- Ingress host and path rules
hosts:
- host: apisix.local
paths: []
+ # -- Ingress TLS settings
tls: []
control:
@@ -242,6 +264,7 @@ control:
servicePort: 9090
# -- Using ingress access Apache APISIX Control service
ingress:
+ # -- Enable an Ingress resource in front of the Control API service
enabled: false
# -- Ingress annotations
annotations:
@@ -250,10 +273,12 @@ control:
# kubernetes.io/tls-acme: "true"
# -- Ingress Class Name
# className: "nginx"
+ # -- Ingress host and path rules
hosts:
- host: apisix-control.local
paths:
- "/*"
+ # -- Ingress TLS settings
tls: []
# - secretName: apisix-tls
# hosts:
@@ -278,16 +303,87 @@ metrics:
apisix:
# -- Enable nginx IPv6 resolver
enableIPv6: true
+ # -- Enable HTTP/2 on the HTTP listeners
enableHTTP2: true
# -- Whether the APISIX version number should be shown in Server header
enableServerTokens: true
+ # -- When true, the upstream status is always written to the
`X-APISIX-Upstream-Status` response header; when false, it is written only for
5xx responses
+ showUpstreamStatusInResponseHeader: false
+
+ # -- PROXY Protocol configuration.
+ proxyProtocol:
+ # -- (int) The HTTP port that accepts the PROXY Protocol. It differs from
`service.http` ports and `apisix.admin` port:
+ # this port only accepts HTTP requests carrying the PROXY Protocol, while
the other ports only accept plain HTTP
+ # requests. If you enable the PROXY Protocol, you must use this port to
receive HTTP requests with it.
+ # When set, the port is also exposed on the gateway Service.
+ listenHttpPort:
+ # -- (int) The nodePort of the PROXY Protocol HTTP port, only used if
service.type is NodePort.
+ # If not set, a random port will be assigned by Kubernetes.
+ listenHttpNodePort:
+ # -- (int) The HTTPS port that accepts the PROXY Protocol.
+ # When set, the port is also exposed on the gateway Service.
+ listenHttpsPort:
+ # -- (int) The nodePort of the PROXY Protocol HTTPS port, only used if
service.type is NodePort.
+ # If not set, a random port will be assigned by Kubernetes.
+ listenHttpsNodePort:
+ # -- Accept the PROXY Protocol on every service.stream.tcp port.
+ enableTcpPP: false
+ # -- Send the PROXY Protocol to the upstream server on every
service.stream.tcp port.
+ enableTcpPPToUpstream: false
+
+ # -- Proxy caching configuration used by the proxy-cache plugin.
+ proxyCache:
+ # -- The default caching time in disk if the upstream does not specify the
cache time
+ cacheTtl: 10s
+ # -- The parameters of a cache. The `memory_size` field stores the cache
index for the
+ # disk strategy and the cache content for the memory strategy;
`disk_size`, `disk_path`
+ # and `cache_levels` only apply to the disk strategy.
+ zones:
+ - name: disk_cache_one
+ memory_size: 50m
+ disk_size: 1G
+ disk_path: "/tmp/disk_cache_one"
+ cache_levels: "1:2"
+ - name: memory_cache
+ memory_size: 50m
+
+ graphql:
+ # -- The maximum size in bytes of GraphQL queries APISIX parses when
matching routes by GraphQL attributes (default 1MiB)
+ maxSize: 1048576
+
+ # -- Delete the '/' at the end of the URI
+ deleteURITailSlash: false
+
+ # -- The URI normalization in servlet is a little different from the RFC's.
+ # See
https://github.com/jakartaee/servlet/blob/master/spec/src/main/asciidoc/servlet-spec-body.adoc#352-uri-path-canonicalization,
+ # which is used under Tomcat.
+ # Turn this option on if you want to be compatible with servlet when
matching URI path.
+ normalizeURILikeServlet: false
+
+ # -- fine tune the parameters of LRU cache for some features like secret
+ lru:
+ secret:
+ # -- TTL in seconds for cached secret values
+ ttl: 300
+ # -- Maximum number of cached secret values
+ count: 512
+ # -- TTL in seconds for cached negative (failed lookup) results
+ neg_ttl: 60
+ # -- Maximum number of cached negative (failed lookup) results
+ neg_count: 512
+
+ # -- Enable comprehensive request lifecycle tracing (SSL/SNI, rewrite,
access, header_filter, body_filter, and log).
+ # When disabled, OpenTelemetry collects only a single span per request.
+ tracing: false
+
# -- Use Pod metadata.uid as the APISIX id.
setIDFromPodUID: false
# -- Whether to add a custom lua module
luaModuleHook:
+ # -- Enable loading a custom lua module hook
enabled: false
# -- extend lua_package_path to load third party code
luaPath: ""
@@ -306,7 +402,9 @@ apisix:
path: ""
ssl:
+ # -- Enable HTTPS listeners
enabled: false
+ # -- Container port APISIX listens on for HTTPS traffic
containerPort: 9443
# -- Support multiple https ports, See
[Configuration](https://github.com/apache/apisix/blob/0bc65ea9acd726f79f80ae0abd8f50b7eb172e3d/conf/config-default.yaml#L99)
additionalContainerPorts: []
@@ -317,11 +415,15 @@ apisix:
existingCASecret: ""
# -- Filename be used in the apisix.ssl.existingCASecret
certCAFilename: ""
+ # -- Enable HTTP/3 (QUIC) on the HTTPS listeners
enableHTTP3: false
# -- TLS protocols allowed to use.
sslProtocols: "TLSv1.2 TLSv1.3"
# -- TLS ciphers allowed to use.
sslCiphers:
"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES25
[...]
+ # -- Enable or disable TLS session tickets. Disabled by default because
session tickets
+ # defeat Perfect Forward Secrecy (see
https://github.com/mozilla/server-side-tls/issues/135)
+ sslSessionTickets: false
# -- Define SNI to fallback if none is presented by client
fallbackSNI: ""
@@ -352,7 +454,7 @@ apisix:
# ref: https://apisix.apache.org/docs/apisix/deployment-modes/
role: "traditional"
role_traditional:
- # enum: etcd, yaml
+ # -- Config provider for the traditional role. enum: etcd, yaml
config_provider: "etcd"
# -- Standalone rules configuration
@@ -414,29 +516,86 @@ apisix:
- 127.0.0.1/24
# -- Using ingress access Apache APISIX admin service
ingress:
+ # -- Enable an Ingress resource in front of the Admin API service
enabled: false
# -- Ingress annotations
annotations:
{}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
+ # -- Ingress host and path rules
hosts:
- host: apisix-admin.local
paths:
- "/apisix"
+ # -- Ingress TLS settings
tls: []
# - secretName: apisix-tls
# hosts:
# - chart-example.local
nginx:
+ # -- The number of files a worker process can open, should be larger than
apisix.nginx.workerConnections
workerRlimitNofile: "20480"
+ # -- The maximum number of connections that each worker process can open
workerConnections: "10620"
+ # -- The number of nginx worker processes. `auto` means the number of CPU
cores
workerProcesses: auto
+ # -- Bind nginx worker processes to CPUs
enableCPUAffinity: true
+ # -- Timeout for a graceful shutdown of worker processes
+ workerShutdownTimeout: "240s"
+ # -- Maximum number of pending timers. Increase it if you see "too many
pending timers" error
+ maxPendingTimers: 16384
+ # -- Maximum number of running timers. Increase it if you see
"lua_max_running_timers are not enough" error
+ maxRunningTimers: 4096
# -- Timeout during which a keep-alive client connection will stay open on
the server side.
keepaliveTimeout: 60s
+ # -- List of environment variable names allowed to be accessed within
nginx (rendered as nginx `env` directives)
envs: []
+ # -- Nginx HTTP subsystem configurations
+ http:
+ # -- timeout for reading client request header, then 408 (Request
Time-out) error is returned to the client
+ clientHeaderTimeout: "60s"
+ # -- timeout for reading client request body, then 408 (Request
Time-out) error is returned to the client
+ clientBodyTimeout: "60s"
+ # -- timeout for transmitting a response to the client, then the
connection is closed
+ sendTimeout: "10s"
+ # -- The maximum allowed size of the client request body.
+ # If exceeded, the 413 (Request Entity Too Large) error is returned to
the client.
+ # Note that unlike Nginx, we don't limit the body size by default (0
means no limit).
+ clientMaxBodySize: 0
+ # -- Enable the use of underscores in client request header fields
+ underscoresInHeaders: "on"
+ # -- The request header used to determine the client's real IP address,
+ # see
[real_ip_header](http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header)
+ realIpHeader: "X-Real-IP"
+ # -- Whether to search for the real IP recursively when the header set
in apisix.nginx.http.realIpHeader contains multiple addresses,
+ # see
[real_ip_recursive](http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_recursive)
+ realIpRecursive: "off"
+ # -- Trusted addresses from which the real IP header is honored,
+ # see
[set_real_ip_from](http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from)
+ realIpFrom:
+ - 127.0.0.1
+ - "unix:"
+ # -- Enables or disables passing of the server name through TLS Server
Name Indication extension (SNI, RFC 6066)
+ # when establishing a connection with the proxied HTTPS server
+ proxySslServerName: true
+ # -- Keepalive settings for connections from APISIX to upstream servers
+ upstream:
+ # -- Maximum number of idle keepalive connections to upstream servers
that are preserved in the cache of each worker process.
+ # When this number is exceeded, the least recently used connections
are closed
+ keepalive: 320
+ # -- Maximum number of requests that can be served through one
keepalive connection.
+ # After the maximum number of requests is made, the connection is
closed
+ keepaliveRequests: 1000
+ # -- Timeout during which an idle keepalive connection to an upstream
server will stay open
+ keepaliveTimeout: 60s
+ # -- The charset added to the "Content-Type" response header field,
+ # see
[charset](http://nginx.org/en/docs/http/ngx_http_charset_module.html#charset)
+ charset: utf-8
+ # -- The maximum size of the nginx variables hash table
+ variablesHashMaxSize: 2048
# access log and error log configuration
logs:
# -- Enable access log or not, default true
@@ -451,18 +610,36 @@ apisix:
errorLog: "/dev/stderr"
# -- Error log level
errorLogLevel: "warn"
- # -- Custom configuration snippet.
+ # -- Stream (L4 proxy) access log configuration
+ stream:
+ # -- Enable stream access log or not, default false
+ enableAccessLog: false
+ # -- Stream access log path
+ accessLog: "logs/access_stream.log"
+ # -- Stream access log format
+ accessLogFormat: '$remote_addr [$time_local] $protocol $status
$bytes_sent $bytes_received $session_time'
+ # -- Allows setting json or default characters escaping in variables
for stream
+ accessLogFormatEscape: default
+ # -- Custom nginx configuration snippets injected into the generated
nginx.conf.
+ # As arbitrary configuration can be added here, it is your responsibility
to make sure
+ # the snippets don't conflict with the configuration generated by APISIX.
configurationSnippet:
+ # -- Snippet added to the nginx `main` (top-level) block
main: |
+ # -- Snippet added to the beginning of the nginx `http` block
httpStart: |
+ # -- Snippet added to the end of the nginx `http` block
httpEnd: |
+ # -- Snippet added to the nginx `server` block that proxies regular
traffic
httpSrv: |
+ # -- Snippet added to the nginx `server` block that serves the Admin API
httpAdmin: |
+ # -- Snippet added to the nginx `stream` block
stream: |
# -- Add custom
[lua_shared_dict](https://github.com/openresty/lua-nginx-module?tab=readme-ov-file#lua_shared_dict)
settings,
@@ -533,15 +710,18 @@ apisix:
# This is for allowing the default `host` and `port` of
`.discovery.registry.kubernetes.service`.
dns:
- resolvers:
- - 127.0.0.1
- - 172.20.0.10
- - 114.114.114.114
- - 223.5.5.5
- - 1.1.1.1
- - 8.8.8.8
+ # -- Nameservers used by APISIX to resolve upstream domain names.
+ # When empty (default), nameservers are read from `/etc/resolv.conf`,
+ # which is usually what you want inside Kubernetes
+ resolvers: []
+ # - 127.0.0.1
+ # - 8.8.8.8
+ # -- Override the TTL in seconds of valid DNS records
validity: 30
+ # -- DNS resolver timeout in seconds
timeout: 5
+ # -- Honor the `search` option in `/etc/resolv.conf` when resolving domain
names
+ enableResolvSearchOpt: true
vault:
# -- Enable or disable the vault integration
@@ -556,7 +736,7 @@ apisix:
prefix: ""
prometheus:
- # ref: https://apisix.apache.org/docs/apisix/plugins/prometheus/
+ # -- Enable Prometheus metrics. ref:
https://apisix.apache.org/docs/apisix/plugins/prometheus/
enabled: false
# -- path of the metrics endpoint
path: /apisix/prometheus/metrics
@@ -583,6 +763,7 @@ apisix:
wasm:
# -- Enable Wasm Plugins. See [wasm
plugin](https://apisix.apache.org/docs/apisix/next/wasm/)
enabled: false
+ # -- List of Wasm plugins, each item with `name`, `priority` and `file`
(path or URL of the wasm binary)
plugins: []
# -- customPlugins allows you to mount your own HTTP plugins.
@@ -608,7 +789,9 @@ apisix:
path: "mount-path"
status:
+ # -- The IP address on which the status endpoint (`/status`,
`/status/ready`) listens
ip: "0.0.0.0"
+ # -- The port on which the status endpoint listens
port: 7085
# -- When configured, APISIX will trust the `X-Forwarded-*` Headers passed
in requests from the IP/CIDR in the list.
@@ -651,6 +834,10 @@ etcd:
prefix: "/apisix"
# -- Set the timeout value in seconds for subsequent socket operations from
apisix to etcd cluster
timeout: 30
+ # -- Set the timeout value in seconds for watching etcd
+ watchTimeout: 50
+ # -- The number of retries to etcd during startup
+ startupRetry: 2
# -- if etcd.enabled is true, set more values of bitnamilegacy/etcd helm
chart
auth:
@@ -679,14 +866,19 @@ etcd:
enabled: false
service:
+ # -- etcd client service port
port: 2379
+ # -- Number of etcd replicas, only used when etcd.enabled is true
replicaCount: 3
+ # -- Auto compaction retention for mvcc key value store, only used when
etcd.enabled is true
autoCompactionRetention: "1h"
+ # -- Auto compaction mode (periodic or revision), only used when
etcd.enabled is true
autoCompactionMode: "periodic"
# -- Ingress controller configuration
ingress-controller:
+ # -- Enable the apisix-ingress-controller sub-chart
enabled: false
webhook:
# Specifies whether to enable the validation webhook.