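## Helm values for the NGINX Ingress Controller chart.
##
## Layout restored to one key per line: in the collapsed form every key that followed a `##`
## comment on the same physical line was read as comment text and never reached the chart.
## All values are unchanged. Nesting follows the `controller.*` / `prometheus.*` /
## `nginxServiceMesh.*` paths quoted in the comments; the placement of commented-out keys is a
## best reading and should be confirmed against the chart's templates.
controller:
  ## The name of the Ingress Controller daemonset or deployment.
  name: controller

  ## The kind of the Ingress Controller installation - deployment or daemonset.
  kind: deployment

  ## Annotations for deployments and daemonsets
  annotations: {}

  ## Deploys the Ingress Controller for NGINX Plus.
  nginxplus: false

  ## Timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload
  ## after a change or at the initial start.
  nginxReloadTimeout: 60000

  ## Support for App Protect WAF
  appprotect:
    ## Enable the App Protect WAF module in the Ingress Controller.
    enable: false
    ## Sets log level for App Protect WAF. Allowed values: fatal, error, warn, info, debug, trace
    # logLevel: fatal

  ## Support for App Protect DoS
  appprotectdos:
    ## Enable the App Protect DoS module in the Ingress Controller.
    enable: false
    ## Enable debugging for App Protect DoS.
    debug: false
    ## Max number of nginx processes to support.
    maxWorkers: 0
    ## Max number of ADMD instances.
    maxDaemons: 0
    ## RAM memory size to consume in MB.
    memory: 0

  ## Enables the Ingress Controller pods to use the host's network namespace.
  ## Security note: with hostNetwork enabled the pod shares the node's network namespace, so
  ## every port NGINX listens on (including status and metrics ports) is bound on the node
  ## itself. Leave disabled unless the deployment model requires it.
  hostNetwork: false

  ## DNS policy for the Ingress Controller pods
  dnsPolicy: ClusterFirst

  ## Enables debugging for NGINX. Uses the nginx-debug binary. Requires error-log-level: debug
  ## in the ConfigMap via `controller.config.entries`.
  nginxDebug: false

  ## The log level of the Ingress Controller.
  logLevel: 1

  ## A list of custom ports to expose on the NGINX Ingress Controller pod. Follows the
  ## conventional Kubernetes yaml syntax for container ports.
  ## NOTE(review): a bare port number is not a container-port object
  ## (name / containerPort / protocol); confirm the chart templates accept this form.
  customPorts: [8140]

  image:
    ## The image repository of the Ingress Controller.
    repository: nginx/nginx-ingress

    ## The tag of the Ingress Controller image. If not specified the appVersion from Chart.yaml
    ## is used as a tag.
    # tag: "3.1.1"

    ## The digest of the Ingress Controller image.
    ## If digest is specified it has precedence over tag and will be used instead
    ## Security note: a tag can be re-pointed at different content in the registry; a digest
    ## cannot. Pin the digest of an image you have verified when the supply chain matters.
    # digest: "sha256:CHANGEME"

    ## The pull policy for the Ingress Controller image.
    pullPolicy: IfNotPresent

  ## The lifecycle of the Ingress Controller pods.
  lifecycle: {}

  ## The custom ConfigMap to use instead of the one provided by default
  customConfigMap: ""

  config:
    ## The name of the ConfigMap used by the Ingress Controller.
    ## Autogenerated if not set or set to "".
    # name: nginx-config

    ## The annotations of the Ingress Controller configmap.
    annotations: {}

    ## The entries of the ConfigMap for customizing NGINX configuration.
    entries: {}

  ## It is recommended to use your own TLS certificates and keys
  ## Security note: the pre-generated certificate and key are the same for every installation
  ## that keeps these defaults, so the key cannot be treated as secret. Supply your own pair
  ## or omit the default server secret so NGINX rejects TLS connections to the default server.
  ## Prefer `secret` over `cert`/`key`: inline key material is carried in the values file and
  ## in the stored Helm release data.
  defaultTLS:
    ## The base64-encoded TLS certificate for the default HTTPS server. By default, a
    ## pre-generated self-signed certificate is used.
    ## Note: It is recommended that you specify your own certificate. Alternatively, omitting
    ## the default server secret completely will configure NGINX to reject TLS connections to
    ## the default server.
    cert: ""

    ## The base64-encoded TLS key for the default HTTPS server. By default, a pre-generated key
    ## is used.
    ## Note: It is recommended that you specify your own key. Alternatively, omitting the
    ## default server secret completely will configure NGINX to reject TLS connections to the
    ## default server.
    key: ""

    ## The secret with a TLS certificate and key for the default HTTPS server.
    ## The value must follow the following format: `<namespace>/<name>`.
    ## Used as an alternative to specifying a certificate and key using
    ## `controller.defaultTLS.cert` and `controller.defaultTLS.key` parameters.
    ## Note: Alternatively, omitting the default server secret completely will configure NGINX
    ## to reject TLS connections to the default server.
    ## Format: <namespace>/<name>
    secret: ""

  wildcardTLS:
    ## The base64-encoded TLS certificate for every Ingress/VirtualServer host that has TLS
    ## enabled but no secret specified.
    ## If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any
    ## attempt to establish a TLS connection.
    cert: ""

    ## The base64-encoded TLS key for every Ingress/VirtualServer host that has TLS enabled but
    ## no secret specified.
    ## If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any
    ## attempt to establish a TLS connection.
    key: ""

    ## The secret with a TLS certificate and key for every Ingress/VirtualServer host that has
    ## TLS enabled but no secret specified.
    ## The value must follow the following format: `<namespace>/<name>`.
    ## Used as an alternative to specifying a certificate and key using
    ## `controller.wildcardTLS.cert` and `controller.wildcardTLS.key` parameters.
    ## Format: <namespace>/<name>
    secret: ""

  ## The node selector for pod assignment for the Ingress Controller pods.
  # nodeSelector: {}

  ## The termination grace period of the Ingress Controller pod.
  terminationGracePeriodSeconds: 30

  ## HorizontalPodAutoscaling (HPA)
  autoscaling:
    ## Enables HorizontalPodAutoscaling.
    enabled: false
    ## The annotations of the Ingress Controller HorizontalPodAutoscaler.
    annotations: {}
    ## Minimum number of replicas for the HPA.
    minReplicas: 1
    ## Maximum number of replicas for the HPA.
    maxReplicas: 3
    ## The target cpu utilization percentage.
    targetCPUUtilizationPercentage: 50
    ## The target memory utilization percentage.
    targetMemoryUtilizationPercentage: 50

  ## The resources of the Ingress Controller pods.
  ## Security note: only requests are set. Without limits a traffic spike or reload storm in
  ## the controller can consume node CPU and memory shared with other workloads.
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
    # limits:
    #   cpu: 1
    #   memory: 1Gi

  ## The tolerations of the Ingress Controller pods.
  tolerations: []

  ## The affinity of the Ingress Controller pods.
  affinity: {}

  ## The topology spread constraints of the Ingress controller pods.
  # topologySpreadConstraints: {}

  ## The additional environment variables to be set on the Ingress Controller pods.
  env: []
  # - name: MY_VAR
  #   value: myvalue

  ## The volumes of the Ingress Controller pods.
  volumes: []
  # - name: extra-conf
  #   configMap:
  #     name: extra-conf

  ## The volumeMounts of the Ingress Controller pods.
  volumeMounts: []
  # - name: extra-conf
  #   mountPath: /etc/nginx/conf.d/extra.conf
  #   subPath: extra.conf

  ## InitContainers for the Ingress Controller pods.
  initContainers: []
  # - name: init-container
  #   image: busybox:1.34
  #   command: ['sh', '-c', 'echo this is initial setup!']

  ## The minimum number of seconds for which a newly created Pod should be ready without any of
  ## its containers crashing, for it to be considered available.
  minReadySeconds: 0

  ## Pod disruption budget for the Ingress Controller pods.
  podDisruptionBudget:
    ## Enables PodDisruptionBudget.
    enabled: false
    ## The annotations of the Ingress Controller pod disruption budget.
    annotations: {}
    ## The number of Ingress Controller pods that should be available. This is a mutually
    ## exclusive setting with "maxUnavailable".
    # minAvailable: 1
    ## The number of Ingress Controller pods that can be unavailable. This is a mutually
    ## exclusive setting with "minAvailable".
    # maxUnavailable: 1

  ## Strategy used to replace old Pods by new ones. .spec.strategy.type can be "Recreate" or
  ## "RollingUpdate" for Deployments, and "OnDelete" or "RollingUpdate" for Daemonsets.
  ## "RollingUpdate" is the default value.
  strategy: {}

  ## Extra containers for the Ingress Controller pods.
  extraContainers: []
  # - name: container
  #   image: busybox:1.34
  #   command: ['sh', '-c', 'echo this is a sidecar!']

  ## The number of replicas of the Ingress Controller deployment.
  replicaCount: 1

  ## A class of the Ingress Controller.
  ## IngressClass resource with the name equal to the class must be deployed. Otherwise,
  ## the Ingress Controller will fail to start.
  ## The Ingress Controller only processes resources that belong to its class - i.e. have the
  ## "ingressClassName" field resource equal to the class.
  ## The Ingress Controller processes all the resources that do not have the "ingressClassName"
  ## field for all versions of kubernetes.
  ingressClass: nginx

  ## New Ingresses without an ingressClassName field specified will be assigned the class
  ## specified in `controller.ingressClass`.
  setAsDefaultIngress: false

  ## Comma separated list of namespaces to watch for Ingress resources. By default the Ingress
  ## Controller watches all namespaces. Mutually exclusive with "controller.watchNamespaceLabel".
  watchNamespace: ""

  ## Configures the Ingress Controller to watch only those namespaces with label foo=bar. By
  ## default the Ingress Controller watches all namespaces. Mutually exclusive with
  ## "controller.watchNamespace".
  watchNamespaceLabel: ""

  ## Comma separated list of namespaces to watch for Secret resources. By default the Ingress
  ## Controller watches all namespaces.
  ## Security note: with the default, the controller watches Secrets in every namespace.
  ## Listing only the namespaces that hold TLS material narrows what a compromised controller
  ## pod is configured to read.
  watchSecretNamespace: ""

  ## Enable the custom resources.
  enableCustomResources: true

  ## Enable preview policies. This parameter is deprecated. To enable OIDC Policies please use
  ## controller.enableOIDC instead.
  enablePreviewPolicies: false

  ## Enable OIDC policies.
  enableOIDC: false

  ## Include year in log header. This parameter will be removed in release 2.7 and the year
  ## will be included by default.
  includeYear: false

  ## Enable TLS Passthrough on port 443. Requires controller.enableCustomResources.
  enableTLSPassthrough: false

  ## Enable cert manager for Virtual Server resources. Requires controller.enableCustomResources.
  enableCertManager: false

  ## Enable external DNS for Virtual Server resources. Requires controller.enableCustomResources.
  enableExternalDNS: false

  globalConfiguration:
    ## Creates the GlobalConfiguration custom resource. Requires controller.enableCustomResources.
    create: false

    ## The spec of the GlobalConfiguration for defining the global configuration parameters of
    ## the Ingress Controller.
    spec: {}
    # listeners:
    # - name: dns-udp
    #   port: 5353
    #   protocol: UDP
    # - name: dns-tcp
    #   port: 5353
    #   protocol: TCP

  ## Enable custom NGINX configuration snippets in Ingress, VirtualServer, VirtualServerRoute
  ## and TransportServer resources.
  ## Security note: a snippet is raw NGINX configuration, so enabling this gives every identity
  ## allowed to create or edit those resources a way to change the shared proxy's
  ## configuration. Keep disabled unless all such authors are trusted at that level.
  enableSnippets: false

  ## Add a location based on the value of health-status-uri to the default server. The location
  ## responds with the 200 status code for any request.
  ## Useful for external health-checking of the Ingress Controller.
  healthStatus: false

  ## Sets the URI of health status location in the default server. Requires
  ## controller.healthStatus.
  healthStatusURI: "/nginx-health"

  nginxStatus:
    ## Enable the NGINX stub_status, or the NGINX Plus API.
    enable: true

    ## Set the port where the NGINX stub_status or the NGINX Plus API is exposed.
    port: 8080

    ## Add IPv4 IP/CIDR blocks to the allow list for NGINX stub_status or the NGINX Plus API.
    ## Separate multiple IP/CIDR by commas.
    ## Security note: keep this list as narrow as the monitoring setup allows; every address
    ## added here can query the status endpoint (the NGINX Plus API when nginxplus is enabled).
    allowCidrs: "127.0.0.1"

  service:
    ## Creates a service to expose the Ingress Controller pods.
    create: true

    ## The type of service to create for the Ingress Controller.
    type: LoadBalancer

    ## The externalTrafficPolicy of the service. The value Local preserves the client source IP.
    externalTrafficPolicy: Local

    ## The annotations of the Ingress Controller service.
    annotations: {}

    ## The extra labels of the service.
    extraLabels: {}

    ## The static IP address for the load balancer. Requires controller.service.type set to
    ## LoadBalancer. The cloud provider must support this feature.
    loadBalancerIP: ""

    ## The list of external IPs for the Ingress Controller service.
    externalIPs: []

    ## The IP ranges (CIDR) that are allowed to access the load balancer. Requires
    ## controller.service.type set to LoadBalancer. The cloud provider must support this feature.
    ## Security note: an empty list applies no source restriction from this setting, so every
    ## enabled service port (including customPorts below) is offered to whatever can reach the
    ## load balancer. Set explicit ranges when the ingress is not meant to be public.
    loadBalancerSourceRanges: []

    ## Whether to automatically allocate NodePorts (only for LoadBalancers).
    # allocateLoadBalancerNodePorts: false

    ## Dual stack preference.
    ## Valid values: SingleStack, PreferDualStack, RequireDualStack
    # ipFamilyPolicy: SingleStack

    ## List of IP families assigned to this service.
    ## Valid values: IPv4, IPv6
    # ipFamilies:
    #   - IPv6

    httpPort:
      ## Enables the HTTP port for the Ingress Controller service.
      enable: true

      ## The HTTP port of the Ingress Controller service.
      port: 80

      ## The custom NodePort for the HTTP port. Requires controller.service.type set to NodePort.
      # nodePort: 80

      ## The HTTP port on the POD where the Ingress Controller service is running.
      targetPort: 80

    httpsPort:
      ## Enables the HTTPS port for the Ingress Controller service.
      enable: true

      ## The HTTPS port of the Ingress Controller service.
      port: 443

      ## The custom NodePort for the HTTPS port. Requires controller.service.type set to NodePort.
      # nodePort: 443

      ## The HTTPS port on the POD where the Ingress Controller service is running.
      targetPort: 443

    ## A list of custom ports to expose through the Ingress Controller service. Follows the
    ## conventional Kubernetes yaml syntax for service ports.
    ## NOTE(review): a bare port number is not a service-port object
    ## (name / port / targetPort / protocol); confirm the chart templates accept this form.
    customPorts: [8140]

  serviceAccount:
    ## The annotations of the service account of the Ingress Controller pods.
    annotations: {}

    ## The name of the service account of the Ingress Controller pods. Used for RBAC.
    ## Autogenerated if not set or set to "".
    # name: nginx-ingress

    ## The name of the secret containing docker registry credentials.
    ## Secret must exist in the same namespace as the helm release.
    imagePullSecretName: ""

  serviceMonitor:
    ## Creates a serviceMonitor to expose statistics on the kubernetes pods.
    create: false

    ## Kubernetes object labels to attach to the serviceMonitor object.
    labels: {}

    ## A set of labels to allow the selection of endpoints for the ServiceMonitor.
    selectorMatchLabels: {}

    ## A list of endpoints allowed as part of this ServiceMonitor.
    endpoints: []

  reportIngressStatus:
    ## Updates the address field in the status of Ingress resources with an external address of
    ## the Ingress Controller.
    ## You must also specify the source of the external address either through an external
    ## service via controller.reportIngressStatus.externalService,
    ## controller.reportIngressStatus.ingressLink or the external-status-address entry in the
    ## ConfigMap via controller.config.entries.
    ## Note: controller.config.entries.external-status-address takes precedence over the others.
    enable: true

    ## Specifies the name of the service with the type LoadBalancer through which the Ingress
    ## Controller is exposed externally.
    ## The external address of the service is used when reporting the status of Ingress,
    ## VirtualServer and VirtualServerRoute resources.
    ## controller.reportIngressStatus.enable must be set to true.
    ## The default is autogenerated and matches the created service (see
    ## controller.service.create).
    # externalService: nginx-ingress

    ## Specifies the name of the IngressLink resource, which exposes the Ingress Controller pods
    ## via a BIG-IP system.
    ## The IP of the BIG-IP system is used when reporting the status of Ingress, VirtualServer
    ## and VirtualServerRoute resources.
    ## controller.reportIngressStatus.enable must be set to true.
    ingressLink: ""

    ## Enable Leader election to avoid multiple replicas of the controller reporting the status
    ## of Ingress resources. controller.reportIngressStatus.enable must be set to true.
    enableLeaderElection: true

    ## Specifies the name of the ConfigMap, within the same namespace as the controller, used as
    ## the lock for leader election. controller.reportIngressStatus.enableLeaderElection must be
    ## set to true.
    ## Autogenerated if not set or set to "".
    # leaderElectionLockName: "nginx-ingress-leader-election"

    ## The annotations of the leader election configmap.
    annotations: {}

  pod:
    ## The annotations of the Ingress Controller pod.
    annotations: {}

    ## The additional extra labels of the Ingress Controller pod.
    extraLabels: {}

  ## The PriorityClass of the Ingress Controller pods.
  # priorityClassName: ""

  readyStatus:
    ## Enables readiness endpoint "/nginx-ready". The endpoint returns a success code when NGINX
    ## has loaded all the config after startup.
    enable: true

    ## Set the port where the readiness endpoint is exposed.
    port: 8081

    ## The number of seconds after the Ingress Controller pod has started before readiness
    ## probes are initiated.
    initialDelaySeconds: 0

  ## Enable collection of latency metrics for upstreams. Requires prometheus.create.
  enableLatencyMetrics: false

  ## Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack.
  disableIPV6: false

  ## Configure root filesystem as read-only and add volumes for temporary data.
  ## Security note: enabling this prevents a process in the container from modifying the image
  ## contents at runtime; the chart adds the volumes needed for temporary data.
  readOnlyRootFilesystem: false

rbac:
  ## Configures RBAC.
  create: true

prometheus:
  ## Expose NGINX or NGINX Plus metrics in the Prometheus format.
  create: true

  ## Configures the port to scrape the metrics.
  port: 9113

  ## Specifies the namespace/name of a Kubernetes TLS Secret which will be used to protect the
  ## Prometheus endpoint.
  ## Security note: with `secret` empty and `scheme: http` the metrics endpoint is served
  ## without TLS. Set both when scrapes cross a network segment you do not fully trust.
  secret: ""

  ## Configures the HTTP scheme used.
  scheme: http

serviceInsight:
  ## Expose NGINX Plus Service Insight endpoint.
  create: false

  ## Configures the port to expose endpoint.
  port: 9114

  ## Specifies the namespace/name of a Kubernetes TLS Secret which will be used to protect the
  ## Service Insight endpoint.
  secret: ""

  ## Configures the HTTP scheme used.
  scheme: http

nginxServiceMesh:
  ## Enables integration with NGINX Service Mesh.
  enable: false

  ## Enables NGINX Service Mesh workload to route egress traffic through the Ingress Controller.
  ## Requires nginxServiceMesh.enable
  enableEgress: false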