OptionTypeDefault ValueDescription
settings.watchNamespaces[]stringwhitelist of namespaces for Gloo Edge to watch for services and CRDs. Empty list means all namespaces. If this and WatchNamespaceSelectors are specified, this takes precedence and WatchNamespaceSelectors is ignored
settings.watchNamespaceSelectorsinterfaceA list of Kubernetes selectors that specify the set of namespaces to restrict the namespaces that Gloo controllers take into consideration when watching for resources. Elements in the list are disjunctive (OR semantics), i.e. a namespace will be included if it matches any selector. An empty list means all namespaces. If this and WatchNamespaces are specified, WatchNamespaces takes precedence and this is ignored
settings.writeNamespacestringnamespace where intermediary CRDs will be written to, e.g. Upstreams written by Gloo Edge Discovery.
settings.integrations.knative.enabledboolenabled knative components
settings.integrations.knative.versionstringthe version of knative installed to the cluster. if using version < 0.8.0, Gloo Edge will use Knative’s ClusterIngress API for configuration rather than the namespace-scoped Ingress
settings.integrations.knative.proxy.image.tagstringThe image tag for the container.
settings.integrations.knative.proxy.image.repositorystringThe image repository (name) for the container.
settings.integrations.knative.proxy.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
settings.integrations.knative.proxy.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
settings.integrations.knative.proxy.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
settings.integrations.knative.proxy.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
settings.integrations.knative.proxy.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
settings.integrations.knative.proxy.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
settings.integrations.knative.proxy.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
settings.integrations.knative.proxy.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
settings.integrations.knative.proxy.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
settings.integrations.knative.proxy.httpPortintHTTP port for the proxy
settings.integrations.knative.proxy.httpsPortintHTTPS port for the proxy
settings.integrations.knative.proxy.tracingstringtracing configuration
settings.integrations.knative.proxy.runAsUserfloat64Explicitly set the user ID for the pod to run as. Default is 10101
settings.integrations.knative.proxy.loopBackAddressstringName on which to bind the loop-back interface for this instance of Envoy. Defaults to 127.0.0.1, but other common values may be localhost or ::1
settings.integrations.knative.proxy.statsboolControls whether or not Envoy stats are enabled
settings.integrations.knative.proxy.extraClusterIngressProxyLabels.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.labels data of the cluster ingress proxy deployment.
settings.integrations.knative.proxy.extraClusterIngressProxyAnnotations.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.annotations data of the cluster ingress proxy deployment.
settings.integrations.knative.proxy.internal.deployment.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
settings.integrations.knative.proxy.internal.service.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
settings.integrations.knative.proxy.internal.configMap.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
settings.integrations.knative.proxy.replicasintnumber of instances to deploy
settings.integrations.knative.proxy.customEnv[].namestring
settings.integrations.knative.proxy.customEnv[].valuestring
settings.integrations.knative.proxy.customEnv[].valueFrom.fieldRef.apiVersionstring
settings.integrations.knative.proxy.customEnv[].valueFrom.fieldRef.fieldPathstring
settings.integrations.knative.proxy.customEnv[].valueFrom.resourceFieldRef.containerNamestring
settings.integrations.knative.proxy.customEnv[].valueFrom.resourceFieldRef.resourcestring
settings.integrations.knative.proxy.customEnv[].valueFrom.resourceFieldRef.divisorint64
settings.integrations.knative.proxy.customEnv[].valueFrom.resourceFieldRef.divisorint32
settings.integrations.knative.proxy.customEnv[].valueFrom.resourceFieldRef.divisorbool
settings.integrations.knative.proxy.customEnv[].valueFrom.resourceFieldRef.divisor[]uint
settings.integrations.knative.proxy.customEnv[].valueFrom.resourceFieldRef.divisor[]int32
settings.integrations.knative.proxy.customEnv[].valueFrom.resourceFieldRef.divisor[]string
settings.integrations.knative.proxy.customEnv[].valueFrom.resourceFieldRef.divisor[]string
settings.integrations.knative.proxy.customEnv[].valueFrom.configMapKeyRef.namestring
settings.integrations.knative.proxy.customEnv[].valueFrom.configMapKeyRef.keystring
settings.integrations.knative.proxy.customEnv[].valueFrom.configMapKeyRef.optionalbool
settings.integrations.knative.proxy.customEnv[].valueFrom.secretKeyRef.namestring
settings.integrations.knative.proxy.customEnv[].valueFrom.secretKeyRef.keystring
settings.integrations.knative.proxy.customEnv[].valueFrom.secretKeyRef.optionalbool
settings.integrations.knative.proxy.restartPolicystringrestart policy to use when the pod exits
settings.integrations.knative.proxy.priorityClassNamestringname of a defined priority class
settings.integrations.knative.proxy.nodeNamestringname of node to run on
settings.integrations.knative.proxy.nodeSelector.NAMEstringlabel selector for nodes
settings.integrations.knative.proxy.tolerations[].keystring
settings.integrations.knative.proxy.tolerations[].operatorstring
settings.integrations.knative.proxy.tolerations[].valuestring
settings.integrations.knative.proxy.tolerations[].effectstring
settings.integrations.knative.proxy.tolerations[].tolerationSecondsint64
settings.integrations.knative.proxy.affinity.NAMEinterface
settings.integrations.knative.proxy.hostAliases[]interface
settings.integrations.knative.proxy.initContainers[]interfaceInitContainers to be added to the array of initContainers on the deployment.
settings.integrations.knative.proxy.resources.limits.memorystringamount of memory
settings.integrations.knative.proxy.resources.limits.cpustringamount of CPUs
settings.integrations.knative.proxy.resources.requests.memorystringamount of memory
settings.integrations.knative.proxy.resources.requests.cpustringamount of CPUs
settings.integrations.knative.proxy.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
settings.integrations.knative.proxy.service.typestringK8s service type
settings.integrations.knative.proxy.service.extraAnnotations.NAMEstringextra annotations to add to the service
settings.integrations.knative.proxy.service.loadBalancerIPstringIP address of the load balancer
settings.integrations.knative.proxy.service.httpPortintHTTP port for the knative/ingress proxy service
settings.integrations.knative.proxy.service.httpsPortintHTTPS port for the knative/ingress proxy service
settings.integrations.knative.proxy.service.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
settings.integrations.knative.proxy.configMap.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
settings.integrations.knative.proxy.deployment.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
settings.integrations.knative.proxy.containerSecurityContext.capabilities.add[]string
settings.integrations.knative.proxy.containerSecurityContext.capabilities.drop[]string
settings.integrations.knative.proxy.containerSecurityContext.privilegedbool
settings.integrations.knative.proxy.containerSecurityContext.seLinuxOptions.userstring
settings.integrations.knative.proxy.containerSecurityContext.seLinuxOptions.rolestring
settings.integrations.knative.proxy.containerSecurityContext.seLinuxOptions.typestring
settings.integrations.knative.proxy.containerSecurityContext.seLinuxOptions.levelstring
settings.integrations.knative.proxy.containerSecurityContext.windowsOptions.gmsaCredentialSpecNamestring
settings.integrations.knative.proxy.containerSecurityContext.windowsOptions.gmsaCredentialSpecstring
settings.integrations.knative.proxy.containerSecurityContext.windowsOptions.runAsUserNamestring
settings.integrations.knative.proxy.containerSecurityContext.windowsOptions.hostProcessbool
settings.integrations.knative.proxy.containerSecurityContext.runAsUserint64
settings.integrations.knative.proxy.containerSecurityContext.runAsGroupint64
settings.integrations.knative.proxy.containerSecurityContext.runAsNonRootbool
settings.integrations.knative.proxy.containerSecurityContext.readOnlyRootFilesystembool
settings.integrations.knative.proxy.containerSecurityContext.allowPrivilegeEscalationbool
settings.integrations.knative.proxy.containerSecurityContext.procMountstring
settings.integrations.knative.proxy.containerSecurityContext.seccompProfile.typestring
settings.integrations.knative.proxy.containerSecurityContext.seccompProfile.localhostProfilestring
settings.integrations.knative.proxy.containerSecurityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you can not override a ’true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
settings.integrations.knative.requireIngressClassboolonly serve traffic for Knative Ingress objects with the annotation ’networking.knative.dev/ingress.class: gloo.ingress.networking.knative.dev’.
settings.integrations.knative.extraKnativeInternalLabels.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.labels data of the knative internal deployment.
settings.integrations.knative.extraKnativeInternalAnnotations.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.annotations data of the knative internal deployment.
settings.integrations.knative.extraKnativeExternalLabels.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.labels data of the knative external deployment.
settings.integrations.knative.extraKnativeExternalAnnotations.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.annotations data of the knative external deployment.
settings.integrations.consul.datacenterstringDatacenter to use. If not provided, the default agent datacenter is used.
settings.integrations.consul.usernamestringUsername to use for HTTP Basic Authentication.
settings.integrations.consul.passwordstringPassword to use for HTTP Basic Authentication.
settings.integrations.consul.tokenstringToken is used to provide a per-request ACL token which overrides the agent’s default token.
settings.integrations.consul.caFilestringcaFile is the optional path to the CA certificate used for Consul communication, defaults to the system bundle if not specified.
settings.integrations.consul.caPathstringcaPath is the optional path to a directory of CA certificates to use for Consul communication, defaults to the system bundle if not specified.
settings.integrations.consul.certFilestringCertFile is the optional path to the certificate for Consul communication. If this is set then you need to also set KeyFile.
settings.integrations.consul.keyFilestringKeyFile is the optional path to the private key for Consul communication. If this is set then you need to also set CertFile.
settings.integrations.consul.insecureSkipVerifyboolInsecureSkipVerify if set to true will disable TLS host verification.
settings.integrations.consul.waitTimestringWaitTime limits how long a watches for Consul resources will block. If not provided, the agent default values will be used.
settings.integrations.consul.serviceDiscovery.dataCenters[]stringUse this parameter to restrict the data centers that will be considered when discovering and routing to services. If not provided, Gloo Edge will use all available data centers.
settings.integrations.consul.httpAddressstringThe address of the Consul HTTP server. Used by service discovery and key-value storage (if-enabled). Defaults to the value of the standard CONSUL_HTTP_ADDR env if set, otherwise to 127.0.0.1:8500.
settings.integrations.consul.dnsAddressstringThe address of the DNS server used to resolve hostnames in the Consul service address. Used by service discovery (required when Consul service instances are stored as DNS names). Defaults to 127.0.0.1:8600. (the default Consul DNS server)
settings.integrations.consul.dnsPollingIntervalstringThe polling interval for the DNS server. If there is a Consul service address with a hostname instead of an IP, Gloo Edge will resolve the hostname with the configured frequency to update endpoints with any changes to DNS resolution. Defaults to 5s.
settings.integrations.consulUpstreamDiscovery.useTlsTaggingboolAllow Gloo Edge to automatically apply tls to consul services that are tagged the tlsTagName value. Requires RootCaResourceNamespace and RootCaResourceName to be set if true.
settings.integrations.consulUpstreamDiscovery.tlsTagNamestringThe tag Gloo Edge should use to identify consul services that ought to use TLS. If splitTlsServices is true, then this tag is also used to sort serviceInstances into the tls upstream. Defaults to ‘glooUseTls’.
settings.integrations.consulUpstreamDiscovery.splitTlsServicesboolIf true, then create two upstreams to be created when a consul service contains the tls tag; one with TLS and one without.
settings.integrations.consulUpstreamDiscovery.rootCa.namespacestringThe namespace of this resource.
settings.integrations.consulUpstreamDiscovery.rootCa.namestringThe name of this resource.
settings.createboolcreate a Settings CRD which provides bootstrap configuration to Gloo Edge controllers
settings.extensionsinterface
settings.singleNamespaceboolEnable to use install namespace as WatchNamespace and WriteNamespace
settings.invalidConfigPolicy.replaceInvalidRoutesboolRather than pausing configuration updates, in the event of an invalid Route defined on a virtual service or route table, Gloo Edge will serve the route with a predefined direct response action. This allows valid routes to be updated when other routes are invalid.
settings.invalidConfigPolicy.invalidRouteResponseCodeint64the response code for the direct response
settings.invalidConfigPolicy.invalidRouteResponseBodystringthe response body for the direct response
settings.linkerdboolEnable automatic Linkerd integration in Gloo Edge
settings.disableProxyGarbageCollectionboolSet this option to determine the state of an Envoy listener when the corresponding Proxy resource has no routes. If false (default), Gloo Edge will propagate the state of the Proxy to Envoy, resetting the listener to a clean slate with no routes. If true, Gloo Edge will keep serving the routes from the last applied valid configuration.
settings.regexMaxProgramSizeuint32Set this field to specify the RE2 default max program size which is a rough estimate of how complex the compiled regex is to evaluate. If not specified, this defaults to 1024.
settings.disableKubernetesDestinationsboolEnable or disable Gloo Edge to scan Kubernetes services in the cluster and create in-memory Upstream resources to represent them. These resources enable Gloo Edge to route requests to a Kubernetes service. Note that if you have a large number of services in your cluster and you do not restrict the namespaces that Gloo Edge watches, the API snapshot increases which can have a negative impact on the Gloo Edge translation time. In addition, load balancing is done in kube-proxy which can have further performance impacts. Using Gloo Upstreams as a routing destination bypasses kube-proxy as the request is routed to the pod directly. Alternatively, you can use Kubernetes Upstream resources as a routing destination to forward requests to the pod directly. For more information, see the docs.
settings.aws.enableCredentialsDiscoveryboolEnable AWS credentials discovery in Envoy for lambda requests. If enableServiceAccountCredentials is also set, it will take precedence as only one may be enabled in Gloo Edge
settings.aws.enableServiceAccountCredentialsboolUse ServiceAccount credentials to authenticate lambda requests. If enableCredentialsDiscovery is also set, this will take precedence as only one may be enabled in Gloo Edge
settings.aws.stsCredentialsRegionstringRegional endpoint to use for AWS STS requests. If empty will default to global sts endpoint.
settings.aws.propagateOriginalRoutingboolSend downstream path and method as x-envoy-original-path and x-envoy-original-method headers on the request to AWS lambda.
settings.aws.credential_refresh_delay.secondsint32The value of this duration in seconds.
settings.aws.credential_refresh_delay.nanosint32The value of this duration in nanoseconds.
settings.aws.fallbackToFirstFunctionboolIt will use the first function which if discovery is enabled the first function is the first function name alphabetically from the last discovery run. Defaults to false.
settings.rateLimitinterfacePartial config for Gloo Edge Enterprise’s rate-limiting service, based on Envoy’s rate-limit service; supports Envoy’s rate-limit service API. (reference here: https://github.com/lyft/ratelimit#configuration) Configure rate-limit descriptors here, which define the limits for requests based on their descriptors. Configure rate-limits (composed of actions, which define how request characteristics get translated into descriptors) on the VirtualHost or its routes.
settings.ratelimitServerinterfaceExternal Ratelimit Server configuration for Gloo Edge Open Sources’s rate-limiting service, based on Envoy’s rate-limit service; supports Envoy’s rate-limit service API. (reference here: https://docs.solo.io/gloo-edge/main/guides/security/rate_limiting/)
settings.circuitBreakers.maxConnectionsuint32Set this field to specify the maximum number of connections that Envoy will make to the upstream cluster. If not specified, the default is 1024.
settings.circuitBreakers.maxPendingRequestsuint32Set this field to specify the maximum number of pending requests that Envoy will allow to the upstream cluster. If not specified, the default is 1024.
settings.circuitBreakers.maxRequestsuint32Set this field to specify the maximum number of parallel requests that Envoy will make to the upstream cluster. If not specified, the default is 1024.
settings.circuitBreakers.maxRetriesuint32Set this field to specify the maximum number of parallel retries that Envoy will allow to the upstream cluster. If not specified, the default is 3.
settings.enableRestEdsboolWhether or not to use rest xds for all EDS by default. Defaults to false.
settings.devModeboolWhether or not to enable dev mode. Defaults to false. Setting to true at install time will expose the gloo dev admin endpoint on port 10010. Not recommended for production. Warning: this value is deprecated as of 1.17 and will be removed in a future release.
settings.secretOptions.sources[].vault.addressstringAddress of the Vault server. This should be a complete URL such as http://solo.io and include port if necessary (vault’s default port is 8200).
settings.secretOptions.sources[].vault.rootKeystringAll keys stored in Vault will begin with this Vault this can be used to run multiple instances of Gloo against the same Vault cluster defaults to gloo.
settings.secretOptions.sources[].vault.pathPrefixstringOptional. The name of a Vault Secrets Engine to which Vault should route traffic. For more info see https://learn.hashicorp.com/tutorials/vault/getting-started-secrets-engines. Defaults to ‘secret’.
settings.secretOptions.sources[].vault.tlsConfig.caCertstringPath to a PEM-encoded CA cert file to use to verify the Vault server SSL certificate.
settings.secretOptions.sources[].vault.tlsConfig.caPathstringPath to a directory of PEM-encoded CA cert files to verify the Vault server SSL certificate.
settings.secretOptions.sources[].vault.tlsConfig.clientCertstringPath to the certificate for Vault communication.
settings.secretOptions.sources[].vault.tlsConfig.clientKeystringPath to the private key for Vault communication.
settings.secretOptions.sources[].vault.tlsConfig.tlsServerNamestringIf set, it is used to set the SNI host when connecting via TLS.
settings.secretOptions.sources[].vault.tlsConfig.insecureboolDisables TLS verification when set to true.
settings.secretOptions.sources[].vault.accessTokenstringVault token to use for authentication. Only one of accessToken or aws may be set.
settings.secretOptions.sources[].vault.aws.vaultRolestringThe Vault role we are trying to authenticate to. This is not necessarily the same as the AWS role to which the Vault role is configured.
settings.secretOptions.sources[].vault.aws.regionstringThe AWS region to use for the login attempt.
settings.secretOptions.sources[].vault.aws.iamServerIdHeaderstringThe IAM Server ID Header required to be included in the request.
settings.secretOptions.sources[].vault.aws.mountPathstringThe Vault path on which the AWS auth is mounted.
settings.secretOptions.sources[].vault.aws.accessKeyIDstringOptional. The Access Key ID as provided by the security credentials on the AWS IAM resource. In cases such as receiving temporary credentials through assumed roles with AWS Security Token Service (STS) or IAM Roles for Service Accounts (IRSA), this field can be omitted. https://developer.hashicorp.com/vault/docs/auth/aws#iam-authentication-inferences.
settings.secretOptions.sources[].vault.aws.secretAccessKeystringOptional. The Secret Access Key as provided by the security credentials on the AWS IAM resource. In cases such as receiving temporary credentials through assumed roles with AWS Security Token Service (STS) or IAM Roles for Service Accounts (IRSA), this field can be omitted. https://developer.hashicorp.com/vault/docs/auth/aws#iam-authentication-inferences.
settings.secretOptions.sources[].vault.aws.sessionTokenstringThe Session Token as provided by the security credentials on the AWS IAM resource.
settings.secretOptions.sources[].vault.aws.leaseIncrementuint32The time increment, in seconds, used in renewing the lease of the Vault token. See: https://developer.hashicorp.com/vault/docs/concepts/lease#lease-durations-and-renewal. Defaults to 0, which causes the default TTL to be used.
settings.secretOptions.sources[].directory.directorystringDirectory to read secrets from.
settings.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
license_keystringYour Gloo Edge license key.
create_license_secretbooltrueCreate a secret for the license specified in ’license_key’. Set to ‘false’ if you use ’license_secret_name’ instead.
gloo.license_secret_namestringlicenseThe name of a secret that contains your Gloo Edge license key. Set ‘create_license_key’ to ‘false’ to disable use of the default license secret.
gloo.redis.deployment.initContainer.image.tagstring1.28The image tag for the container.
gloo.redis.deployment.initContainer.image.repositorystringbusyboxThe image repository (name) for the container.
gloo.redis.deployment.initContainer.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
gloo.redis.deployment.initContainer.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
gloo.redis.deployment.initContainer.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
gloo.redis.deployment.initContainer.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
gloo.redis.deployment.initContainer.image.registrystringdocker.ioThe image hostname prefix and registry, such as quay.io/solo-io.
gloo.redis.deployment.initContainer.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
gloo.redis.deployment.initContainer.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
gloo.redis.deployment.initContainer.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
gloo.redis.deployment.initContainer.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
gloo.redis.deployment.initContainer.securityContext.capabilities.add[]string
gloo.redis.deployment.initContainer.securityContext.capabilities.drop[]string
gloo.redis.deployment.initContainer.securityContext.privilegedbool
gloo.redis.deployment.initContainer.securityContext.seLinuxOptions.userstring
gloo.redis.deployment.initContainer.securityContext.seLinuxOptions.rolestring
gloo.redis.deployment.initContainer.securityContext.seLinuxOptions.typestring
gloo.redis.deployment.initContainer.securityContext.seLinuxOptions.levelstring
gloo.redis.deployment.initContainer.securityContext.windowsOptions.gmsaCredentialSpecNamestring
gloo.redis.deployment.initContainer.securityContext.windowsOptions.gmsaCredentialSpecstring
gloo.redis.deployment.initContainer.securityContext.windowsOptions.runAsUserNamestring
gloo.redis.deployment.initContainer.securityContext.windowsOptions.hostProcessbool
gloo.redis.deployment.initContainer.securityContext.runAsUserint64
gloo.redis.deployment.initContainer.securityContext.runAsGroupint64
gloo.redis.deployment.initContainer.securityContext.runAsNonRootbool
gloo.redis.deployment.initContainer.securityContext.readOnlyRootFilesystembool
gloo.redis.deployment.initContainer.securityContext.allowPrivilegeEscalationbool
gloo.redis.deployment.initContainer.securityContext.procMountstring
gloo.redis.deployment.initContainer.securityContext.seccompProfile.typestring
gloo.redis.deployment.initContainer.securityContext.seccompProfile.localhostProfilestring
gloo.redis.deployment.initContainer.securityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you can not override a ’true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
gloo.redis.deployment.namestringredis
gloo.redis.deployment.staticPortuint6379
gloo.redis.deployment.runAsUserfloat64Explicitly set the user ID for the container to run as in the podSecurityContext. Default is 999. If a podSecurityContext is defined for the pod , this value is not applied.
gloo.redis.deployment.runAsGroupfloat64Explicitly set the group ID for the container to run as in the podSecurityContext. Default is 999. If a podSecurityContext is defined for the pod, this value is not applied.
gloo.redis.deployment.fsGroupfloat64Explicitly set the fsGroup ID for the container to run as in the podSecurityContext. Default is 999. If a podSecurityContext is defined for the pod, this value is not applied.
gloo.redis.deployment.floatingUserIdboolfalseset to true to allow the cluster to dynamically assign a user ID. If podSecurityContext is defined, this value is not applied.
gloo.redis.deployment.extraRedisLabels.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.labels data of the redis deployment.
gloo.redis.deployment.enablePodSecurityContextbooltrueWhether or not to render the pod security context. Default is true.
gloo.redis.deployment.podSecurityContext.seLinuxOptions.userstring
gloo.redis.deployment.podSecurityContext.seLinuxOptions.rolestring
gloo.redis.deployment.podSecurityContext.seLinuxOptions.typestring
gloo.redis.deployment.podSecurityContext.seLinuxOptions.levelstring
gloo.redis.deployment.podSecurityContext.windowsOptions.gmsaCredentialSpecNamestring
gloo.redis.deployment.podSecurityContext.windowsOptions.gmsaCredentialSpecstring
gloo.redis.deployment.podSecurityContext.windowsOptions.runAsUserNamestring
gloo.redis.deployment.podSecurityContext.windowsOptions.hostProcessbool
gloo.redis.deployment.podSecurityContext.runAsUserint64
gloo.redis.deployment.podSecurityContext.runAsGroupint64
gloo.redis.deployment.podSecurityContext.runAsNonRootbool
gloo.redis.deployment.podSecurityContext.supplementalGroups[]int64
gloo.redis.deployment.podSecurityContext.fsGroupint64
gloo.redis.deployment.podSecurityContext.sysctls[].namestring
gloo.redis.deployment.podSecurityContext.sysctls[].valuestring
gloo.redis.deployment.podSecurityContext.fsGroupChangePolicystring
gloo.redis.deployment.podSecurityContext.seccompProfile.typestring
gloo.redis.deployment.podSecurityContext.seccompProfile.localhostProfilestring
gloo.redis.deployment.podSecurityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you cannot override a ‘true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
gloo.redis.deployment.persistence.enabledboolIf set to true, the redis data will be persisted. Default is false.
gloo.redis.deployment.replicasintnumber of instances to deploy
gloo.redis.deployment.customEnv[].namestring
gloo.redis.deployment.customEnv[].valuestring
gloo.redis.deployment.customEnv[].valueFrom.fieldRef.apiVersionstring
gloo.redis.deployment.customEnv[].valueFrom.fieldRef.fieldPathstring
gloo.redis.deployment.customEnv[].valueFrom.resourceFieldRef.containerNamestring
gloo.redis.deployment.customEnv[].valueFrom.resourceFieldRef.resourcestring
gloo.redis.deployment.customEnv[].valueFrom.resourceFieldRef.divisorint64
gloo.redis.deployment.customEnv[].valueFrom.resourceFieldRef.divisorint32
gloo.redis.deployment.customEnv[].valueFrom.resourceFieldRef.divisorbool
gloo.redis.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]uint
gloo.redis.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]int32
gloo.redis.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]string
gloo.redis.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]string
gloo.redis.deployment.customEnv[].valueFrom.configMapKeyRef.namestring
gloo.redis.deployment.customEnv[].valueFrom.configMapKeyRef.keystring
gloo.redis.deployment.customEnv[].valueFrom.configMapKeyRef.optionalbool
gloo.redis.deployment.customEnv[].valueFrom.secretKeyRef.namestring
gloo.redis.deployment.customEnv[].valueFrom.secretKeyRef.keystring
gloo.redis.deployment.customEnv[].valueFrom.secretKeyRef.optionalbool
gloo.redis.deployment.restartPolicystringrestart policy to use when the pod exits
gloo.redis.deployment.priorityClassNamestringname of a defined priority class
gloo.redis.deployment.nodeNamestringname of node to run on
gloo.redis.deployment.nodeSelector.NAMEstringlabel selector for nodes
gloo.redis.deployment.tolerations[].keystring
gloo.redis.deployment.tolerations[].operatorstring
gloo.redis.deployment.tolerations[].valuestring
gloo.redis.deployment.tolerations[].effectstring
gloo.redis.deployment.tolerations[].tolerationSecondsint64
gloo.redis.deployment.affinity.NAMEinterface
gloo.redis.deployment.hostAliases[]interface
gloo.redis.deployment.initContainers[]interfaceInitContainers to be added to the array of initContainers on the deployment.
gloo.redis.deployment.resources.limits.memorystringamount of memory
gloo.redis.deployment.resources.limits.cpustringamount of CPUs
gloo.redis.deployment.resources.requests.memorystringamount of memory
gloo.redis.deployment.resources.requests.cpustringamount of CPUs
gloo.redis.deployment.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gloo.redis.deployment.redisContainerSecurityContext.capabilities.add[]string
gloo.redis.deployment.redisContainerSecurityContext.capabilities.drop[]string
gloo.redis.deployment.redisContainerSecurityContext.privilegedbool
gloo.redis.deployment.redisContainerSecurityContext.seLinuxOptions.userstring
gloo.redis.deployment.redisContainerSecurityContext.seLinuxOptions.rolestring
gloo.redis.deployment.redisContainerSecurityContext.seLinuxOptions.typestring
gloo.redis.deployment.redisContainerSecurityContext.seLinuxOptions.levelstring
gloo.redis.deployment.redisContainerSecurityContext.windowsOptions.gmsaCredentialSpecNamestring
gloo.redis.deployment.redisContainerSecurityContext.windowsOptions.gmsaCredentialSpecstring
gloo.redis.deployment.redisContainerSecurityContext.windowsOptions.runAsUserNamestring
gloo.redis.deployment.redisContainerSecurityContext.windowsOptions.hostProcessbool
gloo.redis.deployment.redisContainerSecurityContext.runAsUserint64
gloo.redis.deployment.redisContainerSecurityContext.runAsGroupint64
gloo.redis.deployment.redisContainerSecurityContext.runAsNonRootbool
gloo.redis.deployment.redisContainerSecurityContext.readOnlyRootFilesystembool
gloo.redis.deployment.redisContainerSecurityContext.allowPrivilegeEscalationbool
gloo.redis.deployment.redisContainerSecurityContext.procMountstring
gloo.redis.deployment.redisContainerSecurityContext.seccompProfile.typestring
gloo.redis.deployment.redisContainerSecurityContext.seccompProfile.localhostProfilestring
gloo.redis.deployment.redisContainerSecurityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you cannot override a ‘true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
gloo.redis.deployment.image.tagstring7.2.5-alpineThe image tag for the container.
gloo.redis.deployment.image.repositorystringredisThe image repository (name) for the container.
gloo.redis.deployment.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
gloo.redis.deployment.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
gloo.redis.deployment.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
gloo.redis.deployment.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
gloo.redis.deployment.image.registrystringdocker.ioThe image hostname prefix and registry, such as quay.io/solo-io.
gloo.redis.deployment.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
gloo.redis.deployment.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
gloo.redis.deployment.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
gloo.redis.deployment.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
gloo.redis.service.portuint6379This is the port set for the redis service.
gloo.redis.service.namestringredisThis is the name of the redis service. If there is an external service, this can be used to set the endpoint of the external service. Set redis.disabled if setting the value of the redis service.
gloo.redis.service.dbuint0This is the db number of the redis service; it can be any int from 0 to 15. This field is ignored when using clustered redis or when ClientSideShardingEnabled is true.
gloo.redis.service.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gloo.redis.tlsEnabledboolfalseEnables tls for redis. Default is false.
gloo.redis.cert.enabledboolfalseIf set to true, a secret for redis will be created, and cert.crt and cert.key will be required. If redis.disabled is not set, the socket type is set to tls. If redis.disabled is set, then only a secret will be created containing the cert and key. The secret is mounted to the rate-limiter and redis deployments with the cert and key. Default is false.
gloo.redis.cert.crtstringTLS certificate. If CACert is not provided, this will be used as the CA cert as well as the TLS cert for the redis server.
gloo.redis.cert.keystringTLS certificate key.
gloo.redis.cert.cacrtstringOptional. CA certificate.
gloo.redis.cert.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gloo.redis.clientSideShardingEnabledboolfalseIf set to true, Envoy will be used as a Redis proxy and load balance requests between redis instances scaled via replicas. Default is false.
gloo.redis.disabledboolfalseIf set to true, Redis service creation will be blocked. If this is set to true and global.extensions.glooRedis.enableAcl is also set to true, the redis secret will not be created. In that case, you will have to create the secret to provide the password; the key used for the password is redis-password. Default is false.
gloo.redis.clusteredboolfalseIf true, we create the correct client to handle clustered redis. Default is false
gloo.redis.aclPrefixstringuser default +@all allkeys on >The ACL policy for the default redis user. This is the prefix only, and if overridden, should end with > to signal the password.
gloo.namespace.createboolcreate the installation namespace
gloo.kubeGateway.enabledboolfalseEnable the Gloo Gateway Kubernetes Gateway API controller.
gloo.kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.tagstringVersion number, ex. 1.8.0The image tag for the container.
gloo.kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.repositorystringgloo-ee-envoy-wrapperThe image repository (name) for the container.
gloo.kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
gloo.kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
gloo.kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
gloo.kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
gloo.kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
gloo.kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
gloo.kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
gloo.kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
gloo.kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
gloo.kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.capabilities.add[]string
gloo.kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.capabilities.drop[]string
gloo.kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.privilegedbool
gloo.kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.seLinuxOptions.userstring
gloo.kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.seLinuxOptions.rolestring
gloo.kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.seLinuxOptions.typestring
gloo.kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.seLinuxOptions.levelstring
gloo.kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.windowsOptions.gmsaCredentialSpecNamestring
gloo.kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.windowsOptions.gmsaCredentialSpecstring
gloo.kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.windowsOptions.runAsUserNamestring
gloo.kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.windowsOptions.hostProcessbool
gloo.kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.runAsUserint64
gloo.kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.runAsGroupint64
gloo.kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.runAsNonRootbool
gloo.kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.readOnlyRootFilesystembool
gloo.kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.allowPrivilegeEscalationbool
gloo.kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.procMountstring
gloo.kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.seccompProfile.typestring
gloo.kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.seccompProfile.localhostProfilestring
gloo.kubeGateway.gatewayParameters.glooGateway.envoyContainer.resources.limits.memorystringamount of memory
gloo.kubeGateway.gatewayParameters.glooGateway.envoyContainer.resources.limits.cpustringamount of CPUs
gloo.kubeGateway.gatewayParameters.glooGateway.envoyContainer.resources.requests.memorystringamount of memory
gloo.kubeGateway.gatewayParameters.glooGateway.envoyContainer.resources.requests.cpustringamount of CPUs
gloo.kubeGateway.gatewayParameters.glooGateway.proxyDeployment.replicasint32number of instances to deploy. If set to null, a default of 1 will be imposed.
gloo.kubeGateway.gatewayParameters.glooGateway.service.typestringK8s service type. If set to null, a default of LoadBalancer will be imposed.
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.tagstringThe image tag for the container.
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.repositorystringThe image repository (name) for the container.
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.capabilities.add[]string
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.capabilities.drop[]string
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.privilegedbool
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.seLinuxOptions.userstring
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.seLinuxOptions.rolestring
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.seLinuxOptions.typestring
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.seLinuxOptions.levelstring
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.windowsOptions.gmsaCredentialSpecNamestring
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.windowsOptions.gmsaCredentialSpecstring
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.windowsOptions.runAsUserNamestring
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.windowsOptions.hostProcessbool
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.runAsUserint64
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.runAsGroupint64
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.runAsNonRootbool
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.readOnlyRootFilesystembool
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.allowPrivilegeEscalationbool
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.procMountstring
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.seccompProfile.typestring
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.seccompProfile.localhostProfilestring
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.logLevelstringLog level for sds. Options include “info”, “debug”, “warn”, “error”, “panic” and “fatal”. Default level is info.
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.sdsResources.limits.memorystringamount of memory
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.sdsResources.limits.cpustringamount of CPUs
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.sdsResources.requests.memorystringamount of memory
gloo.kubeGateway.gatewayParameters.glooGateway.sdsContainer.sdsResources.requests.cpustringamount of CPUs
gloo.kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.tagstringThe image tag for the container.
gloo.kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.repositorystringThe image repository (name) for the container.
gloo.kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
gloo.kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
gloo.kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
gloo.kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
gloo.kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
gloo.kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
gloo.kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
gloo.kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
gloo.kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
gloo.kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.capabilities.add[]string
gloo.kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.capabilities.drop[]string
gloo.kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.privilegedbool
gloo.kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.seLinuxOptions.userstring
gloo.kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.seLinuxOptions.rolestring
gloo.kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.seLinuxOptions.typestring
gloo.kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.seLinuxOptions.levelstring
gloo.kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.windowsOptions.gmsaCredentialSpecNamestring
gloo.kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.windowsOptions.gmsaCredentialSpecstring
gloo.kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.windowsOptions.runAsUserNamestring
gloo.kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.windowsOptions.hostProcessbool
gloo.kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.runAsUserint64
gloo.kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.runAsGroupint64
gloo.kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.runAsNonRootbool
gloo.kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.readOnlyRootFilesystembool
gloo.kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.allowPrivilegeEscalationbool
gloo.kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.procMountstring
gloo.kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.seccompProfile.typestring
gloo.kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.seccompProfile.localhostProfilestring
gloo.kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.logLevelstringLog level for istio-proxy. Options include “info”, “debug”, “warning”, and “error”. Default level is info. Default is ‘warning’.
gloo.kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.istioMetaMeshIdstringISTIO_META_MESH_ID Environment Variable. Warning: this value is only supported with Kubernetes Gateway API proxy. Defaults to “cluster.local”
gloo.kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.istioMetaClusterIdstringISTIO_META_CLUSTER_ID Environment Variable. Warning: this value is only supported with Kubernetes Gateway API proxy. Defaults to “Kubernetes”
gloo.kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.istioDiscoveryAddressstringdiscoveryAddress field of the PROXY_CONFIG environment variable. Warning: this value is only supported with Kubernetes Gateway API proxy. Defaults to “istiod.istio-system.svc:15012”
gloo.kubeGateway.gatewayParameters.glooGateway.istio.customSidecars[]interfaceOverride the default Istio sidecar in gateway-proxy with a custom container. Ignored if Istio.enabled is false
gloo.kubeGateway.gatewayParameters.glooGateway.stats.enabledboolEnable the prometheus endpoint
gloo.kubeGateway.gatewayParameters.glooGateway.stats.routePrefixRewritestringSet the prefix rewrite used for the prometheus endpoint
gloo.kubeGateway.gatewayParameters.glooGateway.stats.enableStatsRouteboolEnable the stats endpoint
gloo.kubeGateway.gatewayParameters.glooGateway.stats.statsRoutePrefixRewritestringSet the prefix rewrite used for the stats endpoint
gloo.kubeGateway.gatewayParameters.glooGateway.floatingUserIdboolIf true, allows the cluster to dynamically assign a user ID for the processes running in the container. Default is false.
gloo.settings.watchNamespaces[]stringwhitelist of namespaces for Gloo Edge to watch for services and CRDs. Empty list means all namespaces. If this and WatchNamespaceSelectors are specified, this takes precedence and WatchNamespaceSelectors is ignored
gloo.settings.watchNamespaceSelectorsinterfaceA list of Kubernetes selectors that specify the set of namespaces to restrict the namespaces that Gloo controllers take into consideration when watching for resources. Elements in the list are disjunctive (OR semantics), i.e. a namespace will be included if it matches any selector. An empty list means all namespaces. If this and WatchNamespaces are specified, WatchNamespaces takes precedence and this is ignored
gloo.settings.writeNamespacestringnamespace where intermediary CRDs will be written to, e.g. Upstreams written by Gloo Edge Discovery.
gloo.settings.integrations.knative.enabledboolenabled knative components
gloo.settings.integrations.knative.versionstringthe version of knative installed to the cluster. if using version < 0.8.0, Gloo Edge will use Knative’s ClusterIngress API for configuration rather than the namespace-scoped Ingress
gloo.settings.integrations.knative.proxy.image.tagstringVersion number, ex. 1.8.0The image tag for the container.
gloo.settings.integrations.knative.proxy.image.repositorystringgloo-ee-envoy-wrapperThe image repository (name) for the container.
gloo.settings.integrations.knative.proxy.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
gloo.settings.integrations.knative.proxy.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
gloo.settings.integrations.knative.proxy.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
| gloo.settings.integrations.knative.proxy.image.fipsDistrolessDigest | string | | The container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest. |
| gloo.settings.integrations.knative.proxy.image.registry | string | | The image hostname prefix and registry, such as quay.io/solo-io. |
| gloo.settings.integrations.knative.proxy.image.pullPolicy | string | IfNotPresent | The image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting |
| gloo.settings.integrations.knative.proxy.image.pullSecret | string | | The image pull secret to use for the container, in the same namespace as the container pod. |
| gloo.settings.integrations.knative.proxy.image.variant | string | | Specifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature) |
| gloo.settings.integrations.knative.proxy.image.fips | bool | | [Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature) |
| gloo.settings.integrations.knative.proxy.httpPort | int | | HTTP port for the proxy |
| gloo.settings.integrations.knative.proxy.httpsPort | int | | HTTPS port for the proxy |
| gloo.settings.integrations.knative.proxy.tracing | string | | tracing configuration |
| gloo.settings.integrations.knative.proxy.runAsUser | float64 | | Explicitly set the user ID for the pod to run as. Default is 10101 |
| gloo.settings.integrations.knative.proxy.loopBackAddress | string | | Name on which to bind the loop-back interface for this instance of Envoy. Defaults to 127.0.0.1, but other common values may be localhost or ::1 |
| gloo.settings.integrations.knative.proxy.stats | bool | | Controls whether or not Envoy stats are enabled |
| gloo.settings.integrations.knative.proxy.extraClusterIngressProxyLabels.NAME | string | | Optional extra key-value pairs to add to the spec.template.metadata.labels data of the cluster ingress proxy deployment. |
| gloo.settings.integrations.knative.proxy.extraClusterIngressProxyAnnotations.NAME | string | | Optional extra key-value pairs to add to the spec.template.metadata.annotations data of the cluster ingress proxy deployment. |
| gloo.settings.integrations.knative.proxy.internal.deployment.kubeResourceOverride.NAME | interface | | override fields in the generated resource by specifying the yaml structure to override under the top-level key. |
| gloo.settings.integrations.knative.proxy.internal.service.kubeResourceOverride.NAME | interface | | override fields in the generated resource by specifying the yaml structure to override under the top-level key. |
| gloo.settings.integrations.knative.proxy.internal.configMap.kubeResourceOverride.NAME | interface | | override fields in the generated resource by specifying the yaml structure to override under the top-level key. |
| gloo.settings.integrations.knative.proxy.replicas | int | | number of instances to deploy |
| gloo.settings.integrations.knative.proxy.customEnv[].name | string | | |
| gloo.settings.integrations.knative.proxy.customEnv[].value | string | | |
| gloo.settings.integrations.knative.proxy.customEnv[].valueFrom.fieldRef.apiVersion | string | | |
| gloo.settings.integrations.knative.proxy.customEnv[].valueFrom.fieldRef.fieldPath | string | | |
| gloo.settings.integrations.knative.proxy.customEnv[].valueFrom.resourceFieldRef.containerName | string | | |
| gloo.settings.integrations.knative.proxy.customEnv[].valueFrom.resourceFieldRef.resource | string | | |
| gloo.settings.integrations.knative.proxy.customEnv[].valueFrom.resourceFieldRef.divisor | int64 | | |
| gloo.settings.integrations.knative.proxy.customEnv[].valueFrom.resourceFieldRef.divisor | int32 | | |
| gloo.settings.integrations.knative.proxy.customEnv[].valueFrom.resourceFieldRef.divisor | bool | | |
| gloo.settings.integrations.knative.proxy.customEnv[].valueFrom.resourceFieldRef.divisor[] | uint | | |
| gloo.settings.integrations.knative.proxy.customEnv[].valueFrom.resourceFieldRef.divisor[] | int32 | | |
| gloo.settings.integrations.knative.proxy.customEnv[].valueFrom.resourceFieldRef.divisor[] | string | | |
| gloo.settings.integrations.knative.proxy.customEnv[].valueFrom.resourceFieldRef.divisor[] | string | | |
| gloo.settings.integrations.knative.proxy.customEnv[].valueFrom.configMapKeyRef.name | string | | |
| gloo.settings.integrations.knative.proxy.customEnv[].valueFrom.configMapKeyRef.key | string | | |
| gloo.settings.integrations.knative.proxy.customEnv[].valueFrom.configMapKeyRef.optional | bool | | |
| gloo.settings.integrations.knative.proxy.customEnv[].valueFrom.secretKeyRef.name | string | | |
| gloo.settings.integrations.knative.proxy.customEnv[].valueFrom.secretKeyRef.key | string | | |
| gloo.settings.integrations.knative.proxy.customEnv[].valueFrom.secretKeyRef.optional | bool | | |
| gloo.settings.integrations.knative.proxy.restartPolicy | string | | restart policy to use when the pod exits |
| gloo.settings.integrations.knative.proxy.priorityClassName | string | | name of a defined priority class |
| gloo.settings.integrations.knative.proxy.nodeName | string | | name of node to run on |
| gloo.settings.integrations.knative.proxy.nodeSelector.NAME | string | | label selector for nodes |
| gloo.settings.integrations.knative.proxy.tolerations[].key | string | | |
| gloo.settings.integrations.knative.proxy.tolerations[].operator | string | | |
| gloo.settings.integrations.knative.proxy.tolerations[].value | string | | |
| gloo.settings.integrations.knative.proxy.tolerations[].effect | string | | |
| gloo.settings.integrations.knative.proxy.tolerations[].tolerationSeconds | int64 | | |
| gloo.settings.integrations.knative.proxy.affinity.NAME | interface | | |
| gloo.settings.integrations.knative.proxy.hostAliases[] | interface | | |
| gloo.settings.integrations.knative.proxy.initContainers[] | interface | | InitContainers to be added to the array of initContainers on the deployment. |
| gloo.settings.integrations.knative.proxy.resources.limits.memory | string | | amount of memory |
| gloo.settings.integrations.knative.proxy.resources.limits.cpu | string | | amount of CPUs |
| gloo.settings.integrations.knative.proxy.resources.requests.memory | string | | amount of memory |
| gloo.settings.integrations.knative.proxy.resources.requests.cpu | string | | amount of CPUs |
| gloo.settings.integrations.knative.proxy.kubeResourceOverride.NAME | interface | | override fields in the generated resource by specifying the yaml structure to override under the top-level key. |
| gloo.settings.integrations.knative.proxy.service.type | string | | K8s service type |
| gloo.settings.integrations.knative.proxy.service.extraAnnotations.NAME | string | | extra annotations to add to the service |
| gloo.settings.integrations.knative.proxy.service.loadBalancerIP | string | | IP address of the load balancer |
| gloo.settings.integrations.knative.proxy.service.httpPort | int | | HTTP port for the knative/ingress proxy service |
| gloo.settings.integrations.knative.proxy.service.httpsPort | int | | HTTPS port for the knative/ingress proxy service |
| gloo.settings.integrations.knative.proxy.service.kubeResourceOverride.NAME | interface | | override fields in the generated resource by specifying the yaml structure to override under the top-level key. |
| gloo.settings.integrations.knative.proxy.configMap.kubeResourceOverride.NAME | interface | | override fields in the generated resource by specifying the yaml structure to override under the top-level key. |
| gloo.settings.integrations.knative.proxy.deployment.kubeResourceOverride.NAME | interface | | override fields in the generated resource by specifying the yaml structure to override under the top-level key. |
| gloo.settings.integrations.knative.proxy.containerSecurityContext.capabilities.add[] | string | | |
| gloo.settings.integrations.knative.proxy.containerSecurityContext.capabilities.drop[] | string | | |
| gloo.settings.integrations.knative.proxy.containerSecurityContext.privileged | bool | | |
| gloo.settings.integrations.knative.proxy.containerSecurityContext.seLinuxOptions.user | string | | |
| gloo.settings.integrations.knative.proxy.containerSecurityContext.seLinuxOptions.role | string | | |
| gloo.settings.integrations.knative.proxy.containerSecurityContext.seLinuxOptions.type | string | | |
| gloo.settings.integrations.knative.proxy.containerSecurityContext.seLinuxOptions.level | string | | |
| gloo.settings.integrations.knative.proxy.containerSecurityContext.windowsOptions.gmsaCredentialSpecName | string | | |
| gloo.settings.integrations.knative.proxy.containerSecurityContext.windowsOptions.gmsaCredentialSpec | string | | |
| gloo.settings.integrations.knative.proxy.containerSecurityContext.windowsOptions.runAsUserName | string | | |
| gloo.settings.integrations.knative.proxy.containerSecurityContext.windowsOptions.hostProcess | bool | | |
| gloo.settings.integrations.knative.proxy.containerSecurityContext.runAsUser | int64 | | |
| gloo.settings.integrations.knative.proxy.containerSecurityContext.runAsGroup | int64 | | |
| gloo.settings.integrations.knative.proxy.containerSecurityContext.runAsNonRoot | bool | | |
| gloo.settings.integrations.knative.proxy.containerSecurityContext.readOnlyRootFilesystem | bool | | |
| gloo.settings.integrations.knative.proxy.containerSecurityContext.allowPrivilegeEscalation | bool | | |
| gloo.settings.integrations.knative.proxy.containerSecurityContext.procMount | string | | |
| gloo.settings.integrations.knative.proxy.containerSecurityContext.seccompProfile.type | string | | |
| gloo.settings.integrations.knative.proxy.containerSecurityContext.seccompProfile.localhostProfile | string | | |
| gloo.settings.integrations.knative.proxy.containerSecurityContext.mergePolicy | string | | How to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you cannot override a ‘true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”. |
| gloo.settings.integrations.knative.requireIngressClass | bool | | only serve traffic for Knative Ingress objects with the annotation ‘networking.knative.dev/ingress.class: gloo.ingress.networking.knative.dev’. |
| gloo.settings.integrations.knative.extraKnativeInternalLabels.NAME | string | | Optional extra key-value pairs to add to the spec.template.metadata.labels data of the knative internal deployment. |
| gloo.settings.integrations.knative.extraKnativeInternalAnnotations.NAME | string | | Optional extra key-value pairs to add to the spec.template.metadata.annotations data of the knative internal deployment. |
| gloo.settings.integrations.knative.extraKnativeExternalLabels.NAME | string | | Optional extra key-value pairs to add to the spec.template.metadata.labels data of the knative external deployment. |
| gloo.settings.integrations.knative.extraKnativeExternalAnnotations.NAME | string | | Optional extra key-value pairs to add to the spec.template.metadata.annotations data of the knative external deployment. |
| gloo.settings.integrations.consul.datacenter | string | | Datacenter to use. If not provided, the default agent datacenter is used. |
| gloo.settings.integrations.consul.username | string | | Username to use for HTTP Basic Authentication. |
| gloo.settings.integrations.consul.password | string | | Password to use for HTTP Basic Authentication. |
| gloo.settings.integrations.consul.token | string | | Token is used to provide a per-request ACL token which overrides the agent’s default token. |
| gloo.settings.integrations.consul.caFile | string | | caFile is the optional path to the CA certificate used for Consul communication, defaults to the system bundle if not specified. |
| gloo.settings.integrations.consul.caPath | string | | caPath is the optional path to a directory of CA certificates to use for Consul communication, defaults to the system bundle if not specified. |
| gloo.settings.integrations.consul.certFile | string | | CertFile is the optional path to the certificate for Consul communication. If this is set then you need to also set KeyFile. |
| gloo.settings.integrations.consul.keyFile | string | | KeyFile is the optional path to the private key for Consul communication. If this is set then you need to also set CertFile. |
| gloo.settings.integrations.consul.insecureSkipVerify | bool | | InsecureSkipVerify if set to true will disable TLS host verification. |
| gloo.settings.integrations.consul.waitTime | string | | WaitTime limits how long a watch for Consul resources will block. If not provided, the agent default values will be used. |
| gloo.settings.integrations.consul.serviceDiscovery.dataCenters[] | string | | Use this parameter to restrict the data centers that will be considered when discovering and routing to services. If not provided, Gloo Edge will use all available data centers. |
| gloo.settings.integrations.consul.httpAddress | string | | The address of the Consul HTTP server. Used by service discovery and key-value storage (if enabled). Defaults to the value of the standard CONSUL_HTTP_ADDR env if set, otherwise to 127.0.0.1:8500. |
| gloo.settings.integrations.consul.dnsAddress | string | | The address of the DNS server used to resolve hostnames in the Consul service address. Used by service discovery (required when Consul service instances are stored as DNS names). Defaults to 127.0.0.1:8600 (the default Consul DNS server). |
| gloo.settings.integrations.consul.dnsPollingInterval | string | | The polling interval for the DNS server. If there is a Consul service address with a hostname instead of an IP, Gloo Edge will resolve the hostname with the configured frequency to update endpoints with any changes to DNS resolution. Defaults to 5s. |
| gloo.settings.integrations.consulUpstreamDiscovery.useTlsTagging | bool | | Allow Gloo Edge to automatically apply TLS to Consul services that are tagged with the tlsTagName value. Requires RootCaResourceNamespace and RootCaResourceName to be set if true. |
| gloo.settings.integrations.consulUpstreamDiscovery.tlsTagName | string | | The tag Gloo Edge should use to identify Consul services that ought to use TLS. If splitTlsServices is true, then this tag is also used to sort serviceInstances into the TLS upstream. Defaults to ‘glooUseTls’. |
| gloo.settings.integrations.consulUpstreamDiscovery.splitTlsServices | bool | | If true, then two upstreams are created when a Consul service contains the TLS tag: one with TLS and one without. |
| gloo.settings.integrations.consulUpstreamDiscovery.rootCa.namespace | string | | The namespace of this resource. |
| gloo.settings.integrations.consulUpstreamDiscovery.rootCa.name | string | | The name of this resource. |
| gloo.settings.create | bool | | create a Settings CRD which provides bootstrap configuration to Gloo Edge controllers |
| gloo.settings.extensions | interface | | |
| gloo.settings.singleNamespace | bool | | Enable to use install namespace as WatchNamespace and WriteNamespace |
| gloo.settings.invalidConfigPolicy.replaceInvalidRoutes | bool | | Rather than pausing configuration updates, in the event of an invalid Route defined on a virtual service or route table, Gloo Edge will serve the route with a predefined direct response action. This allows valid routes to be updated when other routes are invalid. |
| gloo.settings.invalidConfigPolicy.invalidRouteResponseCode | int64 | | the response code for the direct response |
| gloo.settings.invalidConfigPolicy.invalidRouteResponseBody | string | | the response body for the direct response |
| gloo.settings.linkerd | bool | | Enable automatic Linkerd integration in Gloo Edge |
| gloo.settings.disableProxyGarbageCollection | bool | | Set this option to determine the state of an Envoy listener when the corresponding Proxy resource has no routes. If false (default), Gloo Edge will propagate the state of the Proxy to Envoy, resetting the listener to a clean slate with no routes. If true, Gloo Edge will keep serving the routes from the last applied valid configuration. |
| gloo.settings.regexMaxProgramSize | uint32 | | Set this field to specify the RE2 default max program size which is a rough estimate of how complex the compiled regex is to evaluate. If not specified, this defaults to 1024. |
| gloo.settings.disableKubernetesDestinations | bool | | Enable or disable Gloo Edge to scan Kubernetes services in the cluster and create in-memory Upstream resources to represent them. These resources enable Gloo Edge to route requests to a Kubernetes service. Note that if you have a large number of services in your cluster and you do not restrict the namespaces that Gloo Edge watches, the API snapshot increases which can have a negative impact on the Gloo Edge translation time. In addition, load balancing is done in kube-proxy which can have further performance impacts. Using Gloo Upstreams as a routing destination bypasses kube-proxy as the request is routed to the pod directly. Alternatively, you can use Kubernetes Upstream resources as a routing destination to forward requests to the pod directly. For more information, see the docs. |
| gloo.settings.aws.enableCredentialsDiscovery | bool | | Enable AWS credentials discovery in Envoy for lambda requests. If enableServiceAccountCredentials is also set, enableServiceAccountCredentials takes precedence, as only one may be enabled in Gloo Edge |
| gloo.settings.aws.enableServiceAccountCredentials | bool | | Use ServiceAccount credentials to authenticate lambda requests. If enableCredentialsDiscovery is also set, this will take precedence as only one may be enabled in Gloo Edge |
| gloo.settings.aws.stsCredentialsRegion | string | | Regional endpoint to use for AWS STS requests. If empty, defaults to the global STS endpoint. |
| gloo.settings.aws.propagateOriginalRouting | bool | | Send downstream path and method as x-envoy-original-path and x-envoy-original-method headers on the request to AWS lambda. |
| gloo.settings.aws.credential_refresh_delay.seconds | int32 | | The value of this duration in seconds. |
| gloo.settings.aws.credential_refresh_delay.nanos | int32 | | The value of this duration in nanoseconds. |
| gloo.settings.aws.fallbackToFirstFunction | bool | | Use the first function; if discovery is enabled, the first function is the first function name alphabetically from the last discovery run. Defaults to false. |
| gloo.settings.rateLimit | interface | | Partial config for Gloo Edge Enterprise’s rate-limiting service, based on Envoy’s rate-limit service; supports Envoy’s rate-limit service API. (reference here: https://github.com/lyft/ratelimit#configuration) Configure rate-limit descriptors here, which define the limits for requests based on their descriptors. Configure rate-limits (composed of actions, which define how request characteristics get translated into descriptors) on the VirtualHost or its routes. |
| gloo.settings.ratelimitServer | interface | | External Ratelimit Server configuration for Gloo Edge Open Source’s rate-limiting service, based on Envoy’s rate-limit service; supports Envoy’s rate-limit service API. (reference here: https://docs.solo.io/gloo-edge/main/guides/security/rate_limiting/) |
| gloo.settings.circuitBreakers.maxConnections | uint32 | | Set this field to specify the maximum number of connections that Envoy will make to the upstream cluster. If not specified, the default is 1024. |
| gloo.settings.circuitBreakers.maxPendingRequests | uint32 | | Set this field to specify the maximum number of pending requests that Envoy will allow to the upstream cluster. If not specified, the default is 1024. |
| gloo.settings.circuitBreakers.maxRequests | uint32 | | Set this field to specify the maximum number of parallel requests that Envoy will make to the upstream cluster. If not specified, the default is 1024. |
| gloo.settings.circuitBreakers.maxRetries | uint32 | | Set this field to specify the maximum number of parallel retries that Envoy will allow to the upstream cluster. If not specified, the default is 3. |
| gloo.settings.enableRestEds | bool | | Whether or not to use rest xds for all EDS by default. Defaults to false. |
| gloo.settings.devMode | bool | | Whether or not to enable dev mode. Defaults to false. Setting to true at install time will expose the gloo dev admin endpoint on port 10010. Not recommended for production. Warning: this value is deprecated as of 1.17 and will be removed in a future release. |
| gloo.settings.secretOptions.sources[].vault.address | string | | Address of the Vault server. This should be a complete URL such as http://solo.io and include port if necessary (vault’s default port is 8200). |
| gloo.settings.secretOptions.sources[].vault.rootKey | string | | All keys stored in Vault will begin with this value. This can be used to run multiple instances of Gloo against the same Vault cluster. Defaults to gloo. |
| gloo.settings.secretOptions.sources[].vault.pathPrefix | string | | Optional. The name of a Vault Secrets Engine to which Vault should route traffic. For more info see https://learn.hashicorp.com/tutorials/vault/getting-started-secrets-engines. Defaults to ‘secret’. |
| gloo.settings.secretOptions.sources[].vault.tlsConfig.caCert | string | | Path to a PEM-encoded CA cert file to use to verify the Vault server SSL certificate. |
| gloo.settings.secretOptions.sources[].vault.tlsConfig.caPath | string | | Path to a directory of PEM-encoded CA cert files to verify the Vault server SSL certificate. |
| gloo.settings.secretOptions.sources[].vault.tlsConfig.clientCert | string | | Path to the certificate for Vault communication. |
| gloo.settings.secretOptions.sources[].vault.tlsConfig.clientKey | string | | Path to the private key for Vault communication. |
| gloo.settings.secretOptions.sources[].vault.tlsConfig.tlsServerName | string | | If set, it is used to set the SNI host when connecting via TLS. |
| gloo.settings.secretOptions.sources[].vault.tlsConfig.insecure | bool | | Disables TLS verification when set to true. |
| gloo.settings.secretOptions.sources[].vault.accessToken | string | | Vault token to use for authentication. Only one of accessToken or aws may be set. |
| gloo.settings.secretOptions.sources[].vault.aws.vaultRole | string | | The Vault role we are trying to authenticate to. This is not necessarily the same as the AWS role to which the Vault role is configured. |
| gloo.settings.secretOptions.sources[].vault.aws.region | string | | The AWS region to use for the login attempt. |
| gloo.settings.secretOptions.sources[].vault.aws.iamServerIdHeader | string | | The IAM Server ID Header required to be included in the request. |
| gloo.settings.secretOptions.sources[].vault.aws.mountPath | string | | The Vault path on which the AWS auth is mounted. |
| gloo.settings.secretOptions.sources[].vault.aws.accessKeyID | string | | Optional. The Access Key ID as provided by the security credentials on the AWS IAM resource. In cases such as receiving temporary credentials through assumed roles with AWS Security Token Service (STS) or IAM Roles for Service Accounts (IRSA), this field can be omitted. https://developer.hashicorp.com/vault/docs/auth/aws#iam-authentication-inferences. |
| gloo.settings.secretOptions.sources[].vault.aws.secretAccessKey | string | | Optional. The Secret Access Key as provided by the security credentials on the AWS IAM resource. In cases such as receiving temporary credentials through assumed roles with AWS Security Token Service (STS) or IAM Roles for Service Accounts (IRSA), this field can be omitted. https://developer.hashicorp.com/vault/docs/auth/aws#iam-authentication-inferences. |
| gloo.settings.secretOptions.sources[].vault.aws.sessionToken | string | | The Session Token as provided by the security credentials on the AWS IAM resource. |
| gloo.settings.secretOptions.sources[].vault.aws.leaseIncrement | uint32 | | The time increment, in seconds, used in renewing the lease of the Vault token. See: https://developer.hashicorp.com/vault/docs/concepts/lease#lease-durations-and-renewal. Defaults to 0, which causes the default TTL to be used. |
| gloo.settings.secretOptions.sources[].directory.directory | string | | Directory to read secrets from. |
| gloo.settings.kubeResourceOverride.NAME | interface | | override fields in the generated resource by specifying the yaml structure to override under the top-level key. |
| gloo.gloo.deployment.xdsPort | int | | port where gloo serves xDS API to Envoy. |
| gloo.gloo.deployment.restXdsPort | uint32 | | port where gloo serves REST xDS API to Envoy. |
| gloo.gloo.deployment.validationPort | int | | port where gloo serves gRPC Proxy Validation to Gateway. |
| gloo.gloo.deployment.proxyDebugPort | int | | port where gloo serves gRPC Proxy contents to glooctl. |
| gloo.gloo.deployment.stats.enabled | bool | | Controls whether or not Envoy stats are enabled |
| gloo.gloo.deployment.stats.routePrefixRewrite | string | | The Envoy stats endpoint to which the metrics are written |
| gloo.gloo.deployment.stats.setDatadogAnnotations | bool | | Sets the default datadog annotations |
| gloo.gloo.deployment.stats.enableStatsRoute | bool | | Enables an additional route to the stats cluster defaulting to /stats |
| gloo.gloo.deployment.stats.statsPrefixRewrite | string | | The Envoy stats endpoint with general metrics for the additional stats route |
| gloo.gloo.deployment.stats.serviceMonitorEnabled | bool | | Whether or not to expose an http-monitoring port that can be scraped by a Prometheus Service Monitor. Requires that ‘enabled’ is also true |
| gloo.gloo.deployment.stats.podMonitorEnabled | bool | | Whether or not to expose an http-monitoring port that can be scraped by a Prometheus Pod Monitor. Requires that ‘enabled’ is also true |
| gloo.gloo.deployment.floatingUserId | bool | | If true, allows the cluster to dynamically assign a user ID for the processes running in the container. If a SecurityContext is defined for the container, this value is not applied for the container. |
| gloo.gloo.deployment.runAsUser | float64 | | Explicitly set the user ID for the processes in the container to run as. Default is 10101. If a SecurityContext is defined for the pod or container, this value is not applied for the pod/container. |
| gloo.gloo.deployment.externalTrafficPolicy | string | | Set the external traffic policy on the gloo service. |
| gloo.gloo.deployment.extraGlooLabels.NAME | string | | Optional extra key-value pairs to add to the spec.template.metadata.labels data of the primary gloo deployment. |
| gloo.gloo.deployment.extraGlooAnnotations.NAME | string | | Optional extra key-value pairs to add to the spec.template.metadata.annotations data of the primary gloo deployment. |
| gloo.gloo.deployment.livenessProbeEnabled | bool | | Set to true to enable a liveness probe for Gloo Edge (default is false). |
| gloo.gloo.deployment.ossImageTag | string | 1.17.14 | Used for debugging. The version of Gloo OSS that the current version of Gloo Enterprise was built with. |
| gloo.gloo.deployment.podSecurityContext.seLinuxOptions.user | string | | |
| gloo.gloo.deployment.podSecurityContext.seLinuxOptions.role | string | | |
| gloo.gloo.deployment.podSecurityContext.seLinuxOptions.type | string | | |
| gloo.gloo.deployment.podSecurityContext.seLinuxOptions.level | string | | |
| gloo.gloo.deployment.podSecurityContext.windowsOptions.gmsaCredentialSpecName | string | | |
| gloo.gloo.deployment.podSecurityContext.windowsOptions.gmsaCredentialSpec | string | | |
| gloo.gloo.deployment.podSecurityContext.windowsOptions.runAsUserName | string | | |
| gloo.gloo.deployment.podSecurityContext.windowsOptions.hostProcess | bool | | |
| gloo.gloo.deployment.podSecurityContext.runAsUser | int64 | | |
| gloo.gloo.deployment.podSecurityContext.runAsGroup | int64 | | |
| gloo.gloo.deployment.podSecurityContext.runAsNonRoot | bool | | |
| gloo.gloo.deployment.podSecurityContext.supplementalGroups[] | int64 | | |
| gloo.gloo.deployment.podSecurityContext.fsGroup | int64 | | |
| gloo.gloo.deployment.podSecurityContext.sysctls[].name | string | | |
| gloo.gloo.deployment.podSecurityContext.sysctls[].value | string | | |
| gloo.gloo.deployment.podSecurityContext.fsGroupChangePolicy | string | | |
| gloo.gloo.deployment.podSecurityContext.seccompProfile.type | string | | |
| gloo.gloo.deployment.podSecurityContext.seccompProfile.localhostProfile | string | | |
| gloo.gloo.deployment.podSecurityContext.mergePolicy | string | | How to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you cannot override a ‘true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”. |
| gloo.gloo.deployment.replicas | int | | number of instances to deploy |
| gloo.gloo.deployment.customEnv[].name | string | | |
| gloo.gloo.deployment.customEnv[].value | string | | |
| gloo.gloo.deployment.customEnv[].valueFrom.fieldRef.apiVersion | string | | |
| gloo.gloo.deployment.customEnv[].valueFrom.fieldRef.fieldPath | string | | |
| gloo.gloo.deployment.customEnv[].valueFrom.resourceFieldRef.containerName | string | | |
| gloo.gloo.deployment.customEnv[].valueFrom.resourceFieldRef.resource | string | | |
| gloo.gloo.deployment.customEnv[].valueFrom.resourceFieldRef.divisor | int64 | | |
| gloo.gloo.deployment.customEnv[].valueFrom.resourceFieldRef.divisor | int32 | | |
| gloo.gloo.deployment.customEnv[].valueFrom.resourceFieldRef.divisor | bool | | |
| gloo.gloo.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[] | uint | | |
| gloo.gloo.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[] | int32 | | |
| gloo.gloo.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[] | string | | |
| gloo.gloo.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[] | string | | |
| gloo.gloo.deployment.customEnv[].valueFrom.configMapKeyRef.name | string | | |
| gloo.gloo.deployment.customEnv[].valueFrom.configMapKeyRef.key | string | | |
| gloo.gloo.deployment.customEnv[].valueFrom.configMapKeyRef.optional | bool | | |
| gloo.gloo.deployment.customEnv[].valueFrom.secretKeyRef.name | string | | |
| gloo.gloo.deployment.customEnv[].valueFrom.secretKeyRef.key | string | | |
| gloo.gloo.deployment.customEnv[].valueFrom.secretKeyRef.optional | bool | | |
| gloo.gloo.deployment.restartPolicy | string | | restart policy to use when the pod exits |
| gloo.gloo.deployment.priorityClassName | string | | name of a defined priority class |
| gloo.gloo.deployment.nodeName | string | | name of node to run on |
| gloo.gloo.deployment.nodeSelector.NAME | string | | label selector for nodes |
| gloo.gloo.deployment.tolerations[].key | string | | |
| gloo.gloo.deployment.tolerations[].operator | string | | |
| gloo.gloo.deployment.tolerations[].value | string | | |
| gloo.gloo.deployment.tolerations[].effect | string | | |
| gloo.gloo.deployment.tolerations[].tolerationSeconds | int64 | | |
| gloo.gloo.deployment.affinity.NAME | interface | | |
| gloo.gloo.deployment.hostAliases[] | interface | | |
| gloo.gloo.deployment.initContainers[] | interface | | InitContainers to be added to the array of initContainers on the deployment. |
| gloo.gloo.deployment.resources.limits.memory | string | | amount of memory |
| gloo.gloo.deployment.resources.limits.cpu | string | | amount of CPUs |
| gloo.gloo.deployment.resources.requests.memory | string | | amount of memory |
| gloo.gloo.deployment.resources.requests.cpu | string | | amount of CPUs |
| gloo.gloo.deployment.kubeResourceOverride.NAME | interface | | override fields in the generated resource by specifying the yaml structure to override under the top-level key. |
| gloo.gloo.deployment.image.tag | string | Version number, ex. 1.8.0 | The image tag for the container. |
| gloo.gloo.deployment.image.repository | string | gloo-ee | The image repository (name) for the container. |
| gloo.gloo.deployment.image.digest | string | | The container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard. |
| gloo.gloo.deployment.image.fipsDigest | string | | The container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant. |
| gloo.gloo.deployment.image.distrolessDigest | string | | The container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant. |
| gloo.gloo.deployment.image.fipsDistrolessDigest | string | | The container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest. |
| gloo.gloo.deployment.image.registry | string | | The image hostname prefix and registry, such as quay.io/solo-io. |
| gloo.gloo.deployment.image.pullPolicy | string | IfNotPresent | The image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting |
| gloo.gloo.deployment.image.pullSecret | string | | The image pull secret to use for the container, in the same namespace as the container pod. |
| gloo.gloo.deployment.image.variant | string | | Specifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature) |
| gloo.gloo.deployment.image.fips | bool | | [Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature) |
| gloo.gloo.deployment.glooContainerSecurityContext.capabilities.add[] | string | | |
| gloo.gloo.deployment.glooContainerSecurityContext.capabilities.drop[] | string | | |
| gloo.gloo.deployment.glooContainerSecurityContext.privileged | bool | | |
| gloo.gloo.deployment.glooContainerSecurityContext.seLinuxOptions.user | string | | |
| gloo.gloo.deployment.glooContainerSecurityContext.seLinuxOptions.role | string | | |
| gloo.gloo.deployment.glooContainerSecurityContext.seLinuxOptions.type | string | | |
| gloo.gloo.deployment.glooContainerSecurityContext.seLinuxOptions.level | string | | |
| gloo.gloo.deployment.glooContainerSecurityContext.windowsOptions.gmsaCredentialSpecName | string | | |
| gloo.gloo.deployment.glooContainerSecurityContext.windowsOptions.gmsaCredentialSpec | string | | |
| gloo.gloo.deployment.glooContainerSecurityContext.windowsOptions.runAsUserName | string | | |
| gloo.gloo.deployment.glooContainerSecurityContext.windowsOptions.hostProcess | bool | | |
| gloo.gloo.deployment.glooContainerSecurityContext.runAsUser | int64 | | |
| gloo.gloo.deployment.glooContainerSecurityContext.runAsGroup | int64 | | |
| gloo.gloo.deployment.glooContainerSecurityContext.runAsNonRoot | bool | | |
| gloo.gloo.deployment.glooContainerSecurityContext.readOnlyRootFilesystem | bool | | |
| gloo.gloo.deployment.glooContainerSecurityContext.allowPrivilegeEscalation | bool | | |
| gloo.gloo.deployment.glooContainerSecurityContext.procMount | string | | |
| gloo.gloo.deployment.glooContainerSecurityContext.seccompProfile.type | string | | |
| gloo.gloo.deployment.glooContainerSecurityContext.seccompProfile.localhostProfile | string | | |
gloo.gloo.deployment.glooContainerSecurityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the Helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how Helm’s ‘merge’ function works, you cannot override a ‘true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
gloo.gloo.serviceAccount.extraAnnotations.NAMEstringextra annotations to add to the service account
gloo.gloo.serviceAccount.disableAutomountbooldisable automounting the service account to the gateway proxy. not mounting the token hardens the proxy container, but may interfere with service mesh integrations
gloo.gloo.serviceAccount.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gloo.gloo.splitLogOutputboolSet to true to send debug/info/warning logs to stdout, error/fatal/panic to stderr. Set to false to send all logs to stdout
gloo.gloo.service.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gloo.gloo.logLevelstringLevel at which the pod should log. Options include “info”, “debug”, “warn”, “error”, “panic” and “fatal”. Default level is info
gloo.gloo.disableLeaderElectionboolSet to true to disable leader election, and ensure all running replicas are considered the leader. Do not enable this with multiple replicas of Gloo
gloo.gloo.headerSecretRefNsMatchesUsboolSet to true to require that secrets sent in headers via headerSecretRefs come from the same namespace as the destination upstream. Default: false
gloo.gloo.podDisruptionBudget.minAvailablestringCorresponds directly with the minAvailable field in the PodDisruptionBudgetSpec. This value is mutually exclusive with maxUnavailable.
gloo.gloo.podDisruptionBudget.maxUnavailablestringCorresponds directly with the maxUnavailable field in the PodDisruptionBudgetSpec. This value is mutually exclusive with minAvailable.
gloo.discovery.deployment.image.tagstringVersion number, ex. 1.8.0The image tag for the container.
gloo.discovery.deployment.image.repositorystringdiscovery-eeThe image repository (name) for the container.
gloo.discovery.deployment.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
gloo.discovery.deployment.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
gloo.discovery.deployment.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
gloo.discovery.deployment.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
gloo.discovery.deployment.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
gloo.discovery.deployment.image.pullPolicystringIfNotPresentThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
gloo.discovery.deployment.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
gloo.discovery.deployment.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
gloo.discovery.deployment.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
gloo.discovery.deployment.stats.enabledboolControls whether or not Envoy stats are enabled
gloo.discovery.deployment.stats.routePrefixRewritestringThe Envoy stats endpoint to which the metrics are written
gloo.discovery.deployment.stats.setDatadogAnnotationsboolSets the default datadog annotations
gloo.discovery.deployment.stats.enableStatsRouteboolEnables an additional route to the stats cluster defaulting to /stats
gloo.discovery.deployment.stats.statsPrefixRewritestringThe Envoy stats endpoint with general metrics for the additional stats route
gloo.discovery.deployment.stats.serviceMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Service Monitor. Requires that ‘enabled’ is also true
gloo.discovery.deployment.stats.podMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Pod Monitor. Requires that ‘enabled’ is also true
gloo.discovery.deployment.floatingUserIdboolIf true, allows the cluster to dynamically assign a user ID for the processes running in the container.
gloo.discovery.deployment.runAsUserfloat64Explicitly set the user ID for the processes in the container to run as. Default is 10101.
gloo.discovery.deployment.fsGroupfloat64Explicitly set the group ID for volume ownership. Default is 10101
gloo.discovery.deployment.extraDiscoveryLabels.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.labels data of the gloo edge discovery deployment.
gloo.discovery.deployment.extraDiscoveryAnnotations.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.annotations data of the gloo edge discovery deployment.
gloo.discovery.deployment.enablePodSecurityContextboolWhether or not to render the pod security context. Default is true
gloo.discovery.deployment.discoveryContainerSecurityContext.capabilities.add[]string
gloo.discovery.deployment.discoveryContainerSecurityContext.capabilities.drop[]string
gloo.discovery.deployment.discoveryContainerSecurityContext.privilegedbool
gloo.discovery.deployment.discoveryContainerSecurityContext.seLinuxOptions.userstring
gloo.discovery.deployment.discoveryContainerSecurityContext.seLinuxOptions.rolestring
gloo.discovery.deployment.discoveryContainerSecurityContext.seLinuxOptions.typestring
gloo.discovery.deployment.discoveryContainerSecurityContext.seLinuxOptions.levelstring
gloo.discovery.deployment.discoveryContainerSecurityContext.windowsOptions.gmsaCredentialSpecNamestring
gloo.discovery.deployment.discoveryContainerSecurityContext.windowsOptions.gmsaCredentialSpecstring
gloo.discovery.deployment.discoveryContainerSecurityContext.windowsOptions.runAsUserNamestring
gloo.discovery.deployment.discoveryContainerSecurityContext.windowsOptions.hostProcessbool
gloo.discovery.deployment.discoveryContainerSecurityContext.runAsUserint64
gloo.discovery.deployment.discoveryContainerSecurityContext.runAsGroupint64
gloo.discovery.deployment.discoveryContainerSecurityContext.runAsNonRootbool
gloo.discovery.deployment.discoveryContainerSecurityContext.readOnlyRootFilesystembool
gloo.discovery.deployment.discoveryContainerSecurityContext.allowPrivilegeEscalationbool
gloo.discovery.deployment.discoveryContainerSecurityContext.procMountstring
gloo.discovery.deployment.discoveryContainerSecurityContext.seccompProfile.typestring
gloo.discovery.deployment.discoveryContainerSecurityContext.seccompProfile.localhostProfilestring
gloo.discovery.deployment.discoveryContainerSecurityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the Helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how Helm’s ‘merge’ function works, you cannot override a ‘true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
gloo.discovery.deployment.replicasintnumber of instances to deploy
gloo.discovery.deployment.customEnv[].namestring
gloo.discovery.deployment.customEnv[].valuestring
gloo.discovery.deployment.customEnv[].valueFrom.fieldRef.apiVersionstring
gloo.discovery.deployment.customEnv[].valueFrom.fieldRef.fieldPathstring
gloo.discovery.deployment.customEnv[].valueFrom.resourceFieldRef.containerNamestring
gloo.discovery.deployment.customEnv[].valueFrom.resourceFieldRef.resourcestring
gloo.discovery.deployment.customEnv[].valueFrom.resourceFieldRef.divisorint64
gloo.discovery.deployment.customEnv[].valueFrom.resourceFieldRef.divisorint32
gloo.discovery.deployment.customEnv[].valueFrom.resourceFieldRef.divisorbool
gloo.discovery.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]uint
gloo.discovery.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]int32
gloo.discovery.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]string
gloo.discovery.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]string
gloo.discovery.deployment.customEnv[].valueFrom.configMapKeyRef.namestring
gloo.discovery.deployment.customEnv[].valueFrom.configMapKeyRef.keystring
gloo.discovery.deployment.customEnv[].valueFrom.configMapKeyRef.optionalbool
gloo.discovery.deployment.customEnv[].valueFrom.secretKeyRef.namestring
gloo.discovery.deployment.customEnv[].valueFrom.secretKeyRef.keystring
gloo.discovery.deployment.customEnv[].valueFrom.secretKeyRef.optionalbool
gloo.discovery.deployment.restartPolicystringrestart policy to use when the pod exits
gloo.discovery.deployment.priorityClassNamestringname of a defined priority class
gloo.discovery.deployment.nodeNamestringname of node to run on
gloo.discovery.deployment.nodeSelector.NAMEstringlabel selector for nodes
gloo.discovery.deployment.tolerations[].keystring
gloo.discovery.deployment.tolerations[].operatorstring
gloo.discovery.deployment.tolerations[].valuestring
gloo.discovery.deployment.tolerations[].effectstring
gloo.discovery.deployment.tolerations[].tolerationSecondsint64
gloo.discovery.deployment.affinity.NAMEinterface
gloo.discovery.deployment.hostAliases[]interface
gloo.discovery.deployment.initContainers[]interfaceInitContainers to be added to the array of initContainers on the deployment.
gloo.discovery.deployment.resources.limits.memorystringamount of memory
gloo.discovery.deployment.resources.limits.cpustringamount of CPUs
gloo.discovery.deployment.resources.requests.memorystringamount of memory
gloo.discovery.deployment.resources.requests.cpustringamount of CPUs
gloo.discovery.deployment.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gloo.discovery.fdsModestringmode for function discovery (blacklist or whitelist). See more info in the settings docs
gloo.discovery.udsOptions.enabledboolEnable upstream discovery service. Defaults to true.
gloo.discovery.udsOptions.watchLabels.NAMEstringMap of labels to watch. Only services which match all of the selectors specified here will be discovered by UDS.
gloo.discovery.fdsOptions.graphqlEnabledboolEnable GraphQL schema generation on the function discovery service. Defaults to true.
gloo.discovery.enabledboolenable Discovery features
gloo.discovery.serviceAccount.extraAnnotations.NAMEstringextra annotations to add to the service account
gloo.discovery.serviceAccount.disableAutomountbooldisable automounting the service account to the gateway proxy. not mounting the token hardens the proxy container, but may interfere with service mesh integrations
gloo.discovery.serviceAccount.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gloo.discovery.logLevelstringLevel at which the pod should log. Options include “info”, “debug”, “warn”, “error”, “panic” and “fatal”. Default level is info.
gloo.gateway.enabledboolenable Gloo Edge API Gateway features
gloo.gateway.validation.enabledboolenable Gloo Edge API Gateway validation hook (default true)
gloo.gateway.validation.alwaysAcceptResourcesboolSet this to false to ensure that the validation webhook rejects invalid resources. By default, the validation webhook only logs and reports metrics for invalid resource admission without rejecting the resources outright.
gloo.gateway.validation.allowWarningsboolset this to false in order to ensure validation webhook rejects resources that would have warning status or rejected status, rather than just rejected.
gloo.gateway.validation.warnMissingTlsSecretboolset this to true in order to treat missing tls secret references as warnings, causing validation to allow this state. This supports eventually consistent workflows where TLS secrets may not yet be present when VirtualServices that reference them are created. This field has no effect if allowWarnings is false or acceptAllResources is true.
gloo.gateway.validation.serverEnabledboolBy providing the validation field (parent of this object) the user is implicitly opting into validation. This field allows the user to opt out of the validation server, while still configuring pre-existing fields such as warn_route_short_circuiting and disable_transformation_validation.
gloo.gateway.validation.disableTransformationValidationboolset this to true to disable transformation validation. This may bring significant performance benefits if using many transformations, at the cost of possibly incorrect transformations being sent to Envoy. When using this value make sure to pre-validate transformations.
gloo.gateway.validation.warnRouteShortCircuitingboolWrite a warning to route resources if validation produced a route ordering warning (defaults to false). By setting to true, this means that Gloo Edge will start assigning warnings to resources that would result in route short-circuiting within a virtual host.
gloo.gateway.validation.secretNamestringName of the Kubernetes Secret containing TLS certificates used by the validation webhook server. This secret will be created by the certGen Job if the certGen Job is enabled.
gloo.gateway.validation.failurePolicystringfailurePolicy defines how unrecognized errors from the Gateway validation endpoint are handled - allowed values are ‘Ignore’ or ‘Fail’. Defaults to Ignore
gloo.gateway.validation.webhook.enabledboolenable validation webhook (default true)
gloo.gateway.validation.webhook.disableHelmHookbooldo not create the webhook as helm hook (default false)
gloo.gateway.validation.webhook.timeoutSecondsintthe timeout for the webhook, defaults to 10
gloo.gateway.validation.webhook.extraAnnotations.NAMEstringextra annotations to add to the webhook
gloo.gateway.validation.webhook.skipDeleteValidationResources[]stringresource types in this list will not use webhook validation for DELETEs. Use ‘’ to skip validation for all resources. Valid values are ‘virtualservices’, ‘routetables’, ‘upstreams’, ‘secrets’, ‘ratelimitconfigs’, and ‘’. Invalid values will be accepted but will not be used.
gloo.gateway.validation.webhook.enablePolicyApiboolenable validation of Policy Api resources (RouteOptions, VirtualHostOptions) (default: true). NOTE: This only applies if the Kubernetes Gateway Integration is also enabled (kubeGateway.enabled).
gloo.gateway.validation.webhook.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gloo.gateway.validation.validationServerGrpcMaxSizeBytesintgRPC max message size in bytes for the gloo validation server
gloo.gateway.validation.livenessProbeEnabledboolSet to true to enable a liveness probe for the gateway (default is false). You must also set the ‘Probes’ value to true.
gloo.gateway.certGenJob.image.tagstring1.17.14The image tag for the container.
gloo.gateway.certGenJob.image.repositorystringcertgenThe image repository (name) for the container.
gloo.gateway.certGenJob.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
gloo.gateway.certGenJob.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
gloo.gateway.certGenJob.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
gloo.gateway.certGenJob.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
gloo.gateway.certGenJob.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
gloo.gateway.certGenJob.image.pullPolicystringIfNotPresentThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
gloo.gateway.certGenJob.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
gloo.gateway.certGenJob.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
gloo.gateway.certGenJob.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
gloo.gateway.certGenJob.restartPolicystringrestart policy to use when the pod exits
gloo.gateway.certGenJob.priorityClassNamestringname of a defined priority class
gloo.gateway.certGenJob.nodeNamestringname of node to run on
gloo.gateway.certGenJob.nodeSelector.NAMEstringlabel selector for nodes
gloo.gateway.certGenJob.tolerations[].keystring
gloo.gateway.certGenJob.tolerations[].operatorstring
gloo.gateway.certGenJob.tolerations[].valuestring
gloo.gateway.certGenJob.tolerations[].effectstring
gloo.gateway.certGenJob.tolerations[].tolerationSecondsint64
gloo.gateway.certGenJob.affinity.NAMEinterface
gloo.gateway.certGenJob.hostAliases[]interface
gloo.gateway.certGenJob.initContainers[]interfaceInitContainers to be added to the array of initContainers on the deployment.
gloo.gateway.certGenJob.activeDeadlineSecondsintDeadline in seconds for Kubernetes jobs.
gloo.gateway.certGenJob.backoffLimitintSpecifies the number of retries before marking this job failed. In Kubernetes, defaults to 6
gloo.gateway.certGenJob.completionsintSpecifies the desired number of successfully finished pods the job should be run with.
gloo.gateway.certGenJob.manualSelectorboolControls generation of pod labels and pod selectors.
gloo.gateway.certGenJob.parallelismintSpecifies the maximum desired number of pods the job should run at any given time.
gloo.gateway.certGenJob.ttlSecondsAfterFinishedintClean up the finished job after this many seconds. Defaults to 300 for the rollout jobs and 60 for the rest.
gloo.gateway.certGenJob.extraPodLabels.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.labels data of the job.
gloo.gateway.certGenJob.extraPodAnnotations.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.annotations data of the job.
gloo.gateway.certGenJob.containerSecurityContext.capabilities.add[]string
gloo.gateway.certGenJob.containerSecurityContext.capabilities.drop[]string
gloo.gateway.certGenJob.containerSecurityContext.privilegedbool
gloo.gateway.certGenJob.containerSecurityContext.seLinuxOptions.userstring
gloo.gateway.certGenJob.containerSecurityContext.seLinuxOptions.rolestring
gloo.gateway.certGenJob.containerSecurityContext.seLinuxOptions.typestring
gloo.gateway.certGenJob.containerSecurityContext.seLinuxOptions.levelstring
gloo.gateway.certGenJob.containerSecurityContext.windowsOptions.gmsaCredentialSpecNamestring
gloo.gateway.certGenJob.containerSecurityContext.windowsOptions.gmsaCredentialSpecstring
gloo.gateway.certGenJob.containerSecurityContext.windowsOptions.runAsUserNamestring
gloo.gateway.certGenJob.containerSecurityContext.windowsOptions.hostProcessbool
gloo.gateway.certGenJob.containerSecurityContext.runAsUserint64
gloo.gateway.certGenJob.containerSecurityContext.runAsGroupint64
gloo.gateway.certGenJob.containerSecurityContext.runAsNonRootbool
gloo.gateway.certGenJob.containerSecurityContext.readOnlyRootFilesystembool
gloo.gateway.certGenJob.containerSecurityContext.allowPrivilegeEscalationbool
gloo.gateway.certGenJob.containerSecurityContext.procMountstring
gloo.gateway.certGenJob.containerSecurityContext.seccompProfile.typestring
gloo.gateway.certGenJob.containerSecurityContext.seccompProfile.localhostProfilestring
gloo.gateway.certGenJob.containerSecurityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the Helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how Helm’s ‘merge’ function works, you cannot override a ‘true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
gloo.gateway.certGenJob.kubeResourceOverride.NAMEinterfaceoverride fields in the gateway-certgen job.
gloo.gateway.certGenJob.mtlsKubeResourceOverride.NAMEinterfaceoverride fields in the gloo-mtls-certgen job.
gloo.gateway.certGenJob.enabledboolenable the job that generates the certificates for the validating webhook at install time (default true)
gloo.gateway.certGenJob.setTtlAfterFinishedboolSet ttlSecondsAfterFinished on the job. Defaults to true
gloo.gateway.certGenJob.floatingUserIdboolIf true, allows the cluster to dynamically assign a user ID for the processes running in the container.
gloo.gateway.certGenJob.forceRotationboolIf true, will create new certs even if the old ones are still valid.
gloo.gateway.certGenJob.rotationDurationstringTime duration string indicating the (environment-specific) expected time for all pods to pick up a secret update via SDS. This is only applicable to the mTLS certgen job and cron job. If this duration is too short, secret changes may not have time to propagate to all pods, and some requests may be dropped during cert rotation. Since we do 2 secret updates during a cert rotation, the certgen job is expected to run for at least twice this amount of time. If activeDeadlineSeconds is set on the job, make sure it is at least twice as long as the rotation duration, otherwise the certgen job might time out.
gloo.gateway.certGenJob.runAsUserfloat64Explicitly set the user ID for the processes in the container to run as. Default is 10101.
gloo.gateway.certGenJob.resources.limits.memorystringamount of memory
gloo.gateway.certGenJob.resources.limits.cpustringamount of CPUs
gloo.gateway.certGenJob.resources.requests.memorystringamount of memory
gloo.gateway.certGenJob.resources.requests.cpustringamount of CPUs
gloo.gateway.certGenJob.runOnUpdateboolenable to run the job also on pre-upgrade
gloo.gateway.certGenJob.cron.enabledboolenable the cronjob
gloo.gateway.certGenJob.cron.schedulestringCron job scheduling
gloo.gateway.certGenJob.cron.mtlsKubeResourceOverride.NAMEinterfaceoverride fields in the gloo-mtls-certgen cronjob.
gloo.gateway.certGenJob.cron.validationWebhookKubeResourceOverride.NAMEinterfaceoverride fields in the gateway-certgen cronjob.
gloo.gateway.rolloutJob.restartPolicystringrestart policy to use when the pod exits
gloo.gateway.rolloutJob.priorityClassNamestringname of a defined priority class
gloo.gateway.rolloutJob.nodeNamestringname of node to run on
gloo.gateway.rolloutJob.nodeSelector.NAMEstringlabel selector for nodes
gloo.gateway.rolloutJob.tolerations[].keystring
gloo.gateway.rolloutJob.tolerations[].operatorstring
gloo.gateway.rolloutJob.tolerations[].valuestring
gloo.gateway.rolloutJob.tolerations[].effectstring
gloo.gateway.rolloutJob.tolerations[].tolerationSecondsint64
gloo.gateway.rolloutJob.affinity.NAMEinterface
gloo.gateway.rolloutJob.hostAliases[]interface
gloo.gateway.rolloutJob.initContainers[]interfaceInitContainers to be added to the array of initContainers on the deployment.
gloo.gateway.rolloutJob.activeDeadlineSecondsintDeadline in seconds for Kubernetes jobs.
gloo.gateway.rolloutJob.backoffLimitintSpecifies the number of retries before marking this job failed. In Kubernetes, defaults to 6
gloo.gateway.rolloutJob.completionsintSpecifies the desired number of successfully finished pods the job should be run with.
gloo.gateway.rolloutJob.manualSelectorboolControls generation of pod labels and pod selectors.
gloo.gateway.rolloutJob.parallelismintSpecifies the maximum desired number of pods the job should run at any given time.
gloo.gateway.rolloutJob.ttlSecondsAfterFinishedintClean up the finished job after this many seconds. Defaults to 300 for the rollout jobs and 60 for the rest.
gloo.gateway.rolloutJob.extraPodLabels.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.labels data of the job.
gloo.gateway.rolloutJob.extraPodAnnotations.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.annotations data of the job.
gloo.gateway.rolloutJob.containerSecurityContext.capabilities.add[]string
gloo.gateway.rolloutJob.containerSecurityContext.capabilities.drop[]string
gloo.gateway.rolloutJob.containerSecurityContext.privilegedbool
gloo.gateway.rolloutJob.containerSecurityContext.seLinuxOptions.userstring
gloo.gateway.rolloutJob.containerSecurityContext.seLinuxOptions.rolestring
gloo.gateway.rolloutJob.containerSecurityContext.seLinuxOptions.typestring
gloo.gateway.rolloutJob.containerSecurityContext.seLinuxOptions.levelstring
gloo.gateway.rolloutJob.containerSecurityContext.windowsOptions.gmsaCredentialSpecNamestring
gloo.gateway.rolloutJob.containerSecurityContext.windowsOptions.gmsaCredentialSpecstring
gloo.gateway.rolloutJob.containerSecurityContext.windowsOptions.runAsUserNamestring
gloo.gateway.rolloutJob.containerSecurityContext.windowsOptions.hostProcessbool
gloo.gateway.rolloutJob.containerSecurityContext.runAsUserint64
gloo.gateway.rolloutJob.containerSecurityContext.runAsGroupint64
gloo.gateway.rolloutJob.containerSecurityContext.runAsNonRootbool
gloo.gateway.rolloutJob.containerSecurityContext.readOnlyRootFilesystembool
gloo.gateway.rolloutJob.containerSecurityContext.allowPrivilegeEscalationbool
gloo.gateway.rolloutJob.containerSecurityContext.procMountstring
gloo.gateway.rolloutJob.containerSecurityContext.seccompProfile.typestring
gloo.gateway.rolloutJob.containerSecurityContext.seccompProfile.localhostProfilestring
gloo.gateway.rolloutJob.containerSecurityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the Helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how Helm’s ‘merge’ function works, you cannot override a ‘true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
gloo.gateway.rolloutJob.enabledboolEnable the job that applies default Gloo Edge custom resources at install and upgrade time (default true).
gloo.gateway.rolloutJob.image.tagstring1.17.14The image tag for the container.
gloo.gateway.rolloutJob.image.repositorystringkubectlThe image repository (name) for the container.
gloo.gateway.rolloutJob.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
gloo.gateway.rolloutJob.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
gloo.gateway.rolloutJob.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
gloo.gateway.rolloutJob.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
gloo.gateway.rolloutJob.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
gloo.gateway.rolloutJob.image.pullPolicystringIfNotPresentThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
gloo.gateway.rolloutJob.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
gloo.gateway.rolloutJob.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
gloo.gateway.rolloutJob.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
gloo.gateway.rolloutJob.resources.limits.memorystringamount of memory
gloo.gateway.rolloutJob.resources.limits.cpustringamount of CPUs
gloo.gateway.rolloutJob.resources.requests.memorystringamount of memory
gloo.gateway.rolloutJob.resources.requests.cpustringamount of CPUs
gloo.gateway.rolloutJob.floatingUserIdboolIf true, allows the cluster to dynamically assign a user ID for the processes running in the container.
gloo.gateway.rolloutJob.runAsUserfloat64Explicitly set the user ID for the processes in the container to run as. Default is 10101.
gloo.gateway.rolloutJob.timeoutintTime to wait in seconds until the job has completed. If it exceeds this limit, it is deemed to have failed. Defaults to 120
gloo.gateway.cleanupJob.restartPolicystringrestart policy to use when the pod exits
gloo.gateway.cleanupJob.priorityClassNamestringname of a defined priority class
gloo.gateway.cleanupJob.nodeNamestringname of node to run on
gloo.gateway.cleanupJob.nodeSelector.NAMEstringlabel selector for nodes
gloo.gateway.cleanupJob.tolerations[].keystring
gloo.gateway.cleanupJob.tolerations[].operatorstring
gloo.gateway.cleanupJob.tolerations[].valuestring
gloo.gateway.cleanupJob.tolerations[].effectstring
gloo.gateway.cleanupJob.tolerations[].tolerationSecondsint64
gloo.gateway.cleanupJob.affinity.NAMEinterface
gloo.gateway.cleanupJob.hostAliases[]interface
gloo.gateway.cleanupJob.initContainers[]interfaceInitContainers to be added to the array of initContainers on the deployment.
gloo.gateway.cleanupJob.activeDeadlineSecondsintDeadline in seconds for Kubernetes jobs.
gloo.gateway.cleanupJob.backoffLimitintSpecifies the number of retries before marking this job failed. In kubernetes, defaults to 6
gloo.gateway.cleanupJob.completionsintSpecifies the desired number of successfully finished pods the job should be run with.
gloo.gateway.cleanupJob.manualSelectorboolControls generation of pod labels and pod selectors.
gloo.gateway.cleanupJob.parallelismintSpecifies the maximum desired number of pods the job should run at any given time.
gloo.gateway.cleanupJob.ttlSecondsAfterFinishedintClean up the finished job after this many seconds. Defaults to 300 for the rollout jobs and 60 for the rest.
gloo.gateway.cleanupJob.extraPodLabels.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.labels data of the job.
gloo.gateway.cleanupJob.extraPodAnnotations.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.annotations data of the job.
gloo.gateway.cleanupJob.containerSecurityContext.capabilities.add[]string
gloo.gateway.cleanupJob.containerSecurityContext.capabilities.drop[]string
gloo.gateway.cleanupJob.containerSecurityContext.privilegedbool
gloo.gateway.cleanupJob.containerSecurityContext.seLinuxOptions.userstring
gloo.gateway.cleanupJob.containerSecurityContext.seLinuxOptions.rolestring
gloo.gateway.cleanupJob.containerSecurityContext.seLinuxOptions.typestring
gloo.gateway.cleanupJob.containerSecurityContext.seLinuxOptions.levelstring
gloo.gateway.cleanupJob.containerSecurityContext.windowsOptions.gmsaCredentialSpecNamestring
gloo.gateway.cleanupJob.containerSecurityContext.windowsOptions.gmsaCredentialSpecstring
gloo.gateway.cleanupJob.containerSecurityContext.windowsOptions.runAsUserNamestring
gloo.gateway.cleanupJob.containerSecurityContext.windowsOptions.hostProcessbool
gloo.gateway.cleanupJob.containerSecurityContext.runAsUserint64
gloo.gateway.cleanupJob.containerSecurityContext.runAsGroupint64
gloo.gateway.cleanupJob.containerSecurityContext.runAsNonRootbool
gloo.gateway.cleanupJob.containerSecurityContext.readOnlyRootFilesystembool
gloo.gateway.cleanupJob.containerSecurityContext.allowPrivilegeEscalationbool
gloo.gateway.cleanupJob.containerSecurityContext.procMountstring
gloo.gateway.cleanupJob.containerSecurityContext.seccompProfile.typestring
gloo.gateway.cleanupJob.containerSecurityContext.seccompProfile.localhostProfilestring
gloo.gateway.cleanupJob.containerSecurityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you cannot override a ‘true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
gloo.gateway.cleanupJob.enabledboolEnable the job that removes Gloo Edge custom resources when Gloo Edge is uninstalled (default true).
gloo.gateway.cleanupJob.image.tagstring1.17.14The image tag for the container.
gloo.gateway.cleanupJob.image.repositorystringkubectlThe image repository (name) for the container.
gloo.gateway.cleanupJob.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
gloo.gateway.cleanupJob.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
gloo.gateway.cleanupJob.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
gloo.gateway.cleanupJob.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
gloo.gateway.cleanupJob.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
gloo.gateway.cleanupJob.image.pullPolicystringIfNotPresentThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
gloo.gateway.cleanupJob.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
gloo.gateway.cleanupJob.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
gloo.gateway.cleanupJob.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
gloo.gateway.cleanupJob.resources.limits.memorystringamount of memory
gloo.gateway.cleanupJob.resources.limits.cpustringamount of CPUs
gloo.gateway.cleanupJob.resources.requests.memorystringamount of memory
gloo.gateway.cleanupJob.resources.requests.cpustringamount of CPUs
gloo.gateway.cleanupJob.floatingUserIdboolIf true, allows the cluster to dynamically assign a user ID for the processes running in the container.
gloo.gateway.cleanupJob.runAsUserfloat64Explicitly set the user ID for the processes in the container to run as. Default is 10101.
gloo.gateway.updateValuesbooltrueif true, will use a provided helm helper ‘gloo.updatevalues’ to update values during template render - useful for plugins/extensions
gloo.gateway.proxyServiceAccount.extraAnnotations.NAMEstringextra annotations to add to the service account
gloo.gateway.proxyServiceAccount.disableAutomountbooldisable automounting the service account to the gateway proxy. not mounting the token hardens the proxy container, but may interfere with service mesh integrations
gloo.gateway.proxyServiceAccount.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gloo.gateway.readGatewaysFromAllNamespacesboolif true, read Gateway custom resources from all watched namespaces rather than just the namespace of the Gateway controller
gloo.gateway.isolateVirtualHostsBySslConfigboolif true, adds support for the envoy.filters.listener.tls_inspector listener_filter when using the gateway.isolateVirtualHostsBySslConfig=true global setting.
gloo.gateway.compressedProxySpecboolif true, enables compression for the Proxy CRD spec
gloo.gateway.persistProxySpecboolEnable writing Proxy CRD to etcd. Disabled by default for performance.
gloo.gateway.translateEmptyGatewaysboolIf true, the gateways will be translated into Envoy listeners even if no VirtualServices exist.
gloo.gateway.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gloo.gatewayProxies.NAME.kind.deployment.replicasintnumber of instances to deploy
gloo.gatewayProxies.NAME.kind.deployment.customEnv[].namestring
gloo.gatewayProxies.NAME.kind.deployment.customEnv[].valuestring
gloo.gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.fieldRef.apiVersionstring
gloo.gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.fieldRef.fieldPathstring
gloo.gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.resourceFieldRef.containerNamestring
gloo.gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.resourceFieldRef.resourcestring
gloo.gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.resourceFieldRef.divisorint64
gloo.gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.resourceFieldRef.divisorint32
gloo.gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.resourceFieldRef.divisorbool
gloo.gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]uint
gloo.gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]int32
gloo.gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]string
gloo.gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.configMapKeyRef.namestring
gloo.gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.configMapKeyRef.keystring
gloo.gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.configMapKeyRef.optionalbool
gloo.gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.secretKeyRef.namestring
gloo.gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.secretKeyRef.keystring
gloo.gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.secretKeyRef.optionalbool
gloo.gatewayProxies.NAME.kind.deployment.restartPolicystringrestart policy to use when the pod exits
gloo.gatewayProxies.NAME.kind.deployment.priorityClassNamestringname of a defined priority class
gloo.gatewayProxies.NAME.kind.deployment.nodeNamestringname of node to run on
gloo.gatewayProxies.NAME.kind.deployment.nodeSelector.NAMEstringlabel selector for nodes
gloo.gatewayProxies.NAME.kind.deployment.tolerations[].keystring
gloo.gatewayProxies.NAME.kind.deployment.tolerations[].operatorstring
gloo.gatewayProxies.NAME.kind.deployment.tolerations[].valuestring
gloo.gatewayProxies.NAME.kind.deployment.tolerations[].effectstring
gloo.gatewayProxies.NAME.kind.deployment.tolerations[].tolerationSecondsint64
gloo.gatewayProxies.NAME.kind.deployment.affinity.NAMEinterface
gloo.gatewayProxies.NAME.kind.deployment.hostAliases[]interface
gloo.gatewayProxies.NAME.kind.deployment.initContainers[]interfaceInitContainers to be added to the array of initContainers on the deployment.
gloo.gatewayProxies.NAME.kind.deployment.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gloo.gatewayProxies.NAME.kind.daemonSet.hostPortboolwhether or not to enable host networking on the pod. Only relevant when running as a DaemonSet
gloo.gatewayProxies.NAME.kind.daemonSet.hostNetworkbool
gloo.gatewayProxies.NAME.namespacestringNamespace in which to deploy this gateway proxy. Defaults to the value of Settings.WriteNamespace
gloo.gatewayProxies.NAME.podTemplate.httpPortintHTTP port for the gateway service target port.
gloo.gatewayProxies.NAME.podTemplate.httpsPortintHTTPS port for the gateway service target port.
gloo.gatewayProxies.NAME.podTemplate.extraPorts[]interfaceextra ports for the gateway pod.
gloo.gatewayProxies.NAME.podTemplate.extraAnnotations.NAMEstringextra annotations to add to the pod.
gloo.gatewayProxies.NAME.podTemplate.nodeNamestringname of node to run on.
gloo.gatewayProxies.NAME.podTemplate.nodeSelector.NAMEstringlabel selector for nodes.
gloo.gatewayProxies.NAME.podTemplate.tolerations[].keystring
gloo.gatewayProxies.NAME.podTemplate.tolerations[].operatorstring
gloo.gatewayProxies.NAME.podTemplate.tolerations[].valuestring
gloo.gatewayProxies.NAME.podTemplate.tolerations[].effectstring
gloo.gatewayProxies.NAME.podTemplate.tolerations[].tolerationSecondsint64
gloo.gatewayProxies.NAME.podTemplate.probesboolSet to true to enable a readiness probe (default is false). Then, you can also enable a liveness probe.
gloo.gatewayProxies.NAME.podTemplate.livenessProbeEnabledboolSet to true to enable a liveness probe (default is false).
gloo.gatewayProxies.NAME.podTemplate.resources.limits.memorystringamount of memory
gloo.gatewayProxies.NAME.podTemplate.resources.limits.cpustringamount of CPUs
gloo.gatewayProxies.NAME.podTemplate.resources.requests.memorystringamount of memory
gloo.gatewayProxies.NAME.podTemplate.resources.requests.cpustringamount of CPUs
gloo.gatewayProxies.NAME.podTemplate.disableNetBindbooldon’t add the NET_BIND_SERVICE capability to the pod. This means that the gateway proxy will not be able to bind to ports below 1024. If podSecurityContext is defined, this value is not applied.
gloo.gatewayProxies.NAME.podTemplate.runUnprivilegedboolrun Envoy as an unprivileged user. If a SecurityContext is defined for the pod or container, this value is not applied for the pod/container.
gloo.gatewayProxies.NAME.podTemplate.floatingUserIdboolIf true, allows the cluster to dynamically assign a user ID for the processes running in the container. If podSecurityContext is defined, this value is not applied.
gloo.gatewayProxies.NAME.podTemplate.runAsUserfloat64Explicitly set the user ID for the processes in the container to run as. Default is 10101. If a SecurityContext is defined for the pod or container, this value is not applied for the pod/container.
gloo.gatewayProxies.NAME.podTemplate.fsGroupfloat64Explicitly set the group ID for volume ownership. Default is 10101. If podSecurityContext is defined, this value is not applied.
gloo.gatewayProxies.NAME.podTemplate.gracefulShutdown.enabledboolEnable grace period before shutdown to finish current requests while Envoy health checks fail to e.g. notify external load balancers. NOTE: This will not have any effect if you have not defined health checks via the health check filter
gloo.gatewayProxies.NAME.podTemplate.gracefulShutdown.sleepTimeSecondsintTime (in seconds) for the preStop hook to wait before allowing Envoy to terminate
gloo.gatewayProxies.NAME.podTemplate.terminationGracePeriodSecondsintTime in seconds to wait for the pod to terminate gracefully. See kubernetes docs for more info.
gloo.gatewayProxies.NAME.podTemplate.customReadinessProbe.exec.command[]string
gloo.gatewayProxies.NAME.podTemplate.customReadinessProbe.httpGet.pathstring
gloo.gatewayProxies.NAME.podTemplate.customReadinessProbe.httpGet.portint64
gloo.gatewayProxies.NAME.podTemplate.customReadinessProbe.httpGet.portint32
gloo.gatewayProxies.NAME.podTemplate.customReadinessProbe.httpGet.portstring
gloo.gatewayProxies.NAME.podTemplate.customReadinessProbe.httpGet.hoststring
gloo.gatewayProxies.NAME.podTemplate.customReadinessProbe.httpGet.schemestring
gloo.gatewayProxies.NAME.podTemplate.customReadinessProbe.httpGet.httpHeaders[].namestring
gloo.gatewayProxies.NAME.podTemplate.customReadinessProbe.httpGet.httpHeaders[].valuestring
gloo.gatewayProxies.NAME.podTemplate.customReadinessProbe.tcpSocket.portint64
gloo.gatewayProxies.NAME.podTemplate.customReadinessProbe.tcpSocket.portint32
gloo.gatewayProxies.NAME.podTemplate.customReadinessProbe.tcpSocket.portstring
gloo.gatewayProxies.NAME.podTemplate.customReadinessProbe.tcpSocket.hoststring
gloo.gatewayProxies.NAME.podTemplate.customReadinessProbe.grpc.portint32
gloo.gatewayProxies.NAME.podTemplate.customReadinessProbe.grpc.servicestring
gloo.gatewayProxies.NAME.podTemplate.customReadinessProbe.initialDelaySecondsint32
gloo.gatewayProxies.NAME.podTemplate.customReadinessProbe.timeoutSecondsint32
gloo.gatewayProxies.NAME.podTemplate.customReadinessProbe.periodSecondsint32
gloo.gatewayProxies.NAME.podTemplate.customReadinessProbe.successThresholdint32
gloo.gatewayProxies.NAME.podTemplate.customReadinessProbe.failureThresholdint32
gloo.gatewayProxies.NAME.podTemplate.customReadinessProbe.terminationGracePeriodSecondsint64
gloo.gatewayProxies.NAME.podTemplate.customLivenessProbe.exec.command[]string
gloo.gatewayProxies.NAME.podTemplate.customLivenessProbe.httpGet.pathstring
gloo.gatewayProxies.NAME.podTemplate.customLivenessProbe.httpGet.portint64
gloo.gatewayProxies.NAME.podTemplate.customLivenessProbe.httpGet.portint32
gloo.gatewayProxies.NAME.podTemplate.customLivenessProbe.httpGet.portstring
gloo.gatewayProxies.NAME.podTemplate.customLivenessProbe.httpGet.hoststring
gloo.gatewayProxies.NAME.podTemplate.customLivenessProbe.httpGet.schemestring
gloo.gatewayProxies.NAME.podTemplate.customLivenessProbe.httpGet.httpHeaders[].namestring
gloo.gatewayProxies.NAME.podTemplate.customLivenessProbe.httpGet.httpHeaders[].valuestring
gloo.gatewayProxies.NAME.podTemplate.customLivenessProbe.tcpSocket.portint64
gloo.gatewayProxies.NAME.podTemplate.customLivenessProbe.tcpSocket.portint32
gloo.gatewayProxies.NAME.podTemplate.customLivenessProbe.tcpSocket.portstring
gloo.gatewayProxies.NAME.podTemplate.customLivenessProbe.tcpSocket.hoststring
gloo.gatewayProxies.NAME.podTemplate.customLivenessProbe.grpc.portint32
gloo.gatewayProxies.NAME.podTemplate.customLivenessProbe.grpc.servicestring
gloo.gatewayProxies.NAME.podTemplate.customLivenessProbe.initialDelaySecondsint32
gloo.gatewayProxies.NAME.podTemplate.customLivenessProbe.timeoutSecondsint32
gloo.gatewayProxies.NAME.podTemplate.customLivenessProbe.periodSecondsint32
gloo.gatewayProxies.NAME.podTemplate.customLivenessProbe.successThresholdint32
gloo.gatewayProxies.NAME.podTemplate.customLivenessProbe.failureThresholdint32
gloo.gatewayProxies.NAME.podTemplate.customLivenessProbe.terminationGracePeriodSecondsint64
gloo.gatewayProxies.NAME.podTemplate.extraGatewayProxyLabels.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.labels data of the gloo edge gateway-proxy deployment.
gloo.gatewayProxies.NAME.podTemplate.extraContainers[]interfaceExtra containers to be added to the array of containers on the gateway proxy deployment.
gloo.gatewayProxies.NAME.podTemplate.extraInitContainers[]interfaceExtra initContainers to be added to the array of initContainers on the gateway proxy deployment.
gloo.gatewayProxies.NAME.podTemplate.enablePodSecurityContextboolWhether or not to render the pod security context. Default is true.
gloo.gatewayProxies.NAME.podTemplate.podSecurityContext.seLinuxOptions.userstring
gloo.gatewayProxies.NAME.podTemplate.podSecurityContext.seLinuxOptions.rolestring
gloo.gatewayProxies.NAME.podTemplate.podSecurityContext.seLinuxOptions.typestring
gloo.gatewayProxies.NAME.podTemplate.podSecurityContext.seLinuxOptions.levelstring
gloo.gatewayProxies.NAME.podTemplate.podSecurityContext.windowsOptions.gmsaCredentialSpecNamestring
gloo.gatewayProxies.NAME.podTemplate.podSecurityContext.windowsOptions.gmsaCredentialSpecstring
gloo.gatewayProxies.NAME.podTemplate.podSecurityContext.windowsOptions.runAsUserNamestring
gloo.gatewayProxies.NAME.podTemplate.podSecurityContext.windowsOptions.hostProcessbool
gloo.gatewayProxies.NAME.podTemplate.podSecurityContext.runAsUserint64
gloo.gatewayProxies.NAME.podTemplate.podSecurityContext.runAsGroupint64
gloo.gatewayProxies.NAME.podTemplate.podSecurityContext.runAsNonRootbool
gloo.gatewayProxies.NAME.podTemplate.podSecurityContext.supplementalGroups[]int64
gloo.gatewayProxies.NAME.podTemplate.podSecurityContext.fsGroupint64
gloo.gatewayProxies.NAME.podTemplate.podSecurityContext.sysctls[].namestring
gloo.gatewayProxies.NAME.podTemplate.podSecurityContext.sysctls[].valuestring
gloo.gatewayProxies.NAME.podTemplate.podSecurityContext.fsGroupChangePolicystring
gloo.gatewayProxies.NAME.podTemplate.podSecurityContext.seccompProfile.typestring
gloo.gatewayProxies.NAME.podTemplate.podSecurityContext.seccompProfile.localhostProfilestring
gloo.gatewayProxies.NAME.podTemplate.podSecurityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you cannot override a ‘true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
gloo.gatewayProxies.NAME.podTemplate.image.tagstringThe image tag for the container.
gloo.gatewayProxies.NAME.podTemplate.image.repositorystringThe image repository (name) for the container.
gloo.gatewayProxies.NAME.podTemplate.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
gloo.gatewayProxies.NAME.podTemplate.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
gloo.gatewayProxies.NAME.podTemplate.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
gloo.gatewayProxies.NAME.podTemplate.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
gloo.gatewayProxies.NAME.podTemplate.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
gloo.gatewayProxies.NAME.podTemplate.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
gloo.gatewayProxies.NAME.podTemplate.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
gloo.gatewayProxies.NAME.podTemplate.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
gloo.gatewayProxies.NAME.podTemplate.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
gloo.gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.capabilities.add[]string
gloo.gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.capabilities.drop[]string
gloo.gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.privilegedbool
gloo.gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.seLinuxOptions.userstring
gloo.gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.seLinuxOptions.rolestring
gloo.gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.seLinuxOptions.typestring
gloo.gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.seLinuxOptions.levelstring
gloo.gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.windowsOptions.gmsaCredentialSpecNamestring
gloo.gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.windowsOptions.gmsaCredentialSpecstring
gloo.gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.windowsOptions.runAsUserNamestring
gloo.gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.windowsOptions.hostProcessbool
gloo.gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.runAsUserint64
gloo.gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.runAsGroupint64
gloo.gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.runAsNonRootbool
gloo.gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.readOnlyRootFilesystembool
gloo.gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.allowPrivilegeEscalationbool
gloo.gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.procMountstring
gloo.gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.seccompProfile.typestring
gloo.gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.seccompProfile.localhostProfilestring
gloo.gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you cannot override a ‘true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
gloo.gatewayProxies.NAME.configMap.data.NAMEstring
gloo.gatewayProxies.NAME.configMap.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gloo.gatewayProxies.NAME.customStaticLayerinterfaceConfigure the static layer for global overrides to Envoy behavior, as defined in the Envoy bootstrap YAML. You cannot use this setting to set overload or upstream layers. For more info, see the Envoy docs. https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/runtime#config-runtime
gloo.gatewayProxies.NAME.globalDownstreamMaxConnectionsuint32the number of concurrent connections needed. limit used to protect against exhausting file descriptors on host machine
gloo.gatewayProxies.NAME.healthyPanicThresholdint8the percentage of healthy hosts required to load balance based on health status of hosts
gloo.gatewayProxies.NAME.service.typestringgateway service type. default is LoadBalancer
gloo.gatewayProxies.NAME.service.httpPortintHTTP port for the gateway service
gloo.gatewayProxies.NAME.service.httpsPortintHTTPS port for the gateway service
gloo.gatewayProxies.NAME.service.httpNodePortintHTTP nodeport for the gateway service if using type NodePort
gloo.gatewayProxies.NAME.service.httpsNodePortintHTTPS nodeport for the gateway service if using type NodePort
gloo.gatewayProxies.NAME.service.clusterIPstringstatic clusterIP (or None) when gatewayProxies[].gatewayProxy.service.type is ClusterIP
gloo.gatewayProxies.NAME.service.extraAnnotations.NAMEstring
gloo.gatewayProxies.NAME.service.externalTrafficPolicystring
gloo.gatewayProxies.NAME.service.namestringCustom name override for the service resource of the proxy
gloo.gatewayProxies.NAME.service.httpsFirstboolList HTTPS port before HTTP
gloo.gatewayProxies.NAME.service.loadBalancerIPstringIP address of the load balancer
gloo.gatewayProxies.NAME.service.loadBalancerSourceRanges[]stringList of IP CIDR ranges that are allowed to access the load balancer
gloo.gatewayProxies.NAME.service.customPorts[]interfaceList of custom ports to expose in the Envoy proxy. Each element follows conventional port syntax (port, targetPort, protocol, name)
gloo.gatewayProxies.NAME.service.externalIPs[]stringexternalIPs is a list of IP addresses for which nodes in the cluster will also accept traffic for this service
gloo.gatewayProxies.NAME.service.configDumpService.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gloo.gatewayProxies.NAME.service.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gloo.gatewayProxies.NAME.antiAffinityboolconfigure anti affinity such that pods are preferably not co-located
gloo.gatewayProxies.NAME.affinity.NAMEinterface
gloo.gatewayProxies.NAME.topologySpreadConstraints[]interfaceconfigure topologySpreadConstraints for gateway proxy pods
gloo.gatewayProxies.NAME.tracing.provider.NAMEinterface
gloo.gatewayProxies.NAME.tracing.cluster[].NAMEinterface
gloo.gatewayProxies.NAME.gatewaySettings.enabledboolenable/disable default gateways
gloo.gatewayProxies.NAME.gatewaySettings.disableGeneratedGatewaysboolset to true to disable the gateway generation for a gateway proxy
gloo.gatewayProxies.NAME.gatewaySettings.disableHttpGatewayboolSet to true to disable http gateway generation.
gloo.gatewayProxies.NAME.gatewaySettings.disableHttpsGatewayboolSet to true to disable https gateway generation.
gloo.gatewayProxies.NAME.gatewaySettings.ipv4Onlyboolset to true if your network allows ipv4 addresses only. Sets the Gateway spec’s bindAddress to 0.0.0.0 instead of ::
gloo.gatewayProxies.NAME.gatewaySettings.useProxyProtobooluse proxy protocol
gloo.gatewayProxies.NAME.gatewaySettings.httpHybridGateway.NAMEinterfacecustom yaml to use for hybrid gateway settings for the http gateway
gloo.gatewayProxies.NAME.gatewaySettings.httpsHybridGateway.NAMEinterfacecustom yaml to use for hybrid gateway settings for the https gateway
gloo.gatewayProxies.NAME.gatewaySettings.customHttpGateway.NAMEinterfacecustom yaml to use for http gateway settings
gloo.gatewayProxies.NAME.gatewaySettings.customHttpsGateway.NAMEinterfacecustom yaml to use for https gateway settings
gloo.gatewayProxies.NAME.gatewaySettings.accessLoggingService.NAMEinterfacecustom yaml to use for access logging service (https://docs.solo.io/gloo-edge/latest/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/als/als.proto.sk/)
gloo.gatewayProxies.NAME.gatewaySettings.options.NAMEinterfacecustom options for http(s) gateways (https://docs.solo.io/gloo-edge/latest/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options.proto.sk/#listeneroptions)
gloo.gatewayProxies.NAME.gatewaySettings.httpGatewayKubeOverride.NAMEinterface
gloo.gatewayProxies.NAME.gatewaySettings.httpsGatewayKubeOverride.NAMEinterface
gloo.gatewayProxies.NAME.gatewaySettings.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gloo.gatewayProxies.NAME.extraEnvoyArgs[]stringEnvoy container args (e.g. https://www.envoyproxy.io/docs/envoy/latest/operations/cli)
gloo.gatewayProxies.NAME.extraContainersHelperstring
gloo.gatewayProxies.NAME.extraInitContainersHelperstring
gloo.gatewayProxies.NAME.extraVolumes[].NAMEinterface
gloo.gatewayProxies.NAME.extraVolumeHelperstring
gloo.gatewayProxies.NAME.extraListenersHelperstring
gloo.gatewayProxies.NAME.stats.enabledboolControls whether or not Envoy stats are enabled
gloo.gatewayProxies.NAME.stats.routePrefixRewritestringThe Envoy stats endpoint to which the metrics are written
gloo.gatewayProxies.NAME.stats.setDatadogAnnotationsboolSets the default datadog annotations
gloo.gatewayProxies.NAME.stats.enableStatsRouteboolEnables an additional route to the stats cluster defaulting to /stats
gloo.gatewayProxies.NAME.stats.statsPrefixRewritestringThe Envoy stats endpoint with general metrics for the additional stats route
gloo.gatewayProxies.NAME.stats.serviceMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Service Monitor. Requires that ’enabled’ is also true
gloo.gatewayProxies.NAME.stats.podMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Pod Monitor. Requires that ’enabled’ is also true
gloo.gatewayProxies.NAME.readConfigboolexpose a read-only subset of the Envoy admin api
gloo.gatewayProxies.NAME.readConfigMulticlusterboolexpose a read-only subset of the Envoy admin api to gloo-fed
gloo.gatewayProxies.NAME.extraProxyVolumeMounts[].NAMEinterface
gloo.gatewayProxies.NAME.extraProxyVolumeMountHelperstringname of custom made named template allowing for extra volume mounts on the proxy container
gloo.gatewayProxies.NAME.loopBackAddressstringName on which to bind the loop-back interface for this instance of Envoy. Defaults to 127.0.0.1, but other common values may be localhost or ::1
gloo.gatewayProxies.NAME.failover.enabledbool(Enterprise Only): Configure this proxy for failover
gloo.gatewayProxies.NAME.failover.portuint(Enterprise Only): Port to use for failover Gateway Bind port, and service. Default is 15443
gloo.gatewayProxies.NAME.failover.nodePortuint(Enterprise Only): Optional NodePort for failover Service
gloo.gatewayProxies.NAME.failover.secretNamestring(Enterprise Only): Secret containing downstream Ssl Secrets Default is failover-downstream
gloo.gatewayProxies.NAME.failover.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gloo.gatewayProxies.NAME.disabledboolSkips creation of this gateway proxy. Used to turn off gateway proxies created by preceding configurations
gloo.gatewayProxies.NAME.envoyApiVersionstringVersion of the Envoy API to use for the xDS transport and resources. Default is V3
gloo.gatewayProxies.NAME.envoyBootstrapExtensions[].NAMEinterfaceList of bootstrap extensions to add to Envoy bootstrap config. Examples include Wasm Service (https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/wasm/v3/wasm.proto#extensions-wasm-v3-wasmservice).
gloo.gatewayProxies.NAME.envoyOverloadManager.NAMEinterfaceOverload Manager definition for Envoy bootstrap config. If enabled, a list of Resource Monitors MUST be defined in order to produce a valid Envoy config (https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/overload/v3/overload.proto#overload-manager).
gloo.gatewayProxies.NAME.envoyStaticClusters[].NAMEinterfaceList of extra static clusters to be added to Envoy bootstrap config. https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-msg-config-cluster-v3-cluster
| gloo.gatewayProxies.NAME.horizontalPodAutoscaler.apiVersion | string | | accepts autoscaling/v1, autoscaling/v2beta2 or autoscaling/v2. Note: autoscaling/v2beta2 is deprecated as of Kubernetes 1.26. |
| gloo.gatewayProxies.NAME.horizontalPodAutoscaler.minReplicas | int32 | | minReplicas is the lower limit for the number of replicas to which the autoscaler can scale down. |
| gloo.gatewayProxies.NAME.horizontalPodAutoscaler.maxReplicas | int32 | | maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up. It cannot be less than minReplicas. |
| gloo.gatewayProxies.NAME.horizontalPodAutoscaler.targetCPUUtilizationPercentage | int32 | | target average CPU utilization (represented as a percentage of requested CPU) over all the pods. Used only with apiVersion autoscaling/v1 |
| gloo.gatewayProxies.NAME.horizontalPodAutoscaler.metrics[].NAME | interface | | metrics contains the specifications for which to use to calculate the desired replica count (the maximum replica count across all metrics will be used). Used only with apiVersion autoscaling/v2beta2 |
| gloo.gatewayProxies.NAME.horizontalPodAutoscaler.behavior.NAME | interface | | behavior configures the scaling behavior of the target in both Up and Down directions (scaleUp and scaleDown fields respectively). Used only with apiVersion autoscaling/v2beta2 |
| gloo.gatewayProxies.NAME.horizontalPodAutoscaler.kubeResourceOverride.NAME | interface | | override fields in the generated resource by specifying the yaml structure to override under the top-level key. |
| gloo.gatewayProxies.NAME.podDisruptionBudget.minAvailable | string | | Corresponds directly with the minAvailable field in the PodDisruptionBudgetSpec. This value is mutually exclusive with maxUnavailable. |
| gloo.gatewayProxies.NAME.podDisruptionBudget.maxUnavailable | string | | Corresponds directly with the maxUnavailable field in the PodDisruptionBudgetSpec. This value is mutually exclusive with minAvailable. |
| gloo.gatewayProxies.NAME.podDisruptionBudget.kubeResourceOverride.NAME | interface | | override fields in the generated resource by specifying the yaml structure to override under the top-level key. |
| gloo.gatewayProxies.NAME.istioMetaMeshId | string | | ISTIO_META_MESH_ID Environment Variable. Defaults to “cluster.local” |
| gloo.gatewayProxies.NAME.istioMetaClusterId | string | | ISTIO_META_CLUSTER_ID Environment Variable. Defaults to “Kubernetes” |
| gloo.gatewayProxies.NAME.istioDiscoveryAddress | string | | discoveryAddress field of the PROXY_CONFIG environment variable. Defaults to “istiod.istio-system.svc:15012” |
| gloo.gatewayProxies.NAME.istioSpiffeCertProviderAddress | string | | Address of the spiffe certificate provider. Defaults to istioDiscoveryAddress |
| gloo.gatewayProxies.NAME.envoyLogLevel | string | | Level at which the pod should log. Options include “trace”, “info”, “debug”, “warn”, “error”, “critical” and “off”. Default level is info |
| gloo.gatewayProxies.NAME.envoyStatsConfig.NAME | interface | | Envoy statistics configuration, such as tagging. For more info, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/metrics/v3/stats.proto#config-metrics-v3-statsconfig |
| gloo.gatewayProxies.NAME.xdsServiceAddress | string | | The k8s service name for the xds server. Defaults to gloo. |
| gloo.gatewayProxies.NAME.xdsServicePort | uint32 | | The k8s service port for the xds server. Defaults to the value from .Values.gloo.deployment.xdsPort, but can be overridden to use, for example, xds-relay. |
| gloo.gatewayProxies.NAME.tcpKeepaliveTimeSeconds | uint32 | | The amount of time in seconds for connections to be idle before sending keep-alive probes. Defaults to 60. See here: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#envoy-v3-api-msg-config-core-v3-tcpkeepalive |
| gloo.gatewayProxies.NAME.disableCoreDumps | bool | | If set to true, Envoy will not generate core dumps in the event of a crash. Defaults to false |
| gloo.gatewayProxies.NAME.disableExtauthSidecar | bool | | If set to true, this gateway proxy will not come up with an extauth sidecar container when global.extAuth.envoySidecar is enabled. This setting has no effect otherwise. Defaults to false |
| gloo.gatewayProxies.NAME.kubeResourceOverride.NAME | interface | | override fields in the generated resource by specifying the yaml structure to override under the top-level key. |
| gloo.gatewayProxies.gatewayProxy.kind.deployment.replicas | int | | number of instances to deploy |
| gloo.gatewayProxies.gatewayProxy.kind.deployment.customEnv[].name | string | | |
| gloo.gatewayProxies.gatewayProxy.kind.deployment.customEnv[].value | string | | |
| gloo.gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.fieldRef.apiVersion | string | | |
| gloo.gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.fieldRef.fieldPath | string | | |
| gloo.gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.resourceFieldRef.containerName | string | | |
| gloo.gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.resourceFieldRef.resource | string | | |
| gloo.gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.resourceFieldRef.divisor | int64 | | |
| gloo.gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.resourceFieldRef.divisor | int32 | | |
| gloo.gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.resourceFieldRef.divisor | bool | | |
| gloo.gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[] | uint | | |
| gloo.gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[] | int32 | | |
| gloo.gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[] | string | | |
| gloo.gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[] | string | | |
| gloo.gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.configMapKeyRef.name | string | | |
| gloo.gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.configMapKeyRef.key | string | | |
| gloo.gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.configMapKeyRef.optional | bool | | |
| gloo.gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.secretKeyRef.name | string | | |
| gloo.gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.secretKeyRef.key | string | | |
| gloo.gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.secretKeyRef.optional | bool | | |
| gloo.gatewayProxies.gatewayProxy.kind.deployment.restartPolicy | string | | restart policy to use when the pod exits |
| gloo.gatewayProxies.gatewayProxy.kind.deployment.priorityClassName | string | | name of a defined priority class |
| gloo.gatewayProxies.gatewayProxy.kind.deployment.nodeName | string | | name of node to run on |
| gloo.gatewayProxies.gatewayProxy.kind.deployment.nodeSelector.NAME | string | | label selector for nodes |
| gloo.gatewayProxies.gatewayProxy.kind.deployment.tolerations[].key | string | | |
| gloo.gatewayProxies.gatewayProxy.kind.deployment.tolerations[].operator | string | | |
| gloo.gatewayProxies.gatewayProxy.kind.deployment.tolerations[].value | string | | |
| gloo.gatewayProxies.gatewayProxy.kind.deployment.tolerations[].effect | string | | |
| gloo.gatewayProxies.gatewayProxy.kind.deployment.tolerations[].tolerationSeconds | int64 | | |
| gloo.gatewayProxies.gatewayProxy.kind.deployment.affinity.NAME | interface | | |
| gloo.gatewayProxies.gatewayProxy.kind.deployment.hostAliases[] | interface | | |
| gloo.gatewayProxies.gatewayProxy.kind.deployment.initContainers[] | interface | | InitContainers to be added to the array of initContainers on the deployment. |
| gloo.gatewayProxies.gatewayProxy.kind.deployment.kubeResourceOverride.NAME | interface | | override fields in the generated resource by specifying the yaml structure to override under the top-level key. |
| gloo.gatewayProxies.gatewayProxy.kind.daemonSet.hostPort | bool | | whether or not to enable host networking on the pod. Only relevant when running as a DaemonSet |
| gloo.gatewayProxies.gatewayProxy.kind.daemonSet.hostNetwork | bool | | |
| gloo.gatewayProxies.gatewayProxy.namespace | string | | Namespace in which to deploy this gateway proxy. Defaults to the value of Settings.WriteNamespace |
| gloo.gatewayProxies.gatewayProxy.podTemplate.httpPort | int | | HTTP port for the gateway service target port. |
| gloo.gatewayProxies.gatewayProxy.podTemplate.httpsPort | int | | HTTPS port for the gateway service target port. |
| gloo.gatewayProxies.gatewayProxy.podTemplate.extraPorts[] | interface | | extra ports for the gateway pod. |
| gloo.gatewayProxies.gatewayProxy.podTemplate.extraAnnotations.NAME | string | | extra annotations to add to the pod. |
| gloo.gatewayProxies.gatewayProxy.podTemplate.nodeName | string | | name of node to run on. |
| gloo.gatewayProxies.gatewayProxy.podTemplate.nodeSelector.NAME | string | | label selector for nodes. |
| gloo.gatewayProxies.gatewayProxy.podTemplate.tolerations[].key | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.tolerations[].operator | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.tolerations[].value | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.tolerations[].effect | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.tolerations[].tolerationSeconds | int64 | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.probes | bool | | Set to true to enable a readiness probe (default is false). Then, you can also enable a liveness probe. |
| gloo.gatewayProxies.gatewayProxy.podTemplate.livenessProbeEnabled | bool | | Set to true to enable a liveness probe (default is false). |
| gloo.gatewayProxies.gatewayProxy.podTemplate.resources.limits.memory | string | | amount of memory |
| gloo.gatewayProxies.gatewayProxy.podTemplate.resources.limits.cpu | string | | amount of CPUs |
| gloo.gatewayProxies.gatewayProxy.podTemplate.resources.requests.memory | string | | amount of memory |
| gloo.gatewayProxies.gatewayProxy.podTemplate.resources.requests.cpu | string | | amount of CPUs |
| gloo.gatewayProxies.gatewayProxy.podTemplate.disableNetBind | bool | | don’t add the NET_BIND_SERVICE capability to the pod. This means that the gateway proxy will not be able to bind to ports below 1024. If podSecurityContext is defined, this value is not applied. |
| gloo.gatewayProxies.gatewayProxy.podTemplate.runUnprivileged | bool | | run Envoy as an unprivileged user. If a SecurityContext is defined for the pod or container, this value is not applied for the pod/container. |
| gloo.gatewayProxies.gatewayProxy.podTemplate.floatingUserId | bool | | If true, allows the cluster to dynamically assign a user ID for the processes running in the container. If podSecurityContext is defined, this value is not applied. |
| gloo.gatewayProxies.gatewayProxy.podTemplate.runAsUser | float64 | | Explicitly set the user ID for the processes in the container to run as. Default is 10101. If a SecurityContext is defined for the pod or container, this value is not applied for the pod/container. |
| gloo.gatewayProxies.gatewayProxy.podTemplate.fsGroup | float64 | | Explicitly set the group ID for volume ownership. Default is 10101. If podSecurityContext is defined, this value is not applied. |
| gloo.gatewayProxies.gatewayProxy.podTemplate.gracefulShutdown.enabled | bool | | Enable grace period before shutdown to finish current requests while Envoy health checks fail, e.g. to notify external load balancers. NOTE: This will not have any effect if you have not defined health checks via the health check filter |
| gloo.gatewayProxies.gatewayProxy.podTemplate.gracefulShutdown.sleepTimeSeconds | int | | Time (in seconds) for the preStop hook to wait before allowing Envoy to terminate |
| gloo.gatewayProxies.gatewayProxy.podTemplate.terminationGracePeriodSeconds | int | | Time in seconds to wait for the pod to terminate gracefully. See kubernetes docs for more info. |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.exec.command[] | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.httpGet.path | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.httpGet.port | int64 | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.httpGet.port | int32 | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.httpGet.port | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.httpGet.host | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.httpGet.scheme | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.httpGet.httpHeaders[].name | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.httpGet.httpHeaders[].value | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.tcpSocket.port | int64 | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.tcpSocket.port | int32 | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.tcpSocket.port | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.tcpSocket.host | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.grpc.port | int32 | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.grpc.service | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.initialDelaySeconds | int32 | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.timeoutSeconds | int32 | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.periodSeconds | int32 | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.successThreshold | int32 | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.failureThreshold | int32 | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.terminationGracePeriodSeconds | int64 | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.exec.command[] | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.httpGet.path | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.httpGet.port | int64 | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.httpGet.port | int32 | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.httpGet.port | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.httpGet.host | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.httpGet.scheme | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.httpGet.httpHeaders[].name | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.httpGet.httpHeaders[].value | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.tcpSocket.port | int64 | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.tcpSocket.port | int32 | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.tcpSocket.port | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.tcpSocket.host | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.grpc.port | int32 | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.grpc.service | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.initialDelaySeconds | int32 | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.timeoutSeconds | int32 | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.periodSeconds | int32 | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.successThreshold | int32 | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.failureThreshold | int32 | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.terminationGracePeriodSeconds | int64 | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.extraGatewayProxyLabels.NAME | string | | Optional extra key-value pairs to add to the spec.template.metadata.labels data of the gloo edge gateway-proxy deployment. |
| gloo.gatewayProxies.gatewayProxy.podTemplate.extraContainers[] | interface | | Extra containers to be added to the array of containers on the gateway proxy deployment. |
| gloo.gatewayProxies.gatewayProxy.podTemplate.extraInitContainers[] | interface | | Extra initContainers to be added to the array of initContainers on the gateway proxy deployment. |
| gloo.gatewayProxies.gatewayProxy.podTemplate.enablePodSecurityContext | bool | | Whether or not to render the pod security context. Default is true. |
| gloo.gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.seLinuxOptions.user | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.seLinuxOptions.role | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.seLinuxOptions.type | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.seLinuxOptions.level | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.windowsOptions.gmsaCredentialSpecName | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.windowsOptions.gmsaCredentialSpec | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.windowsOptions.runAsUserName | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.windowsOptions.hostProcess | bool | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.runAsUser | int64 | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.runAsGroup | int64 | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.runAsNonRoot | bool | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.supplementalGroups[] | int64 | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.fsGroup | int64 | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.sysctls[].name | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.sysctls[].value | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.fsGroupChangePolicy | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.seccompProfile.type | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.seccompProfile.localhostProfile | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.mergePolicy | string | | How to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you cannot override a ‘true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”. |
| gloo.gatewayProxies.gatewayProxy.podTemplate.image.tag | string | Version number, ex. 1.8.0 | The image tag for the container. |
| gloo.gatewayProxies.gatewayProxy.podTemplate.image.repository | string | gloo-ee-envoy-wrapper | The image repository (name) for the container. |
| gloo.gatewayProxies.gatewayProxy.podTemplate.image.digest | string | | The container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard. |
| gloo.gatewayProxies.gatewayProxy.podTemplate.image.fipsDigest | string | | The container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant. |
| gloo.gatewayProxies.gatewayProxy.podTemplate.image.distrolessDigest | string | | The container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant. |
| gloo.gatewayProxies.gatewayProxy.podTemplate.image.fipsDistrolessDigest | string | | The container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest. |
| gloo.gatewayProxies.gatewayProxy.podTemplate.image.registry | string | | The image hostname prefix and registry, such as quay.io/solo-io. |
| gloo.gatewayProxies.gatewayProxy.podTemplate.image.pullPolicy | string | IfNotPresent | The image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting |
| gloo.gatewayProxies.gatewayProxy.podTemplate.image.pullSecret | string | | The image pull secret to use for the container, in the same namespace as the container pod. |
| gloo.gatewayProxies.gatewayProxy.podTemplate.image.variant | string | | Specifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature) |
| gloo.gatewayProxies.gatewayProxy.podTemplate.image.fips | bool | | [Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature) |
| gloo.gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.capabilities.add[] | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.capabilities.drop[] | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.privileged | bool | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.seLinuxOptions.user | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.seLinuxOptions.role | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.seLinuxOptions.type | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.seLinuxOptions.level | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.windowsOptions.gmsaCredentialSpecName | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.windowsOptions.gmsaCredentialSpec | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.windowsOptions.runAsUserName | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.windowsOptions.hostProcess | bool | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.runAsUser | int64 | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.runAsGroup | int64 | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.runAsNonRoot | bool | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.readOnlyRootFilesystem | bool | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.allowPrivilegeEscalation | bool | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.procMount | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.seccompProfile.type | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.seccompProfile.localhostProfile | string | | |
| gloo.gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.mergePolicy | string | | How to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you cannot override a ‘true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”. |
| gloo.gatewayProxies.gatewayProxy.configMap.data.NAME | string | | |
| gloo.gatewayProxies.gatewayProxy.configMap.kubeResourceOverride.NAME | interface | | override fields in the generated resource by specifying the yaml structure to override under the top-level key. |
| gloo.gatewayProxies.gatewayProxy.customStaticLayer | interface | | Configure the static layer for global overrides to Envoy behavior, as defined in the Envoy bootstrap YAML. You cannot use this setting to set overload or upstream layers. For more info, see the Envoy docs. https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/runtime#config-runtime |
| gloo.gatewayProxies.gatewayProxy.globalDownstreamMaxConnections | uint32 | | the number of concurrent connections needed. limit used to protect against exhausting file descriptors on host machine |
| gloo.gatewayProxies.gatewayProxy.healthyPanicThreshold | int8 | | the percentage of healthy hosts required to load balance based on health status of hosts |
| gloo.gatewayProxies.gatewayProxy.service.type | string | | gateway service type. default is LoadBalancer |
| gloo.gatewayProxies.gatewayProxy.service.httpPort | int | | HTTP port for the gateway service |
| gloo.gatewayProxies.gatewayProxy.service.httpsPort | int | | HTTPS port for the gateway service |
| gloo.gatewayProxies.gatewayProxy.service.httpNodePort | int | | HTTP nodeport for the gateway service if using type NodePort |
| gloo.gatewayProxies.gatewayProxy.service.httpsNodePort | int | | HTTPS nodeport for the gateway service if using type NodePort |
| gloo.gatewayProxies.gatewayProxy.service.clusterIP | string | | static clusterIP (or None) when gatewayProxies[].gatewayProxy.service.type is ClusterIP |
| gloo.gatewayProxies.gatewayProxy.service.extraAnnotations.NAME | string | | |
| gloo.gatewayProxies.gatewayProxy.service.extraAnnotations.prometheus.io/path | string | /metrics | |
| gloo.gatewayProxies.gatewayProxy.service.extraAnnotations.prometheus.io/port | string | 8081 | |
| gloo.gatewayProxies.gatewayProxy.service.extraAnnotations.prometheus.io/scrape | string | true | |
| gloo.gatewayProxies.gatewayProxy.service.externalTrafficPolicy | string | | |
| gloo.gatewayProxies.gatewayProxy.service.name | string | | Custom name override for the service resource of the proxy |
| gloo.gatewayProxies.gatewayProxy.service.httpsFirst | bool | | List HTTPS port before HTTP |
| gloo.gatewayProxies.gatewayProxy.service.loadBalancerIP | string | | IP address of the load balancer |
| gloo.gatewayProxies.gatewayProxy.service.loadBalancerSourceRanges[] | string | | List of IP CIDR ranges that are allowed to access the load balancer |
| gloo.gatewayProxies.gatewayProxy.service.customPorts[] | interface | | List of custom ports to expose in the Envoy proxy. Each element follows conventional port syntax (port, targetPort, protocol, name) |
| gloo.gatewayProxies.gatewayProxy.service.externalIPs[] | string | | externalIPs is a list of IP addresses for which nodes in the cluster will also accept traffic for this service |
| gloo.gatewayProxies.gatewayProxy.service.configDumpService.kubeResourceOverride.NAME | interface | | override fields in the generated resource by specifying the yaml structure to override under the top-level key. |
| gloo.gatewayProxies.gatewayProxy.service.kubeResourceOverride.NAME | interface | | override fields in the generated resource by specifying the yaml structure to override under the top-level key. |
| gloo.gatewayProxies.gatewayProxy.antiAffinity | bool | | configure anti affinity such that pods are preferably not co-located |
| gloo.gatewayProxies.gatewayProxy.affinity.NAME | interface | | |
| gloo.gatewayProxies.gatewayProxy.topologySpreadConstraints[] | interface | | configure topologySpreadConstraints for gateway proxy pods |
| gloo.gatewayProxies.gatewayProxy.tracing.provider.NAME | interface | | |
| gloo.gatewayProxies.gatewayProxy.tracing.cluster[].NAME | interface | | |
| gloo.gatewayProxies.gatewayProxy.gatewaySettings.enabled | bool | | enable/disable default gateways |
| gloo.gatewayProxies.gatewayProxy.gatewaySettings.disableGeneratedGateways | bool | | set to true to disable the gateway generation for a gateway proxy |
| gloo.gatewayProxies.gatewayProxy.gatewaySettings.disableHttpGateway | bool | | Set to true to disable http gateway generation. |
| gloo.gatewayProxies.gatewayProxy.gatewaySettings.disableHttpsGateway | bool | | Set to true to disable https gateway generation. |
| gloo.gatewayProxies.gatewayProxy.gatewaySettings.ipv4Only | bool | | set to true if your network allows ipv4 addresses only. Sets the Gateway spec’s bindAddress to 0.0.0.0 instead of :: |
| gloo.gatewayProxies.gatewayProxy.gatewaySettings.useProxyProto | bool | | use proxy protocol |
| gloo.gatewayProxies.gatewayProxy.gatewaySettings.httpHybridGateway.NAME | interface | | custom yaml to use for hybrid gateway settings for the http gateway |
| gloo.gatewayProxies.gatewayProxy.gatewaySettings.httpsHybridGateway.NAME | interface | | custom yaml to use for hybrid gateway settings for the https gateway |
| gloo.gatewayProxies.gatewayProxy.gatewaySettings.customHttpGateway.NAME | interface | | custom yaml to use for http gateway settings |
| gloo.gatewayProxies.gatewayProxy.gatewaySettings.customHttpsGateway.NAME | interface | | custom yaml to use for https gateway settings |
| gloo.gatewayProxies.gatewayProxy.gatewaySettings.accessLoggingService.NAME | interface | | custom yaml to use for access logging service (https://docs.solo.io/gloo-edge/latest/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/als/als.proto.sk/) |
| gloo.gatewayProxies.gatewayProxy.gatewaySettings.options.NAME | interface | | custom options for http(s) gateways (https://docs.solo.io/gloo-edge/latest/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options.proto.sk/#listeneroptions) |
| gloo.gatewayProxies.gatewayProxy.gatewaySettings.httpGatewayKubeOverride.NAME | interface | | |
| gloo.gatewayProxies.gatewayProxy.gatewaySettings.httpsGatewayKubeOverride.NAME | interface | | |
| gloo.gatewayProxies.gatewayProxy.gatewaySettings.kubeResourceOverride.NAME | interface | | override fields in the generated resource by specifying the yaml structure to override under the top-level key. |
gloo.gatewayProxies.gatewayProxy.extraEnvoyArgs[]stringEnvoy container args, (e.g. https://www.envoyproxy.io/docs/envoy/latest/operations/cli)
gloo.gatewayProxies.gatewayProxy.extraContainersHelperstring
gloo.gatewayProxies.gatewayProxy.extraInitContainersHelperstring
gloo.gatewayProxies.gatewayProxy.extraVolumes[].NAMEinterface
gloo.gatewayProxies.gatewayProxy.extraVolumeHelperstring
gloo.gatewayProxies.gatewayProxy.extraListenersHelperstring
gloo.gatewayProxies.gatewayProxy.stats.enabledboolControls whether or not Envoy stats are enabled
gloo.gatewayProxies.gatewayProxy.stats.routePrefixRewritestringThe Envoy stats endpoint to which the metrics are written
gloo.gatewayProxies.gatewayProxy.stats.setDatadogAnnotationsboolSets the default datadog annotations
gloo.gatewayProxies.gatewayProxy.stats.enableStatsRouteboolEnables an additional route to the stats cluster defaulting to /stats
gloo.gatewayProxies.gatewayProxy.stats.statsPrefixRewritestringThe Envoy stats endpoint with general metrics for the additional stats route
gloo.gatewayProxies.gatewayProxy.stats.serviceMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Service Monitor. Requires that ‘enabled’ is also true
gloo.gatewayProxies.gatewayProxy.stats.podMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Pod Monitor. Requires that ‘enabled’ is also true
gloo.gatewayProxies.gatewayProxy.readConfigboolexpose a read-only subset of the Envoy admin api
gloo.gatewayProxies.gatewayProxy.readConfigMulticlusterboolexpose a read-only subset of the Envoy admin api to gloo-fed
gloo.gatewayProxies.gatewayProxy.extraProxyVolumeMounts[].NAMEinterface
gloo.gatewayProxies.gatewayProxy.extraProxyVolumeMountHelperstringname of custom made named template allowing for extra volume mounts on the proxy container
gloo.gatewayProxies.gatewayProxy.loopBackAddressstringName on which to bind the loop-back interface for this instance of Envoy. Defaults to 127.0.0.1, but other common values may be localhost or ::1
gloo.gatewayProxies.gatewayProxy.failover.enabledbool(Enterprise Only): Configure this proxy for failover
gloo.gatewayProxies.gatewayProxy.failover.portuint(Enterprise Only): Port to use for failover Gateway Bind port, and service. Default is 15443
gloo.gatewayProxies.gatewayProxy.failover.nodePortuint(Enterprise Only): Optional NodePort for failover Service
gloo.gatewayProxies.gatewayProxy.failover.secretNamestring(Enterprise Only): Secret containing downstream Ssl Secrets. Default is failover-downstream
gloo.gatewayProxies.gatewayProxy.failover.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gloo.gatewayProxies.gatewayProxy.disabledboolSkips creation of this gateway proxy. Used to turn off gateway proxies created by preceding configurations
gloo.gatewayProxies.gatewayProxy.envoyApiVersionstringVersion of the Envoy API to use for the xDS transport and resources. Default is V3
gloo.gatewayProxies.gatewayProxy.envoyBootstrapExtensions[].NAMEinterfaceList of bootstrap extensions to add to Envoy bootstrap config. Examples include Wasm Service (https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/wasm/v3/wasm.proto#extensions-wasm-v3-wasmservice).
gloo.gatewayProxies.gatewayProxy.envoyOverloadManager.NAMEinterfaceOverload Manager definition for Envoy bootstrap config. If enabled, a list of Resource Monitors MUST be defined in order to produce a valid Envoy config (https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/overload/v3/overload.proto#overload-manager).
gloo.gatewayProxies.gatewayProxy.envoyStaticClusters[].NAMEinterfaceList of extra static clusters to be added to Envoy bootstrap config. https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-msg-config-cluster-v3-cluster
gloo.gatewayProxies.gatewayProxy.horizontalPodAutoscaler.apiVersionstringaccepts autoscaling/v1, autoscaling/v2beta2 or autoscaling/v2. Note: autoscaling/v2beta2 is deprecated as of Kubernetes 1.26.
gloo.gatewayProxies.gatewayProxy.horizontalPodAutoscaler.minReplicasint32minReplicas is the lower limit for the number of replicas to which the autoscaler can scale down.
gloo.gatewayProxies.gatewayProxy.horizontalPodAutoscaler.maxReplicasint32maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up. It cannot be less than minReplicas.
gloo.gatewayProxies.gatewayProxy.horizontalPodAutoscaler.targetCPUUtilizationPercentageint32target average CPU utilization (represented as a percentage of requested CPU) over all the pods. Used only with apiVersion autoscaling/v1
gloo.gatewayProxies.gatewayProxy.horizontalPodAutoscaler.metrics[].NAMEinterfacemetrics contains the specifications for which to use to calculate the desired replica count (the maximum replica count across all metrics will be used). Used only with apiVersion autoscaling/v2beta2
gloo.gatewayProxies.gatewayProxy.horizontalPodAutoscaler.behavior.NAMEinterfacebehavior configures the scaling behavior of the target in both Up and Down directions (scaleUp and scaleDown fields respectively). Used only with apiVersion autoscaling/v2beta2
gloo.gatewayProxies.gatewayProxy.horizontalPodAutoscaler.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gloo.gatewayProxies.gatewayProxy.podDisruptionBudget.minAvailablestringCorresponds directly with the minAvailable field in the PodDisruptionBudgetSpec. This value is mutually exclusive with maxUnavailable.
gloo.gatewayProxies.gatewayProxy.podDisruptionBudget.maxUnavailablestringCorresponds directly with the maxUnavailable field in the PodDisruptionBudgetSpec. This value is mutually exclusive with minAvailable.
gloo.gatewayProxies.gatewayProxy.podDisruptionBudget.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gloo.gatewayProxies.gatewayProxy.istioMetaMeshIdstringISTIO_META_MESH_ID Environment Variable. Defaults to “cluster.local”
gloo.gatewayProxies.gatewayProxy.istioMetaClusterIdstringISTIO_META_CLUSTER_ID Environment Variable. Defaults to “Kubernetes”
gloo.gatewayProxies.gatewayProxy.istioDiscoveryAddressstringdiscoveryAddress field of the PROXY_CONFIG environment variable. Defaults to “istiod.istio-system.svc:15012”
gloo.gatewayProxies.gatewayProxy.istioSpiffeCertProviderAddressstringAddress of the spiffe certificate provider. Defaults to istioDiscoveryAddress
gloo.gatewayProxies.gatewayProxy.envoyLogLevelstringLevel at which the pod should log. Options include “trace”, “info”, “debug”, “warn”, “error”, “critical” and “off”. Default level is info
gloo.gatewayProxies.gatewayProxy.envoyStatsConfig.NAMEinterfaceEnvoy statistics configuration, such as tagging. For more info, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/metrics/v3/stats.proto#config-metrics-v3-statsconfig
gloo.gatewayProxies.gatewayProxy.xdsServiceAddressstringThe k8s service name for the xds server. Defaults to gloo.
gloo.gatewayProxies.gatewayProxy.xdsServicePortuint32The k8s service port for the xds server. Defaults to the value from .Values.gloo.deployment.xdsPort, but can be overridden to use, for example, xds-relay.
gloo.gatewayProxies.gatewayProxy.tcpKeepaliveTimeSecondsuint32The amount of time in seconds for connections to be idle before sending keep-alive probes. Defaults to 60. See here: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#envoy-v3-api-msg-config-core-v3-tcpkeepalive
gloo.gatewayProxies.gatewayProxy.disableCoreDumpsboolIf set to true, Envoy will not generate core dumps in the event of a crash. Defaults to false
gloo.gatewayProxies.gatewayProxy.disableExtauthSidecarboolIf set to true, this gateway proxy will not come up with an extauth sidecar container when global.extAuth.envoySidecar is enabled. This setting has no effect otherwise. Defaults to false
gloo.gatewayProxies.gatewayProxy.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gloo.ingress.enabledbool
gloo.ingress.deployment.image.tagstringThe image tag for the container.
gloo.ingress.deployment.image.repositorystringThe image repository (name) for the container.
gloo.ingress.deployment.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
gloo.ingress.deployment.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
gloo.ingress.deployment.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
gloo.ingress.deployment.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
gloo.ingress.deployment.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
gloo.ingress.deployment.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
gloo.ingress.deployment.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
gloo.ingress.deployment.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
gloo.ingress.deployment.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
gloo.ingress.deployment.runAsUserfloat64Explicitly set the user ID for the processes in the container to run as. Default is 10101.
gloo.ingress.deployment.floatingUserIdboolIf true, allows the cluster to dynamically assign a user ID for the processes running in the container.
gloo.ingress.deployment.extraIngressLabels.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.labels data of the ingress deployment.
gloo.ingress.deployment.extraIngressAnnotations.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.annotations data of the ingress deployment.
gloo.ingress.deployment.statsboolControls whether or not Envoy stats are enabled
gloo.ingress.deployment.ingressContainerSecurityContext.capabilities.add[]string
gloo.ingress.deployment.ingressContainerSecurityContext.capabilities.drop[]string
gloo.ingress.deployment.ingressContainerSecurityContext.privilegedbool
gloo.ingress.deployment.ingressContainerSecurityContext.seLinuxOptions.userstring
gloo.ingress.deployment.ingressContainerSecurityContext.seLinuxOptions.rolestring
gloo.ingress.deployment.ingressContainerSecurityContext.seLinuxOptions.typestring
gloo.ingress.deployment.ingressContainerSecurityContext.seLinuxOptions.levelstring
gloo.ingress.deployment.ingressContainerSecurityContext.windowsOptions.gmsaCredentialSpecNamestring
gloo.ingress.deployment.ingressContainerSecurityContext.windowsOptions.gmsaCredentialSpecstring
gloo.ingress.deployment.ingressContainerSecurityContext.windowsOptions.runAsUserNamestring
gloo.ingress.deployment.ingressContainerSecurityContext.windowsOptions.hostProcessbool
gloo.ingress.deployment.ingressContainerSecurityContext.runAsUserint64
gloo.ingress.deployment.ingressContainerSecurityContext.runAsGroupint64
gloo.ingress.deployment.ingressContainerSecurityContext.runAsNonRootbool
gloo.ingress.deployment.ingressContainerSecurityContext.readOnlyRootFilesystembool
gloo.ingress.deployment.ingressContainerSecurityContext.allowPrivilegeEscalationbool
gloo.ingress.deployment.ingressContainerSecurityContext.procMountstring
gloo.ingress.deployment.ingressContainerSecurityContext.seccompProfile.typestring
gloo.ingress.deployment.ingressContainerSecurityContext.seccompProfile.localhostProfilestring
gloo.ingress.deployment.ingressContainerSecurityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you cannot override a ‘true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
gloo.ingress.deployment.replicasintnumber of instances to deploy
gloo.ingress.deployment.customEnv[].namestring
gloo.ingress.deployment.customEnv[].valuestring
gloo.ingress.deployment.customEnv[].valueFrom.fieldRef.apiVersionstring
gloo.ingress.deployment.customEnv[].valueFrom.fieldRef.fieldPathstring
gloo.ingress.deployment.customEnv[].valueFrom.resourceFieldRef.containerNamestring
gloo.ingress.deployment.customEnv[].valueFrom.resourceFieldRef.resourcestring
gloo.ingress.deployment.customEnv[].valueFrom.resourceFieldRef.divisorint64
gloo.ingress.deployment.customEnv[].valueFrom.resourceFieldRef.divisorint32
gloo.ingress.deployment.customEnv[].valueFrom.resourceFieldRef.divisorbool
gloo.ingress.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]uint
gloo.ingress.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]int32
gloo.ingress.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]string
gloo.ingress.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]string
gloo.ingress.deployment.customEnv[].valueFrom.configMapKeyRef.namestring
gloo.ingress.deployment.customEnv[].valueFrom.configMapKeyRef.keystring
gloo.ingress.deployment.customEnv[].valueFrom.configMapKeyRef.optionalbool
gloo.ingress.deployment.customEnv[].valueFrom.secretKeyRef.namestring
gloo.ingress.deployment.customEnv[].valueFrom.secretKeyRef.keystring
gloo.ingress.deployment.customEnv[].valueFrom.secretKeyRef.optionalbool
gloo.ingress.deployment.restartPolicystringrestart policy to use when the pod exits
gloo.ingress.deployment.priorityClassNamestringname of a defined priority class
gloo.ingress.deployment.nodeNamestringname of node to run on
gloo.ingress.deployment.nodeSelector.NAMEstringlabel selector for nodes
gloo.ingress.deployment.tolerations[].keystring
gloo.ingress.deployment.tolerations[].operatorstring
gloo.ingress.deployment.tolerations[].valuestring
gloo.ingress.deployment.tolerations[].effectstring
gloo.ingress.deployment.tolerations[].tolerationSecondsint64
gloo.ingress.deployment.affinity.NAMEinterface
gloo.ingress.deployment.hostAliases[]interface
gloo.ingress.deployment.initContainers[]interfaceInitContainers to be added to the array of initContainers on the deployment.
gloo.ingress.deployment.resources.limits.memorystringamount of memory
gloo.ingress.deployment.resources.limits.cpustringamount of CPUs
gloo.ingress.deployment.resources.requests.memorystringamount of memory
gloo.ingress.deployment.resources.requests.cpustringamount of CPUs
gloo.ingress.deployment.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gloo.ingress.requireIngressClassboolonly serve traffic for Ingress objects with the Ingress Class annotation ‘kubernetes.io/ingress.class’. By default the annotation value must be set to ‘gloo’, however this can be overridden via customIngressClass.
gloo.ingress.customIngressClassboolOnly relevant when requireIngressClass is set to true. Setting this value will cause the Gloo Edge Ingress Controller to process only those Ingress objects which have their ingress class set to this value (e.g. ‘kubernetes.io/ingress.class=SOMEVALUE’).
gloo.ingressProxy.deployment.image.tagstringVersion number, ex. 1.8.0The image tag for the container.
gloo.ingressProxy.deployment.image.repositorystringgloo-ee-envoy-wrapperThe image repository (name) for the container.
gloo.ingressProxy.deployment.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
gloo.ingressProxy.deployment.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
gloo.ingressProxy.deployment.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
gloo.ingressProxy.deployment.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
gloo.ingressProxy.deployment.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
gloo.ingressProxy.deployment.image.pullPolicystringIfNotPresentThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
gloo.ingressProxy.deployment.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
gloo.ingressProxy.deployment.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
gloo.ingressProxy.deployment.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
gloo.ingressProxy.deployment.httpPortintHTTP port for the ingress container
gloo.ingressProxy.deployment.httpsPortintHTTPS port for the ingress container
gloo.ingressProxy.deployment.extraPorts[]interface
gloo.ingressProxy.deployment.extraAnnotations.NAMEstring
gloo.ingressProxy.deployment.floatingUserIdboolIf true, allows the cluster to dynamically assign a user ID for the processes running in the container.
gloo.ingressProxy.deployment.runAsUserfloat64Explicitly set the user ID for the pod to run as. Default is 10101
gloo.ingressProxy.deployment.extraIngressProxyLabels.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.labels data of the ingress proxy deployment.
gloo.ingressProxy.deployment.statsboolControls whether or not Envoy stats are enabled
gloo.ingressProxy.deployment.ingressProxyContainerSecurityContext.capabilities.add[]string
gloo.ingressProxy.deployment.ingressProxyContainerSecurityContext.capabilities.drop[]string
gloo.ingressProxy.deployment.ingressProxyContainerSecurityContext.privilegedbool
gloo.ingressProxy.deployment.ingressProxyContainerSecurityContext.seLinuxOptions.userstring
gloo.ingressProxy.deployment.ingressProxyContainerSecurityContext.seLinuxOptions.rolestring
gloo.ingressProxy.deployment.ingressProxyContainerSecurityContext.seLinuxOptions.typestring
gloo.ingressProxy.deployment.ingressProxyContainerSecurityContext.seLinuxOptions.levelstring
gloo.ingressProxy.deployment.ingressProxyContainerSecurityContext.windowsOptions.gmsaCredentialSpecNamestring
gloo.ingressProxy.deployment.ingressProxyContainerSecurityContext.windowsOptions.gmsaCredentialSpecstring
gloo.ingressProxy.deployment.ingressProxyContainerSecurityContext.windowsOptions.runAsUserNamestring
gloo.ingressProxy.deployment.ingressProxyContainerSecurityContext.windowsOptions.hostProcessbool
gloo.ingressProxy.deployment.ingressProxyContainerSecurityContext.runAsUserint64
gloo.ingressProxy.deployment.ingressProxyContainerSecurityContext.runAsGroupint64
gloo.ingressProxy.deployment.ingressProxyContainerSecurityContext.runAsNonRootbool
gloo.ingressProxy.deployment.ingressProxyContainerSecurityContext.readOnlyRootFilesystembool
gloo.ingressProxy.deployment.ingressProxyContainerSecurityContext.allowPrivilegeEscalationbool
gloo.ingressProxy.deployment.ingressProxyContainerSecurityContext.procMountstring
gloo.ingressProxy.deployment.ingressProxyContainerSecurityContext.seccompProfile.typestring
gloo.ingressProxy.deployment.ingressProxyContainerSecurityContext.seccompProfile.localhostProfilestring
gloo.ingressProxy.deployment.ingressProxyContainerSecurityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you cannot override a ‘true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
gloo.ingressProxy.deployment.replicasintnumber of instances to deploy
gloo.ingressProxy.deployment.customEnv[].namestring
gloo.ingressProxy.deployment.customEnv[].valuestring
gloo.ingressProxy.deployment.customEnv[].valueFrom.fieldRef.apiVersionstring
gloo.ingressProxy.deployment.customEnv[].valueFrom.fieldRef.fieldPathstring
gloo.ingressProxy.deployment.customEnv[].valueFrom.resourceFieldRef.containerNamestring
gloo.ingressProxy.deployment.customEnv[].valueFrom.resourceFieldRef.resourcestring
gloo.ingressProxy.deployment.customEnv[].valueFrom.resourceFieldRef.divisorint64
gloo.ingressProxy.deployment.customEnv[].valueFrom.resourceFieldRef.divisorint32
gloo.ingressProxy.deployment.customEnv[].valueFrom.resourceFieldRef.divisorbool
gloo.ingressProxy.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]uint
gloo.ingressProxy.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]int32
gloo.ingressProxy.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]string
gloo.ingressProxy.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]string
gloo.ingressProxy.deployment.customEnv[].valueFrom.configMapKeyRef.namestring
gloo.ingressProxy.deployment.customEnv[].valueFrom.configMapKeyRef.keystring
gloo.ingressProxy.deployment.customEnv[].valueFrom.configMapKeyRef.optionalbool
gloo.ingressProxy.deployment.customEnv[].valueFrom.secretKeyRef.namestring
gloo.ingressProxy.deployment.customEnv[].valueFrom.secretKeyRef.keystring
gloo.ingressProxy.deployment.customEnv[].valueFrom.secretKeyRef.optionalbool
gloo.ingressProxy.deployment.restartPolicystringrestart policy to use when the pod exits
gloo.ingressProxy.deployment.priorityClassNamestringname of a defined priority class
gloo.ingressProxy.deployment.nodeNamestringname of node to run on
gloo.ingressProxy.deployment.nodeSelector.NAMEstringlabel selector for nodes
gloo.ingressProxy.deployment.tolerations[].keystring
gloo.ingressProxy.deployment.tolerations[].operatorstring
gloo.ingressProxy.deployment.tolerations[].valuestring
gloo.ingressProxy.deployment.tolerations[].effectstring
gloo.ingressProxy.deployment.tolerations[].tolerationSecondsint64
gloo.ingressProxy.deployment.affinity.NAMEinterface
gloo.ingressProxy.deployment.hostAliases[]interface
gloo.ingressProxy.deployment.initContainers[]interfaceInitContainers to be added to the array of initContainers on the deployment.
gloo.ingressProxy.deployment.resources.limits.memorystringamount of memory
gloo.ingressProxy.deployment.resources.limits.cpustringamount of CPUs
gloo.ingressProxy.deployment.resources.requests.memorystringamount of memory
gloo.ingressProxy.deployment.resources.requests.cpustringamount of CPUs
gloo.ingressProxy.deployment.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gloo.ingressProxy.configMap.data.NAMEstring
gloo.ingressProxy.configMap.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gloo.ingressProxy.tracingstring
gloo.ingressProxy.loopBackAddressstringName on which to bind the loop-back interface for this instance of Envoy. Defaults to 127.0.0.1, but other common values may be localhost or ::1
gloo.ingressProxy.labelstringValue for label gloo. Use a unique value to use several ingress proxy instances in the same cluster. Default is ingress-proxy
gloo.ingressProxy.service.typestringK8s service type
gloo.ingressProxy.service.extraAnnotations.NAMEstringextra annotations to add to the service
gloo.ingressProxy.service.loadBalancerIPstringIP address of the load balancer
gloo.ingressProxy.service.httpPortintHTTP port for the knative/ingress proxy service
gloo.ingressProxy.service.httpsPortintHTTPS port for the knative/ingress proxy service
gloo.ingressProxy.service.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gloo.k8s.clusterNamestringcluster name to use when referencing services.
gloo.accessLogger.image.tagstringThe image tag for the container.
gloo.accessLogger.image.repositorystringThe image repository (name) for the container.
gloo.accessLogger.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
gloo.accessLogger.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
gloo.accessLogger.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
gloo.accessLogger.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
gloo.accessLogger.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
gloo.accessLogger.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
gloo.accessLogger.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
gloo.accessLogger.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
gloo.accessLogger.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
gloo.accessLogger.portuint
gloo.accessLogger.serviceNamestring
gloo.accessLogger.enabledbool
gloo.accessLogger.stats.enabledboolControls whether or not Envoy stats are enabled
gloo.accessLogger.stats.routePrefixRewritestringThe Envoy stats endpoint to which the metrics are written
gloo.accessLogger.stats.setDatadogAnnotationsboolSets the default datadog annotations
gloo.accessLogger.stats.enableStatsRouteboolEnables an additional route to the stats cluster defaulting to /stats
gloo.accessLogger.stats.statsPrefixRewritestringThe Envoy stats endpoint with general metrics for the additional stats route
gloo.accessLogger.stats.serviceMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Service Monitor. Requires that ‘enabled’ is also true
gloo.accessLogger.stats.podMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Pod Monitor. Requires that ‘enabled’ is also true
gloo.accessLogger.runAsUserfloat64Explicitly set the user ID for the processes in the container to run as. Default is 10101.
gloo.accessLogger.fsGroupfloat64Explicitly set the group ID for volume ownership. Default is 10101
gloo.accessLogger.extraAccessLoggerLabels.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.labels data of the access logger deployment.
gloo.accessLogger.extraAccessLoggerAnnotations.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.annotations data of the access logger deployment.
gloo.accessLogger.service.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gloo.accessLogger.deployment.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gloo.accessLogger.accessLoggerContainerSecurityContext.capabilities.add[]string
gloo.accessLogger.accessLoggerContainerSecurityContext.capabilities.drop[]string
gloo.accessLogger.accessLoggerContainerSecurityContext.privilegedbool
gloo.accessLogger.accessLoggerContainerSecurityContext.seLinuxOptions.userstring
gloo.accessLogger.accessLoggerContainerSecurityContext.seLinuxOptions.rolestring
gloo.accessLogger.accessLoggerContainerSecurityContext.seLinuxOptions.typestring
gloo.accessLogger.accessLoggerContainerSecurityContext.seLinuxOptions.levelstring
gloo.accessLogger.accessLoggerContainerSecurityContext.windowsOptions.gmsaCredentialSpecNamestring
gloo.accessLogger.accessLoggerContainerSecurityContext.windowsOptions.gmsaCredentialSpecstring
gloo.accessLogger.accessLoggerContainerSecurityContext.windowsOptions.runAsUserNamestring
gloo.accessLogger.accessLoggerContainerSecurityContext.windowsOptions.hostProcessbool
gloo.accessLogger.accessLoggerContainerSecurityContext.runAsUserint64
gloo.accessLogger.accessLoggerContainerSecurityContext.runAsGroupint64
gloo.accessLogger.accessLoggerContainerSecurityContext.runAsNonRootbool
gloo.accessLogger.accessLoggerContainerSecurityContext.readOnlyRootFilesystembool
gloo.accessLogger.accessLoggerContainerSecurityContext.allowPrivilegeEscalationbool
gloo.accessLogger.accessLoggerContainerSecurityContext.procMountstring
gloo.accessLogger.accessLoggerContainerSecurityContext.seccompProfile.typestring
gloo.accessLogger.accessLoggerContainerSecurityContext.seccompProfile.localhostProfilestring
gloo.accessLogger.accessLoggerContainerSecurityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you cannot override a ‘true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
gloo.accessLogger.replicasintnumber of instances to deploy
gloo.accessLogger.customEnv[].namestring
gloo.accessLogger.customEnv[].valuestring
gloo.accessLogger.customEnv[].valueFrom.fieldRef.apiVersionstring
gloo.accessLogger.customEnv[].valueFrom.fieldRef.fieldPathstring
gloo.accessLogger.customEnv[].valueFrom.resourceFieldRef.containerNamestring
gloo.accessLogger.customEnv[].valueFrom.resourceFieldRef.resourcestring
gloo.accessLogger.customEnv[].valueFrom.resourceFieldRef.divisorint64
gloo.accessLogger.customEnv[].valueFrom.resourceFieldRef.divisorint32
gloo.accessLogger.customEnv[].valueFrom.resourceFieldRef.divisorbool
gloo.accessLogger.customEnv[].valueFrom.resourceFieldRef.divisor[]uint
gloo.accessLogger.customEnv[].valueFrom.resourceFieldRef.divisor[]int32
gloo.accessLogger.customEnv[].valueFrom.resourceFieldRef.divisor[]string
gloo.accessLogger.customEnv[].valueFrom.configMapKeyRef.namestring
gloo.accessLogger.customEnv[].valueFrom.configMapKeyRef.keystring
gloo.accessLogger.customEnv[].valueFrom.configMapKeyRef.optionalbool
gloo.accessLogger.customEnv[].valueFrom.secretKeyRef.namestring
gloo.accessLogger.customEnv[].valueFrom.secretKeyRef.keystring
gloo.accessLogger.customEnv[].valueFrom.secretKeyRef.optionalbool
gloo.accessLogger.restartPolicystringrestart policy to use when the pod exits
gloo.accessLogger.priorityClassNamestringname of a defined priority class
gloo.accessLogger.nodeNamestringname of node to run on
gloo.accessLogger.nodeSelector.NAMEstringlabel selector for nodes
gloo.accessLogger.tolerations[].keystring
gloo.accessLogger.tolerations[].operatorstring
gloo.accessLogger.tolerations[].valuestring
gloo.accessLogger.tolerations[].effectstring
gloo.accessLogger.tolerations[].tolerationSecondsint64
gloo.accessLogger.affinity.NAMEinterface
gloo.accessLogger.hostAliases[]interface
gloo.accessLogger.initContainers[]interfaceInitContainers to be added to the array of initContainers on the deployment.
gloo.accessLogger.resources.limits.memorystringamount of memory
gloo.accessLogger.resources.limits.cpustringamount of CPUs
gloo.accessLogger.resources.requests.memorystringamount of memory
gloo.accessLogger.resources.requests.cpustringamount of CPUs
gloo.accessLogger.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
redis.deployment.initContainer.image.tagstring1.28The image tag for the container.
redis.deployment.initContainer.image.repositorystringbusyboxThe image repository (name) for the container.
redis.deployment.initContainer.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
redis.deployment.initContainer.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
redis.deployment.initContainer.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
redis.deployment.initContainer.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
redis.deployment.initContainer.image.registrystringdocker.ioThe image hostname prefix and registry, such as quay.io/solo-io.
redis.deployment.initContainer.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
redis.deployment.initContainer.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
redis.deployment.initContainer.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
redis.deployment.initContainer.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
redis.deployment.initContainer.securityContext.capabilities.add[]string
redis.deployment.initContainer.securityContext.capabilities.drop[]string
redis.deployment.initContainer.securityContext.privilegedbool
redis.deployment.initContainer.securityContext.seLinuxOptions.userstring
redis.deployment.initContainer.securityContext.seLinuxOptions.rolestring
redis.deployment.initContainer.securityContext.seLinuxOptions.typestring
redis.deployment.initContainer.securityContext.seLinuxOptions.levelstring
redis.deployment.initContainer.securityContext.windowsOptions.gmsaCredentialSpecNamestring
redis.deployment.initContainer.securityContext.windowsOptions.gmsaCredentialSpecstring
redis.deployment.initContainer.securityContext.windowsOptions.runAsUserNamestring
redis.deployment.initContainer.securityContext.windowsOptions.hostProcessbool
redis.deployment.initContainer.securityContext.runAsUserint64
redis.deployment.initContainer.securityContext.runAsGroupint64
redis.deployment.initContainer.securityContext.runAsNonRootbool
redis.deployment.initContainer.securityContext.readOnlyRootFilesystembool
redis.deployment.initContainer.securityContext.allowPrivilegeEscalationbool
redis.deployment.initContainer.securityContext.procMountstring
redis.deployment.initContainer.securityContext.seccompProfile.typestring
redis.deployment.initContainer.securityContext.seccompProfile.localhostProfilestring
redis.deployment.initContainer.securityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you cannot override a ‘true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
redis.deployment.namestringredis
redis.deployment.staticPortuint6379
redis.deployment.runAsUserfloat64Explicitly set the user ID for the container to run as in the podSecurityContext. Default is 999. If a podSecurityContext is defined for the pod, this value is not applied.
redis.deployment.runAsGroupfloat64Explicitly set the group ID for the container to run as in the podSecurityContext. Default is 999. If a podSecurityContext is defined for the pod, this value is not applied.
redis.deployment.fsGroupfloat64Explicitly set the fsGroup ID for the container to run as in the podSecurityContext. Default is 999. If a podSecurityContext is defined for the pod, this value is not applied.
redis.deployment.floatingUserIdboolfalseset to true to allow the cluster to dynamically assign a user ID. If podSecurityContext is defined, this value is not applied.
redis.deployment.extraRedisLabels.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.labels data of the redis deployment.
redis.deployment.enablePodSecurityContextbooltrueWhether or not to render the pod security context. Default is true.
redis.deployment.podSecurityContext.seLinuxOptions.userstring
redis.deployment.podSecurityContext.seLinuxOptions.rolestring
redis.deployment.podSecurityContext.seLinuxOptions.typestring
redis.deployment.podSecurityContext.seLinuxOptions.levelstring
redis.deployment.podSecurityContext.windowsOptions.gmsaCredentialSpecNamestring
redis.deployment.podSecurityContext.windowsOptions.gmsaCredentialSpecstring
redis.deployment.podSecurityContext.windowsOptions.runAsUserNamestring
redis.deployment.podSecurityContext.windowsOptions.hostProcessbool
redis.deployment.podSecurityContext.runAsUserint64
redis.deployment.podSecurityContext.runAsGroupint64
redis.deployment.podSecurityContext.runAsNonRootbool
redis.deployment.podSecurityContext.supplementalGroups[]int64
redis.deployment.podSecurityContext.fsGroupint64
redis.deployment.podSecurityContext.sysctls[].namestring
redis.deployment.podSecurityContext.sysctls[].valuestring
redis.deployment.podSecurityContext.fsGroupChangePolicystring
redis.deployment.podSecurityContext.seccompProfile.typestring
redis.deployment.podSecurityContext.seccompProfile.localhostProfilestring
redis.deployment.podSecurityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you cannot override a ‘true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
redis.deployment.persistence.enabledboolfalseIf set to true, the redis data will be persisted. Default is false.
redis.deployment.replicasintnumber of instances to deploy
redis.deployment.customEnv[].namestring
redis.deployment.customEnv[].valuestring
redis.deployment.customEnv[].valueFrom.fieldRef.apiVersionstring
redis.deployment.customEnv[].valueFrom.fieldRef.fieldPathstring
redis.deployment.customEnv[].valueFrom.resourceFieldRef.containerNamestring
redis.deployment.customEnv[].valueFrom.resourceFieldRef.resourcestring
redis.deployment.customEnv[].valueFrom.resourceFieldRef.divisorint64
redis.deployment.customEnv[].valueFrom.resourceFieldRef.divisorint32
redis.deployment.customEnv[].valueFrom.resourceFieldRef.divisorbool
redis.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]uint
redis.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]int32
redis.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]string
redis.deployment.customEnv[].valueFrom.configMapKeyRef.namestring
redis.deployment.customEnv[].valueFrom.configMapKeyRef.keystring
redis.deployment.customEnv[].valueFrom.configMapKeyRef.optionalbool
redis.deployment.customEnv[].valueFrom.secretKeyRef.namestring
redis.deployment.customEnv[].valueFrom.secretKeyRef.keystring
redis.deployment.customEnv[].valueFrom.secretKeyRef.optionalbool
redis.deployment.restartPolicystringrestart policy to use when the pod exits
redis.deployment.priorityClassNamestringname of a defined priority class
redis.deployment.nodeNamestringname of node to run on
redis.deployment.nodeSelector.NAMEstringlabel selector for nodes
redis.deployment.tolerations[].keystring
redis.deployment.tolerations[].operatorstring
redis.deployment.tolerations[].valuestring
redis.deployment.tolerations[].effectstring
redis.deployment.tolerations[].tolerationSecondsint64
redis.deployment.affinity.NAMEinterface
redis.deployment.hostAliases[]interface
redis.deployment.initContainers[]interfaceInitContainers to be added to the array of initContainers on the deployment.
redis.deployment.resources.limits.memorystringamount of memory
redis.deployment.resources.limits.cpustringamount of CPUs
redis.deployment.resources.requests.memorystringamount of memory
redis.deployment.resources.requests.cpustringamount of CPUs
redis.deployment.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
redis.deployment.redisContainerSecurityContext.capabilities.add[]string
redis.deployment.redisContainerSecurityContext.capabilities.drop[]string
redis.deployment.redisContainerSecurityContext.privilegedbool
redis.deployment.redisContainerSecurityContext.seLinuxOptions.userstring
redis.deployment.redisContainerSecurityContext.seLinuxOptions.rolestring
redis.deployment.redisContainerSecurityContext.seLinuxOptions.typestring
redis.deployment.redisContainerSecurityContext.seLinuxOptions.levelstring
redis.deployment.redisContainerSecurityContext.windowsOptions.gmsaCredentialSpecNamestring
redis.deployment.redisContainerSecurityContext.windowsOptions.gmsaCredentialSpecstring
redis.deployment.redisContainerSecurityContext.windowsOptions.runAsUserNamestring
redis.deployment.redisContainerSecurityContext.windowsOptions.hostProcessbool
redis.deployment.redisContainerSecurityContext.runAsUserint64
redis.deployment.redisContainerSecurityContext.runAsGroupint64
redis.deployment.redisContainerSecurityContext.runAsNonRootbool
redis.deployment.redisContainerSecurityContext.readOnlyRootFilesystembool
redis.deployment.redisContainerSecurityContext.allowPrivilegeEscalationbool
redis.deployment.redisContainerSecurityContext.procMountstring
redis.deployment.redisContainerSecurityContext.seccompProfile.typestring
redis.deployment.redisContainerSecurityContext.seccompProfile.localhostProfilestring
redis.deployment.redisContainerSecurityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you cannot override a ‘true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
redis.deployment.image.tagstring7.2.4-alpineThe image tag for the container.
redis.deployment.image.repositorystringredisThe image repository (name) for the container.
redis.deployment.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
redis.deployment.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
redis.deployment.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
redis.deployment.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
redis.deployment.image.registrystringdocker.ioThe image hostname prefix and registry, such as quay.io/solo-io.
redis.deployment.image.pullPolicystringIfNotPresentThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
redis.deployment.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
redis.deployment.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
redis.deployment.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
redis.service.portuint6379This is the port set for the redis service.
redis.service.namestringredisThis is the name of the redis service. If there is an external service, this can be used to set the endpoint of the external service. Set redis.disabled if setting the value of the redis service.
redis.service.dbuint0This is the db number of the redis service; it can be any int from 0 to 15. This field is ignored when using clustered redis or when ClientSideShardingEnabled is true.
redis.service.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
redis.tlsEnabledboolfalseEnables tls for redis. Default is false.
redis.cert.enabledboolfalseIf set to true, a secret for redis will be created, and cert.crt and cert.key will be required. If redis.disabled is not set, the socket type is set to tls. If redis.disabled is set, then only a secret will be created containing the cert and key. The secret is mounted to the rate-limiter and redis deployments with the cert and key. Default is false.
redis.cert.crtstringTLS certificate. If CACert is not provided, this will be used as the CA cert as well as the TLS cert for the redis server.
redis.cert.keystringTLS certificate key.
redis.cert.cacrtstringOptional. CA certificate.
redis.cert.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
redis.clientSideShardingEnabledboolfalseIf set to true, Envoy will be used as a Redis proxy and load balance requests between redis instances scaled via replicas. Default is false.
redis.disabledboolfalseIf set to true, Redis service creation will be blocked. If this is set to true and global.extensions.glooRedis.enableAcl is also set to true, the redis secret will not be created. You will have to create the secret to provide the password; the key used for the password is redis-password. Default is false.
redis.clusteredboolfalseIf true, we create the correct client to handle clustered redis. Default is false
redis.aclPrefixstringuser default +@all allkeys on >The ACL policy for the default redis user. This is the prefix only, and if overridden, should end with < to signal the password.
observability.enabledbooltrueif true, deploy observability service (default true)
observability.deployment.image.tagstringVersion number, ex. 1.8.0The image tag for the container.
observability.deployment.image.repositorystringobservability-eeThe image repository (name) for the container.
observability.deployment.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
observability.deployment.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
observability.deployment.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
observability.deployment.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
observability.deployment.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
observability.deployment.image.pullPolicystringIfNotPresentThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
observability.deployment.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
observability.deployment.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
observability.deployment.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
observability.deployment.stats.enabledboolControls whether or not Envoy stats are enabled
observability.deployment.stats.routePrefixRewritestringThe Envoy stats endpoint to which the metrics are written
observability.deployment.stats.setDatadogAnnotationsboolSets the default datadog annotations
observability.deployment.stats.enableStatsRouteboolEnables an additional route to the stats cluster defaulting to /stats
observability.deployment.stats.statsPrefixRewritestringThe Envoy stats endpoint with general metrics for the additional stats route
observability.deployment.stats.serviceMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Service Monitor. Requires that ‘enabled’ is also true
observability.deployment.stats.podMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Pod Monitor. Requires that ‘enabled’ is also true
observability.deployment.runAsUserfloat64Explicitly set the user ID for the container to run as. Default is 10101
observability.deployment.floatingUserIdboolfalseset to true to allow the cluster to dynamically assign a user ID
observability.deployment.extraObservabilityLabels.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.labels data of the Observability deployment.
observability.deployment.logLevelstringLevel at which the pod should log. Options include “info”, “debug”, “warn”, “error”, “panic” and “fatal”. Default level is info
observability.deployment.observabilityContainerSecurityContext.capabilities.add[]string
observability.deployment.observabilityContainerSecurityContext.capabilities.drop[]string
observability.deployment.observabilityContainerSecurityContext.privilegedbool
observability.deployment.observabilityContainerSecurityContext.seLinuxOptions.userstring
observability.deployment.observabilityContainerSecurityContext.seLinuxOptions.rolestring
observability.deployment.observabilityContainerSecurityContext.seLinuxOptions.typestring
observability.deployment.observabilityContainerSecurityContext.seLinuxOptions.levelstring
observability.deployment.observabilityContainerSecurityContext.windowsOptions.gmsaCredentialSpecNamestring
observability.deployment.observabilityContainerSecurityContext.windowsOptions.gmsaCredentialSpecstring
observability.deployment.observabilityContainerSecurityContext.windowsOptions.runAsUserNamestring
observability.deployment.observabilityContainerSecurityContext.windowsOptions.hostProcessbool
observability.deployment.observabilityContainerSecurityContext.runAsUserint64
observability.deployment.observabilityContainerSecurityContext.runAsGroupint64
observability.deployment.observabilityContainerSecurityContext.runAsNonRootbool
observability.deployment.observabilityContainerSecurityContext.readOnlyRootFilesystembool
observability.deployment.observabilityContainerSecurityContext.allowPrivilegeEscalationbool
observability.deployment.observabilityContainerSecurityContext.procMountstring
observability.deployment.observabilityContainerSecurityContext.seccompProfile.typestring
observability.deployment.observabilityContainerSecurityContext.seccompProfile.localhostProfilestring
observability.deployment.observabilityContainerSecurityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you cannot override a ‘true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
observability.deployment.replicasintnumber of instances to deploy
observability.deployment.customEnv[].namestring
observability.deployment.customEnv[].valuestring
observability.deployment.customEnv[].valueFrom.fieldRef.apiVersionstring
observability.deployment.customEnv[].valueFrom.fieldRef.fieldPathstring
observability.deployment.customEnv[].valueFrom.resourceFieldRef.containerNamestring
observability.deployment.customEnv[].valueFrom.resourceFieldRef.resourcestring
observability.deployment.customEnv[].valueFrom.resourceFieldRef.divisorint64
observability.deployment.customEnv[].valueFrom.resourceFieldRef.divisorint32
observability.deployment.customEnv[].valueFrom.resourceFieldRef.divisorbool
observability.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]uint
observability.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]int32
observability.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]string
observability.deployment.customEnv[].valueFrom.configMapKeyRef.namestring
observability.deployment.customEnv[].valueFrom.configMapKeyRef.keystring
observability.deployment.customEnv[].valueFrom.configMapKeyRef.optionalbool
observability.deployment.customEnv[].valueFrom.secretKeyRef.namestring
observability.deployment.customEnv[].valueFrom.secretKeyRef.keystring
observability.deployment.customEnv[].valueFrom.secretKeyRef.optionalbool
observability.deployment.restartPolicystringrestart policy to use when the pod exits
observability.deployment.priorityClassNamestringname of a defined priority class
observability.deployment.nodeNamestringname of node to run on
observability.deployment.nodeSelector.NAMEstringlabel selector for nodes
observability.deployment.tolerations[].keystring
observability.deployment.tolerations[].operatorstring
observability.deployment.tolerations[].valuestring
observability.deployment.tolerations[].effectstring
observability.deployment.tolerations[].tolerationSecondsint64
observability.deployment.affinity.NAMEinterface
observability.deployment.hostAliases[]interface
observability.deployment.initContainers[]interfaceInitContainers to be added to the array of initContainers on the deployment.
observability.deployment.resources.limits.memorystringamount of memory
observability.deployment.resources.limits.cpustringamount of CPUs
observability.deployment.resources.requests.memorystringamount of memory
observability.deployment.resources.requests.cpustringamount of CPUs
observability.deployment.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
observability.customGrafana.enabledboolfalseSet to true to indicate that the observability pod should talk to a custom grafana instance
observability.customGrafana.usernamestringSet this and the ‘password’ field to authenticate to the custom grafana instance using basic auth
observability.customGrafana.passwordstringSet this and the ‘username’ field to authenticate to the custom grafana instance using basic auth
observability.customGrafana.apiKeystringAuthenticate to the custom grafana instance using this api key
observability.customGrafana.urlstringThe URL for the custom grafana instance
observability.customGrafana.caBundlestringThe Certificate Authority used to verify the server certificates.
observability.customGrafana.dataSourcestringThe data source for Gloo-generated dashboards to point to; defaults to null (i.e. Grafana’s default data source)
observability.customGrafana.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
observability.upstreamDashboardTemplatestringProvide a custom dashboard template to use when generating per-upstream dashboards. The only variables available for use in this template are: {{.Uid}} and {{.EnvoyClusterName}}. It is recommended to use Helm’s --set-file to provide this value.
observability.rbac.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
observability.serviceAccount.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
observability.configMap.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
observability.secret.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
rbac.createboolfalse
grafanainterface
prometheus.rbacinterfaceSee https://github.com/prometheus-community/helm-charts/blob/prometheus-25.21.0/charts/prometheus/values.yaml
prometheus.podSecurityPolicyinterfaceSee https://github.com/prometheus-community/helm-charts/blob/prometheus-25.21.0/charts/prometheus/values.yaml
prometheus.imagePullSecretsinterfaceSee https://github.com/prometheus-community/helm-charts/blob/prometheus-25.21.0/charts/prometheus/values.yaml
prometheus.serviceAccountsinterfaceSee https://github.com/prometheus-community/helm-charts/blob/prometheus-25.21.0/charts/prometheus/values.yaml
prometheus.commonMetaLabelsinterfaceSee https://github.com/prometheus-community/helm-charts/blob/prometheus-25.21.0/charts/prometheus/values.yaml
prometheus.configmapReloadinterfaceSee https://github.com/prometheus-community/helm-charts/blob/prometheus-25.21.0/charts/prometheus/values.yaml
prometheus.serverinterfaceSee https://github.com/prometheus-community/helm-charts/blob/prometheus-25.21.0/charts/prometheus/values.yaml
prometheus.ruleFilesinterfaceSee https://github.com/prometheus-community/helm-charts/blob/prometheus-25.21.0/charts/prometheus/values.yaml
prometheus.scrapeConfigFilesinterfaceSee https://github.com/prometheus-community/helm-charts/blob/prometheus-25.21.0/charts/prometheus/values.yaml
prometheus.serverFilesinterfaceSee https://github.com/prometheus-community/helm-charts/blob/prometheus-25.21.0/charts/prometheus/values.yaml
prometheus.extraScrapeConfigsinterfaceSee https://github.com/prometheus-community/helm-charts/blob/prometheus-25.21.0/charts/prometheus/values.yaml
prometheus.alertRelabelConfigsinterfaceSee https://github.com/prometheus-community/helm-charts/blob/prometheus-25.21.0/charts/prometheus/values.yaml
prometheus.networkPolicyinterfaceSee https://github.com/prometheus-community/helm-charts/blob/prometheus-25.21.0/charts/prometheus/values.yaml
prometheus.forceNamespaceinterfaceSee https://github.com/prometheus-community/helm-charts/blob/prometheus-25.21.0/charts/prometheus/values.yaml
prometheus.extraManifestsinterfaceSee https://github.com/prometheus-community/helm-charts/blob/prometheus-25.21.0/charts/prometheus/values.yaml
prometheus.alertmanagerinterfaceSee https://github.com/prometheus-community/helm-charts/blob/prometheus-25.21.0/charts/prometheus/values.yaml
prometheus.kube-state-metricsinterfaceSee https://github.com/prometheus-community/helm-charts/blob/prometheus-25.21.0/charts/prometheus/values.yaml
prometheus.prometheus-node-exporterinterfaceSee https://github.com/prometheus-community/helm-charts/blob/prometheus-25.21.0/charts/prometheus/values.yaml
prometheus.prometheus-pushgatewayinterfaceSee https://github.com/prometheus-community/helm-charts/blob/prometheus-25.21.0/charts/prometheus/values.yaml
prometheus.enabledbooltrueWhether the default Prometheus chart is enabled. Enabled by default.
prometheus.nameOverridestringglooe-prometheusThe name of the default Prometheus installation. Defaults to ‘glooe-prometheus’
prometheus.prometheusServerMigrationJob.restartPolicystringOnFailurerestart policy to use when the pod exits
prometheus.prometheusServerMigrationJob.priorityClassNamestringname of a defined priority class
prometheus.prometheusServerMigrationJob.nodeNamestringname of node to run on
prometheus.prometheusServerMigrationJob.nodeSelector.NAMEstringlabel selector for nodes
prometheus.prometheusServerMigrationJob.tolerations[].keystring
prometheus.prometheusServerMigrationJob.tolerations[].operatorstring
prometheus.prometheusServerMigrationJob.tolerations[].valuestring
prometheus.prometheusServerMigrationJob.tolerations[].effectstring
prometheus.prometheusServerMigrationJob.tolerations[].tolerationSecondsint64
prometheus.prometheusServerMigrationJob.affinity.NAMEinterface
prometheus.prometheusServerMigrationJob.hostAliases[]interface
prometheus.prometheusServerMigrationJob.initContainers[]interfaceInitContainers to be added to the array of initContainers on the deployment.
prometheus.prometheusServerMigrationJob.activeDeadlineSecondsintDeadline in seconds for Kubernetes jobs.
prometheus.prometheusServerMigrationJob.backoffLimitintSpecifies the number of retries before marking this job failed. In kubernetes, defaults to 6
prometheus.prometheusServerMigrationJob.completionsintSpecifies the desired number of successfully finished pods the job should be run with.
prometheus.prometheusServerMigrationJob.manualSelectorboolControls generation of pod labels and pod selectors.
prometheus.prometheusServerMigrationJob.parallelismintSpecifies the maximum desired number of pods the job should run at any given time.
prometheus.prometheusServerMigrationJob.ttlSecondsAfterFinishedint300Clean up the finished job after this many seconds. Defaults to 300 for the rollout jobs and 60 for the rest.
prometheus.prometheusServerMigrationJob.extraPodLabels.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.labels data of the job.
prometheus.prometheusServerMigrationJob.extraPodAnnotations.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.annotations data of the job.
prometheus.prometheusServerMigrationJob.containerSecurityContext.capabilities.add[]string
prometheus.prometheusServerMigrationJob.containerSecurityContext.capabilities.drop[]string
prometheus.prometheusServerMigrationJob.containerSecurityContext.privilegedbool
prometheus.prometheusServerMigrationJob.containerSecurityContext.seLinuxOptions.userstring
prometheus.prometheusServerMigrationJob.containerSecurityContext.seLinuxOptions.rolestring
prometheus.prometheusServerMigrationJob.containerSecurityContext.seLinuxOptions.typestring
prometheus.prometheusServerMigrationJob.containerSecurityContext.seLinuxOptions.levelstring
prometheus.prometheusServerMigrationJob.containerSecurityContext.windowsOptions.gmsaCredentialSpecNamestring
prometheus.prometheusServerMigrationJob.containerSecurityContext.windowsOptions.gmsaCredentialSpecstring
prometheus.prometheusServerMigrationJob.containerSecurityContext.windowsOptions.runAsUserNamestring
prometheus.prometheusServerMigrationJob.containerSecurityContext.windowsOptions.hostProcessbool
prometheus.prometheusServerMigrationJob.containerSecurityContext.runAsUserint64
prometheus.prometheusServerMigrationJob.containerSecurityContext.runAsGroupint64
prometheus.prometheusServerMigrationJob.containerSecurityContext.runAsNonRootbool
prometheus.prometheusServerMigrationJob.containerSecurityContext.readOnlyRootFilesystembool
prometheus.prometheusServerMigrationJob.containerSecurityContext.allowPrivilegeEscalationbool
prometheus.prometheusServerMigrationJob.containerSecurityContext.procMountstring
prometheus.prometheusServerMigrationJob.containerSecurityContext.seccompProfile.typestring
prometheus.prometheusServerMigrationJob.containerSecurityContext.seccompProfile.localhostProfilestring
prometheus.prometheusServerMigrationJob.containerSecurityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you cannot override a ‘true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
prometheus.prometheusServerMigrationJob.enabledbooltrueEnable the job that deletes the Prometheus server deployment if necessary at upgrade time to allow for applying a new Prometheus chart with breaking changes (default true).
prometheus.prometheusServerMigrationJob.image.tagstring1.29.2The image tag for the container.
prometheus.prometheusServerMigrationJob.image.repositorystringk8sThe image repository (name) for the container.
prometheus.prometheusServerMigrationJob.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
prometheus.prometheusServerMigrationJob.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
prometheus.prometheusServerMigrationJob.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
prometheus.prometheusServerMigrationJob.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
prometheus.prometheusServerMigrationJob.image.registrystringdocker.io/alpineThe image hostname prefix and registry, such as quay.io/solo-io.
prometheus.prometheusServerMigrationJob.image.pullPolicystringIfNotPresentThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
prometheus.prometheusServerMigrationJob.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
prometheus.prometheusServerMigrationJob.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
prometheus.prometheusServerMigrationJob.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
prometheus.prometheusServerMigrationJob.resources.limits.memorystringamount of memory
prometheus.prometheusServerMigrationJob.resources.limits.cpustringamount of CPUs
prometheus.prometheusServerMigrationJob.resources.requests.memorystringamount of memory
prometheus.prometheusServerMigrationJob.resources.requests.cpustringamount of CPUs
prometheus.prometheusServerMigrationJob.floatingUserIdboolIf true, allows the cluster to dynamically assign a user ID for the processes running in the container.
prometheus.prometheusServerMigrationJob.runAsUserfloat64Explicitly set the user ID for the processes in the container to run as. Default is 10101.
prometheus.prometheusServerMigrationJob.timeoutintTime to wait in seconds until the job has completed. If it exceeds this limit, it is deemed to have failed. Defaults to 120
gateway-portal-web-serverinterface
tags.NAMEstring
gloo-fed.global.image.tagstringThe image tag for the container.
gloo-fed.global.image.repositorystringThe image repository (name) for the container.
gloo-fed.global.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
gloo-fed.global.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
gloo-fed.global.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
gloo-fed.global.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
gloo-fed.global.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
gloo-fed.global.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
gloo-fed.global.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
gloo-fed.global.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
gloo-fed.global.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
gloo-fed.global.extensionsinterface
gloo-fed.global.glooRbac.createboolcreate rbac rules for the gloo-system service account
gloo-fed.global.glooRbac.namespacedbooluse Roles instead of ClusterRoles
gloo-fed.global.glooRbac.nameSuffixstringWhen nameSuffix is nonempty, append ‘-$nameSuffix’ to the names of Gloo Edge RBAC resources; e.g. when nameSuffix is ‘foo’, the role ‘gloo-resource-reader’ will become ‘gloo-resource-reader-foo’
gloo-fed.global.glooStats.enabledboolControls whether or not Envoy stats are enabled
gloo-fed.global.glooStats.routePrefixRewritestringThe Envoy stats endpoint to which the metrics are written
gloo-fed.global.glooStats.setDatadogAnnotationsboolSets the default datadog annotations
gloo-fed.global.glooStats.enableStatsRouteboolEnables an additional route to the stats cluster defaulting to /stats
gloo-fed.global.glooStats.statsPrefixRewritestringThe Envoy stats endpoint with general metrics for the additional stats route
gloo-fed.global.glooStats.serviceMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Service Monitor. Requires that ‘enabled’ is also true
gloo-fed.global.glooStats.podMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Pod Monitor. Requires that ‘enabled’ is also true
gloo-fed.global.glooMtls.enabledboolEnables internal mtls authentication
gloo-fed.global.glooMtls.sds.image.tagstringThe image tag for the container.
gloo-fed.global.glooMtls.sds.image.repositorystringThe image repository (name) for the container.
gloo-fed.global.glooMtls.sds.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
gloo-fed.global.glooMtls.sds.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
gloo-fed.global.glooMtls.sds.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
gloo-fed.global.glooMtls.sds.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
gloo-fed.global.glooMtls.sds.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
gloo-fed.global.glooMtls.sds.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
gloo-fed.global.glooMtls.sds.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
gloo-fed.global.glooMtls.sds.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
gloo-fed.global.glooMtls.sds.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
gloo-fed.global.glooMtls.sds.securityContext.capabilities.add[]string
gloo-fed.global.glooMtls.sds.securityContext.capabilities.drop[]string
gloo-fed.global.glooMtls.sds.securityContext.privilegedbool
gloo-fed.global.glooMtls.sds.securityContext.seLinuxOptions.userstring
gloo-fed.global.glooMtls.sds.securityContext.seLinuxOptions.rolestring
gloo-fed.global.glooMtls.sds.securityContext.seLinuxOptions.typestring
gloo-fed.global.glooMtls.sds.securityContext.seLinuxOptions.levelstring
gloo-fed.global.glooMtls.sds.securityContext.windowsOptions.gmsaCredentialSpecNamestring
gloo-fed.global.glooMtls.sds.securityContext.windowsOptions.gmsaCredentialSpecstring
gloo-fed.global.glooMtls.sds.securityContext.windowsOptions.runAsUserNamestring
gloo-fed.global.glooMtls.sds.securityContext.windowsOptions.hostProcessbool
gloo-fed.global.glooMtls.sds.securityContext.runAsUserint64
gloo-fed.global.glooMtls.sds.securityContext.runAsGroupint64
gloo-fed.global.glooMtls.sds.securityContext.runAsNonRootbool
gloo-fed.global.glooMtls.sds.securityContext.readOnlyRootFilesystembool
gloo-fed.global.glooMtls.sds.securityContext.allowPrivilegeEscalationbool
gloo-fed.global.glooMtls.sds.securityContext.procMountstring
gloo-fed.global.glooMtls.sds.securityContext.seccompProfile.typestring
gloo-fed.global.glooMtls.sds.securityContext.seccompProfile.localhostProfilestring
gloo-fed.global.glooMtls.sds.securityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you cannot override a ‘true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
gloo-fed.global.glooMtls.sds.logLevelstringLog level for sds. Options include “info”, “debug”, “warn”, “error”, “panic” and “fatal”. Default level is info.
gloo-fed.global.glooMtls.sds.sdsResources.limits.memorystringamount of memory
gloo-fed.global.glooMtls.sds.sdsResources.limits.cpustringamount of CPUs
gloo-fed.global.glooMtls.sds.sdsResources.requests.memorystringamount of memory
gloo-fed.global.glooMtls.sds.sdsResources.requests.cpustringamount of CPUs
gloo-fed.global.glooMtls.envoy.image.tagstringThe image tag for the container.
gloo-fed.global.glooMtls.envoy.image.repositorystringThe image repository (name) for the container.
gloo-fed.global.glooMtls.envoy.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
gloo-fed.global.glooMtls.envoy.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
gloo-fed.global.glooMtls.envoy.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
gloo-fed.global.glooMtls.envoy.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
gloo-fed.global.glooMtls.envoy.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
gloo-fed.global.glooMtls.envoy.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
gloo-fed.global.glooMtls.envoy.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
gloo-fed.global.glooMtls.envoy.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
gloo-fed.global.glooMtls.envoy.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
gloo-fed.global.glooMtls.envoy.securityContext.capabilities.add[]string
gloo-fed.global.glooMtls.envoy.securityContext.capabilities.drop[]string
gloo-fed.global.glooMtls.envoy.securityContext.privilegedbool
gloo-fed.global.glooMtls.envoy.securityContext.seLinuxOptions.userstring
gloo-fed.global.glooMtls.envoy.securityContext.seLinuxOptions.rolestring
gloo-fed.global.glooMtls.envoy.securityContext.seLinuxOptions.typestring
gloo-fed.global.glooMtls.envoy.securityContext.seLinuxOptions.levelstring
gloo-fed.global.glooMtls.envoy.securityContext.windowsOptions.gmsaCredentialSpecNamestring
gloo-fed.global.glooMtls.envoy.securityContext.windowsOptions.gmsaCredentialSpecstring
gloo-fed.global.glooMtls.envoy.securityContext.windowsOptions.runAsUserNamestring
gloo-fed.global.glooMtls.envoy.securityContext.windowsOptions.hostProcessbool
gloo-fed.global.glooMtls.envoy.securityContext.runAsUserint64
gloo-fed.global.glooMtls.envoy.securityContext.runAsGroupint64
gloo-fed.global.glooMtls.envoy.securityContext.runAsNonRootbool
gloo-fed.global.glooMtls.envoy.securityContext.readOnlyRootFilesystembool
gloo-fed.global.glooMtls.envoy.securityContext.allowPrivilegeEscalationbool
gloo-fed.global.glooMtls.envoy.securityContext.procMountstring
gloo-fed.global.glooMtls.envoy.securityContext.seccompProfile.typestring
gloo-fed.global.glooMtls.envoy.securityContext.seccompProfile.localhostProfilestring
gloo-fed.global.glooMtls.envoy.securityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you cannot override a ‘true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
gloo-fed.global.glooMtls.istioProxy.image.tagstringThe image tag for the container.
gloo-fed.global.glooMtls.istioProxy.image.repositorystringThe image repository (name) for the container.
gloo-fed.global.glooMtls.istioProxy.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
gloo-fed.global.glooMtls.istioProxy.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
gloo-fed.global.glooMtls.istioProxy.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
gloo-fed.global.glooMtls.istioProxy.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
gloo-fed.global.glooMtls.istioProxy.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
gloo-fed.global.glooMtls.istioProxy.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
gloo-fed.global.glooMtls.istioProxy.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
gloo-fed.global.glooMtls.istioProxy.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
gloo-fed.global.glooMtls.istioProxy.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
gloo-fed.global.glooMtls.istioProxy.securityContext.capabilities.add[]string
gloo-fed.global.glooMtls.istioProxy.securityContext.capabilities.drop[]string
gloo-fed.global.glooMtls.istioProxy.securityContext.privilegedbool
gloo-fed.global.glooMtls.istioProxy.securityContext.seLinuxOptions.userstring
gloo-fed.global.glooMtls.istioProxy.securityContext.seLinuxOptions.rolestring
gloo-fed.global.glooMtls.istioProxy.securityContext.seLinuxOptions.typestring
gloo-fed.global.glooMtls.istioProxy.securityContext.seLinuxOptions.levelstring
gloo-fed.global.glooMtls.istioProxy.securityContext.windowsOptions.gmsaCredentialSpecNamestring
gloo-fed.global.glooMtls.istioProxy.securityContext.windowsOptions.gmsaCredentialSpecstring
gloo-fed.global.glooMtls.istioProxy.securityContext.windowsOptions.runAsUserNamestring
gloo-fed.global.glooMtls.istioProxy.securityContext.windowsOptions.hostProcessbool
gloo-fed.global.glooMtls.istioProxy.securityContext.runAsUserint64
gloo-fed.global.glooMtls.istioProxy.securityContext.runAsGroupint64
gloo-fed.global.glooMtls.istioProxy.securityContext.runAsNonRootbool
gloo-fed.global.glooMtls.istioProxy.securityContext.readOnlyRootFilesystembool
gloo-fed.global.glooMtls.istioProxy.securityContext.allowPrivilegeEscalationbool
gloo-fed.global.glooMtls.istioProxy.securityContext.procMountstring
gloo-fed.global.glooMtls.istioProxy.securityContext.seccompProfile.typestring
gloo-fed.global.glooMtls.istioProxy.securityContext.seccompProfile.localhostProfilestring
gloo-fed.global.glooMtls.istioProxy.securityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you cannot override a ‘true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
gloo-fed.global.glooMtls.istioProxy.logLevelstringLog level for istio-proxy. Options include “info”, “debug”, “warning”, and “error”. Default level is info Default is ‘warning’.
gloo-fed.global.glooMtls.istioProxy.istioMetaMeshIdstringISTIO_META_MESH_ID Environment Variable. Warning: this value is only supported with Kubernetes Gateway API proxy. Defaults to “cluster.local”
gloo-fed.global.glooMtls.istioProxy.istioMetaClusterIdstringISTIO_META_CLUSTER_ID Environment Variable. Warning: this value is only supported with Kubernetes Gateway API proxy. Defaults to “Kubernetes”
gloo-fed.global.glooMtls.istioProxy.istioDiscoveryAddressstringdiscoveryAddress field of the PROXY_CONFIG environment variable. Warning: this value is only supported with Kubernetes Gateway API proxy. Defaults to “istiod.istio-system.svc:15012”
gloo-fed.global.glooMtls.envoySidecarResources.limits.memorystringamount of memory
gloo-fed.global.glooMtls.envoySidecarResources.limits.cpustringamount of CPUs
gloo-fed.global.glooMtls.envoySidecarResources.requests.memorystringamount of memory
gloo-fed.global.glooMtls.envoySidecarResources.requests.cpustringamount of CPUs
gloo-fed.global.glooMtls.sdsResources.limits.memorystringamount of memory
gloo-fed.global.glooMtls.sdsResources.limits.cpustringamount of CPUs
gloo-fed.global.glooMtls.sdsResources.requests.memorystringamount of memory
gloo-fed.global.glooMtls.sdsResources.requests.cpustringamount of CPUs
gloo-fed.global.istioSDS.enabledboolEnables SDS cert-rotator sidecar for istio mTLS cert rotation. Warning: this value is deprecated and will be removed in a future release. Use global.istioIntegration.enabled instead.
gloo-fed.global.istioSDS.customSidecars[]interfaceOverride the default Istio sidecar in gateway-proxy with a custom container. Ignored if IstioSDS.enabled is false
gloo-fed.global.istioIntegration.enabledboolEnables Istio integration for Gloo Edge, adding the sds and istio-proxy containers to gateways for Istio mTLS cert rotation.
gloo-fed.global.istioIntegration.enableAutoMtlsboolEnables Istio auto mtls configuration for Gloo Edge upstreams.
gloo-fed.global.istioIntegration.disableAutoinjectionboolAnnotate all pods (excluding those whitelisted by other config values) with an explicit ‘do not inject’ annotation to prevent Istio from adding sidecars to all pods. It’s recommended that this be set to true, as some pods do not immediately work with an Istio sidecar without extra manual configuration. Warning: this value is not supported with Kubernetes Gateway API proxy.
gloo-fed.global.istioIntegration.labelInstallNamespaceboolWarning: This value is deprecated and will be removed in a future release. Also, you cannot use this value with a Kubernetes Gateway API proxy. If creating a namespace for Gloo, include the ‘istio-injection: enabled’ label (or ‘istio.io/rev=’ if ‘istioSidecarRevTag’ field is also set) to allow Istio sidecar injection for Gloo pods. Be aware that Istio’s default injection behavior will auto-inject a sidecar into all pods in such a marked namespace. Disabling this behavior in Istio’s configs or using gloo’s global.istioIntegration.disableAutoinjection flag is recommended.
gloo-fed.global.istioIntegration.whitelistDiscoveryboolWarning: This value is deprecated and will be removed in a future release. Also, you cannot use this value with a Kubernetes Gateway API proxy. Annotate the discovery pod for Istio sidecar injection to ensure that it gets a sidecar even when namespace-wide auto-injection is disabled. Generally only needed if FDS is enabled.
gloo-fed.global.istioIntegration.enableIstioSidecarOnGatewayboolWarning: This value is deprecated and will be removed in a future release. Also, you cannot use this value with a Kubernetes Gateway API proxy. Enable Istio sidecar injection on the gateway-proxy deployment. Ignored if LabelInstallNamespace is not ‘true’. Ignored if disableAutoinjection is ‘true’.
gloo-fed.global.istioIntegration.istioSidecarRevTagstringWarning: This value is deprecated and will be removed in a future release. Also, you cannot use this value with a Kubernetes Gateway API proxy. Value of revision tag for Istio sidecar injection on the gateway-proxy and discovery deployments (when enabled with LabelInstallNamespace, WhitelistDiscovery or EnableIstioSidecarOnGateway). If set, applies the label ‘istio.io/rev:’ instead of ‘sidecar.istio.io/inject’ or ‘istio-injection:enabled’. Ignored if disableAutoinjection is ‘true’.
gloo-fed.global.istioIntegration.appendXForwardedHostboolWarning: This value is deprecated and will be removed in a future release. Also, you cannot use this value with a Kubernetes Gateway API proxy. Enable appending the X-Forwarded-Host header with the Istio-provided value. Default: true.
gloo-fed.global.extraSpecsboolAdd additional specs to include in the settings manifest, as defined by a helm partial. Defaults to false in open source, and true in enterprise.
gloo-fed.global.extauthCustomYamlboolInject whatever yaml exists in .Values.global.extensions.extAuth into settings.spec.extauth, instead of structured yaml (which is enterprise only). Defaults to true in open source, and false in enterprise
gloo-fed.global.consoleinterfaceConfiguration options for the Enterprise Console (UI).
gloo-fed.global.graphqlinterface(Enterprise Only): GraphQL configuration options.
gloo-fed.global.configMaps[].namestringName of the ConfigMap to create (required).
gloo-fed.global.configMaps[].namespacestringNamespace in which to create the ConfigMap. If empty, defaults to Gloo Edge install namespace.
gloo-fed.global.configMaps[].data.NAMEstringKey-value pairs of ConfigMap data.
gloo-fed.global.extraCustomResourcesboolAdd additional custom resources to create, as defined by a helm partial. Defaults to false in open source, and true in enterprise.
gloo-fed.global.additionalLabels.NAMEstringAdditional labels to add to all gloo resources.
gloo-fed.global.podSecurityStandards.container.enableRestrictedContainerDefaultsboolSet to true to default all containers to a security policy that minimally conforms to a restricted container security policy.
gloo-fed.global.podSecurityStandards.container.defaultSeccompProfileTypestringThe seccomp profile type to use for default restricted container securityContexts. Valid values are ‘RuntimeDefault’ and ‘Localhost’. Default is ‘RuntimeDefault’. Has no effect if enableRestrictedContainerDefaults is false.
gloo-fed.global.securitySettings.floatingUserIdboolIf true, use ‘true’ as default value for all instances of floatingUserId. In OSS, has the additional effects of rendering charts as if ‘discovery.deployment.enablePodSecurityContext=false’ and ‘gatewayProxies.gatewayProxy.podTemplate.enablePodSecurityContext=false’. In EE templates has the additional effects of rendering charts as if ‘redis.deployment.enablePodSecurityContext=false’, and in the ExtAuth deployment’s podSecurityContext, behavior will match the local ‘floatingUserId’ and fsGroup will not be rendered.
gloo-fed.global.console.readOnlyboolIf true, then custom resources can only be viewed in read-only mode in the UI. If false, then resources can be created, updated, and deleted via the UI (default false).
gloo-fed.global.console.apiExplorerEnabledboolWhether the GraphQL API Explorer is enabled (default true).
gloo-fed.enabledboolIf true, deploy federation service (default true).
gloo-fed.create_license_secretboolfalseCreate a secret for the license specified in ‘license_key’. Set to ‘false’ if you use ‘license_secret_name’ instead.
gloo-fed.license_secret_namestringThe name of a secret that contains your Gloo Edge license key. Set ‘create_license_key’ to ‘false’ to disable use of the default license secret.
gloo-fed.license_keystringYour Gloo Edge license key.
gloo-fed.enableMultiClusterRbacbool
gloo-fed.glooFedApiserver.enablebool
gloo-fed.glooFedApiserver.replicasint
gloo-fed.glooFedApiserver.image.tagstringThe image tag for the container.
gloo-fed.glooFedApiserver.image.repositorystringThe image repository (name) for the container.
gloo-fed.glooFedApiserver.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
gloo-fed.glooFedApiserver.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
gloo-fed.glooFedApiserver.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
gloo-fed.glooFedApiserver.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
gloo-fed.glooFedApiserver.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
gloo-fed.glooFedApiserver.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
gloo-fed.glooFedApiserver.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
gloo-fed.glooFedApiserver.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
gloo-fed.glooFedApiserver.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
gloo-fed.glooFedApiserver.portint
gloo-fed.glooFedApiserver.healthCheckPortint
gloo-fed.glooFedApiserver.resources.limits.memorystringamount of memory
gloo-fed.glooFedApiserver.resources.limits.cpustringamount of CPUs
gloo-fed.glooFedApiserver.resources.requests.memorystringamount of memory
gloo-fed.glooFedApiserver.resources.requests.cpustringamount of CPUs
gloo-fed.glooFedApiserver.stats.enabledboolControls whether or not Envoy stats are enabled
gloo-fed.glooFedApiserver.stats.routePrefixRewritestringThe Envoy stats endpoint to which the metrics are written
gloo-fed.glooFedApiserver.stats.setDatadogAnnotationsboolSets the default datadog annotations
gloo-fed.glooFedApiserver.stats.enableStatsRouteboolEnables an additional route to the stats cluster defaulting to /stats
gloo-fed.glooFedApiserver.stats.statsPrefixRewritestringThe Envoy stats endpoint with general metrics for the additional stats route
gloo-fed.glooFedApiserver.stats.serviceMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Service Monitor. Requires that ‘enabled’ is also true
gloo-fed.glooFedApiserver.stats.podMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Pod Monitor. Requires that ‘enabled’ is also true
gloo-fed.glooFedApiserver.floatingUserIdbool
gloo-fed.glooFedApiserver.runAsUserfloat64
gloo-fed.glooFedApiserver.console.image.tagstringThe image tag for the container.
gloo-fed.glooFedApiserver.console.image.repositorystringThe image repository (name) for the container.
gloo-fed.glooFedApiserver.console.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
gloo-fed.glooFedApiserver.console.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
gloo-fed.glooFedApiserver.console.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
gloo-fed.glooFedApiserver.console.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
gloo-fed.glooFedApiserver.console.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
gloo-fed.glooFedApiserver.console.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
gloo-fed.glooFedApiserver.console.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
gloo-fed.glooFedApiserver.console.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
gloo-fed.glooFedApiserver.console.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
gloo-fed.glooFedApiserver.console.portint
gloo-fed.glooFedApiserver.console.resources.limits.memorystringamount of memory
gloo-fed.glooFedApiserver.console.resources.limits.cpustringamount of CPUs
gloo-fed.glooFedApiserver.console.resources.requests.memorystringamount of memory
gloo-fed.glooFedApiserver.console.resources.requests.cpustringamount of CPUs
gloo-fed.glooFedApiserver.envoy.image.tagstringThe image tag for the container.
gloo-fed.glooFedApiserver.envoy.image.repositorystringThe image repository (name) for the container.
gloo-fed.glooFedApiserver.envoy.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
gloo-fed.glooFedApiserver.envoy.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
gloo-fed.glooFedApiserver.envoy.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
gloo-fed.glooFedApiserver.envoy.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
gloo-fed.glooFedApiserver.envoy.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
gloo-fed.glooFedApiserver.envoy.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
gloo-fed.glooFedApiserver.envoy.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
gloo-fed.glooFedApiserver.envoy.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
gloo-fed.glooFedApiserver.envoy.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
gloo-fed.glooFedApiserver.envoy.resources.limits.memorystringamount of memory
gloo-fed.glooFedApiserver.envoy.resources.limits.cpustringamount of CPUs
gloo-fed.glooFedApiserver.envoy.resources.requests.memorystringamount of memory
gloo-fed.glooFedApiserver.envoy.resources.requests.cpustringamount of CPUs
gloo-fed.glooFedApiserver.envoy.bootstrapConfig.configMapNamestring
gloo-fed.glooFedApiserver.namespaceRestrictedModeboolIf true, convert the ClusterRole used in apiserver to a Role. Useful in single-namespace deployments of gloo-ee where permissions can be more restrictive. Setting this in a multi-cluster deployment is not recommended. Default is false.
gloo-fed.glooFedApiserver.replicasintnumber of instances to deploy
gloo-fed.glooFedApiserver.customEnv[].namestring
gloo-fed.glooFedApiserver.customEnv[].valuestring
gloo-fed.glooFedApiserver.customEnv[].valueFrom.fieldRef.apiVersionstring
gloo-fed.glooFedApiserver.customEnv[].valueFrom.fieldRef.fieldPathstring
gloo-fed.glooFedApiserver.customEnv[].valueFrom.resourceFieldRef.containerNamestring
gloo-fed.glooFedApiserver.customEnv[].valueFrom.resourceFieldRef.resourcestring
gloo-fed.glooFedApiserver.customEnv[].valueFrom.resourceFieldRef.divisorint64
gloo-fed.glooFedApiserver.customEnv[].valueFrom.resourceFieldRef.divisorint32
gloo-fed.glooFedApiserver.customEnv[].valueFrom.resourceFieldRef.divisorbool
gloo-fed.glooFedApiserver.customEnv[].valueFrom.resourceFieldRef.divisor[]uint
gloo-fed.glooFedApiserver.customEnv[].valueFrom.resourceFieldRef.divisor[]int32
gloo-fed.glooFedApiserver.customEnv[].valueFrom.resourceFieldRef.divisor[]string
gloo-fed.glooFedApiserver.customEnv[].valueFrom.resourceFieldRef.divisor[]string
gloo-fed.glooFedApiserver.customEnv[].valueFrom.configMapKeyRef.namestring
gloo-fed.glooFedApiserver.customEnv[].valueFrom.configMapKeyRef.keystring
gloo-fed.glooFedApiserver.customEnv[].valueFrom.configMapKeyRef.optionalbool
gloo-fed.glooFedApiserver.customEnv[].valueFrom.secretKeyRef.namestring
gloo-fed.glooFedApiserver.customEnv[].valueFrom.secretKeyRef.keystring
gloo-fed.glooFedApiserver.customEnv[].valueFrom.secretKeyRef.optionalbool
gloo-fed.glooFedApiserver.restartPolicystringrestart policy to use when the pod exits
gloo-fed.glooFedApiserver.priorityClassNamestringname of a defined priority class
gloo-fed.glooFedApiserver.nodeNamestringname of node to run on
gloo-fed.glooFedApiserver.nodeSelector.NAMEstringlabel selector for nodes
gloo-fed.glooFedApiserver.tolerations[].keystring
gloo-fed.glooFedApiserver.tolerations[].operatorstring
gloo-fed.glooFedApiserver.tolerations[].valuestring
gloo-fed.glooFedApiserver.tolerations[].effectstring
gloo-fed.glooFedApiserver.tolerations[].tolerationSecondsint64
gloo-fed.glooFedApiserver.affinity.NAMEinterface
gloo-fed.glooFedApiserver.hostAliases[]interface
gloo-fed.glooFedApiserver.initContainers[]interfaceInitContainers to be added to the array of initContainers on the deployment.
gloo-fed.glooFedApiserver.resources.limits.memorystringamount of memory
gloo-fed.glooFedApiserver.resources.limits.cpustringamount of CPUs
gloo-fed.glooFedApiserver.resources.requests.memorystringamount of memory
gloo-fed.glooFedApiserver.resources.requests.cpustringamount of CPUs
gloo-fed.glooFedApiserver.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gloo-fed.glooFed.image.tagstringThe image tag for the container.
gloo-fed.glooFed.image.repositorystringThe image repository (name) for the container.
gloo-fed.glooFed.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
gloo-fed.glooFed.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
gloo-fed.glooFed.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
gloo-fed.glooFed.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
gloo-fed.glooFed.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
gloo-fed.glooFed.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
gloo-fed.glooFed.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
gloo-fed.glooFed.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
gloo-fed.glooFed.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
gloo-fed.glooFed.replicasint
gloo-fed.glooFed.stats.enabledboolControls whether or not Envoy stats are enabled
gloo-fed.glooFed.stats.routePrefixRewritestringThe Envoy stats endpoint to which the metrics are written
gloo-fed.glooFed.stats.setDatadogAnnotationsboolSets the default datadog annotations
gloo-fed.glooFed.stats.enableStatsRouteboolEnables an additional route to the stats cluster defaulting to /stats
gloo-fed.glooFed.stats.statsPrefixRewritestringThe Envoy stats endpoint with general metrics for the additional stats route
gloo-fed.glooFed.stats.serviceMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Service Monitor. Requires that ‘enabled’ is also true
gloo-fed.glooFed.stats.podMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Pod Monitor. Requires that ‘enabled’ is also true
gloo-fed.glooFed.retries.clusterWatcherRemote.typestringThe type of delay to use when retrying. Must be either ‘backoff’ (for exponential backoff) or ‘fixed’ (for fixed intervals).
gloo-fed.glooFed.retries.clusterWatcherRemote.delaystringThe delay between retries. For exponential backoff, this is the delay for the initial retry. This must be a Duration string, e.g. ‘100ms’ or ‘1m5s’.
gloo-fed.glooFed.retries.clusterWatcherRemote.maxDelaystringThe maximum delay between retries. This can be used to cap the retry interval when exponential backoff is used. If set to 0, there will be no maximum delay. This must be a Duration string, e.g. ‘100ms’ or ‘1m5s’.
gloo-fed.glooFed.retries.clusterWatcherRemote.maxJitterstringThe maximum amount of random jitter to add between retries. If this value is greater than 0, retries will be done with a random amount of jitter, up to maxJitter. If this value is 0, then no randomness will be added to retries. This must be a Duration string, e.g. ‘100ms’ or ‘1m5s’.
gloo-fed.glooFed.retries.clusterWatcherRemote.attemptsuintThe maximum number of attempts to make. Set to 0 to retry forever.
gloo-fed.glooFed.retries.clusterWatcherLocal.typestringThe type of delay to use when retrying. Must be either ‘backoff’ (for exponential backoff) or ‘fixed’ (for fixed intervals).
gloo-fed.glooFed.retries.clusterWatcherLocal.delaystringThe delay between retries. For exponential backoff, this is the delay for the initial retry. This must be a Duration string, e.g. ‘100ms’ or ‘1m5s’.
gloo-fed.glooFed.retries.clusterWatcherLocal.maxDelaystringThe maximum delay between retries. This can be used to cap the retry interval when exponential backoff is used. If set to 0, there will be no maximum delay. This must be a Duration string, e.g. ‘100ms’ or ‘1m5s’.
gloo-fed.glooFed.retries.clusterWatcherLocal.maxJitterstringThe maximum amount of random jitter to add between retries. If this value is greater than 0, retries will be done with a random amount of jitter, up to maxJitter. If this value is 0, then no randomness will be added to retries. This must be a Duration string, e.g. ‘100ms’ or ‘1m5s’.
gloo-fed.glooFed.retries.clusterWatcherLocal.attemptsuintThe maximum number of attempts to make. Set to 0 to retry forever.
gloo-fed.glooFed.roleRules[].verbs[]string
gloo-fed.glooFed.roleRules[].apiGroups[]string
gloo-fed.glooFed.roleRules[].resources[]string
gloo-fed.glooFed.roleRules[].resourceNames[]string
gloo-fed.glooFed.roleRules[].nonResourceURLs[]string
gloo-fed.glooFed.volumes[].namestring
gloo-fed.glooFed.volumes[].hostPath.pathstring
gloo-fed.glooFed.volumes[].hostPath.typestring
gloo-fed.glooFed.volumes[].emptyDir.mediumstring
gloo-fed.glooFed.volumes[].emptyDir.sizeLimitint64
gloo-fed.glooFed.volumes[].emptyDir.sizeLimitint32
gloo-fed.glooFed.volumes[].emptyDir.sizeLimitbool
gloo-fed.glooFed.volumes[].emptyDir.sizeLimit[]uint
gloo-fed.glooFed.volumes[].emptyDir.sizeLimit[]int32
gloo-fed.glooFed.volumes[].emptyDir.sizeLimit[]string
gloo-fed.glooFed.volumes[].emptyDir.sizeLimit[]string
gloo-fed.glooFed.volumes[].gcePersistentDisk.pdNamestring
gloo-fed.glooFed.volumes[].gcePersistentDisk.fsTypestring
gloo-fed.glooFed.volumes[].gcePersistentDisk.partitionint32
gloo-fed.glooFed.volumes[].gcePersistentDisk.readOnlybool
gloo-fed.glooFed.volumes[].awsElasticBlockStore.volumeIDstring
gloo-fed.glooFed.volumes[].awsElasticBlockStore.fsTypestring
gloo-fed.glooFed.volumes[].awsElasticBlockStore.partitionint32
gloo-fed.glooFed.volumes[].awsElasticBlockStore.readOnlybool
gloo-fed.glooFed.volumes[].gitRepo.repositorystring
gloo-fed.glooFed.volumes[].gitRepo.revisionstring
gloo-fed.glooFed.volumes[].gitRepo.directorystring
gloo-fed.glooFed.volumes[].secret.secretNamestring
gloo-fed.glooFed.volumes[].secret.items[].keystring
gloo-fed.glooFed.volumes[].secret.items[].pathstring
gloo-fed.glooFed.volumes[].secret.items[].modeint32
gloo-fed.glooFed.volumes[].secret.defaultModeint32
gloo-fed.glooFed.volumes[].secret.optionalbool
gloo-fed.glooFed.volumes[].nfs.serverstring
gloo-fed.glooFed.volumes[].nfs.pathstring
gloo-fed.glooFed.volumes[].nfs.readOnlybool
gloo-fed.glooFed.volumes[].iscsi.targetPortalstring
gloo-fed.glooFed.volumes[].iscsi.iqnstring
gloo-fed.glooFed.volumes[].iscsi.lunint32
gloo-fed.glooFed.volumes[].iscsi.iscsiInterfacestring
gloo-fed.glooFed.volumes[].iscsi.fsTypestring
gloo-fed.glooFed.volumes[].iscsi.readOnlybool
gloo-fed.glooFed.volumes[].iscsi.portals[]string
gloo-fed.glooFed.volumes[].iscsi.chapAuthDiscoverybool
gloo-fed.glooFed.volumes[].iscsi.chapAuthSessionbool
gloo-fed.glooFed.volumes[].iscsi.secretRef.namestring
gloo-fed.glooFed.volumes[].iscsi.initiatorNamestring
gloo-fed.glooFed.volumes[].glusterfs.endpointsstring
gloo-fed.glooFed.volumes[].glusterfs.pathstring
gloo-fed.glooFed.volumes[].glusterfs.readOnlybool
gloo-fed.glooFed.volumes[].persistentVolumeClaim.claimNamestring
gloo-fed.glooFed.volumes[].persistentVolumeClaim.readOnlybool
gloo-fed.glooFed.volumes[].rbd.monitors[]string
gloo-fed.glooFed.volumes[].rbd.imagestring
gloo-fed.glooFed.volumes[].rbd.fsTypestring
gloo-fed.glooFed.volumes[].rbd.poolstring
gloo-fed.glooFed.volumes[].rbd.userstring
gloo-fed.glooFed.volumes[].rbd.keyringstring
gloo-fed.glooFed.volumes[].rbd.secretRef.namestring
gloo-fed.glooFed.volumes[].rbd.readOnlybool
gloo-fed.glooFed.volumes[].flexVolume.driverstring
gloo-fed.glooFed.volumes[].flexVolume.fsTypestring
gloo-fed.glooFed.volumes[].flexVolume.secretRef.namestring
gloo-fed.glooFed.volumes[].flexVolume.readOnlybool
gloo-fed.glooFed.volumes[].flexVolume.options.NAMEstring
gloo-fed.glooFed.volumes[].cinder.volumeIDstring
gloo-fed.glooFed.volumes[].cinder.fsTypestring
gloo-fed.glooFed.volumes[].cinder.readOnlybool
gloo-fed.glooFed.volumes[].cinder.secretRef.namestring
gloo-fed.glooFed.volumes[].cephfs.monitors[]string
gloo-fed.glooFed.volumes[].cephfs.pathstring
gloo-fed.glooFed.volumes[].cephfs.userstring
gloo-fed.glooFed.volumes[].cephfs.secretFilestring
gloo-fed.glooFed.volumes[].cephfs.secretRef.namestring
gloo-fed.glooFed.volumes[].cephfs.readOnlybool
gloo-fed.glooFed.volumes[].flocker.datasetNamestring
gloo-fed.glooFed.volumes[].flocker.datasetUUIDstring
gloo-fed.glooFed.volumes[].downwardAPI.items[].pathstring
gloo-fed.glooFed.volumes[].downwardAPI.items[].fieldRef.apiVersionstring
gloo-fed.glooFed.volumes[].downwardAPI.items[].fieldRef.fieldPathstring
gloo-fed.glooFed.volumes[].downwardAPI.items[].resourceFieldRef.containerNamestring
gloo-fed.glooFed.volumes[].downwardAPI.items[].resourceFieldRef.resourcestring
gloo-fed.glooFed.volumes[].downwardAPI.items[].resourceFieldRef.divisorint64
gloo-fed.glooFed.volumes[].downwardAPI.items[].resourceFieldRef.divisorint32
gloo-fed.glooFed.volumes[].downwardAPI.items[].resourceFieldRef.divisorbool
gloo-fed.glooFed.volumes[].downwardAPI.items[].resourceFieldRef.divisor[]uint
gloo-fed.glooFed.volumes[].downwardAPI.items[].resourceFieldRef.divisor[]int32
gloo-fed.glooFed.volumes[].downwardAPI.items[].resourceFieldRef.divisor[]string
gloo-fed.glooFed.volumes[].downwardAPI.items[].resourceFieldRef.divisor[]string
gloo-fed.glooFed.volumes[].downwardAPI.items[].modeint32
gloo-fed.glooFed.volumes[].downwardAPI.defaultModeint32
gloo-fed.glooFed.volumes[].fc.targetWWNs[]string
gloo-fed.glooFed.volumes[].fc.lunint32
gloo-fed.glooFed.volumes[].fc.fsTypestring
gloo-fed.glooFed.volumes[].fc.readOnlybool
gloo-fed.glooFed.volumes[].fc.wwids[]string
gloo-fed.glooFed.volumes[].azureFile.secretNamestring
gloo-fed.glooFed.volumes[].azureFile.shareNamestring
gloo-fed.glooFed.volumes[].azureFile.readOnlybool
gloo-fed.glooFed.volumes[].configMap.namestring
gloo-fed.glooFed.volumes[].configMap.items[].keystring
gloo-fed.glooFed.volumes[].configMap.items[].pathstring
gloo-fed.glooFed.volumes[].configMap.items[].modeint32
gloo-fed.glooFed.volumes[].configMap.defaultModeint32
gloo-fed.glooFed.volumes[].configMap.optionalbool
gloo-fed.glooFed.volumes[].vsphereVolume.volumePathstring
gloo-fed.glooFed.volumes[].vsphereVolume.fsTypestring
gloo-fed.glooFed.volumes[].vsphereVolume.storagePolicyNamestring
gloo-fed.glooFed.volumes[].vsphereVolume.storagePolicyIDstring
gloo-fed.glooFed.volumes[].quobyte.registrystring
gloo-fed.glooFed.volumes[].quobyte.volumestring
gloo-fed.glooFed.volumes[].quobyte.readOnlybool
gloo-fed.glooFed.volumes[].quobyte.userstring
gloo-fed.glooFed.volumes[].quobyte.groupstring
gloo-fed.glooFed.volumes[].quobyte.tenantstring
gloo-fed.glooFed.volumes[].azureDisk.diskNamestring
gloo-fed.glooFed.volumes[].azureDisk.diskURIstring
gloo-fed.glooFed.volumes[].azureDisk.cachingModestring
gloo-fed.glooFed.volumes[].azureDisk.fsTypestring
gloo-fed.glooFed.volumes[].azureDisk.readOnlybool
gloo-fed.glooFed.volumes[].azureDisk.kindstring
gloo-fed.glooFed.volumes[].photonPersistentDisk.pdIDstring
gloo-fed.glooFed.volumes[].photonPersistentDisk.fsTypestring
gloo-fed.glooFed.volumes[].projected.sources[].secret.namestring
gloo-fed.glooFed.volumes[].projected.sources[].secret.items[].keystring
gloo-fed.glooFed.volumes[].projected.sources[].secret.items[].pathstring
gloo-fed.glooFed.volumes[].projected.sources[].secret.items[].modeint32
gloo-fed.glooFed.volumes[].projected.sources[].secret.optionalbool
gloo-fed.glooFed.volumes[].projected.sources[].downwardAPI.items[].pathstring
gloo-fed.glooFed.volumes[].projected.sources[].downwardAPI.items[].fieldRef.apiVersionstring
gloo-fed.glooFed.volumes[].projected.sources[].downwardAPI.items[].fieldRef.fieldPathstring
gloo-fed.glooFed.volumes[].projected.sources[].downwardAPI.items[].resourceFieldRef.containerNamestring
gloo-fed.glooFed.volumes[].projected.sources[].downwardAPI.items[].resourceFieldRef.resourcestring
gloo-fed.glooFed.volumes[].projected.sources[].downwardAPI.items[].resourceFieldRef.divisorint64
gloo-fed.glooFed.volumes[].projected.sources[].downwardAPI.items[].resourceFieldRef.divisorint32
gloo-fed.glooFed.volumes[].projected.sources[].downwardAPI.items[].resourceFieldRef.divisorbool
gloo-fed.glooFed.volumes[].projected.sources[].downwardAPI.items[].resourceFieldRef.divisor[]uint
gloo-fed.glooFed.volumes[].projected.sources[].downwardAPI.items[].resourceFieldRef.divisor[]int32
gloo-fed.glooFed.volumes[].projected.sources[].downwardAPI.items[].resourceFieldRef.divisor[]string
gloo-fed.glooFed.volumes[].projected.sources[].downwardAPI.items[].resourceFieldRef.divisor[]string
gloo-fed.glooFed.volumes[].projected.sources[].downwardAPI.items[].modeint32
gloo-fed.glooFed.volumes[].projected.sources[].configMap.namestring
gloo-fed.glooFed.volumes[].projected.sources[].configMap.items[].keystring
gloo-fed.glooFed.volumes[].projected.sources[].configMap.items[].pathstring
gloo-fed.glooFed.volumes[].projected.sources[].configMap.items[].modeint32
gloo-fed.glooFed.volumes[].projected.sources[].configMap.optionalbool
gloo-fed.glooFed.volumes[].projected.sources[].serviceAccountToken.audiencestring
gloo-fed.glooFed.volumes[].projected.sources[].serviceAccountToken.expirationSecondsint64
gloo-fed.glooFed.volumes[].projected.sources[].serviceAccountToken.pathstring
gloo-fed.glooFed.volumes[].projected.sources[].clusterTrustBundle.namestring
gloo-fed.glooFed.volumes[].projected.sources[].clusterTrustBundle.signerNamestring
gloo-fed.glooFed.volumes[].projected.sources[].clusterTrustBundle.labelSelector.matchLabels.NAMEstring
gloo-fed.glooFed.volumes[].projected.sources[].clusterTrustBundle.labelSelector.matchExpressions[].keystring
gloo-fed.glooFed.volumes[].projected.sources[].clusterTrustBundle.labelSelector.matchExpressions[].operatorstring
gloo-fed.glooFed.volumes[].projected.sources[].clusterTrustBundle.labelSelector.matchExpressions[].values[]string
gloo-fed.glooFed.volumes[].projected.sources[].clusterTrustBundle.optionalbool
gloo-fed.glooFed.volumes[].projected.sources[].clusterTrustBundle.pathstring
gloo-fed.glooFed.volumes[].projected.defaultModeint32
gloo-fed.glooFed.volumes[].portworxVolume.volumeIDstring
gloo-fed.glooFed.volumes[].portworxVolume.fsTypestring
gloo-fed.glooFed.volumes[].portworxVolume.readOnlybool
gloo-fed.glooFed.volumes[].scaleIO.gatewaystring
gloo-fed.glooFed.volumes[].scaleIO.systemstring
gloo-fed.glooFed.volumes[].scaleIO.secretRef.namestring
gloo-fed.glooFed.volumes[].scaleIO.sslEnabledbool
gloo-fed.glooFed.volumes[].scaleIO.protectionDomainstring
gloo-fed.glooFed.volumes[].scaleIO.storagePoolstring
gloo-fed.glooFed.volumes[].scaleIO.storageModestring
gloo-fed.glooFed.volumes[].scaleIO.volumeNamestring
gloo-fed.glooFed.volumes[].scaleIO.fsTypestring
gloo-fed.glooFed.volumes[].scaleIO.readOnlybool
gloo-fed.glooFed.volumes[].storageos.volumeNamestring
gloo-fed.glooFed.volumes[].storageos.volumeNamespacestring
gloo-fed.glooFed.volumes[].storageos.fsTypestring
gloo-fed.glooFed.volumes[].storageos.readOnlybool
gloo-fed.glooFed.volumes[].storageos.secretRef.namestring
gloo-fed.glooFed.volumes[].csi.driverstring
gloo-fed.glooFed.volumes[].csi.readOnlybool
gloo-fed.glooFed.volumes[].csi.fsTypestring
gloo-fed.glooFed.volumes[].csi.volumeAttributes.NAMEstring
gloo-fed.glooFed.volumes[].csi.nodePublishSecretRef.namestring
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.namestring
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.generateNamestring
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.namespacestring
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.selfLinkstring
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.uidstring
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.resourceVersionstring
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.generationint64
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.creationTimestampuint64
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.creationTimestampint64
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.creationTimestampstring
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.creationTimestamp[]string
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.creationTimestamp[]int
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.creationTimestamp[]bool
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.creationTimestamp[][]int64
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.creationTimestamp[][]uint8
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.creationTimestamp[][]bool
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.creationTimestamp[][]bool
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.creationTimestamp[][]string
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.creationTimestamp[][]int64
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.creationTimestamp[][]int64
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.creationTimestamp[][]string
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.creationTimestamp[][]int
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.creationTimestamp[][]bool
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.deletionTimestampuint64
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.deletionTimestampint64
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.deletionTimestampstring
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.deletionTimestamp[]string
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.deletionTimestamp[]int
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.deletionTimestamp[]bool
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.deletionTimestamp[][]int64
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.deletionTimestamp[][]uint8
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.deletionTimestamp[][]bool
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.deletionTimestamp[][]bool
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.deletionTimestamp[][]string
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.deletionTimestamp[][]int64
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.deletionTimestamp[][]int64
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.deletionTimestamp[][]string
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.deletionTimestamp[][]int
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.deletionTimestamp[][]bool
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.deletionGracePeriodSecondsint64
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.labels.NAMEstring
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.annotations.NAMEstring
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.ownerReferences[].apiVersionstring
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.ownerReferences[].kindstring
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.ownerReferences[].namestring
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.ownerReferences[].uidstring
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.ownerReferences[].controllerbool
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.ownerReferences[].blockOwnerDeletionbool
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.finalizers[]string
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.managedFields[].managerstring
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.managedFields[].operationstring
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.managedFields[].apiVersionstring
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.managedFields[].timeuint64
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.managedFields[].timeint64
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.managedFields[].timestring
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.managedFields[].time[]string
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.managedFields[].time[]int
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.managedFields[].time[]bool
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.managedFields[].time[][]int64
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.managedFields[].time[][]uint8
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.managedFields[].time[][]bool
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.managedFields[].time[][]bool
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.managedFields[].time[][]string
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.managedFields[].time[][]int64
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.managedFields[].time[][]int64
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.managedFields[].time[][]string
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.managedFields[].time[][]int
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.managedFields[].time[][]bool
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.managedFields[].fieldsTypestring
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.managedFields[].fieldsV1.-[]uint8
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.metadata.managedFields[].subresourcestring
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.spec.accessModes[]string
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.spec.selector.matchLabels.NAMEstring
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.spec.selector.matchExpressions[].keystring
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.spec.selector.matchExpressions[].operatorstring
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.spec.selector.matchExpressions[].values[]string
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.spec.resources.limits.NAMEint64
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.spec.resources.limits.NAMEint32
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.spec.resources.limits.NAMEbool
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.spec.resources.limits.NAME[]uint
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.spec.resources.limits.NAME[]int32
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.spec.resources.limits.NAME[]string
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.spec.resources.limits.NAME[]string
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.spec.resources.requests.NAMEint64
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.spec.resources.requests.NAMEint32
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.spec.resources.requests.NAMEbool
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.spec.resources.requests.NAME[]uint
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.spec.resources.requests.NAME[]int32
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.spec.resources.requests.NAME[]string
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.spec.resources.requests.NAME[]string
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.spec.volumeNamestring
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.spec.storageClassNamestring
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.spec.volumeModestring
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.spec.dataSource.apiGroupstring
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.spec.dataSource.kindstring
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.spec.dataSource.namestring
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.spec.dataSourceRef.apiGroupstring
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.spec.dataSourceRef.kindstring
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.spec.dataSourceRef.namestring
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.spec.dataSourceRef.namespacestring
gloo-fed.glooFed.volumes[].ephemeral.volumeClaimTemplate.spec.volumeAttributesClassNamestring
gloo-fed.glooFed.glooFed.securityContext.capabilities.add[]string
gloo-fed.glooFed.glooFed.securityContext.capabilities.drop[]string
gloo-fed.glooFed.glooFed.securityContext.privilegedbool
gloo-fed.glooFed.glooFed.securityContext.seLinuxOptions.userstring
gloo-fed.glooFed.glooFed.securityContext.seLinuxOptions.rolestring
gloo-fed.glooFed.glooFed.securityContext.seLinuxOptions.typestring
gloo-fed.glooFed.glooFed.securityContext.seLinuxOptions.levelstring
gloo-fed.glooFed.glooFed.securityContext.windowsOptions.gmsaCredentialSpecNamestring
gloo-fed.glooFed.glooFed.securityContext.windowsOptions.gmsaCredentialSpecstring
gloo-fed.glooFed.glooFed.securityContext.windowsOptions.runAsUserNamestring
gloo-fed.glooFed.glooFed.securityContext.windowsOptions.hostProcessbool
gloo-fed.glooFed.glooFed.securityContext.runAsUserint64
gloo-fed.glooFed.glooFed.securityContext.runAsGroupint64
gloo-fed.glooFed.glooFed.securityContext.runAsNonRootbool
gloo-fed.glooFed.glooFed.securityContext.readOnlyRootFilesystembool
gloo-fed.glooFed.glooFed.securityContext.allowPrivilegeEscalationbool
gloo-fed.glooFed.glooFed.securityContext.procMountstring
gloo-fed.glooFed.glooFed.securityContext.seccompProfile.typestring
gloo-fed.glooFed.glooFed.securityContext.seccompProfile.localhostProfilestring
gloo-fed.glooFed.glooFed.securityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you cannot override a ‘true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
gloo-fed.glooFed.glooFed.volumeMounts[].namestring
gloo-fed.glooFed.glooFed.volumeMounts[].readOnlybool
gloo-fed.glooFed.glooFed.volumeMounts[].mountPathstring
gloo-fed.glooFed.glooFed.volumeMounts[].subPathstring
gloo-fed.glooFed.glooFed.volumeMounts[].mountPropagationstring
gloo-fed.glooFed.glooFed.volumeMounts[].subPathExprstring
gloo-fed.glooFed.podSecurityContext.seLinuxOptions.userstring
gloo-fed.glooFed.podSecurityContext.seLinuxOptions.rolestring
gloo-fed.glooFed.podSecurityContext.seLinuxOptions.typestring
gloo-fed.glooFed.podSecurityContext.seLinuxOptions.levelstring
gloo-fed.glooFed.podSecurityContext.windowsOptions.gmsaCredentialSpecNamestring
gloo-fed.glooFed.podSecurityContext.windowsOptions.gmsaCredentialSpecstring
gloo-fed.glooFed.podSecurityContext.windowsOptions.runAsUserNamestring
gloo-fed.glooFed.podSecurityContext.windowsOptions.hostProcessbool
gloo-fed.glooFed.podSecurityContext.runAsUserint64
gloo-fed.glooFed.podSecurityContext.runAsGroupint64
gloo-fed.glooFed.podSecurityContext.runAsNonRootbool
gloo-fed.glooFed.podSecurityContext.supplementalGroups[]int64
gloo-fed.glooFed.podSecurityContext.fsGroupint64
gloo-fed.glooFed.podSecurityContext.sysctls[].namestring
gloo-fed.glooFed.podSecurityContext.sysctls[].valuestring
gloo-fed.glooFed.podSecurityContext.fsGroupChangePolicystring
gloo-fed.glooFed.podSecurityContext.seccompProfile.typestring
gloo-fed.glooFed.podSecurityContext.seccompProfile.localhostProfilestring
gloo-fed.glooFed.podSecurityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you cannot override a ‘true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
gloo-fed.glooFed.replicasintnumber of instances to deploy
gloo-fed.glooFed.customEnv[].namestring
gloo-fed.glooFed.customEnv[].valuestring
gloo-fed.glooFed.customEnv[].valueFrom.fieldRef.apiVersionstring
gloo-fed.glooFed.customEnv[].valueFrom.fieldRef.fieldPathstring
gloo-fed.glooFed.customEnv[].valueFrom.resourceFieldRef.containerNamestring
gloo-fed.glooFed.customEnv[].valueFrom.resourceFieldRef.resourcestring
gloo-fed.glooFed.customEnv[].valueFrom.resourceFieldRef.divisorint64
gloo-fed.glooFed.customEnv[].valueFrom.resourceFieldRef.divisorint32
gloo-fed.glooFed.customEnv[].valueFrom.resourceFieldRef.divisorbool
gloo-fed.glooFed.customEnv[].valueFrom.resourceFieldRef.divisor[]uint
gloo-fed.glooFed.customEnv[].valueFrom.resourceFieldRef.divisor[]int32
gloo-fed.glooFed.customEnv[].valueFrom.resourceFieldRef.divisor[]string
gloo-fed.glooFed.customEnv[].valueFrom.resourceFieldRef.divisor[]string
gloo-fed.glooFed.customEnv[].valueFrom.configMapKeyRef.namestring
gloo-fed.glooFed.customEnv[].valueFrom.configMapKeyRef.keystring
gloo-fed.glooFed.customEnv[].valueFrom.configMapKeyRef.optionalbool
gloo-fed.glooFed.customEnv[].valueFrom.secretKeyRef.namestring
gloo-fed.glooFed.customEnv[].valueFrom.secretKeyRef.keystring
gloo-fed.glooFed.customEnv[].valueFrom.secretKeyRef.optionalbool
gloo-fed.glooFed.restartPolicystringrestart policy to use when the pod exits
gloo-fed.glooFed.priorityClassNamestringname of a defined priority class
gloo-fed.glooFed.nodeNamestringname of node to run on
gloo-fed.glooFed.nodeSelector.NAMEstringlabel selector for nodes
gloo-fed.glooFed.tolerations[].keystring
gloo-fed.glooFed.tolerations[].operatorstring
gloo-fed.glooFed.tolerations[].valuestring
gloo-fed.glooFed.tolerations[].effectstring
gloo-fed.glooFed.tolerations[].tolerationSecondsint64
gloo-fed.glooFed.affinity.NAMEinterface
gloo-fed.glooFed.hostAliases[]interface
gloo-fed.glooFed.initContainers[]interfaceInitContainers to be added to the array of initContainers on the deployment.
gloo-fed.glooFed.resources.limits.memorystringamount of memory
gloo-fed.glooFed.resources.limits.cpustringamount of CPUs
gloo-fed.glooFed.resources.requests.memorystringamount of memory
gloo-fed.glooFed.resources.requests.cpustringamount of CPUs
gloo-fed.glooFed.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gloo-fed.rbac.createbool
gloo-fed.rbacWebhook.image.tagstringThe image tag for the container.
gloo-fed.rbacWebhook.image.repositorystringThe image repository (name) for the container.
gloo-fed.rbacWebhook.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
gloo-fed.rbacWebhook.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
gloo-fed.rbacWebhook.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
gloo-fed.rbacWebhook.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
gloo-fed.rbacWebhook.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
gloo-fed.rbacWebhook.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
gloo-fed.rbacWebhook.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
gloo-fed.rbacWebhook.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
gloo-fed.rbacWebhook.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
gloo-fed.rbacWebhook.resources.limits.memorystringamount of memory
gloo-fed.rbacWebhook.resources.limits.cpustringamount of CPUs
gloo-fed.rbacWebhook.resources.requests.memorystringamount of memory
gloo-fed.rbacWebhook.resources.requests.cpustringamount of CPUs
global.image.tagstringThe image tag for the container.
global.image.repositorystringThe image repository (name) for the container.
global.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
global.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
global.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
global.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
global.image.registrystringquay.io/solo-ioThe image hostname prefix and registry, such as quay.io/solo-io.
global.image.pullPolicystringIfNotPresentThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
global.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
global.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
global.image.fipsboolfalse[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
global.extensionsinterface
global.glooRbac.createbooltruecreate rbac rules for the gloo-system service account
global.glooRbac.namespacedbooluse Roles instead of ClusterRoles
global.glooRbac.nameSuffixstringWhen nameSuffix is nonempty, append ‘-$nameSuffix’ to the names of Gloo Edge RBAC resources; e.g. when nameSuffix is ‘foo’, the role ‘gloo-resource-reader’ will become ‘gloo-resource-reader-foo’
global.glooStats.enabledbooltrueControls whether or not Envoy stats are enabled
global.glooStats.routePrefixRewritestring/stats/prometheusThe Envoy stats endpoint to which the metrics are written
global.glooStats.setDatadogAnnotationsboolSets the default datadog annotations
global.glooStats.enableStatsRouteboolEnables an additional route to the stats cluster defaulting to /stats
global.glooStats.statsPrefixRewritestringThe Envoy stats endpoint with general metrics for the additional stats route
global.glooStats.serviceMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Service Monitor. Requires that ‘enabled’ is also true
global.glooStats.podMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Pod Monitor. Requires that ‘enabled’ is also true
global.glooMtls.enabledboolfalseEnables internal mtls authentication
global.glooMtls.sds.image.tagstringVersion number, ex. 1.8.0The image tag for the container.
global.glooMtls.sds.image.repositorystringsds-eeThe image repository (name) for the container.
global.glooMtls.sds.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
global.glooMtls.sds.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
global.glooMtls.sds.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
global.glooMtls.sds.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
global.glooMtls.sds.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
global.glooMtls.sds.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
global.glooMtls.sds.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
global.glooMtls.sds.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
global.glooMtls.sds.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
global.glooMtls.sds.securityContext.capabilities.add[]string
global.glooMtls.sds.securityContext.capabilities.drop[]string
global.glooMtls.sds.securityContext.privilegedbool
global.glooMtls.sds.securityContext.seLinuxOptions.userstring
global.glooMtls.sds.securityContext.seLinuxOptions.rolestring
global.glooMtls.sds.securityContext.seLinuxOptions.typestring
global.glooMtls.sds.securityContext.seLinuxOptions.levelstring
global.glooMtls.sds.securityContext.windowsOptions.gmsaCredentialSpecNamestring
global.glooMtls.sds.securityContext.windowsOptions.gmsaCredentialSpecstring
global.glooMtls.sds.securityContext.windowsOptions.runAsUserNamestring
global.glooMtls.sds.securityContext.windowsOptions.hostProcessbool
global.glooMtls.sds.securityContext.runAsUserint64
global.glooMtls.sds.securityContext.runAsGroupint64
global.glooMtls.sds.securityContext.runAsNonRootbool
global.glooMtls.sds.securityContext.readOnlyRootFilesystembool
global.glooMtls.sds.securityContext.allowPrivilegeEscalationbool
global.glooMtls.sds.securityContext.procMountstring
global.glooMtls.sds.securityContext.seccompProfile.typestring
global.glooMtls.sds.securityContext.seccompProfile.localhostProfilestring
global.glooMtls.sds.securityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you cannot override a ‘true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
global.glooMtls.sds.logLevelstringLog level for sds. Options include “info”, “debug”, “warn”, “error”, “panic” and “fatal”. Default level is info.
global.glooMtls.sds.sdsResources.limits.memorystringamount of memory
global.glooMtls.sds.sdsResources.limits.cpustringamount of CPUs
global.glooMtls.sds.sdsResources.requests.memorystringamount of memory
global.glooMtls.sds.sdsResources.requests.cpustringamount of CPUs
global.glooMtls.envoy.image.tagstringVersion number, ex. 1.8.0The image tag for the container.
global.glooMtls.envoy.image.repositorystringgloo-ee-envoy-wrapperThe image repository (name) for the container.
global.glooMtls.envoy.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
global.glooMtls.envoy.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
global.glooMtls.envoy.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
global.glooMtls.envoy.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
global.glooMtls.envoy.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
global.glooMtls.envoy.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
global.glooMtls.envoy.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
global.glooMtls.envoy.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
global.glooMtls.envoy.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
global.glooMtls.envoy.securityContext.capabilities.add[]string
global.glooMtls.envoy.securityContext.capabilities.drop[]string
global.glooMtls.envoy.securityContext.privilegedbool
global.glooMtls.envoy.securityContext.seLinuxOptions.userstring
global.glooMtls.envoy.securityContext.seLinuxOptions.rolestring
global.glooMtls.envoy.securityContext.seLinuxOptions.typestring
global.glooMtls.envoy.securityContext.seLinuxOptions.levelstring
global.glooMtls.envoy.securityContext.windowsOptions.gmsaCredentialSpecNamestring
global.glooMtls.envoy.securityContext.windowsOptions.gmsaCredentialSpecstring
global.glooMtls.envoy.securityContext.windowsOptions.runAsUserNamestring
global.glooMtls.envoy.securityContext.windowsOptions.hostProcessbool
global.glooMtls.envoy.securityContext.runAsUserint64
global.glooMtls.envoy.securityContext.runAsGroupint64
global.glooMtls.envoy.securityContext.runAsNonRootbool
global.glooMtls.envoy.securityContext.readOnlyRootFilesystembool
global.glooMtls.envoy.securityContext.allowPrivilegeEscalationbool
global.glooMtls.envoy.securityContext.procMountstring
global.glooMtls.envoy.securityContext.seccompProfile.typestring
global.glooMtls.envoy.securityContext.seccompProfile.localhostProfilestring
global.glooMtls.envoy.securityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you cannot override a ‘true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
global.glooMtls.istioProxy.image.tagstringThe image tag for the container.
global.glooMtls.istioProxy.image.repositorystringThe image repository (name) for the container.
global.glooMtls.istioProxy.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
global.glooMtls.istioProxy.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
global.glooMtls.istioProxy.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
global.glooMtls.istioProxy.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
global.glooMtls.istioProxy.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
global.glooMtls.istioProxy.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
global.glooMtls.istioProxy.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
global.glooMtls.istioProxy.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
global.glooMtls.istioProxy.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
global.glooMtls.istioProxy.securityContext.capabilities.add[]string
global.glooMtls.istioProxy.securityContext.capabilities.drop[]string
global.glooMtls.istioProxy.securityContext.privilegedbool
global.glooMtls.istioProxy.securityContext.seLinuxOptions.userstring
global.glooMtls.istioProxy.securityContext.seLinuxOptions.rolestring
global.glooMtls.istioProxy.securityContext.seLinuxOptions.typestring
global.glooMtls.istioProxy.securityContext.seLinuxOptions.levelstring
global.glooMtls.istioProxy.securityContext.windowsOptions.gmsaCredentialSpecNamestring
global.glooMtls.istioProxy.securityContext.windowsOptions.gmsaCredentialSpecstring
global.glooMtls.istioProxy.securityContext.windowsOptions.runAsUserNamestring
global.glooMtls.istioProxy.securityContext.windowsOptions.hostProcessbool
global.glooMtls.istioProxy.securityContext.runAsUserint64
global.glooMtls.istioProxy.securityContext.runAsGroupint64
global.glooMtls.istioProxy.securityContext.runAsNonRootbool
global.glooMtls.istioProxy.securityContext.readOnlyRootFilesystembool
global.glooMtls.istioProxy.securityContext.allowPrivilegeEscalationbool
global.glooMtls.istioProxy.securityContext.procMountstring
global.glooMtls.istioProxy.securityContext.seccompProfile.typestring
global.glooMtls.istioProxy.securityContext.seccompProfile.localhostProfilestring
global.glooMtls.istioProxy.securityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you cannot override a ‘true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
global.glooMtls.istioProxy.logLevelstringLog level for istio-proxy. Options include “info”, “debug”, “warning”, and “error”. Default level is info Default is ‘warning’.
global.glooMtls.istioProxy.istioMetaMeshIdstringISTIO_META_MESH_ID Environment Variable. Warning: this value is only supported with Kubernetes Gateway API proxy. Defaults to “cluster.local”
global.glooMtls.istioProxy.istioMetaClusterIdstringISTIO_META_CLUSTER_ID Environment Variable. Warning: this value is only supported with Kubernetes Gateway API proxy. Defaults to “Kubernetes”
global.glooMtls.istioProxy.istioDiscoveryAddressstringdiscoveryAddress field of the PROXY_CONFIG environment variable. Warning: this value is only supported with Kubernetes Gateway API proxy. Defaults to “istiod.istio-system.svc:15012”
global.glooMtls.envoySidecarResources.limits.memorystringamount of memory
global.glooMtls.envoySidecarResources.limits.cpustringamount of CPUs
global.glooMtls.envoySidecarResources.requests.memorystringamount of memory
global.glooMtls.envoySidecarResources.requests.cpustringamount of CPUs
global.glooMtls.sdsResources.limits.memorystringamount of memory
global.glooMtls.sdsResources.limits.cpustringamount of CPUs
global.glooMtls.sdsResources.requests.memorystringamount of memory
global.glooMtls.sdsResources.requests.cpustringamount of CPUs
global.istioSDS.enabledboolEnables SDS cert-rotator sidecar for istio mTLS cert rotation. Warning: this value is deprecated and will be removed in a future release. Use global.istioIntegration.enabled instead.
global.istioSDS.customSidecars[]interfaceOverride the default Istio sidecar in gateway-proxy with a custom container. Ignored if IstioSDS.enabled is false
global.istioIntegration.enabledboolEnables Istio integration for Gloo Edge, adding the sds and istio-proxy containers to gateways for Istio mTLS cert rotation.
global.istioIntegration.enableAutoMtlsboolEnables Istio auto mtls configuration for Gloo Edge upstreams.
global.istioIntegration.disableAutoinjectionboolAnnotate all pods (excluding those whitelisted by other config values) with an explicit ‘do not inject’ annotation to prevent Istio from adding sidecars to all pods. It’s recommended that this be set to true, as some pods do not immediately work with an Istio sidecar without extra manual configuration. Warning: this value is not supported with Kubernetes Gateway API proxy.
global.istioIntegration.labelInstallNamespaceboolWarning: This value is deprecated and will be removed in a future release. Also, you cannot use this value with a Kubernetes Gateway API proxy. If creating a namespace for Gloo, include the ‘istio-injection: enabled’ label (or ‘istio.io/rev=’ if ‘istioSidecarRevTag’ field is also set) to allow Istio sidecar injection for Gloo pods. Be aware that Istio’s default injection behavior will auto-inject a sidecar into all pods in such a marked namespace. Disabling this behavior in Istio’s configs or using gloo’s global.istioIntegration.disableAutoinjection flag is recommended.
global.istioIntegration.whitelistDiscoveryboolWarning: This value is deprecated and will be removed in a future release. Also, you cannot use this value with a Kubernetes Gateway API proxy. Annotate the discovery pod for Istio sidecar injection to ensure that it gets a sidecar even when namespace-wide auto-injection is disabled. Generally only needed if FDS is enabled.
global.istioIntegration.enableIstioSidecarOnGatewayboolWarning: This value is deprecated and will be removed in a future release. Also, you cannot use this value with a Kubernetes Gateway API proxy. Enable Istio sidecar injection on the gateway-proxy deployment. Ignored if LabelInstallNamespace is not ‘true’. Ignored if disableAutoinjection is ‘true’.
global.istioIntegration.istioSidecarRevTagstringWarning: This value is deprecated and will be removed in a future release. Also, you cannot use this value with a Kubernetes Gateway API proxy. Value of revision tag for Istio sidecar injection on the gateway-proxy and discovery deployments (when enabled with LabelInstallNamespace, WhitelistDiscovery or EnableIstioSidecarOnGateway). If set, applies the label ‘istio.io/rev:’ instead of ‘sidecar.istio.io/inject’ or ‘istio-injection:enabled’. Ignored if disableAutoinjection is ‘true’.
global.istioIntegration.appendXForwardedHostboolWarning: This value is deprecated and will be removed in a future release. Also, you cannot use this value with a Kubernetes Gateway API proxy. Enable appending the X-Forwarded-Host header with the Istio-provided value. Default: true.
global.extraSpecsbooltrueAdd additional specs to include in the settings manifest, as defined by a helm partial. Defaults to false in open source, and true in enterprise.
global.extauthCustomYamlboolfalseInject whatever yaml exists in .Values.global.extensions.extAuth into settings.spec.extauth, instead of structured yaml (which is enterprise only). Defaults to true in open source, and false in enterprise
global.consoleinterfaceConfiguration options for the Enterprise Console (UI).
global.graphqlinterface(Enterprise Only): GraphQL configuration options.
global.configMaps[].namestringName of the ConfigMap to create (required).
global.configMaps[].namespacestringNamespace in which to create the ConfigMap. If empty, defaults to Gloo Edge install namespace.
global.configMaps[].data.NAMEstringKey-value pairs of ConfigMap data.
global.extraCustomResourcesbooltrueAdd additional custom resources to create, as defined by a helm partial. Defaults to false in open source, and true in enterprise.
global.additionalLabels.NAMEstringAdditional labels to add to all gloo resources.
global.podSecurityStandards.container.enableRestrictedContainerDefaultsboolSet to true to default all containers to a security policy that minimally conforms to a restricted container security policy.
global.podSecurityStandards.container.defaultSeccompProfileTypestringThe seccomp profile type to use for default restricted container securityContexts. Valid values are ‘RuntimeDefault’ and ‘Localhost’. Default is ‘RuntimeDefault’. Has no effect if enableRestrictedContainerDefaults is false.
global.securitySettings.floatingUserIdboolIf true, use ‘true’ as default value for all instances of floatingUserId. In OSS, has the additional effects of rendering charts as if ‘discovery.deployment.enablePodSecurityContext=false’ and ‘gatewayProxies.gatewayProxy.podTemplate.enablePodSecurityContext=false’. In EE templates has the additional effects of rendering charts as if ‘redis.deployment.enablePodSecurityContext=false’, and in the ExtAuth deployment’s podSecurityContext, behavior will match the local ‘floatingUserId’ and fsGroup will not be rendered.
global.stats.enabledboolControls whether or not Envoy stats are enabled
global.stats.routePrefixRewritestringThe Envoy stats endpoint to which the metrics are written
global.stats.setDatadogAnnotationsboolSets the default datadog annotations
global.stats.enableStatsRouteboolEnables an additional route to the stats cluster defaulting to /stats
global.stats.statsPrefixRewritestringThe Envoy stats endpoint with general metrics for the additional stats route
global.stats.serviceMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Service Monitor. Requires that ‘enabled’ is also true
global.stats.podMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Pod Monitor. Requires that ‘enabled’ is also true
global.stats.serviceMonitor.releaseLabelstringThe release label used for the Pod/Service Monitor (default prom)
global.stats.podMonitor.releaseLabelstringThe release label used for the Pod/Service Monitor (default prom)
global.extensions.extAuth.enabledbooltrueif true, deploy ExtAuth service (default true)
global.extensions.extAuth.userIdHeaderstringx-user-id
global.extensions.extAuth.deployment.namestringextauth
global.extensions.extAuth.deployment.glooAddressstring
global.extensions.extAuth.deployment.glooPortuint9977Sets the port of the gloo xDS server in the ratelimit sidecar envoy bootstrap config
global.extensions.extAuth.deployment.portuint8083
global.extensions.extAuth.deployment.stats.enabledboolControls whether or not Envoy stats are enabled
global.extensions.extAuth.deployment.stats.routePrefixRewritestringThe Envoy stats endpoint to which the metrics are written
global.extensions.extAuth.deployment.stats.setDatadogAnnotationsboolSets the default datadog annotations
global.extensions.extAuth.deployment.stats.enableStatsRouteboolEnables an additional route to the stats cluster defaulting to /stats
global.extensions.extAuth.deployment.stats.statsPrefixRewritestringThe Envoy stats endpoint with general metrics for the additional stats route
global.extensions.extAuth.deployment.stats.serviceMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Service Monitor. Requires that ‘enabled’ is also true
global.extensions.extAuth.deployment.stats.podMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Pod Monitor. Requires that ‘enabled’ is also true
global.extensions.extAuth.deployment.runAsUserfloat64Explicitly set the user ID for the container to run as. Default is 10101
global.extensions.extAuth.deployment.livenessProbeEnabledboolSet to true to enable a liveness probe for ExtAuth (default is false).
global.extensions.extAuth.deployment.fsGroupfloat64Explicitly set the group ID for volume ownership. Default is 10101
global.extensions.extAuth.deployment.floatingUserIdboolfalseset to true to allow the cluster to dynamically assign a user ID
global.extensions.extAuth.deployment.extraExtAuthLabels.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.labels data of the ExtAuth deployment.
global.extensions.extAuth.deployment.extraVolume[].NAMEinterfacecustom defined yaml for allowing extra volume on the extauth container
global.extensions.extAuth.deployment.extraVolumeMount[].NAMEinterfacecustom defined yaml for allowing extra volume mounts on the extauth container
global.extensions.extAuth.deployment.podDisruptionBudget.minAvailableint32An eviction is allowed if at least “minAvailable” pods selected by “selector” will still be available after the eviction, i.e. even in the absence of the evicted pod. So for example you can prevent all voluntary evictions by specifying “100%”.
global.extensions.extAuth.deployment.podDisruptionBudget.maxUnavailableint32An eviction is allowed if at most “maxUnavailable” pods selected by “selector” are unavailable after the eviction, i.e. even in absence of the evicted pod. For example, one can prevent all voluntary evictions by specifying 0. This is a mutually exclusive setting with “minAvailable”.
global.extensions.extAuth.deployment.redis.certs[].secretNamestringThis is the name of the Opaque kubernetes secret containing the cert. The secret data key names should be ‘ca.crt’, ‘tls.crt’, and ‘tls.key’.
global.extensions.extAuth.deployment.redis.certs[].mountPathstringPath used to mount the secret. This should be a unique path, for each secret.
global.extensions.extAuth.deployment.logLevelstringLevel at which the pod should log. Options include “info”, “debug”, “warn”, “error”, “panic” and “fatal”. Default level is info
global.extensions.extAuth.deployment.logToFileLocationstringIf set, the extauth pod will log to this file instead of stdout
global.extensions.extAuth.deployment.replicasintnumber of instances to deploy
global.extensions.extAuth.deployment.customEnv[].namestring
global.extensions.extAuth.deployment.customEnv[].valuestring
global.extensions.extAuth.deployment.customEnv[].valueFrom.fieldRef.apiVersionstring
global.extensions.extAuth.deployment.customEnv[].valueFrom.fieldRef.fieldPathstring
global.extensions.extAuth.deployment.customEnv[].valueFrom.resourceFieldRef.containerNamestring
global.extensions.extAuth.deployment.customEnv[].valueFrom.resourceFieldRef.resourcestring
global.extensions.extAuth.deployment.customEnv[].valueFrom.resourceFieldRef.divisorint64
global.extensions.extAuth.deployment.customEnv[].valueFrom.resourceFieldRef.divisorint32
global.extensions.extAuth.deployment.customEnv[].valueFrom.resourceFieldRef.divisorbool
global.extensions.extAuth.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]uint
global.extensions.extAuth.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]int32
global.extensions.extAuth.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]string
global.extensions.extAuth.deployment.customEnv[].valueFrom.configMapKeyRef.namestring
global.extensions.extAuth.deployment.customEnv[].valueFrom.configMapKeyRef.keystring
global.extensions.extAuth.deployment.customEnv[].valueFrom.configMapKeyRef.optionalbool
global.extensions.extAuth.deployment.customEnv[].valueFrom.secretKeyRef.namestring
global.extensions.extAuth.deployment.customEnv[].valueFrom.secretKeyRef.keystring
global.extensions.extAuth.deployment.customEnv[].valueFrom.secretKeyRef.optionalbool
global.extensions.extAuth.deployment.restartPolicystringrestart policy to use when the pod exits
global.extensions.extAuth.deployment.priorityClassNamestringname of a defined priority class
global.extensions.extAuth.deployment.nodeNamestringname of node to run on
global.extensions.extAuth.deployment.nodeSelector.NAMEstringlabel selector for nodes
global.extensions.extAuth.deployment.tolerations[].keystring
global.extensions.extAuth.deployment.tolerations[].operatorstring
global.extensions.extAuth.deployment.tolerations[].valuestring
global.extensions.extAuth.deployment.tolerations[].effectstring
global.extensions.extAuth.deployment.tolerations[].tolerationSecondsint64
global.extensions.extAuth.deployment.affinity.NAMEinterface
global.extensions.extAuth.deployment.hostAliases[]interface
global.extensions.extAuth.deployment.initContainers[]interfaceInitContainers to be added to the array of initContainers on the deployment.
global.extensions.extAuth.deployment.resources.limits.memorystringamount of memory
global.extensions.extAuth.deployment.resources.limits.cpustringamount of CPUs
global.extensions.extAuth.deployment.resources.requests.memorystringamount of memory
global.extensions.extAuth.deployment.resources.requests.cpustringamount of CPUs
global.extensions.extAuth.deployment.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
global.extensions.extAuth.deployment.extAuthContainerSecurityContext.capabilities.add[]string
global.extensions.extAuth.deployment.extAuthContainerSecurityContext.capabilities.drop[]string
global.extensions.extAuth.deployment.extAuthContainerSecurityContext.privilegedbool
global.extensions.extAuth.deployment.extAuthContainerSecurityContext.seLinuxOptions.userstring
global.extensions.extAuth.deployment.extAuthContainerSecurityContext.seLinuxOptions.rolestring
global.extensions.extAuth.deployment.extAuthContainerSecurityContext.seLinuxOptions.typestring
global.extensions.extAuth.deployment.extAuthContainerSecurityContext.seLinuxOptions.levelstring
global.extensions.extAuth.deployment.extAuthContainerSecurityContext.windowsOptions.gmsaCredentialSpecNamestring
global.extensions.extAuth.deployment.extAuthContainerSecurityContext.windowsOptions.gmsaCredentialSpecstring
global.extensions.extAuth.deployment.extAuthContainerSecurityContext.windowsOptions.runAsUserNamestring
global.extensions.extAuth.deployment.extAuthContainerSecurityContext.windowsOptions.hostProcessbool
global.extensions.extAuth.deployment.extAuthContainerSecurityContext.runAsUserint64
global.extensions.extAuth.deployment.extAuthContainerSecurityContext.runAsGroupint64
global.extensions.extAuth.deployment.extAuthContainerSecurityContext.runAsNonRootbool
global.extensions.extAuth.deployment.extAuthContainerSecurityContext.readOnlyRootFilesystembool
global.extensions.extAuth.deployment.extAuthContainerSecurityContext.allowPrivilegeEscalationbool
global.extensions.extAuth.deployment.extAuthContainerSecurityContext.procMountstring
global.extensions.extAuth.deployment.extAuthContainerSecurityContext.seccompProfile.typestring
global.extensions.extAuth.deployment.extAuthContainerSecurityContext.seccompProfile.localhostProfilestring
global.extensions.extAuth.deployment.extAuthContainerSecurityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you cannot override a ‘true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
global.extensions.extAuth.deployment.image.tagstringVersion number, ex. 1.8.0The image tag for the container.
global.extensions.extAuth.deployment.image.repositorystringextauth-eeThe image repository (name) for the container.
global.extensions.extAuth.deployment.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
global.extensions.extAuth.deployment.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
global.extensions.extAuth.deployment.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
global.extensions.extAuth.deployment.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
global.extensions.extAuth.deployment.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
global.extensions.extAuth.deployment.image.pullPolicystringIfNotPresentThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
global.extensions.extAuth.deployment.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
global.extensions.extAuth.deployment.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
global.extensions.extAuth.deployment.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
global.extensions.extAuth.service.portuint8083
global.extensions.extAuth.service.namestringextauth
global.extensions.extAuth.service.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
global.extensions.extAuth.signingKey.namestringextauth-signing-key
global.extensions.extAuth.signingKey.signing-keystring
global.extensions.extAuth.tlsEnabledboolfalseif true, have extauth terminate TLS itself (whereas Gloo mTLS mode runs an Envoy and SDS sidecars to do TLS termination and cert rotation)
global.extensions.extAuth.secretNamestringthe name of the tls secret used to secure connections to the extauth service
global.extensions.extAuth.certPathstringlocation of tls termination cert, if omitted defaults to /etc/envoy/ssl/tls.crt
global.extensions.extAuth.keyPathstringlocation of tls termination key, if omitted defaults to /etc/envoy/ssl/tls.key
global.extensions.extAuth.plugins.NAME.image.tagstringThe image tag for the container.
global.extensions.extAuth.plugins.NAME.image.repositorystringThe image repository (name) for the container.
global.extensions.extAuth.plugins.NAME.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
global.extensions.extAuth.plugins.NAME.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
global.extensions.extAuth.plugins.NAME.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
global.extensions.extAuth.plugins.NAME.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
global.extensions.extAuth.plugins.NAME.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
global.extensions.extAuth.plugins.NAME.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
global.extensions.extAuth.plugins.NAME.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
global.extensions.extAuth.plugins.NAME.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
global.extensions.extAuth.plugins.NAME.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
global.extensions.extAuth.envoySidecarboolfalseif true, deploy ExtAuth as a sidecar with envoy (defaults to false)
global.extensions.extAuth.standaloneDeploymentbooltrueif true, create a standalone ExtAuth deployment (defaults to true)
global.extensions.extAuth.serverUpstreamNamestringif set, this is the name of the upstream that we define in Settings to use as the target cluster in the ext_authz http filter. If not set, the name ‘extauth’ (if ‘standaloneDeployment’ is true) or ‘extauth-sidecar’ (if ‘standaloneDeployment’ is false) will be used.
global.extensions.extAuth.transportApiVersionstringV3Determines the API version for the ext_authz transport protocol that will be used by Envoy to communicate with the auth server. Defaults to ‘V3’.
global.extensions.extAuth.serviceNamestringext-auth
global.extensions.extAuth.requestTimeoutstringTimeout for the ext auth service to respond (defaults to 200ms)
global.extensions.extAuth.headersToRedactstringSpace separated list of headers to redact from the logs. To avoid the default redactions, specify ‘-’ as the value
global.extensions.extAuth.secret.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
global.extensions.extAuth.upstream.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
global.extensions.extAuth.requestBody.maxRequestBytesuint32Sets the maximum size of a message body that the filter will hold in memory, returning 413 and not initiating the authorization process when reaching the maximum (defaults to 4KB)
global.extensions.extAuth.requestBody.allowPartialMessageboolif true, Envoy will buffer the message until max_request_bytes is reached, dispatch the authorization request, and not return an error
global.extensions.extAuth.requestBody.packAsBytesboolif true, Envoy will send the body to the external authorization service as raw bytes
global.extensions.extAuth.affinity.NAMEinterfaceAffinity rules to be applied. If unset, require extAuth pods to be scheduled on nodes with already-running gateway-proxy pods
global.extensions.extAuth.antiAffinity.NAMEinterfaceAnti-affinity rules to be applied
global.extensions.extAuth.namedExtAuth.NAME.namespacestringThe namespace of this resource.
global.extensions.extAuth.namedExtAuth.NAME.namestringThe name of this resource.
global.extensions.rateLimit.enabledbooltrueif true, deploy rate limit service (default true)
global.extensions.rateLimit.serverUpstreamNamestringrate-limitif set, this is the name of the upstream that we define in Settings to use as the target cluster in the rate_limit http filter. Default is rate-limit.
global.extensions.rateLimit.deployment.namestringrate-limit
global.extensions.rateLimit.deployment.glooAddressstringgloo
global.extensions.rateLimit.deployment.glooPortuint9977Sets the port of the gloo xDS server in the ratelimit sidecar envoy bootstrap config
global.extensions.rateLimit.deployment.dynamodb.regionstringus-east-2aws region to run DynamoDB requests in
global.extensions.rateLimit.deployment.dynamodb.secretNamestringname of the aws secret in gloo’s installation namespace that has aws creds (if provided, uses DynamoDB to back rate-limiting service instead of Redis)
global.extensions.rateLimit.deployment.dynamodb.tableNamestringrate-limitsDynamoDB table name used to back rate limit service (default rate-limits)
global.extensions.rateLimit.deployment.dynamodb.consistentReadsbooltrueif true, reads from DynamoDB will be strongly consistent (default false)
global.extensions.rateLimit.deployment.dynamodb.batchSizeuint8100batch size for get requests to DynamoDB (max 100, default 100)
global.extensions.rateLimit.deployment.aerospike.addressstringThe IP address or hostname of the Aerospike database. The address must be reachable from Gloo Edge, such as in a virtual machine with a public IP address or in a pod in the cluster. By setting this value, you also enable Aerospike database as the backing storage for the rate limit service.
global.extensions.rateLimit.deployment.aerospike.namespacestringsolo-namespaceThe Aerospike namespace of the database.
global.extensions.rateLimit.deployment.aerospike.setstringratelimiterThe Aerospike name of the database set.
global.extensions.rateLimit.deployment.aerospike.portint3000The port of the rateLimit.deployment.aerospike.address.
global.extensions.rateLimit.deployment.aerospike.batchSizeint5000The size of the batch, which is the number of keys sent in the request.
global.extensions.rateLimit.deployment.aerospike.commitLevelint1The level of guaranteed consistency for transaction commits on the Aerospike server. For possible values, see the Aerospike commit policy.
global.extensions.rateLimit.deployment.aerospike.readModeSCint0The read mode for strong consistency (SC) options. For possible values, see the Aerospike read mode SC.
global.extensions.rateLimit.deployment.aerospike.readModeAPint0The read mode for availability (AP). For possible values, see the Aerospike read mode AP.
global.extensions.rateLimit.deployment.aerospike.tls.namestringThe subject name of the TLS authority. For more information, see the Aerospike docs. To enable TLS, you must provide at least this value and the certSecretName value.
global.extensions.rateLimit.deployment.aerospike.tls.versionstring1.3The TLS version. Versions 1.0, 1.1, 1.2, and 1.3 are supported.
global.extensions.rateLimit.deployment.aerospike.tls.insecureboolfalseThe TLS insecure setting. If set to true, the authority of the certificate on the client’s end is not authenticated. You might use insecure mode in non-production environments when the certificate is not known.
global.extensions.rateLimit.deployment.aerospike.tls.certSecretNamestringThe name of the kubernetes.io/tls secret that has the tls.crt and tls.key data. To enable TLS, you must provide at least this value and the name value.
global.extensions.rateLimit.deployment.aerospike.tls.rootCASecretNamestringThe secret name for the Opaque root CA that sets the key as tls.crt.
global.extensions.rateLimit.deployment.aerospike.tls.curveGroups[]stringThe TLS identifier for an elliptic curve. For more information, see TLS supported groups.
global.extensions.rateLimit.deployment.stats.enabledboolControls whether or not Envoy stats are enabled
global.extensions.rateLimit.deployment.stats.routePrefixRewritestringThe Envoy stats endpoint to which the metrics are written
global.extensions.rateLimit.deployment.stats.setDatadogAnnotationsboolSets the default datadog annotations
global.extensions.rateLimit.deployment.stats.enableStatsRouteboolEnables an additional route to the stats cluster defaulting to /stats
global.extensions.rateLimit.deployment.stats.statsPrefixRewritestringThe Envoy stats endpoint with general metrics for the additional stats route
global.extensions.rateLimit.deployment.stats.serviceMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Service Monitor. Requires that ‘enabled’ is also true
global.extensions.rateLimit.deployment.stats.podMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Pod Monitor. Requires that ‘enabled’ is also true
global.extensions.rateLimit.deployment.runAsUserfloat64Explicitly set the user ID for the container to run as in the podSecurityContext. Default is 10101. If podSecurityContext is defined, this value is not applied.
global.extensions.rateLimit.deployment.livenessProbeEnabledboolSet to true to enable a liveness probe for RateLimit (default is false).
global.extensions.rateLimit.deployment.floatingUserIdboolfalseset to true to allow the cluster to dynamically assign a user ID in the podSecurityContext. If podSecurityContext is defined, this value is not applied.
global.extensions.rateLimit.deployment.extraRateLimitLabels.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.labels data of the rateLimit deployment.
global.extensions.rateLimit.deployment.logLevelstringLevel at which the pod should log. Options include “info”, “debug”, “warn”, “error”, “panic” and “fatal”. Default level is info.
global.extensions.rateLimit.deployment.podDisruptionBudget.minAvailableint32An eviction is allowed if at least “minAvailable” pods selected by “selector” will still be available after the eviction, i.e. even in the absence of the evicted pod. So for example you can prevent all voluntary evictions by specifying “100%”.
global.extensions.rateLimit.deployment.podDisruptionBudget.maxUnavailableint32An eviction is allowed if at most “maxUnavailable” pods selected by “selector” are unavailable after the eviction, i.e. even in absence of the evicted pod. For example, one can prevent all voluntary evictions by specifying 0. This is a mutually exclusive setting with “minAvailable”.
| global.extensions.rateLimit.deployment.podSecurityContext.seLinuxOptions.user | string | | |
| global.extensions.rateLimit.deployment.podSecurityContext.seLinuxOptions.role | string | | |
| global.extensions.rateLimit.deployment.podSecurityContext.seLinuxOptions.type | string | | |
| global.extensions.rateLimit.deployment.podSecurityContext.seLinuxOptions.level | string | | |
| global.extensions.rateLimit.deployment.podSecurityContext.windowsOptions.gmsaCredentialSpecName | string | | |
| global.extensions.rateLimit.deployment.podSecurityContext.windowsOptions.gmsaCredentialSpec | string | | |
| global.extensions.rateLimit.deployment.podSecurityContext.windowsOptions.runAsUserName | string | | |
| global.extensions.rateLimit.deployment.podSecurityContext.windowsOptions.hostProcess | bool | | |
| global.extensions.rateLimit.deployment.podSecurityContext.runAsUser | int64 | | |
| global.extensions.rateLimit.deployment.podSecurityContext.runAsGroup | int64 | | |
| global.extensions.rateLimit.deployment.podSecurityContext.runAsNonRoot | bool | | |
| global.extensions.rateLimit.deployment.podSecurityContext.supplementalGroups | []int64 | | |
| global.extensions.rateLimit.deployment.podSecurityContext.fsGroup | int64 | | |
| global.extensions.rateLimit.deployment.podSecurityContext.sysctls[].name | string | | |
| global.extensions.rateLimit.deployment.podSecurityContext.sysctls[].value | string | | |
| global.extensions.rateLimit.deployment.podSecurityContext.fsGroupChangePolicy | string | | |
| global.extensions.rateLimit.deployment.podSecurityContext.seccompProfile.type | string | | |
| global.extensions.rateLimit.deployment.podSecurityContext.seccompProfile.localhostProfile | string | | |
| global.extensions.rateLimit.deployment.podSecurityContext.mergePolicy | string | | How to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you can not override a ‘true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”. |
| global.extensions.rateLimit.deployment.kubeResourceOverride.NAME | interface | | override fields in the generated resource by specifying the yaml structure to override under the top-level key. |
| global.extensions.rateLimit.deployment.replicas | int | | number of instances to deploy |
| global.extensions.rateLimit.deployment.customEnv[].name | string | | |
| global.extensions.rateLimit.deployment.customEnv[].value | string | | |
| global.extensions.rateLimit.deployment.customEnv[].valueFrom.fieldRef.apiVersion | string | | |
| global.extensions.rateLimit.deployment.customEnv[].valueFrom.fieldRef.fieldPath | string | | |
| global.extensions.rateLimit.deployment.customEnv[].valueFrom.resourceFieldRef.containerName | string | | |
| global.extensions.rateLimit.deployment.customEnv[].valueFrom.resourceFieldRef.resource | string | | |
| global.extensions.rateLimit.deployment.customEnv[].valueFrom.resourceFieldRef.divisor | int64 | | |
| global.extensions.rateLimit.deployment.customEnv[].valueFrom.resourceFieldRef.divisor | int32 | | |
| global.extensions.rateLimit.deployment.customEnv[].valueFrom.resourceFieldRef.divisor | bool | | |
| global.extensions.rateLimit.deployment.customEnv[].valueFrom.resourceFieldRef.divisor | []uint | | |
| global.extensions.rateLimit.deployment.customEnv[].valueFrom.resourceFieldRef.divisor | []int32 | | |
| global.extensions.rateLimit.deployment.customEnv[].valueFrom.resourceFieldRef.divisor | []string | | |
| global.extensions.rateLimit.deployment.customEnv[].valueFrom.resourceFieldRef.divisor | []string | | |
| global.extensions.rateLimit.deployment.customEnv[].valueFrom.configMapKeyRef.name | string | | |
| global.extensions.rateLimit.deployment.customEnv[].valueFrom.configMapKeyRef.key | string | | |
| global.extensions.rateLimit.deployment.customEnv[].valueFrom.configMapKeyRef.optional | bool | | |
| global.extensions.rateLimit.deployment.customEnv[].valueFrom.secretKeyRef.name | string | | |
| global.extensions.rateLimit.deployment.customEnv[].valueFrom.secretKeyRef.key | string | | |
| global.extensions.rateLimit.deployment.customEnv[].valueFrom.secretKeyRef.optional | bool | | |
| global.extensions.rateLimit.deployment.restartPolicy | string | | restart policy to use when the pod exits |
| global.extensions.rateLimit.deployment.priorityClassName | string | | name of a defined priority class |
| global.extensions.rateLimit.deployment.nodeName | string | | name of node to run on |
| global.extensions.rateLimit.deployment.nodeSelector.NAME | string | | label selector for nodes |
| global.extensions.rateLimit.deployment.tolerations[].key | string | | |
| global.extensions.rateLimit.deployment.tolerations[].operator | string | | |
| global.extensions.rateLimit.deployment.tolerations[].value | string | | |
| global.extensions.rateLimit.deployment.tolerations[].effect | string | | |
| global.extensions.rateLimit.deployment.tolerations[].tolerationSeconds | int64 | | |
| global.extensions.rateLimit.deployment.affinity.NAME | interface | | |
| global.extensions.rateLimit.deployment.hostAliases | []interface | | |
| global.extensions.rateLimit.deployment.initContainers | []interface | | InitContainers to be added to the array of initContainers on the deployment. |
| global.extensions.rateLimit.deployment.resources.limits.memory | string | | amount of memory |
| global.extensions.rateLimit.deployment.resources.limits.cpu | string | | amount of CPUs |
| global.extensions.rateLimit.deployment.resources.requests.memory | string | | amount of memory |
| global.extensions.rateLimit.deployment.resources.requests.cpu | string | | amount of CPUs |
| global.extensions.rateLimit.deployment.kubeResourceOverride.NAME | interface | | override fields in the generated resource by specifying the yaml structure to override under the top-level key. |
| global.extensions.rateLimit.deployment.rateLimitContainerSecurityContext.capabilities.add | []string | | |
| global.extensions.rateLimit.deployment.rateLimitContainerSecurityContext.capabilities.drop | []string | | |
| global.extensions.rateLimit.deployment.rateLimitContainerSecurityContext.privileged | bool | | |
| global.extensions.rateLimit.deployment.rateLimitContainerSecurityContext.seLinuxOptions.user | string | | |
| global.extensions.rateLimit.deployment.rateLimitContainerSecurityContext.seLinuxOptions.role | string | | |
| global.extensions.rateLimit.deployment.rateLimitContainerSecurityContext.seLinuxOptions.type | string | | |
| global.extensions.rateLimit.deployment.rateLimitContainerSecurityContext.seLinuxOptions.level | string | | |
| global.extensions.rateLimit.deployment.rateLimitContainerSecurityContext.windowsOptions.gmsaCredentialSpecName | string | | |
| global.extensions.rateLimit.deployment.rateLimitContainerSecurityContext.windowsOptions.gmsaCredentialSpec | string | | |
| global.extensions.rateLimit.deployment.rateLimitContainerSecurityContext.windowsOptions.runAsUserName | string | | |
| global.extensions.rateLimit.deployment.rateLimitContainerSecurityContext.windowsOptions.hostProcess | bool | | |
| global.extensions.rateLimit.deployment.rateLimitContainerSecurityContext.runAsUser | int64 | | |
| global.extensions.rateLimit.deployment.rateLimitContainerSecurityContext.runAsGroup | int64 | | |
| global.extensions.rateLimit.deployment.rateLimitContainerSecurityContext.runAsNonRoot | bool | | |
| global.extensions.rateLimit.deployment.rateLimitContainerSecurityContext.readOnlyRootFilesystem | bool | | |
| global.extensions.rateLimit.deployment.rateLimitContainerSecurityContext.allowPrivilegeEscalation | bool | | |
| global.extensions.rateLimit.deployment.rateLimitContainerSecurityContext.procMount | string | | |
| global.extensions.rateLimit.deployment.rateLimitContainerSecurityContext.seccompProfile.type | string | | |
| global.extensions.rateLimit.deployment.rateLimitContainerSecurityContext.seccompProfile.localhostProfile | string | | |
| global.extensions.rateLimit.deployment.rateLimitContainerSecurityContext.mergePolicy | string | | How to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you can not override a ‘true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”. |
| global.extensions.rateLimit.deployment.image.tag | string | Version number, ex. 1.8.0 | The image tag for the container. |
| global.extensions.rateLimit.deployment.image.repository | string | rate-limit-ee | The image repository (name) for the container. |
| global.extensions.rateLimit.deployment.image.digest | string | | The container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard. |
| global.extensions.rateLimit.deployment.image.fipsDigest | string | | The container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant. |
| global.extensions.rateLimit.deployment.image.distrolessDigest | string | | The container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant. |
| global.extensions.rateLimit.deployment.image.fipsDistrolessDigest | string | | The container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest. |
| global.extensions.rateLimit.deployment.image.registry | string | | The image hostname prefix and registry, such as quay.io/solo-io. |
| global.extensions.rateLimit.deployment.image.pullPolicy | string | IfNotPresent | The image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting |
| global.extensions.rateLimit.deployment.image.pullSecret | string | | The image pull secret to use for the container, in the same namespace as the container pod. |
| global.extensions.rateLimit.deployment.image.variant | string | | Specifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature) |
| global.extensions.rateLimit.deployment.image.fips | bool | | [Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature) |
| global.extensions.rateLimit.service.port | uint | 18081 | |
| global.extensions.rateLimit.service.name | string | rate-limit | |
| global.extensions.rateLimit.service.kubeResourceOverride.NAME | interface | | override fields in the generated resource by specifying the yaml structure to override under the top-level key. |
| global.extensions.rateLimit.upstream.kubeResourceOverride.NAME | interface | | override fields in the generated resource by specifying the yaml structure to override under the top-level key. |
| global.extensions.rateLimit.customRateLimit | interface | | |
| global.extensions.rateLimit.beforeAuth | bool | false | If true, rate limiting checks occur before auth (default false). If gloo.settings.ratelimitServer is set, this value will be ignored. |
| global.extensions.rateLimit.affinity.NAME | interface | | Affinity rules to be applied |
| global.extensions.rateLimit.antiAffinity.NAME | interface | | Anti-affinity rules to be applied |
| global.extensions.extProc | interface | | Global configuration for External Processing filter. |
| global.extensions.caching.enabled | bool | false | if true, deploy caching service (default false) |
| global.extensions.caching.name | string | caching-service | name for the service |
| global.extensions.caching.deployment.name | string | caching-service | |
| global.extensions.caching.deployment.image.tag | string | Version number, ex. 1.8.0 | The image tag for the container. |
| global.extensions.caching.deployment.image.repository | string | caching-ee | The image repository (name) for the container. |
| global.extensions.caching.deployment.image.digest | string | | The container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard. |
| global.extensions.caching.deployment.image.fipsDigest | string | | The container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant. |
| global.extensions.caching.deployment.image.distrolessDigest | string | | The container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant. |
| global.extensions.caching.deployment.image.fipsDistrolessDigest | string | | The container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest. |
| global.extensions.caching.deployment.image.registry | string | | The image hostname prefix and registry, such as quay.io/solo-io. |
| global.extensions.caching.deployment.image.pullPolicy | string | IfNotPresent | The image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting |
| global.extensions.caching.deployment.image.pullSecret | string | | The image pull secret to use for the container, in the same namespace as the container pod. |
| global.extensions.caching.deployment.image.variant | string | | Specifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature) |
| global.extensions.caching.deployment.image.fips | bool | | [Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature) |
| global.extensions.caching.deployment.stats.enabled | bool | | Controls whether or not Envoy stats are enabled |
| global.extensions.caching.deployment.stats.routePrefixRewrite | string | | The Envoy stats endpoint to which the metrics are written |
| global.extensions.caching.deployment.stats.setDatadogAnnotations | bool | | Sets the default datadog annotations |
| global.extensions.caching.deployment.stats.enableStatsRoute | bool | | Enables an additional route to the stats cluster defaulting to /stats |
| global.extensions.caching.deployment.stats.statsPrefixRewrite | string | | The Envoy stats endpoint with general metrics for the additional stats route |
| global.extensions.caching.deployment.stats.serviceMonitorEnabled | bool | | Whether or not to expose an http-monitoring port that can be scraped by a Prometheus Service Monitor. Requires that ‘enabled’ is also true |
| global.extensions.caching.deployment.stats.podMonitorEnabled | bool | | Whether or not to expose an http-monitoring port that can be scraped by a Prometheus Pod Monitor. Requires that ‘enabled’ is also true |
| global.extensions.caching.deployment.glooAddress | string | gloo | |
| global.extensions.caching.deployment.runAsUser | float64 | | Explicitly set the user ID for the container to run as. Default is 10101 |
| global.extensions.caching.deployment.floatingUserId | bool | | set to true to allow the cluster to dynamically assign a user ID |
| global.extensions.caching.deployment.affinity.NAME | interface | | Affinity rules to be applied |
| global.extensions.caching.deployment.antiAffinity.NAME | interface | | Anti-affinity rules to be applied |
| global.extensions.caching.deployment.extraCachingLabels.NAME | string | | Optional extra key-value pairs to add to the spec.template.metadata.labels data of the Caching deployment. |
| global.extensions.caching.deployment.logLevel | string | | Level at which the pod should log. Options include “info”, “debug”, “warn”, “error”, “panic” and “fatal”. Default level is info |
| global.extensions.caching.deployment.podDisruptionBudget.minAvailable | int32 | | An eviction is allowed if at least “minAvailable” pods selected by “selector” will still be available after the eviction, i.e. even in the absence of the evicted pod. So for example you can prevent all voluntary evictions by specifying “100%”. |
| global.extensions.caching.deployment.podDisruptionBudget.maxUnavailable | int32 | | An eviction is allowed if at most “maxUnavailable” pods selected by “selector” are unavailable after the eviction, i.e. even in absence of the evicted pod. For example, one can prevent all voluntary evictions by specifying 0. This is a mutually exclusive setting with “minAvailable”. |
| global.extensions.caching.deployment.cachingServiceContainerSecurityContext.capabilities.add | []string | | |
| global.extensions.caching.deployment.cachingServiceContainerSecurityContext.capabilities.drop | []string | | |
| global.extensions.caching.deployment.cachingServiceContainerSecurityContext.privileged | bool | | |
| global.extensions.caching.deployment.cachingServiceContainerSecurityContext.seLinuxOptions.user | string | | |
| global.extensions.caching.deployment.cachingServiceContainerSecurityContext.seLinuxOptions.role | string | | |
| global.extensions.caching.deployment.cachingServiceContainerSecurityContext.seLinuxOptions.type | string | | |
| global.extensions.caching.deployment.cachingServiceContainerSecurityContext.seLinuxOptions.level | string | | |
| global.extensions.caching.deployment.cachingServiceContainerSecurityContext.windowsOptions.gmsaCredentialSpecName | string | | |
| global.extensions.caching.deployment.cachingServiceContainerSecurityContext.windowsOptions.gmsaCredentialSpec | string | | |
| global.extensions.caching.deployment.cachingServiceContainerSecurityContext.windowsOptions.runAsUserName | string | | |
| global.extensions.caching.deployment.cachingServiceContainerSecurityContext.windowsOptions.hostProcess | bool | | |
| global.extensions.caching.deployment.cachingServiceContainerSecurityContext.runAsUser | int64 | | |
| global.extensions.caching.deployment.cachingServiceContainerSecurityContext.runAsGroup | int64 | | |
| global.extensions.caching.deployment.cachingServiceContainerSecurityContext.runAsNonRoot | bool | | |
| global.extensions.caching.deployment.cachingServiceContainerSecurityContext.readOnlyRootFilesystem | bool | | |
| global.extensions.caching.deployment.cachingServiceContainerSecurityContext.allowPrivilegeEscalation | bool | | |
| global.extensions.caching.deployment.cachingServiceContainerSecurityContext.procMount | string | | |
| global.extensions.caching.deployment.cachingServiceContainerSecurityContext.seccompProfile.type | string | | |
| global.extensions.caching.deployment.cachingServiceContainerSecurityContext.seccompProfile.localhostProfile | string | | |
| global.extensions.caching.deployment.cachingServiceContainerSecurityContext.mergePolicy | string | | How to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you can not override a ‘true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”. |
| global.extensions.caching.deployment.replicas | int | | number of instances to deploy |
| global.extensions.caching.deployment.customEnv[].name | string | | |
| global.extensions.caching.deployment.customEnv[].value | string | | |
| global.extensions.caching.deployment.customEnv[].valueFrom.fieldRef.apiVersion | string | | |
| global.extensions.caching.deployment.customEnv[].valueFrom.fieldRef.fieldPath | string | | |
| global.extensions.caching.deployment.customEnv[].valueFrom.resourceFieldRef.containerName | string | | |
| global.extensions.caching.deployment.customEnv[].valueFrom.resourceFieldRef.resource | string | | |
| global.extensions.caching.deployment.customEnv[].valueFrom.resourceFieldRef.divisor | int64 | | |
| global.extensions.caching.deployment.customEnv[].valueFrom.resourceFieldRef.divisor | int32 | | |
| global.extensions.caching.deployment.customEnv[].valueFrom.resourceFieldRef.divisor | bool | | |
| global.extensions.caching.deployment.customEnv[].valueFrom.resourceFieldRef.divisor | []uint | | |
| global.extensions.caching.deployment.customEnv[].valueFrom.resourceFieldRef.divisor | []int32 | | |
| global.extensions.caching.deployment.customEnv[].valueFrom.resourceFieldRef.divisor | []string | | |
| global.extensions.caching.deployment.customEnv[].valueFrom.resourceFieldRef.divisor | []string | | |
| global.extensions.caching.deployment.customEnv[].valueFrom.configMapKeyRef.name | string | | |
| global.extensions.caching.deployment.customEnv[].valueFrom.configMapKeyRef.key | string | | |
| global.extensions.caching.deployment.customEnv[].valueFrom.configMapKeyRef.optional | bool | | |
| global.extensions.caching.deployment.customEnv[].valueFrom.secretKeyRef.name | string | | |
| global.extensions.caching.deployment.customEnv[].valueFrom.secretKeyRef.key | string | | |
| global.extensions.caching.deployment.customEnv[].valueFrom.secretKeyRef.optional | bool | | |
| global.extensions.caching.deployment.restartPolicy | string | | restart policy to use when the pod exits |
| global.extensions.caching.deployment.priorityClassName | string | | name of a defined priority class |
| global.extensions.caching.deployment.nodeName | string | | name of node to run on |
| global.extensions.caching.deployment.nodeSelector.NAME | string | | label selector for nodes |
| global.extensions.caching.deployment.tolerations[].key | string | | |
| global.extensions.caching.deployment.tolerations[].operator | string | | |
| global.extensions.caching.deployment.tolerations[].value | string | | |
| global.extensions.caching.deployment.tolerations[].effect | string | | |
| global.extensions.caching.deployment.tolerations[].tolerationSeconds | int64 | | |
| global.extensions.caching.deployment.affinity.NAME | interface | | |
| global.extensions.caching.deployment.hostAliases | []interface | | |
| global.extensions.caching.deployment.initContainers | []interface | | InitContainers to be added to the array of initContainers on the deployment. |
| global.extensions.caching.deployment.resources.limits.memory | string | | amount of memory |
| global.extensions.caching.deployment.resources.limits.cpu | string | | amount of CPUs |
| global.extensions.caching.deployment.resources.requests.memory | string | | amount of memory |
| global.extensions.caching.deployment.resources.requests.cpu | string | | amount of CPUs |
| global.extensions.caching.deployment.kubeResourceOverride.NAME | interface | | override fields in the generated resource by specifying the yaml structure to override under the top-level key. |
| global.extensions.caching.upstream.kubeResourceOverride.NAME | interface | | override fields in the generated resource by specifying the yaml structure to override under the top-level key. |
| global.extensions.caching.service.type | string | | K8s service type |
| global.extensions.caching.service.extraAnnotations.NAME | string | | extra annotations to add to the service |
| global.extensions.caching.service.loadBalancerIP | string | | IP address of the load balancer |
| global.extensions.caching.service.httpPort | int | 8085 | HTTP port for the knative/ingress proxy service |
| global.extensions.caching.service.httpsPort | int | | HTTPS port for the knative/ingress proxy service |
| global.extensions.caching.service.kubeResourceOverride.NAME | interface | | override fields in the generated resource by specifying the yaml structure to override under the top-level key. |
| global.extensions.glooRedis.enableAcl | bool | true | Whether to include the ACL policy on redis install. Set to true if you want to provide an external redis endpoint. If redis.disabled is set to true, you will have to create the redis secret, redis, to provide the password. The secret uses the key, redis-password, for the password value. Defaults to true. |
| global.extensions.dataPlanePerProxy | bool | | If set to true, a distinct set of data-plane resources (ratelimit, extauth, redis, caching) will be created for each enabled gateway proxy and each gateway proxy will exclusively use its associated data-plane resources. Eg: If there are two gateway proxies defined, gw-ingress and gw-internal, two sets of data-plane resources will be created (ie: ratelimit-gw-ingress, extauth-gw-ingress, redis-gw-ingress and caching-gw-ingress to be used solely by gw-ingress and ratelimit-gw-internal, extauth-gw-internal, redis-gw-internal and caching-gw-internal to be used solely by gw-internal). This is useful in cases where it’s desirable to completely isolate the data-planes across proxies. One such case is when proxies receive dramatically different levels of traffic. In that case, one might want to isolate the lower trafficked proxy’s data-plane in order to prevent latency from competition for resources, while also allocating additional resources to the higher trafficked proxy’s components. There may also be security reasons to want isolated data-planes. On the other hand, when set to false, only one set of data-plane resources (ie ratelimit, extauth, caching, redis) will be created and used by all proxies. Note that when set to true, each proxy will have to be manually configured to use the uniquely-named per-proxy services, including in the case where there is only one proxy enabled. Note that this only applies to classic Gateways and not kube Gateways. Defaults to false. |
| global.graphql.changeValidation.rejectBreaking | bool | false | Whether to reject breaking GraphQL schema updates (default false). |
| global.graphql.changeValidation.rules.dangerousToBreaking | bool | false | Whether the RULE_DANGEROUS_TO_BREAKING processing rule is enabled (default false). |
| global.graphql.changeValidation.rules.deprecatedFieldRemovalDangerous | bool | false | Whether the RULE_DEPRECATED_FIELD_REMOVAL_DANGEROUS processing rule is enabled (default false). |
| global.graphql.changeValidation.rules.ignoreDescriptionChanges | bool | false | Whether the RULE_IGNORE_DESCRIPTION_CHANGES processing rule is enabled (default false). |
| global.graphql.changeValidation.rules.ignoreUnreachable | bool | false | Whether the RULE_IGNORE_UNREACHABLE processing rule is enabled (default false). |