OptionTypeDefault ValueDescription
namespace.createboolfalsecreate the installation namespace
kubeGateway.enabledboolfalseEnable the Gloo Gateway Kubernetes Gateway API controller.
kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.tagstring<release_version, ex: 1.2.3>The image tag for the container.
kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.repositorystringgloo-envoy-wrapperThe image repository (name) for the container.
kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.capabilities.add[]string
kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.capabilities.drop[]string
kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.privilegedbool
kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.seLinuxOptions.userstring
kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.seLinuxOptions.rolestring
kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.seLinuxOptions.typestring
kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.seLinuxOptions.levelstring
kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.windowsOptions.gmsaCredentialSpecNamestring
kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.windowsOptions.gmsaCredentialSpecstring
kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.windowsOptions.runAsUserNamestring
kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.windowsOptions.hostProcessbool
kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.runAsUserint6410101
kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.runAsGroupint64
kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.runAsNonRootbooltrue
kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.readOnlyRootFilesystembooltrue
kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.allowPrivilegeEscalationboolfalse
kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.procMountstring
kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.seccompProfile.typestring
kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.seccompProfile.localhostProfilestring
kubeGateway.gatewayParameters.glooGateway.envoyContainer.resources.limits.memorystringamount of memory
kubeGateway.gatewayParameters.glooGateway.envoyContainer.resources.limits.cpustringamount of CPUs
kubeGateway.gatewayParameters.glooGateway.envoyContainer.resources.requests.memorystringamount of memory
kubeGateway.gatewayParameters.glooGateway.envoyContainer.resources.requests.cpustringamount of CPUs
kubeGateway.gatewayParameters.glooGateway.proxyDeployment.replicasint321number of instances to deploy. If set to null, a default of 1 will be imposed.
kubeGateway.gatewayParameters.glooGateway.service.typestringLoadBalancerK8s service type. If set to null, a default of LoadBalancer will be imposed.
kubeGateway.gatewayParameters.glooGateway.service.extraLabels.NAMEstringExtra labels to add to the service.
kubeGateway.gatewayParameters.glooGateway.service.extraAnnotations.NAMEstringExtra annotations to add to the service.
kubeGateway.gatewayParameters.glooGateway.serviceAccount.extraLabels.NAMEstringExtra labels to add to the service account.
kubeGateway.gatewayParameters.glooGateway.serviceAccount.extraAnnotations.NAMEstringExtra annotations to add to the service account.
kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.tagstring<release_version, ex: 1.2.3>The image tag for the container.
kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.repositorystringsdsThe image repository (name) for the container.
kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.capabilities.add[]string
kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.capabilities.drop[]string
kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.privilegedbool
kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.seLinuxOptions.userstring
kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.seLinuxOptions.rolestring
kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.seLinuxOptions.typestring
kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.seLinuxOptions.levelstring
kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.windowsOptions.gmsaCredentialSpecNamestring
kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.windowsOptions.gmsaCredentialSpecstring
kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.windowsOptions.runAsUserNamestring
kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.windowsOptions.hostProcessbool
kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.runAsUserint64
kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.runAsGroupint64
kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.runAsNonRootbool
kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.readOnlyRootFilesystembool
kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.allowPrivilegeEscalationbool
kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.procMountstring
kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.seccompProfile.typestring
kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.seccompProfile.localhostProfilestring
kubeGateway.gatewayParameters.glooGateway.sdsContainer.logLevelstringinfoLog level for sds. Options include “info”, “debug”, “warn”, “error”, “panic” and “fatal”. Default level is info.
kubeGateway.gatewayParameters.glooGateway.sdsContainer.sdsResources.limits.memorystringamount of memory
kubeGateway.gatewayParameters.glooGateway.sdsContainer.sdsResources.limits.cpustringamount of CPUs
kubeGateway.gatewayParameters.glooGateway.sdsContainer.sdsResources.requests.memorystringamount of memory
kubeGateway.gatewayParameters.glooGateway.sdsContainer.sdsResources.requests.cpustringamount of CPUs
kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.tagstring1.22.0The image tag for the container.
kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.repositorystringproxyv2The image repository (name) for the container.
kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.registrystringdocker.io/istioThe image hostname prefix and registry, such as quay.io/solo-io.
kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.capabilities.add[]string
kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.capabilities.drop[]string
kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.privilegedbool
kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.seLinuxOptions.userstring
kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.seLinuxOptions.rolestring
kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.seLinuxOptions.typestring
kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.seLinuxOptions.levelstring
kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.windowsOptions.gmsaCredentialSpecNamestring
kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.windowsOptions.gmsaCredentialSpecstring
kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.windowsOptions.runAsUserNamestring
kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.windowsOptions.hostProcessbool
kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.runAsUserint64
kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.runAsGroupint64
kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.runAsNonRootbool
kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.readOnlyRootFilesystembool
kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.allowPrivilegeEscalationbool
kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.procMountstring
kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.seccompProfile.typestring
kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.seccompProfile.localhostProfilestring
kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.logLevelstringwarningLog level for istio-proxy. Options include “info”, “debug”, “warning”, and “error”. Default level is info Default is ‘warning’.
kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.istioMetaMeshIdstringcluster.localISTIO_META_MESH_ID Environment Variable. Warning: this value is only supported with Kubernetes Gateway API proxy. Defaults to “cluster.local”
kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.istioMetaClusterIdstringKubernetesISTIO_META_CLUSTER_ID Environment Variable. Warning: this value is only supported with Kubernetes Gateway API proxy. Defaults to “Kubernetes”
kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.istioDiscoveryAddressstringistiod.istio-system.svc:15012discoveryAddress field of the PROXY_CONFIG environment variable. Warning: this value is only supported with Kubernetes Gateway API proxy. Defaults to “istiod.istio-system.svc:15012”
kubeGateway.gatewayParameters.glooGateway.istio.customSidecars[]interfaceOverride the default Istio sidecar in gateway-proxy with a custom container. Ignored if Istio.enabled is false
kubeGateway.gatewayParameters.glooGateway.stats.enabledbooltrueEnable the prometheus endpoint
kubeGateway.gatewayParameters.glooGateway.stats.routePrefixRewritestring/stats/prometheusSet the prefix rewrite used for the prometheus endpoint
kubeGateway.gatewayParameters.glooGateway.stats.enableStatsRoutebooltrueEnable the stats endpoint
kubeGateway.gatewayParameters.glooGateway.stats.statsRoutePrefixRewritestring/statsSet the prefix rewrite used for the stats endpoint
kubeGateway.gatewayParameters.glooGateway.floatingUserIdboolIf true, allows the cluster to dynamically assign a user ID for the processes running in the container. Default is false.
settings.watchNamespaces[]stringwhitelist of namespaces for Gloo Edge to watch for services and CRDs. Empty list means all namespaces. If this and WatchNamespaceSelectors are specified, this takes precedence and WatchNamespaceSelectors is ignored
settings.watchNamespaceSelectorsinterfaceA list of Kubernetes selectors that specify the set of namespaces to restrict the namespaces that Gloo controllers take into consideration when watching for resources. Elements in the list are disjunctive (OR semantics), i.e. a namespace will be included if it matches any selector. An empty list means all namespaces. If this and WatchNamespaces are specified, WatchNamespaces takes precedence and this is ignored
settings.writeNamespacestringnamespace where intermediary CRDs will be written to, e.g. Upstreams written by Gloo Edge Discovery.
settings.integrations.knative.enabledboolfalseenabled knative components
settings.integrations.knative.versionstring0.10.0the version of knative installed to the cluster. if using version < 0.8.0, Gloo Edge will use Knative’s ClusterIngress API for configuration rather than the namespace-scoped Ingress
settings.integrations.knative.proxy.image.tagstring<release_version, ex: 1.2.3>The image tag for the container.
settings.integrations.knative.proxy.image.repositorystringgloo-envoy-wrapperThe image repository (name) for the container.
settings.integrations.knative.proxy.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
settings.integrations.knative.proxy.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
settings.integrations.knative.proxy.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
settings.integrations.knative.proxy.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
settings.integrations.knative.proxy.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
settings.integrations.knative.proxy.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
settings.integrations.knative.proxy.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
settings.integrations.knative.proxy.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
settings.integrations.knative.proxy.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
settings.integrations.knative.proxy.httpPortint8080HTTP port for the proxy
settings.integrations.knative.proxy.httpsPortint8443HTTPS port for the proxy
settings.integrations.knative.proxy.tracingstringtracing configuration
settings.integrations.knative.proxy.runAsUserfloat64Explicitly set the user ID for the pod to run as. Default is 10101
settings.integrations.knative.proxy.loopBackAddressstring127.0.0.1Name on which to bind the loop-back interface for this instance of Envoy. Defaults to 127.0.0.1, but other common values may be localhost or ::1
settings.integrations.knative.proxy.statsboolControls whether or not Envoy stats are enabled
settings.integrations.knative.proxy.extraClusterIngressProxyLabels.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.labels data of the cluster ingress proxy deployment.
settings.integrations.knative.proxy.extraClusterIngressProxyAnnotations.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.annotations data of the cluster ingress proxy deployment.
settings.integrations.knative.proxy.internal.deployment.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
settings.integrations.knative.proxy.internal.service.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
settings.integrations.knative.proxy.internal.configMap.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
settings.integrations.knative.proxy.replicasint1number of instances to deploy
settings.integrations.knative.proxy.customEnv[].namestring
settings.integrations.knative.proxy.customEnv[].valuestring
settings.integrations.knative.proxy.customEnv[].valueFrom.fieldRef.apiVersionstring
settings.integrations.knative.proxy.customEnv[].valueFrom.fieldRef.fieldPathstring
settings.integrations.knative.proxy.customEnv[].valueFrom.resourceFieldRef.containerNamestring
settings.integrations.knative.proxy.customEnv[].valueFrom.resourceFieldRef.resourcestring
settings.integrations.knative.proxy.customEnv[].valueFrom.resourceFieldRef.divisorint64
settings.integrations.knative.proxy.customEnv[].valueFrom.resourceFieldRef.divisorint32
settings.integrations.knative.proxy.customEnv[].valueFrom.resourceFieldRef.divisorbool
settings.integrations.knative.proxy.customEnv[].valueFrom.resourceFieldRef.divisor[]uint
settings.integrations.knative.proxy.customEnv[].valueFrom.resourceFieldRef.divisor[]int32
settings.integrations.knative.proxy.customEnv[].valueFrom.resourceFieldRef.divisor[]string
settings.integrations.knative.proxy.customEnv[].valueFrom.resourceFieldRef.divisor[]string
settings.integrations.knative.proxy.customEnv[].valueFrom.configMapKeyRef.namestring
settings.integrations.knative.proxy.customEnv[].valueFrom.configMapKeyRef.keystring
settings.integrations.knative.proxy.customEnv[].valueFrom.configMapKeyRef.optionalbool
settings.integrations.knative.proxy.customEnv[].valueFrom.secretKeyRef.namestring
settings.integrations.knative.proxy.customEnv[].valueFrom.secretKeyRef.keystring
settings.integrations.knative.proxy.customEnv[].valueFrom.secretKeyRef.optionalbool
settings.integrations.knative.proxy.restartPolicystringrestart policy to use when the pod exits
settings.integrations.knative.proxy.priorityClassNamestringname of a defined priority class
settings.integrations.knative.proxy.nodeNamestringname of node to run on
settings.integrations.knative.proxy.nodeSelector.NAMEstringlabel selector for nodes
settings.integrations.knative.proxy.tolerations[].keystring
settings.integrations.knative.proxy.tolerations[].operatorstring
settings.integrations.knative.proxy.tolerations[].valuestring
settings.integrations.knative.proxy.tolerations[].effectstring
settings.integrations.knative.proxy.tolerations[].tolerationSecondsint64
settings.integrations.knative.proxy.affinity.NAMEinterface
settings.integrations.knative.proxy.hostAliases[]interface
settings.integrations.knative.proxy.initContainers[]interfaceInitContainers to be added to the array of initContainers on the deployment.
settings.integrations.knative.proxy.resources.limits.memorystringamount of memory
settings.integrations.knative.proxy.resources.limits.cpustringamount of CPUs
settings.integrations.knative.proxy.resources.requests.memorystringamount of memory
settings.integrations.knative.proxy.resources.requests.cpustringamount of CPUs
settings.integrations.knative.proxy.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
settings.integrations.knative.proxy.service.typestringLoadBalancerK8s service type
settings.integrations.knative.proxy.service.extraAnnotations.NAMEstringextra annotations to add to the service
settings.integrations.knative.proxy.service.loadBalancerIPstringIP address of the load balancer
settings.integrations.knative.proxy.service.httpPortint80HTTP port for the knative/ingress proxy service
settings.integrations.knative.proxy.service.httpsPortint443HTTPS port for the knative/ingress proxy service
settings.integrations.knative.proxy.service.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
settings.integrations.knative.proxy.configMap.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
settings.integrations.knative.proxy.deployment.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
settings.integrations.knative.proxy.containerSecurityContext.capabilities.add[]string
settings.integrations.knative.proxy.containerSecurityContext.capabilities.drop[]string
settings.integrations.knative.proxy.containerSecurityContext.privilegedbool
settings.integrations.knative.proxy.containerSecurityContext.seLinuxOptions.userstring
settings.integrations.knative.proxy.containerSecurityContext.seLinuxOptions.rolestring
settings.integrations.knative.proxy.containerSecurityContext.seLinuxOptions.typestring
settings.integrations.knative.proxy.containerSecurityContext.seLinuxOptions.levelstring
settings.integrations.knative.proxy.containerSecurityContext.windowsOptions.gmsaCredentialSpecNamestring
settings.integrations.knative.proxy.containerSecurityContext.windowsOptions.gmsaCredentialSpecstring
settings.integrations.knative.proxy.containerSecurityContext.windowsOptions.runAsUserNamestring
settings.integrations.knative.proxy.containerSecurityContext.windowsOptions.hostProcessbool
settings.integrations.knative.proxy.containerSecurityContext.runAsUserint64
settings.integrations.knative.proxy.containerSecurityContext.runAsGroupint64
settings.integrations.knative.proxy.containerSecurityContext.runAsNonRootbool
settings.integrations.knative.proxy.containerSecurityContext.readOnlyRootFilesystembool
settings.integrations.knative.proxy.containerSecurityContext.allowPrivilegeEscalationbool
settings.integrations.knative.proxy.containerSecurityContext.procMountstring
settings.integrations.knative.proxy.containerSecurityContext.seccompProfile.typestring
settings.integrations.knative.proxy.containerSecurityContext.seccompProfile.localhostProfilestring
settings.integrations.knative.proxy.containerSecurityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you can not override a ’true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
settings.integrations.knative.requireIngressClassboolonly serve traffic for Knative Ingress objects with the annotation ’networking.knative.dev/ingress.class: gloo.ingress.networking.knative.dev’.
settings.integrations.knative.extraKnativeInternalLabels.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.labels data of the knative internal deployment.
settings.integrations.knative.extraKnativeInternalAnnotations.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.annotations data of the knative internal deployment.
settings.integrations.knative.extraKnativeExternalLabels.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.labels data of the knative external deployment.
settings.integrations.knative.extraKnativeExternalAnnotations.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.annotations data of the knative external deployment.
settings.integrations.consul.datacenterstringDatacenter to use. If not provided, the default agent datacenter is used.
settings.integrations.consul.usernamestringUsername to use for HTTP Basic Authentication.
settings.integrations.consul.passwordstringPassword to use for HTTP Basic Authentication.
settings.integrations.consul.tokenstringToken is used to provide a per-request ACL token which overrides the agent’s default token.
settings.integrations.consul.caFilestringcaFile is the optional path to the CA certificate used for Consul communication, defaults to the system bundle if not specified.
settings.integrations.consul.caPathstringcaPath is the optional path to a directory of CA certificates to use for Consul communication, defaults to the system bundle if not specified.
settings.integrations.consul.certFilestringCertFile is the optional path to the certificate for Consul communication. If this is set then you need to also set KeyFile.
settings.integrations.consul.keyFilestringKeyFile is the optional path to the private key for Consul communication. If this is set then you need to also set CertFile.
settings.integrations.consul.insecureSkipVerifyboolInsecureSkipVerify if set to true will disable TLS host verification.
settings.integrations.consul.waitTimestringWaitTime limits how long a watches for Consul resources will block. If not provided, the agent default values will be used.
settings.integrations.consul.serviceDiscovery.dataCenters[]stringUse this parameter to restrict the data centers that will be considered when discovering and routing to services. If not provided, Gloo Edge will use all available data centers.
settings.integrations.consul.httpAddressstringThe address of the Consul HTTP server. Used by service discovery and key-value storage (if-enabled). Defaults to the value of the standard CONSUL_HTTP_ADDR env if set, otherwise to 127.0.0.1:8500.
settings.integrations.consul.dnsAddressstringThe address of the DNS server used to resolve hostnames in the Consul service address. Used by service discovery (required when Consul service instances are stored as DNS names). Defaults to 127.0.0.1:8600. (the default Consul DNS server)
settings.integrations.consul.dnsPollingIntervalstringThe polling interval for the DNS server. If there is a Consul service address with a hostname instead of an IP, Gloo Edge will resolve the hostname with the configured frequency to update endpoints with any changes to DNS resolution. Defaults to 5s.
settings.integrations.consulUpstreamDiscovery.useTlsTaggingboolAllow Gloo Edge to automatically apply tls to consul services that are tagged the tlsTagName value. Requires RootCaResourceNamespace and RootCaResourceName to be set if true.
settings.integrations.consulUpstreamDiscovery.tlsTagNamestringThe tag Gloo Edge should use to identify consul services that ought to use TLS. If splitTlsServices is true, then this tag is also used to sort serviceInstances into the tls upstream. Defaults to ‘glooUseTls’.
settings.integrations.consulUpstreamDiscovery.splitTlsServicesboolIf true, then create two upstreams to be created when a consul service contains the tls tag; one with TLS and one without.
settings.integrations.consulUpstreamDiscovery.rootCa.namespacestringThe namespace of this resource.
settings.integrations.consulUpstreamDiscovery.rootCa.namestringThe name of this resource.
settings.createbooltruecreate a Settings CRD which provides bootstrap configuration to Gloo Edge controllers
settings.extensionsinterface
settings.singleNamespaceboolEnable to use install namespace as WatchNamespace and WriteNamespace
settings.invalidConfigPolicy.replaceInvalidRoutesboolfalseRather than pausing configuration updates, in the event of an invalid Route defined on a virtual service or route table, Gloo Edge will serve the route with a predefined direct response action. This allows valid routes to be updated when other routes are invalid.
settings.invalidConfigPolicy.invalidRouteResponseCodeint64404the response code for the direct response
settings.invalidConfigPolicy.invalidRouteResponseBodystringGloo Gateway has invalid configuration. Administrators should run glooctl check to find and fix config errors.the response body for the direct response
settings.linkerdboolfalseEnable automatic Linkerd integration in Gloo Edge
settings.disableProxyGarbageCollectionboolfalseSet this option to determine the state of an Envoy listener when the corresponding Proxy resource has no routes. If false (default), Gloo Edge will propagate the state of the Proxy to Envoy, resetting the listener to a clean slate with no routes. If true, Gloo Edge will keep serving the routes from the last applied valid configuration.
settings.regexMaxProgramSizeuint321024Set this field to specify the RE2 default max program size which is a rough estimate of how complex the compiled regex is to evaluate. If not specified, this defaults to 1024.
settings.disableKubernetesDestinationsboolfalseEnable or disable Gloo Edge to scan Kubernetes services in the cluster and create in-memory Upstream resources to represent them. These resources enable Gloo Edge to route requests to a Kubernetes service. Note that if you have a large number of services in your cluster and you do not restrict the namespaces that Gloo Edge watches, the API snapshot increases which can have a negative impact on the Gloo Edge translation time. In addition, load balancing is done in kube-proxy which can have further performance impacts. Using Gloo Upstreams as a routing destination bypasses kube-proxy as the request is routed to the pod directly. Alternatively, you can use Kubernetes Upstream resources as a routing destination to forward requests to the pod directly. For more information, see the docs.
settings.aws.enableCredentialsDiscoveryboolEnable AWS credentials discovery in Envoy for lambda requests. If enableServiceAccountCredentials is also set, it will take precedence as only one may be enabled in Gloo Edge
settings.aws.enableServiceAccountCredentialsboolUse ServiceAccount credentials to authenticate lambda requests. If enableCredentialsDiscovery is also set, this will take precedence as only one may be enabled in Gloo Edge
settings.aws.stsCredentialsRegionstringRegional endpoint to use for AWS STS requests. If empty will default to global sts endpoint.
settings.aws.propagateOriginalRoutingboolSend downstream path and method as x-envoy-original-path and x-envoy-original-method headers on the request to AWS lambda.
settings.aws.credential_refresh_delay.secondsint32The value of this duration in seconds.
settings.aws.credential_refresh_delay.nanosint32The value of this duration in nanoseconds.
settings.aws.fallbackToFirstFunctionboolIt will use the first function which if discovery is enabled the first function is the first function name alphabetically from the last discovery run. Defaults to false.
settings.rateLimitinterfacePartial config for Gloo Edge Enterprise’s rate-limiting service, based on Envoy’s rate-limit service; supports Envoy’s rate-limit service API. (reference here: https://github.com/lyft/ratelimit#configuration) Configure rate-limit descriptors here, which define the limits for requests based on their descriptors. Configure rate-limits (composed of actions, which define how request characteristics get translated into descriptors) on the VirtualHost or its routes.
settings.ratelimitServerinterfaceExternal Ratelimit Server configuration for Gloo Edge Open Sources’s rate-limiting service, based on Envoy’s rate-limit service; supports Envoy’s rate-limit service API. (reference here: https://docs.solo.io/gloo-edge/main/guides/security/rate_limiting/)
settings.circuitBreakers.maxConnectionsuint32Set this field to specify the maximum number of connections that Envoy will make to the upstream cluster. If not specified, the default is 1024.
settings.circuitBreakers.maxPendingRequestsuint32Set this field to specify the maximum number of pending requests that Envoy will allow to the upstream cluster. If not specified, the default is 1024.
settings.circuitBreakers.maxRequestsuint32Set this field to specify the maximum number of parallel requests that Envoy will make to the upstream cluster. If not specified, the default is 1024.
settings.circuitBreakers.maxRetriesuint32Set this field to specify the maximum number of parallel retries that Envoy will allow to the upstream cluster. If not specified, the default is 3.
settings.enableRestEdsboolfalseWhether or not to use rest xds for all EDS by default. Defaults to false.
settings.devModeboolWhether or not to enable dev mode. Defaults to false. Setting to true at install time will expose the gloo dev admin endpoint on port 10010. Not recommended for production. Warning: this value is deprecated as of 1.17 and will be removed in a future release.
settings.secretOptions.sources[].vault.addressstringAddress of the Vault server. This should be a complete URL such as http://solo.io and include port if necessary (vault’s default port is 8200).
settings.secretOptions.sources[].vault.rootKeystringAll keys stored in Vault will begin with this Vault this can be used to run multiple instances of Gloo against the same Vault cluster defaults to gloo.
settings.secretOptions.sources[].vault.pathPrefixstringOptional. The name of a Vault Secrets Engine to which Vault should route traffic. For more info see https://learn.hashicorp.com/tutorials/vault/getting-started-secrets-engines. Defaults to ‘secret’.
settings.secretOptions.sources[].vault.tlsConfig.caCertstringPath to a PEM-encoded CA cert file to use to verify the Vault server SSL certificate.
settings.secretOptions.sources[].vault.tlsConfig.caPathstringPath to a directory of PEM-encoded CA cert files to verify the Vault server SSL certificate.
settings.secretOptions.sources[].vault.tlsConfig.clientCertstringPath to the certificate for Vault communication.
settings.secretOptions.sources[].vault.tlsConfig.clientKeystringPath to the private key for Vault communication.
settings.secretOptions.sources[].vault.tlsConfig.tlsServerNamestringIf set, it is used to set the SNI host when connecting via TLS.
settings.secretOptions.sources[].vault.tlsConfig.insecureboolDisables TLS verification when set to true.
settings.secretOptions.sources[].vault.accessTokenstringVault token to use for authentication. Only one of accessToken or aws may be set.
settings.secretOptions.sources[].vault.aws.vaultRolestringThe Vault role we are trying to authenticate to. This is not necessarily the same as the AWS role to which the Vault role is configured.
settings.secretOptions.sources[].vault.aws.regionstringThe AWS region to use for the login attempt.
settings.secretOptions.sources[].vault.aws.iamServerIdHeaderstringThe IAM Server ID Header required to be included in the request.
settings.secretOptions.sources[].vault.aws.mountPathstringThe Vault path on which the AWS auth is mounted.
settings.secretOptions.sources[].vault.aws.accessKeyIDstringOptional. The Access Key ID as provided by the security credentials on the AWS IAM resource. In cases such as receiving temporary credentials through assumed roles with AWS Security Token Service (STS) or IAM Roles for Service Accounts (IRSA), this field can be omitted. https://developer.hashicorp.com/vault/docs/auth/aws#iam-authentication-inferences.
settings.secretOptions.sources[].vault.aws.secretAccessKeystringOptional. The Secret Access Key as provided by the security credentials on the AWS IAM resource. In cases such as receiving temporary credentials through assumed roles with AWS Security Token Service (STS) or IAM Roles for Service Accounts (IRSA), this field can be omitted. https://developer.hashicorp.com/vault/docs/auth/aws#iam-authentication-inferences.
settings.secretOptions.sources[].vault.aws.sessionTokenstringThe Session Token as provided by the security credentials on the AWS IAM resource.
settings.secretOptions.sources[].vault.aws.leaseIncrementuint32The time increment, in seconds, used in renewing the lease of the Vault token. See: https://developer.hashicorp.com/vault/docs/concepts/lease#lease-durations-and-renewal. Defaults to 0, which causes the default TTL to be used.
settings.secretOptions.sources[].directory.directorystringDirectory to read secrets from.
settings.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gloo.deployment.xdsPortint9977port where gloo serves xDS API to Envoy.
gloo.deployment.restXdsPortuint329976port where gloo serves REST xDS API to Envoy.
gloo.deployment.validationPortint9988port where gloo serves gRPC Proxy Validation to Gateway.
gloo.deployment.proxyDebugPortint9966port where gloo serves gRPC Proxy contents to glooctl.
gloo.deployment.stats.enabledboolControls whether or not Envoy stats are enabled
gloo.deployment.stats.routePrefixRewritestringThe Envoy stats endpoint to which the metrics are written
gloo.deployment.stats.setDatadogAnnotationsboolSets the default datadog annotations
gloo.deployment.stats.enableStatsRouteboolEnables an additional route to the stats cluster defaulting to /stats
gloo.deployment.stats.statsPrefixRewritestringThe Envoy stats endpoint with general metrics for the additional stats route
gloo.deployment.stats.serviceMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Service Monitor. Requires that ’enabled’ is also true
gloo.deployment.stats.podMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Pod Monitor. Requires that ’enabled’ is also true
gloo.deployment.floatingUserIdboolIf true, allows the cluster to dynamically assign a user ID for the processes running in the container. If a SecurityContext is defined for the container, this value is not applied for the container.
gloo.deployment.runAsUserfloat64Explicitly set the user ID for the processes in the container to run as. Default is 10101. If a SecurityContext is defined for the pod or container, this value is not applied for the pod/container.
gloo.deployment.externalTrafficPolicystringSet the external traffic policy on the gloo service.
gloo.deployment.extraGlooLabels.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.labels data of the primary gloo deployment.
gloo.deployment.extraGlooAnnotations.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.annotations data of the primary gloo deployment.
gloo.deployment.livenessProbeEnabledboolSet to true to enable a liveness probe for Gloo Edge (default is false).
gloo.deployment.ossImageTagstring<release_version, ex: 1.2.3>Used for debugging. The version of Gloo OSS that the current version of Gloo Enterprise was built with.
gloo.deployment.podSecurityContext.seLinuxOptions.userstring
gloo.deployment.podSecurityContext.seLinuxOptions.rolestring
gloo.deployment.podSecurityContext.seLinuxOptions.typestring
gloo.deployment.podSecurityContext.seLinuxOptions.levelstring
gloo.deployment.podSecurityContext.windowsOptions.gmsaCredentialSpecNamestring
gloo.deployment.podSecurityContext.windowsOptions.gmsaCredentialSpecstring
gloo.deployment.podSecurityContext.windowsOptions.runAsUserNamestring
gloo.deployment.podSecurityContext.windowsOptions.hostProcessbool
gloo.deployment.podSecurityContext.runAsUserint64
gloo.deployment.podSecurityContext.runAsGroupint64
gloo.deployment.podSecurityContext.runAsNonRootbool
gloo.deployment.podSecurityContext.supplementalGroups[]int64
gloo.deployment.podSecurityContext.fsGroupint64
gloo.deployment.podSecurityContext.sysctls[].namestring
gloo.deployment.podSecurityContext.sysctls[].valuestring
gloo.deployment.podSecurityContext.fsGroupChangePolicystring
gloo.deployment.podSecurityContext.seccompProfile.typestring
gloo.deployment.podSecurityContext.seccompProfile.localhostProfilestring
gloo.deployment.podSecurityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you can not override a ’true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
gloo.deployment.replicasint1number of instances to deploy
gloo.deployment.customEnv[].namestring
gloo.deployment.customEnv[].valuestring
gloo.deployment.customEnv[].valueFrom.fieldRef.apiVersionstring
gloo.deployment.customEnv[].valueFrom.fieldRef.fieldPathstring
gloo.deployment.customEnv[].valueFrom.resourceFieldRef.containerNamestring
gloo.deployment.customEnv[].valueFrom.resourceFieldRef.resourcestring
gloo.deployment.customEnv[].valueFrom.resourceFieldRef.divisorint64
gloo.deployment.customEnv[].valueFrom.resourceFieldRef.divisorint32
gloo.deployment.customEnv[].valueFrom.resourceFieldRef.divisorbool
gloo.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]uint
gloo.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]int32
gloo.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]string
gloo.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]string
gloo.deployment.customEnv[].valueFrom.configMapKeyRef.namestring
gloo.deployment.customEnv[].valueFrom.configMapKeyRef.keystring
gloo.deployment.customEnv[].valueFrom.configMapKeyRef.optionalbool
gloo.deployment.customEnv[].valueFrom.secretKeyRef.namestring
gloo.deployment.customEnv[].valueFrom.secretKeyRef.keystring
gloo.deployment.customEnv[].valueFrom.secretKeyRef.optionalbool
gloo.deployment.restartPolicystringrestart policy to use when the pod exits
gloo.deployment.priorityClassNamestringname of a defined priority class
gloo.deployment.nodeNamestringname of node to run on
gloo.deployment.nodeSelector.NAMEstringlabel selector for nodes
gloo.deployment.tolerations[].keystring
gloo.deployment.tolerations[].operatorstring
gloo.deployment.tolerations[].valuestring
gloo.deployment.tolerations[].effectstring
gloo.deployment.tolerations[].tolerationSecondsint64
gloo.deployment.affinity.NAMEinterface
gloo.deployment.hostAliases[]interface
gloo.deployment.initContainers[]interfaceInitContainers to be added to the array of initContainers on the deployment.
gloo.deployment.resources.limits.memorystringamount of memory
gloo.deployment.resources.limits.cpustringamount of CPUs
gloo.deployment.resources.requests.memorystringamount of memory
gloo.deployment.resources.requests.cpustringamount of CPUs
gloo.deployment.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gloo.deployment.image.tagstring<release_version, ex: 1.2.3>The image tag for the container.
gloo.deployment.image.repositorystringglooThe image repository (name) for the container.
gloo.deployment.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
gloo.deployment.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
gloo.deployment.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
gloo.deployment.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
gloo.deployment.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
gloo.deployment.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
gloo.deployment.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
gloo.deployment.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
gloo.deployment.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
gloo.deployment.glooContainerSecurityContext.capabilities.add[]string
gloo.deployment.glooContainerSecurityContext.capabilities.drop[]string
gloo.deployment.glooContainerSecurityContext.privilegedbool
gloo.deployment.glooContainerSecurityContext.seLinuxOptions.userstring
gloo.deployment.glooContainerSecurityContext.seLinuxOptions.rolestring
gloo.deployment.glooContainerSecurityContext.seLinuxOptions.typestring
gloo.deployment.glooContainerSecurityContext.seLinuxOptions.levelstring
gloo.deployment.glooContainerSecurityContext.windowsOptions.gmsaCredentialSpecNamestring
gloo.deployment.glooContainerSecurityContext.windowsOptions.gmsaCredentialSpecstring
gloo.deployment.glooContainerSecurityContext.windowsOptions.runAsUserNamestring
gloo.deployment.glooContainerSecurityContext.windowsOptions.hostProcessbool
gloo.deployment.glooContainerSecurityContext.runAsUserint64
gloo.deployment.glooContainerSecurityContext.runAsGroupint64
gloo.deployment.glooContainerSecurityContext.runAsNonRootbool
gloo.deployment.glooContainerSecurityContext.readOnlyRootFilesystembool
gloo.deployment.glooContainerSecurityContext.allowPrivilegeEscalationbool
gloo.deployment.glooContainerSecurityContext.procMountstring
gloo.deployment.glooContainerSecurityContext.seccompProfile.typestring
gloo.deployment.glooContainerSecurityContext.seccompProfile.localhostProfilestring
gloo.deployment.glooContainerSecurityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you can not override a ’true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
gloo.serviceAccount.extraAnnotations.NAMEstringextra annotations to add to the service account
gloo.serviceAccount.disableAutomountbooldisable automounting the service account to the gateway proxy. not mounting the token hardens the proxy container, but may interfere with service mesh integrations
gloo.serviceAccount.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gloo.splitLogOutputboolSet to true to send debug/info/warning logs to stdout, error/fatal/panic to stderr. Set to false to send all logs to stdout
gloo.service.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gloo.logLevelstringLevel at which the pod should log. Options include “info”, “debug”, “warn”, “error”, “panic” and “fatal”. Default level is info
gloo.disableLeaderElectionboolSet to true to disable leader election, and ensure all running replicas are considered the leader. Do not enable this with multiple replicas of Gloo
gloo.headerSecretRefNsMatchesUsboolSet to true to require that secrets sent in headers via headerSecretRefs come from the same namespace as the destination upstream. Default: false
gloo.podDisruptionBudget.minAvailablestringCorresponds directly with the minAvailable field in the PodDisruptionBudgetSpec. This value is mutually exclusive with maxUnavailable.
gloo.podDisruptionBudget.maxUnavailablestringCorresponds directly with the maxUnavailable field in the PodDisruptionBudgetSpec. This value is mutually exclusive with minAvailable.
discovery.deployment.image.tagstring<release_version, ex: 1.2.3>The image tag for the container.
discovery.deployment.image.repositorystringdiscoveryThe image repository (name) for the container.
discovery.deployment.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
discovery.deployment.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
discovery.deployment.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
discovery.deployment.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
discovery.deployment.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
discovery.deployment.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
discovery.deployment.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
discovery.deployment.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
discovery.deployment.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
discovery.deployment.stats.enabledboolControls whether or not Envoy stats are enabled
discovery.deployment.stats.routePrefixRewritestringThe Envoy stats endpoint to which the metrics are written
discovery.deployment.stats.setDatadogAnnotationsboolSets the default datadog annotations
discovery.deployment.stats.enableStatsRouteboolEnables an additional route to the stats cluster defaulting to /stats
discovery.deployment.stats.statsPrefixRewritestringThe Envoy stats endpoint with general metrics for the additional stats route
discovery.deployment.stats.serviceMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Service Monitor. Requires that ’enabled’ is also true
discovery.deployment.stats.podMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Pod Monitor. Requires that ’enabled’ is also true
discovery.deployment.floatingUserIdboolIf true, allows the cluster to dynamically assign a user ID for the processes running in the container.
discovery.deployment.runAsUserfloat64Explicitly set the user ID for the processes in the container to run as. Default is 10101.
discovery.deployment.fsGroupfloat64Explicitly set the group ID for volume ownership. Default is 10101
discovery.deployment.extraDiscoveryLabels.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.labels data of the gloo edge discovery deployment.
discovery.deployment.extraDiscoveryAnnotations.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.annotations data of the gloo edge discovery deployment.
discovery.deployment.enablePodSecurityContextbooltrueWhether or not to render the pod security context. Default is true
discovery.deployment.discoveryContainerSecurityContext.capabilities.add[]string
discovery.deployment.discoveryContainerSecurityContext.capabilities.drop[]string
discovery.deployment.discoveryContainerSecurityContext.privilegedbool
discovery.deployment.discoveryContainerSecurityContext.seLinuxOptions.userstring
discovery.deployment.discoveryContainerSecurityContext.seLinuxOptions.rolestring
discovery.deployment.discoveryContainerSecurityContext.seLinuxOptions.typestring
discovery.deployment.discoveryContainerSecurityContext.seLinuxOptions.levelstring
discovery.deployment.discoveryContainerSecurityContext.windowsOptions.gmsaCredentialSpecNamestring
discovery.deployment.discoveryContainerSecurityContext.windowsOptions.gmsaCredentialSpecstring
discovery.deployment.discoveryContainerSecurityContext.windowsOptions.runAsUserNamestring
discovery.deployment.discoveryContainerSecurityContext.windowsOptions.hostProcessbool
discovery.deployment.discoveryContainerSecurityContext.runAsUserint64
discovery.deployment.discoveryContainerSecurityContext.runAsGroupint64
discovery.deployment.discoveryContainerSecurityContext.runAsNonRootbool
discovery.deployment.discoveryContainerSecurityContext.readOnlyRootFilesystembool
discovery.deployment.discoveryContainerSecurityContext.allowPrivilegeEscalationbool
discovery.deployment.discoveryContainerSecurityContext.procMountstring
discovery.deployment.discoveryContainerSecurityContext.seccompProfile.typestring
discovery.deployment.discoveryContainerSecurityContext.seccompProfile.localhostProfilestring
discovery.deployment.discoveryContainerSecurityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you can not override a ’true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
discovery.deployment.replicasint1number of instances to deploy
discovery.deployment.customEnv[].namestring
discovery.deployment.customEnv[].valuestring
discovery.deployment.customEnv[].valueFrom.fieldRef.apiVersionstring
discovery.deployment.customEnv[].valueFrom.fieldRef.fieldPathstring
discovery.deployment.customEnv[].valueFrom.resourceFieldRef.containerNamestring
discovery.deployment.customEnv[].valueFrom.resourceFieldRef.resourcestring
discovery.deployment.customEnv[].valueFrom.resourceFieldRef.divisorint64
discovery.deployment.customEnv[].valueFrom.resourceFieldRef.divisorint32
discovery.deployment.customEnv[].valueFrom.resourceFieldRef.divisorbool
discovery.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]uint
discovery.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]int32
discovery.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]string
discovery.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]string
discovery.deployment.customEnv[].valueFrom.configMapKeyRef.namestring
discovery.deployment.customEnv[].valueFrom.configMapKeyRef.keystring
discovery.deployment.customEnv[].valueFrom.configMapKeyRef.optionalbool
discovery.deployment.customEnv[].valueFrom.secretKeyRef.namestring
discovery.deployment.customEnv[].valueFrom.secretKeyRef.keystring
discovery.deployment.customEnv[].valueFrom.secretKeyRef.optionalbool
discovery.deployment.restartPolicystringrestart policy to use when the pod exits
discovery.deployment.priorityClassNamestringname of a defined priority class
discovery.deployment.nodeNamestringname of node to run on
discovery.deployment.nodeSelector.NAMEstringlabel selector for nodes
discovery.deployment.tolerations[].keystring
discovery.deployment.tolerations[].operatorstring
discovery.deployment.tolerations[].valuestring
discovery.deployment.tolerations[].effectstring
discovery.deployment.tolerations[].tolerationSecondsint64
discovery.deployment.affinity.NAMEinterface
discovery.deployment.hostAliases[]interface
discovery.deployment.initContainers[]interfaceInitContainers to be added to the array of initContainers on the deployment.
discovery.deployment.resources.limits.memorystringamount of memory
discovery.deployment.resources.limits.cpustringamount of CPUs
discovery.deployment.resources.requests.memorystringamount of memory
discovery.deployment.resources.requests.cpustringamount of CPUs
discovery.deployment.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
discovery.fdsModestringWHITELISTmode for function discovery (blacklist or whitelist). See more info in the settings docs
discovery.udsOptions.enabledboolEnable upstream discovery service. Defaults to true.
discovery.udsOptions.watchLabels.NAMEstringMap of labels to watch. Only services which match all of the selectors specified here will be discovered by UDS.
discovery.fdsOptions.graphqlEnabledboolEnable GraphQL schema generation on the function discovery service. Defaults to true.
discovery.enabledbooltrueenable Discovery features
discovery.serviceAccount.extraAnnotations.NAMEstringextra annotations to add to the service account
discovery.serviceAccount.disableAutomountbooldisable automounting the service account to the gateway proxy. not mounting the token hardens the proxy container, but may interfere with service mesh integrations
discovery.serviceAccount.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
discovery.logLevelstringLevel at which the pod should log. Options include “info”, “debug”, “warn”, “error”, “panic” and “fatal”. Default level is info.
gateway.enabledbooltrueenable Gloo Edge API Gateway features
gateway.validation.enabledbooltrueenable Gloo Edge API Gateway validation hook (default true)
gateway.validation.alwaysAcceptResourcesbooltrueunless this is set this to false in order to ensure validation webhook rejects invalid resources. by default, validation webhook will only log and report metrics for invalid resource admission without rejecting them outright.
gateway.validation.allowWarningsbooltrueset this to false in order to ensure validation webhook rejects resources that would have warning status or rejected status, rather than just rejected.
gateway.validation.warnMissingTlsSecretboolfalseset this to true in order to treat missing tls secret references as warnings, causing validation to allow this state. This supports eventually consistent workflows where TLS secrets may not yet be present when VirtualServices that reference them are created. This field has no effect if allowWarnings is false or acceptAllResources is true.
gateway.validation.serverEnabledbooltrueBy providing the validation field (parent of this object) the user is implicitly opting into validation. This field allows the user to opt out of the validation server, while still configuring pre-existing fields such as warn_route_short_circuiting and disable_transformation_validation.
gateway.validation.disableTransformationValidationboolfalseset this to true to disable transformation validation. This may bring significant performance benefits if using many transformations, at the cost of possibly incorrect transformations being sent to Envoy. When using this value make sure to pre-validate transformations.
gateway.validation.warnRouteShortCircuitingboolfalseWrite a warning to route resources if validation produced a route ordering warning (defaults to false). By setting to true, this means that Gloo Edge will start assigning warnings to resources that would result in route short-circuiting within a virtual host.
gateway.validation.secretNamestringgateway-validation-certsName of the Kubernetes Secret containing TLS certificates used by the validation webhook server. This secret will be created by the certGen Job if the certGen Job is enabled.
gateway.validation.failurePolicystringIgnorefailurePolicy defines how unrecognized errors from the Gateway validation endpoint are handled - allowed values are ‘Ignore’ or ‘Fail’. Defaults to Ignore
gateway.validation.webhook.enabledbooltrueenable validation webhook (default true)
gateway.validation.webhook.disableHelmHookboolfalsedo not create the webhook as helm hook (default false)
gateway.validation.webhook.timeoutSecondsintthe timeout for the webhook, defaults to 10
gateway.validation.webhook.extraAnnotations.NAMEstringextra annotations to add to the webhook
gateway.validation.webhook.skipDeleteValidationResources[]stringresource types in this list will not use webhook valdaition for DELETEs. Use ‘’ to skip validation for all resources. Valid values are ‘virtualservices’, ‘routetables’,‘upstreams’, ‘secrets’, ‘ratelimitconfigs’, and ‘’. Invalid values will be accepted but will not be used.
gateway.validation.webhook.enablePolicyApibooltrueenable validation of Policy Api resources (RouteOptions, VirtualHostOptions) (default: true). NOTE: This only applies if the Kubernetes Gateway Integration is also enabled (kubeGateway.enabled).
gateway.validation.webhook.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gateway.validation.validationServerGrpcMaxSizeBytesint104857600gRPC max message size in bytes for the gloo validation server
gateway.validation.livenessProbeEnabledboolSet to true to enable a liveness probe for the gateway (default is false). You must also set the ‘Probes’ value to true.
gateway.certGenJob.image.tagstring<release_version, ex: 1.2.3>The image tag for the container.
gateway.certGenJob.image.repositorystringcertgenThe image repository (name) for the container.
gateway.certGenJob.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
gateway.certGenJob.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
gateway.certGenJob.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
gateway.certGenJob.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
gateway.certGenJob.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
gateway.certGenJob.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
gateway.certGenJob.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
gateway.certGenJob.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
gateway.certGenJob.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
gateway.certGenJob.restartPolicystringOnFailurerestart policy to use when the pod exits
gateway.certGenJob.priorityClassNamestringname of a defined priority class
gateway.certGenJob.nodeNamestringname of node to run on
gateway.certGenJob.nodeSelector.NAMEstringlabel selector for nodes
gateway.certGenJob.tolerations[].keystring
gateway.certGenJob.tolerations[].operatorstring
gateway.certGenJob.tolerations[].valuestring
gateway.certGenJob.tolerations[].effectstring
gateway.certGenJob.tolerations[].tolerationSecondsint64
gateway.certGenJob.affinity.NAMEinterface
gateway.certGenJob.hostAliases[]interface
gateway.certGenJob.initContainers[]interfaceInitContainers to be added to the array of initContainers on the deployment.
gateway.certGenJob.activeDeadlineSecondsintDeadline in seconds for Kubernetes jobs.
gateway.certGenJob.backoffLimitintSpecifies the number of retries before marking this job failed. In kubernetes, defaults to 6
gateway.certGenJob.completionsintSpecifies the desired number of successfully finished pods the job should be run with.
gateway.certGenJob.manualSelectorboolControls generation of pod labels and pod selectors.
gateway.certGenJob.parallelismintSpecifies the maximum desired number of pods the job should run at any given time.
gateway.certGenJob.ttlSecondsAfterFinishedint60Clean up the finished job after this many seconds. Defaults to 300 for the rollout jobs and 60 for the rest.
gateway.certGenJob.extraPodLabels.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.labels data of the job.
gateway.certGenJob.extraPodAnnotations.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.annotations data of the job.
gateway.certGenJob.containerSecurityContext.capabilities.add[]string
gateway.certGenJob.containerSecurityContext.capabilities.drop[]string
gateway.certGenJob.containerSecurityContext.privilegedbool
gateway.certGenJob.containerSecurityContext.seLinuxOptions.userstring
gateway.certGenJob.containerSecurityContext.seLinuxOptions.rolestring
gateway.certGenJob.containerSecurityContext.seLinuxOptions.typestring
gateway.certGenJob.containerSecurityContext.seLinuxOptions.levelstring
gateway.certGenJob.containerSecurityContext.windowsOptions.gmsaCredentialSpecNamestring
gateway.certGenJob.containerSecurityContext.windowsOptions.gmsaCredentialSpecstring
gateway.certGenJob.containerSecurityContext.windowsOptions.runAsUserNamestring
gateway.certGenJob.containerSecurityContext.windowsOptions.hostProcessbool
gateway.certGenJob.containerSecurityContext.runAsUserint64
gateway.certGenJob.containerSecurityContext.runAsGroupint64
gateway.certGenJob.containerSecurityContext.runAsNonRootbool
gateway.certGenJob.containerSecurityContext.readOnlyRootFilesystembool
gateway.certGenJob.containerSecurityContext.allowPrivilegeEscalationbool
gateway.certGenJob.containerSecurityContext.procMountstring
gateway.certGenJob.containerSecurityContext.seccompProfile.typestring
gateway.certGenJob.containerSecurityContext.seccompProfile.localhostProfilestring
gateway.certGenJob.containerSecurityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you can not override a ’true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
gateway.certGenJob.kubeResourceOverride.NAMEinterfaceoverride fields in the gateway-certgen job.
gateway.certGenJob.mtlsKubeResourceOverride.NAMEinterfaceoverride fields in the gloo-mtls-certgen job.
gateway.certGenJob.enabledbooltrueenable the job that generates the certificates for the validating webhook at install time (default true)
gateway.certGenJob.setTtlAfterFinishedbooltrueSet ttlSecondsAfterFinished on the job. Defaults to true
gateway.certGenJob.floatingUserIdboolIf true, allows the cluster to dynamically assign a user ID for the processes running in the container.
gateway.certGenJob.forceRotationbooltrueIf true, will create new certs even if the old one are still valid.
gateway.certGenJob.rotationDurationstring65sTime duration string indicating the (environment-specific) expected time for all pods to pick up a secret update via SDS. This is only applicable to the mTLS certgen job and cron job. If this duration is too short, secret changes may not have time to propagate to all pods, and some requests may be dropped during cert rotation. Since we do 2 secret updates during a cert rotation, the certgen job is expected to run for at least twice this amount of time. If activeDeadlineSeconds is set on the job, make sure it is at least twice as long as the rotation duration, otherwise the certgen job might time out.
gateway.certGenJob.runAsUserfloat64Explicitly set the user ID for the processes in the container to run as. Default is 10101.
gateway.certGenJob.resources.limits.memorystringamount of memory
gateway.certGenJob.resources.limits.cpustringamount of CPUs
gateway.certGenJob.resources.requests.memorystringamount of memory
gateway.certGenJob.resources.requests.cpustringamount of CPUs
gateway.certGenJob.runOnUpdateboolfalseenable to run the job also on pre-upgrade
gateway.certGenJob.cron.enabledboolfalseenable the cronjob
gateway.certGenJob.cron.schedulestring* * * * *Cron job scheduling
gateway.certGenJob.cron.mtlsKubeResourceOverride.NAMEinterfaceoverride fields in the gloo-mtls-certgen cronjob.
gateway.certGenJob.cron.validationWebhookKubeResourceOverride.NAMEinterfaceoverride fields in the gateway-certgen cronjob.
gateway.rolloutJob.restartPolicystringOnFailurerestart policy to use when the pod exits
gateway.rolloutJob.priorityClassNamestringname of a defined priority class
gateway.rolloutJob.nodeNamestringname of node to run on
gateway.rolloutJob.nodeSelector.NAMEstringlabel selector for nodes
gateway.rolloutJob.tolerations[].keystring
gateway.rolloutJob.tolerations[].operatorstring
gateway.rolloutJob.tolerations[].valuestring
gateway.rolloutJob.tolerations[].effectstring
gateway.rolloutJob.tolerations[].tolerationSecondsint64
gateway.rolloutJob.affinity.NAMEinterface
gateway.rolloutJob.hostAliases[]interface
gateway.rolloutJob.initContainers[]interfaceInitContainers to be added to the array of initContainers on the deployment.
gateway.rolloutJob.activeDeadlineSecondsintDeadline in seconds for Kubernetes jobs.
gateway.rolloutJob.backoffLimitintSpecifies the number of retries before marking this job failed. In kubernetes, defaults to 6
gateway.rolloutJob.completionsintSpecifies the desired number of successfully finished pods the job should be run with.
gateway.rolloutJob.manualSelectorboolControls generation of pod labels and pod selectors.
gateway.rolloutJob.parallelismintSpecifies the maximum desired number of pods the job should run at any given time.
gateway.rolloutJob.ttlSecondsAfterFinishedint300Clean up the finished job after this many seconds. Defaults to 300 for the rollout jobs and 60 for the rest.
gateway.rolloutJob.extraPodLabels.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.labels data of the job.
gateway.rolloutJob.extraPodAnnotations.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.annotations data of the job.
gateway.rolloutJob.containerSecurityContext.capabilities.add[]string
gateway.rolloutJob.containerSecurityContext.capabilities.drop[]string
gateway.rolloutJob.containerSecurityContext.privilegedbool
gateway.rolloutJob.containerSecurityContext.seLinuxOptions.userstring
gateway.rolloutJob.containerSecurityContext.seLinuxOptions.rolestring
gateway.rolloutJob.containerSecurityContext.seLinuxOptions.typestring
gateway.rolloutJob.containerSecurityContext.seLinuxOptions.levelstring
gateway.rolloutJob.containerSecurityContext.windowsOptions.gmsaCredentialSpecNamestring
gateway.rolloutJob.containerSecurityContext.windowsOptions.gmsaCredentialSpecstring
gateway.rolloutJob.containerSecurityContext.windowsOptions.runAsUserNamestring
gateway.rolloutJob.containerSecurityContext.windowsOptions.hostProcessbool
gateway.rolloutJob.containerSecurityContext.runAsUserint64
gateway.rolloutJob.containerSecurityContext.runAsGroupint64
gateway.rolloutJob.containerSecurityContext.runAsNonRootbool
gateway.rolloutJob.containerSecurityContext.readOnlyRootFilesystembool
gateway.rolloutJob.containerSecurityContext.allowPrivilegeEscalationbool
gateway.rolloutJob.containerSecurityContext.procMountstring
gateway.rolloutJob.containerSecurityContext.seccompProfile.typestring
gateway.rolloutJob.containerSecurityContext.seccompProfile.localhostProfilestring
gateway.rolloutJob.containerSecurityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you can not override a ’true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
gateway.rolloutJob.enabledbooltrueEnable the job that applies default Gloo Edge custom resources at install and upgrade time (default true).
gateway.rolloutJob.image.tagstring<release_version, ex: 1.2.3>The image tag for the container.
gateway.rolloutJob.image.repositorystringkubectlThe image repository (name) for the container.
gateway.rolloutJob.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
gateway.rolloutJob.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
gateway.rolloutJob.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
gateway.rolloutJob.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
gateway.rolloutJob.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
gateway.rolloutJob.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
gateway.rolloutJob.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
gateway.rolloutJob.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
gateway.rolloutJob.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
gateway.rolloutJob.resources.limits.memorystringamount of memory
gateway.rolloutJob.resources.limits.cpustringamount of CPUs
gateway.rolloutJob.resources.requests.memorystringamount of memory
gateway.rolloutJob.resources.requests.cpustringamount of CPUs
gateway.rolloutJob.floatingUserIdboolIf true, allows the cluster to dynamically assign a user ID for the processes running in the container.
gateway.rolloutJob.runAsUserfloat64Explicitly set the user ID for the processes in the container to run as. Default is 10101.
gateway.rolloutJob.timeoutint120Time to wait in seconds until the job has completed. If it exceeds this limit, it is deemed to have failed. Defaults to 120
gateway.cleanupJob.restartPolicystringOnFailurerestart policy to use when the pod exits
gateway.cleanupJob.priorityClassNamestringname of a defined priority class
gateway.cleanupJob.nodeNamestringname of node to run on
gateway.cleanupJob.nodeSelector.NAMEstringlabel selector for nodes
gateway.cleanupJob.tolerations[].keystring
gateway.cleanupJob.tolerations[].operatorstring
gateway.cleanupJob.tolerations[].valuestring
gateway.cleanupJob.tolerations[].effectstring
gateway.cleanupJob.tolerations[].tolerationSecondsint64
gateway.cleanupJob.affinity.NAMEinterface
gateway.cleanupJob.hostAliases[]interface
gateway.cleanupJob.initContainers[]interfaceInitContainers to be added to the array of initContainers on the deployment.
gateway.cleanupJob.activeDeadlineSecondsintDeadline in seconds for Kubernetes jobs.
gateway.cleanupJob.backoffLimitintSpecifies the number of retries before marking this job failed. In kubernetes, defaults to 6
gateway.cleanupJob.completionsintSpecifies the desired number of successfully finished pods the job should be run with.
gateway.cleanupJob.manualSelectorboolControls generation of pod labels and pod selectors.
gateway.cleanupJob.parallelismintSpecifies the maximum desired number of pods the job should run at any given time.
gateway.cleanupJob.ttlSecondsAfterFinishedint60Clean up the finished job after this many seconds. Defaults to 300 for the rollout jobs and 60 for the rest.
gateway.cleanupJob.extraPodLabels.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.labels data of the job.
gateway.cleanupJob.extraPodAnnotations.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.annotations data of the job.
gateway.cleanupJob.containerSecurityContext.capabilities.add[]string
gateway.cleanupJob.containerSecurityContext.capabilities.drop[]string
gateway.cleanupJob.containerSecurityContext.privilegedbool
gateway.cleanupJob.containerSecurityContext.seLinuxOptions.userstring
gateway.cleanupJob.containerSecurityContext.seLinuxOptions.rolestring
gateway.cleanupJob.containerSecurityContext.seLinuxOptions.typestring
gateway.cleanupJob.containerSecurityContext.seLinuxOptions.levelstring
gateway.cleanupJob.containerSecurityContext.windowsOptions.gmsaCredentialSpecNamestring
gateway.cleanupJob.containerSecurityContext.windowsOptions.gmsaCredentialSpecstring
gateway.cleanupJob.containerSecurityContext.windowsOptions.runAsUserNamestring
gateway.cleanupJob.containerSecurityContext.windowsOptions.hostProcessbool
gateway.cleanupJob.containerSecurityContext.runAsUserint64
gateway.cleanupJob.containerSecurityContext.runAsGroupint64
gateway.cleanupJob.containerSecurityContext.runAsNonRootbool
gateway.cleanupJob.containerSecurityContext.readOnlyRootFilesystembool
gateway.cleanupJob.containerSecurityContext.allowPrivilegeEscalationbool
gateway.cleanupJob.containerSecurityContext.procMountstring
gateway.cleanupJob.containerSecurityContext.seccompProfile.typestring
gateway.cleanupJob.containerSecurityContext.seccompProfile.localhostProfilestring
gateway.cleanupJob.containerSecurityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you can not override a ’true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
gateway.cleanupJob.enabledbooltrueEnable the job that removes Gloo Edge custom resources when Gloo Edge is uninstalled (default true).
gateway.cleanupJob.image.tagstring<release_version, ex: 1.2.3>The image tag for the container.
gateway.cleanupJob.image.repositorystringkubectlThe image repository (name) for the container.
gateway.cleanupJob.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
gateway.cleanupJob.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
gateway.cleanupJob.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
gateway.cleanupJob.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
gateway.cleanupJob.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
gateway.cleanupJob.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
gateway.cleanupJob.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
gateway.cleanupJob.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
gateway.cleanupJob.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
gateway.cleanupJob.resources.limits.memorystringamount of memory
gateway.cleanupJob.resources.limits.cpustringamount of CPUs
gateway.cleanupJob.resources.requests.memorystringamount of memory
gateway.cleanupJob.resources.requests.cpustringamount of CPUs
gateway.cleanupJob.floatingUserIdboolIf true, allows the cluster to dynamically assign a user ID for the processes running in the container.
gateway.cleanupJob.runAsUserfloat64Explicitly set the user ID for the processes in the container to run as. Default is 10101.
gateway.updateValuesboolif true, will use a provided helm helper ‘gloo.updatevalues’ to update values during template render - useful for plugins/extensions
gateway.proxyServiceAccount.extraAnnotations.NAMEstringextra annotations to add to the service account
gateway.proxyServiceAccount.disableAutomountbooldisable automounting the service account to the gateway proxy. not mounting the token hardens the proxy container, but may interfere with service mesh integrations
gateway.proxyServiceAccount.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gateway.readGatewaysFromAllNamespacesboolfalseif true, read Gateway custom resources from all watched namespaces rather than just the namespace of the Gateway controller
gateway.isolateVirtualHostsBySslConfigboolfalseif true, Added support for the envoy.filters.listener.tls_inspector listener_filter when using the gateway.isolateVirtualHostsBySslConfig=true global setting.
gateway.compressedProxySpecboolif true, enables compression for the Proxy CRD spec
gateway.persistProxySpecboolEnable writing Proxy CRD to etcd. Disabled by default for performance.
gateway.translateEmptyGatewaysboolfalseIf true, the gateways will be translated into Envoy listeners even if no VirtualServices exist.
gateway.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gatewayProxies.NAME.kind.deployment.replicasintnumber of instances to deploy
gatewayProxies.NAME.kind.deployment.customEnv[].namestring
gatewayProxies.NAME.kind.deployment.customEnv[].valuestring
gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.fieldRef.apiVersionstring
gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.fieldRef.fieldPathstring
gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.resourceFieldRef.containerNamestring
gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.resourceFieldRef.resourcestring
gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.resourceFieldRef.divisorint64
gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.resourceFieldRef.divisorint32
gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.resourceFieldRef.divisorbool
gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]uint
gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]int32
gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]string
gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]string
gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.configMapKeyRef.namestring
gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.configMapKeyRef.keystring
gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.configMapKeyRef.optionalbool
gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.secretKeyRef.namestring
gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.secretKeyRef.keystring
gatewayProxies.NAME.kind.deployment.customEnv[].valueFrom.secretKeyRef.optionalbool
gatewayProxies.NAME.kind.deployment.restartPolicystringrestart policy to use when the pod exits
gatewayProxies.NAME.kind.deployment.priorityClassNamestringname of a defined priority class
gatewayProxies.NAME.kind.deployment.nodeNamestringname of node to run on
gatewayProxies.NAME.kind.deployment.nodeSelector.NAMEstringlabel selector for nodes
gatewayProxies.NAME.kind.deployment.tolerations[].keystring
gatewayProxies.NAME.kind.deployment.tolerations[].operatorstring
gatewayProxies.NAME.kind.deployment.tolerations[].valuestring
gatewayProxies.NAME.kind.deployment.tolerations[].effectstring
gatewayProxies.NAME.kind.deployment.tolerations[].tolerationSecondsint64
gatewayProxies.NAME.kind.deployment.affinity.NAMEinterface
gatewayProxies.NAME.kind.deployment.hostAliases[]interface
gatewayProxies.NAME.kind.deployment.initContainers[]interfaceInitContainers to be added to the array of initContainers on the deployment.
gatewayProxies.NAME.kind.deployment.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gatewayProxies.NAME.kind.daemonSet.hostPortboolwhether or not to enable host networking on the pod. Only relevant when running as a DaemonSet
gatewayProxies.NAME.kind.daemonSet.hostNetworkbool
gatewayProxies.NAME.namespacestringNamespace in which to deploy this gateway proxy. Defaults to the value of Settings.WriteNamespace
gatewayProxies.NAME.podTemplate.httpPortintHTTP port for the gateway service target port.
gatewayProxies.NAME.podTemplate.httpsPortintHTTPS port for the gateway service target port.
gatewayProxies.NAME.podTemplate.extraPorts[]interfaceextra ports for the gateway pod.
gatewayProxies.NAME.podTemplate.extraAnnotations.NAMEstringextra annotations to add to the pod.
gatewayProxies.NAME.podTemplate.nodeNamestringname of node to run on.
gatewayProxies.NAME.podTemplate.nodeSelector.NAMEstringlabel selector for nodes.
gatewayProxies.NAME.podTemplate.tolerations[].keystring
gatewayProxies.NAME.podTemplate.tolerations[].operatorstring
gatewayProxies.NAME.podTemplate.tolerations[].valuestring
gatewayProxies.NAME.podTemplate.tolerations[].effectstring
gatewayProxies.NAME.podTemplate.tolerations[].tolerationSecondsint64
gatewayProxies.NAME.podTemplate.probesboolSet to true to enable a readiness probe (default is false). Then, you can also enable a liveness probe.
gatewayProxies.NAME.podTemplate.livenessProbeEnabledboolSet to true to enable a liveness probe (default is false).
gatewayProxies.NAME.podTemplate.resources.limits.memorystringamount of memory
gatewayProxies.NAME.podTemplate.resources.limits.cpustringamount of CPUs
gatewayProxies.NAME.podTemplate.resources.requests.memorystringamount of memory
gatewayProxies.NAME.podTemplate.resources.requests.cpustringamount of CPUs
gatewayProxies.NAME.podTemplate.disableNetBindbooldon’t add the NET_BIND_SERVICE capability to the pod. This means that the gateway proxy will not be able to bind to ports below 1024. If podSecurityContext is defined, this value is not applied.
gatewayProxies.NAME.podTemplate.runUnprivilegedboolrun Envoy as an unprivileged user. If a SecurityContext is defined for the pod or container, this value is not applied for the pod/container.
gatewayProxies.NAME.podTemplate.floatingUserIdboolIf true, allows the cluster to dynamically assign a user ID for the processes running in the container. If podSecurityContext is defined, this value is not applied.
gatewayProxies.NAME.podTemplate.runAsUserfloat64Explicitly set the user ID for the processes in the container to run as. Default is 10101. If a SecurityContext is defined for the pod or container, this value is not applied for the pod/container.
gatewayProxies.NAME.podTemplate.fsGroupfloat64Explicitly set the group ID for volume ownership. Default is 10101. If podSecurityContext is defined, this value is not applied.
gatewayProxies.NAME.podTemplate.gracefulShutdown.enabledboolEnable grace period before shutdown to finish current requests while Envoy health checks fail to e.g. notify external load balancers. NOTE: This will not have any effect if you have not defined health checks via the health check filter
gatewayProxies.NAME.podTemplate.gracefulShutdown.sleepTimeSecondsintTime (in seconds) for the preStop hook to wait before allowing Envoy to terminate
gatewayProxies.NAME.podTemplate.terminationGracePeriodSecondsintTime in seconds to wait for the pod to terminate gracefully. See kubernetes docs for more info.
gatewayProxies.NAME.podTemplate.customReadinessProbe.exec.command[]string
gatewayProxies.NAME.podTemplate.customReadinessProbe.httpGet.pathstring
gatewayProxies.NAME.podTemplate.customReadinessProbe.httpGet.portint64
gatewayProxies.NAME.podTemplate.customReadinessProbe.httpGet.portint32
gatewayProxies.NAME.podTemplate.customReadinessProbe.httpGet.portstring
gatewayProxies.NAME.podTemplate.customReadinessProbe.httpGet.hoststring
gatewayProxies.NAME.podTemplate.customReadinessProbe.httpGet.schemestring
gatewayProxies.NAME.podTemplate.customReadinessProbe.httpGet.httpHeaders[].namestring
gatewayProxies.NAME.podTemplate.customReadinessProbe.httpGet.httpHeaders[].valuestring
gatewayProxies.NAME.podTemplate.customReadinessProbe.tcpSocket.portint64
gatewayProxies.NAME.podTemplate.customReadinessProbe.tcpSocket.portint32
gatewayProxies.NAME.podTemplate.customReadinessProbe.tcpSocket.portstring
gatewayProxies.NAME.podTemplate.customReadinessProbe.tcpSocket.hoststring
gatewayProxies.NAME.podTemplate.customReadinessProbe.grpc.portint32
gatewayProxies.NAME.podTemplate.customReadinessProbe.grpc.servicestring
gatewayProxies.NAME.podTemplate.customReadinessProbe.initialDelaySecondsint32
gatewayProxies.NAME.podTemplate.customReadinessProbe.timeoutSecondsint32
gatewayProxies.NAME.podTemplate.customReadinessProbe.periodSecondsint32
gatewayProxies.NAME.podTemplate.customReadinessProbe.successThresholdint32
gatewayProxies.NAME.podTemplate.customReadinessProbe.failureThresholdint32
gatewayProxies.NAME.podTemplate.customReadinessProbe.terminationGracePeriodSecondsint64
gatewayProxies.NAME.podTemplate.customLivenessProbe.exec.command[]string
gatewayProxies.NAME.podTemplate.customLivenessProbe.httpGet.pathstring
gatewayProxies.NAME.podTemplate.customLivenessProbe.httpGet.portint64
gatewayProxies.NAME.podTemplate.customLivenessProbe.httpGet.portint32
gatewayProxies.NAME.podTemplate.customLivenessProbe.httpGet.portstring
gatewayProxies.NAME.podTemplate.customLivenessProbe.httpGet.hoststring
gatewayProxies.NAME.podTemplate.customLivenessProbe.httpGet.schemestring
gatewayProxies.NAME.podTemplate.customLivenessProbe.httpGet.httpHeaders[].namestring
gatewayProxies.NAME.podTemplate.customLivenessProbe.httpGet.httpHeaders[].valuestring
gatewayProxies.NAME.podTemplate.customLivenessProbe.tcpSocket.portint64
gatewayProxies.NAME.podTemplate.customLivenessProbe.tcpSocket.portint32
gatewayProxies.NAME.podTemplate.customLivenessProbe.tcpSocket.portstring
gatewayProxies.NAME.podTemplate.customLivenessProbe.tcpSocket.hoststring
gatewayProxies.NAME.podTemplate.customLivenessProbe.grpc.portint32
gatewayProxies.NAME.podTemplate.customLivenessProbe.grpc.servicestring
gatewayProxies.NAME.podTemplate.customLivenessProbe.initialDelaySecondsint32
gatewayProxies.NAME.podTemplate.customLivenessProbe.timeoutSecondsint32
gatewayProxies.NAME.podTemplate.customLivenessProbe.periodSecondsint32
gatewayProxies.NAME.podTemplate.customLivenessProbe.successThresholdint32
gatewayProxies.NAME.podTemplate.customLivenessProbe.failureThresholdint32
gatewayProxies.NAME.podTemplate.customLivenessProbe.terminationGracePeriodSecondsint64
gatewayProxies.NAME.podTemplate.extraGatewayProxyLabels.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.labels data of the gloo edge gateway-proxy deployment.
gatewayProxies.NAME.podTemplate.extraContainers[]interfaceExtra containers to be added to the array of containers on the gateway proxy deployment.
gatewayProxies.NAME.podTemplate.extraInitContainers[]interfaceExtra initContainers to be added to the array of initContainers on the gateway proxy deployment.
gatewayProxies.NAME.podTemplate.enablePodSecurityContextboolWhether or not to render the pod security context. Default is true.
gatewayProxies.NAME.podTemplate.podSecurityContext.seLinuxOptions.userstring
gatewayProxies.NAME.podTemplate.podSecurityContext.seLinuxOptions.rolestring
gatewayProxies.NAME.podTemplate.podSecurityContext.seLinuxOptions.typestring
gatewayProxies.NAME.podTemplate.podSecurityContext.seLinuxOptions.levelstring
gatewayProxies.NAME.podTemplate.podSecurityContext.windowsOptions.gmsaCredentialSpecNamestring
gatewayProxies.NAME.podTemplate.podSecurityContext.windowsOptions.gmsaCredentialSpecstring
gatewayProxies.NAME.podTemplate.podSecurityContext.windowsOptions.runAsUserNamestring
gatewayProxies.NAME.podTemplate.podSecurityContext.windowsOptions.hostProcessbool
gatewayProxies.NAME.podTemplate.podSecurityContext.runAsUserint64
gatewayProxies.NAME.podTemplate.podSecurityContext.runAsGroupint64
gatewayProxies.NAME.podTemplate.podSecurityContext.runAsNonRootbool
gatewayProxies.NAME.podTemplate.podSecurityContext.supplementalGroups[]int64
gatewayProxies.NAME.podTemplate.podSecurityContext.fsGroupint64
gatewayProxies.NAME.podTemplate.podSecurityContext.sysctls[].namestring
gatewayProxies.NAME.podTemplate.podSecurityContext.sysctls[].valuestring
gatewayProxies.NAME.podTemplate.podSecurityContext.fsGroupChangePolicystring
gatewayProxies.NAME.podTemplate.podSecurityContext.seccompProfile.typestring
gatewayProxies.NAME.podTemplate.podSecurityContext.seccompProfile.localhostProfilestring
gatewayProxies.NAME.podTemplate.podSecurityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you can not override a ’true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
gatewayProxies.NAME.podTemplate.image.tagstringThe image tag for the container.
gatewayProxies.NAME.podTemplate.image.repositorystringThe image repository (name) for the container.
gatewayProxies.NAME.podTemplate.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
gatewayProxies.NAME.podTemplate.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
gatewayProxies.NAME.podTemplate.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
gatewayProxies.NAME.podTemplate.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
gatewayProxies.NAME.podTemplate.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
gatewayProxies.NAME.podTemplate.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
gatewayProxies.NAME.podTemplate.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
gatewayProxies.NAME.podTemplate.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
gatewayProxies.NAME.podTemplate.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.capabilities.add[]string
gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.capabilities.drop[]string
gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.privilegedbool
gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.seLinuxOptions.userstring
gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.seLinuxOptions.rolestring
gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.seLinuxOptions.typestring
gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.seLinuxOptions.levelstring
gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.windowsOptions.gmsaCredentialSpecNamestring
gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.windowsOptions.gmsaCredentialSpecstring
gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.windowsOptions.runAsUserNamestring
gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.windowsOptions.hostProcessbool
gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.runAsUserint64
gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.runAsGroupint64
gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.runAsNonRootbool
gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.readOnlyRootFilesystembool
gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.allowPrivilegeEscalationbool
gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.procMountstring
gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.seccompProfile.typestring
gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.seccompProfile.localhostProfilestring
gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you can not override a ’true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
gatewayProxies.NAME.configMap.data.NAMEstring
gatewayProxies.NAME.configMap.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gatewayProxies.NAME.customStaticLayerinterfaceConfigure the static layer for global overrides to Envoy behavior, as defined in the Envoy bootstrap YAML. You cannot use this setting to set overload or upstream layers. For more info, see the Envoy docs. https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/runtime#config-runtime
gatewayProxies.NAME.globalDownstreamMaxConnectionsuint32the number of concurrent connections needed. limit used to protect against exhausting file descriptors on host machine
gatewayProxies.NAME.healthyPanicThresholdint8the percentage of healthy hosts required to load balance based on health status of hosts
gatewayProxies.NAME.service.typestringgateway service type. default is LoadBalancer
gatewayProxies.NAME.service.httpPortintHTTP port for the gateway service
gatewayProxies.NAME.service.httpsPortintHTTPS port for the gateway service
gatewayProxies.NAME.service.httpNodePortintHTTP nodeport for the gateway service if using type NodePort
gatewayProxies.NAME.service.httpsNodePortintHTTPS nodeport for the gateway service if using type NodePort
gatewayProxies.NAME.service.clusterIPstringstatic clusterIP (or None) when gatewayProxies[].gatewayProxy.service.type is ClusterIP
gatewayProxies.NAME.service.extraAnnotations.NAMEstring
gatewayProxies.NAME.service.externalTrafficPolicystring
gatewayProxies.NAME.service.namestringCustom name override for the service resource of the proxy
gatewayProxies.NAME.service.httpsFirstboolList HTTPS port before HTTP
gatewayProxies.NAME.service.loadBalancerIPstringIP address of the load balancer
gatewayProxies.NAME.service.loadBalancerSourceRanges[]stringList of IP CIDR ranges that are allowed to access the load balancer
gatewayProxies.NAME.service.customPorts[]interfaceList of custom port to expose in the Envoy proxy. Each element follows conventional port syntax (port, targetPort, protocol, name)
gatewayProxies.NAME.service.externalIPs[]stringexternalIPs is a list of IP addresses for which nodes in the cluster will also accept traffic for this service
gatewayProxies.NAME.service.configDumpService.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gatewayProxies.NAME.service.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gatewayProxies.NAME.antiAffinityboolconfigure anti affinity such that pods are preferably not co-located
gatewayProxies.NAME.affinity.NAMEinterface
gatewayProxies.NAME.topologySpreadConstraints[]interfaceconfigure topologySpreadConstraints for gateway proxy pods
gatewayProxies.NAME.tracing.provider.NAMEinterface
gatewayProxies.NAME.tracing.cluster[].NAMEinterface
gatewayProxies.NAME.gatewaySettings.enabledboolenable/disable default gateways
gatewayProxies.NAME.gatewaySettings.disableGeneratedGatewaysboolset to true to disable the gateway generation for a gateway proxy
gatewayProxies.NAME.gatewaySettings.disableHttpGatewayboolSet to true to disable http gateway generation.
gatewayProxies.NAME.gatewaySettings.disableHttpsGatewayboolSet to true to disable https gateway generation.
gatewayProxies.NAME.gatewaySettings.ipv4Onlyboolset to true if your network allows ipv4 addresses only. Sets the Gateway spec’s bindAddress to 0.0.0.0 instead of ::
gatewayProxies.NAME.gatewaySettings.useProxyProtobooluse proxy protocol
gatewayProxies.NAME.gatewaySettings.httpHybridGateway.NAMEinterfacecustom yaml to use for hybrid gateway settings for the http gateway
gatewayProxies.NAME.gatewaySettings.httpsHybridGateway.NAMEinterfacecustom yaml to use for hybrid gateway settings for the https gateway
gatewayProxies.NAME.gatewaySettings.customHttpGateway.NAMEinterfacecustom yaml to use for http gateway settings
gatewayProxies.NAME.gatewaySettings.customHttpsGateway.NAMEinterfacecustom yaml to use for https gateway settings
gatewayProxies.NAME.gatewaySettings.accessLoggingService.NAMEinterfacecustom yaml to use for access logging service (https://docs.solo.io/gloo-edge/latest/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/als/als.proto.sk/)
gatewayProxies.NAME.gatewaySettings.options.NAMEinterfacecustom options for http(s) gateways (https://docs.solo.io/gloo-edge/latest/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options.proto.sk/#listeneroptions)
gatewayProxies.NAME.gatewaySettings.httpGatewayKubeOverride.NAMEinterface
gatewayProxies.NAME.gatewaySettings.httpsGatewayKubeOverride.NAMEinterface
gatewayProxies.NAME.gatewaySettings.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gatewayProxies.NAME.extraEnvoyArgs[]stringEnvoy container args, (e.g. https://www.envoyproxy.io/docs/envoy/latest/operations/cli)
gatewayProxies.NAME.extraContainersHelperstring
gatewayProxies.NAME.extraInitContainersHelperstring
gatewayProxies.NAME.extraVolumes[].NAMEinterface
gatewayProxies.NAME.extraVolumeHelperstring
gatewayProxies.NAME.extraListenersHelperstring
gatewayProxies.NAME.stats.enabledboolControls whether or not Envoy stats are enabled
gatewayProxies.NAME.stats.routePrefixRewritestringThe Envoy stats endpoint to which the metrics are written
gatewayProxies.NAME.stats.setDatadogAnnotationsboolSets the default datadog annotations
gatewayProxies.NAME.stats.enableStatsRouteboolEnables an additional route to the stats cluster defaulting to /stats
gatewayProxies.NAME.stats.statsPrefixRewritestringThe Envoy stats endpoint with general metrics for the additional stats route
gatewayProxies.NAME.stats.serviceMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Service Monitor. Requires that ’enabled’ is also true
gatewayProxies.NAME.stats.podMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Pod Monitor. Requires that ’enabled’ is also true
gatewayProxies.NAME.readConfigboolexpose a read-only subset of the Envoy admin api
gatewayProxies.NAME.readConfigMulticlusterboolexpose a read-only subset of the Envoy admin api to gloo-fed
gatewayProxies.NAME.extraProxyVolumeMounts[].NAMEinterface
gatewayProxies.NAME.extraProxyVolumeMountHelperstringname of custom made named template allowing for extra volume mounts on the proxy container
gatewayProxies.NAME.loopBackAddressstringName on which to bind the loop-back interface for this instance of Envoy. Defaults to 127.0.0.1, but other common values may be localhost or ::1
gatewayProxies.NAME.failover.enabledbool(Enterprise Only): Configure this proxy for failover
gatewayProxies.NAME.failover.portuint(Enterprise Only): Port to use for failover Gateway Bind port, and service. Default is 15443
gatewayProxies.NAME.failover.nodePortuint(Enterprise Only): Optional NodePort for failover Service
gatewayProxies.NAME.failover.secretNamestring(Enterprise Only): Secret containing downstream Ssl Secrets Default is failover-downstream
gatewayProxies.NAME.failover.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gatewayProxies.NAME.disabledboolSkips creation of this gateway proxy. Used to turn off gateway proxies created by preceding configurations
gatewayProxies.NAME.envoyApiVersionstringVersion of the Envoy API to use for the xDS transport and resources. Default is V3
gatewayProxies.NAME.envoyBootstrapExtensions[].NAMEinterfaceList of bootstrap extensions to add to Envoy bootstrap config. Examples include Wasm Service (https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/wasm/v3/wasm.proto#extensions-wasm-v3-wasmservice).
gatewayProxies.NAME.envoyOverloadManager.NAMEinterfaceOverload Manager definition for Envoy bootstrap config. If enabled, a list of Resource Monitors MUST be defined in order to produce a valid Envoy config (https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/overload/v3/overload.proto#overload-manager).
gatewayProxies.NAME.envoyStaticClusters[].NAMEinterfaceList of extra static clusters to be added to Envoy bootstrap config. https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-msg-config-cluster-v3-cluster
gatewayProxies.NAME.horizontalPodAutoscaler.apiVersionstringaccepts autoscaling/v1, autoscaling/v2beta2 or autoscaling/v2. Note: autoscaling/v2beta2 is deprecated as of Kubernetes 1.26.
gatewayProxies.NAME.horizontalPodAutoscaler.minReplicasint32minReplicas is the lower limit for the number of replicas to which the autoscaler can scale down.
gatewayProxies.NAME.horizontalPodAutoscaler.maxReplicasint32maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up. It cannot be less that minReplicas.
gatewayProxies.NAME.horizontalPodAutoscaler.targetCPUUtilizationPercentageint32target average CPU utilization (represented as a percentage of requested CPU) over all the pods. Used only with apiVersion autoscaling/v1
gatewayProxies.NAME.horizontalPodAutoscaler.metrics[].NAMEinterfacemetrics contains the specifications for which to use to calculate the desired replica count (the maximum replica count across all metrics will be used). Used only with apiVersion autoscaling/v2beta2
gatewayProxies.NAME.horizontalPodAutoscaler.behavior.NAMEinterfacebehavior configures the scaling behavior of the target in both Up and Down directions (scaleUp and scaleDown fields respectively). Used only with apiVersion autoscaling/v2beta2
gatewayProxies.NAME.horizontalPodAutoscaler.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gatewayProxies.NAME.podDisruptionBudget.minAvailablestringCorresponds directly with the minAvailable field in the PodDisruptionBudgetSpec. This value is mutually exclusive with maxUnavailable.
gatewayProxies.NAME.podDisruptionBudget.maxUnavailablestringCorresponds directly with the maxUnavailable field in the PodDisruptionBudgetSpec. This value is mutually exclusive with minAvailable.
gatewayProxies.NAME.podDisruptionBudget.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gatewayProxies.NAME.istioMetaMeshIdstringISTIO_META_MESH_ID Environment Variable. Defaults to “cluster.local”
gatewayProxies.NAME.istioMetaClusterIdstringISTIO_META_CLUSTER_ID Environment Variable. Defaults to “Kubernetes”
gatewayProxies.NAME.istioDiscoveryAddressstringdiscoveryAddress field of the PROXY_CONFIG environment variable. Defaults to “istiod.istio-system.svc:15012”
gatewayProxies.NAME.istioSpiffeCertProviderAddressstringAddress of the spiffe certificate provider. Defaults to istioDiscoveryAddress
gatewayProxies.NAME.envoyLogLevelstringLevel at which the pod should log. Options include “trace”, “info”, “debug”, “warn”, “error”, “critical” and “off”. Default level is info
gatewayProxies.NAME.envoyStatsConfig.NAMEinterfaceEnvoy statistics configuration, such as tagging. For more info, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/metrics/v3/stats.proto#config-metrics-v3-statsconfig
gatewayProxies.NAME.xdsServiceAddressstringThe k8s service name for the xds server. Defaults to gloo.
gatewayProxies.NAME.xdsServicePortuint32The k8s service port for the xds server. Defaults to the value from .Values.gloo.deployment.xdsPort, but can be overridden to use, for example, xds-relay.
gatewayProxies.NAME.tcpKeepaliveTimeSecondsuint32The amount of time in seconds for connections to be idle before sending keep-alive probes. Defaults to 60. See here: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#envoy-v3-api-msg-config-core-v3-tcpkeepalive
gatewayProxies.NAME.disableCoreDumpsboolIf set to true, Envoy will not generate core dumps in the event of a crash. Defaults to false
gatewayProxies.NAME.disableExtauthSidecarboolIf set to true, this gateway proxy will not come up with an extauth sidecar container when global.extAuth.envoySidecar is enabled. This setting has no effect otherwise. Defaults to false
gatewayProxies.NAME.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gatewayProxies.gatewayProxy.kind.deployment.replicasint1number of instances to deploy
gatewayProxies.gatewayProxy.kind.deployment.customEnv[].namestring
gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valuestring
gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.fieldRef.apiVersionstring
gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.fieldRef.fieldPathstring
gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.resourceFieldRef.containerNamestring
gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.resourceFieldRef.resourcestring
gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.resourceFieldRef.divisorint64
gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.resourceFieldRef.divisorint32
gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.resourceFieldRef.divisorbool
gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]uint
gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]int32
gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]string
gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]string
gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.configMapKeyRef.namestring
gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.configMapKeyRef.keystring
gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.configMapKeyRef.optionalbool
gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.secretKeyRef.namestring
gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.secretKeyRef.keystring
gatewayProxies.gatewayProxy.kind.deployment.customEnv[].valueFrom.secretKeyRef.optionalbool
gatewayProxies.gatewayProxy.kind.deployment.restartPolicystringrestart policy to use when the pod exits
gatewayProxies.gatewayProxy.kind.deployment.priorityClassNamestringname of a defined priority class
gatewayProxies.gatewayProxy.kind.deployment.nodeNamestringname of node to run on
gatewayProxies.gatewayProxy.kind.deployment.nodeSelector.NAMEstringlabel selector for nodes
gatewayProxies.gatewayProxy.kind.deployment.tolerations[].keystring
gatewayProxies.gatewayProxy.kind.deployment.tolerations[].operatorstring
gatewayProxies.gatewayProxy.kind.deployment.tolerations[].valuestring
gatewayProxies.gatewayProxy.kind.deployment.tolerations[].effectstring
gatewayProxies.gatewayProxy.kind.deployment.tolerations[].tolerationSecondsint64
gatewayProxies.gatewayProxy.kind.deployment.affinity.NAMEinterface
gatewayProxies.gatewayProxy.kind.deployment.hostAliases[]interface
gatewayProxies.gatewayProxy.kind.deployment.initContainers[]interfaceInitContainers to be added to the array of initContainers on the deployment.
gatewayProxies.gatewayProxy.kind.deployment.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gatewayProxies.gatewayProxy.kind.daemonSet.hostPortboolwhether or not to enable host networking on the pod. Only relevant when running as a DaemonSet
gatewayProxies.gatewayProxy.kind.daemonSet.hostNetworkbool
gatewayProxies.gatewayProxy.namespacestringNamespace in which to deploy this gateway proxy. Defaults to the value of Settings.WriteNamespace
gatewayProxies.gatewayProxy.podTemplate.httpPortint8080HTTP port for the gateway service target port.
gatewayProxies.gatewayProxy.podTemplate.httpsPortint8443HTTPS port for the gateway service target port.
gatewayProxies.gatewayProxy.podTemplate.extraPorts[]interfaceextra ports for the gateway pod.
gatewayProxies.gatewayProxy.podTemplate.extraAnnotations.NAMEstringextra annotations to add to the pod.
gatewayProxies.gatewayProxy.podTemplate.nodeNamestringname of node to run on.
gatewayProxies.gatewayProxy.podTemplate.nodeSelector.NAMEstringlabel selector for nodes.
gatewayProxies.gatewayProxy.podTemplate.tolerations[].keystring
gatewayProxies.gatewayProxy.podTemplate.tolerations[].operatorstring
gatewayProxies.gatewayProxy.podTemplate.tolerations[].valuestring
gatewayProxies.gatewayProxy.podTemplate.tolerations[].effectstring
gatewayProxies.gatewayProxy.podTemplate.tolerations[].tolerationSecondsint64
gatewayProxies.gatewayProxy.podTemplate.probesboolfalseSet to true to enable a readiness probe (default is false). Then, you can also enable a liveness probe.
gatewayProxies.gatewayProxy.podTemplate.livenessProbeEnabledboolSet to true to enable a liveness probe (default is false).
gatewayProxies.gatewayProxy.podTemplate.resources.limits.memorystringamount of memory
gatewayProxies.gatewayProxy.podTemplate.resources.limits.cpustringamount of CPUs
gatewayProxies.gatewayProxy.podTemplate.resources.requests.memorystringamount of memory
gatewayProxies.gatewayProxy.podTemplate.resources.requests.cpustringamount of CPUs
gatewayProxies.gatewayProxy.podTemplate.disableNetBindbooltruedon’t add the NET_BIND_SERVICE capability to the pod. This means that the gateway proxy will not be able to bind to ports below 1024. If podSecurityContext is defined, this value is not applied.
gatewayProxies.gatewayProxy.podTemplate.runUnprivilegedbooltruerun Envoy as an unprivileged user. If a SecurityContext is defined for the pod or container, this value is not applied for the pod/container.
gatewayProxies.gatewayProxy.podTemplate.floatingUserIdboolIf true, allows the cluster to dynamically assign a user ID for the processes running in the container. If podSecurityContext is defined, this value is not applied.
gatewayProxies.gatewayProxy.podTemplate.runAsUserfloat64Explicitly set the user ID for the processes in the container to run as. Default is 10101. If a SecurityContext is defined for the pod or container, this value is not applied for the pod/container.
gatewayProxies.gatewayProxy.podTemplate.fsGroupfloat64Explicitly set the group ID for volume ownership. Default is 10101. If podSecurityContext is defined, this value is not applied.
gatewayProxies.gatewayProxy.podTemplate.gracefulShutdown.enabledboolfalseEnable grace period before shutdown to finish current requests while Envoy health checks fail to e.g. notify external load balancers. NOTE: This will not have any effect if you have not defined health checks via the health check filter
gatewayProxies.gatewayProxy.podTemplate.gracefulShutdown.sleepTimeSecondsint25Time (in seconds) for the preStop hook to wait before allowing Envoy to terminate
gatewayProxies.gatewayProxy.podTemplate.terminationGracePeriodSecondsintTime in seconds to wait for the pod to terminate gracefully. See kubernetes docs for more info.
gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.exec.command[]string
gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.httpGet.pathstring
gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.httpGet.portint64
gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.httpGet.portint32
gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.httpGet.portstring
gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.httpGet.hoststring
gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.httpGet.schemestring
gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.httpGet.httpHeaders[].namestring
gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.httpGet.httpHeaders[].valuestring
gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.tcpSocket.portint64
gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.tcpSocket.portint32
gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.tcpSocket.portstring
gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.tcpSocket.hoststring
gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.grpc.portint32
gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.grpc.servicestring
gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.initialDelaySecondsint320
gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.timeoutSecondsint320
gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.periodSecondsint320
gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.successThresholdint320
gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.failureThresholdint320
gatewayProxies.gatewayProxy.podTemplate.customReadinessProbe.terminationGracePeriodSecondsint64
gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.exec.command[]string
gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.httpGet.pathstring
gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.httpGet.portint64
gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.httpGet.portint32
gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.httpGet.portstring
gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.httpGet.hoststring
gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.httpGet.schemestring
gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.httpGet.httpHeaders[].namestring
gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.httpGet.httpHeaders[].valuestring
gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.tcpSocket.portint64
gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.tcpSocket.portint32
gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.tcpSocket.portstring
gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.tcpSocket.hoststring
gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.grpc.portint32
gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.grpc.servicestring
gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.initialDelaySecondsint320
gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.timeoutSecondsint320
gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.periodSecondsint320
gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.successThresholdint320
gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.failureThresholdint320
gatewayProxies.gatewayProxy.podTemplate.customLivenessProbe.terminationGracePeriodSecondsint64
gatewayProxies.gatewayProxy.podTemplate.extraGatewayProxyLabels.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.labels data of the gloo edge gateway-proxy deployment.
gatewayProxies.gatewayProxy.podTemplate.extraContainers[]interfaceExtra containers to be added to the array of containers on the gateway proxy deployment.
gatewayProxies.gatewayProxy.podTemplate.extraInitContainers[]interfaceExtra initContainers to be added to the array of initContainers on the gateway proxy deployment.
gatewayProxies.gatewayProxy.podTemplate.enablePodSecurityContextbooltrueWhether or not to render the pod security context. Default is true.
gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.seLinuxOptions.userstring
gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.seLinuxOptions.rolestring
gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.seLinuxOptions.typestring
gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.seLinuxOptions.levelstring
gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.windowsOptions.gmsaCredentialSpecNamestring
gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.windowsOptions.gmsaCredentialSpecstring
gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.windowsOptions.runAsUserNamestring
gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.windowsOptions.hostProcessbool
gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.runAsUserint64
gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.runAsGroupint64
gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.runAsNonRootbool
gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.supplementalGroups[]int64
gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.fsGroupint64
gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.sysctls[].namestring
gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.sysctls[].valuestring
gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.fsGroupChangePolicystring
gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.seccompProfile.typestring
gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.seccompProfile.localhostProfilestring
gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you can not override a ’true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
gatewayProxies.gatewayProxy.podTemplate.image.tagstring<release_version, ex: 1.2.3>The image tag for the container.
gatewayProxies.gatewayProxy.podTemplate.image.repositorystringgloo-envoy-wrapperThe image repository (name) for the container.
gatewayProxies.gatewayProxy.podTemplate.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
gatewayProxies.gatewayProxy.podTemplate.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
gatewayProxies.gatewayProxy.podTemplate.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
gatewayProxies.gatewayProxy.podTemplate.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
gatewayProxies.gatewayProxy.podTemplate.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
gatewayProxies.gatewayProxy.podTemplate.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
gatewayProxies.gatewayProxy.podTemplate.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
gatewayProxies.gatewayProxy.podTemplate.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
gatewayProxies.gatewayProxy.podTemplate.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.capabilities.add[]string
gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.capabilities.drop[]string
gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.privilegedbool
gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.seLinuxOptions.userstring
gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.seLinuxOptions.rolestring
gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.seLinuxOptions.typestring
gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.seLinuxOptions.levelstring
gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.windowsOptions.gmsaCredentialSpecNamestring
gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.windowsOptions.gmsaCredentialSpecstring
gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.windowsOptions.runAsUserNamestring
gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.windowsOptions.hostProcessbool
gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.runAsUserint64
gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.runAsGroupint64
gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.runAsNonRootbool
gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.readOnlyRootFilesystembool
gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.allowPrivilegeEscalationbool
gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.procMountstring
gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.seccompProfile.typestring
gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.seccompProfile.localhostProfilestring
gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you can not override a ’true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
gatewayProxies.gatewayProxy.configMap.data.NAMEstring
gatewayProxies.gatewayProxy.configMap.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gatewayProxies.gatewayProxy.customStaticLayerinterfaceConfigure the static layer for global overrides to Envoy behavior, as defined in the Envoy bootstrap YAML. You cannot use this setting to set overload or upstream layers. For more info, see the Envoy docs. https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/runtime#config-runtime
gatewayProxies.gatewayProxy.globalDownstreamMaxConnectionsuint32250000the number of concurrent connections needed. limit used to protect against exhausting file descriptors on host machine
gatewayProxies.gatewayProxy.healthyPanicThresholdint850the percentage of healthy hosts required to load balance based on health status of hosts
gatewayProxies.gatewayProxy.service.typestringLoadBalancergateway service type. default is LoadBalancer
gatewayProxies.gatewayProxy.service.httpPortint80HTTP port for the gateway service
gatewayProxies.gatewayProxy.service.httpsPortint443HTTPS port for the gateway service
gatewayProxies.gatewayProxy.service.httpNodePortintHTTP nodeport for the gateway service if using type NodePort
gatewayProxies.gatewayProxy.service.httpsNodePortintHTTPS nodeport for the gateway service if using type NodePort
gatewayProxies.gatewayProxy.service.clusterIPstringstatic clusterIP (or None) when gatewayProxies[].gatewayProxy.service.type is ClusterIP
gatewayProxies.gatewayProxy.service.extraAnnotations.NAMEstring
gatewayProxies.gatewayProxy.service.externalTrafficPolicystring
gatewayProxies.gatewayProxy.service.namestringCustom name override for the service resource of the proxy
gatewayProxies.gatewayProxy.service.httpsFirstboolList HTTPS port before HTTP
gatewayProxies.gatewayProxy.service.loadBalancerIPstringIP address of the load balancer
gatewayProxies.gatewayProxy.service.loadBalancerSourceRanges[]stringList of IP CIDR ranges that are allowed to access the load balancer
gatewayProxies.gatewayProxy.service.customPorts[]interfaceList of custom port to expose in the Envoy proxy. Each element follows conventional port syntax (port, targetPort, protocol, name)
gatewayProxies.gatewayProxy.service.externalIPs[]stringexternalIPs is a list of IP addresses for which nodes in the cluster will also accept traffic for this service
gatewayProxies.gatewayProxy.service.configDumpService.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gatewayProxies.gatewayProxy.service.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gatewayProxies.gatewayProxy.antiAffinityboolconfigure anti affinity such that pods are preferably not co-located
gatewayProxies.gatewayProxy.affinity.NAMEinterface
gatewayProxies.gatewayProxy.topologySpreadConstraints[]interfaceconfigure topologySpreadConstraints for gateway proxy pods
gatewayProxies.gatewayProxy.tracing.provider.NAMEinterface
gatewayProxies.gatewayProxy.tracing.cluster[].NAMEinterface
gatewayProxies.gatewayProxy.gatewaySettings.enabledbooltrueenable/disable default gateways
gatewayProxies.gatewayProxy.gatewaySettings.disableGeneratedGatewaysboolset to true to disable the gateway generation for a gateway proxy
gatewayProxies.gatewayProxy.gatewaySettings.disableHttpGatewayboolSet to true to disable http gateway generation.
gatewayProxies.gatewayProxy.gatewaySettings.disableHttpsGatewayboolSet to true to disable https gateway generation.
gatewayProxies.gatewayProxy.gatewaySettings.ipv4Onlyboolset to true if your network allows ipv4 addresses only. Sets the Gateway spec’s bindAddress to 0.0.0.0 instead of ::
gatewayProxies.gatewayProxy.gatewaySettings.useProxyProtoboolfalseuse proxy protocol
gatewayProxies.gatewayProxy.gatewaySettings.httpHybridGateway.NAMEinterfacecustom yaml to use for hybrid gateway settings for the http gateway
gatewayProxies.gatewayProxy.gatewaySettings.httpsHybridGateway.NAMEinterfacecustom yaml to use for hybrid gateway settings for the https gateway
gatewayProxies.gatewayProxy.gatewaySettings.customHttpGateway.NAMEinterfacecustom yaml to use for http gateway settings
gatewayProxies.gatewayProxy.gatewaySettings.customHttpsGateway.NAMEinterfacecustom yaml to use for https gateway settings
gatewayProxies.gatewayProxy.gatewaySettings.accessLoggingService.NAMEinterfacecustom yaml to use for access logging service (https://docs.solo.io/gloo-edge/latest/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/als/als.proto.sk/)
gatewayProxies.gatewayProxy.gatewaySettings.options.NAMEinterfacecustom options for http(s) gateways (https://docs.solo.io/gloo-edge/latest/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options.proto.sk/#listeneroptions)
gatewayProxies.gatewayProxy.gatewaySettings.httpGatewayKubeOverride.NAMEinterface
gatewayProxies.gatewayProxy.gatewaySettings.httpsGatewayKubeOverride.NAMEinterface
gatewayProxies.gatewayProxy.gatewaySettings.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gatewayProxies.gatewayProxy.extraEnvoyArgs[]stringEnvoy container args, (e.g. https://www.envoyproxy.io/docs/envoy/latest/operations/cli)
gatewayProxies.gatewayProxy.extraContainersHelperstring
gatewayProxies.gatewayProxy.extraInitContainersHelperstring
gatewayProxies.gatewayProxy.extraVolumes[].NAMEinterface
gatewayProxies.gatewayProxy.extraVolumeHelperstring
gatewayProxies.gatewayProxy.extraListenersHelperstring
gatewayProxies.gatewayProxy.stats.enabledboolControls whether or not Envoy stats are enabled
gatewayProxies.gatewayProxy.stats.routePrefixRewritestringThe Envoy stats endpoint to which the metrics are written
gatewayProxies.gatewayProxy.stats.setDatadogAnnotationsboolSets the default datadog annotations
gatewayProxies.gatewayProxy.stats.enableStatsRouteboolEnables an additional route to the stats cluster defaulting to /stats
gatewayProxies.gatewayProxy.stats.statsPrefixRewritestringThe Envoy stats endpoint with general metrics for the additional stats route
gatewayProxies.gatewayProxy.stats.serviceMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Service Monitor. Requires that ’enabled’ is also true
gatewayProxies.gatewayProxy.stats.podMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Pod Monitor. Requires that ’enabled’ is also true
gatewayProxies.gatewayProxy.readConfigboolexpose a read-only subset of the Envoy admin api
gatewayProxies.gatewayProxy.readConfigMulticlusterboolexpose a read-only subset of the Envoy admin api to gloo-fed
gatewayProxies.gatewayProxy.extraProxyVolumeMounts[].NAMEinterface
gatewayProxies.gatewayProxy.extraProxyVolumeMountHelperstringname of custom made named template allowing for extra volume mounts on the proxy container
gatewayProxies.gatewayProxy.loopBackAddressstring127.0.0.1Name on which to bind the loop-back interface for this instance of Envoy. Defaults to 127.0.0.1, but other common values may be localhost or ::1
gatewayProxies.gatewayProxy.failover.enabledboolfalse(Enterprise Only): Configure this proxy for failover
gatewayProxies.gatewayProxy.failover.portuint15443(Enterprise Only): Port to use for failover Gateway Bind port, and service. Default is 15443
gatewayProxies.gatewayProxy.failover.nodePortuint(Enterprise Only): Optional NodePort for failover Service
gatewayProxies.gatewayProxy.failover.secretNamestringfailover-downstream(Enterprise Only): Secret containing downstream Ssl Secrets Default is failover-downstream
gatewayProxies.gatewayProxy.failover.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gatewayProxies.gatewayProxy.disabledboolSkips creation of this gateway proxy. Used to turn off gateway proxies created by preceding configurations
gatewayProxies.gatewayProxy.envoyApiVersionstringV3Version of the Envoy API to use for the xDS transport and resources. Default is V3
gatewayProxies.gatewayProxy.envoyBootstrapExtensions[].NAMEinterfaceList of bootstrap extensions to add to Envoy bootstrap config. Examples include Wasm Service (https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/wasm/v3/wasm.proto#extensions-wasm-v3-wasmservice).
gatewayProxies.gatewayProxy.envoyOverloadManager.NAMEinterfaceOverload Manager definition for Envoy bootstrap config. If enabled, a list of Resource Monitors MUST be defined in order to produce a valid Envoy config (https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/overload/v3/overload.proto#overload-manager).
gatewayProxies.gatewayProxy.envoyOverloadManager.actionsinterfaceOverload Manager definition for Envoy bootstrap config. If enabled, a list of Resource Monitors MUST be defined in order to produce a valid Envoy config (https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/overload/v3/overload.proto#overload-manager).
gatewayProxies.gatewayProxy.envoyOverloadManager.bufferFactoryConfiginterfaceOverload Manager definition for Envoy bootstrap config. If enabled, a list of Resource Monitors MUST be defined in order to produce a valid Envoy config (https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/overload/v3/overload.proto#overload-manager).
gatewayProxies.gatewayProxy.envoyOverloadManager.enabledinterfaceOverload Manager definition for Envoy bootstrap config. If enabled, a list of Resource Monitors MUST be defined in order to produce a valid Envoy config (https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/overload/v3/overload.proto#overload-manager).
gatewayProxies.gatewayProxy.envoyOverloadManager.refreshIntervalinterfaceOverload Manager definition for Envoy bootstrap config. If enabled, a list of Resource Monitors MUST be defined in order to produce a valid Envoy config (https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/overload/v3/overload.proto#overload-manager).
gatewayProxies.gatewayProxy.envoyOverloadManager.resourceMonitorsinterfaceOverload Manager definition for Envoy bootstrap config. If enabled, a list of Resource Monitors MUST be defined in order to produce a valid Envoy config (https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/overload/v3/overload.proto#overload-manager).
gatewayProxies.gatewayProxy.envoyStaticClusters[].NAMEinterfaceList of extra static clusters to be added to Envoy bootstrap config. https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-msg-config-cluster-v3-cluster
gatewayProxies.gatewayProxy.horizontalPodAutoscaler.apiVersionstringaccepts autoscaling/v1, autoscaling/v2beta2 or autoscaling/v2. Note: autoscaling/v2beta2 is deprecated as of Kubernetes 1.26.
gatewayProxies.gatewayProxy.horizontalPodAutoscaler.minReplicasint32minReplicas is the lower limit for the number of replicas to which the autoscaler can scale down.
gatewayProxies.gatewayProxy.horizontalPodAutoscaler.maxReplicasint32maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up. It cannot be less that minReplicas.
gatewayProxies.gatewayProxy.horizontalPodAutoscaler.targetCPUUtilizationPercentageint32target average CPU utilization (represented as a percentage of requested CPU) over all the pods. Used only with apiVersion autoscaling/v1
gatewayProxies.gatewayProxy.horizontalPodAutoscaler.metrics[].NAMEinterfacemetrics contains the specifications for which to use to calculate the desired replica count (the maximum replica count across all metrics will be used). Used only with apiVersion autoscaling/v2beta2
gatewayProxies.gatewayProxy.horizontalPodAutoscaler.behavior.NAMEinterfacebehavior configures the scaling behavior of the target in both Up and Down directions (scaleUp and scaleDown fields respectively). Used only with apiVersion autoscaling/v2beta2
gatewayProxies.gatewayProxy.horizontalPodAutoscaler.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gatewayProxies.gatewayProxy.podDisruptionBudget.minAvailablestringCorresponds directly with the minAvailable field in the PodDisruptionBudgetSpec. This value is mutually exclusive with maxUnavailable.
gatewayProxies.gatewayProxy.podDisruptionBudget.maxUnavailablestringCorresponds directly with the maxUnavailable field in the PodDisruptionBudgetSpec. This value is mutually exclusive with minAvailable.
gatewayProxies.gatewayProxy.podDisruptionBudget.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
gatewayProxies.gatewayProxy.istioMetaMeshIdstringISTIO_META_MESH_ID Environment Variable. Defaults to “cluster.local”
gatewayProxies.gatewayProxy.istioMetaClusterIdstringISTIO_META_CLUSTER_ID Environment Variable. Defaults to “Kubernetes”
gatewayProxies.gatewayProxy.istioDiscoveryAddressstringistiod.istio-system.svc:15012discoveryAddress field of the PROXY_CONFIG environment variable. Defaults to “istiod.istio-system.svc:15012”
gatewayProxies.gatewayProxy.istioSpiffeCertProviderAddressstringAddress of the spiffe certificate provider. Defaults to istioDiscoveryAddress
gatewayProxies.gatewayProxy.envoyLogLevelstringLevel at which the pod should log. Options include “trace”, “info”, “debug”, “warn”, “error”, “critical” and “off”. Default level is info
gatewayProxies.gatewayProxy.envoyStatsConfig.NAMEinterfaceEnvoy statistics configuration, such as tagging. For more info, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/metrics/v3/stats.proto#config-metrics-v3-statsconfig
gatewayProxies.gatewayProxy.xdsServiceAddressstringThe k8s service name for the xds server. Defaults to gloo.
gatewayProxies.gatewayProxy.xdsServicePortuint32The k8s service port for the xds server. Defaults to the value from .Values.gloo.deployment.xdsPort, but can be overridden to use, for example, xds-relay.
gatewayProxies.gatewayProxy.tcpKeepaliveTimeSecondsuint3260The amount of time in seconds for connections to be idle before sending keep-alive probes. Defaults to 60. See here: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#envoy-v3-api-msg-config-core-v3-tcpkeepalive
gatewayProxies.gatewayProxy.disableCoreDumpsboolfalseIf set to true, Envoy will not generate core dumps in the event of a crash. Defaults to false
gatewayProxies.gatewayProxy.disableExtauthSidecarboolfalseIf set to true, this gateway proxy will not come up with an extauth sidecar container when global.extAuth.envoySidecar is enabled. This setting has no effect otherwise. Defaults to false
gatewayProxies.gatewayProxy.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
ingress.enabledboolfalse
ingress.deployment.image.tagstring<release_version, ex: 1.2.3>The image tag for the container.
ingress.deployment.image.repositorystringingressThe image repository (name) for the container.
ingress.deployment.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
ingress.deployment.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
ingress.deployment.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
ingress.deployment.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
ingress.deployment.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
ingress.deployment.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
ingress.deployment.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
ingress.deployment.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
ingress.deployment.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
ingress.deployment.runAsUserfloat64Explicitly set the user ID for the processes in the container to run as. Default is 10101.
ingress.deployment.floatingUserIdboolIf true, allows the cluster to dynamically assign a user ID for the processes running in the container.
ingress.deployment.extraIngressLabels.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.labels data of the ingress deployment.
ingress.deployment.extraIngressAnnotations.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.annotations data of the ingress deployment.
ingress.deployment.statsboolControls whether or not Envoy stats are enabled
ingress.deployment.ingressContainerSecurityContext.capabilities.add[]string
ingress.deployment.ingressContainerSecurityContext.capabilities.drop[]string
ingress.deployment.ingressContainerSecurityContext.privilegedbool
ingress.deployment.ingressContainerSecurityContext.seLinuxOptions.userstring
ingress.deployment.ingressContainerSecurityContext.seLinuxOptions.rolestring
ingress.deployment.ingressContainerSecurityContext.seLinuxOptions.typestring
ingress.deployment.ingressContainerSecurityContext.seLinuxOptions.levelstring
ingress.deployment.ingressContainerSecurityContext.windowsOptions.gmsaCredentialSpecNamestring
ingress.deployment.ingressContainerSecurityContext.windowsOptions.gmsaCredentialSpecstring
ingress.deployment.ingressContainerSecurityContext.windowsOptions.runAsUserNamestring
ingress.deployment.ingressContainerSecurityContext.windowsOptions.hostProcessbool
ingress.deployment.ingressContainerSecurityContext.runAsUserint64
ingress.deployment.ingressContainerSecurityContext.runAsGroupint64
ingress.deployment.ingressContainerSecurityContext.runAsNonRootbool
ingress.deployment.ingressContainerSecurityContext.readOnlyRootFilesystembool
ingress.deployment.ingressContainerSecurityContext.allowPrivilegeEscalationbool
ingress.deployment.ingressContainerSecurityContext.procMountstring
ingress.deployment.ingressContainerSecurityContext.seccompProfile.typestring
ingress.deployment.ingressContainerSecurityContext.seccompProfile.localhostProfilestring
ingress.deployment.ingressContainerSecurityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you can not override a ’true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
ingress.deployment.replicasint1number of instances to deploy
ingress.deployment.customEnv[].namestring
ingress.deployment.customEnv[].valuestring
ingress.deployment.customEnv[].valueFrom.fieldRef.apiVersionstring
ingress.deployment.customEnv[].valueFrom.fieldRef.fieldPathstring
ingress.deployment.customEnv[].valueFrom.resourceFieldRef.containerNamestring
ingress.deployment.customEnv[].valueFrom.resourceFieldRef.resourcestring
ingress.deployment.customEnv[].valueFrom.resourceFieldRef.divisorint64
ingress.deployment.customEnv[].valueFrom.resourceFieldRef.divisorint32
ingress.deployment.customEnv[].valueFrom.resourceFieldRef.divisorbool
ingress.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]uint
ingress.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]int32
ingress.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]string
ingress.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]string
ingress.deployment.customEnv[].valueFrom.configMapKeyRef.namestring
ingress.deployment.customEnv[].valueFrom.configMapKeyRef.keystring
ingress.deployment.customEnv[].valueFrom.configMapKeyRef.optionalbool
ingress.deployment.customEnv[].valueFrom.secretKeyRef.namestring
ingress.deployment.customEnv[].valueFrom.secretKeyRef.keystring
ingress.deployment.customEnv[].valueFrom.secretKeyRef.optionalbool
ingress.deployment.restartPolicystringrestart policy to use when the pod exits
ingress.deployment.priorityClassNamestringname of a defined priority class
ingress.deployment.nodeNamestringname of node to run on
ingress.deployment.nodeSelector.NAMEstringlabel selector for nodes
ingress.deployment.tolerations[].keystring
ingress.deployment.tolerations[].operatorstring
ingress.deployment.tolerations[].valuestring
ingress.deployment.tolerations[].effectstring
ingress.deployment.tolerations[].tolerationSecondsint64
ingress.deployment.affinity.NAMEinterface
ingress.deployment.hostAliases[]interface
ingress.deployment.initContainers[]interfaceInitContainers to be added to the array of initContainers on the deployment.
ingress.deployment.resources.limits.memorystringamount of memory
ingress.deployment.resources.limits.cpustringamount of CPUs
ingress.deployment.resources.requests.memorystringamount of memory
ingress.deployment.resources.requests.cpustringamount of CPUs
ingress.deployment.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
ingress.requireIngressClassboolonly serve traffic for Ingress objects with the Ingress Class annotation ‘kubernetes.io/ingress.class’. By default the annotation value must be set to ‘gloo’, however this can be overridden via customIngressClass.
ingress.customIngressClassboolOnly relevant when requireIngressClass is set to true. Setting this value will cause the Gloo Edge Ingress Controller to process only those Ingress objects which have their ingress class set to this value (e.g. ‘kubernetes.io/ingress.class=SOMEVALUE’).
ingressProxy.deployment.image.tagstring<release_version, ex: 1.2.3>The image tag for the container.
ingressProxy.deployment.image.repositorystringgloo-envoy-wrapperThe image repository (name) for the container.
ingressProxy.deployment.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
ingressProxy.deployment.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
ingressProxy.deployment.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
ingressProxy.deployment.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
ingressProxy.deployment.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
ingressProxy.deployment.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
ingressProxy.deployment.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
ingressProxy.deployment.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
ingressProxy.deployment.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
ingressProxy.deployment.httpPortint8080HTTP port for the ingress container
ingressProxy.deployment.httpsPortint8443HTTPS port for the ingress container
ingressProxy.deployment.extraPorts[]interface
ingressProxy.deployment.extraAnnotations.NAMEstring
ingressProxy.deployment.floatingUserIdboolIf true, allows the cluster to dynamically assign a user ID for the processes running in the container.
ingressProxy.deployment.runAsUserfloat64Explicitly set the user ID for the pod to run as. Default is 10101
ingressProxy.deployment.extraIngressProxyLabels.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.labels data of the ingress proxy deployment.
ingressProxy.deployment.statsboolControls whether or not Envoy stats are enabled
ingressProxy.deployment.ingressProxyContainerSecurityContext.capabilities.add[]string
ingressProxy.deployment.ingressProxyContainerSecurityContext.capabilities.drop[]string
ingressProxy.deployment.ingressProxyContainerSecurityContext.privilegedbool
ingressProxy.deployment.ingressProxyContainerSecurityContext.seLinuxOptions.userstring
ingressProxy.deployment.ingressProxyContainerSecurityContext.seLinuxOptions.rolestring
ingressProxy.deployment.ingressProxyContainerSecurityContext.seLinuxOptions.typestring
ingressProxy.deployment.ingressProxyContainerSecurityContext.seLinuxOptions.levelstring
ingressProxy.deployment.ingressProxyContainerSecurityContext.windowsOptions.gmsaCredentialSpecNamestring
ingressProxy.deployment.ingressProxyContainerSecurityContext.windowsOptions.gmsaCredentialSpecstring
ingressProxy.deployment.ingressProxyContainerSecurityContext.windowsOptions.runAsUserNamestring
ingressProxy.deployment.ingressProxyContainerSecurityContext.windowsOptions.hostProcessbool
ingressProxy.deployment.ingressProxyContainerSecurityContext.runAsUserint64
ingressProxy.deployment.ingressProxyContainerSecurityContext.runAsGroupint64
ingressProxy.deployment.ingressProxyContainerSecurityContext.runAsNonRootbool
ingressProxy.deployment.ingressProxyContainerSecurityContext.readOnlyRootFilesystembool
ingressProxy.deployment.ingressProxyContainerSecurityContext.allowPrivilegeEscalationbool
ingressProxy.deployment.ingressProxyContainerSecurityContext.procMountstring
ingressProxy.deployment.ingressProxyContainerSecurityContext.seccompProfile.typestring
ingressProxy.deployment.ingressProxyContainerSecurityContext.seccompProfile.localhostProfilestring
ingressProxy.deployment.ingressProxyContainerSecurityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you can not override a ’true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
ingressProxy.deployment.replicasint1number of instances to deploy
ingressProxy.deployment.customEnv[].namestring
ingressProxy.deployment.customEnv[].valuestring
ingressProxy.deployment.customEnv[].valueFrom.fieldRef.apiVersionstring
ingressProxy.deployment.customEnv[].valueFrom.fieldRef.fieldPathstring
ingressProxy.deployment.customEnv[].valueFrom.resourceFieldRef.containerNamestring
ingressProxy.deployment.customEnv[].valueFrom.resourceFieldRef.resourcestring
ingressProxy.deployment.customEnv[].valueFrom.resourceFieldRef.divisorint64
ingressProxy.deployment.customEnv[].valueFrom.resourceFieldRef.divisorint32
ingressProxy.deployment.customEnv[].valueFrom.resourceFieldRef.divisorbool
ingressProxy.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]uint
ingressProxy.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]int32
ingressProxy.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]string
ingressProxy.deployment.customEnv[].valueFrom.resourceFieldRef.divisor[]string
ingressProxy.deployment.customEnv[].valueFrom.configMapKeyRef.namestring
ingressProxy.deployment.customEnv[].valueFrom.configMapKeyRef.keystring
ingressProxy.deployment.customEnv[].valueFrom.configMapKeyRef.optionalbool
ingressProxy.deployment.customEnv[].valueFrom.secretKeyRef.namestring
ingressProxy.deployment.customEnv[].valueFrom.secretKeyRef.keystring
ingressProxy.deployment.customEnv[].valueFrom.secretKeyRef.optionalbool
ingressProxy.deployment.restartPolicystringrestart policy to use when the pod exits
ingressProxy.deployment.priorityClassNamestringname of a defined priority class
ingressProxy.deployment.nodeNamestringname of node to run on
ingressProxy.deployment.nodeSelector.NAMEstringlabel selector for nodes
ingressProxy.deployment.tolerations[].keystring
ingressProxy.deployment.tolerations[].operatorstring
ingressProxy.deployment.tolerations[].valuestring
ingressProxy.deployment.tolerations[].effectstring
ingressProxy.deployment.tolerations[].tolerationSecondsint64
ingressProxy.deployment.affinity.NAMEinterface
ingressProxy.deployment.hostAliases[]interface
ingressProxy.deployment.initContainers[]interfaceInitContainers to be added to the array of initContainers on the deployment.
ingressProxy.deployment.resources.limits.memorystringamount of memory
ingressProxy.deployment.resources.limits.cpustringamount of CPUs
ingressProxy.deployment.resources.requests.memorystringamount of memory
ingressProxy.deployment.resources.requests.cpustringamount of CPUs
ingressProxy.deployment.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
ingressProxy.configMap.data.NAMEstring
ingressProxy.configMap.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
ingressProxy.tracingstring
ingressProxy.loopBackAddressstring127.0.0.1Name on which to bind the loop-back interface for this instance of Envoy. Defaults to 127.0.0.1, but other common values may be localhost or ::1
ingressProxy.labelstringingress-proxyValue for label gloo. Use a unique value to use several ingress proxy instances in the same cluster. Default is ingress-proxy
ingressProxy.service.typestringLoadBalancerK8s service type
ingressProxy.service.extraAnnotations.NAMEstringextra annotations to add to the service
ingressProxy.service.loadBalancerIPstringIP address of the load balancer
ingressProxy.service.httpPortint80HTTP port for the knative/ingress proxy service
ingressProxy.service.httpsPortint443HTTPS port for the knative/ingress proxy service
ingressProxy.service.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
k8s.clusterNamestringcluster.localcluster name to use when referencing services.
accessLogger.image.tagstring<release_version, ex: 1.2.3>The image tag for the container.
accessLogger.image.repositorystringaccess-loggerThe image repository (name) for the container.
accessLogger.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
accessLogger.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
accessLogger.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
accessLogger.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
accessLogger.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
accessLogger.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
accessLogger.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
accessLogger.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
accessLogger.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
accessLogger.portuint8083
accessLogger.serviceNamestringAccessLog
accessLogger.enabledboolfalse
accessLogger.stats.enabledbooltrueControls whether or not Envoy stats are enabled
accessLogger.stats.routePrefixRewritestringThe Envoy stats endpoint to which the metrics are written
accessLogger.stats.setDatadogAnnotationsboolSets the default datadog annotations
accessLogger.stats.enableStatsRouteboolEnables an additional route to the stats cluster defaulting to /stats
accessLogger.stats.statsPrefixRewritestringThe Envoy stats endpoint with general metrics for the additional stats route
accessLogger.stats.serviceMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Service Monitor. Requires that ’enabled’ is also true
accessLogger.stats.podMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Pod Monitor. Requires that ’enabled’ is also true
accessLogger.runAsUserfloat64Explicitly set the user ID for the processes in the container to run as. Default is 10101.
accessLogger.fsGroupfloat64Explicitly set the group ID for volume ownership. Default is 10101
accessLogger.extraAccessLoggerLabels.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.labels data of the access logger deployment.
accessLogger.extraAccessLoggerAnnotations.NAMEstringOptional extra key-value pairs to add to the spec.template.metadata.annotations data of the access logger deployment.
accessLogger.service.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
accessLogger.deployment.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
accessLogger.accessLoggerContainerSecurityContext.capabilities.add[]string
accessLogger.accessLoggerContainerSecurityContext.capabilities.drop[]string
accessLogger.accessLoggerContainerSecurityContext.privilegedbool
accessLogger.accessLoggerContainerSecurityContext.seLinuxOptions.userstring
accessLogger.accessLoggerContainerSecurityContext.seLinuxOptions.rolestring
accessLogger.accessLoggerContainerSecurityContext.seLinuxOptions.typestring
accessLogger.accessLoggerContainerSecurityContext.seLinuxOptions.levelstring
accessLogger.accessLoggerContainerSecurityContext.windowsOptions.gmsaCredentialSpecNamestring
accessLogger.accessLoggerContainerSecurityContext.windowsOptions.gmsaCredentialSpecstring
accessLogger.accessLoggerContainerSecurityContext.windowsOptions.runAsUserNamestring
accessLogger.accessLoggerContainerSecurityContext.windowsOptions.hostProcessbool
accessLogger.accessLoggerContainerSecurityContext.runAsUserint64
accessLogger.accessLoggerContainerSecurityContext.runAsGroupint64
accessLogger.accessLoggerContainerSecurityContext.runAsNonRootbool
accessLogger.accessLoggerContainerSecurityContext.readOnlyRootFilesystembool
accessLogger.accessLoggerContainerSecurityContext.allowPrivilegeEscalationbool
accessLogger.accessLoggerContainerSecurityContext.procMountstring
accessLogger.accessLoggerContainerSecurityContext.seccompProfile.typestring
accessLogger.accessLoggerContainerSecurityContext.seccompProfile.localhostProfilestring
accessLogger.accessLoggerContainerSecurityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you can not override a ’true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
accessLogger.replicasint1number of instances to deploy
accessLogger.customEnv[].namestring
accessLogger.customEnv[].valuestring
accessLogger.customEnv[].valueFrom.fieldRef.apiVersionstring
accessLogger.customEnv[].valueFrom.fieldRef.fieldPathstring
accessLogger.customEnv[].valueFrom.resourceFieldRef.containerNamestring
accessLogger.customEnv[].valueFrom.resourceFieldRef.resourcestring
accessLogger.customEnv[].valueFrom.resourceFieldRef.divisorint64
accessLogger.customEnv[].valueFrom.resourceFieldRef.divisorint32
accessLogger.customEnv[].valueFrom.resourceFieldRef.divisorbool
accessLogger.customEnv[].valueFrom.resourceFieldRef.divisor[]uint
accessLogger.customEnv[].valueFrom.resourceFieldRef.divisor[]int32
accessLogger.customEnv[].valueFrom.resourceFieldRef.divisor[]string
accessLogger.customEnv[].valueFrom.resourceFieldRef.divisor[]string
accessLogger.customEnv[].valueFrom.configMapKeyRef.namestring
accessLogger.customEnv[].valueFrom.configMapKeyRef.keystring
accessLogger.customEnv[].valueFrom.configMapKeyRef.optionalbool
accessLogger.customEnv[].valueFrom.secretKeyRef.namestring
accessLogger.customEnv[].valueFrom.secretKeyRef.keystring
accessLogger.customEnv[].valueFrom.secretKeyRef.optionalbool
accessLogger.restartPolicystringrestart policy to use when the pod exits
accessLogger.priorityClassNamestringname of a defined priority class
accessLogger.nodeNamestringname of node to run on
accessLogger.nodeSelector.NAMEstringlabel selector for nodes
accessLogger.tolerations[].keystring
accessLogger.tolerations[].operatorstring
accessLogger.tolerations[].valuestring
accessLogger.tolerations[].effectstring
accessLogger.tolerations[].tolerationSecondsint64
accessLogger.affinity.NAMEinterface
accessLogger.hostAliases[]interface
accessLogger.initContainers[]interfaceInitContainers to be added to the array of initContainers on the deployment.
accessLogger.resources.limits.memorystringamount of memory
accessLogger.resources.limits.cpustringamount of CPUs
accessLogger.resources.requests.memorystringamount of memory
accessLogger.resources.requests.cpustringamount of CPUs
accessLogger.kubeResourceOverride.NAMEinterfaceoverride fields in the generated resource by specifying the yaml structure to override under the top-level key.
global.image.tagstringThe image tag for the container.
global.image.repositorystringThe image repository (name) for the container.
global.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
global.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
global.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
global.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
global.image.registrystringquay.io/solo-ioThe image hostname prefix and registry, such as quay.io/solo-io.
global.image.pullPolicystringIfNotPresentThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
global.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
global.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
global.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
global.extensionsinterface
global.glooRbac.createbooltruecreate rbac rules for the gloo-system service account
global.glooRbac.namespacedboolfalseuse Roles instead of ClusterRoles
global.glooRbac.nameSuffixstringWhen nameSuffix is nonempty, append ‘-$nameSuffix’ to the names of Gloo Edge RBAC resources; e.g. when nameSuffix is ‘foo’, the role ‘gloo-resource-reader’ will become ‘gloo-resource-reader-foo’
global.glooStats.enabledbooltrueControls whether or not Envoy stats are enabled
global.glooStats.routePrefixRewritestring/stats/prometheusThe Envoy stats endpoint to which the metrics are written
global.glooStats.setDatadogAnnotationsboolfalseSets the default datadog annotations
global.glooStats.enableStatsRouteboolfalseEnables an additional route to the stats cluster defaulting to /stats
global.glooStats.statsPrefixRewritestring/statsThe Envoy stats endpoint with general metrics for the additional stats route
global.glooStats.serviceMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Service Monitor. Requires that ’enabled’ is also true
global.glooStats.podMonitorEnabledboolWhether or not to expose an http-monitoring port that can be scraped by a Prometheus Pod Monitor. Requires that ’enabled’ is also true
global.glooMtls.enabledboolfalseEnables internal mtls authentication
global.glooMtls.sds.image.tagstring<release_version, ex: 1.2.3>The image tag for the container.
global.glooMtls.sds.image.repositorystringsdsThe image repository (name) for the container.
global.glooMtls.sds.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
global.glooMtls.sds.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
global.glooMtls.sds.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
global.glooMtls.sds.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
global.glooMtls.sds.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
global.glooMtls.sds.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
global.glooMtls.sds.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
global.glooMtls.sds.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
global.glooMtls.sds.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
global.glooMtls.sds.securityContext.capabilities.add[]string
global.glooMtls.sds.securityContext.capabilities.drop[]string
global.glooMtls.sds.securityContext.privilegedbool
global.glooMtls.sds.securityContext.seLinuxOptions.userstring
global.glooMtls.sds.securityContext.seLinuxOptions.rolestring
global.glooMtls.sds.securityContext.seLinuxOptions.typestring
global.glooMtls.sds.securityContext.seLinuxOptions.levelstring
global.glooMtls.sds.securityContext.windowsOptions.gmsaCredentialSpecNamestring
global.glooMtls.sds.securityContext.windowsOptions.gmsaCredentialSpecstring
global.glooMtls.sds.securityContext.windowsOptions.runAsUserNamestring
global.glooMtls.sds.securityContext.windowsOptions.hostProcessbool
global.glooMtls.sds.securityContext.runAsUserint64
global.glooMtls.sds.securityContext.runAsGroupint64
global.glooMtls.sds.securityContext.runAsNonRootbool
global.glooMtls.sds.securityContext.readOnlyRootFilesystembool
global.glooMtls.sds.securityContext.allowPrivilegeEscalationbool
global.glooMtls.sds.securityContext.procMountstring
global.glooMtls.sds.securityContext.seccompProfile.typestring
global.glooMtls.sds.securityContext.seccompProfile.localhostProfilestring
global.glooMtls.sds.securityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you can not override a ’true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
global.glooMtls.sds.logLevelstringinfoLog level for sds. Options include “info”, “debug”, “warn”, “error”, “panic” and “fatal”. Default level is info.
global.glooMtls.sds.sdsResources.limits.memorystringamount of memory
global.glooMtls.sds.sdsResources.limits.cpustringamount of CPUs
global.glooMtls.sds.sdsResources.requests.memorystringamount of memory
global.glooMtls.sds.sdsResources.requests.cpustringamount of CPUs
global.glooMtls.envoy.image.tagstring<release_version, ex: 1.2.3>The image tag for the container.
global.glooMtls.envoy.image.repositorystringgloo-envoy-wrapperThe image repository (name) for the container.
global.glooMtls.envoy.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
global.glooMtls.envoy.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
global.glooMtls.envoy.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
global.glooMtls.envoy.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
global.glooMtls.envoy.image.registrystringThe image hostname prefix and registry, such as quay.io/solo-io.
global.glooMtls.envoy.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
global.glooMtls.envoy.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
global.glooMtls.envoy.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
global.glooMtls.envoy.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
global.glooMtls.envoy.securityContext.capabilities.add[]string
global.glooMtls.envoy.securityContext.capabilities.drop[]string
global.glooMtls.envoy.securityContext.privilegedbool
global.glooMtls.envoy.securityContext.seLinuxOptions.userstring
global.glooMtls.envoy.securityContext.seLinuxOptions.rolestring
global.glooMtls.envoy.securityContext.seLinuxOptions.typestring
global.glooMtls.envoy.securityContext.seLinuxOptions.levelstring
global.glooMtls.envoy.securityContext.windowsOptions.gmsaCredentialSpecNamestring
global.glooMtls.envoy.securityContext.windowsOptions.gmsaCredentialSpecstring
global.glooMtls.envoy.securityContext.windowsOptions.runAsUserNamestring
global.glooMtls.envoy.securityContext.windowsOptions.hostProcessbool
global.glooMtls.envoy.securityContext.runAsUserint64
global.glooMtls.envoy.securityContext.runAsGroupint64
global.glooMtls.envoy.securityContext.runAsNonRootbool
global.glooMtls.envoy.securityContext.readOnlyRootFilesystembool
global.glooMtls.envoy.securityContext.allowPrivilegeEscalationbool
global.glooMtls.envoy.securityContext.procMountstring
global.glooMtls.envoy.securityContext.seccompProfile.typestring
global.glooMtls.envoy.securityContext.seccompProfile.localhostProfilestring
global.glooMtls.envoy.securityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you can not override a ’true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
global.glooMtls.istioProxy.image.tagstring1.22.0The image tag for the container.
global.glooMtls.istioProxy.image.repositorystringproxyv2The image repository (name) for the container.
global.glooMtls.istioProxy.image.digeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=standard.
global.glooMtls.istioProxy.image.fipsDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.
global.glooMtls.istioProxy.image.distrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.
global.glooMtls.istioProxy.image.fipsDistrolessDigeststringThe container image’s hash digest (e.g. ‘sha256:12345…’), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant’s digest (if supported), else the distroless variant’s digest (if supported), else the standard variant’s digest.
global.glooMtls.istioProxy.image.registrystringdocker.io/istioThe image hostname prefix and registry, such as quay.io/solo-io.
global.glooMtls.istioProxy.image.pullPolicystringThe image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
global.glooMtls.istioProxy.image.pullSecretstringThe image pull secret to use for the container, in the same namespace as the container pod.
global.glooMtls.istioProxy.image.variantstringSpecifies the variant of the control plane and data plane containers to deploy. Can take the values ‘standard’, ‘fips’, ‘distroless’, ‘fips-distroless’. Defaults to standard. (The ‘fips’ and ‘fips-distroless’ variants are an Enterprise-only feature)
global.glooMtls.istioProxy.image.fipsbool[Deprecated] Use ‘variant=fips’ instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)
global.glooMtls.istioProxy.securityContext.capabilities.add[]string
global.glooMtls.istioProxy.securityContext.capabilities.drop[]string
global.glooMtls.istioProxy.securityContext.privilegedbool
global.glooMtls.istioProxy.securityContext.seLinuxOptions.userstring
global.glooMtls.istioProxy.securityContext.seLinuxOptions.rolestring
global.glooMtls.istioProxy.securityContext.seLinuxOptions.typestring
global.glooMtls.istioProxy.securityContext.seLinuxOptions.levelstring
global.glooMtls.istioProxy.securityContext.windowsOptions.gmsaCredentialSpecNamestring
global.glooMtls.istioProxy.securityContext.windowsOptions.gmsaCredentialSpecstring
global.glooMtls.istioProxy.securityContext.windowsOptions.runAsUserNamestring
global.glooMtls.istioProxy.securityContext.windowsOptions.hostProcessbool
global.glooMtls.istioProxy.securityContext.runAsUserint64
global.glooMtls.istioProxy.securityContext.runAsGroupint64
global.glooMtls.istioProxy.securityContext.runAsNonRootbool
global.glooMtls.istioProxy.securityContext.readOnlyRootFilesystembool
global.glooMtls.istioProxy.securityContext.allowPrivilegeEscalationbool
global.glooMtls.istioProxy.securityContext.procMountstring
global.glooMtls.istioProxy.securityContext.seccompProfile.typestring
global.glooMtls.istioProxy.securityContext.seccompProfile.localhostProfilestring
global.glooMtls.istioProxy.securityContext.mergePolicystringHow to combine the defined security policy with the default security policy. Valid values are “”, “no-merge”, and “helm-merge”. If defined as an empty string or “no-merge”, use the defined security context as is. If “helm-merge”, merge this security context with the default security context according to the logic of the helm ‘merge’ function. This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm’s ‘merge’ function works, you can not override a ’true’ value with a ‘false’ value, and for that case you will need to define the entire security context and set this value to false. Default value is “”.
global.glooMtls.istioProxy.logLevelstringwarningLog level for istio-proxy. Options include “info”, “debug”, “warning”, and “error”. Default level is info Default is ‘warning’.
global.glooMtls.istioProxy.istioMetaMeshIdstringISTIO_META_MESH_ID Environment Variable. Warning: this value is only supported with Kubernetes Gateway API proxy. Defaults to “cluster.local”
global.glooMtls.istioProxy.istioMetaClusterIdstringISTIO_META_CLUSTER_ID Environment Variable. Warning: this value is only supported with Kubernetes Gateway API proxy. Defaults to “Kubernetes”
global.glooMtls.istioProxy.istioDiscoveryAddressstringdiscoveryAddress field of the PROXY_CONFIG environment variable. Warning: this value is only supported with Kubernetes Gateway API proxy. Defaults to “istiod.istio-system.svc:15012”
global.glooMtls.envoySidecarResources.limits.memorystringamount of memory
global.glooMtls.envoySidecarResources.limits.cpustringamount of CPUs
global.glooMtls.envoySidecarResources.requests.memorystringamount of memory
global.glooMtls.envoySidecarResources.requests.cpustringamount of CPUs
global.glooMtls.sdsResources.limits.memorystringamount of memory
global.glooMtls.sdsResources.limits.cpustringamount of CPUs
global.glooMtls.sdsResources.requests.memorystringamount of memory
global.glooMtls.sdsResources.requests.cpustringamount of CPUs
global.istioSDS.enabledboolfalseEnables SDS cert-rotator sidecar for istio mTLS cert rotation. Warning: this value is deprecated and will be removed in a future release. Use global.istioIntegration.enabled instead.
global.istioSDS.customSidecars[]interfaceOverride the default Istio sidecar in gateway-proxy with a custom container. Ignored if IstioSDS.enabled is false
global.istioIntegration.enabledboolfalseEnables Istio integration for Gloo Edge, adding the sds and istio-proxy containers to gateways for Istio mTLS cert rotation.
global.istioIntegration.enableAutoMtlsboolfalseEnables Istio auto mtls configuration for Gloo Edge upstreams.
global.istioIntegration.disableAutoinjectionboolfalseAnnotate all pods (excluding those whitelisted by other config values) to with an explicit ‘do not inject’ annotation to prevent Istio from adding sidecars to all pods. It’s recommended that this be set to true, as some pods do not immediately work with an Istio sidecar without extra manual configuration. Warning: this value is not supported with Kubernetes Gateway API proxy.
global.istioIntegration.labelInstallNamespaceboolfalseWarning: This value is deprecated and will be removed in a future release. Also, you cannot use this value with a Kubernetes Gateway API proxy. If creating a namespace for Gloo, include the ‘istio-injection: enabled’ label (or ‘istio.io/rev=’ if ‘istioSidecarRevTag’ field is also set) to allow Istio sidecar injection for Gloo pods. Be aware that Istio’s default injection behavior will auto-inject a sidecar into all pods in such a marked namespace. Disabling this behavior in Istio’s configs or using gloo’s global.istioIntegration.disableAutoinjection flag is recommended.
global.istioIntegration.whitelistDiscoveryboolfalseWarning: This value is deprecated and will be removed in a future release. Also, you cannot use this value with a Kubernetes Gateway API proxy. Annotate the discovery pod for Istio sidecar injection to ensure that it gets a sidecar even when namespace-wide auto-injection is disabled. Generally only needed for FDS is enabled.
global.istioIntegration.enableIstioSidecarOnGatewayboolfalseWarning: This value is deprecated and will be removed in a future release. Also, you cannot use this value with a Kubernetes Gateway API proxy. Enable Istio sidecar injection on the gateway-proxy deployment. Ignored if LabelInstallNamespace is not ’true’. Ignored if disableAutoinjection is ’true’.
global.istioIntegration.istioSidecarRevTagstringWarning: This value is deprecated and will be removed in a future release. Also, you cannot use this value with a Kubernetes Gateway API proxy. Value of revision tag for Istio sidecar injection on the gateway-proxy and discovery deployments (when enabled with LabelInstallNamespace, WhitelistDiscovery or EnableIstioSidecarOnGateway). If set, applies the label ‘istio.io/rev:’ instead of ‘sidecar.istio.io/inject’ or ‘istio-injection:enabled’. Ignored if disableAutoinjection is ’true’.
global.istioIntegration.appendXForwardedHostbooltrueWarning: This value is deprecated and will be removed in a future release. Also, you cannot use this value with a Kubernetes Gateway API proxy. Enable appending the X-Forwarded-Host header with the Istio-provided value. Default: true.
global.extraSpecsboolAdd additional specs to include in the settings manifest, as defined by a helm partial. Defaults to false in open source, and true in enterprise.
global.extauthCustomYamlbooltrueInject whatever yaml exists in .Values.global.extensions.extAuth into settings.spec.extauth, instead of structured yaml (which is enterprise only). Defaults to true in open source, and false in enterprise
global.consoleinterfaceConfiguration options for the Enterprise Console (UI).
global.graphqlinterface(Enterprise Only): GraphQL configuration options.
global.configMaps[].namestringName of the ConfigMap to create (required).
global.configMaps[].namespacestringNamespace in which to create the ConfigMap. If empty, defaults to Gloo Edge install namespace.
global.configMaps[].data.NAMEstringKey-value pairs of ConfigMap data.
global.extraCustomResourcesboolAdd additional custom resources to create, as defined by a helm partial. Defaults to false in open source, and true in enterprise.
global.additionalLabels.NAMEstringAdditional labels to add to all gloo resources.
global.podSecurityStandards.container.enableRestrictedContainerDefaultsboolSet to true to default all containers to a security policy that minimally conforms to a restricted container security policy.
global.podSecurityStandards.container.defaultSeccompProfileTypestringThe seccomp profile type to use for default restricted container securityContexts. Valid values are ‘RuntimeDefault’ and ‘Localhost’. Default is ‘RuntimeDefault’. Has no effect if enableRestrictedContainerDefaults is false.
global.securitySettings.floatingUserIdboolIf true, use ’true’ as default value for all instances of floatingUserId. In OSS, has the additional effects of rendering charts as if ‘discovery.deployment.enablePodSecurityContext=false’ and ‘gatewayProxies.gatewayProxy.podTemplate.enablePodSecurityContext=false’. In EE templates has the additional effects of rendering charts as if ‘redis.deployment.enablePodSecurityContext=false’, and in the ExtAuth deployment’s podSecurityContext, behavior will match the local ‘floatingUserId’ and fsGroup will not be rendered.