| common |
struct |
|
|
| common |
struct |
Common values shared across components. When applicable, these can be overridden in specific components. |
|
| common.addonNamespace |
string |
Namespace to install add-on components into, such as the Gloo external auth and rate limiting services. |
gloo-mesh-addons |
| common.adminNamespace |
string |
Namespace to install control plane components into. The admin namespace also contains global configuration, such as Workspace, global overrides WorkspaceSettings, and KubernetesCluster resources. |
|
| common.cluster |
string |
Name of the cluster. Be sure to modify this value to match your cluster's name. |
|
| common.clusterDomain |
string |
The local cluster domain suffix this cluster is configured with. Defaults to ‘cluster.local’. |
|
| common.devMode |
bool |
Set to true to enable development mode for the logger, which can cause panics. Do not use in production. |
false |
| common.insecure |
bool |
Permit unencrypted and unauthenticated communication between Gloo control and data planes. Do not use in production. |
false |
| common.leaderElection |
bool |
Enable leader election for the high-availability deployment. |
true |
| common.prometheusUrl |
string |
Prometheus server address. |
http://prometheus-server |
| common.readOnlyGeneratedResources |
bool |
If true, the deployment only reads Istio resource outputs that are created by Gloo Platform, and filters out Istio resource fields that Gloo Mesh cannot properly unmarshal. These other resource outputs are not visible in the Gloo UI. |
false |
| common.verbose |
bool |
Enable verbose/debug logging. |
false |
| demo |
struct |
Demo-specific features that improve quick setups. Do not use in production. |
|
| demo.manageAddonNamespace |
bool |
Automatically create the add-on namespace set in ‘common.addonNamespace’. |
false |
| experimental |
struct |
Experimental features for Gloo Platform. Disabled by default. Do not use in production. |
|
| experimental.ambientEnabled |
bool |
Allow Gloo Mesh to create Istio Ambient Mesh resources. |
false |
| experimental.asyncStatusWrites |
bool |
Enable asynchronous writing of statuses to Kubernetes objects. |
false |
| extAuthService |
struct |
Configuration for the Gloo external authentication service. |
|
| extAuthService.enabled |
bool |
Enable the Gloo external authentication service. |
false |
| extAuthService.extAuth |
struct |
Configuration for the extauth service. |
|
| extAuthService.extAuth.headersToRedact[] |
[]string |
Headers that will be redacted in the server logs. |
[“authorization”] |
| extAuthService.extAuth.healthCheckFailTimeout |
int |
When receiving a termination signal, the pod waits this amount of seconds for a request that it can use to notify Envoy that it should fail the health check for this endpoint. If no request is received within this interval, the server will shutdown gracefully. The interval should be greater than the active health check interval configured in Envoy for this service. |
15 |
| extAuthService.extAuth.healthCheckHttpPath |
string |
Path for Envoy health checks. |
/healthcheck |
| extAuthService.extAuth.healthLivenessCheckHttpPath |
string |
Path for liveness health checks. |
/livenesscheck |
| extAuthService.extAuth.image |
struct |
Values for the extauth image. |
|
| extAuthService.extAuth.image.pullPolicy |
string |
Image pull policy. |
IfNotPresent |
| extAuthService.extAuth.image.registry |
string |
Image registry. |
gcr.io/gloo-mesh |
| extAuthService.extAuth.image.repository |
string |
Image name (repository). |
ext-auth-service |
| extAuthService.extAuth.image.tag |
string |
Version tag for the container. |
0.36.2-gp-patch0 |
| extAuthService.extAuth.logLevel |
string |
Severity level to collect logs for. |
INFO |
| extAuthService.extAuth.namespacedRbac[] |
[]struct |
Scopes watches and RBAC policies for the given set of GVKs to the given set of namespaces. Currently, ‘secrets’ are the only supported resource. |
[{“resources”:[],“namespaces”:[]}] |
| extAuthService.extAuth.namespacedRbac[].namespaces[] |
[]string |
|
|
| extAuthService.extAuth.namespacedRbac[].resources[] |
[]string |
|
|
| extAuthService.extAuth.pluginDirectory |
string |
Directory in which the server expects Go plugin .so files. |
/auth-plugins/ |
| extAuthService.extAuth.replicas |
int |
Number of replicas to create |
1 |
| extAuthService.extAuth.resources |
struct |
Values for the container resource requests. |
|
| extAuthService.extAuth.resources.requests |
struct |
Minimum amount of compute resources required. For more info, see the Kubernetes documentation. |
|
| extAuthService.extAuth.resources.requests.cpu |
string |
Amount of CPU resource. |
125m |
| extAuthService.extAuth.resources.requests.memory |
string |
Amount of memory resource. |
256Mi |
| extAuthService.extAuth.service |
struct |
Configuration for the deployed extauth service. |
|
| extAuthService.extAuth.service.annotations |
map[string, string] |
Kubernetes service annotations. |
{} |
| extAuthService.extAuth.service.annotations.<MAP_KEY> |
string |
Kubernetes service annotations. |
|
| extAuthService.extAuth.service.debugNodePort |
int |
Only relevant if the service is of type NodePort. |
32001 |
| extAuthService.extAuth.service.debugPort |
int |
Port on the extauth server to pull logs from. |
9091 |
| extAuthService.extAuth.service.grpcNodePort |
int |
Only relevant if the service is of type NodePort. |
32000 |
| extAuthService.extAuth.service.grpcPort |
int |
Port the extauth server listens on for gRPC requests. |
8083 |
| extAuthService.extAuth.service.healthNodePort |
int |
Only relevant if the service is of type NodePort. |
32002 |
| extAuthService.extAuth.service.healthPort |
int |
Port the extauth server listens on for health checks. |
8082 |
| extAuthService.extAuth.service.type |
string |
Kubernetes service type. |
ClusterIP |
| extAuthService.extAuth.signingKey |
string |
Provide the server's secret signing key. If empty, a random key is generated. |
|
| extAuthService.extAuth.signingKeyFile |
struct |
Mount the secret as a file rather than pass the signing key as a environment variable. To ensure maximum security by default, the file is limited to 0440 permissions and the fsGroup matches the runAsGroup. |
|
| extAuthService.extAuth.signingKeyFile.enabled |
bool |
Mount the secret as a file. |
false |
| extAuthService.extAuth.signingKeyFile.fileMode |
int |
File permission. |
288 |
| extAuthService.extAuth.signingKeyFile.fsGroup |
int |
Group ID for volume ownership. |
10101 |
| extAuthService.extAuth.signingKeyFile.groupSettingEnabled |
bool |
Set to true to use a volume group. |
true |
| extAuthService.extAuth.signingKeyFile.runAsGroup |
int |
Group ID for the container to run as. |
10101 |
| extAuthService.extAuth.signingKeyFile.runAsUser |
int |
User ID for the container to run as. |
10101 |
| extAuthService.extAuth.userIdHeader |
string |
User ID header. |
|
| extAuthService.extAuth.watchNamespace |
string |
Namespaces to watch in your cluster. If omitted or empty, all namespaces are watched. |
|
| extAuthService.extraLabels |
map[string, string] |
Extra key-value pairs to add to the labels data of the extauth deployment. |
null |
| extAuthService.extraLabels.<MAP_KEY> |
string |
Extra key-value pairs to add to the labels data of the extauth deployment. |
|
| extAuthService.extraTemplateAnnotations |
map[string, string] |
Extra annotations to add to the extauth service pods. |
{“proxy.istio.io/config”:"{ "holdApplicationUntilProxyStarts": true }"} |
| extAuthService.extraTemplateAnnotations.<MAP_KEY> |
string |
Extra annotations to add to the extauth service pods. |
|
| extAuthService.extraTemplateAnnotations.proxy.istio.io/config |
string |
Extra annotations to add to the extauth service pods. |
{ “holdApplicationUntilProxyStarts”: true } |
| glooAgent |
struct |
|
|
| glooAgent |
struct |
Configuration for the Gloo agent. |
|
| glooAgent |
struct |
Configuration for the glooAgent deployment. |
|
| glooAgent.accessLogsBufferSize |
int |
Number of access logs to buffer per Envoy proxy. |
50 |
| glooAgent.deploymentOverrides |
struct |
Arbitrary overrides for the component's deployment template. |
|
| glooAgent.devMode |
bool |
Set to true to enable development mode for the logger, which can cause panics. Do not use in production. |
false |
| glooAgent.enabled |
bool |
Configuration for the Gloo agent. |
false |
| glooAgent.enabled |
bool |
Deploy a Gloo agent to the cluster. |
false |
| glooAgent.enabled |
bool |
Enable creation of the deployment/service. |
true |
| glooAgent.env[] |
slice |
Environment variables for the container. For more info, see the Kubernetes documentation. |
[{“name”:“POD_NAMESPACE”,“valueFrom”:{“fieldRef”:{“fieldPath”:“metadata.namespace”}}},{“name”:“K8S_MEM_LIMIT”,“valueFrom”:{“resourceFieldRef”:{“resource”:“limits.memory”,“divisor”:“1”}}}] |
| glooAgent.extraEnvs |
struct |
Extra environment variables for the container |
|
| glooAgent.floatingUserId |
bool |
Allow the pod to be assigned a dynamic user ID. Required for OpenShift installations. |
false |
| glooAgent.image |
struct |
Container image. |
|
| glooAgent.image.pullPolicy |
string |
Image pull policy. |
IfNotPresent |
| glooAgent.image.pullSecret |
string |
Image pull secret. |
|
| glooAgent.image.registry |
string |
Image registry. |
gcr.io/gloo-mesh |
| glooAgent.image.repository |
string |
Image name (repository). |
gloo-mesh-agent |
| glooAgent.image.tag |
string |
Version tag for the container image. |
|
| glooAgent.insecure |
bool |
Permit unencrypted and unauthenticated communication between Gloo control and data planes. Do not use in production. |
false |
| glooAgent.istiodSidecar |
struct |
Configuration for the istiod sidecar deployment. |
|
| glooAgent.istiodSidecar.createRoleBinding |
bool |
Create the cluster role binding for the istiod sidecar. Set this value to ‘true’ only when using the Vault integration. |
false |
| glooAgent.istiodSidecar.istiodServiceAccount |
struct |
Object reference for the istiod service account. |
|
| glooAgent.istiodSidecar.istiodServiceAccount.name |
string |
|
istiod |
| glooAgent.istiodSidecar.istiodServiceAccount.namespace |
string |
|
istio-system |
| glooAgent.leaderElection |
bool |
Enable leader election for the high-availability deployment. |
false |
| glooAgent.maxGrpcMessageSize |
string |
Maximum message size for gRPC messages sent and received by the management server. |
4294967295 |
| glooAgent.metricsBufferSize |
int |
Number of metrics messages to buffer per Envoy proxy. |
50 |
| glooAgent.namespacedRbac[] |
[]struct |
Scopes watches and RBAC policies for the given set of GVKs to the given set of namespaces. Currently, ‘secrets’ are the only supported resource. |
[{“resources”:[],“namespaces”:[]}] |
| glooAgent.namespacedRbac[].namespaces[] |
[]string |
|
|
| glooAgent.namespacedRbac[].resources[] |
[]string |
|
|
| glooAgent.ports |
map[string, uint32] |
Service ports as a map from port name to port number. |
{“grpc”:9977,“healthcheck”:8090,“http”:9988,“stats”:9091} |
| glooAgent.ports.<MAP_KEY> |
uint32 |
Service ports as a map from port name to port number. |
|
| glooAgent.ports.grpc |
uint32 |
Service ports as a map from port name to port number. |
9977 |
| glooAgent.ports.healthcheck |
uint32 |
Service ports as a map from port name to port number. |
8090 |
| glooAgent.ports.http |
uint32 |
Service ports as a map from port name to port number. |
9988 |
| glooAgent.ports.stats |
uint32 |
Service ports as a map from port name to port number. |
9091 |
| glooAgent.readOnlyGeneratedResources |
bool |
If true, the deployment only reads Istio resource outputs that are created by Gloo Platform, and filters out Istio resource fields that Gloo Mesh cannot properly unmarshal. These other resource outputs are not visible in the Gloo UI. |
false |
| glooAgent.relay |
struct |
Configuration for securing relay communication between the workload agents and the management server. |
|
| glooAgent.relay.authority |
string |
SNI name in the authority/host header used to connect to relay forwarding server. Must match server certificate CommonName. Do not change the default value. |
gloo-mesh-mgmt-server.gloo-mesh |
| glooAgent.relay.clientTlsSecret |
struct |
Custom certs: Secret containing client TLS certs used to identify the Gloo agent to the management server. If you do not specify a clientTlssSecret, you must specify a tokenSecret and a rootTlsSecret. |
|
| glooAgent.relay.clientTlsSecret.name |
string |
|
relay-client-tls-secret |
| glooAgent.relay.clientTlsSecret.namespace |
string |
|
|
| glooAgent.relay.clientTlsSecretRotationGracePeriodRatio |
string |
The ratio of the client TLS certificate lifetime to when the management server starts the certificate rotation process. |
|
| glooAgent.relay.rootTlsSecret |
struct |
Secret containing a root TLS cert used to verify the management server cert. The secret can also optionally specify a ‘tls.key’, which is used to generate the agent client cert. |
|
| glooAgent.relay.rootTlsSecret.name |
string |
|
relay-root-tls-secret |
| glooAgent.relay.rootTlsSecret.namespace |
string |
|
|
| glooAgent.relay.serverAddress |
string |
Address and port by which gloo-mesh-mgmt-server in the Gloo control plane can be accessed by the Gloo workload agents. |
|
| glooAgent.relay.tokenSecret |
struct |
Secret containing a shared token for authenticating Gloo agents when they first communicate with the management server. A token secret is not needed with ACM certs. |
|
| glooAgent.relay.tokenSecret.key |
string |
Key value of the data within the Kubernetes secret. |
token |
| glooAgent.relay.tokenSecret.name |
string |
Name of the Kubernetes secret. |
relay-identity-token-secret |
| glooAgent.relay.tokenSecret.namespace |
string |
Namespace of the Kubernetes secret. |
|
| glooAgent.resources |
struct |
Container resource requirements. For more info, see the Kubernetes documentation. |
{“requests”:{“cpu”:“50m”,“memory”:“128Mi”}} |
| glooAgent.runAsUser |
uint32 |
Static user ID to run the containers as. Unused if floatingUserId is ‘true’. |
10101 |
| glooAgent.securityContext |
struct |
Container security context. Set to ‘false’ to omit the security context entirely. For more info, see the Kubernetes documentation. |
|
| glooAgent.serviceOverrides |
struct |
Arbitrary overrides for the component's service template. |
|
| glooAgent.serviceType |
string |
Kubernetes service type. Can be either “ClusterIP”, “NodePort”, “LoadBalancer”, or “ExternalName”. |
ClusterIP |
| glooAgent.sidecars |
map[string, struct] |
Optional configuration for the deployed containers. |
{} |
| glooAgent.sidecars.<MAP_KEY> |
struct |
Optional configuration for the deployed containers. |
|
| glooAgent.sidecars.<MAP_KEY>.env[] |
slice |
Environment variables for the container. For more info, see the Kubernetes documentation. |
|
| glooAgent.sidecars.<MAP_KEY>.extraEnvs |
struct |
Extra environment variables for the container |
|
| glooAgent.sidecars.<MAP_KEY>.image |
struct |
Container image. |
|
| glooAgent.sidecars.<MAP_KEY>.image.pullPolicy |
string |
Image pull policy. |
|
| glooAgent.sidecars.<MAP_KEY>.image.pullSecret |
string |
Image pull secret. |
|
| glooAgent.sidecars.<MAP_KEY>.image.registry |
string |
Image registry. |
|
| glooAgent.sidecars.<MAP_KEY>.image.repository |
string |
Image name (repository). |
|
| glooAgent.sidecars.<MAP_KEY>.image.tag |
string |
Version tag for the container image. |
|
| glooAgent.sidecars.<MAP_KEY>.resources |
struct |
Container resource requirements. For more info, see the Kubernetes documentation. |
|
| glooAgent.sidecars.<MAP_KEY>.securityContext |
struct |
Container security context. Set to ‘false’ to omit the security context entirely. For more info, see the Kubernetes documentation. |
|
| glooAgent.verbose |
bool |
Enable verbose/debug logging. |
false |
| glooMgmtServer |
struct |
|
|
| glooMgmtServer |
struct |
Configuration for the Gloo management server. |
|
| glooMgmtServer |
struct |
Configuration for the glooMgmtServer deployment. |
|
| glooMgmtServer.cloudResourcesDiscovery |
struct |
Configuration for automatic discovery of CloudResources. |
|
| glooMgmtServer.cloudResourcesDiscovery.enabled |
bool |
Enable automated discovery of CloudResources, such as AWS Lambda functions, based on CloudProvider configuration. |
true |
| glooMgmtServer.cloudResourcesDiscovery.pollingInterval |
uint16 |
Polling interval (in seconds) for calling AWS when attempting to discover CloudResources. |
10 |
| glooMgmtServer.concurrency |
uint16 |
Concurrency to use for translation operations. |
10 |
| glooMgmtServer.deploymentOverrides |
struct |
Arbitrary overrides for the component's deployment template. |
|
| glooMgmtServer.devMode |
bool |
Set to true to enable development mode for the logger, which can cause panics. Do not use in production. |
false |
| glooMgmtServer.enableClusterLoadBalancing |
bool |
Experimental: Enable cluster load balancing. The management server replicas attempt to auto-balance the number of registered workload clusters, based on the number of replicas and the number of total clusters. For example, the server might disconnect a workload cluster if the number of connected clusters is greater than the allotted number. |
false |
| glooMgmtServer.enabled |
bool |
Deploy the gloo-mesh-mgmt-server. |
false |
| glooMgmtServer.enabled |
bool |
Enable creation of the deployment/service. |
true |
| glooMgmtServer.env[] |
slice |
Environment variables for the container. For more info, see the Kubernetes documentation. |
[{“name”:“POD_NAMESPACE”,“valueFrom”:{“fieldRef”:{“fieldPath”:“metadata.namespace”}}},{“name”:“POD_UID”,“valueFrom”:{“fieldRef”:{“fieldPath”:“metadata.uid”}}},{“name”:“K8S_MEM_LIMIT”,“valueFrom”:{“resourceFieldRef”:{“resource”:“limits.memory”,“divisor”:“1”}}},{“name”:“LICENSE_KEY”,“valueFrom”:{“secretKeyRef”:{“name”:“gloo-mesh-enterprise-license”,“key”:“key”,“optional”:true}}},{“name”:“REDIS_USERNAME”,“valueFrom”:{“secretKeyRef”:{“name”:“redis-auth-secrets”,“key”:“username”,“optional”:true}}},{“name”:“REDIS_PASSWORD”,“valueFrom”:{“secretKeyRef”:{“name”:“redis-auth-secrets”,“key”:“password”,“optional”:true}}}] |
| glooMgmtServer.extraEnvs |
struct |
Extra environment variables for the container |
|
| glooMgmtServer.floatingUserId |
bool |
Allow the pod to be assigned a dynamic user ID. Required for OpenShift installations. |
false |
| glooMgmtServer.image |
struct |
Container image. |
|
| glooMgmtServer.image.pullPolicy |
string |
Image pull policy. |
IfNotPresent |
| glooMgmtServer.image.pullSecret |
string |
Image pull secret. |
|
| glooMgmtServer.image.registry |
string |
Image registry. |
gcr.io/gloo-mesh |
| glooMgmtServer.image.repository |
string |
Image name (repository). |
gloo-mesh-mgmt-server |
| glooMgmtServer.image.tag |
string |
Version tag for the container image. |
|
| glooMgmtServer.insecure |
bool |
Permit unencrypted and unauthenticated communication between Gloo control and data planes. Do not use in production. |
false |
| glooMgmtServer.leaderElection |
bool |
Enable leader election for the high-availability deployment. |
false |
| glooMgmtServer.maxGrpcMessageSize |
string |
Maximum message size for gRPC messages sent and received by the management server. |
4294967295 |
| glooMgmtServer.namespacedRbac[] |
[]struct |
Scopes watches and RBAC policies for the given set of GVKs to the given set of namespaces. Currently, ‘secrets’ are the only supported resource. |
[{“resources”:[],“namespaces”:[]}] |
| glooMgmtServer.namespacedRbac[].namespaces[] |
[]string |
|
|
| glooMgmtServer.namespacedRbac[].resources[] |
[]string |
|
|
| glooMgmtServer.ports |
map[string, uint32] |
Service ports as a map from port name to port number. |
{“grpc”:9900,“healthcheck”:8090} |
| glooMgmtServer.ports.<MAP_KEY> |
uint32 |
Service ports as a map from port name to port number. |
|
| glooMgmtServer.ports.grpc |
uint32 |
Service ports as a map from port name to port number. |
9900 |
| glooMgmtServer.ports.healthcheck |
uint32 |
Service ports as a map from port name to port number. |
8090 |
| glooMgmtServer.readOnlyGeneratedResources |
bool |
If true, the deployment only reads Istio resource outputs that are created by Gloo Platform, and filters out Istio resource fields that Gloo Mesh cannot properly unmarshal. These other resource outputs are not visible in the Gloo UI. |
false |
| glooMgmtServer.registerCluster |
bool |
Set up the management cluster with the Gloo management server and a simple workspace that selects all registered clusters and namespaces by default. This way, you can get started quickly for single cluster or testing setups. For multicluster or production setups, use your own fine-grained workspaces instead. To complete your installation, make sure to enable all other Gloo components that you want, including the Gloo agent. |
false |
| glooMgmtServer.relay |
struct |
Configuration for certificates to secure server-agent relay communication. Required only for multicluster setups. |
|
| glooMgmtServer.relay.disableCa |
bool |
To disable relay CA functionality, set to true. Set to true only when you supply your custom client certs to the agents for relay mTLS. The gloo-mesh-mgmt-server pod will not require a token secret or the signing cert secret. The agent pod will not require the token secret, but will fail without a client cert. |
false |
| glooMgmtServer.relay.disableCaCertGeneration |
bool |
Do not auto-generate self-signed CA certificates. Set to true only when you supply own. |
false |
| glooMgmtServer.relay.disableTokenGeneration |
bool |
Do not create the relay token Kubernetes secret. Set to true only when you supply own. |
false |
| glooMgmtServer.relay.pushRbac |
bool |
Push RBAC resources to the management server. Required for multicluster RBAC in the Gloo UI. |
true |
| glooMgmtServer.relay.signingTlsSecret |
struct |
Secret containing TLS certs used to sign CSRs created by workload agents. |
|
| glooMgmtServer.relay.signingTlsSecret.name |
string |
|
relay-tls-signing-secret |
| glooMgmtServer.relay.signingTlsSecret.namespace |
string |
|
|
| glooMgmtServer.relay.tlsSecret |
struct |
Secret containing client TLS certs used to secure the management server. |
|
| glooMgmtServer.relay.tlsSecret.name |
string |
|
relay-server-tls-secret |
| glooMgmtServer.relay.tlsSecret.namespace |
string |
|
|
| glooMgmtServer.relay.tokenSecret |
struct |
Secret containing a shared token for authenticating Gloo agents when they first communicate with the management server. |
|
| glooMgmtServer.relay.tokenSecret.key |
string |
Key value of the data within the Kubernetes secret. |
token |
| glooMgmtServer.relay.tokenSecret.name |
string |
Name of the Kubernetes secret. |
relay-identity-token-secret |
| glooMgmtServer.relay.tokenSecret.namespace |
string |
Namespace of the Kubernetes secret. |
|
| glooMgmtServer.resources |
struct |
Container resource requirements. For more info, see the Kubernetes documentation. |
{“requests”:{“cpu”:“125m”,“memory”:“1Gi”}} |
| glooMgmtServer.runAsUser |
uint32 |
Static user ID to run the containers as. Unused if floatingUserId is ‘true’. |
10101 |
| glooMgmtServer.securityContext |
struct |
Container security context. Set to ‘false’ to omit the security context entirely. For more info, see the Kubernetes documentation. |
|
| glooMgmtServer.serviceAccount |
struct |
Service account configuration to use for the management server deployment. |
|
| glooMgmtServer.serviceAccount.extraAnnotations |
map[string, string] |
Extra annotations to add to the service account. |
null |
| glooMgmtServer.serviceAccount.extraAnnotations.<MAP_KEY> |
string |
Extra annotations to add to the service account. |
|
| glooMgmtServer.serviceOverrides |
struct |
Arbitrary overrides for the component's service template. |
|
| glooMgmtServer.serviceType |
string |
Kubernetes service type. Can be either “ClusterIP”, “NodePort”, “LoadBalancer”, or “ExternalName”. |
LoadBalancer |
| glooMgmtServer.sidecars |
map[string, struct] |
Optional configuration for the deployed containers. |
{} |
| glooMgmtServer.sidecars.<MAP_KEY> |
struct |
Optional configuration for the deployed containers. |
|
| glooMgmtServer.sidecars.<MAP_KEY>.env[] |
slice |
Environment variables for the container. For more info, see the Kubernetes documentation. |
|
| glooMgmtServer.sidecars.<MAP_KEY>.extraEnvs |
struct |
Extra environment variables for the container |
|
| glooMgmtServer.sidecars.<MAP_KEY>.image |
struct |
Container image. |
|
| glooMgmtServer.sidecars.<MAP_KEY>.image.pullPolicy |
string |
Image pull policy. |
|
| glooMgmtServer.sidecars.<MAP_KEY>.image.pullSecret |
string |
Image pull secret. |
|
| glooMgmtServer.sidecars.<MAP_KEY>.image.registry |
string |
Image registry. |
|
| glooMgmtServer.sidecars.<MAP_KEY>.image.repository |
string |
Image name (repository). |
|
| glooMgmtServer.sidecars.<MAP_KEY>.image.tag |
string |
Version tag for the container image. |
|
| glooMgmtServer.sidecars.<MAP_KEY>.resources |
struct |
Container resource requirements. For more info, see the Kubernetes documentation. |
|
| glooMgmtServer.sidecars.<MAP_KEY>.securityContext |
struct |
Container security context. Set to ‘false’ to omit the security context entirely. For more info, see the Kubernetes documentation. |
|
| glooMgmtServer.statsPort |
uint32 |
Port on the management server deployment to pull stats from. |
9091 |
| glooMgmtServer.verbose |
bool |
Enable verbose/debug logging. |
false |
| glooNetwork |
struct |
Gloo Network configuration options. |
|
| glooNetwork.enabled |
bool |
Enable translation of network policies to enforce access policies and service isolation. |
false |
| glooPortalServer |
struct |
|
|
| glooPortalServer |
struct |
Configuration for the glooPortalServer deployment. |
|
| glooPortalServer.apiKeyStorage |
struct |
Configure backend storage for API keys. |
|
| glooPortalServer.apiKeyStorage.configPath |
string |
Path for API key storage config file |
/etc/redis/config.yaml |
| glooPortalServer.apiKeyStorage.secretKey |
string |
The string value that you want to use to hash API keys before they are stored in the backing database. |
change this |
| glooPortalServer.apiKeyStorage.type |
string |
Backend storage for API keys. Currently, redis is supported. |
redis |
| glooPortalServer.deploymentOverrides |
struct |
Arbitrary overrides for the component's deployment template. |
|
| glooPortalServer.devMode |
bool |
Set to true to enable development mode for the logger, which can cause panics. Do not use in production. |
false |
| glooPortalServer.enabled |
bool |
Deploy the Portal server for Gloo Platform Portal to the cluster. |
false |
| glooPortalServer.enabled |
bool |
Enable creation of the deployment/service. |
true |
| glooPortalServer.env[] |
slice |
Environment variables for the container. For more info, see the Kubernetes documentation. |
[{“name”:“POD_NAMESPACE”,“valueFrom”:{“fieldRef”:{“fieldPath”:“metadata.namespace”}}},{“name”:“APIKEY_STORAGE_SECRET_KEY”,“valueFrom”:{“secretKeyRef”:{“name”:“portal-storage-secret-key”,“key”:“key”}}}] |
| glooPortalServer.extraEnvs |
struct |
Extra environment variables for the container |
|
| glooPortalServer.floatingUserId |
bool |
Allow the pod to be assigned a dynamic user ID. Required for OpenShift installations. |
false |
| glooPortalServer.image |
struct |
Container image. |
|
| glooPortalServer.image.pullPolicy |
string |
Image pull policy. |
IfNotPresent |
| glooPortalServer.image.pullSecret |
string |
Image pull secret. |
|
| glooPortalServer.image.registry |
string |
Image registry. |
gcr.io/gloo-mesh |
| glooPortalServer.image.repository |
string |
Image name (repository). |
gloo-mesh-portal-server |
| glooPortalServer.image.tag |
string |
Version tag for the container image. |
|
| glooPortalServer.ports |
map[string, uint32] |
Service ports as a map from port name to port number. |
{“http”:8080} |
| glooPortalServer.ports.<MAP_KEY> |
uint32 |
Service ports as a map from port name to port number. |
|
| glooPortalServer.ports.http |
uint32 |
Service ports as a map from port name to port number. |
8080 |
| glooPortalServer.resources |
struct |
Container resource requirements. For more info, see the Kubernetes documentation. |
{“requests”:{“cpu”:“50m”,“memory”:“128Mi”}} |
| glooPortalServer.runAsUser |
uint32 |
Static user ID to run the containers as. Unused if floatingUserId is ‘true’. |
10101 |
| glooPortalServer.securityContext |
struct |
Container security context. Set to ‘false’ to omit the security context entirely. For more info, see the Kubernetes documentation. |
|
| glooPortalServer.serviceOverrides |
struct |
Arbitrary overrides for the component's service template. |
|
| glooPortalServer.serviceType |
string |
Kubernetes service type. Can be either “ClusterIP”, “NodePort”, “LoadBalancer”, or “ExternalName”. |
ClusterIP |
| glooPortalServer.sidecars |
map[string, struct] |
Optional configuration for the deployed containers. |
{} |
| glooPortalServer.sidecars.<MAP_KEY> |
struct |
Optional configuration for the deployed containers. |
|
| glooPortalServer.sidecars.<MAP_KEY>.env[] |
slice |
Environment variables for the container. For more info, see the Kubernetes documentation. |
|
| glooPortalServer.sidecars.<MAP_KEY>.extraEnvs |
struct |
Extra environment variables for the container |
|
| glooPortalServer.sidecars.<MAP_KEY>.image |
struct |
Container image. |
|
| glooPortalServer.sidecars.<MAP_KEY>.image.pullPolicy |
string |
Image pull policy. |
|
| glooPortalServer.sidecars.<MAP_KEY>.image.pullSecret |
string |
Image pull secret. |
|
| glooPortalServer.sidecars.<MAP_KEY>.image.registry |
string |
Image registry. |
|
| glooPortalServer.sidecars.<MAP_KEY>.image.repository |
string |
Image name (repository). |
|
| glooPortalServer.sidecars.<MAP_KEY>.image.tag |
string |
Version tag for the container image. |
|
| glooPortalServer.sidecars.<MAP_KEY>.resources |
struct |
Container resource requirements. For more info, see the Kubernetes documentation. |
|
| glooPortalServer.sidecars.<MAP_KEY>.securityContext |
struct |
Container security context. Set to ‘false’ to omit the security context entirely. For more info, see the Kubernetes documentation. |
|
| glooPortalServer.verbose |
bool |
Enable verbose/debug logging. |
false |
| glooUi |
struct |
|
|
| glooUi |
struct |
Configuration for the glooUi deployment. |
|
| glooUi.auth |
struct |
Configure authentication for the UI. |
|
| glooUi.auth.backend |
string |
Authentication backend to use. ‘oidc’ is supported. |
|
| glooUi.auth.enabled |
bool |
Require authentication to access the UI. |
false |
| glooUi.auth.oidc |
struct |
Settings for the OpenID Connect (OIDC) backend. |
|
| glooUi.auth.oidc.appUrl |
string |
URL that the UI for OIDC app is available at, from the DNS and other ingress settings that expose OIDC app UI service. |
|
| glooUi.auth.oidc.clientId |
string |
OIDC client ID |
|
| glooUi.auth.oidc.clientSecret |
string |
Plaintext OIDC client secret, which will be encoded in base64 and stored in a secret named the value of ‘clientSecretName’. |
|
| glooUi.auth.oidc.clientSecretName |
string |
Name for the secret that will contain the client secret. |
|
| glooUi.auth.oidc.issuerUrl |
string |
Issuer URL from the OIDC provider, such as ‘https://.<provider_url>/'. |
|
| glooUi.auth.oidc.session |
struct |
Session storage configuration. If omitted, a cookie is used. |
|
| glooUi.auth.oidc.session.backend |
string |
Backend to use for auth session storage. ‘cookie’ and ‘redis’ are supported. |
|
| glooUi.auth.oidc.session.redis |
struct |
Redis instance configuration. |
|
| glooUi.auth.oidc.session.redis.host |
string |
Host at which the Redis instance is accessible. To use the default Redis deployment, specify ‘redis.gloo-mesh.svc.cluster.local:6379’. |
|
| glooUi.auth.requestTimeout |
int |
Request timeout for external auth requests in seconds. |
2 |
| glooUi.deploymentOverrides |
struct |
Arbitrary overrides for the component's deployment template. |
|
| glooUi.enabled |
bool |
Deploy the gloo-mesh-ui. |
false |
| glooUi.enabled |
bool |
Enable creation of the deployment/service. |
true |
| glooUi.env[] |
slice |
Environment variables for the container. For more info, see the Kubernetes documentation. |
[{“name”:“POD_NAMESPACE”,“valueFrom”:{“fieldRef”:{“fieldPath”:“metadata.namespace”}}},{“name”:“LICENSE_KEY”,“valueFrom”:{“secretKeyRef”:{“name”:“gloo-mesh-enterprise-license”,“key”:“key”,“optional”:true}}},{“name”:“REDIS_USERNAME”,“valueFrom”:{“secretKeyRef”:{“name”:“redis-auth-secrets”,“key”:“username”,“optional”:true}}},{“name”:“REDIS_PASSWORD”,“valueFrom”:{“secretKeyRef”:{“name”:“redis-auth-secrets”,“key”:“password”,“optional”:true}}},{“name”:“K8S_MEM_LIMIT”,“valueFrom”:{“resourceFieldRef”:{“resource”:“limits.memory”,“divisor”:“1”}}}] |
| glooUi.extraEnvs |
struct |
Extra environment variables for the container |
|
| glooUi.floatingUserId |
bool |
Allow the pod to be assigned a dynamic user ID. Required for OpenShift installations. |
false |
| glooUi.image |
struct |
Container image. |
|
| glooUi.image.pullPolicy |
string |
Image pull policy. |
IfNotPresent |
| glooUi.image.pullSecret |
string |
Image pull secret. |
|
| glooUi.image.registry |
string |
Image registry. |
gcr.io/gloo-mesh |
| glooUi.image.repository |
string |
Image name (repository). |
gloo-mesh-apiserver |
| glooUi.image.tag |
string |
Version tag for the container image. |
|
| glooUi.ipVersion |
string |
Configure IP version to ipv4, ipv6 or dualStack. Defaults to dualStack. |
dualStack |
| glooUi.licenseSecretName |
string |
Provide license keys in a secret in the adminNamespace of the management cluster, instead of in the license key fields. |
|
| glooUi.namespacedRbac[] |
[]struct |
Scopes watches and RBAC policies for the given set of GVKs to the given set of namespaces. Currently, ‘secrets’ are the only supported resource. |
[{“resources”:[],“namespaces”:[]}] |
| glooUi.namespacedRbac[].namespaces[] |
[]string |
|
|
| glooUi.namespacedRbac[].resources[] |
[]string |
|
|
| glooUi.ports |
map[string, uint32] |
Service ports as a map from port name to port number. |
{“console”:8090,“grpc”:10101,“healthcheck”:8081} |
| glooUi.ports.<MAP_KEY> |
uint32 |
Service ports as a map from port name to port number. |
|
| glooUi.ports.console |
uint32 |
Service ports as a map from port name to port number. |
8090 |
| glooUi.ports.grpc |
uint32 |
Service ports as a map from port name to port number. |
10101 |
| glooUi.ports.healthcheck |
uint32 |
Service ports as a map from port name to port number. |
8081 |
| glooUi.prometheusUrl |
string |
Prometheus server address. |
|
| glooUi.readOnlyGeneratedResources |
bool |
If true, the deployment only reads Istio resource outputs that are created by Gloo Platform, and filters out Istio resource fields that Gloo Mesh cannot properly unmarshal. These other resource outputs are not visible in the Gloo UI. |
false |
| glooUi.resources |
struct |
Container resource requirements. For more info, see the Kubernetes documentation. |
{“requests”:{“cpu”:“125m”,“memory”:“256Mi”}} |
| glooUi.runAsUser |
uint32 |
Static user ID to run the containers as. Unused if floatingUserId is ‘true’. |
10101 |
| glooUi.securityContext |
struct |
Container security context. Set to ‘false’ to omit the security context entirely. For more info, see the Kubernetes documentation. |
|
| glooUi.serviceOverrides |
struct |
Arbitrary overrides for the component's service template. |
|
| glooUi.serviceType |
string |
Kubernetes service type. Can be either “ClusterIP”, “NodePort”, “LoadBalancer”, or “ExternalName”. |
ClusterIP |
| glooUi.settingsName |
string |
Name of the UI settings object to use. |
settings |
| glooUi.sidecars |
map[string, struct] |
Optional configuration for the deployed containers. |
{“console”:{“image”:{“repository”:“gloo-mesh-ui”,“registry”:“gcr.io/gloo-mesh”,“pullPolicy”:“IfNotPresent”},“env”:null,“extraEnvs”:{},“resources”:{“requests”:{“cpu”:“125m”,“memory”:“256Mi”}}},“envoy”:{“image”:{“repository”:“gloo-mesh-envoy”,“registry”:“gcr.io/gloo-mesh”,“pullPolicy”:“IfNotPresent”},“env”:[{“name”:“ENVOY_UID”,“value”:“0”}],“extraEnvs”:{},“resources”:{“requests”:{“cpu”:“500m”,“memory”:“256Mi”}}}} |
| glooUi.sidecars.<MAP_KEY> |
struct |
Optional configuration for the deployed containers. |
|
| glooUi.sidecars.<MAP_KEY>.env[] |
slice |
Environment variables for the container. For more info, see the Kubernetes documentation. |
|
| glooUi.sidecars.<MAP_KEY>.extraEnvs |
struct |
Extra environment variables for the container |
|
| glooUi.sidecars.<MAP_KEY>.image |
struct |
Container image. |
|
| glooUi.sidecars.<MAP_KEY>.image.pullPolicy |
string |
Image pull policy. |
|
| glooUi.sidecars.<MAP_KEY>.image.pullSecret |
string |
Image pull secret. |
|
| glooUi.sidecars.<MAP_KEY>.image.registry |
string |
Image registry. |
|
| glooUi.sidecars.<MAP_KEY>.image.repository |
string |
Image name (repository). |
|
| glooUi.sidecars.<MAP_KEY>.image.tag |
string |
Version tag for the container image. |
|
| glooUi.sidecars.<MAP_KEY>.resources |
struct |
Container resource requirements. For more info, see the Kubernetes documentation. |
|
| glooUi.sidecars.<MAP_KEY>.securityContext |
struct |
Container security context. Set to ‘false’ to omit the security context entirely. For more info, see the Kubernetes documentation. |
|
| glooUi.sidecars.console |
struct |
Optional configuration for the deployed containers. |
|
| glooUi.sidecars.console.env[] |
slice |
Environment variables for the container. For more info, see the Kubernetes documentation. |
null |
| glooUi.sidecars.console.extraEnvs |
struct |
Extra environment variables for the container |
|
| glooUi.sidecars.console.image |
struct |
Container image. |
|
| glooUi.sidecars.console.image.pullPolicy |
string |
Image pull policy. |
IfNotPresent |
| glooUi.sidecars.console.image.pullSecret |
string |
Image pull secret. |
|
| glooUi.sidecars.console.image.registry |
string |
Image registry. |
gcr.io/gloo-mesh |
| glooUi.sidecars.console.image.repository |
string |
Image name (repository). |
gloo-mesh-ui |
| glooUi.sidecars.console.image.tag |
string |
Version tag for the container image. |
|
| glooUi.sidecars.console.resources |
struct |
Container resource requirements. For more info, see the Kubernetes documentation. |
{“requests”:{“cpu”:“125m”,“memory”:“256Mi”}} |
| glooUi.sidecars.console.securityContext |
struct |
Container security context. Set to ‘false’ to omit the security context entirely. For more info, see the Kubernetes documentation. |
|
| glooUi.sidecars.envoy |
struct |
Optional configuration for the deployed containers. |
|
| glooUi.sidecars.envoy.env[] |
slice |
Environment variables for the container. For more info, see the Kubernetes documentation. |
[{“name”:“ENVOY_UID”,“value”:“0”}] |
| glooUi.sidecars.envoy.extraEnvs |
struct |
Extra environment variables for the container |
|
| glooUi.sidecars.envoy.image |
struct |
Container image. |
|
| glooUi.sidecars.envoy.image.pullPolicy |
string |
Image pull policy. |
IfNotPresent |
| glooUi.sidecars.envoy.image.pullSecret |
string |
Image pull secret. |
|
| glooUi.sidecars.envoy.image.registry |
string |
Image registry. |
gcr.io/gloo-mesh |
| glooUi.sidecars.envoy.image.repository |
string |
Image name (repository). |
gloo-mesh-envoy |
| glooUi.sidecars.envoy.image.tag |
string |
Version tag for the container image. |
|
| glooUi.sidecars.envoy.resources |
struct |
Container resource requirements. For more info, see the Kubernetes documentation. |
{“requests”:{“cpu”:“500m”,“memory”:“256Mi”}} |
| glooUi.sidecars.envoy.securityContext |
struct |
Container security context. Set to ‘false’ to omit the security context entirely. For more info, see the Kubernetes documentation. |
|
| glooUi.verbose |
bool |
Enable verbose/debug logging. |
false |
| istioInstallations |
struct |
Configuration for deploying managed Istio control plane and gateway installations by using the Istio lifecycle manager. |
|
| istioInstallations.controlPlane |
struct |
Configuration for the managed Istio control plane instance. |
|
| istioInstallations.controlPlane.enabled |
bool |
Install the managed Istio control plane instance in the cluster. |
true |
| istioInstallations.controlPlane.installations[] |
[]struct |
List of Istio control plane installations. |
[{“revision”:“auto”,“clusters”:null,“istioOperatorSpec”:{}}] |
| istioInstallations.controlPlane.installations[].clusters[] |
[]ptr |
Clusters to install the Istio control planes in. |
|
| istioInstallations.controlPlane.installations[].clusters[].defaultRevision |
bool |
When set to true, the installation for this revision is applied as the active Istio installation in the cluster. Resources with the ‘istio-injection=true’ label entry use this revision. You might change this setting for Istio installations during a canary upgrade. For more info, see the upgrade docs. |
|
| istioInstallations.controlPlane.installations[].clusters[].name |
string |
Name of the cluster to install Istio into. Must match the registered cluster name. |
|
| istioInstallations.controlPlane.installations[].clusters[].trustDomain |
string |
Trust domain value for this cluster's Istio installation mesh config. Defaults to the cluster's name. |
|
| istioInstallations.controlPlane.installations[].istioOperatorSpec |
struct |
IstioOperator specification for the control plane. For more info, see the IstioOperatorSpec reference. |
|
| istioInstallations.controlPlane.installations[].revision |
string |
Istio revision for this installation, such as ‘1-17’. Label workload resources with ‘istio.io/rev=$REVISION’ to use this installation. Defaults to ‘AUTO’, which installs the default supported version of Gloo Istio. |
|
| istioInstallations.eastWestGateways[] |
[]struct |
Configuration for the managed east-west gateway. |
null |
| istioInstallations.eastWestGateways[].enabled |
bool |
Install the gateway in the cluster. |
|
| istioInstallations.eastWestGateways[].installations[] |
[]struct |
List of Istio gateway installations. For more info, see the GatewayInstallation reference. |
|
| istioInstallations.eastWestGateways[].installations[].clusters[] |
[]ptr |
Clusters to install the gateway in. |
|
| istioInstallations.eastWestGateways[].installations[].clusters[].activeGateway |
bool |
When set to true, the installation for this revision is applied as the active gateway through which primary service traffic is routed in the cluster. If the istioOperatorSpec defines a service, this field switches the service selectors to the revision specified in the gatewayRevsion. You might change this setting for gateway installations during a canary upgrade. For more info, see the upgrade docs. |
|
| istioInstallations.eastWestGateways[].installations[].clusters[].name |
string |
Name of the cluster to install the gateway into. Must match the registered cluster name. |
|
| istioInstallations.eastWestGateways[].installations[].clusters[].trustDomain |
string |
Trust domain value for this cluster's Istio installation mesh config. Defaults to the cluster's name. |
|
| istioInstallations.eastWestGateways[].installations[].controlPlaneRevision |
string |
Optional: The revision of an Istio control plane in the cluster that this gateway should also use. If a control plane installation of this revision is not found, no gateway is created. |
|
| istioInstallations.eastWestGateways[].installations[].gatewayRevision |
string |
Istio revision for this installation, such as ‘1-17’. Defaults to ‘AUTO’, which installs the default supported version of Gloo Istio. |
|
| istioInstallations.eastWestGateways[].installations[].istioOperatorSpec |
struct |
IstioOperator specification for the gateway. For more info, see the IstioOperatorSpec reference. |
|
| istioInstallations.eastWestGateways[].name |
string |
Name of the gateway. Must be unique. |
|
| istioInstallations.enabled |
bool |
Enable managed Istio installations. |
false |
| istioInstallations.northSouthGateways[] |
[]struct |
Configuration for the managed north-south (ingress) gateway. Requires a Gloo Gateway license. |
[{“name”:“istio-ingressgateway”,“enabled”:true,“installations”:[{“gatewayRevision”:“auto”,“clusters”:null,“istioOperatorSpec”:{}}]}] |
| istioInstallations.northSouthGateways[].enabled |
bool |
Install the gateway in the cluster. |
|
| istioInstallations.northSouthGateways[].installations[] |
[]struct |
List of Istio gateway installations. For more info, see the GatewayInstallation reference. |
|
| istioInstallations.northSouthGateways[].installations[].clusters[] |
[]ptr |
Clusters to install the gateway in. |
|
| istioInstallations.northSouthGateways[].installations[].clusters[].activeGateway |
bool |
When set to true, the installation for this revision is applied as the active gateway through which primary service traffic is routed in the cluster. If the istioOperatorSpec defines a service, this field switches the service selectors to the revision specified in the gatewayRevsion. You might change this setting for gateway installations during a canary upgrade. For more info, see the upgrade docs. |
|
| istioInstallations.northSouthGateways[].installations[].clusters[].name |
string |
Name of the cluster to install the gateway into. Must match the registered cluster name. |
|
| istioInstallations.northSouthGateways[].installations[].clusters[].trustDomain |
string |
Trust domain value for this cluster's Istio installation mesh config. Defaults to the cluster's name. |
|
| istioInstallations.northSouthGateways[].installations[].controlPlaneRevision |
string |
Optional: The revision of an Istio control plane in the cluster that this gateway should also use. If a control plane installation of this revision is not found, no gateway is created. |
|
| istioInstallations.northSouthGateways[].installations[].gatewayRevision |
string |
Istio revision for this installation, such as ‘1-17’. Defaults to ‘AUTO’, which installs the default supported version of Gloo Istio. |
|
| istioInstallations.northSouthGateways[].installations[].istioOperatorSpec |
struct |
IstioOperator specification for the gateway. For more info, see the IstioOperatorSpec reference. |
|
| istioInstallations.northSouthGateways[].name |
string |
Name of the gateway. Must be unique. |
|
| legacyMetricsPipeline |
struct |
Configuration for the legacy metrics pipeline, which uses Gloo agents to propagate metrics to the management server. |
|
| legacyMetricsPipeline.enabled |
bool |
Set to false to disable the legacy telemetry pipeline. |
false |
| licensing |
struct |
Gloo Platform product licenses. |
|
| licensing.glooGatewayLicenseKey |
string |
Gloo Gateway license key. |
|
| licensing.glooMeshLicenseKey |
string |
Gloo Mesh Enterprise license key. |
|
| licensing.glooNetworkLicenseKey |
string |
Gloo Network license key. |
|
| licensing.glooTrialLicenseKey |
string |
Gloo trial license key, for a trial installation of all products. |
|
| licensing.licenseKey |
string |
Deprecated: Legacy Gloo Mesh Enterprise license key. Use individual product license fields, the trial license field, or a license secret instead. |
|
| licensing.licenseSecretName |
string |
Provide license keys in a secret in the adminNamespace of the management cluster, instead of in the license key fields. |
license-keys |
| prometheus |
map |
Helm values for configuring Prometheus. See the Prometheus Helm chart for the complete set of values. |
|
| rateLimiter |
struct |
Configuration for the Gloo rate limiting service. |
|
| rateLimiter.enabled |
bool |
Enable the Gloo rate limiting service. |
false |
| rateLimiter.extraLabels |
map[string, string] |
Extra key-value pairs to add to the labels data of the rate limiter deployment. |
null |
| rateLimiter.extraLabels.<MAP_KEY> |
string |
Extra key-value pairs to add to the labels data of the rate limiter deployment. |
|
| rateLimiter.extraTemplateAnnotations |
map[string, string] |
Extra annotations to add to the rate limiter service pods. |
{“proxy.istio.io/config”:"{ "holdApplicationUntilProxyStarts": true }"} |
| rateLimiter.extraTemplateAnnotations.<MAP_KEY> |
string |
Extra annotations to add to the rate limiter service pods. |
|
| rateLimiter.extraTemplateAnnotations.proxy.istio.io/config |
string |
Extra annotations to add to the rate limiter service pods. |
{ “holdApplicationUntilProxyStarts”: true } |
| rateLimiter.rateLimiter |
struct |
Configuration for the rate limiter. |
|
| rateLimiter.rateLimiter.image |
struct |
Values for the rate limiter image. |
|
| rateLimiter.rateLimiter.image.pullPolicy |
string |
Image pull policy. |
IfNotPresent |
| rateLimiter.rateLimiter.image.registry |
string |
Image registry. |
gcr.io/gloo-mesh |
| rateLimiter.rateLimiter.image.repository |
string |
Image name (repository). |
rate-limiter |
| rateLimiter.rateLimiter.image.tag |
string |
Version tag for the container. |
0.10.6 |
| rateLimiter.rateLimiter.installClusterRoles |
bool |
If true, use ClusterRoles. If false, use Roles. |
true |
| rateLimiter.rateLimiter.logLevel |
string |
Severity level to collect logs for. |
INFO |
| rateLimiter.rateLimiter.ports |
struct |
Ports for the rate limiter service. |
|
| rateLimiter.rateLimiter.ports.debug |
uint32 |
Port on the rate limiter to pull logs from. |
9091 |
| rateLimiter.rateLimiter.ports.grpc |
uint32 |
Port the rate limiter listens on for gRPC requests. |
8083 |
| rateLimiter.rateLimiter.ports.ready |
uint32 |
Port the rate limiter listens on for readiness checks. |
8084 |
| rateLimiter.rateLimiter.readyPath |
string |
Path for readiness checks. |
/ready |
| rateLimiter.rateLimiter.resources |
struct |
Values for the container resource requests. |
|
| rateLimiter.rateLimiter.resources.requests |
struct |
Minimum amount of compute resources required. For more info, see the Kubernetes documentation. |
|
| rateLimiter.rateLimiter.resources.requests.cpu |
string |
Amount of CPU resource. |
125m |
| rateLimiter.rateLimiter.resources.requests.memory |
string |
Amount of memory resource. |
256Mi |
| rateLimiter.rateLimiter.service |
struct |
Configuration for the deployed rate limiter service. |
|
| rateLimiter.rateLimiter.service.annotations |
map[string, string] |
Kubernetes service annotations. |
{} |
| rateLimiter.rateLimiter.service.annotations.<MAP_KEY> |
string |
Kubernetes service annotations. |
|
| rateLimiter.rateLimiter.watchNamespace |
string |
Namespaces to watch in your cluster. If omitted or empty, all namespaces are watched. |
|
| rateLimiter.redis |
struct |
Configuration for using a Redis instance for authentication. |
|
| rateLimiter.redis.auth |
struct |
Values for the authentication details. |
|
| rateLimiter.redis.auth.enabled |
bool |
Use the default Redis instance for authentication. |
false |
| rateLimiter.redis.auth.passwordKey |
string |
Key that contains the password. |
redis-password |
| rateLimiter.redis.auth.secretName |
string |
Name of the secret that contains the username and password. |
redis-secrets |
| rateLimiter.redis.auth.usernameKey |
string |
Key that contains the username. If Redis doesn't have an explicit username, specify ‘default’. |
redis-username |
| rateLimiter.redis.certs |
struct |
Provide a CA cert for the rate limiter and Redis instance (if enabled) to use. |
|
| rateLimiter.redis.certs.caCert |
string |
File name that contains the CA cert. |
redis.crt |
| rateLimiter.redis.certs.enabled |
bool |
Enable the rate limiter and Redis instance (if enabled) to use the CA cert you provide. |
false |
| rateLimiter.redis.certs.mountPoint |
string |
Mount path for the certs. |
/etc/tls |
| rateLimiter.redis.certs.secretName |
string |
Name of the secret for the CA cert. |
redis-certs-keys |
| rateLimiter.redis.certs.signingKey |
string |
File name that contains the signing key. Only relevant for the Redis instance. |
redis.key |
| rateLimiter.redis.clustered |
bool |
Set to true if your Redis instance runs in clustered mode. |
false |
| rateLimiter.redis.enabled |
bool |
Install the default Redis instance. |
true |
| rateLimiter.redis.floatingUserId |
bool |
Set to true to use a floating user ID. |
false |
| rateLimiter.redis.hostname |
string |
Hostname clients use to connect to the Redis instance. |
redis |
| rateLimiter.redis.image |
struct |
Values for the Redis image. |
|
| rateLimiter.redis.image.pullPolicy |
string |
Image pull policy. |
IfNotPresent |
| rateLimiter.redis.image.registry |
string |
Image registry. |
docker.io |
| rateLimiter.redis.image.repository |
string |
Image name (repository). |
redis |
| rateLimiter.redis.image.tag |
string |
Version tag for the container. |
7.2.4-alpine |
| rateLimiter.redis.resources |
struct |
Values for the container resource requests. |
|
| rateLimiter.redis.resources.requests |
struct |
Minimum amount of compute resources required. For more info, see the Kubernetes documentation. |
|
| rateLimiter.redis.resources.requests.cpu |
string |
Amount of CPU resource. |
125m |
| rateLimiter.redis.resources.requests.memory |
string |
Amount of memory resource. |
256Mi |
| rateLimiter.redis.runAsUser |
int |
User ID to run Redis as. |
999 |
| rateLimiter.redis.service |
struct |
Values for the Redis service. |
|
| rateLimiter.redis.service.db |
int |
Select the Redis logical database having the specified zero-based numeric index. |
0 |
| rateLimiter.redis.service.name |
string |
Name for the Redis service. |
redis |
| rateLimiter.redis.service.port |
int |
Port for the Redis service. |
6379 |
| rateLimiter.redis.service.socket |
string |
'unix’, ‘tcp’, or ‘tls’ are supported. |
tcp |
| redis |
struct |
Redis configuration options. |
|
| redis.address |
string |
Address to use when connecting to the Redis instance. To use the default Redis deployment, specify ‘redis.gloo-mesh.svc.cluster.local:6379’. |
gloo-mesh-redis.gloo-mesh:6379 |
| redis.auth |
struct |
Optional authentication values to use when connecting to the Redis instance |
|
| redis.auth.enabled |
bool |
Connect to the Redis instance with a password |
false |
| redis.auth.passwordKey |
string |
The secret key containing the password to use for authentication |
password |
| redis.auth.secretName |
string |
Name of the k8s secret that contains the password |
redis-auth-secrets |
| redis.auth.usernameKey |
string |
The secret key containing the username to use for authentication |
username |
| redis.certs |
struct |
Configuration for TLS verification when connecting to the Redis instance |
|
| redis.certs.caCertKey |
string |
The secret key containing the ca cert |
|
| redis.certs.enabled |
bool |
Enable a secure network connection to the Redis instance via TLS |
false |
| redis.certs.secretName |
string |
Name of the k8s secret that contains the certs |
redis-certs |
| redis.connection |
struct |
Optional connection parameters |
|
| redis.connection.dialTimeout |
string |
Dial timeout for establishing new connections. Default is 5 seconds. |
5s |
| redis.connection.idleCheckFrequency |
string |
Frequency of idle checks made by idle connections reaper. Default is 1 minute. -1 disables idle connections reaper, but idle connections are still discarded by the client if IdleTimeout is set. |
1m0s |
| redis.connection.idleTimeout |
string |
Amount of time after which client closes idle connections. Should be less than server's timeout. Default is 5 minutes. -1 disables idle timeout check. |
5m0s |
| redis.connection.maxConnAge |
string |
Connection age at which client retires (closes) the connection. Default is to not close aged connections. |
|
| redis.connection.maxRetries |
int |
Maximum number of retries before giving up. Default is 3. -1 disables retries. |
3 |
| redis.connection.maxRetryBackoff |
string |
Maximum backoff between each retry. Default is 512 milliseconds. -1 disables backoff. |
512ms |
| redis.connection.minIdleConns |
int |
Minimum number of idle connections which is useful when establishing new connection is slow. |
0 |
| redis.connection.minRetryBackoff |
string |
Minimum backoff between each retry. Default is 8 milliseconds. -1 disables backoff. |
8ms |
| redis.connection.poolFifo |
bool |
Type of connection pool. true for FIFO pool. false for LIFO pool. Note that FIFO has higher overhead compared to LIFO. |
false |
| redis.connection.poolSize |
int |
Maximum number of socket connections. Default is 10 connections per every available CPU as reported by runtime.GOMAXPROCS. |
0 |
| redis.connection.poolTimeout |
string |
Amount of time client waits for connection if all connections are busy before returning an error. Default is ReadTimeout + 1 second. |
|
| redis.connection.readTimeout |
string |
Timeout for socket reads. if reached, commands will fail with a timeout instead of blocking. Default is 3 seconds. -1 disables timeout. 0 uses the default value. |
3s |
| redis.connection.writeTimeout |
string |
Timeout for socket writes. If reached, commands will fail with a timeout instead of blocking. Default is ReadTimeout. |
|
| redis.db |
int |
DB to connect to |
0 |
| redis.deployment |
struct |
|
|
| redis.deployment |
struct |
Configuration for the deployment deployment. |
|
| redis.deployment.addr |
string |
Deprecated: Use ‘redis.address’ instead. |
|
| redis.deployment.deploymentOverrides |
struct |
Arbitrary overrides for the component's deployment template. |
|
| redis.deployment.enabled |
bool |
Deploy the default Redis instance. |
true |
| redis.deployment.enabled |
bool |
Enable creation of the deployment/service. |
true |
| redis.deployment.env[] |
slice |
Environment variables for the container. For more info, see the Kubernetes documentation. |
[{“name”:“MASTER”,“value”:“true”}] |
| redis.deployment.extraEnvs |
struct |
Extra environment variables for the container |
|
| redis.deployment.floatingUserId |
bool |
Allow the pod to be assigned a dynamic user ID. Required for OpenShift installations. |
false |
| redis.deployment.floatingUserId |
bool |
Set to true to use a floating user ID. |
false |
| redis.deployment.image |
struct |
Container image. |
|
| redis.deployment.image.pullPolicy |
string |
Image pull policy. |
IfNotPresent |
| redis.deployment.image.pullSecret |
string |
Image pull secret. |
|
| redis.deployment.image.registry |
string |
Image registry. |
docker.io |
| redis.deployment.image.repository |
string |
Image name (repository). |
redis |
| redis.deployment.image.tag |
string |
Version tag for the container image. |
|
| redis.deployment.ports |
map[string, uint32] |
Service ports as a map from port name to port number. |
{“redis”:6379} |
| redis.deployment.ports.<MAP_KEY> |
uint32 |
Service ports as a map from port name to port number. |
|
| redis.deployment.ports.redis |
uint32 |
Service ports as a map from port name to port number. |
6379 |
| redis.deployment.resources |
struct |
Container resource requirements. For more info, see the Kubernetes documentation. |
{“requests”:{“cpu”:“125m”,“memory”:“256Mi”}} |
| redis.deployment.runAsUser |
uint32 |
Static user ID to run the containers as. Unused if floatingUserId is ‘true’. |
10101 |
| redis.deployment.runAsUser |
int |
User ID to run Redis as. |
999 |
| redis.deployment.securityContext |
struct |
Container security context. Set to ‘false’ to omit the security context entirely. For more info, see the Kubernetes documentation. |
{“capabilities”:{“drop”:[“ALL”]},“runAsUser”:999,“runAsNonRoot”:true,“readOnlyRootFilesystem”:true,“allowPrivilegeEscalation”:false} |
| redis.deployment.serviceOverrides |
struct |
Arbitrary overrides for the component's service template. |
|
| redis.deployment.serviceType |
string |
Kubernetes service type. Can be either “ClusterIP”, “NodePort”, “LoadBalancer”, or “ExternalName”. |
ClusterIP |
| redis.deployment.sidecars |
map[string, struct] |
Optional configuration for the deployed containers. |
{} |
| redis.deployment.sidecars.<MAP_KEY> |
struct |
Optional configuration for the deployed containers. |
|
| redis.deployment.sidecars.<MAP_KEY>.env[] |
slice |
Environment variables for the container. For more info, see the Kubernetes documentation. |
|
| redis.deployment.sidecars.<MAP_KEY>.extraEnvs |
struct |
Extra environment variables for the container |
|
| redis.deployment.sidecars.<MAP_KEY>.image |
struct |
Container image. |
|
| redis.deployment.sidecars.<MAP_KEY>.image.pullPolicy |
string |
Image pull policy. |
|
| redis.deployment.sidecars.<MAP_KEY>.image.pullSecret |
string |
Image pull secret. |
|
| redis.deployment.sidecars.<MAP_KEY>.image.registry |
string |
Image registry. |
|
| redis.deployment.sidecars.<MAP_KEY>.image.repository |
string |
Image name (repository). |
|
| redis.deployment.sidecars.<MAP_KEY>.image.tag |
string |
Version tag for the container image. |
|
| redis.deployment.sidecars.<MAP_KEY>.resources |
struct |
Container resource requirements. For more info, see the Kubernetes documentation. |
|
| redis.deployment.sidecars.<MAP_KEY>.securityContext |
struct |
Container security context. Set to ‘false’ to omit the security context entirely. For more info, see the Kubernetes documentation. |
|
| telemetryCollector |
struct |
Configuration for the Gloo Platform Telemetry Collector. See the OpenTelemetry Helm chart for the complete set of values. |
|
| telemetryCollectorCustomization |
struct |
Optional customization for the Gloo Platform Telemetry Collector. |
|
| telemetryCollectorCustomization.disableDefaultPipeline |
bool |
Disables the default pipeline. Useful if you want to create a custom pipeline using ‘extraPipelines’ and to disable the default pipeline. |
false |
| telemetryCollectorCustomization.extraExporters |
map[string, interface] |
Configuration for extra exporters, such as to forward your data to a third-party provider. Exporters forward the data they get to a destination on the local or remote network. |
null |
| telemetryCollectorCustomization.extraExporters.<MAP_KEY> |
interface |
Configuration for extra exporters, such as to forward your data to a third-party provider. Exporters forward the data they get to a destination on the local or remote network. |
|
| telemetryCollectorCustomization.extraPipelines |
map[string, interface] |
Specify any added receivers, processors, or exporters in an extra pipeline. |
null |
| telemetryCollectorCustomization.extraPipelines.<MAP_KEY> |
interface |
Specify any added receivers, processors, or exporters in an extra pipeline. |
|
| telemetryCollectorCustomization.extraProcessors |
map[string, interface] |
Configuration for extra processors to drop and generate new data. Processors can transform the data before it is forwarded to another processor and an exporter. |
{“batch”:{“send_batch_max_size”:3000,“send_batch_size”:2000,“timeout”:“600ms”},“memory_limiter”:{“check_interval”:“1s”,“limit_percentage”:85,“spike_limit_percentage”:10}} |
| telemetryCollectorCustomization.extraProcessors.<MAP_KEY> |
interface |
Configuration for extra processors to drop and generate new data. Processors can transform the data before it is forwarded to another processor and an exporter. |
|
| telemetryCollectorCustomization.extraProcessors.batch |
interface |
Configuration for extra processors to drop and generate new data. Processors can transform the data before it is forwarded to another processor and an exporter. |
|
| telemetryCollectorCustomization.extraProcessors.memory_limiter |
interface |
Configuration for extra processors to drop and generate new data. Processors can transform the data before it is forwarded to another processor and an exporter. |
|
| telemetryCollectorCustomization.extraReceivers |
map[string, interface] |
Configuration for extra receivers, such as to scrape extra Prometheus targets. Receivers listen on a network port to receive telemetry data. |
null |
| telemetryCollectorCustomization.extraReceivers.<MAP_KEY> |
interface |
Configuration for extra receivers, such as to scrape extra Prometheus targets. Receivers listen on a network port to receive telemetry data. |
|
| telemetryCollectorCustomization.serverName |
string |
SNI and certificate subject alternative name used in the collector certificate. |
gloo-telemetry-gateway.gloo-mesh |
| telemetryCollectorCustomization.telemetry |
map[string, interface] |
Configure the service telemetry (logs and metrics) as described in the otel-collector docs. |
{“metrics”:{“address”:“0.0.0.0:8888”}} |
| telemetryCollectorCustomization.telemetry.<MAP_KEY> |
interface |
Configure the service telemetry (logs and metrics) as described in the otel-collector docs. |
|
| telemetryCollectorCustomization.telemetry.metrics |
interface |
Configure the service telemetry (logs and metrics) as described in the otel-collector docs. |
|
| telemetryGateway |
struct |
Configuration for the Gloo Platform Telemetry Gateway. See the OpenTelemetry Helm chart for the complete set of values. |
|
| telemetryGatewayCustomization |
struct |
Optional customization for the Gloo Platform Telemetry Gateway. |
|
| telemetryGatewayCustomization.disableCertGeneration |
bool |
Disable cert generation for the Gloo Platform Telemetry Gateway. |
false |
| telemetryGatewayCustomization.disableDefaultPipeline |
bool |
Disables the default pipeline. Useful if you want to create a custom pipeline using ‘extraPipelines’ and to disable the default pipeline. |
false |
| telemetryGatewayCustomization.extraExporters |
map[string, interface] |
Configuration for extra exporters, such as to forward your data to a third-party provider. Exporters forward the data they get to a destination on the local or remote network. |
null |
| telemetryGatewayCustomization.extraExporters.<MAP_KEY> |
interface |
Configuration for extra exporters, such as to forward your data to a third-party provider. Exporters forward the data they get to a destination on the local or remote network. |
|
| telemetryGatewayCustomization.extraPipelines |
map[string, interface] |
Specify any added receivers, processors, or exporters in an extra pipeline. |
null |
| telemetryGatewayCustomization.extraPipelines.<MAP_KEY> |
interface |
Specify any added receivers, processors, or exporters in an extra pipeline. |
|
| telemetryGatewayCustomization.extraProcessors |
map[string, interface] |
Configuration for extra processors to drop and generate new data. Processors can transform the data before it is forwarded to another processor and an exporter. |
{“batch”:{“send_batch_max_size”:3000,“send_batch_size”:2000,“timeout”:“600ms”},“memory_limiter”:{“check_interval”:“1s”,“limit_percentage”:85,“spike_limit_percentage”:10}} |
| telemetryGatewayCustomization.extraProcessors.<MAP_KEY> |
interface |
Configuration for extra processors to drop and generate new data. Processors can transform the data before it is forwarded to another processor and an exporter. |
|
| telemetryGatewayCustomization.extraProcessors.batch |
interface |
Configuration for extra processors to drop and generate new data. Processors can transform the data before it is forwarded to another processor and an exporter. |
|
| telemetryGatewayCustomization.extraProcessors.memory_limiter |
interface |
Configuration for extra processors to drop and generate new data. Processors can transform the data before it is forwarded to another processor and an exporter. |
|
| telemetryGatewayCustomization.extraReceivers |
map[string, interface] |
Configuration for extra receivers, such as to scrape extra Prometheus targets. Receivers listen on a network port to receive telemetry data. |
null |
| telemetryGatewayCustomization.extraReceivers.<MAP_KEY> |
interface |
Configuration for extra receivers, such as to scrape extra Prometheus targets. Receivers listen on a network port to receive telemetry data. |
|
| telemetryGatewayCustomization.reloadTlsCertificate |
struct |
Interval of time between reloading the TLS certificate of the telemetry gateway. |
|
| telemetryGatewayCustomization.reloadTlsCertificate.nanos |
int32 |
|
0 |
| telemetryGatewayCustomization.reloadTlsCertificate.seconds |
int64 |
|
0 |
| telemetryGatewayCustomization.serverName |
string |
SNI and certificate subject alternative name used in the telemetry gateway certificate. |
gloo-telemetry-gateway.gloo-mesh |
| telemetryGatewayCustomization.telemetry |
map[string, interface] |
Configure the service telemetry (logs and metrics) as described in the otel-collector docs. |
{“metrics”:{“address”:“0.0.0.0:8888”}} |
| telemetryGatewayCustomization.telemetry.<MAP_KEY> |
interface |
Configure the service telemetry (logs and metrics) as described in the otel-collector docs. |
|
| telemetryGatewayCustomization.telemetry.metrics |
interface |
Configure the service telemetry (logs and metrics) as described in the otel-collector docs. |
|
