kuma-cp configuration reference

Kuma CP configuration

  # Environment the control plane runs in. Available values: "kubernetes", "universal".
  environment: universal  # ENV: KUMA_ENVIRONMENT
  # Mode in which Kuma CP is running. Available values: "global", "zone",
  # "standalone" (deprecated, use "zone").
  mode: zone  # ENV: KUMA_MODE
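  # Resource Store configuration
  store:
    # Type of Store used in the Control Plane. Available values are: "kubernetes", "postgres" or "memory"
    type: memory  # ENV: KUMA_STORE_TYPE
    # Kubernetes Store configuration (used when store.type=kubernetes)
    kubernetes:
      # Namespace where Control Plane is installed to.
      systemNamespace: kuma-system  # ENV: KUMA_STORE_KUBERNETES_SYSTEM_NAMESPACE
    # Postgres Store configuration (used when store.type=postgres)
    postgres:
      # Host of the Postgres DB
      host: 127.0.0.1  # ENV: KUMA_STORE_POSTGRES_HOST
      # Port of the Postgres DB
      port: 15432  # ENV: KUMA_STORE_POSTGRES_PORT
      # User of the Postgres DB
      user: kuma  # ENV: KUMA_STORE_POSTGRES_USER
      # Password of the Postgres DB.
      # Treat this value as a secret: prefer supplying it through KUMA_STORE_POSTGRES_PASSWORD
      # (or a secret store) rather than committing a config file that contains it.
      password: kuma  # ENV: KUMA_STORE_POSTGRES_PASSWORD
      # Database name of the Postgres DB
      dbName: kuma  # ENV: KUMA_STORE_POSTGRES_DB_NAME
      # Driver to use, one of: pgx, postgres
      driverName: pgx  # ENV: KUMA_STORE_POSTGRES_DRIVER_NAME
      # Connection Timeout to the DB in seconds
      connectionTimeout: 5  # ENV: KUMA_STORE_POSTGRES_CONNECTION_TIMEOUT
      # MaxConnectionIdleTime (applied only when driverName=pgx) is the duration after which an idle
      # connection will be automatically closed by the health check.
      maxConnectionIdleTime: "30m"  # ENV: KUMA_STORE_POSTGRES_MAX_CONNECTION_IDLE_TIME
      # MaxConnectionLifetime (applied only when driverName=pgx) is the duration since creation after
      # which a connection will be automatically closed.
      maxConnectionLifetime: "1h"  # ENV: KUMA_STORE_POSTGRES_MAX_CONNECTION_LIFETIME
      # MaxConnectionLifetimeJitter (applied only when driverName=pgx) is the duration after
      # maxConnectionLifetime to randomly decide to close a connection.
      # This helps prevent all connections from being closed at the exact same time, starving the pool.
      maxConnectionLifetimeJitter: "1m"  # ENV: KUMA_STORE_POSTGRES_MAX_CONNECTION_LIFETIME_JITTER
      # HealthCheckInterval (applied only when driverName=pgx) is the duration between checks of the
      # health of idle connections.
      healthCheckInterval: "30s"  # ENV: KUMA_STORE_POSTGRES_HEALTH_CHECK_INTERVAL
      # MinOpenConnections (applied only when driverName=pgx) is the minimum number of open connections
      # to the database.
      minOpenConnections: 0  # ENV: KUMA_STORE_POSTGRES_MIN_OPEN_CONNECTIONS
      # MaxOpenConnections is the maximum number of open connections to the database.
      # `0` value means number of open connections is unlimited.
      maxOpenConnections: 50  # ENV: KUMA_STORE_POSTGRES_MAX_OPEN_CONNECTIONS
      # MaxIdleConnections is the maximum number of connections in the idle connection pool.
      # <0 value means no idle connections and 0 means default max idle connections.
      maxIdleConnections: 50  # ENV: KUMA_STORE_POSTGRES_MAX_IDLE_CONNECTIONS
      # MaxListQueryElements defines the maximum number of changed elements before requesting the full
      # list of elements from the store.
      maxListQueryElements: 0  # ENV: KUMA_STORE_POSTGRES_MAX_LIST_QUERY_ELEMENTS
      # TLS settings
      tls:
        # Mode of TLS connection. Available values are: "disable", "verifyNone", "verifyCa", "verifyFull".
        # "disable" sends credentials and data to the DB in cleartext and "verifyNone" does not verify
        # the server's certificate; use "verifyCa" or "verifyFull" outside local development.
        mode: disable  # ENV: KUMA_STORE_POSTGRES_TLS_MODE
        # Path to TLS Certificate of the client. Required when server has METHOD=cert
        certPath: ""  # ENV: KUMA_STORE_POSTGRES_TLS_CERT_PATH
        # Path to TLS Key of the client. Required when server has METHOD=cert
        keyPath: ""  # ENV: KUMA_STORE_POSTGRES_TLS_KEY_PATH
        # Path to the root certificate. Used in verifyCa and verifyFull modes.
        caPath: ""  # ENV: KUMA_STORE_POSTGRES_TLS_ROOT_CERT_PATH
      # ReadReplica is a setting for a DB replica used only for read queries
      readReplica:
        # Host of the Postgres DB read replica. If not set, read replica is not used.
        host: ""  # ENV: KUMA_STORE_POSTGRES_READ_REPLICA_HOST
        # Port of the Postgres DB read replica
        port: 5432  # ENV: KUMA_STORE_POSTGRES_READ_REPLICA_PORT
        # Ratio in [0-100] range. How many SELECT queries (out of 100) will use the read replica.
        ratio: 100  # ENV: KUMA_STORE_POSTGRES_READ_REPLICA_RATIO
    # Cache for read only operations. This cache is local to the instance of the control plane.
    cache:
      # If true then cache is enabled
      enabled: true  # ENV: KUMA_STORE_CACHE_ENABLED
      # Expiration time for elements in cache.
      expirationTime: 1s  # ENV: KUMA_STORE_CACHE_EXPIRATION_TIME
    # Upsert (get and update) configuration
    upsert:
      # Base time for exponential backoff on upsert operations when retry is enabled
      conflictRetryBaseBackoff: 200ms  # ENV: KUMA_STORE_UPSERT_CONFLICT_RETRY_BASE_BACKOFF
      # Max retries on upsert (get and update) operation when retry is enabled
      conflictRetryMaxTimes: 10  # ENV: KUMA_STORE_UPSERT_CONFLICT_RETRY_MAX_TIMES
      # Percentage of jitter. For example: if backoff is 20s, and this value is 10, the backoff
      # will be between 18s and 22s.
      conflictRetryJitterPercent: 30  # ENV: KUMA_STORE_UPSERT_CONFLICT_RETRY_JITTER_PERCENT
    # If true, skips validation of resource delete.
    # For example you don't have to delete all Dataplane objects before you delete a Mesh.
    unsafeDelete: false  # ENV: KUMA_STORE_UNSAFE_DELETE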
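  # Configuration of Bootstrap Server, which provides bootstrap config to Dataplanes
  bootstrapServer:
    # Parameters of bootstrap configuration
    params:
      # Address of Envoy Admin. Binding it to anything other than loopback widens who can reach
      # the admin interface beyond the local host/pod.
      adminAddress: 127.0.0.1  # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_ADMIN_ADDRESS
      # Port of Envoy Admin
      adminPort: 9901  # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_ADMIN_PORT
      # Path to access log file of Envoy Admin
      adminAccessLogPath: /dev/null  # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_ADMIN_ACCESS_LOG_PATH
      # Host of XDS Server. By default it is the same host as the one used by kuma-dp to connect
      # to the control plane.
      xdsHost: ""  # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_XDS_HOST
      # Port of XDS Server. By default it is autoconfigured from KUMA_DP_SERVER_PORT
      xdsPort: 0  # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_XDS_PORT
      # Connection timeout to the XDS Server
      xdsConnectTimeout: 1s  # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_XDS_CONNECT_TIMEOUT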
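  # Monitoring Assignment Discovery Service (MADS) server configuration
  monitoringAssignmentServer:
    # Port of a gRPC server that serves Monitoring Assignment Discovery Service (MADS).
    port: 5676  # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_PORT
    # Which MADS API versions to serve
    apiVersions: ["v1"]  # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_API_VERSIONS
    # Interval for re-generating monitoring assignments for clients connected to the Control Plane.
    assignmentRefreshInterval: 1s  # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_ASSIGNMENT_REFRESH_INTERVAL
    # The default timeout for a single fetch-based discovery request, if not specified
    defaultFetchTimeout: 30s  # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_DEFAULT_FETCH_TIMEOUT
    # Path to TLS certificate file
    tlsCertFile: ""  # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_CERT_FILE
    # Path to TLS key file
    tlsKeyFile: ""  # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_KEY_FILE
    # TlsMinVersion is the minimum version of TLS accepted by this server.
    tlsMinVersion: "TLSv1_2"  # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_MIN_VERSION
    # TlsMaxVersion is the maximum version of TLS accepted by this server (empty: no upper bound set here).
    tlsMaxVersion: ""  # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_MAX_VERSION
    # TlsCipherSuites is the list of cipher suites to be used by this server (empty: library defaults).
    tlsCipherSuites: []  # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_CIPHER_SUITES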
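  # Envoy XDS server configuration
  xdsServer:
    # Interval for re-generating configuration for Dataplanes connected to the Control Plane
    dataplaneConfigurationRefreshInterval: 1s  # ENV: KUMA_XDS_SERVER_DATAPLANE_CONFIGURATION_REFRESH_INTERVAL
    # Interval for flushing status of Dataplanes connected to the Control Plane
    dataplaneStatusFlushInterval: 10s  # ENV: KUMA_XDS_SERVER_DATAPLANE_STATUS_FLUSH_INTERVAL
    # Backoff that is applied when the Control Plane re-sends a response that was previously
    # rejected (NACKed) by a Dataplane.
    nackBackoff: 5s  # ENV: KUMA_XDS_SERVER_NACK_BACKOFF
    # A delay between a proxy terminating its connection and the CP trying to deregister the proxy.
    # It is used only in universal mode when you use direct lifecycle.
    # Setting this to 0s disables the delay.
    # Disabling it may cause a race condition in which one instance of the CP removes the proxy
    # object while the proxy is connected to another instance of the CP.
    dataplaneDeregistrationDelay: 10s  # ENV: KUMA_XDS_DATAPLANE_DEREGISTRATION_DELAY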
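  # API Server configuration
  apiServer:
    # HTTP configuration of the API Server
    http:
      # If true then API Server will be served on HTTP. This listener has no transport encryption,
      # so credentials presented to it travel in cleartext.
      enabled: true  # ENV: KUMA_API_SERVER_HTTP_ENABLED
      # Network interface on which HTTP API Server will be exposed. 0.0.0.0 binds every interface.
      interface: 0.0.0.0  # ENV: KUMA_API_SERVER_HTTP_INTERFACE
      # Port of the API Server
      port: 5681  # ENV: KUMA_API_SERVER_HTTP_PORT
    # HTTPS configuration of the API Server
    https:
      # If true then API Server will be served on HTTPS
      enabled: true  # ENV: KUMA_API_SERVER_HTTPS_ENABLED
      # Network interface on which HTTPS API Server will be exposed
      interface: 0.0.0.0  # ENV: KUMA_API_SERVER_HTTPS_INTERFACE
      # Port of the HTTPS API Server
      port: 5682  # ENV: KUMA_API_SERVER_HTTPS_PORT
      # Path to TLS certificate file. Autoconfigured from KUMA_GENERAL_TLS_CERT_FILE if empty
      tlsCertFile: ""  # ENV: KUMA_API_SERVER_HTTPS_TLS_CERT_FILE
      # Path to TLS key file. Autoconfigured from KUMA_GENERAL_TLS_KEY_FILE if empty
      tlsKeyFile: ""  # ENV: KUMA_API_SERVER_HTTPS_TLS_KEY_FILE
      # Path to the CA certificate which is used to sign client certificates. It is used only for
      # verifying client certificates.
      tlsCaFile: ""  # ENV: KUMA_API_SERVER_HTTPS_CLIENT_CERTS_CA_FILE
      # TlsMinVersion is the minimum version of TLS accepted by the HTTPS API Server.
      tlsMinVersion: "TLSv1_2"  # ENV: KUMA_API_SERVER_HTTPS_TLS_MIN_VERSION
      # TlsMaxVersion is the maximum version of TLS accepted by the HTTPS API Server (empty: no upper bound set here).
      tlsMaxVersion: ""  # ENV: KUMA_API_SERVER_HTTPS_TLS_MAX_VERSION
      # TlsCipherSuites is the list of cipher suites used by the HTTPS API Server (empty: library defaults).
      tlsCipherSuites: []  # ENV: KUMA_API_SERVER_HTTPS_TLS_CIPHER_SUITES
      # If true, then the HTTPS connection will require a client cert.
      requireClientCert: false  # ENV: KUMA_API_SERVER_HTTPS_REQUIRE_CLIENT_CERT
    # Authentication configuration for administrative endpoints like Dataplane Token or managing Secrets
    auth:
      # Directory of authorized client certificates (only validated over HTTPS)
      clientCertsDir: ""  # ENV: KUMA_API_SERVER_AUTH_CLIENT_CERTS_DIR
    # Api Server Authentication configuration
    authn:
      # Type of authentication mechanism (available values: "adminClientCerts", "tokens")
      type: tokens  # ENV: KUMA_API_SERVER_AUTHN_TYPE
      # Requests from localhost are authenticated as user "admin" of group "admin".
      # Anything able to reach the API Server over the loopback interface (for example a process
      # sharing its network namespace) therefore acts as admin.
      localhostIsAdmin: true  # ENV: KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN
      # Configuration for tokens authentication
      tokens:
        # If true then a User Token with name admin and group admin will be created and placed as the
        # admin-user-token Kuma secret. Read access to that secret is equivalent to admin access.
        bootstrapAdminToken: true  # ENV: KUMA_API_SERVER_AUTHN_TOKENS_BOOTSTRAP_ADMIN_TOKEN
        # If true the control plane token issuer is enabled. It's recommended to set it to false when
        # all the tokens are issued offline.
        enableIssuer: true  # ENV: KUMA_API_SERVER_AUTHN_TOKENS_ENABLE_ISSUER
        # Token validator configuration
        validator:
          # If true then Kuma secrets with prefix "user-token-signing-key" are considered as signing keys.
          useSecrets: true  # ENV: KUMA_API_SERVER_AUTHN_TOKENS_VALIDATOR_USE_SECRETS
          # List of public keys used to validate the token. Example:
          #   - kid: 1
          #     key: |
          #       -----BEGIN RSA PUBLIC KEY-----
          #       MIIBCgKCAQEAq....
          #       -----END RSA PUBLIC KEY-----
          #   - kid: 2
          #     keyFile: /keys/public.pem
          publicKeys: []
    # If true, then API Server will operate in read only mode (serving GET requests)
    readOnly: false  # ENV: KUMA_API_SERVER_READ_ONLY
    # Allowed domains for Cross-Origin Resource Sharing. Each value can be either a domain or a regexp.
    # The default ".*" matches every origin; restrict it to the origins that actually need browser
    # access to the API.
    corsAllowedDomains:  # ENV: KUMA_API_SERVER_CORS_ALLOWED_DOMAINS
      - ".*"
    # Can be used if you use a reverse proxy
    rootUrl: ""  # ENV: KUMA_API_SERVER_ROOT_URL
    # The path to serve the API from
    basePath: "/"  # ENV: KUMA_API_SERVER_BASE_PATH
    # Configuration specific to the GUI
    gui:
      # Whether to serve the gui (if mode=zone this has no effect)
      enabled: true  # ENV: KUMA_API_SERVER_GUI_ENABLED
      # Can be used if you use a reverse proxy or want to serve the gui from a different path
      rootUrl: ""  # ENV: KUMA_API_SERVER_GUI_ROOT_URL
      # The path to serve the GUI from
      basePath: "/gui"  # ENV: KUMA_API_SERVER_GUI_BASE_PATH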
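  # Environment-specific configuration
  runtime:
    # Kubernetes-specific configuration
    kubernetes:
      # Service name of the Kuma Control Plane. It is used to point Kuma DP to the proper URL.
      controlPlaneServiceName: kuma-control-plane  # ENV: KUMA_RUNTIME_KUBERNETES_CONTROL_PLANE_SERVICE_NAME
      # Name of Service Account that is used to run the Control Plane
      serviceAccountName: "system:serviceaccount:kuma-system:kuma-control-plane"  # ENV: KUMA_RUNTIME_KUBERNETES_SERVICE_ACCOUNT_NAME
      # Taint controller that prevents applications from scheduling until CNI is ready.
      nodeTaintController:
        # If true enables the taint controller.
        enabled: false  # ENV: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_ENABLED
        # Value of app label on CNI pod that indicates if node can be ready.
        cniApp: ""  # ENV: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_CNI_APP
        # Value of CNI namespace.
        cniNamespace: "kube-system"  # ENV: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_CNI_NAMESPACE
      # Admission WebHook Server configuration
      admissionServer:
        # Address the Admission WebHook Server should be listening on
        address: ""  # ENV: KUMA_RUNTIME_KUBERNETES_ADMISSION_SERVER_ADDRESS
        # Port the Admission WebHook Server should be listening on
        port: 5443  # ENV: KUMA_RUNTIME_KUBERNETES_ADMISSION_SERVER_PORT
        # Directory with a TLS cert and private key for the Admission WebHook Server.
        # TLS certificate file must be named `tls.crt`.
        # TLS key file must be named `tls.key`.
        certDir: ""  # ENV: KUMA_RUNTIME_KUBERNETES_ADMISSION_SERVER_CERT_DIR
      # Injector defines configuration of a Kuma Sidecar Injector.
      injector:
        # If true runs kuma-cp in CNI compatible mode
        cniEnabled: false  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_CNI_ENABLED
        # List of exceptions for Kuma injection
        exceptions:
          # A map of labels for exception. If a pod matches a label with the given value Kuma won't
          # be injected. Specify '*' to match any value.
          labels:
            openshift.io/build.name: "*"
            openshift.io/deployer-pod-for.name: "*"
        # VirtualProbesEnabled enables automatic converting of HttpGet probes to virtual. A virtual probe
        # serves on a sub-path of the insecure port 'virtualProbesPort',
        # i.e. :8080/health/readiness -> :9000/8080/health/readiness where 9000 is virtualProbesPort
        virtualProbesEnabled: true  # ENV: KUMA_RUNTIME_KUBERNETES_VIRTUAL_PROBES_ENABLED
        # VirtualProbesPort is a port for exposing virtual probes which are not secured by mTLS
        virtualProbesPort: 9000  # ENV: KUMA_RUNTIME_KUBERNETES_VIRTUAL_PROBES_PORT
        # CaCertFile is the CA certificate which will be used to verify a connection to the control plane.
        caCertFile: ""  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_CA_CERT_FILE
        # SidecarContainer defines configuration of the Kuma sidecar container.
        sidecarContainer:
          # Image name. A floating tag such as ":latest" is mutable; pin a version (or digest) so the
          # injected sidecar is reproducible and reviewable.
          image: kuma/kuma-dp:latest  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_IMAGE
          # Redirect port for inbound traffic.
          redirectPortInbound: 15006  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_REDIRECT_PORT_INBOUND
          # Redirect port for inbound IPv6 traffic.
          # Deprecated: Use redirectPortInbound or ipFamilyMode instead.
          redirectPortInboundV6: 15006  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_REDIRECT_PORT_INBOUND_V6
          # IP family mode enabled for traffic redirection, can be 'dualstack' or 'ipv4'
          ipFamilyMode: dualstack  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_IP_FAMILY_MODE
          # Redirect port for outbound traffic.
          redirectPortOutbound: 15001  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_REDIRECT_PORT_OUTBOUND
          # User ID the sidecar runs as.
          uid: 5678  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_UID
          # Group ID the sidecar runs as.
          gid: 5678  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_GUI
          # Drain time for listeners.
          drainTime: 30s  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_DRAIN_TIME
          # Readiness probe.
          readinessProbe:
            # Number of seconds after the container has started before readiness probes are initiated.
            initialDelaySeconds: 1  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_INITIAL_DELAY_SECONDS
            # Number of seconds after which the probe times out.
            timeoutSeconds: 3  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_TIMEOUT_SECONDS
            # How often (in seconds) to perform the probe.
            periodSeconds: 5  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_PERIOD_SECONDS
            # Minimum consecutive successes for the probe to be considered successful after having failed.
            successThreshold: 1  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_SUCCESS_THRESHOLD
            # Minimum consecutive failures for the probe to be considered failed after having succeeded.
            failureThreshold: 12  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_FAILURE_THRESHOLD
          # Liveness probe.
          livenessProbe:
            # Number of seconds after the container has started before liveness probes are initiated.
            initialDelaySeconds: 60  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_INITIAL_DELAY_SECONDS
            # Number of seconds after which the probe times out.
            timeoutSeconds: 3  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_TIMEOUT_SECONDS
            # How often (in seconds) to perform the probe.
            periodSeconds: 5  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_PERIOD_SECONDS
            # Minimum consecutive failures for the probe to be considered failed after having succeeded.
            failureThreshold: 12  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_FAILURE_THRESHOLD
          # Startup probe (if sidecar containers feature is enabled).
          startupProbe:
            # Number of seconds after the container has started before startup probes are initiated.
            initialDelaySeconds: 1  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_STARTUP_PROBE_INITIAL_DELAY_SECONDS
            # Number of seconds after which the probe times out.
            timeoutSeconds: 3  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_STARTUP_PROBE_TIMEOUT_SECONDS
            # How often (in seconds) to perform the probe.
            periodSeconds: 5  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_STARTUP_PROBE_PERIOD_SECONDS
            # Minimum consecutive failures for the probe to be considered failed after having succeeded.
            failureThreshold: 12  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_STARTUP_PROBE_FAILURE_THRESHOLD
          # Compute resource requirements.
          resources:
            # Minimum amount of compute resources required.
            requests:
              # CPU, in cores. (500m = .5 cores)
              cpu: 50m  # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_REQUESTS_CPU
              # Memory, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024)
              memory: 64Mi  # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_REQUESTS_MEMORY
            # Maximum amount of compute resources allowed.
            limits:
              # CPU, in cores. (500m = .5 cores)
              cpu: 1000m  # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_LIMITS_CPU
              # Memory, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024)
              memory: 512Mi  # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_LIMITS_MEMORY
          # Additional environment variables that can be placed on the Kuma DP sidecar
          envVars: {}  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_ENV_VARS
          # If true, it enables a postStart script that waits until Envoy is ready.
          # With the current Kubernetes behavior, any other container in the Pod will wait until the
          # script is complete.
          waitForDataplaneReady: false  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_WAIT_FOR_DATAPLANE_READY
        # InitContainer defines configuration of the Kuma init container
        initContainer:
          # Image name. As with the sidecar image, prefer a pinned version (or digest) over ":latest".
          image: kuma/kuma-init:latest  # ENV: KUMA_INJECTOR_INIT_CONTAINER_IMAGE
        # ContainerPatches is an optional list of ContainerPatch names which will be applied
        # to init and sidecar containers if the workload is not annotated with a patch list.
        containerPatches: []  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_CONTAINER_PATCHES
        # Configuration for traffic that is intercepted by the sidecar
        sidecarTraffic:
          # List of inbound ports that will be excluded from interception.
          # This setting is applied on every pod unless the traffic.kuma.io/exclude-inbound-ports
          # annotation is specified on the Pod.
          excludeInboundPorts: []  # ENV: KUMA_RUNTIME_KUBERNETES_SIDECAR_TRAFFIC_EXCLUDE_INBOUND_PORTS
          # List of outbound ports that will be excluded from interception.
          # This setting is applied on every pod unless the traffic.kuma.io/exclude-outbound-ports
          # annotation is specified on the Pod.
          excludeOutboundPorts: []  # ENV: KUMA_RUNTIME_KUBERNETES_SIDECAR_TRAFFIC_EXCLUDE_OUTBOUND_PORTS
        # Built-in DNS configuration for the injected sidecar
        builtinDNS:
          # Use the built-in DNS
          enabled: true  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_BUILTIN_DNS_ENABLED
          # Redirect port for DNS
          port: 15053  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_BUILTIN_DNS_PORT
          # Enable coredns query logging if true
          logging: false  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_BUILTIN_DNS_LOGGING
        # EBPF defines configuration for the ebpf, when transparent proxy is marked to be
        # installed using ebpf instead of iptables
        ebpf:
          # Install transparent proxy using ebpf
          enabled: false  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_ENABLED
          # Name of the environment variable which will include the IP address of the pod
          instanceIPEnvVarName: INSTANCE_IP  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_INSTANCE_IP_ENV_VAR_NAME
          # Path where the BPF file system will be mounted for pinning ebpf programs and maps
          bpffsPath: /sys/fs/bpf  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_BPFFS_PATH
          # Path of mounted cgroup2
          cgroupPath: /sys/fs/cgroup  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_CGROUP_PATH
          # Name of the network interface to which TC programs should be attached;
          # when not specified, we will try to automatically determine it
          tcAttachIface: ""  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_TC_ATTACH_IFACE
          # Path where compiled eBPF programs are placed
          programsSourcePath: /tmp/kuma-ebpf  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_PROGRAMS_SOURCE_PATH
        # IgnoredServiceSelectorLabels defines a list of ignored labels in the Service selector.
        # If a Pod matches a Service with ignored labels, but does not match it fully, it gets an Ignored inbound.
        # It is useful when you change the Service selector and expect traffic to be sent immediately.
        # An example of this is ArgoCD's BlueGreen deployment and the "rollouts-pod-template-hash" selector.
        ignoredServiceSelectorLabels: []  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_IGNORED_SERVICE_SELECTOR_LABELS
        # nodeLabelsToCopy defines a list of node labels that should be copied to the Pod.
        nodeLabelsToCopy:  # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_NODE_LABELS_TO_COPY
          - "topology.kubernetes.io/zone"
          - "topology.kubernetes.io/region"
          - "kubernetes.io/hostname"
      # Expiration time of the marshaling cache (not described upstream — confirm semantics before tuning).
      marshalingCacheExpirationTime: 5m  # ENV: KUMA_RUNTIME_KUBERNETES_MARSHALING_CACHE_EXPIRATION_TIME
      # Kubernetes resources reconciliation concurrency configuration
      controllersConcurrency:
        # PodController defines maximum concurrent reconciliations of Pod resources.
        # Default value 10. If set to 0 the kube controller-runtime default value of 1 will be used.
        podController: 10  # ENV: KUMA_RUNTIME_KUBERNETES_CONTROLLERS_CONCURRENCY_POD_CONTROLLER
      # Kubernetes client configuration
      clientConfig:
        # Qps defines maximum requests the kubernetes client is allowed to make per second.
        # Default value 100. If set to 0 the kube-client default value of 5 will be used.
        qps: 100  # ENV: KUMA_RUNTIME_KUBERNETES_CLIENT_CONFIG_QPS
        # BurstQps defines maximum burst requests the kubernetes client is allowed to make per second.
        # Default value 100. If set to 0 the kube-client default value of 10 will be used.
        burstQps: 100  # ENV: KUMA_RUNTIME_KUBERNETES_CLIENT_CONFIG_BURST_QPS
      # Leader election configuration
      leaderElection:
        # LeaseDuration is the duration that non-leader candidates will
        # wait to force acquire leadership. This is measured against time of
        # last observed ack. Default is 15 seconds.
        leaseDuration: 15s  # ENV: KUMA_RUNTIME_KUBERNETES_LEADER_ELECTION_LEASE_DURATION
        # RenewDeadline is the duration that the acting controlplane will retry
        # refreshing leadership before giving up. Default is 10 seconds.
        renewDeadline: 10s  # ENV: KUMA_RUNTIME_KUBERNETES_LEADER_ELECTION_RENEW_DEADLINE
      # SkipMeshOwnerReference is a flag that allows skipping the addition of the Mesh owner reference to resources.
      # If this is set to true, deleting a Mesh will not delete resources that belong to that Mesh.
      # This can be useful when resources are managed in Argo CD where creation/deletion is managed there.
      skipMeshOwnerReference: false  # ENV: KUMA_RUNTIME_KUBERNETES_SKIP_MESH_OWNER_REFERENCE
      # If true, then the control plane can support TLS secrets for the builtin gateway outside of the
      # mesh system namespace. The downside is that the control plane then requires permission to read
      # Secrets in all namespaces, which widens the blast radius of a compromised control plane.
      supportGatewaySecretsInAllNamespaces: false  # ENV: KUMA_RUNTIME_KUBERNETES_SUPPORT_GATEWAY_SECRETS_IN_ALL_NAMESPACES
    # Universal-specific configuration
    universal:
      # DataplaneCleanupAge defines how long a Dataplane should be offline to be cleaned up by GC
      dataplaneCleanupAge: 72h0m0s  # ENV: KUMA_RUNTIME_UNIVERSAL_DATAPLANE_CLEANUP_AGE
      # VIPRefreshInterval defines how often all meshes' VIPs should be recomputed
      vipRefreshInterval: 500ms  # ENV: KUMA_RUNTIME_UNIVERSAL_VIP_REFRESH_INTERVAL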
  # Configuration of the default Kuma entities created on startup
  defaults:
    # When true, the default Mesh is not created
    skipMeshCreation: false  # ENV: KUMA_DEFAULTS_SKIP_MESH_CREATION
    # When true, the default tenant resources are not created
    skipTenantResources: false  # ENV: KUMA_DEFAULTS_SKIP_TENANT_RESOURCES
    # When true, the default routing resources (TrafficPermission and TrafficRoute) are created for a new Mesh
    createMeshRoutingResources: false  # ENV: KUMA_DEFAULTS_CREATE_MESH_ROUTING_RESOURCES
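  # Metrics configuration
  metrics:
    # Dataplane insights configuration
    dataplane:
      # How many latest subscriptions will be stored in the DataplaneInsight object; if equal to 0 then unlimited
      subscriptionLimit: 2  # ENV: KUMA_METRICS_DATAPLANE_SUBSCRIPTION_LIMIT
      # How long a data plane proxy can stay Online without an active xDS connection
      idleTimeout: 5m  # ENV: KUMA_METRICS_DATAPLANE_IDLE_TIMEOUT
    # Zone insights configuration
    zone:
      # How many latest subscriptions will be stored in the ZoneInsights object; if equal to 0 then unlimited
      subscriptionLimit: 10  # ENV: KUMA_METRICS_ZONE_SUBSCRIPTION_LIMIT
      # How long a zone can stay Online without an active KDS connection
      idleTimeout: 5m  # ENV: KUMA_METRICS_ZONE_IDLE_TIMEOUT
      # Compact finished metrics (do not store config and details of the KDS exchange).
      compactFinishedSubscriptions: false  # ENV: KUMA_METRICS_ZONE_COMPACT_FINISHED_SUBSCRIPTIONS
    # Mesh insights configuration
    mesh:
      # Minimum time between 2 refreshes of insights
      minResyncInterval: 1s  # ENV: KUMA_METRICS_MESH_MIN_RESYNC_INTERVAL
      # Time between triggering a full refresh of all the insights
      fullResyncInterval: 20s  # ENV: KUMA_METRICS_MESH_FULL_RESYNC_INTERVAL
      # The size of the buffer between event creation and processing
      bufferSize: 1000  # ENV: KUMA_METRICS_MESH_BUFFER_SIZE
      # The number of workers that process metrics events
      eventProcessors: 1  # ENV: KUMA_METRICS_MESH_EVENT_PROCESSORS
    # Control plane metrics configuration
    controlPlane:
      # If true, the number of resources in the system is reported as a metric
      reportResourcesCount: true  # ENV: KUMA_METRICS_CONTROL_PLANE_REPORT_RESOURCES_COUNT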
  # Usage reporting configuration
  reports:
    # When true, usage stats are reported
    enabled: false  # ENV: KUMA_REPORTS_ENABLED
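  # General configuration
  general:
    # dnsCacheTTL represents the duration for how long Kuma CP will cache the result of resolving a
    # dataplane's domain name
    dnsCacheTTL: 10s  # ENV: KUMA_GENERAL_DNS_CACHE_TTL
    # TlsCertFile defines a path to a file with the PEM-encoded TLS cert that will be used across all the Kuma Servers.
    tlsCertFile: ""  # ENV: KUMA_GENERAL_TLS_CERT_FILE
    # TlsKeyFile defines a path to a file with the PEM-encoded TLS key that will be used across all the Kuma Servers.
    tlsKeyFile: ""  # ENV: KUMA_GENERAL_TLS_KEY_FILE
    # TlsMinVersion is the minimum version of TLS used across all the Kuma Servers.
    tlsMinVersion: "TLSv1_2"  # ENV: KUMA_GENERAL_TLS_MIN_VERSION
    # TlsMaxVersion is the maximum version of TLS used across all the Kuma Servers (empty: no upper bound set here).
    tlsMaxVersion: ""  # ENV: KUMA_GENERAL_TLS_MAX_VERSION
    # TlsCipherSuites is the list of cipher suites to be used across all the Kuma Servers (empty: library defaults).
    tlsCipherSuites: []  # ENV: KUMA_GENERAL_TLS_CIPHER_SUITES
    # WorkDir defines a path to the working directory.
    # Kuma stores in this directory autogenerated entities like certificates, so it should not be
    # world-readable.
    # If empty then the working directory is $HOME/.kuma
    workDir: ""  # ENV: KUMA_GENERAL_WORK_DIR
    # ResilientComponentBaseBackoff configures the base backoff for restarting resilient components:
    # KDS sync, Insight resync, PostgresEventListener, etc.
    resilientComponentBaseBackoff: 5s  # ENV: KUMA_GENERAL_RESILIENT_COMPONENT_BASE_BACKOFF
    # ResilientComponentMaxBackoff configures the max backoff for restarting resilient components:
    # KDS sync, Insight resync, PostgresEventListener, etc.
    resilientComponentMaxBackoff: 1m  # ENV: KUMA_GENERAL_RESILIENT_COMPONENT_MAX_BACKOFF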
  467. # DNS Server configuration
  468. dnsServer:
  469. # The domain that the server will resolve the services for
  470. domain: "mesh" # ENV: KUMA_DNS_SERVER_DOMAIN
  471. # The CIDR range used to allocate
  472. CIDR: "240.0.0.0/4" # ENV: KUMA_DNS_SERVER_CIDR
  473. # Will create a service "<kuma.io/service>.mesh" dns entry for every service.
  474. serviceVipEnabled: true # ENV: KUMA_DNS_SERVER_SERVICE_VIP_ENABLED
  475. # The port to use along with the `<kuma.io/service>.mesh` dns entry
  476. serviceVipPort: 80 # ENV: KUMA_DNS_SERVICE_SERVICE_VIP_PORT
  477. # Multizone mode
  478. multizone:
  479. global:
  480. kds:
  481. # Port of a gRPC server that serves Kuma Discovery Service (KDS).
  482. grpcPort: 5685 # ENV: KUMA_MULTIZONE_GLOBAL_KDS_GRPC_PORT
  483. # Interval for refreshing state of the world
  484. refreshInterval: 1s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_REFRESH_INTERVAL
  485. # Interval for flushing Zone Insights (stats of multi-zone communication)
  486. zoneInsightFlushInterval: 10s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_ZONE_INSIGHT_FLUSH_INTERVAL
  487. # TlsEnabled turns on TLS for KDS
  488. tlsEnabled: true # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_ENABLED
  489. # TlsCertFile defines a path to a file with PEM-encoded TLS cert.
  490. tlsCertFile: # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_CERT_FILE
  491. # TlsKeyFile defines a path to a file with PEM-encoded TLS key.
  492. tlsKeyFile: # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_KEY_FILE
  493. # TlsMinVersion the minimum version of TLS
  494. tlsMinVersion: "TLSv1_2" # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_MIN_VERSION
  495. # TlsMaxVersion the maximum version of TLS
  496. tlsMaxVersion: # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_MAX_VERSION
  497. # TlsCipherSuites the list of cipher suites
  498. tlsCipherSuites: [] # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_CIPHER_SUITES
  499. # MaxMsgSize defines a maximum size of the message in bytes that is exchanged using KDS.
  500. # In practice this means a limit on full list of one resource type.
  501. maxMsgSize: 10485760 # ENV: KUMA_MULTIZONE_GLOBAL_KDS_MAX_MSG_SIZE
  502. # MsgSendTimeout defines a timeout on sending a single KDS message.
  503. # KDS stream between control planes is terminated if the control plane hits this timeout.
  504. msgSendTimeout: 60s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_MSG_SEND_TIMEOUT
  505. # Backoff that is executed when the global control plane is sending the response that was previously rejected by zone control plane
  506. nackBackoff: 5s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_NACK_BACKOFF
  507. # DisableSOTW if true doesn't expose SOTW version of KDS. Default: false
  508. disableSOTW: false # ENV: KUMA_MULTIZONE_GLOBAL_KDS_DISABLE_SOTW
  509. # Response backoff is a time Global CP waits before sending ACK/NACK.
  510. # This is a way to slow down Zone CP from sending resources too often.
  511. responseBackoff: 0s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_RESPONSE_BACKOFF
  512. zone:
  513. # Kuma Zone name used to mark the zone dataplane resources
  514. name: "default" # ENV: KUMA_MULTIZONE_ZONE_NAME
  515. # GlobalAddress URL of Global Kuma CP
  516. globalAddress: # ENV KUMA_MULTIZONE_ZONE_GLOBAL_ADDRESS
  517. kds:
  518. # Interval for refreshing state of the world
  519. refreshInterval: 1s # ENV: KUMA_MULTIZONE_ZONE_KDS_REFRESH_INTERVAL
  520. # RootCAFile defines a path to a file with PEM-encoded Root CA. Client will verify server by using it.
  521. rootCaFile: # ENV: KUMA_MULTIZONE_ZONE_KDS_ROOT_CA_FILE
  522. # If true, TLS connection to the server won't be verified.
  523. tlsSkipVerify: false # ENV: KUMA_MULTIZONE_ZONE_KDS_TLS_SKIP_VERIFY
  524. # MaxMsgSize defines a maximum size of the message in bytes that is exchanged using KDS.
  525. # In practice this means a limit on full list of one resource type.
  526. maxMsgSize: 10485760 # ENV: KUMA_MULTIZONE_ZONE_KDS_MAX_MSG_SIZE
  527. # MsgSendTimeout defines a timeout on sending a single KDS message.
  528. # KDS stream between control planes is terminated if the control plane hits this timeout.
  529. msgSendTimeout: 60s # ENV: KUMA_MULTIZONE_ZONE_KDS_MSG_SEND_TIMEOUT
  530. # Backoff that is executed when the zone control plane is sending the response that was previously rejected by global control plane
  531. nackBackoff: 5s # ENV: KUMA_MULTIZONE_ZONE_KDS_NACK_BACKOFF
  532. # Response backoff is a time Zone CP waits before sending ACK/NACK.
  533. # This is a way to slow down Global CP from sending resources too often.
  534. responseBackoff: 0s # ENV: KUMA_MULTIZONE_ZONE_KDS_RESPONSE_BACKOFF
  535. # disableOriginLabelValidation disables validation of the origin label when applying resources on Zone CP
  536. disableOriginLabelValidation: false # ENV: KUMA_MULTIZONE_ZONE_DISABLE_ORIGIN_LABEL_VALIDATION
  537. # IngressUpdateInterval is the interval between the CP updating the list of
  538. # available services on ZoneIngress.
  539. ingressUpdateInterval: 1s # ENV: KUMA_MULTIZONE_ZONE_INGRESS_UPDATE_INTERVAL
  540. # Diagnostics configuration
  541. diagnostics:
  542. # Port of Diagnostic Server for checking health and readiness of the Control Plane
  543. serverPort: 5680 # ENV: KUMA_DIAGNOSTICS_SERVER_PORT
  544. # If true, enables https://golang.org/pkg/net/http/pprof/ debug endpoints
  545. debugEndpoints: false # ENV: KUMA_DIAGNOSTICS_DEBUG_ENDPOINTS
  546. # Whether tls is enabled or not
  547. tlsEnabled: false # ENV: KUMA_DIAGNOSTICS_TLS_ENABLED
  548. # TlsCertFile defines a path to a file with PEM-encoded TLS cert. If empty, autoconfigured from general.tlsCertFile
  549. tlsCertFile: # ENV: KUMA_DIAGNOSTICS_TLS_CERT_FILE
  550. # TlsKeyFile defines a path to a file with PEM-encoded TLS key. If empty, autoconfigured from general.tlsKeyFile
  551. tlsKeyFile: # ENV: KUMA_DIAGNOSTICS_TLS_KEY_FILE
  552. # TlsMinVersion the minimum version of TLS
  553. tlsMinVersion: "TLSv1_2" # ENV: KUMA_DIAGNOSTICS_TLS_MIN_VERSION
  554. # TlsMaxVersion the maximum version of TLS
  555. tlsMaxVersion: # ENV: KUMA_DIAGNOSTICS_TLS_MAX_VERSION
  556. # TlsCipherSuites the list of cipher suites
  557. tlsCipherSuites: [] # ENV: KUMA_DIAGNOSTICS_TLS_CIPHER_SUITES
  558. # Dataplane Server configuration that servers API like Bootstrap/XDS for the Dataplane.
  559. dpServer:
  560. # Port of the DP Server
  561. port: 5678 # ENV: KUMA_DP_SERVER_PORT
  562. # TlsCertFile defines a path to a file with PEM-encoded TLS cert. If empty, autoconfigured from general.tlsCertFile
  563. tlsCertFile: # ENV: KUMA_DP_SERVER_TLS_CERT_FILE
  564. # TlsKeyFile defines a path to a file with PEM-encoded TLS key. If empty, autoconfigured from general.tlsKeyFile
  565. tlsKeyFile: # ENV: KUMA_DP_SERVER_TLS_KEY_FILE
  566. # TlsMinVersion the minimum version of TLS
  567. tlsMinVersion: "TLSv1_2" # ENV: KUMA_DP_SERVER_TLS_MIN_VERSION
  568. # TlsMaxVersion the maximum version of TLS
  569. tlsMaxVersion: # ENV: KUMA_DP_SERVER_TLS_MAX_VERSION
  570. # TlsCipherSuites the list of cipher suites
  571. tlsCipherSuites: [] # ENV: KUMA_DP_SERVER_TLS_CIPHER_SUITES
  572. # ReadHeaderTimeout defines the amount of time DP server will be allowed
  573. # to read request headers. The connection's read deadline is reset
  574. # after reading the headers and the Handler can decide what is considered
  575. # too slow for the body. If ReadHeaderTimeout is zero there is no timeout.
  576. # The timeout is configurable as in rare cases, when Kuma CP was restarting,
  577. # 1s which is explicitly set in other servers was insufficient and DPs
  578. # were failing to reconnect (we observed this in Projected Service Account
  579. # Tokens e2e tests, which started flaking a lot after introducing explicit
  580. # 1s timeout)
  581. readHeaderTimeout: 5s # ENV: KUMA_DP_SERVER_READ_HEADER_TIMEOUT
  582. # Authn defines an authentication configuration for the DP Server
  583. authn:
  584. # Configuration for data plane proxy authentication.
  585. dpProxy:
  586. # Type of authentication. Available values: "serviceAccountToken", "dpToken", "none".
  587. # If empty, autoconfigured based on the environment - "serviceAccountToken" on Kubernetes, "dpToken" on Universal.
  588. type: ""
  589. # Configuration of dpToken authentication method
  590. dpToken:
  591. # If true the control plane token issuer is enabled. It's recommended to set it to false when all the tokens are issued offline.
  592. enableIssuer: true
  593. # DP Token validator configuration.
  594. validator:
  595. # If true then Kuma secrets with prefix "dataplane-token-signing-key-{mesh}" are considered as signing keys.
  596. useSecrets: true
  597. # List of public keys used to validate the token. Example:
  598. # - kid: 1
  599. # mesh: default
  600. # key: |
  601. # -----BEGIN RSA PUBLIC KEY-----
  602. # MIIBCgKCAQEAq....
  603. # -----END RSA PUBLIC KEY-----
  604. # - kid: 2
  605. # mesh: demo
  606. # keyFile: /keys/public.pem
  607. publicKeys: []
  608. # Configuration for zone proxy authentication.
  609. zoneProxy:
  610. # Type of authentication. Available values: "serviceAccountToken", "zoneToken", "none".
  611. # If empty, autoconfigured based on the environment - "serviceAccountToken" on Kubernetes, "zoneToken" on Universal.
  612. type: ""
  613. # Configuration for zoneToken authentication method.
  614. zoneToken:
  615. # If true the control plane token issuer is enabled. It's recommended to set it to false when all the tokens are issued offline.
  616. enableIssuer: true
  617. # Zone Token validator configuration.
  618. validator:
  619. # If true then Kuma secrets with prefix "zone-token-signing-key" are considered as signing keys.
  620. useSecrets: true
  621. # List of public keys used to validate the token. Example:
  622. # - kid: 1
  623. # key: |
  624. # -----BEGIN RSA PUBLIC KEY-----
  625. # MIIBCgKCAQEAq....
  626. # -----END RSA PUBLIC KEY-----
  627. # - kid: 2
  628. # keyFile: /keys/public.pem
  629. publicKeys: []
  630. # If true then Envoy uses Google gRPC instead of Envoy gRPC which lets a proxy reload the auth data (service account token, dp token etc.) stored in the file without proxy restart.
  631. enableReloadableTokens: false # ENV: KUMA_DP_SERVER_AUTHN_ENABLE_RELOADABLE_TOKENS
  632. # Hds defines a Health Discovery Service configuration
  633. hds:
  634. # Enabled if true then Envoy will actively check application's ports, but only on Universal.
  635. # On Kubernetes this feature disabled for now regardless the flag value
  636. enabled: true # ENV: KUMA_DP_SERVER_HDS_ENABLED
  637. # Interval for Envoy to send statuses for HealthChecks
  638. interval: 5s # ENV: KUMA_DP_SERVER_HDS_INTERVAL
  639. # RefreshInterval is an interval for re-genarting configuration for Dataplanes connected to the Control Plane
  640. refreshInterval: 10s # ENV: KUMA_DP_SERVER_HDS_REFRESH_INTERVAL
  641. # Check defines a HealthCheck configuration
  642. checkDefaults:
  643. # Timeout is a time to wait for a health check response. If the timeout is reached the
  644. # health check attempt will be considered a failure
  645. timeout: 2s # ENV: KUMA_DP_SERVER_HDS_CHECK_TIMEOUT
  646. # Interval between health checks
  647. interval: 1s # ENV: KUMA_DP_SERVER_HDS_CHECK_INTERVAL
  648. # NoTrafficInterval is a special health check interval that is used when a cluster has
  649. # never had traffic routed to it
  650. noTrafficInterval: 1s # ENV: KUMA_DP_SERVER_HDS_CHECK_NO_TRAFFIC_INTERVAL
  651. # HealthyThreshold is a number of healthy health checks required before a host is marked healthy
  652. healthyThreshold: 1 # ENV: KUMA_DP_SERVER_HDS_CHECK_HEALTHY_THRESHOLD
  653. # UnhealthyThreshold is a number of unhealthy health checks required before a host is marked unhealthy
  654. unhealthyThreshold: 1 # ENV: KUMA_DP_SERVER_HDS_CHECK_UNHEALTHY_THRESHOLD
  655. # Intercommunication CP configuration
  656. interCp:
  657. # Catalog configuration. Catalog keeps a record of all live CP instances in the zone.
  658. catalog:
  659. # Indicates an address on which other control planes can communicate with this CP.
  660. # If empty then it's autoconfigured by taking the first IP of the nonloopback network interface.
  661. instanceAddress: "" # ENV: KUMA_INTER_CP_CATALOG_INSTANCE_ADDRESS
  662. # Interval on which CP will send heartbeat to a leader.
  663. heartbeatInterval: 5s # ENV: KUMA_INTER_CP_CATALOG_HEARTBEAT_INTERVAL
  664. # Interval on which CP will write all instances to a catalog.
  665. writerInterval: 15s # ENV: KUMA_INTER_CP_CATALOG_WRITER_INTERVAL
  666. # Intercommunication CP server configuration
  667. server:
  668. # Port of the inter-cp server
  669. port: 5683 # ENV: KUMA_INTER_CP_SERVER_PORT
  670. # TlsMinVersion the minimum version of TLS
  671. tlsMinVersion: "TLSv1_2" # ENV: KUMA_INTER_CP_SERVER_TLS_MIN_VERSION
  672. # TlsMaxVersion the maximum version of TLS
  673. tlsMaxVersion: # ENV: KUMA_INTER_CP_SERVER_TLS_MAX_VERSION
  674. # TlsCipherSuites the list of cipher suites
  675. tlsCipherSuites: [] # ENV: KUMA_INTER_CP_SERVER_TLS_CIPHER_SUITES
  676. # Access Control configuration
  677. access:
  678. # Type of access strategy (available values: "static")
  679. type: static
  680. # Configuration of static access strategy
  681. static:
  682. # AdminResources defines an access to admin resources (Secret/GlobalSecret)
  683. adminResources:
  684. # List of users that are allowed to access admin resources
  685. users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_ADMIN_RESOURCES_USERS
  686. # List of groups that are allowed to access admin resources
  687. groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_ADMIN_RESOURCES_GROUPS
  688. # GenerateDPToken defines an access to generating dataplane token
  689. generateDpToken:
  690. # List of users that are allowed to generate dataplane token
  691. users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_DP_TOKEN_USERS
  692. # List of groups that are allowed to generate dataplane token
  693. groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_DP_TOKEN_GROUPS
  694. # GenerateUserToken defines an access to generating user token
  695. generateUserToken:
  696. # List of users that are allowed to generate user token
  697. users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_USER_TOKEN_USERS
  698. # List of groups that are allowed to generate user token
  699. groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_USER_TOKEN_GROUPS
  700. # GenerateZoneToken defines an access to generating zone token
  701. generateZoneToken:
  702. # List of users that are allowed to generate zone token
  703. users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_ZONE_TOKEN_USERS
  704. # List of groups that are allowed to generate zone token
  705. groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_ZONE_TOKEN_GROUPS
  706. viewConfigDump:
  707. # List of users that are allowed to get envoy config dump
  708. users: [] # ENV: KUMA_ACCESS_STATIC_GET_CONFIG_DUMP_USERS
  709. # List of groups that are allowed to get envoy config dump
  710. groups: ["mesh-system:unauthenticated", "mesh-system:authenticated"] # ENV: KUMA_ACCESS_STATIC_GET_CONFIG_DUMP_GROUPS
  711. viewStats:
  712. # List of users that are allowed to get envoy stats
  713. users: [] # ENV: KUMA_ACCESS_STATIC_VIEW_STATS_USERS
  714. # List of groups that are allowed to get envoy stats
  715. groups: ["mesh-system:unauthenticated", "mesh-system:authenticated"] # ENV: KUMA_ACCESS_STATIC_VIEW_STATS_GROUPS
  716. viewClusters:
  717. # List of users that are allowed to get envoy clusters
  718. users: [] # ENV: KUMA_ACCESS_STATIC_VIEW_CLUSTERS_USERS
  719. # List of groups that are allowed to get envoy clusters
  720. groups: ["mesh-system:unauthenticated", "mesh-system:authenticated"] # ENV: KUMA_ACCESS_STATIC_VIEW_CLUSTERS_GROUPS
  721. controlPlaneMetadata:
  722. # List of users that are allowed to get control plane metadata
  723. users: [] # ENV: KUMA_ACCESS_STATIC_CONTROL_PLANE_METADATA_USERS
  724. # List of groups that are allowed to get control plane metadata
  725. groups: ["mesh-system:unauthenticated", "mesh-system:authenticated"] # ENV: KUMA_ACCESS_STATIC_CONTROL_PLANE_METADATA_GROUPS
  726. # Configuration of experimental features of Kuma
  727. experimental:
  728. # If true, instead of embedding kubernetes outbounds into Dataplane object, they are persisted next to VIPs in ConfigMap
  729. # This can improve performance, but it should be enabled only after all instances are migrated to version that supports this config
  730. kubeOutboundsAsVIPs: true # ENV: KUMA_EXPERIMENTAL_KUBE_OUTBOUNDS_AS_VIPS
  731. # Tag first virtual outbound model is compressed version of default Virtual Outbound model
  732. # It is recommended to use tag first model for deployments with more than 2k services
  733. # You can enable this flag on existing deployment. In order to downgrade cp with this flag enabled
  734. # you need to first disable this flag and redeploy cp, after config is rewritten to default
  735. # format you can downgrade your cp
  736. useTagFirstVirtualOutboundModel: false # ENV: KUMA_EXPERIMENTAL_USE_TAG_FIRST_VIRTUAL_OUTBOUND_MODEL
  737. # If true, KDS will sync using incremental xDS updates
  738. kdsDeltaEnabled: true # ENV: KUMA_EXPERIMENTAL_KDS_DELTA_ENABLED
  739. # List of prefixes that will be used to filter out tags by keys from ingress' available services section.
  740. # This can trim the size of the ZoneIngress object significantly.
  741. # The drawback is that you cannot use filtered out tags for traffic routing.
  742. # If empty, no filter is applied.
  743. ingressTagFilters: [] # ENV: KUMA_EXPERIMENTAL_INGRESS_TAG_FILTERS
  744. # KDS event based watchdog settings. It is a more optimal way to generate KDS snapshot config.
  745. kdsEventBasedWatchdog:
  746. # If true, then experimental event based watchdog to generate KDS snapshot is used.
  747. enabled: false # ENV: KUMA_EXPERIMENTAL_KDS_EVENT_BASED_WATCHDOG_ENABLED
  748. # How often we flush changes when experimental event based watchdog is used.
  749. flushInterval: 5s # ENV: KUMA_EXPERIMENTAL_KDS_EVENT_BASED_WATCHDOG_FLUSH_INTERVAL
  750. # How often we schedule full KDS resync when experimental event based watchdog is used.
  751. fullResyncInterval: 60s # ENV: KUMA_EXPERIMENTAL_KDS_EVENT_BASED_WATCHDOG_FULL_RESYNC_INTERVAL
  752. # If true, then initial full resync is going to be delayed by 0 to FullResyncInterval.
  753. delayFullResync: false # ENV: KUMA_EXPERIMENTAL_KDS_EVENT_BASED_WATCHDOG_DELAY_FULL_RESYNC
  754. # If true then control plane computes reachable services automatically based on MeshTrafficPermission.
  755. # Lack of MeshTrafficPermission is treated as Deny the traffic.
  756. autoReachableServices: false # ENV: KUMA_EXPERIMENTAL_AUTO_REACHABLE_SERVICES
  757. # Enables sidecar containers in Kubernetes if supported by the Kubernetes
  758. # environment.
  759. sidecarContainers: false # ENV: KUMA_EXPERIMENTAL_SIDECAR_CONTAINERS
  760. # If true then it generates MeshServices from Kubernetes Service.
  761. generateMeshServices: false # ENV: KUMA_EXPERIMENTAL_GENERATE_MESH_SERVICES
  762. # If true skips persisted VIPs. Change to true only if generateMeshServices is enabled.
  763. # Do not enable on production.
  764. skipPersistedVIPs: false # ENV: KUMA_EXPERIMENTAL_SKIP_PERSISTED_VIPS
  765. proxy:
  766. gateway:
  767. # Sets the envoy runtime value to limit maximum number of incoming
  768. # connections to a builtin gateway data plane proxy
  769. globalDownstreamMaxConnections: 50000 # ENV: KUMA_PROXY_GATEWAY_GLOBAL_DOWNSTREAM_MAX_CONNECTIONS
  770. tracing:
  771. openTelemetry:
  772. endpoint: "" # e.g. otel-collector:4317
  773. # Configuration of the event bus which is local to one instance of CP
  774. eventBus:
  775. # BufferSize controls the buffer for every single event listener.
  776. # If we go over buffer, additional delay may happen to various operation like insight recomputation or KDS.
  777. bufferSize: 100 # ENV: KUMA_EVENT_BUS_BUFFER_SIZE
  778. policies:
  779. # PluginPoliciesEnabled controls which policy plugins are enabled
  780. pluginPoliciesEnabled: # ENV: KUMA_PLUGIN_POLICIES_ENABLED
  781. - meshaccesslogs
  782. - meshcircuitbreakers
  783. - meshfaultinjections
  784. - meshhealthchecks
  785. - meshhttproutes
  786. - meshloadbalancingstrategies
  787. - meshmetrics
  788. - meshpassthroughs
  789. - meshproxypatches
  790. - meshratelimits
  791. - meshretries
  792. - meshtcproutes
  793. - meshtimeouts
  794. - meshtraces
  795. - meshtrafficpermissions
  796. coreResources:
  797. enabled: # ENV: KUMA_CORE_RESOURCES_ENABLED
  798. - hostnamegenerators
  799. - meshexternalservices
  800. - meshservices
  801. # IP address management configuration
  802. ipam:
  803. # MeshService address management
  804. meshService:
  805. # CIDR for MeshService IPs
  806. cidr: 241.0.0.0/8 # ENV: KUMA_IPAM_MESH_SERVICE_CIDR
  807. meshExternalService:
  808. # CIDR for MeshExternalService IPs
  809. cidr: 242.0.0.0/8 # ENV: KUMA_IPAM_MESH_EXTERNAL_SERVICE_CIDR
  810. # Interval on which Kuma will allocate new IPs for MeshServices and MeshExternalServices
  811. allocationInterval: 5s # ENV: KUMA_IPAM_ALLOCATION_INTERVAL

Helm values.yaml

  1. global:
  2. image:
  3. # -- Default registry for all Kuma Images
  4. registry: "docker.io/kumahq"
  5. # -- The default tag for all Kuma images, which itself defaults to .Chart.AppVersion
  6. tag:
  7. # -- Add `imagePullSecrets` to all the service accounts used for Kuma components
  8. imagePullSecrets: []
  9. # -- Whether to patch the target namespace with the system label
  10. patchSystemNamespace: true
  11. installCrdsOnUpgrade:
  12. # -- Whether install new CRDs before upgrade (if any were introduced with the new version of Kuma)
  13. enabled: true
  14. # -- The `imagePullSecrets` to attach to the Service Account running CRD installation.
  15. # This field will be deprecated in a future release, please use .global.imagePullSecrets
  16. imagePullSecrets: []
  17. # -- Whether to disable all helm hooks
  18. noHelmHooks: false
  19. # -- Whether to restart control-plane by calculating a new checksum for the secret
  20. restartOnSecretChange: true
  21. controlPlane:
  # -- Environment the control plane runs in; useful when running a universal global control plane on k8s
  environment: "kubernetes"
  # -- Labels added to resources on top of the default labels
  extraLabels: {}
  # -- Kuma CP log level: one of off,info,debug
  logLevel: "info"
  # -- Kuma CP log output path. Defaults to /dev/stdout
  logOutputPath: ""
  # -- Kuma CP mode: one of zone,global
  mode: "zone"
  # -- (string) Kuma CP zone, when running multizone
  zone:
  # -- Used only in `zone` mode
  kdsGlobalAddress: ""
  # -- Number of Kuma CP replicas. Ignored when autoscaling is enabled
  replicas: 1
  # -- Minimum number of seconds a newly created pod must be ready before it counts as available.
  minReadySeconds: 0
  # -- Annotations applied only to the `Deployment` resource
  deploymentAnnotations: {}
  # -- Annotations applied only to the `Pod` resource
  podAnnotations: {}
  # Horizontal Pod Autoscaling
  autoscaling:
    # -- Whether to enable Horizontal Pod Autoscaling; requires the [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) in the cluster
    enabled: false
    # -- Minimum number of CP pods
    minReplicas: 2
    # -- Maximum number of CP pods to scale to
    maxReplicas: 5
    # -- Used on clusters without autoscaling/v2, where autoscaling/v1 applies
    targetCPUUtilizationPercentage: 80
    # -- Metrics used on clusters that support autoscaling/v2
    metrics:
      - type: Resource
        resource:
          name: cpu
          target:
            type: Utilization
            averageUtilization: 80
  # -- Node selector for the Kuma Control Plane pods
  nodeSelector:
    kubernetes.io/os: linux
  # -- Tolerations for the Kuma Control Plane pods
  tolerations: []
  podDisruptionBudget:
    # -- Whether to create a pod disruption budget
    enabled: false
    # -- Maximum number of unavailable pods the budget allows
    maxUnavailable: 1
  # -- Affinity placement rule for the Kuma Control Plane pods.
  # Rendered as a template, so other helm variables or includes can be referenced.
  affinity:
    podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        - weight: 100
          podAffinityTerm:
            labelSelector:
              # Same labels as the deployment's selector.
              matchExpressions:
                - key: app.kubernetes.io/name
                  operator: In
                  values:
                    - '{{ include "kuma.name" . }}'
                - key: app.kubernetes.io/instance
                  operator: In
                  values:
                    - '{{ .Release.Name }}'
                - key: app
                  operator: In
                  values:
                    - '{{ include "kuma.name" . }}-control-plane'
            topologyKey: kubernetes.io/hostname
  # -- Topology spread constraints for the Kuma Control Plane pods.
  # Rendered as a template, so variables can be used to generate match labels.
  topologySpreadConstraints:
  # -- Failure policy of the mutating webhook implemented by the Kuma Injector component
  injectorFailurePolicy: Fail
  service:
    apiServer:
      http:
        # -- Node port of the HTTP API server Service, for a Service of type NodePort
        nodePort: 30681
      https:
        # -- Node port of the HTTPS API server Service, for a Service of type NodePort
        nodePort: 30682
    # -- Whether to create the Service resource.
    enabled: true
    # -- (string) Optional override of the Kuma Control Plane Service's name
    name:
    # -- Service type of the Kuma Control Plane
    type: ClusterIP
    # -- Annotations put on the Kuma Control Plane Service
    annotations:
      prometheus.io/scrape: "true"
      prometheus.io/port: "5680"
  # Ingress for the Kuma API and GUI. Useful when the API and GUI
  # must be reachable from outside the k8s cluster.
  ingress:
    # -- Install a K8s Ingress resource exposing the GUI and API
    enabled: false
    # -- IngressClass selecting the controller that implements the resource
    ingressClassName:
    # -- Ingress hostname
    hostname:
    # -- Map of ingress annotations.
    annotations: {}
    # -- Ingress path.
    path: /
    # -- Path type required for every Ingress path. (ImplementationSpecific/Exact/Prefix)
    pathType: ImplementationSpecific
    # -- kuma-cp port used to expose the API and GUI. Switch to 5682 to expose the TLS port
    servicePort: 5681
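  globalZoneSyncService:
    # -- Whether to create a k8s Service for the global zone sync
    # service. It is only created when enabled and the global
    # control plane is being deployed.
    enabled: true
    # -- Service type of the global-zone sync Service
    type: LoadBalancer
    # -- (string) Optional IP the cloud provider should use when configuring the load balancer
    loadBalancerIP:
    # -- Optional source ranges allowed to reach the load balancer
    loadBalancerSourceRanges: []
    # -- Additional annotations put on the Global Zone Sync Service
    annotations: {}
    # -- Node port of the Global Zone Sync Service, for a Service of type NodePort
    nodePort: 30685
    # -- Port on which the Global Zone Sync Service is exposed
    port: 5685
    # -- Protocol of the Global Zone Sync Service port
    protocol: grpc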
  defaults:
    # -- Whether to skip creating the default Mesh
    skipMeshCreation: false
  # -- Whether to automountServiceAccountToken for the CP. May be set to false
  automountServiceAccountToken: true
  # -- Optional override of the resource spec
  resources:
    requests:
      cpu: 500m
      memory: 256Mi
    limits:
      memory: 256Mi
  # -- Pod lifecycle settings (useful for a preStop hook when
  # using an AWS ALB or NLB)
  lifecycle: {}
  # -- Seconds to wait before force-killing the pod. Update this
  # if you add a preStop hook.
  terminationGracePeriodSeconds: 30
  # TLS settings for the various servers
  tls:
    general:
      # -- Secret holding tls.crt, tls.key [and ca.crt, when no
      # controlPlane.tls.general.caSecretName is given] that protects
      # Kuma in-cluster communication
      secretName: ""
      # -- Secret holding the ca.crt used to sign the certificate that protects
      # Kuma in-cluster communication (a ca.crt present in this secret takes
      # precedence over the one in controlPlane.tls.general.secretName)
      caSecretName: ""
      # -- Base64-encoded CA certificate (the same as controlPlane.tls.general.secret#ca.crt)
      caBundle: ""
    apiServer:
      # -- Secret holding tls.crt, tls.key that protects the Kuma API on HTTPS
      secretName: ""
      # -- Secret holding the list of .pem certificates allowed to reach the admin endpoints of the Kuma API on HTTPS
      clientCertsSecretName: ""
    # - when the global control plane is not being created, nothing is done
    # - secretName empty and create false: nothing is done
    # - secretName set and create false: the secret named secretName, made outside of helm, is used
    # - secretName empty and create true: a secret with a default name is created and used
    # - secretName set and create true: the secret is created with the given name
    kdsGlobalServer:
      # -- Name of the K8s TLS Secret resource. If you set this without
      # create=true, you have to create the secret manually.
      secretName: ""
      # -- Whether helm creates the TLS secret.
      create: false
      # -- TLS certificate offered by the server.
      cert: ""
      # -- TLS private key used by the server.
      key: ""
    # - when the zonal control plane is not being created, nothing is done
    # - secretName empty and create false: nothing is done
    # - secretName set and create false: the secret named secretName, made outside of helm, is used
    # - secretName empty and create true: a secret with a default name is created and used
    # - secretName set and create true: the secret is created with the given name
    kdsZoneClient:
      # -- Name of the K8s Secret resource holding the ca.crt that was used to
      # sign the certificate of the KDS Global Server. If you set this without
      # create=true, you have to create the secret manually.
      secretName: ""
      # -- Whether helm creates the TLS secret.
      create: false
      # -- CA bundle that was used to sign the certificate of the KDS Global Server.
      cert: ""
      # -- When true, the server's TLS certificate is not verified (no server authentication on the KDS connection).
      skipVerify: false
  221. # -- Annotations to add for Control Plane's Service Account
  222. serviceAccountAnnotations: { }
  223. image:
  224. # -- Kuma CP ImagePullPolicy
  225. pullPolicy: IfNotPresent
  226. # -- Kuma CP image repository
  227. repository: "kuma-cp"
  228. # -- Kuma CP Image tag. When not specified, the value is copied from global.tag
  229. tag:
  230. # -- (object with { Env: string, Secret: string, Key: string }) Secrets to add as environment variables,
  231. # where `Env` is the name of the env variable,
  232. # `Secret` is the name of the Secret,
  233. # and `Key` is the key of the Secret value to use
  234. secrets:
  235. # someSecret:
  236. # Secret: some-secret
  237. # Key: secret_key
  238. # Env: SOME_SECRET
  239. # -- Additional environment variables that will be passed to the control plane. Values here are rendered in plain text into the Deployment manifest; put credentials in `secrets` above instead.
  240. envVars: { }
  241. # -- Additional config maps to mount into the control plane, with optional inline values
  242. extraConfigMaps: [ ]
  243. # - name: extra-config
  244. # mountPath: /etc/extra-config
  245. # readOnly: true
  246. # values:
  247. # extra-config-key: |
  248. # extra-config-value
  249. # -- (object with { name: string, mountPath: string, readOnly: string }) Additional secrets to mount into the control plane,
  250. # where `name` is the name of the Secret,
  251. # `mountPath` is the path it is mounted at in the container,
  252. # and `readOnly` controls whether the mount is read-only (see the example below)
  253. extraSecrets:
  254. # extraConfig:
  255. # name: extra-config
  256. # mountPath: /etc/extra-config
  257. # readOnly: true
  258. webhooks:
  259. validator:
  260. # -- Additional rules to apply on Kuma validator webhook. Useful when building custom policy on top of Kuma.
  261. additionalRules: ""
  262. ownerReference:
  263. # -- Additional rules to apply on Kuma owner reference webhook. Useful when building custom policy on top of Kuma.
  264. additionalRules: ""
  265. # -- Specifies if the deployment should be started in hostNetwork mode. The pod then shares the node's network namespace, so pod NetworkPolicies no longer isolate it and its ports bind directly on the node; enable only where required (e.g. the CNI port-binding case described under admissionServerPort).
  266. hostNetwork: false
  267. # -- Define a new server port for the admission controller. Recommended to set in combination with
  268. # hostNetwork to prevent multiple port bindings on the same port (like Calico in AWS EKS).
  269. admissionServerPort: 5443
  270. # -- Security context at the pod level for control plane.
  271. podSecurityContext:
  272. runAsNonRoot: true
  273. # -- Security context at the container level for control plane.
  274. containerSecurityContext:
  275. readOnlyRootFilesystem: true
  276. # -- If true, then control plane can support TLS secrets for builtin gateway outside of mesh system namespace.
  277. # The downside is that control plane requires permission to read Secrets in all namespaces, i.e. cluster-wide Secret read access: a compromised control plane could then read every Secret in the cluster.
  278. supportGatewaySecretsInAllNamespaces: false
  279. cni:
  280. # -- Install Kuma with CNI instead of proxy init container
  281. enabled: false
  282. # -- Install CNI in chained mode
  283. chained: false
  284. # -- Set the CNI install directory
  285. netDir: /etc/cni/multus/net.d
  286. # -- Set the CNI bin directory
  287. binDir: /var/lib/cni/bin
  288. # -- Set the CNI configuration name
  289. confName: kuma-cni.conf
  290. # -- CNI log level: one of off,info,debug
  291. logLevel: info
  292. # -- Node Selector for the CNI pods
  293. nodeSelector:
  294. kubernetes.io/os: linux
  295. # -- Tolerations for the CNI pods
  296. tolerations: []
  297. # -- Additional pod annotations
  298. podAnnotations: { }
  299. # -- Set the CNI namespace
  300. namespace: kube-system
  301. image:
  302. # -- CNI image repository
  303. repository: "kuma-cni"
  304. # -- CNI image tag - defaults to .Chart.AppVersion
  305. tag:
  306. # -- CNI image pull policy
  307. imagePullPolicy: IfNotPresent
  308. # -- it's only useful in tests to trigger a possible race condition
  309. delayStartupSeconds: 0
  310. # -- use new CNI (experimental)
  311. experimental:
  312. imageEbpf:
  313. # -- CNI experimental eBPF image registry
  314. registry: "docker.io/kumahq"
  315. # -- CNI experimental eBPF image repository
  316. repository: "merbridge"
  317. # -- CNI experimental eBPF image tag
  318. tag: "0.8.5"
  319. resources:
  320. requests:
  321. cpu: 100m
  322. memory: 100Mi
  323. limits:
  324. memory: 100Mi
  325. # -- Security context at the pod level for cni
  326. podSecurityContext: {}
  327. # -- Security context at the container level for cni. Runs as root, presumably because the installer writes into the host's CNI directories (netDir/binDir above); confirm that requirement before changing these values.
  328. containerSecurityContext:
  329. readOnlyRootFilesystem: true
  330. runAsNonRoot: false
  331. runAsUser: 0
  332. runAsGroup: 0
  333. dataPlane:
  334. # -- If true, then turn on CoreDNS query logging
  335. dnsLogging: false
  336. image:
  337. # -- The Kuma DP image repository
  338. repository: "kuma-dp"
  339. # -- Kuma DP ImagePullPolicy
  340. pullPolicy: IfNotPresent
  341. # -- Kuma DP Image Tag. When not specified, the value is copied from global.tag
  342. tag:
  343. initImage:
  344. # -- The Kuma DP init image repository
  345. repository: "kuma-init"
  346. # -- Kuma DP init image tag When not specified, the value is copied from global.tag
  347. tag:
  348. ingress:
  349. # -- If true, it deploys Ingress for cross cluster communication
  350. enabled: false
  351. # -- Labels to add to resources, in addition to default labels
  352. extraLabels: {}
  353. # -- Time for which old listener will still be active as draining
  354. drainTime: 30s
  355. # -- Number of replicas of the Ingress. Ignored when autoscaling is enabled.
  356. replicas: 1
  357. # -- Log level for ingress (available values: off|info|debug)
  358. logLevel: info
  359. # -- Define the resources to allocate to mesh ingress
  360. resources:
  361. requests:
  362. cpu: 50m
  363. memory: 64Mi
  364. limits:
  365. cpu: 1000m
  366. memory: 512Mi
  367. # -- Pod lifecycle settings (useful for adding a preStop hook, when
  368. # using AWS ALB or NLB)
  369. lifecycle: {}
  370. # -- Number of seconds to wait before force killing the pod. Make sure to
  371. # update this if you add a preStop hook.
  372. terminationGracePeriodSeconds: 40
  373. # Horizontal Pod Autoscaling configuration
  374. autoscaling:
  375. # -- Whether to enable Horizontal Pod Autoscaling, which requires the [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) in the cluster
  376. enabled: false
  377. # -- The minimum number of Ingress pods to allow
  378. minReplicas: 2
  379. # -- The maximum number of Ingress pods to scale to
  380. maxReplicas: 5
  381. # -- For clusters that don't support autoscaling/v2, autoscaling/v1 is used
  382. targetCPUUtilizationPercentage: 80
  383. # -- For clusters that do support autoscaling/v2, use metrics
  384. metrics:
  385. - type: Resource
  386. resource:
  387. name: cpu
  388. target:
  389. type: Utilization
  390. averageUtilization: 80
  391. service:
  392. # -- Whether to create a Service resource.
  393. enabled: true
  394. # -- Service type of the Ingress
  395. type: LoadBalancer
  396. # -- (string) Optionally specify IP to be used by cloud provider when configuring load balancer
  397. loadBalancerIP:
  398. # -- Additional annotations to put on the Ingress service
  399. annotations: { }
  400. # -- Port on which Ingress is exposed
  401. port: 10001
  402. # -- Port on which service is exposed on Node for service of type NodePort
  403. nodePort:
  404. # -- Additional pod annotations (deprecated favor `podAnnotations`)
  405. annotations: { }
  406. # -- Additional pod annotations
  407. podAnnotations: { }
  408. # -- Node Selector for the Ingress pods
  409. nodeSelector:
  410. kubernetes.io/os: linux
  411. # -- Tolerations for the Ingress pods
  412. tolerations: []
  413. podDisruptionBudget:
  414. # -- Whether to create a pod disruption budget
  415. enabled: false
  416. # -- The maximum number of unavailable pods allowed by the budget
  417. maxUnavailable: 1
  418. # -- Affinity placement rule for the Kuma Ingress pods
  419. # This is rendered as a template, so you can reference other helm variables
  420. # or includes.
  421. affinity:
  422. podAntiAffinity:
  423. preferredDuringSchedulingIgnoredDuringExecution:
  424. - weight: 100
  425. podAffinityTerm:
  426. labelSelector:
  427. # These match the selector labels used on the deployment.
  428. matchExpressions:
  429. - key: app.kubernetes.io/name
  430. operator: In
  431. values:
  432. - '{{ include "kuma.name" . }}'
  433. - key: app.kubernetes.io/instance
  434. operator: In
  435. values:
  436. - '{{ .Release.Name }}'
  437. - key: app
  438. operator: In
  439. values:
  440. - kuma-ingress
  441. topologyKey: kubernetes.io/hostname
  442. # -- Topology spread constraints rule for the Kuma Mesh Ingress pods.
  443. # This is rendered as a template, so you can use variables to generate match labels.
  444. topologySpreadConstraints:
  445. # -- Security context at the pod level for ingress
  446. podSecurityContext:
  447. runAsNonRoot: true
  448. runAsUser: 5678
  449. runAsGroup: 5678
  450. # -- Security context at the container level for ingress
  451. containerSecurityContext:
  452. readOnlyRootFilesystem: true
  453. # -- Annotations to add for the Ingress's Service Account
  454. serviceAccountAnnotations: { }
  455. # -- Whether to automountServiceAccountToken for the Ingress pods. Set to false if the Ingress does not need Kubernetes API access, so no API credential is mounted into the pod.
  456. automountServiceAccountToken: true
  457. egress:
  458. # -- If true, it deploys Egress for cross cluster communication
  459. enabled: false
  460. # -- Labels to add to resources, in addition to the default labels.
  461. extraLabels: {}
  462. # -- Time for which old listener will still be active as draining
  463. drainTime: 30s
  464. # -- Number of replicas of the Egress. Ignored when autoscaling is enabled.
  465. replicas: 1
  466. # -- Log level for egress (available values: off|info|debug)
  467. logLevel: info
  468. # Horizontal Pod Autoscaling configuration
  469. autoscaling:
  470. # -- Whether to enable Horizontal Pod Autoscaling, which requires the [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) in the cluster
  471. enabled: false
  473. # -- The minimum number of Egress pods to allow
  474. minReplicas: 2
  475. # -- The maximum number of Egress pods to scale to
  476. maxReplicas: 5
  476. # -- For clusters that don't support autoscaling/v2, autoscaling/v1 is used
  477. targetCPUUtilizationPercentage: 80
  478. # -- For clusters that do support autoscaling/v2, use metrics
  479. metrics:
  480. - type: Resource
  481. resource:
  482. name: cpu
  483. target:
  484. type: Utilization
  485. averageUtilization: 80
  486. resources:
  487. requests:
  488. cpu: 50m
  489. memory: 64Mi
  490. limits:
  491. cpu: 1000m
  492. memory: 512Mi
  493. service:
  494. # -- Whether to create the service object
  495. enabled: true
  496. # -- Service type of the Egress
  497. type: ClusterIP
  498. # -- (string) Optionally specify IP to be used by cloud provider when configuring load balancer
  499. loadBalancerIP:
  500. # -- Additional annotations to put on the Egress service
  501. annotations: { }
  502. # -- Port on which Egress is exposed
  503. port: 10002
  504. # -- Port on which service is exposed on Node for service of type NodePort
  505. nodePort:
  506. # -- Additional pod annotations (deprecated favor `podAnnotations`)
  507. annotations: { }
  508. # -- Additional pod annotations
  509. podAnnotations: { }
  510. # -- Node Selector for the Egress pods
  511. nodeSelector:
  512. kubernetes.io/os: linux
  513. # -- Tolerations for the Egress pods
  514. tolerations: []
  515. podDisruptionBudget:
  516. # -- Whether to create a pod disruption budget
  517. enabled: false
  518. # -- The maximum number of unavailable pods allowed by the budget
  519. maxUnavailable: 1
  520. # -- Affinity placement rule for the Kuma Egress pods.
  521. # This is rendered as a template, so you can reference other helm variables or includes.
  522. affinity:
  523. podAntiAffinity:
  524. preferredDuringSchedulingIgnoredDuringExecution:
  525. - weight: 100
  526. podAffinityTerm:
  527. labelSelector:
  528. # These match the selector labels used on the deployment.
  529. matchExpressions:
  530. - key: app.kubernetes.io/name
  531. operator: In
  532. values:
  533. - '{{ include "kuma.name" . }}'
  534. - key: app.kubernetes.io/instance
  535. operator: In
  536. values:
  537. - '{{ .Release.Name }}'
  538. - key: app
  539. operator: In
  540. values:
  541. - kuma-egress
  542. topologyKey: kubernetes.io/hostname
  543. # -- Topology spread constraints rule for the Kuma Egress pods.
  544. # This is rendered as a template, so you can use variables to generate match labels.
  545. topologySpreadConstraints:
  546. # -- Security context at the pod level for egress
  547. podSecurityContext:
  548. runAsNonRoot: true
  549. runAsUser: 5678
  550. runAsGroup: 5678
  551. # -- Security context at the container level for egress
  552. containerSecurityContext:
  553. readOnlyRootFilesystem: true
  555. # -- Annotations to add for the Egress's Service Account
  556. serviceAccountAnnotations: { }
  557. # -- Whether to automountServiceAccountToken for the Egress pods. Set to false if the Egress does not need Kubernetes API access, so no API credential is mounted into the pod.
  558. automountServiceAccountToken: true
  558. kumactl:
  559. image:
  560. # -- The kumactl image repository
  561. repository: kumactl
  562. # -- The kumactl image tag. When not specified, the value is copied from global.tag
  563. tag:
  564. kubectl:
  565. image:
  566. # -- The kubectl image registry
  567. registry: docker.io
  568. # -- The kubectl image repository
  569. repository: bitnami/kubectl
  570. # -- The kubectl image tag
  571. tag: "1.27.5"
  572. hooks:
  573. # -- Node selector for the HELM hooks
  574. nodeSelector:
  575. kubernetes.io/os: linux
  576. # -- Tolerations for the HELM hooks
  577. tolerations: []
  578. # -- Security context at the pod level for crd/webhook/ns
  579. podSecurityContext:
  580. runAsNonRoot: true
  581. # -- Security context at the container level for crd/webhook/ns
  582. containerSecurityContext:
  583. readOnlyRootFilesystem: true
  584. # -- ebpf-cleanup hook needs write access to the root filesystem to clean ebpf programs
  585. # Changing below values will potentially break ebpf cleanup completely,
  586. # so be cautious when doing so.
  587. ebpfCleanup:
  588. # -- Security context at the pod level for crd/webhook/cleanup-ebpf
  589. podSecurityContext:
  590. runAsNonRoot: false
  591. # -- Security context at the container level for crd/webhook/cleanup-ebpf
  592. containerSecurityContext:
  593. readOnlyRootFilesystem: false
  594. experimental:
  595. # Configuration for the experimental ebpf mode for transparent proxy
  596. ebpf:
  597. # -- If true, ebpf will be used instead of using iptables to install/configure transparent proxy
  598. enabled: false
  599. # -- Name of the environmental variable which will contain the IP address of a pod
  600. instanceIPEnvVarName: INSTANCE_IP
  601. # -- Path where BPF file system should be mounted
  602. bpffsPath: /sys/fs/bpf
  603. # -- Host's cgroup2 path
  604. cgroupPath: /sys/fs/cgroup
  605. # -- Name of the network interface which TC programs should be attached to, we'll try to automatically determine it if empty
  606. tcAttachIface: ""
  607. # -- Path where compiled eBPF programs which will be installed can be found. Whatever is found here is loaded into the kernel, so the directory must be writable only by the installer (the default is under /tmp; check the image's permissions on it).
  608. programsSourcePath: /tmp/kuma-ebpf
  609. # -- If false, it uses legacy API for resource synchronization
  610. deltaKds: true
  611. # -- If true, enable native Kubernetes sidecars. This requires at least
  612. # Kubernetes v1.29
  613. sidecarContainers: false
  614. # Postgres' settings for universal control plane on k8s
  615. postgres:
  616. # -- Postgres port, password should be provided as a secret reference in "controlPlane.secrets"
  617. # with the Env value "KUMA_STORE_POSTGRES_PASSWORD".
  618. # Example (the shape must match `controlPlane.secrets` above, whose own example is keyed by name rather than written as a list entry; confirm which form the chart templates expect):
  619. # controlPlane:
  620. # secrets:
  621. # - Secret: postgres-postgresql
  622. # Key: postgresql-password
  623. # Env: KUMA_STORE_POSTGRES_PASSWORD
  624. port: "5432"
  625. # TLS settings
  626. tls:
  627. # -- Mode of TLS connection. Available values are: "disable", "verifyNone", "verifyCa", "verifyFull". "disable" sends the password and all store traffic in cleartext and "verifyNone" encrypts without authenticating the server; use "verifyFull" together with caSecretName in production.
  628. mode: disable # ENV: KUMA_STORE_POSTGRES_TLS_MODE
  629. # -- Whether to disable SNI the postgres `sslsni` option.
  630. disableSSLSNI: false # ENV: KUMA_STORE_POSTGRES_TLS_DISABLE_SSLSNI
  631. # -- Secret name that contains the ca.crt
  632. caSecretName:
  633. # -- Secret name that contains the client tls.crt, tls.key
  634. secretName:
  635. # @ignored for helm-docs
  636. plugins:
  637. resources:
  638. hostnamegenerators: true
  639. meshexternalservices: true
  640. meshservices: true
  641. policies:
  642. meshaccesslogs: true
  643. meshcircuitbreakers: true
  644. meshfaultinjections: true
  645. meshhealthchecks: true
  646. meshhttproutes: true
  647. meshloadbalancingstrategies: true
  648. meshmetrics: true
  649. meshpassthroughs: true
  650. meshproxypatches: true
  651. meshratelimits: true
  652. meshretries: true
  653. meshtcproutes: true
  654. meshtimeouts: true
  655. meshtraces: true
  656. meshtrafficpermissions: true