|
| 1 | +# Apache API7 ingress controller |
| 2 | + |
| 3 | +[API7 Ingress controller](https://github.com/api7/api7-ingress-controller/) for Kubernetes using Apache APISIX as a high performance reverse proxy and load balancer. |
| 4 | + |
| 5 | +If you have installed multiple ingress controller, add the `kubernetes.io/ingress.class: apisix` annotation to your Ingress resources. |
| 6 | + |
| 7 | +This chart bootstraps an apisix-ingress-controller deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. |
| 8 | + |
| 9 | +## Prerequisites |
| 10 | + |
| 11 | +Apisix ingress controller requires Kubernetes version 1.16+. |
| 12 | + |
| 13 | +## Get Repo Info |
| 14 | + |
| 15 | +```console |
| 16 | +helm repo add apisix https://charts.apiseven.com |
| 17 | +helm repo update |
| 18 | +``` |
| 19 | + |
| 20 | +## Install Chart |
| 21 | + |
| 22 | +**Important:** only helm3 is supported |
| 23 | + |
| 24 | +```console |
| 25 | +helm install [RELEASE_NAME] apisix/apisix-ingress-controller --namespace ingress-apisix --create-namespace |
| 26 | +``` |
| 27 | + |
| 28 | +The command deploys apisix-ingress-controller on the Kubernetes cluster in the default configuration. |
| 29 | + |
| 30 | +_See [configuration](#configuration) below._ |
| 31 | + |
| 32 | +_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ |
| 33 | + |
| 34 | +## Uninstall Chart |
| 35 | + |
| 36 | +```console |
| 37 | +helm uninstall [RELEASE_NAME] --namespace ingress-apisix |
| 38 | +``` |
| 39 | + |
| 40 | +This removes all the Kubernetes components associated with the chart and deletes the release. |
| 41 | + |
| 42 | +_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._ |
| 43 | + |
| 44 | +## Upgrading Chart |
| 45 | + |
| 46 | +```console |
| 47 | +helm upgrade [RELEASE_NAME] [CHART] --install |
| 48 | +``` |
| 49 | + |
| 50 | +_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._ |
| 51 | + |
| 52 | +## Configuration |
| 53 | + |
| 54 | +See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments, visit the chart's [values.yaml](./values.yaml), or run these configuration commands: |
| 55 | + |
| 56 | +```console |
| 57 | +helm show values apisix/apisix-ingress-controller |
| 58 | +``` |
| 59 | + |
| 60 | +### Pod priority |
| 61 | + |
| 62 | +`priorityClassName` field referenced a name of a created `PriorityClass` object. Check [here](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption) for more details. |
| 63 | + |
| 64 | +### Security context |
| 65 | + |
| 66 | +A security context provides us with a way to define privilege and access control for a Pod or even at the container level. |
| 67 | + |
| 68 | +Check [here](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#securitycontext-v1-core) to see the SecurityContext resource with more detail. |
| 69 | + |
| 70 | +Check also [here](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) to see a full explanation and some examples to configure the security context. |
| 71 | + |
| 72 | +Right below you have an example of the security context configuration. In this case, we define that all the processes in the container will run with user ID 1000. |
| 73 | + |
| 74 | +```yaml |
| 75 | +... |
| 76 | + |
| 77 | +spec: |
| 78 | + securityContext: |
| 79 | + runAsUser: 1000 |
| 80 | + runAsGroup: 3000 |
| 81 | +... |
| 82 | +``` |
| 83 | + |
| 84 | +The same for the group definition, where we define the primary group of 3000 for all processes. |
| 85 | + |
| 86 | +**It's quite important to know, if the `runAsGroup` is omited, the primary group will be root(0)**, which in some cases goes against some security policies. |
| 87 | + |
| 88 | +To define this configuration at the **pod level**, you need to set: |
| 89 | + |
| 90 | +```yaml |
| 91 | + --set podSecurityContext.runAsUser=«VALUE» |
| 92 | + --set podSecurityContext.runAsGroup=«VALUE» |
| 93 | + ... |
| 94 | +``` |
| 95 | + |
| 96 | +The same for container level, you need to set: |
| 97 | + |
| 98 | +```yaml |
| 99 | + --set securityContext.runAsUser=«VALUE» |
| 100 | + --set SecurityContext.runAsGroup=«VALUE» |
| 101 | + ... |
| 102 | +``` |
| 103 | + |
| 104 | +## Values |
| 105 | + |
| 106 | +| Key | Type | Default | Description | |
| 107 | +|-----|------|---------|-------------| |
| 108 | +| affinity | object | `{}` | | |
| 109 | +| annotations | object | `{}` | Add annotations to Apache APISIX ingress controller resource | |
| 110 | +| autoscaling.enabled | bool | `false` | | |
| 111 | +| autoscaling.maxReplicas | int | `100` | | |
| 112 | +| autoscaling.minReplicas | int | `1` | | |
| 113 | +| autoscaling.targetCPUUtilizationPercentage | int | `80` | | |
| 114 | +| autoscaling.version | string | `"v2"` | HPA version, the value is "v2" or "v2beta1", default "v2" | |
| 115 | +| clusterDomain | string | `"cluster.local"` | | |
| 116 | +| config.apisix | object | `{"adminAPIVersion":"v2","adminKey":"edd1c9f034335f136f87ad84b625c8f1","clusterName":"default","existingSecret":"","existingSecretAdminKeyKey":"","serviceName":"apisix-admin","serviceNamespace":"ingress-apisix","servicePort":9180}` | APISIX related configurations. | |
| 117 | +| config.dashboard.adminAPIVersion | string | `"v2"` | the APISIX admin API version. can be "v2" or "v3", default is "v2". | |
| 118 | +| config.dashboard.existingSecret | string | `""` | The APISIX Helm chart supports storing user credentials in a secret. The secret needs to contain a single key for admin token with key adminKey by default. | |
| 119 | +| config.dashboard.existingSecretAdminKeyKey | string | `""` | Name of the admin token key in the secret, overrides the default key name "adminKey" | |
| 120 | +| config.dashboard.serviceName | string | `"apisix-admin"` | Enabling this value, overrides serviceName and serviceNamespace. serviceFullname: "apisix-admin.apisix.svc.local" | |
| 121 | +| config.apisixResourceSyncInterval | string | `"1h"` | Default interval for synchronizing Kubernetes resources to APISIX | |
| 122 | +| config.certFile | string | `"/etc/webhook/certs/cert.pem"` | the TLS certificate file path. | |
| 123 | +| config.enableProfiling | bool | `true` | enable profiling via web interfaces host:port/debug/pprof, default is true. | |
| 124 | +| config.httpListen | string | `":8080"` | the HTTP Server listen address, default is ":8080" | |
| 125 | +| config.httpsListen | string | `":8443"` | the HTTPS Server listen address, default is ":8443" | |
| 126 | +| config.ingressPublishService | string | `""` | the controller will use the Endpoint of this Service to update the status information of the Ingress resource. The format is "namespace/svc-name" to solve the situation that the data plane and the controller are not deployed in the same namespace. | |
| 127 | +| config.ingressStatusAddress | list | `[]` | | |
| 128 | +| config.keyFile | string | `"/etc/webhook/certs/key.pem"` | the TLS key file path. | |
| 129 | +| config.kubernetes | object | `{"apiVersion":"apisix.apache.org/v2","apisixRouteVersion":"apisix.apache.org/v2","electionId":"ingress-apisix-leader","enableGatewayAPI":false,"ingressClass":"apisix","ingressVersion":"networking/v1","kubeconfig":"","namespaceSelector":[""],"resyncInterval":"6h","watchEndpointSlices":false}` | Kubernetes related configurations. | |
| 130 | +| config.kubernetes.apiVersion | string | `"apisix.apache.org/v2"` | the resource API version, support "apisix.apache.org/v2beta3" and "apisix.apache.org/v2". default is "apisix.apache.org/v2" | |
| 131 | +| config.kubernetes.apisixRouteVersion | string | `"apisix.apache.org/v2"` | the supported apisixroute api group version, can be "apisix.apache.org/v2" "apisix.apache.org/v2beta3" or "apisix.apache.org/v2beta2" | |
| 132 | +| config.kubernetes.electionId | string | `"ingress-apisix-leader"` | the election id for the controller leader campaign, only the leader will watch and delivery resource changes, other instances (as candidates) stand by. | |
| 133 | +| config.kubernetes.enableGatewayAPI | bool | `false` | whether to enable support for Gateway API. Note: This feature is currently under development and may not work as expected. It is not recommended to use it in a production environment. Before we announce support for it to reach Beta level or GA. | |
| 134 | +| config.kubernetes.ingressClass | string | `"apisix"` | The class of an Ingress object is set using the field IngressClassName in Kubernetes clusters version v1.18.0 or higher or the annotation "kubernetes.io/ingress.class" (deprecated). | |
| 135 | +| config.kubernetes.ingressVersion | string | `"networking/v1"` | the supported ingress api group version, can be "networking/v1beta1", "networking/v1" (for Kubernetes version v1.19.0 or higher), and "extensions/v1beta1", default is "networking/v1". | |
| 136 | +| config.kubernetes.kubeconfig | string | `""` | the Kubernetes configuration file path, default is "", so the in-cluster configuration will be used. | |
| 137 | +| config.kubernetes.namespaceSelector | list | `[""]` | namespace_selector represent basis for selecting managed namespaces. the field is support since version 1.4.0 For example, "apisix.ingress=watching", so ingress will watching the namespaces which labels "apisix.ingress=watching" | |
| 138 | +| config.kubernetes.resyncInterval | string | `"6h"` | how long should apisix-ingress-controller re-synchronizes with Kubernetes, default is 6h, | |
| 139 | +| config.kubernetes.watchEndpointSlices | bool | `false` | whether to watch EndpointSlices rather than Endpoints. | |
| 140 | +| config.logLevel | string | `"info"` | the error log level, default is info, optional values are: debug, info, warn, error, panic, fatal | |
| 141 | +| config.logOutput | string | `"stderr"` | the output file path of error log, default is stderr, when the file path is "stderr" or "stdout", logs are marshalled plainly, which is more readable for human; otherwise logs are marshalled in JSON format, which can be parsed by programs easily. | |
| 142 | +| config.pluginMetadataCM | string | `""` | Pluginmetadata in APISIX can be controlled through ConfigMap. default is "" | |
| 143 | +| fullnameOverride | string | `""` | | |
| 144 | +| gateway.externalIPs | list | `[]` | load balancer ips | |
| 145 | +| gateway.externalTrafficPolicy | string | `"Cluster"` | | |
| 146 | +| gateway.nginx.errorLog | string | `"stderr"` | Nginx error logs path | |
| 147 | +| gateway.nginx.errorLogLevel | string | `"warn"` | Nginx error logs level | |
| 148 | +| gateway.nginx.workerConnections | string | `"10620"` | Nginx worker connections | |
| 149 | +| gateway.nginx.workerProcesses | string | `"auto"` | Nginx worker processes | |
| 150 | +| gateway.nginx.workerRlimitNofile | string | `"20480"` | Nginx workerRlimitNoFile | |
| 151 | +| gateway.resources | object | `{}` | | |
| 152 | +| gateway.securityContext | object | `{}` | | |
| 153 | +| gateway.tls.additionalContainerPorts | list | `[]` | Support multiple https ports, See [Configuration](https://github.com/apache/apisix/blob/0bc65ea9acd726f79f80ae0abd8f50b7eb172e3d/conf/config-default.yaml#L99) | |
| 154 | +| gateway.tls.certCAFilename | string | `""` | Filename be used in the gateway.tls.existingCASecret | |
| 155 | +| gateway.tls.containerPort | int | `9443` | | |
| 156 | +| gateway.tls.enabled | bool | `false` | | |
| 157 | +| gateway.tls.existingCASecret | string | `""` | Specifies the name of Secret contains trusted CA certificates in the PEM format used to verify the certificate when APISIX needs to do SSL/TLS handshaking with external services (e.g. etcd) | |
| 158 | +| gateway.tls.fallbackSNI | string | `""` | Define SNI to fallback if none is presented by client | |
| 159 | +| gateway.tls.http2.enabled | bool | `true` | | |
| 160 | +| gateway.tls.servicePort | int | `443` | | |
| 161 | +| gateway.tls.sslProtocols | string | `"TLSv1.2 TLSv1.3"` | TLS protocols allowed to use. | |
| 162 | +| gateway.type | string | `"NodePort"` | Apache APISIX service type for user access itself | |
| 163 | +| image.pullPolicy | string | `"IfNotPresent"` | | |
| 164 | +| image.repository | string | `"apache/apisix-ingress-controller"` | | |
| 165 | +| image.tag | string | `"1.8.0"` | | |
| 166 | +| imagePullSecrets | list | `[]` | | |
| 167 | +| initContainer.image | string | `"busybox"` | | |
| 168 | +| initContainer.tag | float | `1.28` | | |
| 169 | +| labelsOverride | object | `{}` | Override default labels assigned to Apache APISIX ingress controller resource | |
| 170 | +| nameOverride | string | `""` | Default values for apisix-ingress-controller. This is a YAML-formatted file. Declare variables to be passed into your templates. | |
| 171 | +| nodeSelector | object | `{}` | | |
| 172 | +| podAnnotations | object | `{}` | | |
| 173 | +| podDisruptionBudget | object | `{"enabled":false,"maxUnavailable":1,"minAvailable":"90%"}` | See https://kubernetes.io/docs/tasks/run-application/configure-pdb/ for more details | |
| 174 | +| podDisruptionBudget.enabled | bool | `false` | Enable or disable podDisruptionBudget | |
| 175 | +| podDisruptionBudget.maxUnavailable | int | `1` | Set the maxUnavailable of podDisruptionBudget | |
| 176 | +| podDisruptionBudget.minAvailable | string | `"90%"` | Set the `minAvailable` of podDisruptionBudget. You can specify only one of `maxUnavailable` and `minAvailable` in a single PodDisruptionBudget. See [Specifying a Disruption Budget for your Application](https://kubernetes.io/docs/tasks/run-application/configure-pdb/#specifying-a-poddisruptionbudget) for more details | |
| 177 | +| podSecurityContext | object | `{}` | | |
| 178 | +| priorityClassName | string | `""` | | |
| 179 | +| rbac.create | bool | `true` | Specifies whether RBAC resources should be created | |
| 180 | +| replicaCount | int | `1` | | |
| 181 | +| resources | object | `{}` | | |
| 182 | +| securityContext | object | `{}` | | |
| 183 | +| service.port | int | `80` | | |
| 184 | +| serviceAccount.automountServiceAccountToken | bool | `true` | Whether automounting API credentials for a service account | |
| 185 | +| serviceAccount.create | bool | `true` | Specifies whether a ServiceAccount should be created | |
| 186 | +| serviceAccount.name | string | `""` | The name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template | |
| 187 | +| serviceMonitor | object | `{"annotations":{},"enabled":false,"interval":"15s","labels":{},"metricRelabelings":{},"namespace":"monitoring"}` | Enable creating ServiceMonitor objects for Prometheus operator. Requires Prometheus operator v0.38.0 or higher. | |
| 188 | +| serviceMonitor.annotations | object | `{}` | @param serviceMonitor.annotations ServiceMonitor annotations | |
| 189 | +| serviceMonitor.labels | object | `{}` | @param serviceMonitor.labels ServiceMonitor extra labels | |
| 190 | +| serviceMonitor.metricRelabelings | object | `{}` | @param serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion. ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs | |
| 191 | +| tolerations | list | `[]` | | |
| 192 | +| topologySpreadConstraints | list | `[]` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods | |
| 193 | +| updateStrategy | object | `{}` | Update strategy for apisix ingress controller deployment | |
0 commit comments