contour

Helm Chart for Contour

A Helm chart for installing Contour.

This chart is a fork of Contour chart from the Bitnami charts project, which has since been discontinued.

Introduction

This chart bootstraps a Contour Ingress Controller Deployment and an Envoy Proxy DaemonSet on a Kubernetes cluster using the Helm package manager.

Prerequisites

• Kubernetes 1.23+
• Helm 3.8.0+
• An Operator for ServiceType: LoadBalancer like MetalLB

Installing the Chart

To install the chart with the release name my-release:

helm repo add contour https://projectcontour.github.io/helm-charts/
helm repo update
helm install my-release contour/contour

These commands deploy contour on the Kubernetes cluster in the default configuration. The Parameters section lists the parameters that can be configured during installation.

Tip: List all releases using helm list or helm ls --all-namespaces

Configuration and installation details

Resource requests and limits

The chart allows setting resource requests and limits for all containers inside the chart deployment. These are defined in the resources value (see the parameters table). Setting requests is essential for production workloads and these should be adapted to your specific use case.

To make this process easier, the chart contains the resourcesPreset values, which automatically sets the resources section according to different presets. However, in production workloads using resourcesPreset is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the official Kubernetes documentation.

Prometheus metrics

This chart can be integrated with Prometheus by setting metrics.enabled to true. This will expose the Contour and Envoy (if envoy.service.exposeMetrics=true) native Prometheus ports in the containers. Additionally, it will deploy several metrics services. These metrics services will have the necessary annotations to be automatically scraped by Prometheus.

Prometheus requirements

It is necessary to have a working installation of Prometheus or Prometheus Operator for the integration to work.

Integration with Prometheus Operator

The chart can deploy ServiceMonitor objects for integration with Prometheus Operator installations. To do so, set the value metrics.serviceMonitor.enabled=true. Ensure that the Prometheus Operator CustomResourceDefinitions are installed in the cluster or it will fail with the following error:

no matches for kind "ServiceMonitor" in version "monitoring.coreos.com/v1"

Rolling VS Immutable tags

It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.

A new chart will be released updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.

To configure Contour please look into the configuration section Contour Configuration.

Example Quickstart Contour Configuration

configInline:
  # should contour expect to be running inside a k8s cluster
  # incluster: true
  #
  # path to kubeconfig (if not running inside a k8s cluster)
  # kubeconfig: /path/to/.kube/config
  #
  # Client request timeout to be passed to Envoy
  # as the connection manager request_timeout.
  # Defaults to 0, which Envoy interprets as disabled.
  # Note that this is the timeout for the whole request,
  # not an idle timeout.
  # request-timeout: 0s
  # disable ingressroute permitInsecure field
  disablePermitInsecure: false
  tls:
    #   minimum TLS version that Contour will negotiate
    #   minimum-protocol-version: "1.1"
    # Defines the Kubernetes name/namespace matching a secret to use
    # as the fallback certificate when requests which don't match the
    # SNI defined for a vhost.
    fallback-certificate:
  #   name: fallback-secret-name
  #   namespace: projectcontour
  # The following config shows the defaults for the leader election.
  # leaderelection:
  #   configmap-name: leader-elect
  #   configmap-namespace: projectcontour
  ### Logging options
  # Default setting
  accesslog-format: envoy
  # To enable JSON logging in Envoy
  # accesslog-format: json
  # The default fields that will be logged are specified below.
  # To customise this list, just add or remove entries.
  # The canonical list is available at
  # https://godoc.org/github.com/projectcontour/contour/internal/envoy#JSONFields
  # json-fields:
  #   - "@timestamp"
  #   - "authority"
  #   - "bytes_received"
  #   - "bytes_sent"
  #   - "downstream_local_address"
  #   - "downstream_remote_address"
  #   - "duration"
  #   - "method"
  #   - "path"
  #   - "protocol"
  #   - "request_id"
  #   - "requested_server_name"
  #   - "response_code"
  #   - "response_flags"
  #   - "uber_trace_id"
  #   - "upstream_cluster"
  #   - "upstream_host"
  #   - "upstream_local_address"
  #   - "upstream_service_time"
  #   - "user_agent"
  #   - "x_forwarded_for"
  #
  # default-http-versions:
  # - "HTTP/2"
  # - "HTTP/1.1"
  #
  # The following shows the default proxy timeout settings.
  # timeouts:
  #   request-timeout: infinity
  #   connection-idle-timeout: 60s
  #   stream-idle-timeout: 5m
  #   max-connection-duration: infinity
  #   connection-shutdown-grace-period: 5s

Deploying Contour with an AWS NLB

By default, Contour is launched with an AWS Classic ELB. To launch contour backed by a NLB, please set these settings:

envoy:
  service:
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-type: nlb
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600"
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm: arn:aws:acm:XX-XXXX-X:XXXXXXXXX:certificate/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX

  containerPorts:
    http: 80
    https: 80

Setting Pod's affinity

This chart allows you to set your custom affinity using the XXX.affinity parameter(s). Find more information about Pod's affinity in the kubernetes documentation.

As an alternative, you can use the preset configurations for pod affinity, pod anti-affinity, and node affinity. To do so, set the XXX.podAffinityPreset, XXX.podAntiAffinityPreset, or XXX.nodeAffinityPreset parameters.

Parameters

Global parameters

Name	Description	Value
global.imageRegistry	Global Docker image registry	""
global.imagePullSecrets	Global Docker registry secret names as an array	[]
global.defaultStorageClass	Global default StorageClass for Persistent Volume(s)	""
global.storageClass	DEPRECATED: use global.defaultStorageClass instead	""
global.compatibility.openshift.adaptSecurityContext	Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)	auto

Common parameters

Name	Description	Value
nameOverride	String to partially override contour.fullname include (will maintain the release name)	""
fullnameOverride	String to fully override contour.fullname template	""
namespaceOverride	String to fully override common.names.namespace	""
kubeVersion	Force target Kubernetes version (using Helm capabilities if not set)	""
extraDeploy	Array of extra objects to deploy with the release	[]
commonLabels	Labels to add to all deployed objects	{}
commonAnnotations	Annotations to add to all deployed objects	{}
diagnosticMode.enabled	Enable diagnostic mode (all probes will be disabled and the command will be overridden)	false
diagnosticMode.command	Command to override all containers in the deployment	[]
diagnosticMode.args	Args to override all containers in the deployment	[]

Contour parameters

Name	Description	Value
existingConfigMap	Specifies the name of an externally-defined ConfigMap to use as the configuration (this is mutually exclusive with configInline)	""
configInline	Specifies Contour's configuration directly in YAML format	{}
contour.enabled	Contour Deployment creation.	true
contour.image.registry	Contour image registry	REGISTRY_NAME
contour.image.repository	Contour image name	REPOSITORY_NAME/contour
contour.image.digest	Contour image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag	""
contour.image.pullPolicy	Contour Image pull policy	IfNotPresent
contour.image.pullSecrets	Contour Image pull secrets	[]
contour.image.debug	Enable image debug mode	false
contour.contourConfigName	Contour Deployment with ContourConfiguration CRD.	contour
contour.configPath	Contour Deployment with configmap.	true
contour.replicaCount	Number of Contour Pod replicas	1
contour.priorityClassName	Priority class assigned to the pods	""
contour.schedulerName	Name of the k8s scheduler (other than default)	""
contour.terminationGracePeriodSeconds	In seconds, time the given to the Contour pod needs to terminate gracefully	""
contour.topologySpreadConstraints	Topology Spread Constraints for pod assignment	[]
contour.containerPorts.xds	Set xds port inside Contour pod	8001
contour.containerPorts.metrics	Set metrics port inside Contour pod	8000
contour.automountServiceAccountToken	Mount Service Account token in pod	true
contour.hostAliases	Add deployment host aliases	[]
contour.updateStrategy	Strategy to use to update Pods	{}
contour.extraArgs	Extra arguments passed to Contour container	[]
contour.resourcesPreset	Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if contour.resources is set (contour.resources is recommended for production).	nano
contour.resources	Set container requests and limits for different resources like CPU or memory (essential for production workloads)	{}
contour.manageCRDs	Manage the creation, upgrade and deletion of Contour CRDs.	true
contour.envoyServiceNamespace	Namespace of the envoy service to inspect for Ingress status details.	""
contour.envoyServiceName	DEPRECATED: use envoy.service.name	""
contour.leaderElectionResourceName	Name of the contour (Lease) leader election will lease.	""
contour.ingressStatusAddress	Address to set in Ingress object status. It is exclusive with envoyServiceName and envoyServiceNamespace.	""
contour.podAffinityPreset	Contour Pod affinity preset. Ignored if affinity is set. Allowed values: soft or hard	""
contour.podAntiAffinityPreset	Contour Pod anti-affinity preset. Ignored if affinity is set. Allowed values: soft or hard	soft
contour.podLabels	Extra labels for Contour pods	{}
contour.lifecycleHooks	lifecycleHooks for the container to automate configuration before or after startup.	{}
contour.customLivenessProbe	Override default liveness probe	{}
contour.customReadinessProbe	Override default readiness probe	{}
contour.customStartupProbe	Override default startup probe	{}
contour.nodeAffinityPreset.type	Contour Node affinity preset type. Ignored if affinity is set. Allowed values: soft or hard	""
contour.nodeAffinityPreset.key	Contour Node label key to match Ignored if affinity is set.	""
contour.nodeAffinityPreset.values	Contour Node label values to match. Ignored if affinity is set.	[]
contour.command	Override default command	[]
contour.args	Override default args	[]
contour.affinity	Affinity for Contour pod assignment	{}
contour.nodeSelector	Node labels for Contour pod assignment	{}
contour.tolerations	Tolerations for Contour pod assignment	[]
contour.podAnnotations	Contour Pod annotations	{}
contour.serviceAccount.create	Create a serviceAccount for the Contour pod	true
contour.serviceAccount.name	Use the serviceAccount with the specified name, a name is generated using the fullname template	""
contour.serviceAccount.automountServiceAccountToken	Automount service account token for the server service account	false
contour.serviceAccount.annotations	Annotations for service account. Evaluated as a template. Only used if create is true.	{}
contour.podSecurityContext.enabled	Default backend Pod securityContext	true
contour.podSecurityContext.fsGroupChangePolicy	Set filesystem group change policy	Always
contour.podSecurityContext.sysctls	Set kernel settings using the sysctl interface	[]
contour.podSecurityContext.supplementalGroups	Set filesystem extra groups	[]
contour.podSecurityContext.fsGroup	Set Default backend Pod's Security Context fsGroup	1001
contour.containerSecurityContext.enabled	Enabled contour containers' Security Context	true
contour.containerSecurityContext.seLinuxOptions	Set SELinux options in container	{}
contour.containerSecurityContext.runAsUser	Set contour containers' Security Context runAsUser	1001
contour.containerSecurityContext.runAsGroup	Set contour containers' Security Context runAsGroup	1001
contour.containerSecurityContext.runAsNonRoot	Set contour containers' Security Context runAsNonRoot	true
contour.containerSecurityContext.readOnlyRootFilesystem	Set read only root file system pod's Security Conte	true
contour.containerSecurityContext.privileged	Set contour container's Security Context privileged	false
contour.containerSecurityContext.allowPrivilegeEscalation	Set contour container's Security Context allowPrivilegeEscalation	false
contour.containerSecurityContext.capabilities.drop	List of capabilities to be dropped	["ALL"]
contour.containerSecurityContext.seccompProfile.type	Set container's Security Context seccomp profile	RuntimeDefault
contour.livenessProbe.enabled	Enable/disable the Liveness probe	true
contour.livenessProbe.initialDelaySeconds	Delay before liveness probe is initiated	120
contour.livenessProbe.periodSeconds	How often to perform the probe	20
contour.livenessProbe.timeoutSeconds	When the probe times out	5
contour.livenessProbe.failureThreshold	Minimum consecutive failures for the probe to be considered failed after having succeeded.	6
contour.livenessProbe.successThreshold	Minimum consecutive successes for the probe to be considered successful after having failed.	1
contour.readinessProbe.enabled	Enable/disable the readiness probe	true
contour.readinessProbe.initialDelaySeconds	Delay before readiness probe is initiated	15
contour.readinessProbe.periodSeconds	How often to perform the probe	10
contour.readinessProbe.timeoutSeconds	When the probe times out	5
contour.readinessProbe.failureThreshold	Minimum consecutive failures for the probe to be considered failed after having succeeded.	3
contour.readinessProbe.successThreshold	Minimum consecutive successes for the probe to be considered successful after having failed.	1
contour.startupProbe.enabled	Enable/disable the startup probe	false
contour.startupProbe.initialDelaySeconds	Delay before startup probe is initiated	15
contour.startupProbe.periodSeconds	How often to perform the probe	10
contour.startupProbe.timeoutSeconds	When the probe times out	5
contour.startupProbe.failureThreshold	Minimum consecutive failures for the probe to be considered failed after having succeeded.	3
contour.startupProbe.successThreshold	Minimum consecutive successes for the probe to be considered successful after having failed.	1
contour.certgen.serviceAccount.create	Create a serviceAccount for the Contour pod	true
contour.certgen.serviceAccount.name	Use the serviceAccount with the specified name, a name is generated using the fullname template	""
contour.certgen.serviceAccount.automountServiceAccountToken	Automount service account token for the server service account	false
contour.certgen.serviceAccount.annotations	Annotations for service account. Evaluated as a template. Only used if create is true.	{}
contour.certgen.certificateLifetime	Generated certificate lifetime (in days).	365
contour.certgen.automountServiceAccountToken	Mount Service Account token in pod	true
contour.certgen.networkPolicy.enabled	Specifies whether a NetworkPolicy should be created	true
contour.certgen.networkPolicy.allowExternal	Don't require server label for connections	true
contour.certgen.networkPolicy.allowExternalEgress	Allow the pod to access any range of port and all destinations.	true
contour.certgen.networkPolicy.kubeAPIServerPorts	List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)	[]
contour.certgen.networkPolicy.extraIngress	Add extra ingress rules to the NetworkPolicy	[]
contour.certgen.networkPolicy.extraEgress	Add extra ingress rules to the NetworkPolicy	[]
contour.certgen.networkPolicy.ingressNSMatchLabels	Labels to match to allow traffic from other namespaces	{}
contour.certgen.networkPolicy.ingressNSPodMatchLabels	Pod labels to match to allow traffic from other namespaces	{}
contour.tlsExistingSecret	Name of the existingSecret to be use in Contour deployment. If it is not nil contour.certgen will be disabled.	""
contour.service.type	Service type	ClusterIP
contour.service.ports.xds	Contour service xds port	8001
contour.service.ports.metrics	Contour service xds port	8000
contour.service.nodePorts.xds	Node port for HTTP	""
contour.service.clusterIP	Contour service Cluster IP	""
contour.service.loadBalancerIP	Contour service Load Balancer IP	""
contour.service.loadBalancerSourceRanges	Contour service Load Balancer sources	[]
contour.service.loadBalancerClass	Contour service Load Balancer Class	""
contour.service.externalTrafficPolicy	Contour service external traffic policy	Cluster
contour.service.annotations	Additional custom annotations for Contour service	{}
contour.service.extraPorts	Extra port to expose on Contour service	[]
contour.service.sessionAffinity	Session Affinity for Kubernetes service, can be "None" or "ClientIP"	None
contour.service.sessionAffinityConfig	Additional settings for the sessionAffinity	{}
contour.networkPolicy.enabled	Specifies whether a NetworkPolicy should be created	true
contour.networkPolicy.allowExternal	Don't require server label for connections	true
contour.networkPolicy.allowExternalEgress	Allow the pod to access any range of port and all destinations.	true
contour.networkPolicy.kubeAPIServerPorts	List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)	[]
contour.networkPolicy.extraIngress	Add extra ingress rules to the NetworkPolicy	[]
contour.networkPolicy.extraEgress	Add extra ingress rules to the NetworkPolicy	[]
contour.networkPolicy.ingressNSMatchLabels	Labels to match to allow traffic from other namespaces	{}
contour.networkPolicy.ingressNSPodMatchLabels	Pod labels to match to allow traffic from other namespaces	{}
contour.initContainers	Attach additional init containers to Contour pods	[]
contour.sidecars	Add additional sidecar containers to the Contour pods	[]
contour.extraVolumes	Array to add extra volumes	[]
contour.extraVolumeMounts	Array to add extra mounts (normally used with extraVolumes)	[]
contour.extraEnvVars	Array containing extra env vars to be added to all Contour containers	[]
contour.extraEnvVarsCM	ConfigMap containing extra env vars to be added to all Contour containers	""
contour.extraEnvVarsSecret	Secret containing extra env vars to be added to all Contour containers	""
contour.ingressClass.name	Name of the ingress class to route through this controller.	""
contour.ingressClass.create	Whether to create or not the IngressClass resource	true
contour.ingressClass.default	Mark IngressClass resource as default for cluster	true
contour.debug	Enable Contour debug log level	false
contour.logFormat	Set contour log-format. Default text, either text or json.	text
contour.kubernetesDebug	Contour kubernetes debug log level, Default 0, minimum 0, maximum 9.	0
contour.rootNamespaces	Restrict Contour to searching these namespaces for root ingress routes.	""
contour.overloadManager.enabled	Enable Overload Manager	false
contour.overloadManager.maxHeapBytes	Overload Manager's maximum heap size in bytes	2147483648
contour.pdb.create	Enable Pod Disruption Budget configuration	true
contour.pdb.minAvailable	Minimum number/percentage of Default backend pods that should remain scheduled	""
contour.pdb.maxUnavailable	Maximum number/percentage of Default backend pods that should remain scheduled	""

Envoy parameters

Name	Description	Value
envoy.enabled	Envoy Proxy creation	true
envoy.image.registry	Envoy Proxy image registry	REGISTRY_NAME
envoy.image.repository	Envoy Proxy image repository	REPOSITORY_NAME/envoy
envoy.image.digest	Envoy Proxy image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag	""
envoy.image.pullPolicy	Envoy image pull policy	IfNotPresent
envoy.image.pullSecrets	Envoy image pull secrets	[]
envoy.priorityClassName	Priority class assigned to the pods	""
envoy.schedulerName	Name of the k8s scheduler (other than default)	""
envoy.topologySpreadConstraints	Topology Spread Constraints for pod assignment	[]
envoy.extraArgs	Extra arguments passed to Envoy container	[]
envoy.automountServiceAccountToken	Mount Service Account token in pod	false
envoy.hostAliases	Add deployment host aliases	[]
envoy.resourcesPreset	Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if envoy.resources is set (envoy.resources is recommended for production).	nano
envoy.resources	Set container requests and limits for different resources like CPU or memory (essential for production workloads)	{}
envoy.command	Override default command	[]
envoy.args	Override default args	[]
envoy.shutdownManager.enabled	Contour shutdownManager sidecar	true
envoy.shutdownManager.extraArgs	Extra arguments passed to shutdown container	[]
envoy.shutdownManager.resourcesPreset	Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if envoy.shutdownManager.resources is set (envoy.shutdownManager.resources is recommended for production).	nano
envoy.shutdownManager.resources	Set container requests and limits for different resources like CPU or memory (essential for production workloads)	{}
envoy.shutdownManager.containerPorts.http	Specify Port for shutdown container	8090
envoy.shutdownManager.lifecycleHooks	lifecycleHooks for the container to automate configuration before or after startup.	{}
envoy.shutdownManager.containerSecurityContext.enabled	Enabled envoy shutdownManager containers' Security Context	true
envoy.shutdownManager.containerSecurityContext.seLinuxOptions	Set SELinux options in container	{}
envoy.shutdownManager.containerSecurityContext.runAsUser	Set envoy shutdownManager containers' Security Context runAsUser	1001
envoy.shutdownManager.containerSecurityContext.runAsGroup	Set contour containers' Security Context runAsGroup	1001
envoy.shutdownManager.containerSecurityContext.runAsNonRoot	Set envoy shutdownManager containers' Security Context runAsNonRoot	true
envoy.shutdownManager.containerSecurityContext.readOnlyRootFilesystem	Set read only root file system pod's Security Conte	true
envoy.shutdownManager.containerSecurityContext.privileged	Set envoy.shutdownManager container's Security Context privileged	false
envoy.shutdownManager.containerSecurityContext.allowPrivilegeEscalation	Set envoy shutdownManager container's Security Context allowPrivilegeEscalation	false
envoy.shutdownManager.containerSecurityContext.capabilities.drop	List of capabilities to be dropped	["ALL"]
envoy.shutdownManager.containerSecurityContext.seccompProfile.type	Set container's Security Context seccomp profile	RuntimeDefault
envoy.shutdownManager.livenessProbe.enabled	Enable livenessProbe	true
envoy.shutdownManager.livenessProbe.initialDelaySeconds	Initial delay seconds for livenessProbe	120
envoy.shutdownManager.livenessProbe.periodSeconds	Period seconds for livenessProbe	20
envoy.shutdownManager.livenessProbe.timeoutSeconds	Timeout seconds for livenessProbe	5
envoy.shutdownManager.livenessProbe.failureThreshold	Failure threshold for livenessProbe	6
envoy.shutdownManager.livenessProbe.successThreshold	Success threshold for livenessProbe	1
envoy.shutdownManager.readinessProbe.enabled	Enable/disable the readiness probe	true
envoy.shutdownManager.readinessProbe.initialDelaySeconds	Delay before readiness probe is initiated	10
envoy.shutdownManager.readinessProbe.periodSeconds	How often to perform the probe	3
envoy.shutdownManager.readinessProbe.timeoutSeconds	When the probe times out	1
envoy.shutdownManager.readinessProbe.failureThreshold	Minimum consecutive failures for the probe to be considered failed after having succeeded.	3
envoy.shutdownManager.readinessProbe.successThreshold	Minimum consecutive successes for the probe to be considered successful after having failed.	1
envoy.shutdownManager.startupProbe.enabled	Enable/disable the startup probe	false
envoy.shutdownManager.startupProbe.initialDelaySeconds	Delay before startup probe is initiated	15
envoy.shutdownManager.startupProbe.periodSeconds	How often to perform the probe	10
envoy.shutdownManager.startupProbe.timeoutSeconds	When the probe times out	5
envoy.shutdownManager.startupProbe.failureThreshold	Minimum consecutive failures for the probe to be considered failed after having succeeded.	3
envoy.shutdownManager.startupProbe.successThreshold	Minimum consecutive successes for the probe to be considered successful after having failed.	1
envoy.shutdownManager.customLivenessProbe	Override default liveness probe	{}
envoy.shutdownManager.customReadinessProbe	Override default readiness probe	{}
envoy.shutdownManager.customStartupProbe	Override default startup probe	{}
envoy.kind	Install as deployment or daemonset	daemonset
envoy.replicaCount	Desired number of Controller pods	1
envoy.lifecycleHooks	lifecycleHooks for the container to automate configuration before or after startup.	{}
envoy.updateStrategy	Strategy to use to update Pods	{}
envoy.minReadySeconds	The minimum number of seconds for which a newly created Pod should be ready	0
envoy.revisionHistoryLimit	The number of old history to retain to allow rollback	10
envoy.autoscaling.enabled	Enable autoscaling for Controller	false
envoy.autoscaling.minReplicas	Minimum number of Controller replicas	1
envoy.autoscaling.maxReplicas	Maximum number of Controller replicas	11
envoy.autoscaling.targetCPU	Target CPU utilization percentage	""
envoy.autoscaling.targetMemory	Target Memory utilization percentage	""
envoy.autoscaling.behavior	HPA Behavior	{}
envoy.podAffinityPreset	Envoy Pod affinity preset. Ignored if affinity is set. Allowed values: soft or hard	""
envoy.podAntiAffinityPreset	Envoy Pod anti-affinity preset. Ignored if affinity is set. Allowed values: soft or hard	""
envoy.nodeAffinityPreset.type	Envoy Node affinity preset type. Ignored if affinity is set. Allowed values: soft or hard	""
envoy.nodeAffinityPreset.key	Envoy Node label key to match Ignored if affinity is set.	""
envoy.nodeAffinityPreset.values	Envoy Node label values to match. Ignored if affinity is set.	[]
envoy.affinity	Affinity for Envoy pod assignment	{}
envoy.nodeSelector	Node labels for Envoy pod assignment	{}
envoy.tolerations	Tolerations for Envoy pod assignment	[]
envoy.podAnnotations	Envoy Pod annotations	{}
envoy.podLabels	Extra labels for Envoy pods	{}
envoy.podSecurityContext.enabled	Envoy Pod securityContext	true
envoy.podSecurityContext.fsGroupChangePolicy	Set filesystem group change policy	Always
envoy.podSecurityContext.supplementalGroups	Set filesystem extra groups	[]
envoy.podSecurityContext.fsGroup	User ID for the for the mounted volumes	0
envoy.podSecurityContext.sysctls	Array of sysctl options to allow	[]
envoy.containerSecurityContext.enabled	Enabled envoy containers' Security Context	true
envoy.containerSecurityContext.seLinuxOptions	Set SELinux options in container	{}
envoy.containerSecurityContext.runAsUser	Set envoy containers' Security Context runAsUser	1001
envoy.containerSecurityContext.runAsGroup	Set envoy containers' Security Context runAsGroup	1001
envoy.containerSecurityContext.runAsNonRoot	Set envoy containers' Security Context runAsNonRoot	true
envoy.containerSecurityContext.readOnlyRootFilesystem	Set read only root file system pod's Security Conte	true
envoy.containerSecurityContext.privileged	Set envoy container's Security Context privileged	false
envoy.containerSecurityContext.allowPrivilegeEscalation	Set envoy container's Security Context allowPrivilegeEscalation	false
envoy.containerSecurityContext.capabilities.drop	List of capabilities to be dropped	["ALL"]
envoy.containerSecurityContext.seccompProfile.type	Set container's Security Context seccomp profile	RuntimeDefault
envoy.hostNetwork	Envoy Pod host network access	false
envoy.dnsPolicy	Envoy Pod Dns Policy's DNS Policy	ClusterFirst
envoy.tlsExistingSecret	Name of the existingSecret to be use in Envoy deployment	""
envoy.serviceAccount.create	Specifies whether a ServiceAccount should be created	true
envoy.serviceAccount.name	The name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template	""
envoy.serviceAccount.automountServiceAccountToken	Whether to auto mount API credentials for a service account	false
envoy.serviceAccount.annotations	Annotations for service account. Evaluated as a template. Only used if create is true.	{}
envoy.livenessProbe.enabled	Enable livenessProbe	true
envoy.livenessProbe.port	LivenessProbe port	8002
envoy.livenessProbe.initialDelaySeconds	Initial delay seconds for livenessProbe	120
envoy.livenessProbe.periodSeconds	Period seconds for livenessProbe	20
envoy.livenessProbe.timeoutSeconds	Timeout seconds for livenessProbe	5
envoy.livenessProbe.failureThreshold	Failure threshold for livenessProbe	6
envoy.livenessProbe.successThreshold	Success threshold for livenessProbe	1
envoy.readinessProbe.enabled	Enable/disable the readiness probe	true
envoy.readinessProbe.port	ReadinessProbe port	8002
envoy.readinessProbe.initialDelaySeconds	Delay before readiness probe is initiated	10
envoy.readinessProbe.periodSeconds	How often to perform the probe	3
envoy.readinessProbe.timeoutSeconds	When the probe times out	1
envoy.readinessProbe.failureThreshold	Minimum consecutive failures for the probe to be considered failed after having succeeded.	3
envoy.readinessProbe.successThreshold	Minimum consecutive successes for the probe to be considered successful after having failed.	1
envoy.startupProbe.enabled	Enable/disable the startup probe	false
envoy.startupProbe.port	StartupProbe port	8002
envoy.startupProbe.initialDelaySeconds	Delay before startup probe is initiated	15
envoy.startupProbe.periodSeconds	How often to perform the probe	10
envoy.startupProbe.timeoutSeconds	When the probe times out	5
envoy.startupProbe.failureThreshold	Minimum consecutive failures for the probe to be considered failed after having succeeded.	3
envoy.startupProbe.successThreshold	Minimum consecutive successes for the probe to be considered successful after having failed.	1
envoy.customLivenessProbe	Override default liveness probe	{}
envoy.customReadinessProbe	Override default readiness probe	{}
envoy.customStartupProbe	Override default startup probe	{}
envoy.terminationGracePeriodSeconds	Envoy termination grace period in seconds	300
envoy.logLevel	Envoy log level	info
envoy.service.name	envoy service name	""
envoy.service.multiAz.enabled	enables the rendering of the multiple services	false
envoy.service.multiAz.zones	defines different zones their annotations and loadBalancerIPs	[]
envoy.service.targetPorts	Map the controller service HTTP/HTTPS port	{}
envoy.service.type	Type of Envoy service to create	LoadBalancer
envoy.service.externalTrafficPolicy	Envoy Service external cluster policy. If envoy.service.type is NodePort or LoadBalancer	Local
envoy.service.labels	Labels to add to te envoy service	{}
envoy.service.clusterIP	Internal envoy cluster service IP	""
envoy.service.externalIPs	Envoy service external IP addresses	[]
envoy.service.loadBalancerIP	IP address to assign to load balancer (if supported)	""
envoy.service.loadBalancerSourceRanges	List of IP CIDRs allowed access to load balancer (if supported)	[]
envoy.service.loadBalancerClass	Envoy service Load Balancer Class	""
envoy.service.ipFamilyPolicy	, support SingleStack, PreferDualStack and RequireDualStack	""
envoy.service.ipFamilies	List of IP families (e.g. IPv4, IPv6) assigned to the service.	[]
envoy.service.annotations	Annotations for Envoy service	{}
envoy.service.ports.http	Sets service http port	80
envoy.service.ports.https	Sets service https port	443
envoy.service.ports.metrics	Sets service metrics port	8002
envoy.service.nodePorts.http	HTTP Port. If envoy.service.type is NodePort and this is non-empty	""
envoy.service.nodePorts.https	HTTPS Port. If envoy.service.type is NodePort and this is non-empty	""
envoy.service.nodePorts.metrics	Metrics Port. If envoy.service.type is NodePort and this is non-empty	""
envoy.service.extraPorts	Extra ports to expose (normally used with the sidecar value)	[]
envoy.service.sessionAffinity	Session Affinity for Kubernetes service, can be "None" or "ClientIP"	None
envoy.service.sessionAffinityConfig	Additional settings for the sessionAffinity	{}
envoy.service.exposeMetrics	Setting to expose the metrics port in the service	false
envoy.networkPolicy.enabled	Specifies whether a NetworkPolicy should be created	true
envoy.networkPolicy.allowExternal	Don't require server label for connections	true
envoy.networkPolicy.allowExternalEgress	Allow the pod to access any range of port and all destinations.	true
envoy.networkPolicy.extraIngress	Add extra ingress rules to the NetworkPolicy	[]
envoy.networkPolicy.extraEgress	Add extra ingress rules to the NetworkPolicy	[]
envoy.networkPolicy.ingressNSMatchLabels	Labels to match to allow traffic from other namespaces	{}
envoy.networkPolicy.ingressNSPodMatchLabels	Pod labels to match to allow traffic from other namespaces	{}
envoy.useHostPort.http	Enable/disable hostPort for TCP/80	false
envoy.useHostPort.https	Enable/disable hostPort TCP/443	false
envoy.useHostPort.metrics	Enable/disable hostPort for TCP/8002	false
envoy.useHostIP	Enable/disable hostIP	false
envoy.hostPorts.http	Sets hostPort http port	80
envoy.hostPorts.https	Sets hostPort https port	443
envoy.hostPorts.metrics	Sets hostPort metrics port	8002
envoy.hostIPs.http	Sets hostIP http IP	127.0.0.1
envoy.hostIPs.https	Sets hostIP https IP	127.0.0.1
envoy.hostIPs.metrics	Sets hostIP metrics IP	127.0.0.1
envoy.containerPorts.http	Sets http port inside Envoy pod (change this to >1024 to run envoy as a non-root user)	8080
envoy.containerPorts.https	Sets https port inside Envoy pod (change this to >1024 to run envoy as a non-root user)	8443
envoy.containerPorts.metrics	Sets metrics port inside Envoy pod (change this to >1024 to run envoy as a non-root user)	8002
envoy.initContainers	Attach additional init containers to Envoy pods	[]
envoy.sidecars	Add additional sidecar containers to the Envoy pods	[]
envoy.extraVolumes	Array to add extra volumes	[]
envoy.extraVolumeMounts	Array to add extra mounts (normally used with extraVolumes)	[]
envoy.extraEnvVars	Array containing extra env vars to be added to all Envoy containers	[]
envoy.extraEnvVarsCM	ConfigMap containing extra env vars to be added to all Envoy containers	""
envoy.extraEnvVarsSecret	Secret containing extra env vars to be added to all Envoy containers	""
envoy.pdb.create	Enable Pod Disruption Budget configuration	true
envoy.pdb.minAvailable	Minimum number/percentage of Default backend pods that should remain scheduled	""
envoy.pdb.maxUnavailable	Maximum number/percentage of Default backend pods that should remain scheduled	""
envoy.defaultInitContainers.initConfig.containerSecurityContext.enabled	Enabled "init-config" init-containers' Security Context	true
envoy.defaultInitContainers.initConfig.containerSecurityContext.seLinuxOptions	Set SELinux options in "init-config" init-containers	{}
envoy.defaultInitContainers.initConfig.containerSecurityContext.runAsUser	Set runAsUser in "init-config" init-containers' Security Context	1001
envoy.defaultInitContainers.initConfig.containerSecurityContext.runAsGroup	Set runAsGroup in "init-config" init-containers' Security Context	1001
envoy.defaultInitContainers.initConfig.containerSecurityContext.runAsNonRoot	Set runAsNonRoot in "init-config" init-containers' Security Context	true
envoy.defaultInitContainers.initConfig.containerSecurityContext.privileged	Set privileged in "init-config" init-containers' Security Context	false
envoy.defaultInitContainers.initConfig.containerSecurityContext.readOnlyRootFilesystem	Set readOnlyRootFilesystem in "init-config" init-containers' Security Context	true
envoy.defaultInitContainers.initConfig.containerSecurityContext.allowPrivilegeEscalation	Set allowPrivilegeEscalation in "init-config" init-containers' Security Context	false
envoy.defaultInitContainers.initConfig.containerSecurityContext.capabilities.drop	List of capabilities to be dropped in "init-config" init-containers	["ALL"]
envoy.defaultInitContainers.initConfig.containerSecurityContext.seccompProfile.type	Set seccomp profile in "init-config" init-containers	RuntimeDefault
envoy.defaultInitContainers.initConfig.resourcesPreset	Set Envoy "init-config" init container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if envoy.defaultInitContainers.initConfig.resources is set (envoy.defaultInitContainers.initConfig.resources is recommended for production).	nano
envoy.defaultInitContainers.initConfig.resources	Set Envoy "init-config" init container requests and limits for different resources like CPU or memory (essential for production workloads)	{}

Gateway API parameters

Name	Description	Value
gatewayAPI.manageCRDs	Manage the creation, upgrade and deletion of Gateway API CRDs.	false

Metrics parameters

Name	Description	Value
metrics.serviceMonitor.namespace	Specify if the servicemonitors will be deployed into a different namespace (blank deploys into same namespace as chart)	""
metrics.serviceMonitor.enabled	Specify if a servicemonitor will be deployed for prometheus-operator.	false
metrics.serviceMonitor.jobLabel	Specify the jobLabel to use for the prometheus-operator	app.kubernetes.io/name
metrics.serviceMonitor.interval	Specify the scrape interval if not specified use default prometheus scrapeIntervall, the Prometheus default scrape interval is used.	""
metrics.serviceMonitor.metricRelabelings	Specify additional relabeling of metrics.	[]
metrics.serviceMonitor.relabelings	Specify general relabeling.	[]
metrics.serviceMonitor.honorLabels	Specify honorLabels parameter to add the scrape endpoint	false
metrics.serviceMonitor.scrapeTimeout	The timeout after which the scrape is ended	""
metrics.serviceMonitor.selector	Specify honorLabels parameter to add the scrape endpoint	{}
metrics.serviceMonitor.labels	Extra labels for the ServiceMonitor	{}
metrics.prometheusRule.enabled	Creates a Prometheus Operator prometheusRule	false
metrics.prometheusRule.namespace	Namespace for the prometheusRule Resource (defaults to the Release Namespace)	""
metrics.prometheusRule.additionalLabels	Additional labels that can be used so prometheusRule will be discovered by Prometheus	{}
metrics.prometheusRule.rules	Prometheus Rule definitions	[]

Other parameters

Name	Description	Value
rbac.create	Create the RBAC roles for API accessibility	true
rbac.rules	Custom RBAC rules to set	[]
tlsExistingSecret	Name of the existingSecret to be use in both contour and envoy. If it is not nil contour.certgen will be disabled.	""
useCertManager	Use Cert-manager instead of Contour certgen to issue certificates for TLS connection between Contour and Envoy.	false

Specify each parameter using the --set key=value[,key=value] argument to helm install. For example,

helm install my-release \
  --set envoy.readinessProbe.successThreshold=5 \
    contour/contour

The above command sets the envoy.readinessProbe.successThreshold to 5.