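# NOTE(review): the paste lost its indentation, which leaves keys such as
# `enabled` duplicated at the top level. The nesting below is restored on the
# assumption that these are the `ingressController` values of the Kong Helm
# chart; every value is unchanged from the report. Confirm against the
# deployed values file.
enabled: true
image:
  repository: harbor.onlineops.lenovo.com/onlineops/kong-ingress-controller
  tag: "3.4.3"
  # Optionally set a semantic version for version-gated features. This can normally
  # be left unset. You only need to set this if your tag is not a semver string,
  # such as when you are using a "next" tag. Set this to the effective semantic
  # version of your tag: for example if using a "next" image for an unreleased 3.1.0
  # version, set this to "3.1.0".
  effectiveSemver:
args: []

gatewayDiscovery:
  enabled: false
  generateAdminApiService: false
  adminApiService:
    namespace: ""
    name: ""

# Specify individual namespaces to watch for ingress configuration. By default,
# when no namespaces are set, the controller watches all namespaces and uses a
# ClusterRole to grant access to Kubernetes resources. When you list specific
# namespaces, the controller will watch those namespaces only and will create
# namespaced-scoped Roles for each of them. The controller will still use a
# ClusterRole for cluster-scoped resources.
# Requires controller 2.0.0 or newer.
watchNamespaces: []

# Specify Kong Ingress Controller configuration via environment variables
env:
  # The controller disables TLS verification by default because Kong
  # generates self-signed certificates by default. Set this to false once you
  # have installed CA-signed certificates.
  kong_admin_tls_skip_verify: true
  # NOTE(review): dump_config exposes the generated Kong configuration through
  # the controller's diagnostics endpoint, and dump_sensitive_config leaves
  # credentials and TLS private keys unredacted in those dumps. Treat both as
  # temporary debugging settings: switch them off after troubleshooting and
  # keep the diagnostics port reachable by operators only.
  dump_config: "true"
  dump_sensitive_config: "true"
  log_format: "json"
  # NOTE(review): this URL is plain HTTP, so kong_admin_tls_skip_verify has no
  # effect on it and Admin API traffic is unencrypted. No admin token or client
  # certificate is configured in this file either; restrict access to the admin
  # Service (for example with a NetworkPolicy) or move to HTTPS with client
  # authentication.
  kong_admin_url: http://kong-gateway-admin:8001
  # If using Kong Enterprise with RBAC enabled, uncomment the section below
  # and specify the secret/key containing your admin token.
  # kong_admin_token:
  #   valueFrom:
  #     secretKeyRef:
  #       name: CHANGEME-admin-token-secret
  #       key: CHANGEME-admin-token-key

# This section is for any customer-specific environment variables that do not
# require the CONTROLLER_ prefix.
# Example as below, uncomment if required and add additional attributes as required.
# customEnv:
#   TZ: "Europe/Berlin"

# Load all ConfigMap or Secret keys as environment variables:
# https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables
envFrom: []

admissionWebhook:
  matchPolicy: Equivalent
  enabled: true
  # Limit the `secrets.plugins.validation.ingress-controller.konghq.com` webhook
  # to only Secrets with the appropriate KIC "konghq.com/validate" label.
  filterSecrets: false
  # NOTE(review): Ignore is fail-open - if the webhook cannot be reached, the
  # API server admits the objects without validation.
  failurePolicy: Ignore
  port: 8080
  certificate:
    provided: false
  # namespaceSelector specifies namespaces in which the resources are validated by the `*.validations.kong.konghq.com` webhooks.
  # For example, the `kube-system` namespace contains objects created by the Kubernetes system, like `kube-dns` service.
  # You can exclude the kube-system namespace from being intercepted using below namespaceSelector:
  # namespaceSelector:
  #   matchExpressions:
  #     - key: kubernetes.io/metadata.name
  #       operator: NotIn
  #       values:
  #         - kube-system
  namespaceSelector: {}
  # objectSelector specifies which objects to match against the
  # validations.kong.konghq.com webhook
  objectSelector:
    matchExpressions:
      - key: owner
        operator: NotIn
        values:
          - helm
  # Specify the secretName when the certificate is provided via a TLS secret
  # secretName: ""
  # Specify the CA bundle of the provided certificate.
  # This is a PEM encoded CA bundle which will be used to validate the webhook certificate. If unspecified, system trust roots on the apiserver are used.
  # caBundle:
  #   | Add the CA bundle content here.
  service:
    # Specify custom labels for the validation webhook service.
    labels: {}
  # Tune the default Kubernetes timeoutSeconds of 10 seconds
  # timeoutSeconds: 10

ingressClass: kong
# annotations for IngressClass resource (Kubernetes 1.18+)
ingressClassAnnotations: {}

## Define any volumes and mounts you want present in the ingress controller container
## Volumes are defined above in deployment.userDefinedVolumes
# userDefinedVolumeMounts:
#   - name: "volumeName"
#     mountPath: "/opt/user/dir/mount"

rbac:
  create: true
  enableClusterRoles: true

livenessProbe:
  httpGet:
    path: "/healthz"
    port: 10254
    scheme: HTTP
  initialDelaySeconds: 5
  timeoutSeconds: 5
  periodSeconds: 10
  successThreshold: 1
  failureThreshold: 3
readinessProbe:
  httpGet:
    path: "/readyz"
    port: 10254
    scheme: HTTP
  initialDelaySeconds: 5
  timeoutSeconds: 5
  periodSeconds: 10
  successThreshold: 1
  failureThreshold: 3
resources: {}

konnect:
  enabled: false
  # Deprecated: Specifies a Konnect Runtime Group's ID that the controller will push its data-plane config to.
  runtimeGroupID: ""
  # Specifies a Konnect Control Plane's ID that the controller will push its data-plane config to.
  controlPlaneID: ""
  # Specifies a Konnect API hostname that the controller will use to push its data-plane config to.
  # By default, this is set to US region's production API hostname.
  # If you are using a different region, you can set this to the appropriate hostname (e.g. "eu.kic.api.konghq.com").
  apiHostname: "us.kic.api.konghq.com"
  # Specifies a secret that contains a client TLS certificate that the controller
  # will use to authenticate against Konnect APIs.
  tlsClientCertSecretName: "konnect-client-tls"
  license:
    # Specifies whether the controller should fetch a license from Konnect and apply it to managed Gateways.
    enabled: false

adminApi:
  tls:
    client:
      # Enable TLS client authentication for the Admin API.
      # NOTE(review): while this is false the controller presents no client
      # certificate to the Admin API.
      enabled: false
      # If set to false, Helm will generate certificates for you.
      # If set to true, you are expected to provide your own secret (see secretName, caSecretName).
      certProvided: false
      # Client TLS certificate/key pair secret name that Ingress Controller will use to authenticate with Kong Admin API.
      # If certProvided is set to false, it is optional (can be specified though if you want to force Helm to use
      # a specific secret name).
      secretName: ""
      # CA TLS certificate/key pair secret name that the client TLS certificate is signed by.
      # If certProvided is set to false, it is optional (can be specified though if you want to force Helm to use
      # a specific secret name).
      caSecretName: ""
```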
--------
### Expected Behavior
```shell
KIC should sync the rules when the Kong gateway pod restarts
```
Is there an existing issue for this?
Current Behavior
kic helm config is below:
Steps To Reproduce
Kong Ingress Controller version
Kubernetes version
Anything else?
No response