diff --git a/.github/workflows/helm-docs.yaml b/.github/workflows/helm-docs.yaml
new file mode 100644
index 000000000..5111f83ef
--- /dev/null
+++ b/.github/workflows/helm-docs.yaml
@@ -0,0 +1,35 @@
+name: "Helm Docs"
+
+on:
+  pull_request:
+    branches:
+      - "*"
+
+  push:
+
+jobs:
+
+  helm:
+    name: Helm Docs
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.22.9'
+
+      - name: Run helm-docs
+        run: |
+          GOBIN=$PWD GO111MODULE=on go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.14.2
+          ./helm-docs -c ${GITHUB_WORKSPACE}/helm/higress -f ../core/values.yaml
+          DIFF=$(git diff ${GITHUB_WORKSPACE}/helm/higress/*md)
+          if [ ! -z "$DIFF" ]; then
+            echo "Please use helm-docs in your clone, of your fork, of the project, and commit a updated README.md for the chart."
+          fi
+          git diff --exit-code
+          rm -f ./helm-docs
\ No newline at end of file
diff --git a/helm/core/values.yaml b/helm/core/values.yaml
index fb03a2f85..e0b818bb1 100644
--- a/helm/core/values.yaml
+++ b/helm/core/values.yaml
@@ -10,7 +10,7 @@ global:
   onDemandRDS: false
   hostRDSMergeSubset: false
   onlyPushRouteCluster: true
-  # IngressClass filters which ingress resources the higress controller watches.
+  # -- IngressClass filters which ingress resources the higress controller watches.
   # The default ingress class is higress.
   # There are some special cases for special ingress class.
   # 1. When the ingress class is set as nginx, the higress controller will watch ingress
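Review bot: The new workflow sets no `permissions:` block, so the job runs with the repository's default GITHUB_TOKEN scope even though every step only reads the checkout and runs `go install` and `git diff`; add `permissions:` / `  contents: read` at the top level (or on the `helm` job) so a compromised action or helm-docs build cannot use a write-capable token. `actions/checkout@v4` and `actions/setup-go@v5` are referenced by mutable tags; pinning each to a full commit SHA with the tag in a trailing comment (`uses: actions/checkout@<full-commit-sha>  # v4`) keeps the supply chain reproducible, while the `go install ...@v1.14.2` line is already version-pinned and is checked against the Go checksum database by default. In the trigger, `branches: - "*"` does not match branch names containing a slash (GitHub needs `"**"` for that), so a PR targeting e.g. a `release/...` branch would skip the check; dropping the filter, as the `push:` trigger already does, covers every base branch. The echo message should read `commit an updated README.md`.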
@@ -18,28 +18,40 @@ global: # 2. When the ingress class is set empty, the higress controller will watch all ingress # resources in the k8s cluster. ingressClass: "higress" + # -- If not empty, Higress Controller will only watch resources in the specified namespace. + # When isolating different business systems using K8s namespace, + # if each namespace requires a standalone gateway instance, + # this parameter can be used to confine the Ingress watching of Higress within the given namespace. watchNamespace: "" + # -- Whether to disable HTTP/2 in ALPN disableAlpnH2: false + # -- If true, Higress Controller will update the status field of Ingress resources. + # When migrating from Nginx Ingress, in order to avoid status field of Ingress objects being overwritten, + # this parameter needs to be set to false, + # so Higress won't write the entry IP to the status field of the corresponding Ingress object. enableStatus: true - # whether to use autoscaling/v2 template for HPA settings + # -- whether to use autoscaling/v2 template for HPA settings # for internal usage only, not to be configured by users. autoscalingv2API: true - local: false # When deploying to a local cluster (e.g.: kind cluster), set this to true. + # -- When deploying to a local cluster (e.g.: kind cluster), set this to true. + local: false kind: false # Deprecated. Please use "global.local" instead. Will be removed later. + # -- If true, Higress Controller will monitor istio resources as well enableIstioAPI: true + # -- If true, Higress Controller will monitor Gateway API resources as well enableGatewayAPI: false # Deprecated enableHigressIstio: false - # Used to locate istiod. + # -- Used to locate istiod. istioNamespace: istio-system - # enable pod disruption budget for the control plane, which is used to + # -- enable pod disruption budget for the control plane, which is used to # ensure Istio control plane components are gradually upgraded or recovered. 
defaultPodDisruptionBudget: enabled: false # The values aren't mutable due to a current PodDisruptionBudget limitation # minAvailable: 1 - # A minimal set of requested resources to applied to all deployments so that + # -- A minimal set of requested resources to applied to all deployments so that # Horizontal Pod Autoscaler will be able to function (if set). # Each component can overwrite these default values by adding its own resources # block in the relevant section below and setting the desired resources values. @@ -51,16 +63,16 @@ global: # cpu: 100m # memory: 128Mi - # Default hub for Istio images. + # -- Default hub for Istio images. # Releases are published to docker hub under 'istio' project. # Dev builds from prow are on gcr.io hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress - # Specify image pull policy if default behavior isn't desired. + # -- Specify image pull policy if default behavior isn't desired. # Default behavior: latest images will be Always else IfNotPresent. imagePullPolicy: "" - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # -- ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace # to use for pulling any images in pods that reference this ServiceAccount. # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. 
@@ -68,14 +80,14 @@ global: imagePullSecrets: [] # - private-registry-key - # Enabled by default in master for maximising testing. + # -- Enabled by default in master for maximising testing. istiod: enableAnalysis: false - # To output all istio components logs in json format by adding --log_as_json argument to each container argument + # -- To output all istio components logs in json format by adding --log_as_json argument to each container argument logAsJson: false - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # -- Comma-separated minimum per-scope logging level of messages to output, in the form of :,: # The control plane has different scopes depending on component, but can configure default log level across all components # If empty, default scope and level will be used as configured in code logging: @@ -83,11 +95,11 @@ global: omitSidecarInjectorConfigMap: false - # Whether to restrict the applications namespace the controller manages; + # -- Whether to restrict the applications namespace the controller manages; # If not set, controller watches all namespaces oneNamespace: false - # Configure whether Operator manages webhook configurations. The current behavior + # -- Configure whether Operator manages webhook configurations. The current behavior # of Istiod is to manage its own webhook configurations. # When this option is set as true, Istio Operator, instead of webhooks, manages the # webhook configurations. When this option is set as false, webhooks manage their 
@@ -106,7 +118,7 @@ global: #- global #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # -- Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and # system-node-critical, it is better to configure this in order to make sure your Istio pods # will not be killed because of low priority class. # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass @@ -116,18 +128,18 @@ global: proxy: image: proxyv2 - # This controls the 'policy' in the sidecar injector. + # -- This controls the 'policy' in the sidecar injector. autoInject: enabled - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # -- CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value # cluster domain. Default value is "cluster.local". clusterDomain: "cluster.local" - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # -- Per Component log level for proxy, applies to gateways and sidecars. If a component level is # not set, then the global "logLevel" will be used. componentLogLevel: "misc:error" - # If set, newly injected sidecars will have core dumps enabled. + # -- If set, newly injected sidecars will have core dumps enabled. enableCoreDump: false # istio ingress capture allowlist @@ -136,7 +148,7 @@ global: excludeInboundPorts: "" includeInboundPorts: "*" - # istio egress capture allowlist + # -- istio egress capture allowlist # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" # would only capture egress traffic on those two IP Ranges, all other outbound traffic would 
@@ -146,29 +158,29 @@ global: includeOutboundPorts: "" excludeOutboundPorts: "" - # Log level for proxy, applies to gateways and sidecars. + # -- Log level for proxy, applies to gateways and sidecars. # Expected values are: trace|debug|info|warning|error|critical|off logLevel: warning - #If set to true, istio-proxy container will have privileged securityContext + # -- If set to true, istio-proxy container will have privileged securityContext privileged: false - # The number of successive failed probes before indicating readiness failure. + # -- The number of successive failed probes before indicating readiness failure. readinessFailureThreshold: 30 - # The number of successive successed probes before indicating readiness success. + # -- The number of successive successed probes before indicating readiness success. readinessSuccessThreshold: 30 - # The initial delay for readiness probes in seconds. + # -- The initial delay for readiness probes in seconds. readinessInitialDelaySeconds: 1 - # The period between readiness probes. + # -- The period between readiness probes. readinessPeriodSeconds: 2 - # The readiness timeout seconds + # -- The readiness timeout seconds readinessTimeoutSeconds: 3 - # Resources for the sidecar. + # -- Resources for the sidecar. resources: requests: cpu: 100m 
@@ -177,18 +189,18 @@ global: cpu: 2000m memory: 1024Mi - # Default port for Pilot agent health checks. A value of 0 will disable health checking. + # -- Default port for Pilot agent health checks. A value of 0 will disable health checking. statusPort: 15020 - # Specify which tracer to use. One of: lightstep, datadog, stackdriver. + # -- Specify which tracer to use. One of: lightstep, datadog, stackdriver. # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. tracer: "" - # Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready + # -- Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready holdApplicationUntilProxyStarts: false proxy_init: - # Base name for the proxy_init container, used to configure iptables. + # -- Base name for the proxy_init container, used to configure iptables. image: proxyv2 resources: limits: @@ -198,7 +210,7 @@ global: cpu: 10m memory: 10Mi - # configure remote pilot and istiod service and endpoint + # -- configure remote pilot and istiod service and endpoint remotePilotAddress: "" ############################################################################################## 
@@ -206,20 +218,20 @@ global: # make sure they are consistent across your Istio helm charts # ############################################################################################## - # The customized CA address to retrieve certificates for the pods in the cluster. + # -- The customized CA address to retrieve certificates for the pods in the cluster. # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. # If not set explicitly, default to the Istio discovery address. caAddress: "" - # Configure a remote cluster data plane controlled by an external istiod. + # -- Configure a remote cluster data plane controlled by an external istiod. # When set to true, istiod is not deployed locally and only a subset of the other # discovery charts are enabled. externalIstiod: false - # Configure a remote cluster as the config cluster for an external istiod. + # -- Configure a remote cluster as the config cluster for an external istiod. configCluster: false - # Configure the policy for validating JWT. + # -- Configure the policy for validating JWT. # Currently, two options are supported: "third-party-jwt" and "first-party-jwt". jwtPolicy: "third-party-jwt" @@ -241,7 +253,7 @@ global: # of migration TBD, and it may be a disruptive operation to change the Mesh # ID post-install. # - # If the mesh admin does not specify a value, Istio will use the value of the + # -- If the mesh admin does not specify a value, Istio will use the value of the # mesh's Trust Domain. The best practice is to select a proper Trust Domain # value. meshID: "" 
@@ -275,68 +287,69 @@ global: # meshNetworks: {} - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + # -- Use the user-specified, secret volume mounted key and certs for Pilot and workloads. mountMtlsCerts: false multiCluster: - # Set to true to connect two kubernetes clusters via their respective + # -- Set to true to connect two kubernetes clusters via their respective # ingressgateway services when pods in each cluster cannot directly # talk to one another. All clusters should be using Istio mTLS and must # have a shared root CA for this model to work. enabled: true - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # -- Should be set to the name of the cluster this installation will run in. This is required for sidecar injection # to properly label proxies clusterName: "" - # Network defines the network this cluster belong to. This name + # -- Network defines the network this cluster belong to. This name # corresponds to the networks in the map of mesh networks. network: "" - # Configure the certificate provider for control plane communication. + # -- Configure the certificate provider for control plane communication. # Currently, two providers are supported: "kubernetes" and "istiod". # As some platforms may not have kubernetes signing APIs, # Istiod is the default pilotCertProvider: istiod sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # -- The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the # JWT is intended for the CA. token: aud: istio-ca sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. + # -- The service port used by Security Token Service (STS) server to handle token exchange requests. 
# Setting this port to a non-zero value enables STS server. servicePort: 0 - # Configuration for each of the supported tracers + # -- Configuration for each of the supported tracers tracer: - # Configuration for envoy to send trace data to LightStep. + # -- Configuration for envoy to send trace data to LightStep. # Disabled by default. # address: the : of the satellite pool # accessToken: required for sending data to the pool # datadog: - # Host:Port for submitting traces to the Datadog agent. + # -- Host:Port for submitting traces to the Datadog agent. address: "$(HOST_IP):8126" lightstep: - address: "" # example: lightstep-satellite:443 - accessToken: "" # example: abcdefg1234567 + # -- example: lightstep-satellite:443 + address: "" + # -- example: abcdefg1234567 + accessToken: "" stackdriver: - # enables trace output to stdout. + # -- enables trace output to stdout. debug: false - # The global default max number of message events per span. + # -- The global default max number of message events per span. maxNumberOfMessageEvents: 200 - # The global default max number of annotation events per span. + # -- The global default max number of annotation events per span. maxNumberOfAnnotations: 200 - # The global default max number of attributes per span. + # -- The global default max number of attributes per span. maxNumberOfAttributes: 200 - # Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source. - + # -- Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source. useMCP: false - # Observability (o11y) configurations + # -- Observability (o11y) configurations o11y: enabled: false promtail: 
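Review bot: The `# --` marker added on the mapping keys `tracer:` and `o11y:` in this hunk attaches a description to the parent object, and helm-docs then appears to render the whole subtree as a single `object` row instead of recursing, judging from how `downstream` is rendered in the README hunk of this commit; the per-field descriptions added beneath (`datadog.address`, `lightstep.address`, `stackdriver.debug`, …) would then never reach the generated table. The same applies to `# -- meshConfig defines runtime configuration ...` on `meshConfig:` in the `@@ -359,7 +372,7 @@` hunk. If the individual fields are meant to be documented, keep the parent comments plain, e.g. `# Configuration for each of the supported tracers`, and put `# --` on leaf keys only. Separately, the comment block `# -- Configuration for envoy to send trace data to LightStep.` sits directly above `datadog:` rather than `lightstep:`, so once recognised it would describe the wrong key.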
@@ -350,7 +363,7 @@ global: memory: 2Gi securityContext: {} - # The name of the CA for workload certificates. + # -- The name of the CA for workload certificates. # For example, when caName=GkeWorkloadCertificate, GKE workload certificates # will be used as the certificates for workloads. # The default value is "" and when caName="", the CA will be configured by other @@ -359,7 +372,7 @@ global: hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress clusterName: "" -# meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior +# -- meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options meshConfig: enablePrometheusMerge: true @@ -370,14 +383,13 @@ meshConfig: # and gradual adoption by setting capture only on specific workloads. It also allows # VMs to use other DNS options, like dnsmasq or unbound. - # The namespace to treat as the administrative root namespace for Istio configuration. + # -- The namespace to treat as the administrative root namespace for Istio configuration. # When processing a leaf namespace Istio will search for declarations in that namespace first # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace # is processed as if it were declared in the leaf namespace. - rootNamespace: - # The trust domain corresponds to the trust root of a system + # -- The trust domain corresponds to the trust root of a system # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain trustDomain: "cluster.local" 
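Review bot: The removal of `rootNamespace:` (`-  rootNamespace:`) in the `@@ -370,14 +383,13 @@` hunk is the only non-comment change in this commit and is not called out anywhere; a bare key is `null`, which Helm drops when coalescing values, so the rendered templates are probably unchanged, but the key no longer appears in `helm show values` output and the four-line `# -- The namespace to treat as the administrative root namespace ...` description now precedes no key at all. Either state the removal in the commit message and drop the orphaned description, or keep the key with an explicit value so helm-docs can document it; which value is safe depends on how the templates consume `meshConfig`, which this hunk does not show.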
@@ -391,56 +403,57 @@ meshConfig: gateway: name: "higress-gateway" + # -- Number of Higress Gateway pods replicas: 2 image: gateway # -- Use a `DaemonSet` or `Deployment` kind: Deployment - # The number of successive failed probes before indicating readiness failure. + # -- The number of successive failed probes before indicating readiness failure. readinessFailureThreshold: 30 - # The number of successive successed probes before indicating readiness success. + # -- The number of successive successed probes before indicating readiness success. readinessSuccessThreshold: 1 - # The initial delay for readiness probes in seconds. + # -- The initial delay for readiness probes in seconds. readinessInitialDelaySeconds: 1 - # The period between readiness probes. + # -- The period between readiness probes. readinessPeriodSeconds: 2 - # The readiness timeout seconds + # -- The readiness timeout seconds readinessTimeoutSeconds: 3 hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress tag: "" - # revision declares which revision this gateway is a part of + # -- revision declares which revision this gateway is a part of revision: "" rbac: - # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed + # -- If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed # when using http://gateway-api.org/. enabled: true serviceAccount: - # If set, a service account will be created. Otherwise, the default is used + # -- If set, a service account will be created. Otherwise, the default is used create: true - # Annotations to add to the service account + # -- Annotations to add to the service account annotations: {} - # The name of the service account to use. + # -- The name of the service account to use. 
# If not set, the release name is used name: "" - # Pod environment variables + # -- Pod environment variables env: {} httpPort: 80 httpsPort: 443 hostNetwork: false - # Labels to apply to all resources + # -- Labels to apply to all resources labels: {} - # Annotations to apply to all resources + # -- Annotations to apply to all resources annotations: {} podAnnotations: @@ -449,14 +462,14 @@ gateway: prometheus.io/path: "/stats/prometheus" sidecar.istio.io/inject: "false" - # Define the security context for the pod. + # -- Define the security context for the pod. # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. securityContext: ~ containerSecurityContext: ~ service: - # Type of service. Set to "None" to disable the service entirely + # -- Type of service. Set to "None" to disable the service entirely type: LoadBalancer ports: - name: http2 
@@ -496,28 +509,29 @@ gateway: affinity: {} - # If specified, the gateway will act as a network gateway for the given network. + # -- If specified, the gateway will act as a network gateway for the given network. networkGateway: "" metrics: - # If true, create PodMonitor or VMPodScrape for gateway + # -- If true, create PodMonitor or VMPodScrape for gateway enabled: false - # provider group name for CustomResourceDefinition, can be monitoring.coreos.com or operator.victoriametrics.com + # -- provider group name for CustomResourceDefinition, can be monitoring.coreos.com or operator.victoriametrics.com provider: monitoring.coreos.com interval: "" scrapeTimeout: "" honorLabels: false - # for monitoring.coreos.com/v1.PodMonitor + # -- for monitoring.coreos.com/v1.PodMonitor metricRelabelings: [] relabelings: [] - # for operator.victoriametrics.com/v1beta1.VMPodScrape + # -- for operator.victoriametrics.com/v1beta1.VMPodScrape metricRelabelConfigs: [] relabelConfigs: [] - # some more raw podMetricsEndpoints spec + # -- some more raw podMetricsEndpoints spec rawSpec: {} controller: name: "higress-controller" + # -- Number of Higress Controller pods replicas: 1 image: higress @@ -541,12 +555,12 @@ controller: create: true serviceAccount: - # Specifies whether a service account should be created + # -- Specifies whether a service account should be created create: true - # Annotations to add to the service account + # -- Annotations to add to the service account annotations: {} - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template + # -- The name of the service account to use. + # -- If not set and create is true, a name is generated using the fullname template name: "" podAnnotations: {} @@ -602,7 +616,7 @@ controller: enabled: true email: "" -## Discovery Settings +## -- Discovery Settings pilot: autoscaleEnabled: false autoscaleMin: 1 
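Review bot: `controller.serviceAccount.name` in the `@@ -541,12 +555,12 @@` hunk now carries two consecutive `# --` markers, and helm-docs starts a fresh description at each one, so only the second line survives; the README hunk in this commit shows exactly that (`If not set and create is true, a name is generated using the fullname template` with the leading sentence lost). Keep the marker on the first line only: `# -- The name of the service account to use.` followed by `# If not set and create is true, a name is generated using the fullname template`.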
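Review bot: `## -- Discovery Settings` in the `@@ -602,7 +616,7 @@` hunk keeps the double hash of the old section header, and helm-docs only recognises descriptions that begin with a single `# --`, so the marker is most likely ignored and `pilot` stays undocumented. That is harmless as written, and arguably preferable: a recognised description on `pilot:` would collapse the whole `pilot.*` subtree into one object row and hide the per-key descriptions added in the following hunks. Either revert it to the plain header `## Discovery Settings`, or, if a one-row summary is really wanted, write `# -- Discovery Settings` and accept that `pilot.image`, `pilot.resources` and the rest will not be listed individually.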
@@ -614,11 +628,11 @@ pilot: hub: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress tag: "" - # Can be a full hub/image:tag + # -- Can be a full hub/image:tag image: pilot traceSampling: 1.0 - # Resources for a small pilot install + # -- Resources for a small pilot install resources: requests: cpu: 500m @@ -633,21 +647,21 @@ pilot: cpu: targetAverageUtilization: 80 - # if protocol sniffing is enabled for outbound + # -- if protocol sniffing is enabled for outbound enableProtocolSniffingForOutbound: true - # if protocol sniffing is enabled for inbound + # -- if protocol sniffing is enabled for inbound enableProtocolSniffingForInbound: true nodeSelector: {} podAnnotations: {} serviceAnnotations: {} - # You can use jwksResolverExtraRootCA to provide a root certificate + # -- You can use jwksResolverExtraRootCA to provide a root certificate # in PEM format. This will then be trusted by pilot when resolving # JWKS URIs. jwksResolverExtraRootCA: "" - # This is used to set the source of configuration for + # -- This is used to set the source of configuration for # the associated address in configSource, if nothing is specified # the default MCP is assumed. configSource: 
@@ -655,21 +669,21 @@ pilot: plugins: [] - # The following is used to limit how long a sidecar can be connected + # -- The following is used to limit how long a sidecar can be connected # to a pilot. It balances out load across pilot instances at the cost of # increasing system churn. keepaliveMaxServerConnectionAge: 30m - # Additional labels to apply to the deployment. + # -- Additional labels to apply to the deployment. deploymentLabels: {} ## Mesh config settings - # Install the mesh config map, generated from values.yaml. + # -- Install the mesh config map, generated from values.yaml. # If false, pilot wil use default values (by default) or user-supplied values. configMap: true - # Additional labels to apply on the pod level for monitoring and logging configuration. + # -- Additional labels to apply on the pod level for monitoring and logging configuration. podLabels: {} # Tracing config settings @@ -685,7 +699,7 @@ tracing: # service: "" # port: 9411 -# Downstream config settings +# -- Downstream config settings downstream: idleTimeout: 180 maxRequestHeadersKb: 60 @@ -696,7 +710,7 @@ downstream: initialConnectionWindowSize: 1048576 routeTimeout: 0 -# Upstream config settings +# -- Upstream config settings upstream: idleTimeout: 10 connectionBufferLimits: 10485760 diff --git a/helm/higress/README.md b/helm/higress/README.md index 6204b7a1e..45afff63d 100644 --- a/helm/higress/README.md +++ b/helm/higress/README.md 
@@ -1,57 +1,276 @@ -# Higress Helm Chart - -Installs the cloud-native gateway [Higress](http://higress.io/) - -## Get Repo Info - -```console -helm repo add higress.io https://higress.io/helm-charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart with the release name `higress`: - -```console -helm install higress -n higress-system higress.io/higress --create-namespace --render-subchart-notes -``` - -## Uninstalling the Chart - -To uninstall/delete the higress deployment: - -```console -helm delete higress -n higress-system -``` - -The command removes all the Kubernetes components associated with the chart and deletes the release. - -## Configuration - -| **Parameter** | **Description** | **Default** | -|---|---|---| -| **Global Parameters** | | | -| global.local | Set to `true` if installing to a local K8s cluster (e.g.: Kind, Rancher Desktop, etc.) | false | -| global.ingressClass | [IngressClass](https://kubernetes.io/zh-cn/docs/concepts/services-networking/ingress/#ingress-class) which is used to filter Ingress resources Higress Controller watches.
If there are multiple gateway instances deployed in the cluster, this parameter can be used to distinguish the scope of each gateway instance.
There are some special cases for special IngressClass values:
1. If set to "nginx", Higress Controller will watch Ingress resources with the `nginx` IngressClass or without any Ingress class.
2. If set to empty, Higress Controller will watch all Ingress resources in the K8s cluster. | higress | -| global.watchNamespace | If not empty, Higress Controller will only watch resources in the specified namespace. When isolating different business systems using K8s namespace, if each namespace requires a standalone gateway instance, this parameter can be used to confine the Ingress watching of Higress within the given namespace. | "" | -| global.disableAlpnH2 | Whether to disable HTTP/2 in ALPN | true | -| global.enableStatus | If `true`, Higress Controller will update the `status` field of Ingress resources.
When migrating from Nginx Ingress, in order to avoid `status` field of Ingress objects being overwritten, this parameter needs to be set to false, so Higress won't write the entry IP to the `status` field of the corresponding Ingress object. | true | -| global.enableIstioAPI | If `true`, Higress Controller will monitor istio resources as well | false | -| global.enableGatewayAPI | If `true`, Higress Controller will monitor Gateway API resources as well | false | -| global.istioNamespace | The namespace istio is installed to | istio-system | -| **Core Paramters** | | | -| higress-core.gateway.replicas | Number of Higress Gateway pods | 2 | -| higress-core.controller.replicas | Number of Higress Controller pods | 1 | -| **Console Paramters** | | | -| higress-console.replicaCount | Number of Higress Console pods | 1 | -| higress-console.service.type | K8s service type used by Higress Console | ClusterIP | -| higress-console.domain | Domain used to access Higress Console | console.higress.io | -| higress-console.tlsSecretName | Name of Secret resource used by TLS connections. | "" | -| higress-console.web.login.prompt | Prompt message to be displayed on the login page | "" | -| higress-console.admin.password.value | If not empty, the admin password will be configured to the specified value. | "" | -| higress-console.admin.password.length | The length of random admin password generated during installation. Only works when `higress-console.admin.password.value` is not set. | 8 | -| higress-console.o11y.enabled | If `true`, o11y suite (Grafana + Promethues) will be installed. | false | -| higress-console.pvc.rwxSupported | Set to `false` when installing to a standard K8s cluster and the target cluster doesn't support the ReadWriteMany access mode of PersistentVolumeClaim. | true | +## Higress for Kubernetes + +Higress is a cloud-native api gateway based on Alibaba's internal gateway practices. 
+ +Powered by Istio and Envoy, Higress realizes the integration of the triple gateway architecture of traffic gateway, microservice gateway and security gateway, thereby greatly reducing the costs of deployment, operation and maintenance. + +## Setup Repo Info + +```console +helm repo add higress.io https://higress.io/helm-charts +helm repo update +``` + +## Install + +To install the chart with the release name `higress`: + +```console +helm install higress -n higress-system higress.io/higress --create-namespace --render-subchart-notes +``` + +## Uninstall + +To uninstall/delete the higress deployment: + +```console +helm delete higress -n higress-system +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Parameters + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| clusterName | string | `""` | | +| controller.affinity | object | `{}` | | +| controller.automaticHttps.email | string | `""` | | +| controller.automaticHttps.enabled | bool | `true` | | +| controller.autoscaling.enabled | bool | `false` | | +| controller.autoscaling.maxReplicas | int | `5` | | +| controller.autoscaling.minReplicas | int | `1` | | +| controller.autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| controller.env | object | `{}` | | +| controller.hub | string | `"higress-registry.cn-hangzhou.cr.aliyuncs.com/higress"` | | +| controller.image | string | `"higress"` | | +| controller.imagePullSecrets | list | `[]` | | +| controller.labels | object | `{}` | | +| controller.name | string | `"higress-controller"` | | +| controller.nodeSelector | object | `{}` | | +| controller.podAnnotations | object | `{}` | | +| controller.podSecurityContext | object | `{}` | | +| controller.ports[0].name | string | `"http"` | | +| controller.ports[0].port | int | `8888` | | +| controller.ports[0].protocol | string | `"TCP"` | | +| controller.ports[0].targetPort | int | `8888` | | +| 
controller.ports[1].name | string | `"http-solver"` | | +| controller.ports[1].port | int | `8889` | | +| controller.ports[1].protocol | string | `"TCP"` | | +| controller.ports[1].targetPort | int | `8889` | | +| controller.ports[2].name | string | `"grpc"` | | +| controller.ports[2].port | int | `15051` | | +| controller.ports[2].protocol | string | `"TCP"` | | +| controller.ports[2].targetPort | int | `15051` | | +| controller.probe.httpGet.path | string | `"/ready"` | | +| controller.probe.httpGet.port | int | `8888` | | +| controller.probe.initialDelaySeconds | int | `1` | | +| controller.probe.periodSeconds | int | `3` | | +| controller.probe.timeoutSeconds | int | `5` | | +| controller.rbac.create | bool | `true` | | +| controller.replicas | int | `1` | Number of Higress Controller pods | +| controller.resources.limits.cpu | string | `"1000m"` | | +| controller.resources.limits.memory | string | `"2048Mi"` | | +| controller.resources.requests.cpu | string | `"500m"` | | +| controller.resources.requests.memory | string | `"2048Mi"` | | +| controller.securityContext | object | `{}` | | +| controller.service.type | string | `"ClusterIP"` | | +| controller.serviceAccount.annotations | object | `{}` | Annotations to add to the service account | +| controller.serviceAccount.create | bool | `true` | Specifies whether a service account should be created | +| controller.serviceAccount.name | string | `""` | If not set and create is true, a name is generated using the fullname template | +| controller.tag | string | `""` | | +| controller.tolerations | list | `[]` | | +| downstream | object | `{"connectionBufferLimits":32768,"http2":{"initialConnectionWindowSize":1048576,"initialStreamWindowSize":65535,"maxConcurrentStreams":100},"idleTimeout":180,"maxRequestHeadersKb":60,"routeTimeout":0}` | Downstream config settings | +| gateway.affinity | object | `{}` | | +| gateway.annotations | object | `{}` | Annotations to apply to all resources | +| 
gateway.autoscaling.enabled | bool | `false` | | +| gateway.autoscaling.maxReplicas | int | `5` | | +| gateway.autoscaling.minReplicas | int | `1` | | +| gateway.autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| gateway.containerSecurityContext | string | `nil` | | +| gateway.env | object | `{}` | Pod environment variables | +| gateway.hostNetwork | bool | `false` | | +| gateway.httpPort | int | `80` | | +| gateway.httpsPort | int | `443` | | +| gateway.hub | string | `"higress-registry.cn-hangzhou.cr.aliyuncs.com/higress"` | | +| gateway.image | string | `"gateway"` | | +| gateway.kind | string | `"Deployment"` | Use a `DaemonSet` or `Deployment` | +| gateway.labels | object | `{}` | Labels to apply to all resources | +| gateway.metrics.enabled | bool | `false` | If true, create PodMonitor or VMPodScrape for gateway | +| gateway.metrics.honorLabels | bool | `false` | | +| gateway.metrics.interval | string | `""` | | +| gateway.metrics.metricRelabelConfigs | list | `[]` | for operator.victoriametrics.com/v1beta1.VMPodScrape | +| gateway.metrics.metricRelabelings | list | `[]` | for monitoring.coreos.com/v1.PodMonitor | +| gateway.metrics.provider | string | `"monitoring.coreos.com"` | provider group name for CustomResourceDefinition, can be monitoring.coreos.com or operator.victoriametrics.com | +| gateway.metrics.rawSpec | object | `{}` | some more raw podMetricsEndpoints spec | +| gateway.metrics.relabelConfigs | list | `[]` | | +| gateway.metrics.relabelings | list | `[]` | | +| gateway.metrics.scrapeTimeout | string | `""` | | +| gateway.name | string | `"higress-gateway"` | | +| gateway.networkGateway | string | `""` | If specified, the gateway will act as a network gateway for the given network. 
| +| gateway.nodeSelector | object | `{}` | | +| gateway.podAnnotations."prometheus.io/path" | string | `"/stats/prometheus"` | | +| gateway.podAnnotations."prometheus.io/port" | string | `"15020"` | | +| gateway.podAnnotations."prometheus.io/scrape" | string | `"true"` | | +| gateway.podAnnotations."sidecar.istio.io/inject" | string | `"false"` | | +| gateway.rbac.enabled | bool | `true` | If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed when using http://gateway-api.org/. | +| gateway.readinessFailureThreshold | int | `30` | The number of successive failed probes before indicating readiness failure. | +| gateway.readinessInitialDelaySeconds | int | `1` | The initial delay for readiness probes in seconds. | +| gateway.readinessPeriodSeconds | int | `2` | The period between readiness probes. | +| gateway.readinessSuccessThreshold | int | `1` | The number of successive successed probes before indicating readiness success. | +| gateway.readinessTimeoutSeconds | int | `3` | The readiness timeout seconds | +| gateway.replicas | int | `2` | Number of Higress Gateway pods | +| gateway.resources.limits.cpu | string | `"2000m"` | | +| gateway.resources.limits.memory | string | `"2048Mi"` | | +| gateway.resources.requests.cpu | string | `"2000m"` | | +| gateway.resources.requests.memory | string | `"2048Mi"` | | +| gateway.revision | string | `""` | revision declares which revision this gateway is a part of | +| gateway.rollingMaxSurge | string | `"100%"` | | +| gateway.rollingMaxUnavailable | string | `"25%"` | | +| gateway.securityContext | string | `nil` | Define the security context for the pod. If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. 
| +| gateway.service.annotations | object | `{}` | | +| gateway.service.externalTrafficPolicy | string | `""` | | +| gateway.service.loadBalancerClass | string | `""` | | +| gateway.service.loadBalancerIP | string | `""` | | +| gateway.service.loadBalancerSourceRanges | list | `[]` | | +| gateway.service.ports[0].name | string | `"http2"` | | +| gateway.service.ports[0].port | int | `80` | | +| gateway.service.ports[0].protocol | string | `"TCP"` | | +| gateway.service.ports[0].targetPort | int | `80` | | +| gateway.service.ports[1].name | string | `"https"` | | +| gateway.service.ports[1].port | int | `443` | | +| gateway.service.ports[1].protocol | string | `"TCP"` | | +| gateway.service.ports[1].targetPort | int | `443` | | +| gateway.service.type | string | `"LoadBalancer"` | Type of service. Set to "None" to disable the service entirely | +| gateway.serviceAccount.annotations | object | `{}` | Annotations to add to the service account | +| gateway.serviceAccount.create | bool | `true` | If set, a service account will be created. Otherwise, the default is used | +| gateway.serviceAccount.name | string | `""` | The name of the service account to use. If not set, the release name is used | +| gateway.tag | string | `""` | | +| gateway.tolerations | list | `[]` | | +| global.autoscalingv2API | bool | `true` | whether to use autoscaling/v2 template for HPA settings for internal usage only, not to be configured by users. | +| global.caAddress | string | `""` | The customized CA address to retrieve certificates for the pods in the cluster. CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. If not set explicitly, default to the Istio discovery address. | +| global.caName | string | `""` | The name of the CA for workload certificates. For example, when caName=GkeWorkloadCertificate, GKE workload certificates will be used as the certificates for workloads. 
The default value is "" and when caName="", the CA will be configured by other mechanisms (e.g., environmental variable CA_PROVIDER). | +| global.configCluster | bool | `false` | Configure a remote cluster as the config cluster for an external istiod. | +| global.defaultPodDisruptionBudget | object | `{"enabled":false}` | enable pod disruption budget for the control plane, which is used to ensure Istio control plane components are gradually upgraded or recovered. | +| global.defaultResources | object | `{"requests":{"cpu":"10m"}}` | A minimal set of requested resources to applied to all deployments so that Horizontal Pod Autoscaler will be able to function (if set). Each component can overwrite these default values by adding its own resources block in the relevant section below and setting the desired resources values. | +| global.defaultUpstreamConcurrencyThreshold | int | `10000` | | +| global.disableAlpnH2 | bool | `false` | Whether to disable HTTP/2 in ALPN | +| global.enableGatewayAPI | bool | `false` | If true, Higress Controller will monitor Gateway API resources as well | +| global.enableH3 | bool | `false` | | +| global.enableHigressIstio | bool | `false` | | +| global.enableIPv6 | bool | `false` | | +| global.enableIstioAPI | bool | `true` | If true, Higress Controller will monitor istio resources as well | +| global.enableProxyProtocol | bool | `false` | | +| global.enableSRDS | bool | `true` | | +| global.enableStatus | bool | `true` | If true, Higress Controller will update the status field of Ingress resources. When migrating from Nginx Ingress, in order to avoid status field of Ingress objects being overwritten, this parameter needs to be set to false, so Higress won't write the entry IP to the status field of the corresponding Ingress object. | +| global.externalIstiod | bool | `false` | Configure a remote cluster data plane controlled by an external istiod. 
When set to true, istiod is not deployed locally and only a subset of the other discovery charts are enabled. | +| global.hostRDSMergeSubset | bool | `false` | | +| global.hub | string | `"higress-registry.cn-hangzhou.cr.aliyuncs.com/higress"` | Default hub for Istio images. Releases are published to docker hub under 'istio' project. Dev builds from prow are on gcr.io | +| global.imagePullPolicy | string | `""` | Specify image pull policy if default behavior isn't desired. Default behavior: latest images will be Always else IfNotPresent. | +| global.imagePullSecrets | list | `[]` | ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace to use for pulling any images in pods that reference this ServiceAccount. For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. Must be set for any cluster configured with private docker registry. | +| global.ingressClass | string | `"higress"` | IngressClass filters which ingress resources the higress controller watches. The default ingress class is higress. There are some special cases for special ingress class. 1. When the ingress class is set as nginx, the higress controller will watch ingress resources with the nginx ingress class or without any ingress class. 2. When the ingress class is set empty, the higress controller will watch all ingress resources in the k8s cluster. | +| global.istioNamespace | string | `"istio-system"` | Used to locate istiod. | +| global.istiod | object | `{"enableAnalysis":false}` | Enabled by default in master for maximising testing. | +| global.jwtPolicy | string | `"third-party-jwt"` | Configure the policy for validating JWT. Currently, two options are supported: "third-party-jwt" and "first-party-jwt". 
| +| global.kind | bool | `false` | | +| global.liteMetrics | bool | `true` | | +| global.local | bool | `false` | When deploying to a local cluster (e.g.: kind cluster), set this to true. | +| global.logAsJson | bool | `false` | | +| global.logging | object | `{"level":"default:info"}` | Comma-separated minimum per-scope logging level of messages to output, in the form of :,: The control plane has different scopes depending on component, but can configure default log level across all components If empty, default scope and level will be used as configured in code | +| global.meshID | string | `""` | If the mesh admin does not specify a value, Istio will use the value of the mesh's Trust Domain. The best practice is to select a proper Trust Domain value. | +| global.meshNetworks | object | `{}` | | +| global.mountMtlsCerts | bool | `false` | Use the user-specified, secret volume mounted key and certs for Pilot and workloads. | +| global.multiCluster.clusterName | string | `""` | Should be set to the name of the cluster this installation will run in. This is required for sidecar injection to properly label proxies | +| global.multiCluster.enabled | bool | `true` | Set to true to connect two kubernetes clusters via their respective ingressgateway services when pods in each cluster cannot directly talk to one another. All clusters should be using Istio mTLS and must have a shared root CA for this model to work. | +| global.network | string | `""` | Network defines the network this cluster belong to. This name corresponds to the networks in the map of mesh networks. 
| +| global.o11y | object | `{"enabled":false,"promtail":{"image":{"repository":"higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/promtail","tag":"2.9.4"},"port":3101,"resources":{"limits":{"cpu":"500m","memory":"2Gi"}},"securityContext":{}}}` | Observability (o11y) configurations | +| global.omitSidecarInjectorConfigMap | bool | `false` | | +| global.onDemandRDS | bool | `false` | | +| global.oneNamespace | bool | `false` | Whether to restrict the applications namespace the controller manages; If not set, controller watches all namespaces | +| global.onlyPushRouteCluster | bool | `true` | | +| global.operatorManageWebhooks | bool | `false` | Configure whether Operator manages webhook configurations. The current behavior of Istiod is to manage its own webhook configurations. When this option is set as true, Istio Operator, instead of webhooks, manages the webhook configurations. When this option is set as false, webhooks manage their own webhook configurations. | +| global.pilotCertProvider | string | `"istiod"` | Configure the certificate provider for control plane communication. Currently, two providers are supported: "kubernetes" and "istiod". As some platforms may not have kubernetes signing APIs, Istiod is the default | +| global.priorityClassName | string | `""` | Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and system-node-critical, it is better to configure this in order to make sure your Istio pods will not be killed because of low priority class. Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass for more detail. | +| global.proxy.autoInject | string | `"enabled"` | This controls the 'policy' in the sidecar injector. | +| global.proxy.clusterDomain | string | `"cluster.local"` | CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value cluster domain. Default value is "cluster.local". 
| +| global.proxy.componentLogLevel | string | `"misc:error"` | Per Component log level for proxy, applies to gateways and sidecars. If a component level is not set, then the global "logLevel" will be used. | +| global.proxy.enableCoreDump | bool | `false` | If set, newly injected sidecars will have core dumps enabled. | +| global.proxy.excludeIPRanges | string | `""` | | +| global.proxy.excludeInboundPorts | string | `""` | | +| global.proxy.excludeOutboundPorts | string | `""` | | +| global.proxy.holdApplicationUntilProxyStarts | bool | `false` | Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready | +| global.proxy.image | string | `"proxyv2"` | | +| global.proxy.includeIPRanges | string | `"*"` | istio egress capture allowlist https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" would only capture egress traffic on those two IP Ranges, all other outbound traffic would be allowed by the sidecar | +| global.proxy.includeInboundPorts | string | `"*"` | | +| global.proxy.includeOutboundPorts | string | `""` | | +| global.proxy.logLevel | string | `"warning"` | Log level for proxy, applies to gateways and sidecars. Expected values are: trace|debug|info|warning|error|critical|off | +| global.proxy.privileged | bool | `false` | If set to true, istio-proxy container will have privileged securityContext | +| global.proxy.readinessFailureThreshold | int | `30` | The number of successive failed probes before indicating readiness failure. | +| global.proxy.readinessInitialDelaySeconds | int | `1` | The initial delay for readiness probes in seconds. | +| global.proxy.readinessPeriodSeconds | int | `2` | The period between readiness probes. | +| global.proxy.readinessSuccessThreshold | int | `30` | The number of successive successed probes before indicating readiness success. 
| +| global.proxy.readinessTimeoutSeconds | int | `3` | The readiness timeout seconds | +| global.proxy.resources | object | `{"limits":{"cpu":"2000m","memory":"1024Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Resources for the sidecar. | +| global.proxy.statusPort | int | `15020` | Default port for Pilot agent health checks. A value of 0 will disable health checking. | +| global.proxy.tracer | string | `""` | Specify which tracer to use. One of: lightstep, datadog, stackdriver. If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. | +| global.proxy_init.image | string | `"proxyv2"` | Base name for the proxy_init container, used to configure iptables. | +| global.proxy_init.resources.limits.cpu | string | `"2000m"` | | +| global.proxy_init.resources.limits.memory | string | `"1024Mi"` | | +| global.proxy_init.resources.requests.cpu | string | `"10m"` | | +| global.proxy_init.resources.requests.memory | string | `"10Mi"` | | +| global.remotePilotAddress | string | `""` | configure remote pilot and istiod service and endpoint | +| global.sds.token | object | `{"aud":"istio-ca"}` | The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the JWT is intended for the CA. | +| global.sts.servicePort | int | `0` | The service port used by Security Token Service (STS) server to handle token exchange requests. Setting this port to a non-zero value enables STS server. | +| global.tracer | object | `{"datadog":{"address":"$(HOST_IP):8126"},"lightstep":{"accessToken":"","address":""},"stackdriver":{"debug":false,"maxNumberOfAnnotations":200,"maxNumberOfAttributes":200,"maxNumberOfMessageEvents":200}}` | Configuration for each of the supported tracers | +| global.tracer.datadog | object | `{"address":"$(HOST_IP):8126"}` | Configuration for envoy to send trace data to LightStep. Disabled by default. 
address: the : of the satellite pool accessToken: required for sending data to the pool | +| global.tracer.datadog.address | string | `"$(HOST_IP):8126"` | Host:Port for submitting traces to the Datadog agent. | +| global.tracer.lightstep.accessToken | string | `""` | example: abcdefg1234567 | +| global.tracer.lightstep.address | string | `""` | example: lightstep-satellite:443 | +| global.tracer.stackdriver.debug | bool | `false` | enables trace output to stdout. | +| global.tracer.stackdriver.maxNumberOfAnnotations | int | `200` | The global default max number of annotation events per span. | +| global.tracer.stackdriver.maxNumberOfAttributes | int | `200` | The global default max number of attributes per span. | +| global.tracer.stackdriver.maxNumberOfMessageEvents | int | `200` | The global default max number of message events per span. | +| global.useMCP | bool | `false` | Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source. | +| global.watchNamespace | string | `""` | If not empty, Higress Controller will only watch resources in the specified namespace. When isolating different business systems using K8s namespace, if each namespace requires a standalone gateway instance, this parameter can be used to confine the Ingress watching of Higress within the given namespace. | +| global.xdsMaxRecvMsgSize | string | `"104857600"` | | +| hub | string | `"higress-registry.cn-hangzhou.cr.aliyuncs.com/higress"` | | +| meshConfig | object | `{"enablePrometheusMerge":true,"rootNamespace":null,"trustDomain":"cluster.local"}` | meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options | +| meshConfig.rootNamespace | string | `nil` | The namespace to treat as the administrative root namespace for Istio configuration. 
When processing a leaf namespace Istio will search for declarations in that namespace first and if none are found it will search in the root namespace. Any matching declaration found in the root namespace is processed as if it were declared in the leaf namespace. | +| meshConfig.trustDomain | string | `"cluster.local"` | The trust domain corresponds to the trust root of a system Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain | +| pilot.autoscaleEnabled | bool | `false` | | +| pilot.autoscaleMax | int | `5` | | +| pilot.autoscaleMin | int | `1` | | +| pilot.configMap | bool | `true` | Install the mesh config map, generated from values.yaml. If false, pilot wil use default values (by default) or user-supplied values. | +| pilot.configSource | object | `{"subscribedResources":[]}` | This is used to set the source of configuration for the associated address in configSource, if nothing is specified the default MCP is assumed. | +| pilot.cpu.targetAverageUtilization | int | `80` | | +| pilot.deploymentLabels | object | `{}` | Additional labels to apply to the deployment. | +| pilot.enableProtocolSniffingForInbound | bool | `true` | if protocol sniffing is enabled for inbound | +| pilot.enableProtocolSniffingForOutbound | bool | `true` | if protocol sniffing is enabled for outbound | +| pilot.env.PILOT_ENABLE_CROSS_CLUSTER_WORKLOAD_ENTRY | string | `"false"` | | +| pilot.env.PILOT_ENABLE_METADATA_EXCHANGE | string | `"false"` | | +| pilot.env.PILOT_SCOPE_GATEWAY_TO_NAMESPACE | string | `"false"` | | +| pilot.env.VALIDATION_ENABLED | string | `"false"` | | +| pilot.hub | string | `"higress-registry.cn-hangzhou.cr.aliyuncs.com/higress"` | | +| pilot.image | string | `"pilot"` | Can be a full hub/image:tag | +| pilot.jwksResolverExtraRootCA | string | `""` | You can use jwksResolverExtraRootCA to provide a root certificate in PEM format. This will then be trusted by pilot when resolving JWKS URIs. 
| +| pilot.keepaliveMaxServerConnectionAge | string | `"30m"` | The following is used to limit how long a sidecar can be connected to a pilot. It balances out load across pilot instances at the cost of increasing system churn. | +| pilot.nodeSelector | object | `{}` | | +| pilot.plugins | list | `[]` | | +| pilot.podAnnotations | object | `{}` | | +| pilot.podLabels | object | `{}` | Additional labels to apply on the pod level for monitoring and logging configuration. | +| pilot.replicaCount | int | `1` | | +| pilot.resources | object | `{"requests":{"cpu":"500m","memory":"2048Mi"}}` | Resources for a small pilot install | +| pilot.rollingMaxSurge | string | `"100%"` | | +| pilot.rollingMaxUnavailable | string | `"25%"` | | +| pilot.serviceAnnotations | object | `{}` | | +| pilot.tag | string | `""` | | +| pilot.traceSampling | float | `1` | | +| revision | string | `""` | | +| tracing.enable | bool | `false` | | +| tracing.sampling | int | `100` | | +| tracing.skywalking.port | int | `11800` | | +| tracing.skywalking.service | string | `""` | | +| tracing.timeout | int | `500` | | +| upstream | object | `{"connectionBufferLimits":10485760,"idleTimeout":10}` | Upstream config settings | \ No newline at end of file diff --git a/helm/higress/README.md.gotmpl b/helm/higress/README.md.gotmpl new file mode 100644 index 000000000..4fbd8dd22 --- /dev/null +++ b/helm/higress/README.md.gotmpl 
@@ -0,0 +1,34 @@
+## Higress for Kubernetes
+
+Higress is a cloud-native api gateway based on Alibaba's internal gateway practices.
+
+Powered by Istio and Envoy, Higress realizes the integration of the triple gateway architecture of traffic gateway, microservice gateway and security gateway, thereby greatly reducing the costs of deployment, operation and maintenance.
+
+## Setup Repo Info
+
+```console
+helm repo add higress.io https://higress.io/helm-charts
+helm repo update
+```
+
+## Install
+
+To install the chart with the release name `higress`:
+
+```console
+helm install higress -n higress-system higress.io/higress --create-namespace --render-subchart-notes
+```
+
+## Uninstall
+
+To uninstall/delete the higress deployment:
+
+```console
+helm delete higress -n higress-system
+```
+
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Parameters
+
+{{ template "chart.valuesSection" . }}
\ No newline at end of file