APISIX Ingress controller for Kubernetes using Apache APISIX as a high performance reverse proxy and load balancer.
If you have installed multiple ingress controllers, add the kubernetes.io/ingress.class: apisix annotation to your Ingress resources.
This chart bootstraps an apisix-ingress-controller deployment on a Kubernetes cluster using the Helm package manager.
APISIX Ingress controller requires Kubernetes version 1.16+.

```bash
helm repo add apisix https://apache.github.io/apisix-helm-chart
helm repo update
```

Important: only Helm 3 is supported.

```bash
helm install [RELEASE_NAME] apisix/apisix-ingress-controller --namespace ingress-apisix --create-namespace
```
The command deploys apisix-ingress-controller on the Kubernetes cluster in the default configuration.
See configuration below.
See helm install for command documentation.
```bash
helm uninstall [RELEASE_NAME] --namespace ingress-apisix
```
This removes all the Kubernetes components associated with the chart and deletes the release.
See helm uninstall for command documentation.
```bash
helm upgrade [RELEASE_NAME] [CHART] --install
```
See helm upgrade for command documentation.
See Customizing the Chart Before Installing. To see all configurable options with detailed comments, visit the chart's values.yaml, or run these configuration commands:
```bash
helm show values apisix/apisix-ingress-controller
```

The priorityClassName field references the name of an existing PriorityClass object. Check here for more details.
A security context provides us with a way to define privilege and access control for a Pod or even at the container level.
Check here to see the SecurityContext resource with more detail.
Check also here to see a full explanation and some examples to configure the security context.
Right below you have an example of the security context configuration. In this case, we define that all the processes in the container will run with user ID 1000.
```yaml
...
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
...
```
The same for the group definition, where we define the primary group of 3000 for all processes.
It is important to know that if runAsGroup is omitted, the primary group will be root(0), which in some cases goes against security policies.
To define this configuration at the pod level, you need to set:
```bash
--set podSecurityContext.runAsUser=«VALUE» --set podSecurityContext.runAsGroup=«VALUE» ...
```
The same for container level, you need to set:
```bash
--set securityContext.runAsUser=«VALUE» --set securityContext.runAsGroup=«VALUE» ...
```
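To check what the pod-level and container-level settings above actually resolve to, the following added example (not part of the chart or its documentation) computes the effective UID and primary GID per container and flags the root(0) group fallback. The sample Deployment and the container names `manager` and `adc` are constructed for illustration.

```python
import json

# Constructed sample: a trimmed Deployment as `kubectl get deploy -o json` would
# return it. Container names "manager" and "adc" are assumptions for illustration.
SAMPLE_DEPLOYMENT = json.loads("""
{"spec": {"template": {"spec": {
  "securityContext": {"runAsUser": 1000, "fsGroup": 2000},
  "containers": [
    {"name": "manager", "securityContext": {"runAsGroup": 3000}},
    {"name": "adc"}
  ]}}}}
""")

def effective_ids(deployment):
    """Map container name -> (uid, gid, findings) after pod/container merging."""
    pod_spec = deployment["spec"]["template"]["spec"]
    pod_sc = pod_spec.get("securityContext") or {}
    report = {}
    for container in pod_spec.get("containers", []):
        sc = container.get("securityContext") or {}
        # A container-level value overrides the pod-level one for that container.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        gid = sc.get("runAsGroup", pod_sc.get("runAsGroup"))
        findings = []
        if uid is None:
            findings.append("runAsUser unset: the image decides the UID")
        elif uid == 0:
            findings.append("runs as root (UID 0)")
        if gid is None and uid is not None:
            gid = 0  # runAsGroup omitted: primary group falls back to root(0)
            findings.append("runAsGroup omitted: primary group is root(0)")
        elif gid == 0:
            findings.append("primary group explicitly set to root(0)")
        report[container["name"]] = (uid, gid, findings)
    return report

if __name__ == "__main__":
    for name, (uid, gid, findings) in effective_ids(SAMPLE_DEPLOYMENT).items():
        print(f"{name}: uid={uid} gid={gid} {findings}")
```

In the sample, setting runAsGroup only on one container leaves the sidecar with UID 1000 and primary group 0, which is the case a pod-level runAsGroup prevents.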
| Key | Type | Default | Description | 
|---|---|---|---|
| apisix.adminService.name | string | "apisix-admin" | |
| apisix.adminService.namespace | string | "apisix-ingress" | |
| apisix.adminService.port | int | 9180 | |
| autoscaling.enabled | bool | false | |
| autoscaling.minReplicas | int | 1 | |
| config.controllerName | string | "apisix.apache.org/apisix-ingress-controller" | |
| config.enableHTTP2 | bool | false | |
| config.execADCTimeout | string | "15s" | |
| config.kubernetes.defaultIngressClass | bool | false | |
| config.kubernetes.ingressClass | string | "apisix" | |
| config.leaderElection.disable | bool | false | |
| config.leaderElection.id | string | "apisix-ingress-controller-leader" | |
| config.leaderElection.leaseDuration | string | "15s" | |
| config.leaderElection.renewDeadline | string | "10s" | |
| config.leaderElection.retryPeriod | string | "2s" | |
| config.logLevel | string | "info" | |
| config.metricsAddr | string | ":8080" | |
| config.probeAddr | string | ":8081" | |
| config.provider.initSyncDelay | string | "20m" | |
| config.provider.syncPeriod | string | "1m" | |
| config.provider.type | string | "apisix" | |
| config.secureMetrics | bool | false | |
| deployment.adcContainer | object | {"config":{"logLevel":"info"},"image":{"repository":"ghcr.io/api7/adc","tag":"0.21.2"}} | Set adc sidecar container configuration | 
| deployment.affinity | object | {} | |
| deployment.annotations | object | {} | Add annotations to Apache APISIX ingress controller resource | 
| deployment.image.pullPolicy | string | "IfNotPresent" | |
| deployment.image.repository | string | "apache/apisix-ingress-controller" | |
| deployment.image.tag | string | "2.0.0-rc5" | |
| deployment.nodeSelector | object | {} | |
| deployment.podAnnotations | object | {} | |
| deployment.podSecurityContext | object | {"fsGroup":2000} | Set security context for the pod. fsGroup: 2000 ensures containers can share Unix socket files via a common group. | 
| deployment.replicas | int | 1 | |
| deployment.resources | object | {} | Set pod resource requests & limits | 
| deployment.tolerations | list | [] | |
| deployment.topologySpreadConstraints | list | [] | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods | 
| fullnameOverride | string | "" | |
| gatewayProxy.createDefault | bool | false | Controls whether to create a default GatewayProxy custom resource. | 
| gatewayProxy.provider | object | {"controlPlane":{"auth":{"adminKey":{"value":"edd1c9f034335f136f87ad84b625c8f1","valueFrom":{}},"type":"AdminKey"},"endpoints":[],"service":{"name":"","port":9180}},"pluginMetadata":{},"plugins":[],"type":"ControlPlane"} | Configuration for the GatewayProxy provider connection | 
| gatewayProxy.provider.controlPlane | object | {"auth":{"adminKey":{"value":"edd1c9f034335f136f87ad84b625c8f1","valueFrom":{}},"type":"AdminKey"},"endpoints":[],"service":{"name":"","port":9180}} | ControlPlane provider specific configuration. Either endpoints or service must be specified, but not both. | 
| gatewayProxy.provider.controlPlane.auth | object | {"adminKey":{"value":"edd1c9f034335f136f87ad84b625c8f1","valueFrom":{}},"type":"AdminKey"} | Authentication configuration for control plane connection | 
| gatewayProxy.provider.controlPlane.auth.adminKey | object | {"value":"edd1c9f034335f136f87ad84b625c8f1","valueFrom":{}} | AdminKey authentication configuration. Either value or valueFrom must be specified, but not both. | 
| gatewayProxy.provider.controlPlane.auth.adminKey.value | string | "edd1c9f034335f136f87ad84b625c8f1" | The admin key value for authentication. | 
| gatewayProxy.provider.controlPlane.auth.adminKey.valueFrom | object | {} | Reference to admin key stored in a Kubernetes Secret | 
| gatewayProxy.provider.controlPlane.auth.type | string | AdminKey | Authentication type. Only AdminKey is currently supported. | 
| gatewayProxy.provider.controlPlane.endpoints | list | [] | List of APISIX control plane Admin API endpoints. Example: ["http://apisix-admin.default.svc.cluster.local:9180"] | 
| gatewayProxy.provider.controlPlane.service | object | {"name":"","port":9180} | Alternatively, reference a Kubernetes Service for the APISIX Admin API. | 
| gatewayProxy.provider.pluginMetadata | object | {} | Global plugin metadata shared by all instances of the same plugin. | 
| gatewayProxy.provider.plugins | list | [] | List of global plugins to be enabled on the GatewayProxy. | 
| gatewayProxy.provider.type | string | "ControlPlane" | Specifies the provider type for the GatewayProxy. | 
| labelsOverride | object | {} | Override default labels assigned to Apache APISIX ingress controller resource | 
| nameOverride | string | "" | |
| podDisruptionBudget | object | {"enabled":false,"maxUnavailable":1,"minAvailable":"90%"} | See https://kubernetes.io/docs/tasks/run-application/configure-pdb/ for more details | 
| podDisruptionBudget.enabled | bool | false | Enable or disable podDisruptionBudget | 
| podDisruptionBudget.maxUnavailable | int | 1 | Set the maxUnavailable of podDisruptionBudget | 
| podDisruptionBudget.minAvailable | string | "90%" | Set the minAvailable of podDisruptionBudget. You can specify only one of maxUnavailable and minAvailable in a single PodDisruptionBudget. See Specifying a Disruption Budget for your Application for more details | 
| serviceMonitor.annotations | object | {} | ServiceMonitor annotations | 
| serviceMonitor.enabled | bool | false | Enable or disable ServiceMonitor | 
| serviceMonitor.interval | string | "15s" | Interval at which metrics should be scraped | 
| serviceMonitor.labels | object | {} | ServiceMonitor extra labels | 
| serviceMonitor.metricRelabelings | object | {} | MetricRelabelConfigs to apply to samples before ingestion. ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs | 
| serviceMonitor.namespace | string | "monitoring" | Namespace in which to create the ServiceMonitor | 
| webhook.certificate.provided | bool | false | Set to true if you want to provide your own certificate | 
| webhook.enabled | bool | true | Enable or disable admission webhook | 
| webhook.failurePolicy | string | "Fail" | Failure policy for the webhook (Fail or Ignore) | 
| webhook.port | int | 9443 | The port for the webhook server to listen on | 
| webhook.timeoutSeconds | int | 10 | Timeout in seconds for the webhook |
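
The table lists a default value for gatewayProxy.provider.controlPlane.auth.adminKey.value and two "either, but not both" constraints. The following added example (not part of the chart) audits a merged values document against those three points; the sample values are constructed, and skipping the audit when createDefault is false is an assumption about how the chart uses the provider block.

```python
# Default published in the chart's values table; anyone can read it.
CHART_DEFAULT_ADMIN_KEY = "edd1c9f034335f136f87ad84b625c8f1"

def audit_gateway_proxy(values):
    """Return findings for the gatewayProxy block of a merged values dict."""
    gp = values.get("gatewayProxy") or {}
    if not gp.get("createDefault"):
        # Assumption: the provider block is only rendered into the default
        # GatewayProxy resource, so nothing to audit when it is not created.
        return []
    cp = (gp.get("provider") or {}).get("controlPlane") or {}
    admin_key = (cp.get("auth") or {}).get("adminKey") or {}
    value, value_from = admin_key.get("value"), admin_key.get("valueFrom")
    findings = []
    if value and value_from:
        findings.append("adminKey: value and valueFrom are both set")
    elif not value and not value_from:
        findings.append("adminKey: neither value nor valueFrom is set")
    if value == CHART_DEFAULT_ADMIN_KEY:
        findings.append("adminKey.value is the chart default")
    endpoints = cp.get("endpoints") or []
    service_name = (cp.get("service") or {}).get("name")
    if endpoints and service_name:
        findings.append("controlPlane: endpoints and service are both set")
    elif not endpoints and not service_name:
        findings.append("controlPlane: neither endpoints nor service is set")
    return findings

# Constructed sample values (as from `helm get values RELEASE --all -o json`).
SAMPLE_VALUES = {"gatewayProxy": {"createDefault": True, "provider": {"controlPlane": {
    "auth": {"type": "AdminKey", "adminKey": {
        "value": CHART_DEFAULT_ADMIN_KEY, "valueFrom": {}}},
    "endpoints": ["http://apisix-admin.default.svc.cluster.local:9180"],
    "service": {"name": "apisix-admin", "port": 9180}}}}}

if __name__ == "__main__":
    for finding in audit_gateway_proxy(SAMPLE_VALUES):
        print(finding)
```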