components/tyk-gateway/values.yaml

## Default values for tyk-gateway chart.
## This is a YAML-formatted file.
## Declare variables to be passed into your templates.
## See Tyk Helm documentation for installation details:
## https://tyk.io/docs/tyk-oss/ce-helm-chart/
## Registry for all Tyk images - https://hub.docker.com/u/tykio

# nameOverride overrides the Chart name. It is truncated to 63 characters.
# Default value: tyk-gateway.name
nameOverride: ""

# fullnameOverride overrides App name. It is truncated to 63 characters.
# Default value: tyk-gateway.fullname
fullnameOverride: ""

global:
  servicePorts:
    # The port at which the gateway service can be found
    gateway: 8080

  tls:
    # When true, sets the gateway protocol to HTTPS.
    gateway: false

    # When true, it will install the certificate present in the templates folder, set to false when using
    # a custom TLS certificate to avoid overwriting yours
    useDefaultTykCertificate: true

  secrets:
    # APISecret sets node_secret and secret in tyk.conf
    APISecret: CHANGEME
    # useSecretName can be used if you don't want to store plaintext secrets in the Helm value file and would
    # rather provide the k8s Secret externally.
    # You can set following fields in the secret
    # - APISecret - Sets node_secret and secret in tyk.conf
    useSecretName: ""

  imageRegistry: ""

  redis:
    # The addrs value will allow you to set your Redis addresses.
    #
    # If you are using Redis (e.g. Bitnami Redis at bitnami/redis) then enter single
    # endpoint. If using sentinel connection mode for Redis, please update the port number (typically 26379).
    #
    # If using a Redis Cluster (e.g. bitnami/redis-cluster), you can list
    # the endpoints of the redis instances or use the cluster configuration endpoint.
    #
    # Default value: redis.{{ .Release.Namespace }}.svc:6379
    # addrs:
    #   Example using tyk simple redis chart
    #   - redis.tyk.svc:6379
    #   Example using bitnami/redis
    #   - tyk-redis-master.tyk.svc:6379
    #   Example using bitnami/redis with sentinel
    #   - tyk-redis.tyk.svc:26379
    #   Example using bitnami/redis-cluster
    #   - tyk-redis-redis-cluster.tyk.svc:6379

    # Redis password
    # If you're using Bitnami Redis chart (e.g. bitnami/redis) please input
    # your password in the field below
    # pass: ""

    # Redis password can also be provided via a secret. Provide the name of the secret and key below.
    # passSecret:
    #   name: ""
    #   keyName: ""

    # Enables SSL for Redis connection. Redis instance will have to support that.
    # Default value: false
    useSSL: false

    # Set this to `true` to tell Gateway to ignore database's cert validation.
    # This should also be set to true if you're using a self signed certificate.
    # Default value: true
    # sslInsecureSkipVerify: true

    # The Volume mount path
    # Default value: /tls 
    # certificatesMountPath: "/tls"  

    # Path to the CA file.
    # caFile: "/tls/ca.crt"  

    # Path to the cert file.
    # certFile: "/tls/redis.crt"  

    # Path to the key file.
    # keyFile: "/tls/redis.key"

    # Name of the tls secret. A secret needs to be created for this manually using the name as specified here
    # Default value: gw-tls-secret 
    # secretName: "gw-tls-secret"

    # Name of the volume where the secret will be mounted
    # Default value: gw-tls-secret-volume 
    # volumeName: "gw-tls-secret-volume"

    # Maximum supported TLS version. Valid values are TLS 1.0, 1.1, 1.2, 1.3.
    # Default value: 1.3
    # tlsMaxVersion: "1.3"

    # Minimum supported TLS version. Valid values are TLS 1.0, 1.1, 1.2, 1.3.
    # Default value: 1.2
    # tlsMinVersion: "1.2"

    # If using "Redis Cluster" set enableCluster to true
    # (e.g. if using bitnami/redis-cluster)
    # enableCluster: true

    # Enables sentinel connection mode for Redis. If enabled, provide both
    # mandatory values for sentinelPass and masterName.
    # enableSentinel: false

    # Redis sentinel master name, only required while enableSentinel is true.
    # masterName: ""

    # By default, the database index is 0. Setting the database index is not
    # supported with redis cluster. As such, if you have enableCluster: true,
    # then this value should be omitted or explicitly set to 0.
    storage:
      database: 0

  remoteControlPlane:
    # useSecretName can be used if you don't want to store plaintext values for remote control plane configurations in
    # the Helm value file and would rather provide the k8s Secret externally.
    # You should set following fields in the secret
    # - orgId - Sets slave_options.rpc_key of Tyk Gateway
    # - userApiKey - Sets slave_options.api_key of Tyk Gateway
    # - groupID - Sets slave_options.group_id of Tyk Gateway
    useSecretName: ""

    enabled: false
    # connection string used to connect to an MDCB deployment. For Tyk Cloud users, you can get it from Tyk Cloud Console and retrieve the MDCB connection string.
    connectionString: ""
    # orgID of your dashboard user
    orgId: ""
    # API key of your dashboard user
    userApiKey: ""
    # needed in case you want to have multiple data-planes connected to the same redis instance
    groupID: ""
    # enable/disable ssl
    useSSL: true
    # Disables SSL certificate verification
    sslInsecureSkipVerify: true

  # Enables validation of examples in the OAS spec. Defaults to false.
  # It is used to set TYK_GW_OAS_VALIDATE_EXAMPLES
  oasValidateExamples: false
  # Enables validation of schema defaults in the OAS spec. Defaults to false.
  # It is used to set TYK_GW_OAS_VALIDATE_SCHEMA_DEFAULTS
  oasValidateSchemaDefaults: false
  # hashKeys is used to enable/disable key hashing.
  # It is used to set TYK_GW_HASHKEYS
  hashKeys: true

  # streaming configures Tyk Streams
  streaming:
    # enabled configures whether Tyk Streams is enabled or not.
    # It is used to set TYK_GW_STREAMING_ENABLED
    enabled: true

gateway:
  # The hostname to bind the Gateway to.
  hostName: tyk-gw.local

  # EnableFixedWindowRateLimiter enables fixed window rate limiting.
  # FixedWindow will allow requests up to the configured rate limit,
  # and then block traffic for the remainder of the window duration.
  # It has minimal impact on redis, however it will not protect against
  # traffic spikes, it does not have spike arrest behaviour.
  enableFixedWindowRateLimiter: false

  # If this option is set to true, it will enable polling the Tyk Dashboard service for API definitions
  useDashboardAppConfig:
    enabled: false
    # Set it to the URL to your Dashboard instance (or a load balanced instance)
    # The URL needs to be formatted as: http://dashboard_host:port
    # It is used to set TYK_GW_DBAPPCONFOPTIONS_CONNECTIONSTRING
    dashboardConnectionString: ""

    # This option is required if Policy source is set to Tyk Dashboard (`service`).
    # Set this to the URL of your Tyk Dashboard installation.
    # The URL needs to be formatted as: http://dashboard_host:port.
    # It is used to set TYK_GW_POLICIES_POLICYCONNECTIONSTRING
    policyConnectionString: ""

  tls:
    # The name of the secret which should contain the TLS certificate you want to use with the gateway deployment
    secretName: tyk-default-tls-secret
    # This options allows you to skip verifying the TLS certificate. This is typically enabled when using self-signed certs.
    insecureSkipVerify: false

    # certificatesMountPath corresponds to the mount path of the secret.
    certificatesMountPath: "/etc/certs/tyk-gateway"
    # certificates is an array of strings, used to set TYK_GW_HTTPSERVEROPTIONS_CERTIFICATES
    certificates:
    - domain_name: "*"
      cert_file: "/etc/certs/tyk-gateway/tls.crt"
      key_file: "/etc/certs/tyk-gateway/tls.key"

  # kind is type of k8s object to be created for gateway.
  kind: Deployment

  # annotations be added to the Deployment / Statefulset of Tyk Gateway
  annotations: {}

  # podAnnotations is annotations to be added to Tyk Gateway pod.
  # It takes key-value pairs.
  # There are no required annotation field for Tyk Gateway.
  #
  # podAnnotations:
  #   yourkey: value
  #   image: yourhub
  podAnnotations: {}

  # podLabels specifies labels to be added in gateway Pod
  podLabels: {}

  # replicaCount specifies number of replicas to be created if kind is Deployment.
  replicaCount: 1

  # PodDisruptionBudget configuration
  pdb:
    enabled: false
    # minAvailable and maxUnavailable configure thresholds for PodDisruptionBudget resource
    # per PodDisruptionBudget spec they are mutually exclusive, but this chart allows
    # setting them both, in which case minAvailable will take precedence
    minAvailable: ""
    maxUnavailable: ""

  # autoscaling configuration if kind IS NOT DaemonSet
  autoscaling: {}
  #  enabled: true
  #  minReplicas: 1
  #  maxReplicas: 3
  #  averageCpuUtilization: 60
  #  averageMemoryUtilization: null
  #  autoscalingTemplate:
  #   Custom or additional autoscaling metrics
  #   ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics
  #    - type: Pods
  #      pods:
  #        metric:
  #          name: nginx_ingress_controller_nginx_process_requests_total
  #        target:
  #          type: AverageValue
  #          averageValue: 10000m
  #  behavior:
  #    scaleDown:
  #      stabilizationWindowSeconds: 300
  #      policies:
  #        - type: Percent
  #          value: 100
  #          periodSeconds: 15
  #    scaleUp:
  #      stabilizationWindowSeconds: 0
  #      policies:
  #        - type: Percent
  #          value: 100
  #          periodSeconds: 15
  #        - type: Pods
  #          value: 4
  #          periodSeconds: 15
  #      selectPolicy: Max

  image:
    # image repository for Tyk Gateway
    repository: docker.tyk.io/tyk-gateway/tyk-gateway

    # image tag for Tyk Gateway
    tag: v5.3.8

    # image pull policy for Tyk Gateway
    pullPolicy: IfNotPresent

  initContainers:
    # image configuration for the initContainer that setups up the tyk directory structure
    setupDirectories:
      repository: busybox
      tag: 1.32
      resources: {}
      # If you do want to specify resources, uncomment the following
      # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
      # limits:
      #   cpu: 100m
      #   memory: 128Mi
      # requests:
      #   cpu: 100m
      #   memory: 128Mi

  # image pull secrets to use when pulling images from repository
  imagePullSecrets: []

  # The port which will be exposed on the container for tyk-gateway
  containerPort: 8080

  service:
    # type of service
    type: ClusterIP

    # external traffic policy of the service. Set it only if you are using LoadBalancer service type
    externalTrafficPolicy: Local

    # specify loadBalancerIP if the service type is load balancer
    loadBalancerIP: ""

    # Sets the firewall rule's source parameter to the IP addresses in the list
    loadBalancerSourceRanges: []
    # - 0.0.0.0/0

    # annotations for service
    annotations: {}

    # Name for the service Port
    portName: ""    

  control:
    # If enabled, exposes control port of the gateway
    enabled: false

    # control port of gateway
    containerPort: 9696

    # Name for the service Port
    name: ""

    # port number for control port service
    port: 9696

    # service type for control port service
    type: ClusterIP

    # annotations for control port service
    annotations: {}

    # control ingress
    ingress: 
      # if enabled, creates an ingress resource for the gateway control
      enabled: false

      # specify ingress controller class name
      className: ""

      # annotations for ingress
      annotations: {}

      # ingress rules
      hosts:
        - host: chart-example-control-api-domain.local
          paths:
            - path: /
              pathType: ImplementationSpecific
                
      # tls configuration for ingress
      #  - secretName: chart-example-tls
      #    hosts:
      #      - chart-example-different-domain-possible.local
      tls: []

  # Creates an ingress object in k8s. Will require an ingress-controller and
  # annotation to that ingress controller.
  ingress:
    # if enabled, creates an ingress resource for the gateway
    enabled: false

    # specify ingress controller class name
    className: ""

    # annotations for ingress
    annotations: {}

    # ingress rules
    hosts:
      - host: chart-example.local
        paths:
          - path: /
            pathType: ImplementationSpecific

    # tls configuration for ingress
    #  - secretName: chart-example-tls
    #    hosts:
    #      - chart-example.local
    tls: []

  # hashKeyFunction specifies hashing function used in Tyk Gateway.
  # It is used to set TYK_GW_HASHKEYFUNCTION
  hashKeyFunction: murmur128

  # Sharding gateway allows you to selectively load APIs to specific gateways.
  # If enabled make sure you have at least one gateway that is not sharded.
  # Also be sure to match API segmentation tags with the tags selected below.
  sharding:
    enabled: false
    # tags is used when filtering (sharding) Tyk Gateway nodes.
    # It sets TYK_GW_DBAPPCONFOPTIONS_TAGS
    tags: ""

  # We usually recommend not to specify default resources and to leave this
  # as a conscious choice for the user. This also increases chances charts
  # run on environments with little resources, such as Minikube. If you do
  # want to specify resources, uncomment the following lines, adjust them
  # as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #  cpu: 100m
  #  memory: 128Mi
  # requests:
  #  cpu: 100m
  #  memory: 128Mi
  resources: {}

  # livenessProbe values for gateway pod. All fields from PodLivenessProbe object can be added here.
  # If set to empty or nil, the default health check on /health will be performed.
  # livenessProbe:
  #   httpGet:
  #     scheme: HTTP
  #     path: /hello
  #     port: 8080
  #   initialDelaySeconds: 5
  #   periodSeconds: 2
  #   timeoutSeconds: 3
  #   failureThreshold: 2
  #   successThreshold: 2
  livenessProbe: {}

  # readinessProbe values for gateway pod. All fields from PodReadinessProbe object can be added here.
  # If set to empty or nil, the default health check on /health will be performed.
  # readinessProbe:
  #   httpGet:
  #     scheme: HTTP
  #     path: /hello
  #     port: 8080
  #  initialDelaySeconds: 1
  #  periodSeconds: 10
  #  timeoutSeconds: 3
  #  failureThreshold: 3
  readinessProbe: {}

  # securityContext values for gateway pod. All fields from PodSecurityContext object can be added here.
  securityContext:
    runAsUser: 1000
    fsGroup: 2000
    runAsNonRoot: true

  # containerSecurityContext values for gateway container. All fields from SecurityContext object can be added here.
  containerSecurityContext:
    runAsNonRoot: true
    runAsUser: 1000
    allowPrivilegeEscalation: false
    privileged: false
    readOnlyRootFilesystem: true
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      drop:
        - ALL

  # node labels for gateway pod assignment
  nodeSelector: {}

  # tolerations for gateway pod assignment
  tolerations:
    - key: node-role.kubernetes.io/master
      effect: NoSchedule

  # affinity for gateway pod assignment
  affinity: {}

  # extraContainers is a list of containers to be added to the pod
  # - name: sidecar
  #   image: sidecar:latest
  extraContainers: []

  # extraEnvs is used to set gateway env variables
  # - name: TYK_GW_HTTPSERVEROPTIONS_SSLINSECURESKIPVERIFY
  #   value: "true"
  extraEnvs: []

  # extraVolumes is a list of volumes to be added to the pod
  # extraVolumes:
  #   - name: ca-certs
  #     secret:
  #       defaultMode: 420
  #       secretName: ca-certs
  extraVolumes: []

  # extraVolumeMounts is a list of volume mounts to be added to the pod
  # extraVolumeMounts:
  #   - name: ca-certs
  #     mountPath: /etc/ssl/certs/ca-certs.crt
  #     readOnly: true
  extraVolumeMounts: []

  # analyticsEnabled property is used to enable/disable analytics.
  # If set to empty or nil, analytics will be enabled/disabled based on `global.components.pump`.
  analyticsEnabled: ""

  # used to decide whether to send the results back directly to Tyk without a hybrid pump
  # if you want to send analytics to control plane instead of pump, change analyticsConfigType to "rpc"
  analyticsConfigType: ""

  # opentelemetry is used to configure opentelemetry for Tyk Gateway
  opentelemetry:
    # Used to enable/disable opentelemetry
    enabled: false
    # exporter is used to define the type of the exporter to sending data in OTLP protocol
    # Valid values are "grpc" or "http"
    exporter: grpc
    # endpoint defines OpenTelemetry collector endpoint to connect to.
    endpoint: localhost:4317
    # A map of headers that will be sent with HTTP requests to the collector.
    # The headers can be specified in two ways:
    #
    # 1. Direct string values:
    #    headers:
    #      X-Custom-Header: "my-value"
    #      Another-Header: "another-value"
    #
    #   The headers will be formatted as "Another-Header:another-value,X-Custom-Header:my-value"
    #
    # 2. Values from Kubernetes Secrets:
    #    headers:
    #      Authorization:
    #        fromSecret:
    #          name: "my-secret-name"    # Name of the Kubernetes Secret
    #          key: "my-secret-key"      # Key in the Secret containing the value
    #
    #   The headers will be formatted as "Authorization:<YOURTOKENHERE>"
    #
    # 3. You can mix both approaches in the same headers map:
    #    headers:
    #      X-Custom-Header: "direct-value"
    #      Authorization:
    #        fromSecret:
    #          name: "auth-secret"
    #          key: "auth-token"
    #
    # The headers will be formatted as "Authorization:<YOURTOKENHERE>,X-Custom-Header:direct-value" in the final output
    headers: {}
    # Timeout for establishing a connection to the collector
    connectionTimeout: 1
    # Name of the resource that will be used to identify the resource.
    resourceName: tyk
    # Type of the span processor to use. Valid values are “simple” or “batch”.
    spanProcessorType: batch
    # Type of the context propagator to use. Valid values are "tracecontext" and "b3".
    contextPropagation: tracecontext
    # TLS configuration for the exporter.
    tls:
      # Flag that can be used to enable TLS
      enabled: false
      # Flag that can be used to skip TLS verification if TLS is enabled
      insecureSkipVerify: true
     # Maximum TLS version that is supported.
      maxVersion: 1.3
      # Minimum TLS version that is supported
      minVersion: 1.2
      # Path to the cert file
      certFileName: ""
      # Path to the key file
      keyFileName: ""
      # Path to CA file
      caFileName: ""
      # Existing secret that stores TLS and CA Certificate
      certificateSecretName: ""
      # Mount path on which certificate secret should be mounted
      secretMountPath: ""
    sampling:
      # Refers to the policy used by OpenTelemetry to determine whether a particular trace should be sampled or not.
      type: "AlwaysOn"
      # Parameter for the TraceIDRatioBased sampler type and represents the percentage of traces to be sampled.
      rate: 0.5
      # Rule that ensures that if we decide to record data for a particular operation, we’ll also record data for
      # all the subsequent work that operation causes
      parentBased: false

  # log is used to configure the log system events
  log:
    # level is used to set the log verbosity. It is used to set TYK_GW_LOGLEVEL
    level: "info"
    # format is used to set the log format. It is used to set TYK_GW_LOGFORMAT
    format: "default"

  # EnablePathPrefixMatching changes the URL matching from wildcard mode to prefix mode.
  # If prefix matching is enabled, the match will be performed
  # - as a prefix match (/json*).
  # - against the full listen path and versioning URL (/listen-path/v4/json)
  # - the stripped listen path URL (/v4/json), and the stripped version information (/json).
  enablePathPrefixMatching: true
  # EnablePathSuffixMatching changes the URL matching to match as a suffix.
  # For example, /json is matched as /json$ against
  # - the full listen path and versioning URL (/listen-path/v4/json)
  # - the stripped listen path URL (/v4/json)
  # - the stripped version information (/json)
  enablePathSuffixMatching: true
  # EnableStrictRoutes changes the routing to avoid nearest-neighbour requests on overlapping routes
  # - if disabled, `/apple` will route to `/app`, the current default behavior,
  # - if enabled, `/app` only responds to `/app`, `/app/` and `/app/*` but not `/apple`
  # Regular expressions and parameterized routes will be left alone regardless of this setting.
  enableStrictRoutes: true

  # serviceAccountName field indicates the name of the Service Account that is going to be used by the Pods.
  # If a service account is to be used for Tyk Gateway, it should be manually created
  serviceAccountName: ""