Skip to content

Latest commit

 

History

History

server

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
conf
conf
 
 
templates
templates
 
 
.helmignore
.helmignore
 
 
CHANGELOG.md
CHANGELOG.md
 
 
Chart.lock
Chart.lock
 
 
Chart.yaml
Chart.yaml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
values.yaml
values.yaml
 
 

README.md

Aqua Security Server Helm Chart

These are Helm charts for installation and maintenance of Aqua Container Security Platform: Console Server, Gateway & Database.

Contents

Prerequisites

Container Registry Credentials

Link

Service Account

By default, the chart will create a SA named aqua-sa, and will deploy the resources using it.

There are 3 scenarios for the service account usage:

  1. Using the default SA aqua-sa, this is the default option, no additional values need to be provided.

  2. Using a custom name for SA, in this scenario the following values need to be provided: serviceAccount.name and gateway.serviceAccount.name containing the desired name.

  3. Using an existing SA or imperatively created one: For example the SA can be created and patched with these commands:

    # Create the ServiceAccount
kubectl create serviceaccount aqua-custom-sa -n aqua
# Patch the ServiceAccount with the pull secret
kubectl patch serviceaccount aqua-custom-sa -n aqua -p '{"imagePullSecrets": [{"name": "aqua-registry-secret"}]}'

    and the values that need to be provided are:

    • serviceAccount.name and gateway.serviceAccount.name containing the value aqua-custom-sa.
    • serviceAccount.create with the valuefalse

PostgreSQL database

Aqua Security recommends implementing a highly-available PostgreSQL database. By default, the console chart will install a PostgreSQL database and attach it to persistent storage for POC usage and testing. For production use, one may override this default behavior and specify an existing PostgreSQL database by setting the following variables in values.yaml:

global:
  db:
    external:
      enabled: true
      name: example-aquasec
      host: aquasec-db
      port: 5432
      user: aquasec-db-username
      password: verysecret

Installing the Chart

Follow the steps in this section for production grade deployments. You can either clone aqua-helm git repository, or you can add our helm private repository (https://helm.aquasec.com)

Installing Aqua Web from Helm Private Repository

  • Add Aqua Helm Repository
helm repo add aqua-helm https://helm.aquasec.com
helm repo update
  • Check for available chart versions either from Changelog or by running the below command
helm search repo aqua-helm/server --versions
  • Install Aqua
helm upgrade --install --namespace aqua <RELEASE_NAME> aqua-helm/server --set imageCredentials.username=<>,imageCredentials.password=<>,global.platform=<>

Advanced Configuration

Envoy

In order to support L7 / gRPC communication between gateway and enforcers Aqua recommends that customers use the Envoy load balancer. Following are the detailed steps to enable and deploy a secure envoy based load balancer.

  1. Generate TLS certificates signed by a public CA or Self-Signed CA

    # Self-Signed Root CA (Optional)
#####################################################################################

# Create Root Key
# If you want a non password protected key just remove the -des3 option
openssl genrsa -des3 -out rootCA.key 4096

# Create and self sign the Root Certificate
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt

#####################################################################################
# Create a certificate
#####################################################################################

# Create the certificate key
openssl genrsa -out myDomain.com.key 2048
# Create the signing (csr)
openssl req -new -key myDomain.com.key -out myDomain.com.csr
# Verify the csr content
openssl req -in myDomain.com.csr -noout -text

#####################################################################################
# Generate the certificate using the myDomain csr and key along with the CA Root key
#####################################################################################

openssl x509 -req -in myDomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out myDomain.com.crt -days 500 -sha256

#####################################################################################
# If you wish to use a Public CA like GoDaddy or LetsEncrypt please
# submit the myDomain csr to the respective CA to generate myDomain crt

  2. Create TLS cert secret

    kubectl create secret generic aqua-lb-tls --from-file=myDomain.com.crt --from-file=myDomain.com.key --from-file=rootCA.crt -n aqua

  3. Edit the values.yaml file to include above secret

        TLS:
      listener:
         secretName: "aqua-lb-tls"
         publicKey_fileName: "myDomain.com.crt"
         privateKey_fileName: "myDomain.com.key"
         rootCA_fileName: "rootCA.crt"

  4. [Optional] If Gateway requires client certificate authentication edit the values.yaml to include those secrets as well:

        TLS:
      ...
      cluster:
         enabled: true
         secretName: "aqua-lb-tls-custer"
         publicKey_fileName: "envoy.crt"
         privateKey_fileName: "envoy.key"
         rootCA_fileName: "rootCA.crt"

  5. For more customizations please refer to Configurable Variables

Database

  1. By default, the Aqua helm chart will deploy a database container. If you wish to use an external database please set global.db.external.enabled to true and the following with appropriate values. 
    global.db.external.name
global.db.external.host
global.db.external.port
global.db.external.user
global.db.external.password
  2. By default, the same database (Packaged DB Container | Managed DB like AWS RDS) will be used to host both main DB and Audit DB. If you want to use a different database for audit db then set following variables in the values.yaml file 
    global.db.external.auditName
global.db.external.auditHost
global.db.external.auditPort
global.db.external.auditUser
global.db.external.auditPassword
  3. If you are using packaged DB container then
    1. The AQUA_ENV_SIZE variable can be used to define the sizing of your DB container in terms of number of connections and optimized configuration but not the PV size. Please choose appropriate PV size as per your requirements.
    2. By default, AQUA_ENV_SIZE is set to "S" and the possible values are "M", "L"

Configuring HTTPS for Aqua's server

By default, Aqua will generate a self-signed cert and will use the same for HTTPS communication. If you wish to use your own SSL/TLS certs you can do this in two different ways

  1. Ingress(optional): Kubernetes ingress controller can be used to publicly expose aqua web UI over an HTTPS connection

  2. LoadBalancer(Default):

    1. Create Kubernetes secrets for server component using the respective SSL certificates.

      kubectl create secret generic aqua-web-certs --from-file aqua_web.key --from-file aqua_web.crt --from-file rootCA.crt -n aqua

here: aqua_web.key    = privateKey
      aqua_web.crt    = publicKey
      rootCA.crt      = rootCA
      aqua-web-certs  = secret Name

    2. Enable web.TLS.enable to true in values.yaml

    3. Add the certificate's secret name web.TLS.secretName in values.yaml

    4. Add respective certificate file names to web.TLS.publicKey_fileName, web.TLS.privateKey_fileName and web.TLS.rootCA_fileName(Add rootCA if certs are self-signed) in values.yaml

    5. Proceed with the deployment.

Configuring mTLS/TLS for Aqua Server and Aqua Gateway

By default, deploying Aqua Enterprise configures TLS-based encrypted communication, using self-signed certificates, between Aqua components. If you want to use self-signed certificates to establish mTLS between aqua components use the below instructions to generate rootCA and component certificates

Note: * mTLS communication and setup is only supported for self-hosted Aqua. It is not supported for Aqua ESE and Aqua SAAS*

Create Root CA (Done once)

Important: Optional, If you have already the existing rootCA certs you can skip to generating [component certificates] step.(#create-the-certificate-key-for-aqua-server-gateway)

1. Create Root Key

Attention: this is the key used to sign the certificate requests, anyone holding this can sign certificates on your behalf. So keep it in a safe place!

  • Generating rootCA key 
    openssl genrsa -des3 -out rootCA.key 4096

If you want a non-password-protected key just remove the -des3 option

2. Create and self sign the Root Certificate

  • Creating rootCA certificate 
    openssl req -new -x509 -days 365 -key rootCA.key -sha256 -days 1024 -out rootCA.crt

Create the certificate key for Aqua server, gateway

After creating rootCA certs start generating component certificates.

3. Create keys and signing (csr):

The certificate signing request is where you specify the details for the certificate you want to generate. This request will be processed by the owner of the Root key (you in this case since you create it earlier) to generate the certificate.

Important: Please mind that while creating the signing request is important to specify the Common Name providing the IP address or domain name for the service, otherwise the certificate cannot be verified.

Important for multi-cluster: When using a multi-cluster setup like enforcer/kube-enforcers from various clusters or connecting over the internet with gateway/envoy, then SAN(subjectAltName) section should contain alternate domain/IP addresses of the component.

  1. Creating aqua_web key and csr:

    openssl req -newkey rsa:2048 -nodes -keyout aqua_web.key -subj "/C=US/ST=CA/O=MyOrg/CN=aqua-console-svc" -out aqua_web.csr

  2. Creating aqua_gateway key and csr:

    openssl req -newkey rsa:2048 -nodes -keyout aqua_gateway.key -subj "/C=US/ST=CA/O=MyOrg/CN=aqua-gateway-svc" -out aqua_gateway.csr

here, change the subjectAltName accordingly to your domain.

4. Verify the CSR's content:

  • verify the generated component csr content(optional) 
    openssl req -in aqua_web.csr -noout -text
openssl req -in aqua_gateway.csr -noout -text

5. Generate the certificate using the component CSR's and key along with the CA Root key:

  1. Creating aqua_web certificate

    openssl x509 -req \
   -extfile <(printf "subjectAltName=DNS:aqua-console-svc.aqua,DNS:aqua-console-svc,DNS:my-domain.com") \
   -days 365 -in aqua_web.csr \
   -CA rootCA.crt -CAkey rootCA.key -CAcreateserial \
   -out aqua_web.crt

    here, change the subjectAltName accordingly to your domain.

  2. Creating aqua_gateway certificate

    openssl x509 -req \
   -extfile <(printf "subjectAltName=DNS:aqua-gateway-svc.aqua,DNS:aqua-gateway-svc,DNS:my-domain.com") \
   -days 365 -in aqua_gateway.csr \
   -CA rootCA.crt -CAkey rootCA.key -CAcreateserial \
   -out aqua_gateway.crt

    here, change the subjectAltName accordingly to your domain.

6. Verify the certificate's content:

  • verify the generated component certificate content(optional) 
    openssl x509 -in aqua_web.crt -text -noout
openssl x509 -in aqua_gateway.crt -text -noout

Create secrets with generated certs and change values.yaml as mentioned below

  1. Create Kubernetes secrets for server and gateway components using the generated SSL certificates.

    # Example:
# Change < certificate filenames > respectively
kubectl create secret generic aqua-web-certs --from-file aqua_web.key --from-file aqua_web.crt --from-file rootCA.crt -n aqua
kubectl create secret generic aqua-gateway-certs --from-file aqua_gateway.key --from-file aqua_gateway.crt --from-file rootCA.crt -n aqua

  2. Enable web.TLS.enable and gate.TLS.enable to true in values.yaml

  3. Add the certificates secret name web.TLS.secretName and gateway.TLS.secretName in values.yaml

  4. Add respective certificate file names to web.TLS.publicKey_fileName, web.TLS.privateKey_fileName, web.TLS.rootCA_fileName(Add rootCA if certs are self-signed), gate.TLS.publicKey_fileName, gate.TLS.privateKey_fileName and gate.TLS.rootCA_fileName(Add rootCA if certs are self-signed) in values.yaml

  5. For enabling mTLS/TLS connection with self-signed or CA certificates between gateway and enforcers please set up mTLS/TLS config for enforcer chart and kube-enforcer

Configure mTLS between server/gateway and external DB

  1. Add the external DB values under global.db.external section
  2. Change global.db.ssl and global.db.auditssl to true
  3. Create secret with external DB public certificate 
    kubectl create secret generic <<dbcert_secret_name>> --from-file <<db_certificate.pem_file_path>> -n aqua
  4. Set the following variables 
    global.db.externalDBCerts.enable: true
global.db.externalDBCerts.certSecretName: <<dbcert_secret_name>>
  5. Select ssl mode for external databases 
    sslmode: require          # accepts: allow | prefer | require | verify-ca | verify-full (Default: Require)
auditsslmode: require     # accepts: allow | prefer | require | verify-ca | verify-full (Default: Require)
  6. Note: In Active-Active mode set respective values to pubsub variables

Setting active-active mode

  1. Set activeactive to true in values.yaml
  2. Also set following configurable variables 
    global.db.external.pubsubName
global.db.external.pubsubHost
global.db.external.pubsubPort
global.db.external.pubsubUser
global.db.external.pubsubPassword

Configurable Variables

Parameter Description Default Mandatory
imageCredentials.create Set if to create new pull image secret true YES
imageCredentials.name Your Docker pull image secret name aqua-registry-secret YES
imageCredentials.repositoryUriPrefix Repository uri prefix for dockerhub set docker.io registry.aquasec.com YES
imageCredentials.registry Set the registry url for dockerhub set index.docker.io/v1/ registry.aquasec.com YES
imageCredentials.username Your Docker registry (DockerHub, etc.) username aqua-registry-secret YES
imageCredentials.password Your Docker registry (DockerHub, etc.) password unset YES
global.platform Specify the Kubernetes (k8s) platform acronym, allowed values are: aks, eks, gke, openshift, tkg, tkgi, k8s, rancher, gs, k3s, mke. unset YES
openshift_route.create To create openshift routes for web and gateway false NO
rbac.create To create default cluster-role and cluster-role bindings according to the platform true NO
serviceAccount.create Enable to true to create serviceAccount true YES
serviceAccount.name Mention the existing service-account name to overwrite the default serviceAccount name. The default is {{ .Release.Namespace }}-sa
unset NO
clusterRole.roleRef Cluster role reference name for cluster roleBinding unset NO
activeactive Set for HA Active-Active cluster mode false
clustermode Set for HA Active-Passive cluster mode
To be deprecated, use Active-Active instead		 false
admin.createSecret Set if to create web secret unset NO
admin.secretName Web secret name unset NO
admin.token Use this Aqua license token unset NO
admin.password Use this Aqua admin password unset NO
dockerSocket.mount Boolean parameter if to mount docker socket unset NO
dockerSocket.path Docker socket path /var/run/docker.sock NO
podSecurityPolicy.create Enable Pod Security Policies with the required Server capabilities false NO
podSecurityPolicy.privileged Enable privileged permissions to the Server true if podSecurityPolicy.create is true NO
docker Scanning mode direct or docker link - NO
global.db.external.enabled Avoid installing a Postgres container and use an external database instead false YES
global.db.external.name PostgreSQL DB name unset YES
if db.external.enabled is set to true
global.db.external.host PostgreSQL DB hostname unset YES
if db.external.enabled is set to true
global.db.external.port PostgreSQL DB port unset YES
if db.external.enabled is set to true
global.db.external.user PostgreSQL DB username unset YES
if db.external.enabled is set to true
global.db.external.password PostgreSQL DB password unset YES
if db.external.enabled is set to true
global.db.external.auditName PostgreSQL DB audit name unset NO
global.db.external.auditHost PostgreSQL DB audit hostname unset NO
global.db.external.auditPort PostgreSQL DB audit port unset NO
global.db.external.auditUser PostgreSQL DB audit username unset NO
global.db.external.auditPassword PostgreSQL DB audit password unset NO
global.db.external.pubsubName PostgreSQL DB pubsub name unset NO
global.db.external.pubsubHost PostgreSQL DB pubsub hostname unset NO
global.db.external.pubsubPort PostgreSQL DB pubsub port unset NO
global.db.external.pubsubUser PostgreSQL DB pubsub username unset NO
global.db.external.pubsubPassword PostgreSQL DB pubsub password unset NO
global.db.passwordFromSecret.enabled Enable to load DB passwords from Secrets false YES
global.db.passwordFromSecret.dbPasswordName Password secret name null NO
global.db.passwordFromSecret.dbPasswordKey Password secret key null NO
global.db.passwordFromSecret.dbAuditPasswordName Audit password secret name null NO
global.db.passwordFromSecret.dbAuditPasswordKey Audit password secret key null NO
global.db.passwordFromSecret.dbPubsubPasswordName Pubsub password secret name null NO
global.db.passwordFromSecret.dbPubsubPasswordKey Pubsub password secret key null NO
global.db.ssl If require an SSL-encrypted connection to the Postgres configuration database. false NO
global.db.sslmode If ssl is true, select the type of SSL mode between db and console/gateway accepts: allow, prefer, require, verify-ca, verify-full (Default: Require) require NO
global.db.auditssl If require an SSL-encrypted connection to the Postgres configuration audit database. false NO
global.db.auditsslmode If auditssl is true, select the type of SSL mode between db and console/gateway accepts: allow, prefer, require, verify-ca, verify-full (Default: Require) require NO
global.db.pubsubssl If require an SSL-encrypted connection to the Postgres configuration pubsub database. false NO
global.db.pubsubsslmode If pubsubssl is true, select the type of SSL mode between db and console/gateway accepts: allow, prefer, require, verify-ca, verify-full (Default: Require) require NO
global.db.externalDbCerts.enable If true, external db can connect with mTLS i.e.., verify-ca/verify-full ssl mode by mounting the ca cert to console & gateway false NO
global.db.externalDbCerts.certSecretName If global.db.externalDbCerts.enable true, Secret name which holds external db ca certificate files null NO
global.db.persistence.database.enabled If true, Persistent Volume Claim will be created true NO
global.db.persistence.database.accessModes Persistent Volume access mode ReadWriteOnce NO
global.db.persistence.database.size Persistent Volume size 30Gi NO
global.db.persistence.database.storageClass Persistent Volume Storage Class unset NO
global.db.persistence.audit_database.enabled If true, Persistent Volume Claim will be created for audit database true NO
global.db.persistence.audit_database.accessModes Persistent Volume access mode for audit database ReadWriteOnce NO
global.db.persistence.audit_database.size Persistent Volume size for audit database 30Gi NO
global.db.persistence.audit_database.storageClass Persistent Volume Storage Class for audit database unset NO
global.db.env_size Set this to tune DB parameters S YES
Possible values: “S” (default), “M”, “L”
global.db.image.repository The docker image name to use database NO
global.db.image.tag The image tag to use. 2022.4 NO
global.db.image.pullPolicy The kubernetes image pull policy. IfNotPresent NO
global.db.service.type Kubernetes service type ClusterIP NO
global.db.resources Resource requests and limits {} NO
global.db.nodeSelector Kubernetes node selector {} NO
global.db.tolerations Kubernetes node tolerations [] NO
global.db.affinity Kubernetes node affinity {} NO
global.db.podAnnotations Kubernetes pod annotations {} NO
global.db.securityContext Set of security context for the container nil NO
global.db.extraEnvironmentVars Is a list of extra environment variables to set in the database deployments. {} NO
global.db.extraSecretEnvironmentVars Is a list of extra environment variables to set in the database deployments, these variables take value from existing Secret objects. [] NO
gateway.image.repository The docker image name to use gateway NO
gateway.enabled Deploy gateway chart with server chart True NO
gateway.image.tag The image tag to use. 2022.4 NO
gateway.image.pullPolicy The kubernetes image pull policy. IfNotPresent NO
gateway.service.type Kubernetes service type ClusterIP NO
gateway.service.loadbalancerIP Can specify loadBalancerIP address for aqua-web in AKS platform null NO
gateway.service.annotations Service annotations {} NO
gateway.service.ports Array of ports settings array NO
gateway.service.loadBalancerSourceRanges In order to limit which client IP's can access the Network Load Balancer, specify a list of CIDRs null NO
gateway.serviceAccount.name The name of the SA to deploy the gateway aqua-sa NO
gateway.serviceAccount.annotations The annotations of the SA to deploy the gateway `` NO
gateway.publicIP Gateway public ip aqua-gateway NO
gateway.replicaCount Replica count 1 NO
gateway.resources Resource requests and limits {} NO
gateway.nodeSelector Kubernetes node selector {} NO
gateway.tolerations Kubernetes node tolerations [] NO
gateway.affinity Kubernetes node affinity {} NO
gateway.podAnnotations Kubernetes pod annotations {} NO
gateway.securityContext Set of security context for the container nil NO
gateway.pdb.minAvailable Set minimum available value for gate pod PDB 1 NO
gateway.pdb.apiVersion Override the API version of the PodDisruptionBudget `` NO
gateway.TLS.enabled If require secure channel communication false NO
gateway.TLS.secretName Certificates secret name nil YES
if gate.TLS.enabled is set to true
gateway.TLS.publicKey_fileName Filename of the public key eg: aqua_gateway.crt nil YES
if gate.TLS.enabled is set to true
gateway.TLS.privateKey_fileName Filename of the private key eg: aqua_gateway.key nil YES
if gate.TLS.enabled is set to true
gateway.TLS.rootCA_fileName Filename of the rootCA, if using self-signed certificates eg: rootCA.crt nil NO
if gate.TLS.enabled is set to true and using self-signed certificates for TLS/mTLS
gateway.TLS.aqua_verify_enforcer Change it to "1" or "0" for enabling/disabling mTLS between enforcer and gateway/envoy 0 YES
if gate.TLS.enabled is set to true
gateway.extraEnvironmentVars Is a list of extra environment variables to set in the gateway deployments. {} NO
gateway.extraSecretEnvironmentVars Is a list of extra environment variables to set in the gateway deployments, these variables take value from existing Secret objects. [] NO
gateway.headlessService Create headless service for envoy true NO
web.image.repository The docker image name to use console NO
web.image.tag The image tag to use. 2022.4 NO
web.image.pullPolicy The kubernetes image pull policy. IfNotPresent NO
web.service.type Kubernetes service type LoadBalancer NO
web.service.loadbalancerIP Can specify loadBalancerIP address for aqua-web in AKS platform null NO
web.service.annotations Service annotations {} NO
web.service.ports Array of ports settings array NO
web.replicaCount Replica count 1 NO
web.resources Resource requests and limits {} NO
web.nodeSelector Kubernetes node selector {} NO
web.tolerations Kubernetes node tolerations [] NO
web.affinity Kubernetes node affinity {} NO
web.podAnnotations Kubernetes pod annotations {} NO
web.pdbApiVersion Override the API version of the PodDisruptionBudget false NO
web.ingress.enabled If true, Ingress will be created false NO
web.ingress.apiVersion Override the API version of the Ingress false NO
web.ingress.annotations Ingress annotations [] NO
web.ingress.hosts Ingress hostnames [] NO
web.ingress.path Ingress Path / NO
web.ingress.tls Ingress TLS configuration (YAML) [] NO
web.securityContext Set of security context for the container nil NO
web.pdb.minAvailable Set minimum available value for web pod PDB 1 NO
web.TLS.enabled If require secure channel communication false NO
web.TLS.secretName Certificates secret name nil NO
web.TLS.publicKey_fileName Filename of the public key eg: aqua_web.crt nil YES
if gate.TLS.enabled is set to true
web.TLS.privateKey_fileName Filename of the private key eg: aqua_web.key nil YES
if gate.TLS.enabled is set to true
web.TLS.rootCA_fileName Filename of the rootCA, if using self-signed certificates eg: rootCA.crt nil NO
if gate.TLS.enabled is set to true and using self-signed certificates for TLS/mTLS
web.maintenance_db.name If Configured to use custom maintenance DB specify the DB name unset NO
web.extraEnvironmentVars Is a list of extra environment variables to set in the web deployments. {} NO
web.extraSecretEnvironmentVars Is a list of extra environment variables to set in the web deployments, these variables take value from existing Secret objects. [] NO
envoy.enabled Enabled envoy deployment. false NO
envoy.replicaCount Replica count 1 NO
envoy.image.repository The docker image name to use envoyproxy/envoy-alpine NO
envoy.image.tag The image tag to use. v1.14.1 NO
envoy.image.pullPolicy The kubernetes image pull policy. IfNotPresent NO
envoy.service.type Kubernetes service type LoadBalancer NO
envoy.service.loadbalancerIP Can specify loadBalancerIP address for aqua-web in AKS platform null NO
envoy.service.annotations Use this field to pass additional annotations for the service, useful to drive Cloud providers behavior in creating the LB resource. E.g. service.beta.kubernetes.io/aws-load-balancer-type: nlb {} NO
envoy.service.ports Array of ports settings array NO
envoy.pdb.minAvailable Set minimum available value for envoy pod PDB 1 NO
envoy.pdb.apiVersion Override the API version of the PodDisruptionBudget false NO
envoy.TLS.listener.enabled Enable to load custom self-signed or CA certs false NO
if envoy.enabled is set to true
envoy.TLS.listener.secretName Certificates secret name nil NO
if envoy.enabled is set to true
envoy.TLS.listener.publicKey_fileName Filename of the public key eg: aqua-lb.fqdn.crt nil YES
if envoy.enabled is set to true
envoy.TLS.listener.privateKey_fileName Filename of the private key eg: aqua-lb.fqdn.key nil YES
if envoy.enabled is set to true
envoy.TLS.listener.rootCA_fileName Filename of the rootCA, if using self-signed certificates eg: rootCA.crt nil NO
envoy.TLS.cluster.enabled If require secure channel communication between Envoy and Gateway false NO
envoy.TLS.cluster.secretName Certificates secret name nil NO
envoy.TLS.cluster.publicKey_fileName Filename of the public key eg: aqua-lb.crt nil NO
envoy.TLS.cluster.privateKey_fileName Filename of the private key eg: aqua-lb.key nil NO
envoy.TLS.cluster.rootCA_fileName Filename of the rootCA, if using self-signed certificates eg: rootCA.crt nil NO
envoy.livenessProbe Liveness probes configuration for envoy {} NO
envoy.readinessProbe Readiness probes configuration for envoy {} NO
envoy.resources Resource requests and limits {} NO
envoy.nodeSelector Kubernetes node selector {} NO
envoy.tolerations Kubernetes node tolerations [] NO
envoy.podAnnotations Kubernetes pod annotations {} NO
envoy.affinity Kubernetes node affinity {} NO
envoy.securityContext Set of security context for the container nil NO
envoy.files.envoy.yaml Content of a full envoy configuration file as documented in https://www.envoyproxy.io/docs/envoy/latest/configuration/configuration check values.yaml
initContainers.enabled If true, init container definitions will take effect Fasle NO
initContainers.ContainersDefinitions Container definitions for init containers nil NO
sidecarContainers.enabled If true, init sidecar containers definitions will take effect Fasle NO
sidecarContainers.ContainersDefinitions Container definitions for sidecar containers nil NO

Issues and feedback

If you encounter any problems or would like to give us feedback on deployments, we encourage you to raise issues here on GitHub.