charts/cilium/values.yaml

# upgradeCompatibility helps users upgrading to ensure that the configMap for
# Cilium will not change critical values to ensure continued operation
# This is flag is not required for new installations.
# For example: 1.7, 1.8, 1.9
# upgradeCompatibility: '1.8'

debug:
  # -- Enable debug logging
  enabled: false
  # verbose:

rbac:
  # -- Enable creation of Resource-Based Access Control configuration.
  create: true

# -- Configure image pull secrets for pulling container images
imagePullSecrets:
# - name: "image-pull-secret"

# kubeConfigPath: ~/.kube/config
# k8sServiceHost:
# k8sServicePort:

cluster:
  # -- Name of the cluster. Only required for Cluster Mesh.
  name: default
  # -- (int) Unique ID of the cluster. Must be unique across all connected
  # clusters and in the range of 1 to 255. Only required for Cluster Mesh.
  id:

# -- Define serviceAccount names for components.
# @default -- Component's fully qualified name.
serviceAccounts:
  cilium:
    create: true
    name: cilium
    annotations: {}
  etcd:
    create: true
    name: cilium-etcd-operator
    annotations: {}
  operator:
    create: true
    name: cilium-operator
    annotations: {}
  preflight:
    create: true
    name: cilium-pre-flight 
    annotations: {}
  relay:
    create: true
    name: hubble-relay
    annotations: {}
  ui:
    create: true
    name: hubble-ui
    annotations: {}
  clustermeshApiserver:
    create: true
    name: clustermesh-apiserver
    annotations: {}
  # -- Clustermeshcertgen is used if clustermesh.apiserver.tls.auto.method=cronJob
  clustermeshcertgen:
    create: true
    name: clustermesh-apiserver-generate-certs
    annotations: {}
  # -- Hubblecertgen is used if hubble.tls.auto.method=cronJob
  hubblecertgen:
    create: true
    name: hubble-generate-certs
    annotations: {}

# -- Install the cilium agent resources.
agent: true

# -- Agent container name.
name: cilium

# -- Roll out cilium agent pods automatically when configmap is updated.
rollOutCiliumPods: false

# -- Agent container image.
image:
  repository: quay.io/cilium/cilium
  tag: v1.10.7
  pullPolicy: IfNotPresent
  # cilium-digest
  digest: "sha256:e23f55e80e1988db083397987a89967aa204ad6fc32da243b9160fbcea29b0ca"
  useDigest: true

# -- Pod affinity for cilium-agent.
affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
        - matchExpressions:
            - key: kubernetes.io/os
              operator: In
              values:
                - linux
        # Compatible with Kubernetes 1.12.x and 1.13.x
        - matchExpressions:
            - key: beta.kubernetes.io/os
              operator: In
              values:
                - linux
  podAntiAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
    - labelSelector:
        matchExpressions:
        - key: k8s-app
          operator: In
          values:
          - cilium
      topologyKey: kubernetes.io/hostname

# -- The priority class to use for cilium-agent.
priorityClassName: ""

# -- Additional agent container arguments.
extraArgs: []

# -- Additional agent container environment variables.
extraEnv: {}

# -- Additional InitContainers to initialize the pod.
extraInitContainers: []

# -- Additional agent hostPath mounts.
extraHostPathMounts: []
  # - name: host-mnt-data
  #   mountPath: /host/mnt/data
  #   hostPath: /mnt/data
  #   hostPathType: Directory
  #   readOnly: true
  #   mountPropagation: HostToContainer

# -- Additional agent ConfigMap mounts.
extraConfigmapMounts: []
  # - name: certs-configmap
  #   mountPath: /certs
  #   configMap: certs-configmap
  #   readOnly: true

# -- extraConfig allows you to specify additional configuration parameters to be
# included in the cilium-config configmap.
extraConfig: {}
#  my-config-a: "1234"
#  my-config-b: |-
#    test 1
#    test 2
#    test 3

# -- Node tolerations for agent scheduling to nodes with taints
# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
tolerations:
- operator: Exists
  # - key: "key"
  #   operator: "Equal|Exists"
  #   value: "value"
  #   effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"

# -- Annotations to be added to agent pods
podAnnotations: {}

# -- Labels to be added to agent pods
podLabels: {}

# -- PodDisruptionBudget settings
# ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
podDisruptionBudget:
  enabled: true
  maxUnavailable: 2

# -- Agent resource limits & requests
# ref: https://kubernetes.io/docs/user-guide/compute-resources/
resources: {}
  # limits:
  #   cpu: 4000m
  #   memory: 4Gi
  # requests:
  #   cpu: 100m
  #   memory: 512Mi

# -- Security context to be added to agent pods
securityContext: {}
  # runAsUser: 0

# -- Cilium agent update strategy
updateStrategy:
  rollingUpdate:
    maxUnavailable: 2
  type: RollingUpdate

# Configuration Values for cilium-agent

# -- Enable installation of PodCIDR routes between worker
# nodes if worker nodes share a common L2 network segment.
autoDirectNodeRoutes: false

azure:
  # -- Enable Azure integration
  enabled: false
  # resourceGroup: group1
  # subscriptionID: 00000000-0000-0000-0000-000000000000
  # tenantID: 00000000-0000-0000-0000-000000000000
  # clientID: 00000000-0000-0000-0000-000000000000
  # clientSecret: 00000000-0000-0000-0000-000000000000
  # userAssignedIdentityID: 00000000-0000-0000-0000-000000000000

alibabacloud:
  # -- Enable AlibabaCloud ENI integration
  enabled: false

# -- Optimize TCP and UDP workloads and enable rate-limiting traffic from
# individual Pods with EDT (Earliest Departure Time)
# through the "kubernetes.io/egress-bandwidth" Pod annotation.
bandwidthManager: false

# -- Configure BGP
bgp:
  # -- Enable BGP support inside Cilium; embeds a new ConfigMap for BGP inside
  # cilium-agent and cilium-operator
  enabled: false
  announce:
    # -- Enable allocation and announcement of service LoadBalancer IPs
    loadbalancerIP: false

bpf:
  # -- Enable BPF clock source probing for more efficient tick retrieval.
  clockProbe: false

  # -- Enables pre-allocation of eBPF map values. This increases
  # memory usage but can reduce latency.
  preallocateMaps: false

  # -- Configure the maximum number of entries in the TCP connection tracking
  # table.
  # ctTcpMax: '524288'

  # -- Configure the maximum number of entries for the non-TCP connection
  # tracking table.
  # ctAnyMax: '262144'

  # -- Configure the maximum number of service entries in the
  # load balancer maps.
  lbMapMax: 65536

  # -- Configure the maximum number of entries for the NAT table.
  # natMax: 524288

  # -- Configure the maximum number of entries for the neighbor table.
  # neighMax: 524288

  # -- Configure the maximum number of entries in endpoint policy map (per endpoint).
  policyMapMax: 16384

  # -- Configure auto-sizing for all BPF maps based on available memory.
  # ref: https://docs.cilium.io/en/stable/concepts/ebpf/maps/#ebpf-maps
  #mapDynamicSizeRatio: 0.0025

  # -- Configure the level of aggregation for monitor notifications.
  # Valid options are none, low, medium, maximum.
  monitorAggregation: medium

  # -- Configure the typical time between monitor notifications for
  # active connections.
  monitorInterval: "5s"

  # -- Configure which TCP flags trigger notifications when seen for the
  # first time in a connection.
  monitorFlags: "all"

  # -- Allow cluster external access to ClusterIP services.
  lbExternalClusterIP: false

  # -- Enable native IP masquerade support in eBPF
  #masquerade: false

  # -- Configure whether direct routing mode should route traffic via
  # host stack (true) or directly and more efficiently out of BPF (false) if
  # the kernel supports it. The latter has the implication that it will also
  # bypass netfilter in the host namespace.
  #hostRouting: true

  # -- Configure the eBPF-based TPROXY to reduce reliance on iptables rules
  # for implementing Layer 7 policy.
  # tproxy: true

  # -- Configure the FIB lookup bypass optimization for nodeport reverse
  # NAT handling.
  # lbBypassFIBLookup: true

# -- Clean all eBPF datapath state from the initContainer of the cilium-agent
# DaemonSet.
#
# WARNING: Use with care!
cleanBpfState: false

# -- Clean all local Cilium state from the initContainer of the cilium-agent
# DaemonSet. Implies cleanBpfState: true.
#
# WARNING: Use with care!
cleanState: false

cni:
  # -- Install the CNI configuration and binary files into the filesystem.
  install: true

  # -- Configure chaining on top of other CNI plugins. Possible values:
  #  - none
  #  - generic-veth
  #  - aws-cni
  #  - portmap
  chainingMode: none

  # -- Make Cilium take ownership over the `/etc/cni/net.d` directory on the
  # node, renaming all non-Cilium CNI configurations to `*.cilium_bak`.
  # This ensures no Pods can be scheduled using other CNI plugins during Cilium
  # agent downtime.
  exclusive: true

  # -- Skip writing of the CNI configuration. This can be used if
  # writing of the CNI configuration is performed by external automation.
  customConf: false

  # -- Configure the path to the CNI configuration directory on the host.
  confPath: /etc/cni/net.d

  # -- Configure the path to the CNI binary directory on the host.
  binPath: /opt/cni/bin

  # -- Specify the path to a CNI config to read from on agent start.
  # This can be useful if you want to manage your CNI
  # configuration outside of a Kubernetes environment. This parameter is
  # mutually exclusive with the 'cni.configMap' parameter.
  # readCniConf: /host/etc/cni/net.d/05-cilium.conf

  # -- When defined, configMap will mount the provided value as ConfigMap and
  # interpret the cniConf variable as CNI configuration file and write it
  # when the agent starts up
  # configMap: cni-configuration

  # -- Configure the key in the CNI ConfigMap to read the contents of
  # the CNI configuration from.
  configMapKey: cni-config

  # -- Configure the path to where to mount the ConfigMap inside the agent pod.
  confFileMountPath: /tmp/cni-configuration

  # -- Configure the path to where the CNI configuration directory is mounted
  # inside the agent pod.
  hostConfDirMountPath: /host/etc/cni/net.d

# -- Configure how frequently garbage collection should occur for the datapath
# connection tracking table.
# conntrackGCInterval: "0s"

# -- Configure container runtime specific integration.
containerRuntime:
  # -- Enables specific integrations for container runtimes.
  # Supported values:
  # - containerd
  # - crio
  # - docker
  # - none
  # - auto (automatically detect the container runtime)
  integration: none
  # -- Configure the path to the container runtime control socket.
  # socketPath: /path/to/runtime.sock

# crdWaitTimeout: ""

# -- Tail call hooks for custom eBPF programs.
customCalls:
  # -- Enable tail call hooks for custom eBPF programs.
  enabled: false

# -- Configure which datapath mode should be used for configuring container
# connectivity. Valid options are "veth" or "ipvlan".
datapathMode: veth

daemon:
  # -- Configure where Cilium runtime state should be stored.
  runPath: "/var/run/cilium"

# -- Specify which network interfaces can run the eBPF datapath. This means
# that a packet sent from a pod to a destination outside the cluster will be
# masqueraded (to an output device IPv4 address), if the output device runs the
# program. When not specified, probing will automatically detect devices.
# devices: ""

# -- Chains to ignore when installing feeder rules.
# disableIptablesFeederRules: ""

# -- Limit egress masquerading to interface selector.
# egressMasqueradeInterfaces: ""

# -- Whether to enable CNP status updates.
enableCnpStatusUpdates: false

# -- Configures the use of the KVStore to optimize Kubernetes event handling by
# mirroring it into the KVstore for reduced overhead in large clusters.
enableK8sEventHandover: false

# TODO: Add documentation
# enableIdentityMark: false

# enableK8sEndpointSlice: false

# -- Enables the fallback compatibility solution for when the xt_socket kernel
# module is missing and it is needed for the datapath L7 redirection to work
# properly. See documentation for details on when this can be disabled:
# http://docs.cilium.io/en/stable/install/system_requirements/#admin-kernel-version.
enableXTSocketFallback: true

encryption:
  # -- Enable transparent network encryption.
  enabled: false

  # -- Encryption method. Can be either ipsec or wireguard.
  type: ipsec

  # -- Enable encryption for pure node to node traffic.
  # This option is only effective when encryption.type is set to ipsec.
  nodeEncryption: false

  ipsec:
    # -- Name of the key file inside the Kubernetes secret configured via secretName.
    keyFile: ""

    # -- Path to mount the secret inside the Cilium pod.
    mountPath: ""

    # -- Name of the Kubernetes secret containing the encryption keys.
    secretName: ""

    # -- The interface to use for encrypted traffic.
    interface: ""

  # -- Deprecated in favor of encryption.ipsec.keyFile.
  # Name of the key file inside the Kubernetes secret configured via secretName.
  # This option is only effective when encryption.type is set to ipsec.
  keyFile: keys

  # -- Deprecated in favor of encryption.ipsec.mountPath.
  # Path to mount the secret inside the Cilium pod.
  # This option is only effective when encryption.type is set to ipsec.
  mountPath: /etc/ipsec

  # -- Deprecated in favor of encryption.ipsec.secretName.
  # Name of the Kubernetes secret containing the encryption keys.
  # This option is only effective when encryption.type is set to ipsec.
  secretName: cilium-ipsec-keys

  # -- Deprecated in favor of encryption.ipsec.interface.
  # The interface to use for encrypted traffic.
  # This option is only effective when encryption.type is set to ipsec.
  interface: ""

endpointHealthChecking:
  # -- Enable connectivity health checking between virtual endpoints.
  enabled: true

# -- Enable endpoint status.
# Status can be: policy, health, controllers, logs and / or state. For 2 or more options use a comma.
endpointStatus:
  enabled: false
  status: ""

endpointRoutes:
  # -- Enable use of per endpoint routes instead of routing via
  # the cilium_host interface.
  enabled: false

eni:
  # -- Enable Elastic Network Interface (ENI) integration.
  enabled: false
  # -- Update ENI Adapter limits from the EC2 API
  updateEC2AdapterLimitViaAPI: false
  # -- Release IPs not used from the ENI
  awsReleaseExcessIPs: false
  # -- EC2 API endpoint to use
  ec2APIEndpoint: ""
  # -- Tags to apply to the newly created ENIs
  eniTags: {}
  # -- If using IAM role for Service Accounts will not try to
  # inject identity values from cilium-aws kubernetes secret.
  # Adds annotation to service account if managed by Helm.
  # See https://github.com/aws/amazon-eks-pod-identity-webhook
  iamRole: ""
  # -- Filter via subnet IDs which will dictate which subnets are going to be used to create new ENIs
  subnetIDsFilter: ""
  # -- Filter via tags (k=v) which will dictate which subnets are going to be used to create new ENIs
  subnetTagsFilter: ""

externalIPs:
  # -- Enable ExternalIPs service support.
  enabled: false

# fragmentTracking enables IPv4 fragment tracking support in the datapath.
# fragmentTracking: true

gke:
  # -- Enable Google Kubernetes Engine integration
  enabled: false

# -- Enable connectivity health checking.
healthChecking: true

# -- TCP port for the agent health API. This is not the port for cilium-health.
healthPort: 9876

# -- Enables the enforcement of host policies in the eBPF datapath.
hostFirewall: false

hostPort:
  # -- Enable hostPort service support.
  enabled: false

# -- Configure ClusterIP service handling in the host namespace (the node).
hostServices:
  # -- Enable host reachable services.
  enabled: false

  # -- Supported list of protocols to apply ClusterIP translation to.
  protocols: tcp,udp

  # -- Disable socket lb for non-root ns. This is used to enable Istio routing rules.
  # hostNamespaceOnly: false

# -- Configure certificate generation for Hubble integration.
# If hubble.tls.auto.method=cronJob, these values are used
# for the Kubernetes CronJob which will be scheduled regularly to
# (re)generate any certificates not provided manually.
certgen:
  image:
    repository: quay.io/cilium/certgen
    tag: v0.1.5
    pullPolicy: IfNotPresent
  # -- Seconds after which the completed job pod will be deleted
  ttlSecondsAfterFinished: 1800
  # -- Labels to be added to hubble-certgen pods
  podLabels: {}

hubble:
  # -- Enable Hubble (true by default).
  enabled: true

  # -- Buffer size of the channel Hubble uses to receive monitor events. If this
  # value is not set, the queue size is set to the default monitor queue size.
  # eventQueueSize: ""

  # -- Number of recent flows for Hubble to cache. Defaults to 4095.
  # Possible values are:
  #   1, 3, 7, 15, 31, 63, 127, 255, 511, 1023,
  #   2047, 4095, 8191, 16383, 32767, 65535
  # eventBufferCapacity: "4095"

  # -- Hubble metrics configuration.
  # See https://docs.cilium.io/en/stable/configuration/metrics/#hubble-metrics
  # for more comprehensive documentation about Hubble metrics.
  metrics:
    # -- Configures the list of metrics to collect. If empty or null, metrics
    # are disabled.
    # Example:
    #
    #   enabled:
    #   - dns:query;ignoreAAAA
    #   - drop
    #   - tcp
    #   - flow
    #   - icmp
    #   - http
    #
    # You can specify the list of metrics from the helm CLI:
    #
    #   --set metrics.enabled="{dns:query;ignoreAAAA,drop,tcp,flow,icmp,http}"
    #
    enabled: ~
    # -- Configure the port the hubble metric server listens on.
    port: 9091
    serviceMonitor:
      # -- Create ServiceMonitor resources for Prometheus Operator.
      # This requires the prometheus CRDs to be available.
      # ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
      enabled: false
      # -- Labels to add to ServiceMonitor hubble
      labels: {}

  # -- Unix domain socket path to listen to when Hubble is enabled.
  socketPath: /var/run/cilium/hubble.sock

  # -- An additional address for Hubble to listen to.
  # Set this field ":4244" if you are enabling Hubble Relay, as it assumes that
  # Hubble is listening on port 4244.
  listenAddress: ":4244"

  # -- TLS configuration for Hubble
  tls:
    # -- Enable mutual TLS for listenAddress. Setting this value to false is
    # highly discouraged as the Hubble API provides access to potentially
    # sensitive network flow metadata and is exposed on the host network.
    enabled: true
    # -- Configure automatic TLS certificates generation.
    auto:
      # -- Auto-generate certificates.
      # When set to true, automatically generate a CA and certificates to
      # enable mTLS between Hubble server and Hubble Relay instances. If set to
      # false, the certs for Hubble server need to be provided by setting
      # appropriate values below.
      enabled: true
      # -- Set the method to auto-generate certificates. Supported values:
      # - helm:      This method uses Helm to generate all certificates.
      # - cronJob:   This method uses a Kubernetes CronJob the generate any
      #              certificates not provided by the user at installation
      #              time.
      method: helm
      # -- Generated certificates validity duration in days.
      certValidityDuration: 1095
      # -- Schedule for certificates regeneration (regardless of their expiration date).
      # Only used if method is "cronJob". If nil, then no recurring job will be created.
      # Instead, only the one-shot job is deployed to generate the certificates at
      # installation time.
      #
      # Defaults to midnight of the first day of every fourth month. For syntax, see
      # https://kubernetes.io/docs/tasks/job/automated-tasks-with-cron-jobs/#schedule
      schedule: "0 0 1 */4 *"
    # -- base64 encoded PEM values for the Hubble CA certificate and private key.
    ca:
      cert: ""
      # -- The CA private key (optional). If it is provided, then it will be
      # used by hubble.tls.auto.method=cronJob to generate all other certificates.
      # Otherwise, a ephemeral CA is generated if hubble.tls.auto.enabled=true.
      key: ""
    # -- base64 encoded PEM values for the Hubble server certificate and private key
    server:
      cert: ""
      key: ""

  relay:
    # -- Enable Hubble Relay (requires hubble.enabled=true)
    enabled: false

    # -- Roll out Hubble Relay pods automatically when configmap is updated.
    rollOutPods: false

    # -- Hubble-relay container image.
    image:
      repository: quay.io/cilium/hubble-relay
      tag: v1.10.7
       # hubble-relay-digest
      digest: "sha256:385fcc4fa315eb6b66626c3e5f607b6b6514c8c3a863c47c2b2dbc97790acb47"
      useDigest: true
      pullPolicy: IfNotPresent

    # -- Specifies the resources for the hubble-relay pods
    resources: {}

    # -- Number of replicas run for the hubble-relay deployment.
    replicas: 1

    # -- Node labels for pod assignment
    # ref: https://kubernetes.io/docs/user-guide/node-selection/
    nodeSelector: {}

    # -- Annotations to be added to hubble-relay pods
    podAnnotations: {}

    # -- Labels to be added to hubble-relay pods
    podLabels: {}

    # -- Node tolerations for pod assignment on nodes with taints
    # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
    #
    tolerations: []

    # -- hubble-relay update strategy
    updateStrategy:
      rollingUpdate:
        maxUnavailable: 1
      type: RollingUpdate

    # -- Host to listen to. Specify an empty string to bind to all the interfaces.
    listenHost: ""

    # -- Port to listen to.
    listenPort: "4245"

    # -- TLS configuration for Hubble Relay
    tls:
      # -- base64 encoded PEM values for the hubble-relay client certificate and private key
      # This keypair is presented to Hubble server instances for mTLS
      # authentication and is required when hubble.tls.enabled is true.
      # These values need to be set manually if hubble.tls.auto.enabled is false.
      client:
        cert: ""
        key: ""
      # -- base64 encoded PEM values for the hubble-relay server certificate and private key
      server:
        # When set to true, enable TLS on for Hubble Relay server
        # (ie: for clients connecting to the Hubble Relay API).
        enabled: false
        # These values need to be set manually if hubble.tls.auto.enabled is false.
        cert: ""
        key: ""

    # -- Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s").
    dialTimeout: ~

    # -- Backoff duration to retry connecting to the local hubble instance in case of failure (e.g. "30s").
    retryTimeout: ~

    # -- Max number of flows that can be buffered for sorting before being sent to the
    # client (per request) (e.g. 100).
    sortBufferLenMax: ~

    # -- When the per-request flows sort buffer is not full, a flow is drained every
    # time this timeout is reached (only affects requests in follow-mode) (e.g. "1s").
    sortBufferDrainTimeout: ~

    # -- Port to use for the k8s service backed by hubble-relay pods.
    # If not set, it is dynamically assigned to port 443 if TLS is enabled and to
    # port 80 if not.
    # servicePort: 80

  ui:
    # -- Whether to enable the Hubble UI.
    enabled: false

    # -- Roll out Hubble-ui pods automatically when configmap is updated.
    rollOutPods: false

    backend:
      # -- Hubble-ui backend image.
      image:
        repository: quay.io/cilium/hubble-ui-backend
        tag: v0.8.5@sha256:2bce50cf6c32719d072706f7ceccad654bfa907b2745a496da99610776fe31ed
        pullPolicy: IfNotPresent
      # [Example]
      # resources:
      #   limits:
      #     cpu: 1000m
      #     memory: 1024M
      #   requests:
      #     cpu: 100m
      #     memory: 64Mi
      # -- Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment.
      resources: {}

    frontend:
      # -- Hubble-ui frontend image.
      image:
        repository: quay.io/cilium/hubble-ui
        tag: v0.8.5@sha256:4eaca1ec1741043cfba6066a165b3bf251590cf4ac66371c4f63fbed2224ebb4
        pullPolicy: IfNotPresent
      # [Example]
      # resources:
      #   limits:
      #     cpu: 1000m
      #     memory: 1024M
      #   requests:
      #     cpu: 100m
      #     memory: 64Mi
      # -- Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment.
      resources: {}

    proxy:
      # -- Hubble-ui ingress proxy image.
      image:
        repository: docker.io/envoyproxy/envoy
        tag: v1.18.4@sha256:e5c2bb2870d0e59ce917a5100311813b4ede96ce4eb0c6bfa879e3fbe3e83935
        pullPolicy: IfNotPresent
      # [Example]
      # resources:
      #   limits:
      #     cpu: 1000m
      #     memory: 1024M
      #   requests:
      #     cpu: 100m
      #     memory: 64Mi
      # -- Resource requests and limits for the 'proxy' container of the 'hubble-ui' deployment.
      resources: {}

    # -- The number of replicas of Hubble UI to deploy.
    replicas: 1

    # -- Annotations to be added to hubble-ui pods
    podAnnotations: {}

    # -- Labels to be added to hubble-ui pods
    podLabels: {}

    # -- Node labels for pod assignment
    # ref: https://kubernetes.io/docs/user-guide/node-selection/
    nodeSelector: {}

    # -- Node tolerations for pod assignment on nodes with taints
    # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
    #
    tolerations: []

    # -- hubble-ui update strategy.
    updateStrategy:
      rollingUpdate:
        maxUnavailable: 1
      type: RollingUpdate

    securityContext:
      # -- Whether to set the security context on the Hubble UI pods.
      enabled: true

    # -- hubble-ui ingress configuration.
    ingress:
      enabled: false
      annotations: {}
        # kubernetes.io/ingress.class: nginx
        # kubernetes.io/tls-acme: "true"
      hosts:
        - chart-example.local
      tls: []
      #  - secretName: chart-example-tls
      #    hosts:
      #      - chart-example.local


# -- Method to use for identity allocation (`crd` or `kvstore`).
identityAllocationMode: "crd"

# TODO: Add documentation
# identityChangeGracePeriod: "5s"

# TODO: Add documentation
# identityGCInterval:

# TODO: Add documentation
# identityHeartbeatTimeout: ""


# -- Configure whether to install iptables rules to allow for TPROXY
# (L7 proxy injection), iptables-based masquerading and compatibility
# with kube-proxy.
installIptablesRules: true

# -- Install Iptables rules to skip netfilter connection tracking on all pod
# traffic. This option is only effective when Cilium is running in direct
# routing and full KPR mode. Moreover, this option cannot be enabled when Cilium
# is running in a managed Kubernetes environment or in a chained CNI setup.
installNoConntrackIptablesRules: false

ipam:
  # -- Configure IP Address Management mode.
  # ref: https://docs.cilium.io/en/stable/concepts/networking/ipam/
  mode: "cluster-pool"
  operator:
    # -- IPv4 CIDR range to delegate to individual nodes for IPAM.
    clusterPoolIPv4PodCIDR: "10.0.0.0/8"
    # -- IPv4 CIDR mask size to delegate to individual nodes for IPAM.
    clusterPoolIPv4MaskSize: 24
    # -- IPv6 CIDR range to delegate to individual nodes for IPAM.
    clusterPoolIPv6PodCIDR: "fd00::/104"
    # -- IPv6 CIDR mask size to delegate to individual nodes for IPAM.
    clusterPoolIPv6MaskSize: 120

# -- Configure the eBPF-based ip-masq-agent
ipMasqAgent:
  enabled: false

# iptablesLockTimeout defines the iptables "--wait" option when invoked from Cilium.
# iptablesLockTimeout: "5s"

ipv4:
  # -- Enable IPv4 support.
  enabled: true

ipv6:
  # -- Enable IPv6 support.
  enabled: false

ipvlan:
  # -- Enable the IPVLAN datapath
  enabled: false

  # -- masterDevice is the name of the device to use to attach secondary IPVLAN
  # devices
  # masterDevice: eth0

# -- Configure Kubernetes specific configuration
k8s: {}
  # -- requireIPv4PodCIDR enables waiting for Kubernetes to provide the PodCIDR
  # range via the Kubernetes node resource
  # requireIPv4PodCIDR: false

  # -- requireIPv6PodCIDR enables waiting for Kubernetes to provide the PodCIDR
  # range via the Kubernetes node resource
  # requireIPv6PodCIDR: false

# -- Keep the deprecated selector labels when deploying Cilium DaemonSet.
keepDeprecatedLabels: false

# -- Keep the deprecated probes when deploying Cilium DaemonSet
keepDeprecatedProbes: false

startupProbe:
  # -- failure threshold of startup probe.
  # 105 x 2s translates to the old behaviour of the readiness probe (120s delay + 30 x 3s)
  failureThreshold: 105
  # -- interval between checks of the startup probe
  periodSeconds: 2
livenessProbe:
  # -- failure threshold of liveness probe
  failureThreshold: 10
  # -- interval between checks of the liveness probe
  periodSeconds: 30
readinessProbe:
  # -- failure threshold of readiness probe
  failureThreshold: 3
  # -- interval between checks of the readiness probe
  periodSeconds: 30

# -- Configure the kube-proxy replacement in Cilium BPF datapath
# Valid options are "disabled", "probe", "partial", "strict".
# ref: https://docs.cilium.io/en/stable/gettingstarted/kubeproxy-free/
#kubeProxyReplacement: "disabled"

# -- healthz server bind address for the kube-proxy replacement.
# To enable set the value to '0.0.0.0:10256' for all ipv4
# addresses and this '[::]:10256' for all ipv6 addresses.
# By default it is disabled.
kubeProxyReplacementHealthzBindAddr: ""

l2NeighDiscovery:
  # -- Enable L2 neighbour discovery in the agent
  enabled: true
  # -- Set period for arping
  arping-refresh-period: "5m"

# -- Enable Layer 7 network policy.
l7Proxy: true

# -- Enable Local Redirect Policy.
localRedirectPolicy: false

# To include or exclude matched resources from cilium identity evaluation
# labels: ""

# logOptions allows you to define logging options. eg:
# logOptions:
#   format: json

# -- Enables periodic logging of system load
logSystemLoad: false


# -- Configure maglev consistent hashing
maglev: {}
  # -- tableSize is the size (parameter M) for the backend table of one
  # service entry
  # tableSize:

  # -- hashSeed is the cluster-wide base64 encoded seed for the hashing
  # hashSeed:

# -- Enables masquerading of IPv4 traffic leaving the node from endpoints.
enableIPv4Masquerade: true

# -- Enables masquerading of IPv6 traffic leaving the node from endpoints.
enableIPv6Masquerade: true

# -- Enables egress gateway (beta) to redirect and SNAT the traffic that
# leaves the cluster.
egressGateway:
  enabled: false

# -- Specify the CIDR for native routing (ie to avoid IP masquerade for).
# This value corresponds to the configured cluster-cidr.
# nativeRoutingCIDR:

monitor:
  # -- Enable the cilium-monitor sidecar.
  enabled: false

# -- Configure service load balancing
# loadBalancer:
  # -- standalone enables the standalone L4LB which does not connect to
  # kube-apiserver.
  # standalone: false

  # -- algorithm is the name of the load balancing algorithm for backend
  # selection e.g. random or maglev
  # algorithm: random

  # -- mode is the operation mode of load balancing for remote backends
  # e.g. snat, dsr, hybrid
  # mode: snat

  # -- acceleration is the option to accelerate service handling via XDP
  # e.g. native, disabled
  # acceleration: disabled

  # -- dsrDispatch configures whether IP option or IPIP encapsulation is
  # used to pass a service IP and port to remote backend
  # dsrDispatch: opt

# -- Configure N-S k8s service loadbalancing
nodePort:
  # -- Enable the Cilium NodePort service implementation.
  enabled: false

  # -- Port range to use for NodePort services.
  # range: "30000,32767"

  # -- Set to true to prevent applications binding to service ports.
  bindProtection: true

  # -- Append NodePort range to ip_local_reserved_ports if clash with ephemeral
  # ports is detected.
  autoProtectPortRange: true

  # -- Enable healthcheck nodePort server for NodePort services
  enableHealthCheck: true

# policyAuditMode: false

# -- The agent can be put into one of the three policy enforcement modes:
# default, always and never.
# ref: https://docs.cilium.io/en/stable/policy/intro/#policy-enforcement-modes
policyEnforcementMode: "default"

pprof:
  # -- Enable Go pprof debugging
  enabled: false

# -- Configure prometheus metrics on the configured port at /metrics
prometheus:
  enabled: false
  port: 9090
  serviceMonitor:
    # -- Enable service monitors.
    # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/master/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
    #
    enabled: false
    # -- Labels to add to ServiceMonitor cilium-agent
    labels: {}
    # -- Specify the Kubernetes namespace where Prometheus expects to find
    # service monitors configured.
    # namespace: ""
  # -- Metrics that should be enabled or disabled from the default metric
  # list. (+metric_foo to enable metric_foo , -metric_bar to disable
  # metric_bar).
  # ref: https://docs.cilium.io/en/stable/operations/metrics/#exported-metrics
  metrics: ~

# -- Configure Istio proxy options.
proxy:
  prometheus:
    enabled: true
    port: "9095"
  # -- Regular expression matching compatible Istio sidecar istio-proxy
  # container image names
  sidecarImageRegex: "cilium/istio_proxy"

# -- Enable use of the remote node identity.
# ref: https://docs.cilium.io/en/v1.7/install/upgrade/#configmap-remote-node-identity
remoteNodeIdentity: true

# -- Enable resource quotas for priority classes used in the cluster.
resourceQuotas:
  enabled: false
  cilium:
    hard:
      # 5k nodes * 2 DaemonSets (Cilium and cilium node init)
      pods: "10k"
  operator:
    hard:
      # 15 "clusterwide" Cilium Operator pods for HA
      pods: "15"

# Need to document default
##################
#sessionAffinity: false

# -- Do not run Cilium agent when running with clean mode. Useful to completely
# uninstall Cilium as it will stop Cilium from starting and create artifacts
# in the node.
sleepAfterInit: false

# -- Configure BPF socket operations configuration
sockops:
  # enabled enables installation of socket options acceleration.
  enabled: false

# TODO: Add documentation, default value
# svcSourceRangeCheck:

# synchronizeK8sNodes: true

# -- Configure TLS configuration in the agent.
tls:
  enabled: true
  secretsBackend: local

# -- Configure the encapsulation configuration for communication between nodes.
# Possible values:
#   - disabled
#   - vxlan (default)
#   - geneve
tunnel: "vxlan"

wellKnownIdentities:
  # -- Enable the use of well-known identities.
  enabled: false


etcd:
  # -- Enable etcd mode for the agent.
  enabled: false

  # -- cilium-etcd-operator image.
  image:
    repository: quay.io/cilium/cilium-etcd-operator
    tag: v2.0.7
    pullPolicy: IfNotPresent

  # -- cilium-etcd-operator priorityClassName
  priorityClassName: ""

  # -- Additional cilium-etcd-operator container arguments.
  extraArgs: []

  # -- Additional InitContainers to initialize the pod.
  extraInitContainers: []

  # -- Additional cilium-etcd-operator hostPath mounts.
  extraHostPathMounts: []
    # - name: textfile-dir
    #   mountPath: /srv/txt_collector
    #   hostPath: /var/lib/cilium-etcd-operator
    #   readOnly: true
    #   mountPropagation: HostToContainer

  # -- Additional cilium-etcd-operator ConfigMap mounts.
  extraConfigmapMounts: []
    # - name: certs-configmap
    #   mountPath: /certs
    #   configMap: certs-configmap
    #   readOnly: true

  # -- Node tolerations for cilium-etcd-operator scheduling to nodes with taints
  # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
  tolerations:
  - operator: Exists
    # - key: "key"
    #   operator: "Equal|Exists"
    #   value: "value"
    #   effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"

  # -- Node labels for cilium-etcd-operator pod assignment
  # ref: https://kubernetes.io/docs/user-guide/node-selection/
  nodeSelector: {}

  # -- Annotations to be added to cilium-etcd-operator pods
  podAnnotations: {}

  # -- Labels to be added to cilium-etcd-operator pods
  podLabels: {}

  # -- PodDisruptionBudget settings
  # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  #
  podDisruptionBudget:
    enabled: true
    maxUnavailable: 2

  # -- cilium-etcd-operator resource limits & requests
  # ref: https://kubernetes.io/docs/user-guide/compute-resources/
  #
  resources: {}
    # limits:
    #   cpu: 4000m
    #   memory: 4Gi
    # requests:
    #   cpu: 100m
    #   memory: 512Mi

  # -- Security context to be added to cilium-etcd-operator pods
  #
  securityContext: {}
    # runAsUser: 0

  # -- cilium-etcd-operator update strategy
  updateStrategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate

  # -- If etcd is behind a k8s service set this option to true so that Cilium
  # does the service translation automatically without requiring a DNS to be
  # running.
  k8sService: false

  # -- Cluster domain for cilium-etcd-operator.
  clusterDomain: cluster.local

  # -- List of etcd endpoints (not needed when using managed=true).
  endpoints:
    - https://CHANGE-ME:2379

  # -- Enable use of TLS/SSL for connectivity to etcd. (auto-enabled if
  # managed=true)
  ssl: false

operator:
  # -- Enable the cilium-operator component (required).
  enabled: true

  # -- Roll out cilium-operator pods automatically when configmap is updated.
  rollOutPods: false

  # -- cilium-operator image.
  image:
    repository: quay.io/cilium/operator
    tag: v1.10.7
    # operator-generic-digest
    genericDigest: "sha256:d0b491d8d8cb45862ed7f0410f65e7c141832f0f95262643fa5ff1edfcddcafe"
    # operator-azure-digest
    azureDigest: "sha256:556d692b2f08822101c159d9d6f731efe6c437d2b80f0ef96813e8745203c852"
    # operator-aws-digest
    awsDigest: "sha256:97b378e0e3b6b5ade6ae1706024c7a25fe6fc48e00102b65a6b7ac51d6327f40"
    # operator-alibabacloud-digest
    alibabacloudDigest: "sha256:7a6ccc99195ae6a8216d2a1e1e0cc05d49c2d263b194895da264899fe9d0f45a"
    useDigest: true
    pullPolicy: IfNotPresent
    suffix: ""

  # -- Number of replicas to run for the cilium-operator deployment
  replicas: 2

  # -- For using with an existing serviceAccount.
  serviceAccountName: cilium-operator
 
  # -- cilium-operator priorityClassName
  priorityClassName: ""

  # -- cilium-operator update strategy
  updateStrategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate

  # -- cilium-operator affinity
  affinity:
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchExpressions:
          - key: io.cilium/app
            operator: In
            values:
            - operator
        topologyKey: kubernetes.io/hostname


  # -- Additional cilium-operator container arguments.
  extraArgs: []

  # -- Additional cilium-operator environment variables.
  extraEnv: {}

  # -- Additional InitContainers to initialize the pod.
  extraInitContainers: []

  # -- Additional cilium-operator hostPath mounts.
  extraHostPathMounts: []
    # - name: host-mnt-data
    #   mountPath: /host/mnt/data
    #   hostPath: /mnt/data
    #   hostPathType: Directory
    #   readOnly: true
    #   mountPropagation: HostToContainer

  # -- Additional cilium-operator ConfigMap mounts.
  extraConfigmapMounts: []
    # - name: certs-configmap
    #   mountPath: /certs
    #   configMap: certs-configmap
    #   readOnly: true

  # -- Node tolerations for cilium-operator scheduling to nodes with taints
  # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
  tolerations:
  - operator: Exists
    # - key: "key"
    #   operator: "Equal|Exists"
    #   value: "value"
    #   effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"

  # -- Node labels for cilium-operator pod assignment
  # ref: https://kubernetes.io/docs/user-guide/node-selection/
  #
  nodeSelector: {}

  # -- Annotations to be added to cilium-operator pods
  podAnnotations: {}

  # -- Labels to be added to cilium-operator pods
  podLabels: {}

  # -- PodDisruptionBudget settings
  # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  #
  podDisruptionBudget:
    enabled: false
    maxUnavailable: 1

  # -- cilium-operator resource limits & requests
  # ref: https://kubernetes.io/docs/user-guide/compute-resources/
  #
  resources: {}
    # limits:
    #   cpu: 1000m
    #   memory: 1Gi
    # requests:
    #   cpu: 100m
    #   memory: 128Mi

  # -- Security context to be added to cilium-operator pods
  #
  securityContext: {}
    # runAsUser: 0

  # -- Interval for endpoint garbage collection.
  endpointGCInterval: "5m0s"

  # -- Interval for identity garbage collection.
  identityGCInterval: "15m0s"

  # -- Timeout for identity heartbeats.
  identityHeartbeatTimeout: "30m0s"

  # -- Enable prometheus metrics for cilium-operator on the configured port at
  # /metrics
  prometheus:
    enabled: false
    port: 6942
    serviceMonitor:
      # -- Enable service monitors.
      # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/master/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
      ##
      enabled: false
      # -- Labels to add to ServiceMonitor cilium-operator
      labels: {}

  # -- Skip CRDs creation for cilium-operator
  skipCRDCreation: false


nodeinit:
  # -- Enable the node initialization DaemonSet
  enabled: false

  # -- node-init image.
  image:
    repository: quay.io/cilium/startup-script
    tag: 62bfbe88c17778aad7bef9fa57ff9e2d4a9ba0d8
    pullPolicy: IfNotPresent

  # -- The priority class to use for the nodeinit pod.
  priorityClassName: ""

  # -- node-init update strategy
  updateStrategy:
    type: RollingUpdate

  # -- Additional nodeinit environment variables.
  extraEnv: {}

  # -- Additional nodeinit init containers.
  extraInitContainers: []

  # -- Additional nodeinit host path mounts.
  extraHostPathMounts: []
    # - name: textfile-dir
    #   mountPath: /srv/txt_collector
    #   hostPath: /var/lib/nodeinit
    #   readOnly: true
    #   mountPropagation: HostToContainer

  # -- Additional nodeinit ConfigMap mounts.
  extraConfigmapMounts: []
    # - name: certs-configmap
    #   mountPath: /certs
    #   configMap: certs-configmap
    #   readOnly: true

  # -- Node tolerations for nodeinit scheduling to nodes with taints
  # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
  #
  tolerations:
  - operator: Exists
    # - key: "key"
    #   operator: "Equal|Exists"
    #   value: "value"
    #   effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"

  # -- Node labels for nodeinit pod assignment
  # ref: https://kubernetes.io/docs/user-guide/node-selection/
  #
  nodeSelector: {}

  # -- Annotations to be added to node-init pods.
  podAnnotations: {}

  # -- Labels to be added to node-init pods.
  podLabels: {}

  # -- PodDisruptionBudget settings
  # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  #
  podDisruptionBudget:
    enabled: true
    maxUnavailable: 2

  # -- nodeinit resource limits & requests
  # ref: https://kubernetes.io/docs/user-guide/compute-resources/
  #
  resources:
    requests:
      cpu: 100m
      memory: 100Mi

  # -- Security context to be added to nodeinit pods.
  #
  securityContext: {}
    # runAsUser: 0

  # -- bootstrapFile is the location of the file where the bootstrap timestamp is
  # written by the node-init DaemonSet
  bootstrapFile: "/tmp/cilium-bootstrap-time"

preflight:
  # -- Enable Cilium pre-flight resources (required for upgrade)
  enabled: false

  # -- Cilium pre-flight image.
  image:
    repository: quay.io/cilium/cilium
    tag: v1.10.7
    # cilium-digest
    digest: "sha256:e23f55e80e1988db083397987a89967aa204ad6fc32da243b9160fbcea29b0ca"
    useDigest: true
    pullPolicy: IfNotPresent

  # -- The priority class to use for the preflight pod.
  priorityClassName: ""

  # -- preflight update strategy
  updateStrategy:
    type: RollingUpdate

  # -- Additional preflight environment variables.
  extraEnv: {}

  # -- Additional preflight init containers.
  extraInitContainers: []

  # -- Additional preflight host path mounts.
  extraHostPathMounts: []
    # - name: textfile-dir
    #   mountPath: /srv/txt_collector
    #   hostPath: /var/lib/preflight
    #   readOnly: true
    #   mountPropagation: HostToContainer

  # -- Additional preflight ConfigMap mounts.
  extraConfigmapMounts: []
    # - name: certs-configmap
    #   mountPath: /certs
    #   configMap: certs-configmap
    #   readOnly: true

  # -- Node tolerations for preflight scheduling to nodes with taints
  # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
  #
  tolerations:
  - effect: NoSchedule
    key: node.kubernetes.io/not-ready
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
  - effect: NoSchedule
    key: node.cloudprovider.kubernetes.io/uninitialized
    value: "true"
  - key: CriticalAddonsOnly
    operator: "Exists"
    # - key: "key"
    #   operator: "Equal|Exists"
    #   value: "value"
    #   effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"

  # -- Node labels for preflight pod assignment
  # ref: https://kubernetes.io/docs/user-guide/node-selection/
  #
  nodeSelector: {}

  # -- Annotations to be added to preflight pods
  podAnnotations: {}

  # -- Labels to be added to the preflight pod.
  podLabels: {}

  # -- PodDisruptionBudget settings
  # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  #
  podDisruptionBudget:
    enabled: true
    maxUnavailable: 2

  # -- preflight resource limits & requests
  # ref: https://kubernetes.io/docs/user-guide/compute-resources/
  #
  resources: {}
    # limits:
    #   cpu: 4000m
    #   memory: 4Gi
    # requests:
    #   cpu: 100m
    #   memory: 512Mi

  # -- Security context to be added to preflight pods
  #
  securityContext: {}
    # runAsUser: 0

  # -- Path to write the `--tofqdns-pre-cache` file to.
  tofqdnsPreCache: ""
  # -- By default we should always validate the installed CNPs before upgrading
  # Cilium. This will make sure the user will have the policies deployed in the
  # cluster with the right schema.
  validateCNPs: true

# -- Explicitly enable or disable priority class.
# .Capabilities.KubeVersion is unsettable in `helm template` calls,
# it depends on k8s libraries version that Helm was compiled against.
# This option allows to explicitly disable setting the priority class, which
# is useful for rendering charts for gke clusters in advance.
enableCriticalPriorityClass: true

# disableEnvoyVersionCheck removes the check for Envoy, which can be useful
# on AArch64 as the images do not currently ship a version of Envoy.
#disableEnvoyVersionCheck: false

clustermesh:
  # -- Deploy clustermesh-apiserver for clustermesh
  useAPIServer: false

  apiserver:
    # -- Clustermesh API server image.
    image:
      repository: quay.io/cilium/clustermesh-apiserver
      tag: v1.10.7
      # clustermesh-apiserver-digest
      digest: "sha256:9afb0a15afffdf84812c8174df9de86e35239fb87a6ffd9539877a9e643d8132"
      useDigest: true
      pullPolicy: IfNotPresent

    etcd:
      # -- Clustermesh API server etcd image.
      image:
        repository: quay.io/coreos/etcd
        tag: v3.4.13
        pullPolicy: IfNotPresent

    service:
      # -- The type of service used for apiserver access.
      type: NodePort
      # -- Optional port to use as the node port for apiserver access.
      nodePort: 32379
      # -- Optional loadBalancer IP address to use with type LoadBalancer.
      # loadBalancerIP:

      # -- Annotations for the clustermesh-apiserver
      # For GKE LoadBalancer, use annotation cloud.google.com/load-balancer-type: "Internal"
      # For EKS LoadBalancer, use annotation service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
      annotations: {}

    # -- Number of replicas run for the clustermesh-apiserver deployment.
    replicas: 1

    # -- Node labels for pod assignment
    # ref: https://kubernetes.io/docs/user-guide/node-selection/
    nodeSelector: {}

    # -- Annotations to be added to clustermesh-apiserver pods
    podAnnotations: {}

    # -- Labels to be added to clustermesh-apiserver pods
    podLabels: {}

    # -- Resource requests and limits for the clustermesh-apiserver container of the clustermesh-apiserver deployment, such as
    #     resources:
    #       limits:
    #         cpu: 1000m
    #         memory: 1024M
    #       requests:
    #         cpu: 100m
    #         memory: 64Mi
    resources: {}

    # -- Node tolerations for pod assignment on nodes with taints
    # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
    tolerations: []

    # -- clustermesh-apiserver update strategy
    updateStrategy:
      rollingUpdate:
        maxUnavailable: 1
      type: RollingUpdate

    tls:
      # -- Configure automatic TLS certificates generation.
      # A Kubernetes CronJob is used the generate any
      # certificates not provided by the user at installation
      # time.
      auto:
        # -- When set to true, automatically generate a CA and certificates to
        # enable mTLS between clustermesh-apiserver and external workload instances.
        # If set to false, the certs to be provided by setting appropriate values below.
        enabled: true
        # Sets the method to auto-generate certificates. Supported values:
        # - helm:      This method uses Helm to generate all certificates.
        # - cronJob:   This method uses a Kubernetes CronJob the generate any
        #              certificates not provided by the user at installation
        #              time.
        method: helm
        # -- Generated certificates validity duration in days.
        certValidityDuration: 1095
        # -- Schedule for certificates regeneration (regardless of their expiration date).
        # Only used if method is "cronJob". If nil, then no recurring job will be created.
        # Instead, only the one-shot job is deployed to generate the certificates at
        # installation time.
        #
        # Due to the out-of-band distribution of client certs to external workloads the
        # CA is (re)regenerated only if it is not provided as a helm value and the k8s
        # secret is manually deleted.
        #
        # Defaults to none. Commented syntax gives midnight of the first day of every
        # fourth month. For syntax, see
        # https://kubernetes.io/docs/tasks/job/automated-tasks-with-cron-jobs/#schedule
        # schedule: "0 0 1 */4 *"
      # -- base64 encoded PEM values for the ExternalWorkload CA certificate and private key.
      ca:
        # -- Optional CA cert. If it is provided, it will be used by the 'cronJob' method to
        # generate all other certificates. Otherwise, an ephemeral CA is generated.
        cert: ""
        # -- Optional CA private key. If it is provided, it will be used by the 'cronJob' method to
        # generate all other certificates. Otherwise, an ephemeral CA is generated.
        key: ""
      # -- base64 encoded PEM values for the clustermesh-apiserver server certificate and private key.
      # Used if 'auto' is not enabled.
      server:
        cert: ""
        key: ""
      # -- base64 encoded PEM values for the clustermesh-apiserver admin certificate and private key.
      # Used if 'auto' is not enabled.
      admin:
        cert: ""
        key: ""
      # -- base64 encoded PEM values for the clustermesh-apiserver client certificate and private key.
      # Used if 'auto' is not enabled.
      client:
        cert: ""
        key: ""
      # -- base64 encoded PEM values for the clustermesh-apiserver remote cluster certificate and private key.
      # Used if 'auto' is not enabled.
      remote:
        cert: ""
        key: ""

# -- Configure external workloads support
externalWorkloads:
  # -- Enable support for external workloads, such as VMs (false by default).
  enabled: false

# -- Configure cgroup related configuration
cgroup:
  autoMount:
    # -- Enable auto mount of cgroup2 filesystem.
    # When `autoMount` is enabled, cgroup2 filesystem is mounted at
    # `cgroup.hostRoot` path on the underlying host and inside the cilium agent pod.
    # If users disable `autoMount`, it's expected that users have mounted
    # cgroup2 filesystem at the specified `cgroup.hostRoot` volume, and then the
    # volume will be mounted inside the cilium agent pod at the same path.
    enabled: true
  # -- Configure cgroup root where cgroup2 filesystem is mounted on the host (see also: `cgroup.autoMount`)
  hostRoot: /run/cilium/cgroupv2