diff --git a/charts/gateway-helm/README.md b/charts/gateway-helm/README.md
index d6e89907e0..b2c967b8b3 100644
--- a/charts/gateway-helm/README.md
+++ b/charts/gateway-helm/README.md
@@ -59,7 +59,7 @@ To uninstall the chart: | Key | Type | Default | Description | |-----|------|---------|-------------| -| certgen | object | `{"job":{"affinity":{},"annotations":{},"args":[],"nodeSelector":{},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | +| certgen | object | `{"job":{"affinity":{},"annotations":{},"args":[],"nodeSelector":{},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | | config.envoyGateway | object | `{"extensionApis":{},"gateway":{"controllerName":"gateway.envoyproxy.io/gatewayclass-controller"},"logging":{"level":{"default":"info"}},"provider":{"type":"Kubernetes"}}` | EnvoyGateway configuration. 
Visit https://gateway.envoyproxy.io/docs/api/extension_types/#envoygateway to view all options. | | createNamespace | bool | `false` | | | deployment.envoyGateway.image.repository | string | `""` | |
diff --git a/charts/gateway-helm/values.tmpl.yaml b/charts/gateway-helm/values.tmpl.yaml
index a0da618d4a..0e906d181b 100644
--- a/charts/gateway-helm/values.tmpl.yaml
+++ b/charts/gateway-helm/values.tmpl.yaml
@@ -126,8 +126,8 @@ certgen:
 privileged: false
 readOnlyRootFilesystem: true
 runAsNonRoot: true
- runAsGroup: 65534
- runAsUser: 65534
+ runAsGroup: 65532
+ runAsUser: 65532
 seccompProfile:
 type: RuntimeDefault
 rbac:
diff --git a/site/content/en/latest/install/gateway-helm-api.md b/site/content/en/latest/install/gateway-helm-api.md
index 7ba5e5140c..851ed4b483 100644
--- a/site/content/en/latest/install/gateway-helm-api.md
+++ b/site/content/en/latest/install/gateway-helm-api.md
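Review bot: The hard-coded `runAsUser: 65532` / `runAsGroup: 65532` defaults in the certgen securityContext of values.tmpl.yaml carry no comment saying what the ID has to match, so the next maintainer cannot tell whether it is arbitrary or tied to the image. If the intent is to line up with the non-root user baked into the certgen image (65532 is the conventional `nonroot` ID in distroless bases, whereas 65534 is the shared `nobody` account), say so beside the values, e.g. `# must match the non-root UID/GID of the certgen image; override where admission policy assigns a UID range`. Clusters that pin a per-namespace UID range (OpenShift SCCs, for example) will reject a fixed ID outside that range, so the override path deserves a line in the chart docs. It is also worth confirming that the Envoy Gateway deployment's own securityContext, which is not visible in this hunk, uses the same ID. The securityContext block begins above the hunk.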
@@ -23,7 +23,7 @@ The Helm chart for Envoy Gateway | Key | Type | Default | Description | |-----|------|---------|-------------| -| certgen | object | `{"job":{"affinity":{},"annotations":{},"args":[],"nodeSelector":{},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. | +| certgen | object | `{"job":{"affinity":{},"annotations":{},"args":[],"nodeSelector":{},"resources":{},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}},"tolerations":[],"ttlSecondsAfterFinished":30},"rbac":{"annotations":{},"labels":{}}}` | Certgen is used to generate the certificates required by EnvoyGateway. If you want to construct a custom certificate, you can generate a custom certificate through Cert-Manager before installing EnvoyGateway. Certgen will not overwrite the custom certificate. Please do not manually modify `values.yaml` to disable certgen, it may cause EnvoyGateway OIDC,OAuth2,etc. to not work as expected. 
| | config.envoyGateway | object | `{"extensionApis":{},"gateway":{"controllerName":"gateway.envoyproxy.io/gatewayclass-controller"},"logging":{"level":{"default":"info"}},"provider":{"type":"Kubernetes"}}` | EnvoyGateway configuration. Visit https://gateway.envoyproxy.io/docs/api/extension_types/#envoygateway to view all options. | | createNamespace | bool | `false` | | | deployment.envoyGateway.image.repository | string | `""` | | diff --git a/test/helm/gateway-helm/certgen-args.out.yaml b/test/helm/gateway-helm/certgen-args.out.yaml index 166e1b85e3..522535614e 100644 --- a/test/helm/gateway-helm/certgen-args.out.yaml +++ b/test/helm/gateway-helm/certgen-args.out.yaml @@ -566,9 +566,9 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsGroup: 65534 + runAsGroup: 65532 runAsNonRoot: true - runAsUser: 65534 + runAsUser: 65532 seccompProfile: type: RuntimeDefault imagePullSecrets: [] diff --git a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml index 7be6626330..3449d7f574 100644 --- a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml +++ b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml @@ -564,9 +564,9 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsGroup: 65534 + runAsGroup: 65532 runAsNonRoot: true - runAsUser: 65534 + runAsUser: 65532 seccompProfile: type: RuntimeDefault imagePullSecrets: [] diff --git a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml index b59dfb5b79..0a116813bf 100644 --- a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml +++ b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml @@ -579,9 +579,9 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsGroup: 65534 + runAsGroup: 65532 runAsNonRoot: true - runAsUser: 65534 + runAsUser: 65532 seccompProfile: type: RuntimeDefault imagePullSecrets: [] 
diff --git a/test/helm/gateway-helm/default-config.out.yaml b/test/helm/gateway-helm/default-config.out.yaml index 4ebb13c564..8e26834df0 100644 --- a/test/helm/gateway-helm/default-config.out.yaml +++ b/test/helm/gateway-helm/default-config.out.yaml @@ -564,9 +564,9 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsGroup: 65534 + runAsGroup: 65532 runAsNonRoot: true - runAsUser: 65534 + runAsUser: 65532 seccompProfile: type: RuntimeDefault imagePullSecrets: [] diff --git a/test/helm/gateway-helm/deployment-custom-topology.out.yaml b/test/helm/gateway-helm/deployment-custom-topology.out.yaml index 4d30304444..6320e3e562 100644 --- a/test/helm/gateway-helm/deployment-custom-topology.out.yaml +++ b/test/helm/gateway-helm/deployment-custom-topology.out.yaml @@ -592,9 +592,9 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsGroup: 65534 + runAsGroup: 65532 runAsNonRoot: true - runAsUser: 65534 + runAsUser: 65532 seccompProfile: type: RuntimeDefault imagePullSecrets: [] diff --git a/test/helm/gateway-helm/deployment-images-config.out.yaml b/test/helm/gateway-helm/deployment-images-config.out.yaml index 307abf9ee7..4293135b83 100644 --- a/test/helm/gateway-helm/deployment-images-config.out.yaml +++ b/test/helm/gateway-helm/deployment-images-config.out.yaml @@ -566,9 +566,9 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsGroup: 65534 + runAsGroup: 65532 runAsNonRoot: true - runAsUser: 65534 + runAsUser: 65532 seccompProfile: type: RuntimeDefault imagePullSecrets: diff --git a/test/helm/gateway-helm/deployment-priorityclass.out.yaml b/test/helm/gateway-helm/deployment-priorityclass.out.yaml index 389e070beb..ed6efd113c 100644 --- a/test/helm/gateway-helm/deployment-priorityclass.out.yaml +++ b/test/helm/gateway-helm/deployment-priorityclass.out.yaml 
@@ -565,9 +565,9 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsGroup: 65534 + runAsGroup: 65532 runAsNonRoot: true - runAsUser: 65534 + runAsUser: 65532 seccompProfile: type: RuntimeDefault imagePullSecrets: [] diff --git a/test/helm/gateway-helm/deployment-repo-no-registry.out.yaml b/test/helm/gateway-helm/deployment-repo-no-registry.out.yaml index c4e9d0ef80..5eda190b66 100644 --- a/test/helm/gateway-helm/deployment-repo-no-registry.out.yaml +++ b/test/helm/gateway-helm/deployment-repo-no-registry.out.yaml @@ -564,9 +564,9 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsGroup: 65534 + runAsGroup: 65532 runAsNonRoot: true - runAsUser: 65534 + runAsUser: 65532 seccompProfile: type: RuntimeDefault imagePullSecrets: [] diff --git a/test/helm/gateway-helm/envoy-gateway-config.out.yaml b/test/helm/gateway-helm/envoy-gateway-config.out.yaml index 5a85a78ee5..5daf257e9e 100644 --- a/test/helm/gateway-helm/envoy-gateway-config.out.yaml +++ b/test/helm/gateway-helm/envoy-gateway-config.out.yaml @@ -566,9 +566,9 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsGroup: 65534 + runAsGroup: 65532 runAsNonRoot: true - runAsUser: 65534 + runAsUser: 65532 seccompProfile: type: RuntimeDefault imagePullSecrets: [] diff --git a/test/helm/gateway-helm/global-images-config.out.yaml b/test/helm/gateway-helm/global-images-config.out.yaml index cdbf6a72e0..4b16e72fd8 100644 --- a/test/helm/gateway-helm/global-images-config.out.yaml +++ b/test/helm/gateway-helm/global-images-config.out.yaml @@ -570,9 +570,9 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsGroup: 65534 + runAsGroup: 65532 runAsNonRoot: true - runAsUser: 65534 + runAsUser: 65532 seccompProfile: type: RuntimeDefault imagePullSecrets: diff --git a/test/helm/gateway-helm/global-pullsecrets-override-deployment.out.yaml b/test/helm/gateway-helm/global-pullsecrets-override-deployment.out.yaml index a4e0af0c41..1608b5d669 100644 
--- a/test/helm/gateway-helm/global-pullsecrets-override-deployment.out.yaml +++ b/test/helm/gateway-helm/global-pullsecrets-override-deployment.out.yaml @@ -570,9 +570,9 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsGroup: 65534 + runAsGroup: 65532 runAsNonRoot: true - runAsUser: 65534 + runAsUser: 65532 seccompProfile: type: RuntimeDefault imagePullSecrets: diff --git a/test/helm/gateway-helm/global-pullsecrets-override-global.out.yaml b/test/helm/gateway-helm/global-pullsecrets-override-global.out.yaml index b9541ddf71..e8c80cfec5 100644 --- a/test/helm/gateway-helm/global-pullsecrets-override-global.out.yaml +++ b/test/helm/gateway-helm/global-pullsecrets-override-global.out.yaml @@ -570,9 +570,9 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsGroup: 65534 + runAsGroup: 65532 runAsNonRoot: true - runAsUser: 65534 + runAsUser: 65532 seccompProfile: type: RuntimeDefault imagePullSecrets: diff --git a/test/helm/gateway-helm/global-registry-override-deployment.out.yaml b/test/helm/gateway-helm/global-registry-override-deployment.out.yaml index 8d748f296d..bdb0b09872 100644 --- a/test/helm/gateway-helm/global-registry-override-deployment.out.yaml +++ b/test/helm/gateway-helm/global-registry-override-deployment.out.yaml @@ -564,9 +564,9 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsGroup: 65534 + runAsGroup: 65532 runAsNonRoot: true - runAsUser: 65534 + runAsUser: 65532 seccompProfile: type: RuntimeDefault imagePullSecrets: [] diff --git a/test/helm/gateway-helm/global-registry-override-global.out.yaml b/test/helm/gateway-helm/global-registry-override-global.out.yaml index 11ccd7d315..2982fadf1f 100644 --- a/test/helm/gateway-helm/global-registry-override-global.out.yaml +++ b/test/helm/gateway-helm/global-registry-override-global.out.yaml 
@@ -564,9 +564,9 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsGroup: 65534 + runAsGroup: 65532 runAsNonRoot: true - runAsUser: 65534 + runAsUser: 65532 seccompProfile: type: RuntimeDefault imagePullSecrets: [] diff --git a/test/helm/gateway-helm/horizontal-pod-autoscaler.out.yaml b/test/helm/gateway-helm/horizontal-pod-autoscaler.out.yaml index 5f4a42ef05..86857ac398 100644 --- a/test/helm/gateway-helm/horizontal-pod-autoscaler.out.yaml +++ b/test/helm/gateway-helm/horizontal-pod-autoscaler.out.yaml @@ -595,9 +595,9 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsGroup: 65534 + runAsGroup: 65532 runAsNonRoot: true - runAsUser: 65534 + runAsUser: 65532 seccompProfile: type: RuntimeDefault imagePullSecrets: [] diff --git a/test/helm/gateway-helm/service-customization.out.yaml b/test/helm/gateway-helm/service-customization.out.yaml index bec59b8914..872289ab7f 100644 --- a/test/helm/gateway-helm/service-customization.out.yaml +++ b/test/helm/gateway-helm/service-customization.out.yaml @@ -567,9 +567,9 @@ spec: - ALL privileged: false readOnlyRootFilesystem: true - runAsGroup: 65534 + runAsGroup: 65532 runAsNonRoot: true - runAsUser: 65534 + runAsUser: 65532 seccompProfile: type: RuntimeDefault imagePullSecrets: []