Installation with Helm
Introduction
This chart deploys the Angie Ingress Controller (ANIC) in a Kubernetes cluster.
Prerequisites
Note
All documentation should only be used with the latest stable version of ANIC.
Kubernetes 1.22+
Helm 3.0+
Download the ANIC image and push it to your personal registry.
Update the controller.image.repository field in the values.yaml file accordingly.
Custom Resource Definitions
By default, ANIC requires several Custom Resource Definitions (CRDs) to be installed in the cluster. The Helm client will install these definitions. If they are not installed, ANIC pods will not be ready.
Downloading the Chart
You can install the charts for ANIC from our repository. For access, please contact .
If you are not using custom resources that require these definitions (which corresponds to the controller.enableCustomResources parameter set to false), you can skip the installation of definitions by specifying --skip-crds in the helm install command.
Upgrading Definitions
To upgrade the definitions, download the chart source files as described in the Downloading the Chart section, and then run:
kubectl apply -f crds/
Note
You may see the following warning, which can be ignored:
Warning: kubectl apply should be used on resources created by either
kubectl create --save-config or kubectl apply
Removing Definitions
To remove the definitions, download the chart source files as described in the Downloading the Chart section, and then run:
kubectl delete -f crds/
Note
This command will remove all corresponding custom resources in your cluster across all namespaces. Make sure there are no custom resources in the cluster that you want to keep, and that no other ANIC releases are running.
Managing the Chart via Registry
Installing the Chart
To install the chart with the release name my-release (my-release is a name you choose; replace myregistry.host.ru/angie-ingress with the path in your personal registry):
helm repo add anic https://git.angie.software/api/packages/web-server/helm
helm install my-release anic/anic --set controller.image.repository=myregistry.host.ru/angie-ingress
This will install the latest edge version of ANIC from the container registry.
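The install command above sets a single value with --set; the security-relevant parameters from the Configuration table can be supplied together in a values file instead. This is an added example, not part of the original chart documentation: the file name, namespace names, secret name, CIDR range and digest are placeholders, and each comment gives the chart default from the table.

```yaml
# values-hardened.yaml: added example, not shipped with the chart.
controller:
  image:
    repository: myregistry.host.ru/angie-ingress   # replace with your registry path
    # Pin the image by digest so a re-pushed tag cannot change what runs.
    digest: "sha256:<digest-of-the-image-you-pushed>"   # placeholder; default: None

  hostNetwork: false             # default; keeps pods out of the host network namespace
  enableSnippets: false          # default; snippets insert raw Angie configuration
                                 # taken from Ingress/VirtualServer resources
  readOnlyRootFilesystem: true   # default: false

  # Restrict what the controller watches; the default "" means all namespaces.
  # In a values file the list is a plain string; the backslash escaping
  # mentioned in the Configuration table is needed only with --set.
  watchNamespace: "apps-prod,apps-staging"   # hypothetical namespaces

  # Use your own certificate for the default HTTPS server.
  defaultTLS:
    secret: "apps-prod/default-server-tls"   # hypothetical <namespace>/<name>

  angieStatus:
    enable: true
    port: 8080
    allowCidrs: "127.0.0.1,::1"   # default; widen only to the monitoring range you need

  service:
    type: LoadBalancer
    externalTrafficPolicy: Local   # default; preserves the original client IP
    loadBalancerSourceRanges:      # default [] applies no source restriction
      - 203.0.113.0/24             # constructed example range (TEST-NET-3)
```

Pass the file with `helm install my-release anic/anic -f values-hardened.yaml`; the same `-f` flag works with `helm upgrade`.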
Updating the Chart
Helm does not upgrade definitions during release upgrades. Before upgrading the release, refer to the Upgrading Definitions section.
To upgrade the release my-release:
helm upgrade my-release anic/anic --version 0.5.0
Removing the Chart
To remove the release my-release:
helm uninstall my-release
This command removes all Kubernetes components associated with the release and the release itself.
Removing the release does not remove the definitions. To remove the definitions, see the Removing Definitions section.
Configuration
The following table lists the configurable parameters of the Ingress Controller chart and their default values.
Parameter | Description | Default |
---|---|---|
controller.name | Name of the daemon set or deployment for ANIC. | Automatically generated |
controller.kind | Type of ANIC installation: deployment or daemonset. | deployment |
controller.annotations | Allows setting annotations for the deployment or daemon set. | {} |
controller.angiePro | Deploys ANIC for Angie PRO. | false |
controller.reloadTimeout | Timeout in milliseconds that ANIC waits for a successful reload of Angie after a change or at initial startup. | 60000 |
controller.hostNetwork | Allows ANIC pods to use the host network namespace. | false |
controller.dnsPolicy | DNS policy for ANIC pods. | ClusterFirst |
controller.debug | Enables debugging for Angie. Requires setting error-log-level: debug in ConfigMap via controller.config.entries. | false |
controller.logLevel | Log level for ANIC. | 1 |
controller.image.digest | Digest of the ANIC image. | None |
controller.image.repository | Repository for ANIC images. | myregistry.host.ru/angie-ingress |
controller.image.tag | Tag for the ANIC image. | 0.1.2 |
controller.image.pullPolicy | Pull policy for the ANIC image. | IfNotPresent |
controller.lifecycle | Lifecycle of ANIC pods. | {} |
controller.customConfigMap | Name of the custom ConfigMap used by ANIC. If a name is specified, the default configuration is ignored. | "" |
controller.config.name | Name of the ConfigMap used by ANIC. | Automatically generated |
controller.config.annotations | Annotations for the ConfigMap in ANIC. | {} |
controller.config.entries | Entries in the ConfigMap for configuring Angie. | {} |
controller.customPorts | List of custom ports that should be available in the ANIC pod. Follows standard Kubernetes YAML syntax for container ports. | [] |
controller.defaultTLS.cert | TLS certificate in base64 encoding for the default HTTPS server. Note: It is recommended to specify your own certificate. Alternatively, omitting the default server secret entirely will cause Angie to reject TLS connections to the server by default. | None |
controller.defaultTLS.key | TLS key in base64 encoding for the default HTTPS server. Note: It is recommended to specify your own key. Alternatively, omitting the default server secret entirely will cause Angie to reject TLS connections to the server by default. | None |
controller.defaultTLS.secret | Secret with the TLS certificate and key for the default HTTPS server. The value should follow the format: <namespace>/<name>. Used as an alternative to specifying the certificate and key via controller.defaultTLS.cert and controller.defaultTLS.key. Note: Alternatively, omitting the default server secret entirely will cause Angie to reject TLS connections to the server by default. | None |
controller.wildcardTLS.cert | TLS certificate in base64 encoding for each Ingress or VirtualServer node that has TLS enabled but no secret specified. If not specified, Angie will reject any attempt to establish a TLS connection for such Ingress or VirtualServer nodes. | None |
controller.wildcardTLS.key | TLS key in base64 encoding for each Ingress or VirtualServer node that has TLS enabled but no secret specified. If not specified, Angie will reject any attempt to establish a TLS connection for such Ingress or VirtualServer nodes. | None |
controller.wildcardTLS.secret | Secret with the TLS certificate and key for each Ingress or VirtualServer node that has TLS enabled but no secret specified. The value should follow the format: <namespace>/<name>. Used as an alternative to specifying the certificate and key via controller.wildcardTLS.cert and controller.wildcardTLS.key. | None |
controller.nodeSelector | Node selector for assigning ANIC pods. | {} |
controller.terminationGracePeriodSeconds | Graceful termination period for ANIC pods. | 30 |
controller.tolerations | Tolerations for ANIC pods. | [] |
controller.affinity | Affinity for ANIC pods. | {} |
controller.topologySpreadConstraints | Topology spread constraints for ANIC pods. | {} |
controller.env | Additional environment variables to be set on ANIC pods. | [] |
controller.volumes | Volumes for ANIC pods. | [] |
controller.volumeMounts | Volume mounts for ANIC pods. | [] |
controller.initContainers | Init containers for ANIC pods. | [] |
controller.extraContainers | Additional containers (e.g., sidecar) for Ingress Controller pods. | [] |
controller.resources | Resources for ANIC pods. | requests: cpu=100m,memory=128Mi |
controller.replicaCount | Number of replicas for the ANIC deployment. | 1 |
controller.ingressClass | ANIC class. An IngressClass resource with a name matching this class must be deployed. Otherwise, ANIC will not start. ANIC only processes resources that belong to its class, i.e., their resource field "ingressClassName" matches the class. ANIC processes all VirtualServer, VirtualServerRoute, and TransportServer resources that do not have the "ingressClassName" field in all Kubernetes versions. | angie |
controller.setAsDefaultIngress | New Ingress resources that do not specify the "ingressClassName" field will be assigned the class specified in controller.ingressClass. | false |
controller.watchNamespace | Comma-separated list of namespaces that ANIC should watch for resources. By default, ANIC watches all namespaces. Mutually exclusive with controller.watchNamespaceLabel. Note that when configuring multiple namespaces using the Helm CLI --set option, the string must be enclosed in double quotes, and commas escaped with a backslash, for example: --set controller.watchNamespace="default\,anic". | "" |
controller.watchNamespaceLabel | Configures ANIC to watch only namespaces with the given label (for example, foo=bar). By default, ANIC watches all namespaces. Mutually exclusive with the controller.watchNamespace setting. | "" |
controller.watchSecretNamespace | Comma-separated list of namespaces that the Ingress Controller should watch for Secret type resources. If this parameter is not set, ANIC watches the same namespaces for all resources. See also controller.watchNamespace and controller.watchNamespaceLabel. Note that when configuring multiple namespaces using the Helm CLI --set option, the string must be enclosed in double quotes, and commas escaped with a backslash, for example: --set controller.watchSecretNamespace="default\,angie-ingress". | "" |
controller.enableCustomResources | Enables custom resources. | true |
controller.enableTLSPassthrough | Enables TLS passthrough on port 443. Requires controller.enableCustomResources. | false |
controller.enableCertManager | Enables automatic management of x509 certificates for VirtualServer resources using cert-manager (cert-manager.io). Requires controller.enableCustomResources. | false |
controller.enableExternalDNS | Enables integration with ExternalDNS for configuring public DNS records for VirtualServer resources. Requires controller.enableCustomResources. | false |
controller.globalConfiguration.create | Creates a custom GlobalConfiguration resource. Requires controller.enableCustomResources. | false |
controller.globalConfiguration.spec | Specification of GlobalConfiguration to define global configuration parameters for ANIC. | {} |
controller.enableSnippets | Enables custom configuration snippets for Angie in Ingress, VirtualServer, VirtualServerRoute, and TransportServer resources. | false |
controller.healthStatus | Adds the "/angie-health" location on the default server. The location responds with a status code of 200 to any request. This is useful for external health checks of ANIC. | false |
controller.healthStatusURI | Sets the URI for the health status location on the default server. Requires controller.healthStatus. | "/angie-health" |
controller.angieStatus.enable | Enables the Angie API. | true |
controller.angieStatus.port | Sets the port on which the Angie API is accessible. | 8080 |
controller.angieStatus.allowCidrs | Adds IP or CIDR blocks to the allowed list for the Angie API. Multiple IPs or CIDRs are separated by commas. | 127.0.0.1,::1 |
controller.priorityClassName | Priority class for ANIC pods. | None |
controller.service.create | Creates a service to provide access to ANIC pods. | true |
controller.service.type | Type of service to create for ANIC. | LoadBalancer |
controller.service.externalTrafficPolicy | External traffic policy for the service. The Local value preserves the original client IP address. | Local |
controller.service.annotations | Annotations for the ANIC service. | {} |
controller.service.extraLabels | Extra labels for the service. | {} |
controller.service.loadBalancerIP | Static IP address for the load balancer. The controller.service.type must be set to LoadBalancer. The cloud provider must support this feature. | "" |
controller.service.externalIPs | List of external IP addresses for the ANIC service. | [] |
controller.service.loadBalancerSourceRanges | IP address ranges (CIDR) that are allowed to access the load balancer. The controller.service.type must be set to LoadBalancer. The cloud provider must support this feature. | [] |
controller.service.name | Name of the service. | Automatically generated |
controller.service.customPorts | List of custom ports that will be available through the ANIC service. Follows standard Kubernetes YAML syntax for service ports. | [] |
controller.service.httpPort.enable | Enables the HTTP port for the ANIC service. | true |
controller.service.httpPort.port | HTTP port for the ANIC service. | 80 |
controller.service.httpPort.nodePort | Custom NodePort for the HTTP port. The controller.service.type must be set to NodePort. | "" |
controller.service.httpPort.targetPort | Target port for the HTTP port of the ANIC service. | 80 |
controller.service.httpsPort.enable | Enables the HTTPS port for the ANIC service. | true |
controller.service.httpsPort.port | HTTPS port for the ANIC service. | 443 |
controller.service.httpsPort.nodePort | Custom NodePort for the HTTPS port. The controller.service.type must be set to NodePort. | "" |
controller.service.httpsPort.targetPort | Target port for the HTTPS port of the ANIC service. | 443 |
controller.serviceAccount.annotations | Annotations for the ANIC service account. | {} |
controller.serviceAccount.name | Name of the service account for ANIC pods. Used for RBAC. | Automatically generated |
controller.serviceAccount.imagePullSecretName | Name of the secret containing Docker registry credentials. The secret must be in the same namespace as the Helm release. | "" |
controller.serviceMonitor.name | Name of the serviceMonitor. | Automatically generated |
controller.serviceMonitor.create | Creates a custom ServiceMonitor resource. | false |
controller.serviceMonitor.labels | Kubernetes object labels to apply to the serviceMonitor object. | "" |
controller.serviceMonitor.selectorMatchLabels | Set of labels that allow selecting endpoints for the serviceMonitor. | "" |
controller.serviceMonitor.endpoints | List of endpoints allowed in this serviceMonitor. | "" |
controller.reportIngressStatus.enable | Adds the external address of the Ingress Controller to the address field in the status of Ingress resources. You also need to specify the source of the external address via an external service through controller.reportIngressStatus.externalService, or via controller.reportIngressStatus.ingressLink, or through the external-status-address entry in ConfigMap via controller.config.entries. Note: The value of controller.config.entries.external-status-address takes precedence over the others. | true |
controller.reportIngressStatus.externalService | Specifies the name of the LoadBalancer type service through which the Ingress Controller will be accessible externally. The external address of the service is used for reporting the status of Ingress, VirtualServer, and VirtualServerRoute resources. The value of controller.reportIngressStatus.enable must be set to true. The default value is automatically created and enabled when controller.service.create is true and controller.service.type is LoadBalancer. | Automatically generated |
controller.reportIngressStatus.ingressLink | Specifies the name of the IngressLink resource that provides access to ANIC pods through the BIG-IP system. The IP address of the BIG-IP system is used for reporting the status of Ingress, VirtualServer, and VirtualServerRoute resources. The value of controller.reportIngressStatus.enable must be set to true. | "" |
controller.reportIngressStatus.enableLeaderElection | Enables leader election to avoid situations where multiple replicas of the controller report the status of Ingress resources. The value of controller.reportIngressStatus.enable must be set to true. | true |
controller.reportIngressStatus.leaderElectionLockName | Specifies the name of the ConfigMap in the same namespace as the controller that is used for leader election locking. The value of controller.reportIngressStatus.enableLeaderElection must be set to true. | Automatically generated |
controller.reportIngressStatus.annotations | Annotations for the leader election ConfigMap. | {} |
controller.pod.annotations | Annotations for the ANIC pod. | {} |
controller.pod.extraLabels | Extra labels for the ANIC pod. | {} |
controller.readyStatus.enable | Enables the readiness endpoint "/angie-ready". The endpoint returns a success status code if Angie has loaded all configuration after startup. This also sets up the readiness check for ANIC pods, which uses the readiness endpoint. | true |
controller.readyStatus.port | HTTP port for the readiness endpoint. | 8081 |
controller.readyStatus.initialDelaySeconds | Number of seconds from the start of the ANIC pod until readiness checks are initiated. | 0 |
controller.enableLatencyMetrics | Enables latency metrics collection for upstreams. Requires prometheus.create. | false |
controller.minReadySeconds | Sets the minimum number of seconds that a newly created pod must be ready without failing any of its containers to be considered available; see the Kubernetes documentation. | 0 |
controller.autoscaling.enabled | Enables HorizontalPodAutoscaling. | false |
controller.autoscaling.annotations | Annotations for the HorizontalPodAutoscaler for ANIC. | {} |
controller.autoscaling.minReplicas | Minimum number of replicas for HPA. | 1 |
controller.autoscaling.maxReplicas | Maximum number of replicas for HPA. | 3 |
controller.autoscaling.targetCPUUtilizationPercentage | Target CPU utilization percentage. | 50 |
controller.autoscaling.targetMemoryUtilizationPercentage | Target memory utilization percentage. | 50 |
controller.podDisruptionBudget.enabled | Enables PodDisruptionBudget. | false |
controller.podDisruptionBudget.annotations | Annotations for the ANIC pod disruption budget. | {} |
controller.podDisruptionBudget.minAvailable | Number of ANIC pods that must be available. Mutually exclusive with the "maxUnavailable" setting. | 0 |
controller.podDisruptionBudget.maxUnavailable | Number of ANIC pods that may be unavailable. Mutually exclusive with the "minAvailable" setting. | 0 |
controller.strategy | Sets the strategy for replacing old pods with new ones. See the Kubernetes documentation on the deployment update strategy and the daemon set update strategy. | {} |
controller.disableIPV6 | Explicitly disables IPV6 listeners for nodes that do not support the IPV6 stack. | false |
controller.readOnlyRootFilesystem | Configures the root filesystem as read-only and adds volumes for temporary data. | false |
rbac.create | Configures RBAC. | true |
prometheus.create | Publishes Angie metrics in Prometheus format. | true |
prometheus.port | Configures the port for receiving metrics. | 9113 |
prometheus.scheme | Configures the HTTP scheme used for connections to the Prometheus endpoint. | http |
prometheus.secret | Namespace or name of the Kubernetes TLS secret. If a secret is specified, it is used to secure the Prometheus endpoint with TLS connections. | "" |