k8s/apps
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

vaultwarden restructure

Browse Source
This commit is contained in:
Philip Haupt
2025-08-27 00:15:12 +02:00
parent 2384144cd6
commit 56db75f1c4
5 changed files with 965 additions and 155 deletions
Download Patch File Download Diff File Expand all files Collapse all files

811
vaultwarden/src/values.yaml Normal file
View File

@@ -0,0 +1,811 @@
## Instruction: when adding a new value, follow https://github.com/dani-garcia/vaultwarden/blob/main/.env.template as much as possible.
## @section Kubernetes settings
##
image:
## @param image.registry Vaultwarden image registry
##
registry: docker.io
## @param image.repository Vaultwarden image repository
##
repository: vaultwarden/server
##
## @param image.tag Vaultwarden image tag
## Ref: https://hub.docker.com/r/vaultwarden/server/tags
##
tag: "1.34.3-alpine"
## @param image.pullPolicy Vaultwarden image pull policy
## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
##
pullPolicy: IfNotPresent
## @param image.pullSecrets Specify docker-registry secrets
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
## Example:
## pullSecrets:
## - name: myRegistryKeySecretName
##
pullSecrets: []
## @param image.extraSecrets Vaultwarden image extra secrets
## Example:
## extraSecrets:
## - key: SSO_CLIENT_SECRET
## value: secretStuff
##
extraSecrets: []
## @param image.extraVars Vaultwarden image extra vars
## Example:
## extraVars:
## - key: SSO_AUTHORITY
## value: https://bananaguy.com/auth
##
extraVars: []
## @param image.extraVarsCM Vaultwarden image extra vars ConfigMap
## Example:
## extraVarsCM: "vaultwarden-extra-vars"
extraVarsCM: ""
## @param image.extraVarsSecret Vaultwarden image extra vars Secret
## Example:
## extraVarsSecret: "vaultwarden-extra-vars"
extraVarsSecret: ""
## @param replicas Number of deployment replicas
##
replicas: 1
## @param fullnameOverride String to override the application name.
##
fullnameOverride: ""
## @param resourceType Can be either Deployment or StatefulSet
## Overwrite automatic resource type detection by specifying the resource type
##
resourceType: ""
## @param commonAnnotations Annotations for the deployment or statefulset
##
commonAnnotations: {}
## @param configMapAnnotations Add extra annotations to the configmap
##
configMapAnnotations: {}
## @param podAnnotations Add extra annotations to the pod
##
podAnnotations: {}
## @param commonLabels Additional labels for the deployment or statefulset
##
commonLabels: {}
## @param podLabels Add extra labels to the pod
##
podLabels: {}
## @param initContainers extra init containers for initializing the vaultwarden instance
##
initContainers: []
## @param sidecars extra containers running alongside the vaultwarden instance
##
sidecars: []
## @param extraVolumes Optionally specify extra list of additional volumes
##
extraVolumes: []
## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts
##
extraVolumeMounts: []
## @param nodeSelector Node labels for pod assignment
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
##
nodeSelector: {}
## @param affinity Affinity for pod assignment
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
##
affinity: {}
## @param tolerations Tolerations for pod assignment
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
## @param serviceAccount.create Create a service account
## @param serviceAccount.name Name of the service account to create
##
serviceAccount:
create: true
name: "vaultwarden-svc"
## @param podSecurityContext Pod security options
##
podSecurityContext:
{}
# fsGroup: 1001
# supplementalGroups:
# - 1001
## @param securityContext Default security options to run vault as read only container without privilege escalation
securityContext:
{}
# allowPrivilegeEscalation: false
# privileged: false
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsGroup: 1001
# runAsUser: 1001
# capabilities:
# drop:
# - ALL
## @param dnsConfig Pod DNS options
## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
dnsConfig: {}
## @param enableServiceLinks Enable service links, Kubernetes default is true
## Ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service
##
enableServiceLinks: true
## Extra objects
extraObjects: []
## @param extraObjects List of extra Kubernetes objects to create
## This can be used to add additional Kubernetes objects such as ConfigMaps, Secrets, or Custom Resources.
## Example:
## - apiVersion: isindir.github.com/v1alpha3
## kind: SopsSecret
## metadata:
## name: "{{ .Release.Name }}-sops-secret"
## spec:
## data:
## DB_STRING: ENC[AES256_GCM,data:******,iv:***,tag:***,type:str]
## sops: ...
## @section Reliability configuration
##
## Liveness probe configuration
##
livenessProbe:
## @param livenessProbe.enabled Enable liveness probe
##
enabled: true
## @param livenessProbe.initialDelaySeconds Delay before liveness probe is initiated
##
initialDelaySeconds: 5
## @param livenessProbe.timeoutSeconds How long to wait for the probe to succeed
##
timeoutSeconds: 1
## @param livenessProbe.periodSeconds How often to perform the probe
##
periodSeconds: 10
## @param livenessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful
##
successThreshold: 1
## @param livenessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed
##
failureThreshold: 10
## @param livenessProbe.path Path on which the probe is exposed, default is "/alive". Replace when using non-root path deployment
##
path: /alive
## Readiness probe configuration
##
readinessProbe:
## @param readinessProbe.enabled Enable readiness probe
##
enabled: true
## @param readinessProbe.initialDelaySeconds Delay before readiness probe is initiated
##
initialDelaySeconds: 5
## @param readinessProbe.timeoutSeconds How long to wait for the probe to succeed
##
timeoutSeconds: 1
## @param readinessProbe.periodSeconds How often to perform the probe
##
periodSeconds: 10
## @param readinessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful
##
successThreshold: 1
## @param readinessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed
##
failureThreshold: 3
## @param readinessProbe.path Path on which the probe is exposed, default is "/alive". Replace when using non-root path deployment
##
path: /alive
## Startup probe configuration
##
startupProbe:
## @param startupProbe.enabled Enable startup probe
##
enabled: false
## @param startupProbe.initialDelaySeconds Delay before startup probe is initiated
##
initialDelaySeconds: 5
## @param startupProbe.timeoutSeconds How long to wait for the probe to succeed
##
timeoutSeconds: 1
## @param startupProbe.periodSeconds How often to perform the probe
##
periodSeconds: 10
## @param startupProbe.successThreshold Minimum consecutive successes for the probe to be considered successful
##
successThreshold: 1
## @param startupProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed
##
failureThreshold: 10
## @param startupProbe.path Path on which the probe is exposed, default is "/alive". Replace when using non-root path deployment
##
path: /alive
## @param resources Resource configurations
##
resources:
{}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 300m
# memory: 1Gi
# requests:
# cpu: 50m
# memory: 256Mi
## @param strategy Resource configurations
##
strategy:
{}
# type: RollingUpdate
# rollingUpdate:
# maxSurge: 1
# maxUnavailable: 0
podDisruptionBudget:
## @param podDisruptionBudget.enabled Enable PodDisruptionBudget settings
# ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
enabled: false
## @param podDisruptionBudget.minAvailable Minimum number/percentage of pods that should remain scheduled.
# When it's set, maxUnavailable must be disabled by `maxUnavailable: null`
minAvailable: 1
## @param podDisruptionBudget.maxUnavailable Maximum number/percentage of pods that may be made unavailable
maxUnavailable: null
## @section Persistent data configuration
##
storage:
## @param storage.existingVolumeClaim If defined, the values here will be used for the data and
## attachments PV's. The custom values for data and attachments will be ignored if
## a value is set here
##
existingVolumeClaim:
{}
# claimName: "vaultwarden-pvc"
# dataPath: "/data"
# attachmentsPath: /data/attachments
## @param storage.data Data directory configuration, refer to values.yaml for parameters.
##
data:
{}
# name: "vaultwarden-data"
# size: "15Gi"
# class: ""
# path: "/data"
# keepPvc: false
# accessMode: "ReadWriteOnce"
## @param storage.attachments Attachments directory configuration, refer to values.yaml for parameters.
## By default, attachments/ is located inside the data directory.
##
attachments:
{}
# name: "vaultwarden-files"
# size: "100Gi"
# class: ""
# path: /files
# keepPvc: false
# accessMode: "ReadWriteOnce"
## @param webVaultEnabled Enable Web Vault
##
webVaultEnabled: "true"
## @section Database settings
##
database:
## @param database.type Database type, either mysql or postgresql
## Default is a sqlite database.
##
type: "default"
## @param database.host Database hostname or IP address
##
host: ""
## @param database.port Database port
## Default for MySQL is 3306, default for PostgreSQL is 5432
port: ""
## @param database.username Database username
##
username: ""
## @param database.password Database password
##
password: ""
## @param database.dbName Database name
##
dbName: ""
## @param database.uriOverride Manually specify the DB connection string
##
uriOverride: ""
## @param database.existingSecret Name of an existing secret containing either a single key with the database uri, or a separate key for username and password
##
existingSecret: ""
## @param database.existingSecretKey Key in the existing secret
##
existingSecretKey: ""
## @param database.existingSecretUserKey Key in the existing secret
##
existingSecretUserKey: username
## @param database.existingSecretPasswordKey Key in the existing secret
##
existingSecretPasswordKey: password
## @param database.connectionRetries Number of times to retry the database connection during startup, with 1 second delay between each retry, set to 0 to retry indefinitely.
##
connectionRetries: 15
## @param database.maxConnections Define the size of the connection pool used for connecting to the database.
##
maxConnections: 10
## @section Push Notifications
## Supported since 1.29.0.
## Refer to https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification for details
##
pushNotifications:
## @param pushNotifications.enabled Enable the push notification service
##
enabled: false
## @param pushNotifications.existingSecret Name of an existing secret containing the Bitwarden installation id and key
##
existingSecret: ""
installationId:
## @param pushNotifications.installationId.value Bitwarden installation id string
## Example: installationIdGoesHere
##
value: ""
## @param pushNotifications.installationId.existingSecretKey When using an existing secret, specify the key which contains the installation id.
## Example: INSTALLATION_ID
##
existingSecretKey: ""
installationKey:
## @param pushNotifications.installationKey.value Bitwarden installation key string
## Example: superSecretInstallationKey
##
value: ""
## @param pushNotifications.installationKey.existingSecretKey When using an existing secret, specify the key which contains the installation key.
## Example: INSTALLATION_KEY
##
existingSecretKey: ""
## @param pushNotifications.relayUri Change Bitwarden relay uri.
## Refer to https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification for details
##
relayUri: "https://push.bitwarden.com"
## @param pushNotifications.identityUri Change Bitwarden identity uri.
## Refer to https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification for details
##
identityUri: "https://identity.bitwarden.com"
## @section Scheduled jobs
##
## @param emergencyNotifReminderSched Cron schedule of the job that sends expiration reminders to emergency access grantors.
## Set to blank to disable this job.
##
emergencyNotifReminderSched: "0 3 * * * *"
## @param emergencyRqstTimeoutSched Cron schedule of the job that grants emergency access requests that have met the required wait time.
## Set to blank to disable this job.
##
emergencyRqstTimeoutSched: "0 7 * * * *"
## @param eventCleanupSched Cron schedule of the job that cleans old events from the event table.
## Set to blank to disable this job. Also without eventsDayRetain set, this job will not start.
##
eventCleanupSched: "0 10 0 * * *"
## @param eventsDayRetain Number of days to retain events stored in the database.
## If unset (the default), events are kept indefinitely and the scheduled job is disabled!
##
eventsDayRetain: ""
## @section General settings
##
## @param domain Domain name where the application is accessed
## Example: https://warden.contoso.com:8443
##
domain: ""
## @param sendsAllowed Controls whether users are allowed to create Bitwarden Sends.
##
sendsAllowed: "true"
## @param hibpApiKey HaveIBeenPwned API Key
##
hibpApiKey: ""
## @param orgAttachmentLimit Max Kilobytes of attachment storage allowed per organization.
## When this limit is reached, organization members will not be allowed to upload further attachments for ciphers owned by that organization.
##
orgAttachmentLimit: ""
## @param userAttachmentLimit Max kilobytes of attachment storage allowed per user.
## When this limit is reached, the user will not be allowed to upload further attachments.
##
userAttachmentLimit: ""
## @param userSendLimit Max kilobytes of send storage allowed per user.
## When this limit is reached, the user will not be allowed to upload further sends.
##
userSendLimit: ""
## @param trashAutoDeleteDays Number of days to wait before auto-deleting a trashed item.
## If unset (the default), trashed items are not auto-deleted.
## This setting applies globally, so make sure to inform all users of any changes to this setting.
##
trashAutoDeleteDays: ""
## @param signupsAllowed By default, anyone who can access your instance can register for a new account.
## To disable this, set this parameter to false. Even when signupsAllowed=false, an existing user who is
## an organization owner or admin can still invite new users. If you want to disable this as well, set
## invitationsAllowed to false. The vaultwarden admin can invite anyone via the admin page, regardless
## of any of the restrictions above
##
## If signupDomains is set, then the value of signupsAllowed is ignored
signupsAllowed: true
## @param signupsVerify Whether to require account verification for newly-registered users.
##
signupsVerify: "true"
## @param signupDomains List of domain names for users allowed to register. For example:
## example.com,example.net,example.org.
##
signupDomains: ""
## @param orgEventsEnabled Controls whether event logging is enabled for organizations
##
orgEventsEnabled: "false"
## @param orgCreationUsers Controls which users can create new orgs.
## Blank or 'all' means all users can create orgs.
## 'none' means no users can create orgs.
## A comma-separated list means only those users can create orgs.
##
orgCreationUsers: ""
## @param invitationsAllowed Even when registration is disabled, organization administrators or owners can
## invite users to join organization. After they are invited, they can register with the invited email even
## if signupsAllowed is actually set to false. You can disable this functionality completely by setting
## invitationsAllowed env variable to false
##
invitationsAllowed: true
## @param invitationOrgName String Name shown in the invitation emails that don't come from a specific organization
##
invitationOrgName: "Vaultwarden"
## @param invitationExpirationHours The number of hours after which an organization invite token, emergency access invite token,
## email verification token and deletion request token will expire (must be at least 1)
##
invitationExpirationHours: "120"
## @param emergencyAccessAllowed Controls whether users can enable emergency access to their accounts.
##
emergencyAccessAllowed: "true"
## @param emailChangeAllowed Controls whether users can change their email.
## This setting applies globally to all users
##
emailChangeAllowed: "true"
## @param showPassHint Controls whether a password hint should be shown directly in the web page if
## SMTP service is not configured. Not recommended for publicly-accessible instances
## as this provides unauthenticated access to potentially sensitive data.
##
showPassHint: "false"
## @section Advanced settings
##
## @param ipHeader Client IP Header, used to identify the IP of the client
##
ipHeader: "X-Real-IP"
## @param iconService The predefined icon services are: internal, bitwarden, duckduckgo, google.
##
iconService: "internal"
## @param iconRedirectCode Icon redirect code
##
iconRedirectCode: "302"
## @param iconBlacklistNonGlobalIps Whether block non-global IPs.
## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block
##
iconBlacklistNonGlobalIps: "true"
## @param experimentalClientFeatureFlags Comma separated list of experimental features to enable in clients, make sure to check which features are already enabled by default (.env.template)
## Possible values:
## - "autofill-overlay": Add an overlay menu to form fields for quick access to credentials.
## - "autofill-v2": Use the new autofill implementation.
## - "browser-fileless-import": Directly import credentials from other providers without a file.
## - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor.
##
experimentalClientFeatureFlags: null
## @param requireDeviceEmail Require new device emails. When a user logs in an email is required to be sent.
##
requireDeviceEmail: "false"
## @param extendedLogging Enable extended logging, which shows timestamps and targets in the logs
##
extendedLogging: "true"
## @param logTimestampFormat Timestamp format used in extended logging.
##
logTimestampFormat: "%Y-%m-%d %H:%M:%S.%3f"
logging:
## @param logging.logLevel Specify the log level
##
logLevel: ""
## @param logging.logFile Log to a file
##
logFile: ""
## Token for the admin interface, preferably an Argon2 PCH string
adminToken:
## @param adminToken.existingSecret Specify an existing Kubernetes secret containing the admin token. Also set adminToken.existingSecretKey.
## Example: admincreds_secret
##
existingSecret: ""
## @param adminToken.existingSecretKey When using adminToken.existingSecret, specify the key containing the token.
## Example: ADMIN_TOKEN
##
existingSecretKey: ""
## @param adminToken.value Plain or argon2 string containing the admin token.
## This example is the argon2 has of "R@ndomTokenString" (no quotes).
##
value: "$argon2id$v=19$m=19456,t=2,p=1$Vkx1VkE4RmhDMUhwNm9YVlhPQkVOZk1Yc1duSDdGRVYzd0Y5ZkgwaVg0Yz0$PK+h1ANCbzzmEKaiQfCjWw+hWFaMKvLhG2PjRanH5Kk"
## @param adminRateLimitSeconds Number of seconds, on average, between admin login requests from the same IP address before rate limiting kicks in.
##
adminRateLimitSeconds: "300"
## @param adminRateLimitMaxBurst Allow a burst of requests of up to this size, while maintaining the average indicated by adminRateLimitSeconds.
##
adminRateLimitMaxBurst: "3"
## @param timeZone Specify timezone different from the default (UTC).
## For example: "Europe/Berlin"
##
timeZone: ""
## @section BETA Features
##
## @param orgGroupsEnabled Controls whether group support is enabled for organizations
orgGroupsEnabled: "false"
## @section MFA/2FA settings
##
## Yubico (Yubikey) settings
## Reference: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Yubikey-OTP-authentication
##
yubico:
## @param yubico.clientId Yubico client ID
##
clientId: ""
## @param yubico.existingSecret Name of an existing secret containing the Yubico secret key. Also set yubico.secretKey.existingSecretKey.
##
existingSecret: ""
## Yubico secret key
##
secretKey:
## @param yubico.secretKey.value secretKey plain text
## Example: ABCDEABCDEABCDEABCDE=
##
value: ""
## @param yubico.secretKey.existingSecretKey When using an existing secret, specify the key which contains the secretKey.
## Example: YUBICO_SECRET_KEY
##
existingSecretKey: ""
## @param yubico.server Specify a Yubico server, otherwise the default servers will be used
##
server: ""
## Duo settings
## Reference: https://help.bitwarden.com/article/setup-two-step-login-duo/#create-a-duo-security-account
##
duo:
## @param duo.iKey Duo Integration Key
##
iKey: ""
## @param duo.existingSecret Name of an existing secret containing the Duo skey. Also set duo.sKey.existingSecretKey.
##
existingSecret: ""
## Duo secret key
##
sKey:
## @param duo.sKey.value sKey plain text
## Example: ABCDEABCDEABCDEABCDE=
##
value: ""
## @param duo.sKey.existingSecretKey When using an existing secret, specify the key which contains the sKey.
## Example: DUO_SKEY
##
existingSecretKey: ""
## @param duo.hostname Duo API hostname
##
hostname: ""
## @section SMTP Configuration
##
smtp:
## @param smtp.existingSecret Name of an existing secret containing the SMTP username and password. Also set smtp.username.existingSecretKey and smtp.password.existingSecretKey.
##
existingSecret: ""
## @param smtp.host SMTP host
##
host: ""
## @param smtp.security SMTP Encryption method
## Possible values:
## - starttls: explicit TLS using ports 587 or 25
## - force_tls: implicit TLS using port 465
## - off: no encryption, using port 25, unless using STARTTLS
##
security: "starttls"
## @param smtp.port SMTP port
##
port: 25
## @param smtp.from SMTP sender email address
## Example: juan.delacruz@gmail.com
##
from: ""
## @param smtp.fromName SMTP sender FROM
##
fromName: ""
## Username for SMTP authentication.
##
username:
## @param smtp.username.value Username string for the SMTP authentication.
## Example: juan
##
value: ""
## @param smtp.username.existingSecretKey When using an existing secret, specify the key which contains the username.
## Example: SMTP_USERNAME
##
existingSecretKey: ""
## Password for SMTP authentication.
##
password:
## @param smtp.password.value Password string for the SMTP authentication.
## Example: Sup3rsecurepa$$word
##
value: ""
## @param smtp.password.existingSecretKey When using an existing secret, specify the key which contains the password.
## Example: SMTP_PASSWORD
##
existingSecretKey: ""
## @param smtp.authMechanism SMTP authentication mechanism
## Possible values: "Plain", "Login", "Xoauth2"
## Multiple options need to be separated by a comma. (not tested)
##
authMechanism: "Plain"
## @param smtp.acceptInvalidHostnames Accept Invalid Hostnames
##
acceptInvalidHostnames: "false"
## @param smtp.acceptInvalidCerts Accept Invalid Certificates
##
acceptInvalidCerts: "false"
## @param smtp.debug SMTP debugging
##
debug: false
## @section Exposure settings
##
## @param rocket.address Address to bind to
## @param rocket.port Rocket port
## @param rocket.workers Rocket number of workers
##
rocket:
address: "0.0.0.0"
port: "8080"
workers: "10"
## Service configuration
service:
## @param service.type Service type
##
type: "ClusterIP"
## @param service.annotations Additional annotations for the vaultwarden service
##
annotations: {}
## @param service.labels Additional labels for the service
##
labels: {}
## @param service.ipFamilyPolicy IP family policy for the service
##
ipFamilyPolicy: "SingleStack"
## @param service.sessionAffinity Session affinity
##
# sessionAffinity: ClientIP
sessionAffinity: ""
## @param service.sessionAffinityConfig Session affinity configuration
##
sessionAffinityConfig: {}
# sessionAffinityConfig:
# clientIP:
# timeoutSeconds: 10800
## Ingress configuration
## Refer to the README for some examples
##
ingress:
## @param ingress.enabled Deploy an ingress resource.
##
enabled: false
## @param ingress.class Ingress resource class
## The Ingress class to use, e. g. "nginx" for a nginx ingress controller or "alb" for a AWS LB controller.
#
class: "nginx"
## @param ingress.nginxIngressAnnotations Add nginx specific ingress annotations
## These annotations only make sense for the kubernetes nginx ingress controller (https://kubernetes.github.io/ingress-nginx/)
##
nginxIngressAnnotations: true
## @param ingress.additionalAnnotations Additional annotations for the ingress resource.
##
additionalAnnotations: {}
## @param ingress.labels Additional labels for the ingress resource.
##
labels: {}
## @param ingress.tls Enable TLS on the ingress resource.
##
tls: true
## @param ingress.hostname Hostname for the ingress.
##
hostname: "warden.contoso.com"
## @param ingress.additionalHostnames Additional hostnames for the ingress.
##
additionalHostnames: []
## @param ingress.path Default application path for the ingress
##
path: "/"
## @param ingress.pathType Path type for the ingress
## Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
##
pathType: "Prefix"
## @param ingress.tlsSecret Kubernetes secret containing the SSL certificate when using the "nginx" class.
##
tlsSecret: ""
## @param ingress.nginxAllowList Comma-separated list of IP addresses and subnets to allow.
##
nginxAllowList: ""
## @param ingress.customHeadersConfigMap ConfigMap containing custom headers to be added to the ingress.
## Requirement: First define the allowed response headers in global-allowed-response-headers.
## Ref: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#custom-headers
##
customHeadersConfigMap: {}
## TODO:
## - Add support for using cert-manager.
## - Support for multiple TLS hostnames.
##