Merge c61ebc7880 into a647bc1b7a

.github/workflows/ci.yaml

@@ -64,6 +64,7 @@ jobs:
               - 'NGINX_BASE'
             charts:
               - 'charts/ingress-nginx/Chart.yaml'
+              - 'charts/ingress-nginx/values.schema.json'
               - 'charts/ingress-nginx/**/*'
               - 'NGINX_BASE'
             baseimage:
@@ -227,13 +228,24 @@ jobs:
       - name: Run chart-testing (lint)
         run: ct lint --config ./.ct.yaml
 
+      - name: Run helm-schema
+        run: |
+          GOBIN=$PWD GO111MODULE=on go install github.com/dadav/helm-schema/cmd/helm-schema@0.12.0
+          ./helm-schema --chart-search-root=${GITHUB_WORKSPACE}/charts --skip-auto-generation title,description,required,default,additionalProperties
+          DIFF=$(git diff ${GITHUB_WORKSPACE}/charts/ingress-nginx/values.schema.json)
+          if [ ! -z "$DIFF" ]; then
+            echo "Please use dadav/helm-schema in your clone, of your fork, of the project, and commit a updated values.schema.json for the chart. https://github.com/kubernetes/ingress-nginx/blob/main/MANUAL_RELEASE.md#d-edit-the-valuesyaml-and-run-helm-schema-and-helm-docs"
+          fi
+          git diff --exit-code
+          rm -f ./helm-schema
+
       - name: Run helm-docs
         run: |
           GOBIN=$PWD GO111MODULE=on go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.11.0
           ./helm-docs --chart-search-root=${GITHUB_WORKSPACE}/charts
           DIFF=$(git diff ${GITHUB_WORKSPACE}/charts/ingress-nginx/README.md)
           if [ ! -z "$DIFF" ]; then
-            echo "Please use helm-docs in your clone, of your fork, of the project, and commit a updated README.md for the chart. https://github.com/kubernetes/ingress-nginx/blob/main/RELEASE.md#d-edit-the-valuesyaml-and-run-helm-docs"
+            echo "Please use helm-docs in your clone, of your fork, of the project, and commit a updated README.md for the chart. https://github.com/kubernetes/ingress-nginx/blob/main/MANUAL_RELEASE.md#d-edit-the-valuesyaml-and-run-helm-schema-and-helm-docs"
           fi
           git diff --exit-code
           rm -f ./helm-docs

MANUAL_RELEASE.md

@@ -225,20 +225,22 @@ Promoting the images basically means that images, that were pushed to staging co
           prlist_to_changelog.sh ~/Downloads/prlist.txt | tee ~/Downloads//changelog_content.txt
           ```
 
-### d. Edit the values.yaml and run helm-docs
+### d. Edit the values.yaml and run helm-schema and helm-docs
   - [Fields to edit in values.yaml](https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml)
 
     - tag
     - digest
 
-  - [helm-docs](https://github.com/norwoodj/helm-docs) is a tool that generates the README.md for a helm-chart automatically. In the CI pipeline workflow of github actions (/.github/workflows/ci.yaml), you can see how helm-docs is used. But the CI pipeline is not designed to make commits back into the project. So we need to run helm-docs manually, and check in the resulting autogenerated README.md at the path /charts/ingress-nginx/README.md 
+  - [helm-docs](https://github.com/norwoodj/helm-docs) and [helm-schema](https://github.com/dadav/helm-schema) are tools that generates the README.md and values.schema.json for a helm-chart automatically. In the CI pipeline workflow of github actions (/.github/workflows/ci.yaml), you can see how helm-docs and helm-schema are used. But the CI pipeline is not designed to make commits back into the project. So we need to run helm-docs and helm-schema manually, and check in the resulting autogenerated README.md and values.schema.json files located at the path /charts/ingress-nginx/
     ```
           GOBIN=$PWD GO111MODULE=on go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.11.0
+          GOBIN=$PWD GO111MODULE=on go install github.com/dadav/helm-schema/cmd/helm-schema@0.12.0
+          ./helm-schema --chart-search-root=${GITHUB_WORKSPACE}/charts --skip-auto-generation title,description,required,default,additionalProperties
           ./helm-docs --chart-search-root=${GITHUB_WORKSPACE}/charts
           git diff --exit-code
-          rm -f ./helm-docs
+          rm -f ./helm-docs ./helm-schema
     ```
-    Watchout for mistakes like leaving the helm-docs executable in your clone workspace or not checking the new README.md manually etc.
+    Watchout for mistakes like leaving the executables in your clone workspace or not checking the updated files manually etc.
 
 ### e. Edit the static manifests
 

charts/ingress-nginx/README.md

@@ -322,7 +322,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.hostPort.enabled | bool | `false` | Enable 'hostPort' or not |
 | controller.hostPort.ports.http | int | `80` | 'hostPort' http port |
 | controller.hostPort.ports.https | int | `443` | 'hostPort' https port |
-| controller.hostname | object | `{}` | Optionally customize the pod hostname. |
+| controller.hostname | string | `""` | Optionally customize the pod hostname. |
 | controller.image.allowPrivilegeEscalation | bool | `false` |  |
 | controller.image.chroot | bool | `false` |  |
 | controller.image.digest | string | `"sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce"` |  |
@@ -453,8 +453,8 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.service.internal.loadBalancerClass | string | `""` | Load balancer class of the internal controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class |
 | controller.service.internal.loadBalancerIP | string | `""` | Deprecated: Pre-defined IP address of the internal controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer |
 | controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access to the internal controller service. Values must be CIDRs. Allows any source address by default. |
-| controller.service.internal.nodePorts.http | string | `""` | Node port allocated for the internal HTTP listener. If left empty, the service controller allocates one from the configured node port range. |
+| controller.service.internal.nodePorts.http | int | `0` | Node port allocated for the internal HTTP listener. If left empty, the service controller allocates one from the configured node port range. |
-| controller.service.internal.nodePorts.https | string | `""` | Node port allocated for the internal HTTPS listener. If left empty, the service controller allocates one from the configured node port range. |
+| controller.service.internal.nodePorts.https | int | `0` | Node port allocated for the internal HTTPS listener. If left empty, the service controller allocates one from the configured node port range. |
 | controller.service.internal.nodePorts.tcp | object | `{}` | Node port mapping for internal TCP listeners. If left empty, the service controller allocates them from the configured node port range. Example: tcp:   8080: 30080 |
 | controller.service.internal.nodePorts.udp | object | `{}` | Node port mapping for internal UDP listeners. If left empty, the service controller allocates them from the configured node port range. Example: udp:   53: 30053 |
 | controller.service.internal.ports | object | `{}` |  |
@@ -467,13 +467,13 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.service.loadBalancerClass | string | `""` | Load balancer class of the external controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class |
 | controller.service.loadBalancerIP | string | `""` | Deprecated: Pre-defined IP address of the external controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer |
 | controller.service.loadBalancerSourceRanges | list | `[]` | Restrict access to the external controller service. Values must be CIDRs. Allows any source address by default. |
-| controller.service.nodePorts.http | string | `""` | Node port allocated for the external HTTP listener. If left empty, the service controller allocates one from the configured node port range. |
+| controller.service.nodePorts.http | int | `0` | Node port allocated for the external HTTP listener. If left empty, the service controller allocates one from the configured node port range. |
-| controller.service.nodePorts.https | string | `""` | Node port allocated for the external HTTPS listener. If left empty, the service controller allocates one from the configured node port range. |
+| controller.service.nodePorts.https | int | `0` | Node port allocated for the external HTTPS listener. If left empty, the service controller allocates one from the configured node port range. |
 | controller.service.nodePorts.tcp | object | `{}` | Node port mapping for external TCP listeners. If left empty, the service controller allocates them from the configured node port range. Example: tcp:   8080: 30080 |
 | controller.service.nodePorts.udp | object | `{}` | Node port mapping for external UDP listeners. If left empty, the service controller allocates them from the configured node port range. Example: udp:   53: 30053 |
 | controller.service.ports.http | int | `80` | Port the external HTTP listener is published with. |
 | controller.service.ports.https | int | `443` | Port the external HTTPS listener is published with. |
-| controller.service.sessionAffinity | string | `""` | Session affinity of the external controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity |
+| controller.service.sessionAffinity | string | `"None"` | Session affinity of the external controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity |
 | controller.service.targetPorts.http | string | `"http"` | Port of the ingress controller the external HTTP listener is mapped to. |
 | controller.service.targetPorts.https | string | `"https"` | Port of the ingress controller the external HTTPS listener is mapped to. |
 | controller.service.type | string | `"LoadBalancer"` | Type of the external controller service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |

charts/ingress-nginx/values.yaml

@@ -29,6 +29,9 @@ controller:
     tag: "v1.11.2"
     digest: sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce
     digestChroot: sha256:21b55a2f0213a18b91612a8c0850167e00a8e34391fd595139a708f9c047e7a8
+    # @schema
+    # enum: [IfNotPresent, Always, Never]
+    # @schema
     pullPolicy: IfNotPresent
     runAsNonRoot: true
     # -- This value must not be changed using the official image.
@@ -39,6 +42,9 @@ controller:
     runAsGroup: 82
     allowPrivilegeEscalation: false
     seccompProfile:
+      # @schema
+      # enum: [RuntimeDefault, Localhost, Unconfined]
+      # @schema
       type: RuntimeDefault
     readOnlyRootFilesystem: false
   # -- Use an existing PSP instead of creating one
@@ -60,6 +66,18 @@ controller:
   addHeaders: {}
   # -- Optionally customize the pod dnsConfig.
   dnsConfig: {}
+  # @schema
+  # type: array
+  # items:
+  #   type: object
+  #   properties:
+  #     ip:
+  #       type: string
+  #     hostnames:
+  #       type: array
+  #       items:
+  #         type: string
+  # @schema
   # -- Optionally customize the pod hostAliases.
   hostAliases: []
   # - ip: 127.0.0.1
@@ -71,7 +89,10 @@ controller:
   #   - foo.remote
   #   - bar.remote
   # -- Optionally customize the pod hostname.
-  hostname: {}
+  hostname: ""
+  # @schema
+  # enum: [ClusterFirst, ClusterFirstWithHostNet, Default, None]
+  # @schema
   # -- Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'.
   # By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller
   # to keep resolving names inside the k8s network, use ClusterFirstWithHostNet.
@@ -142,6 +163,17 @@ controller:
     # aliases:
     # - nginx-alias-1
     # - nginx-alias-2
+    # @schema
+    # type: object
+    # additionalProperties: false
+    # properties:
+    #   apiGroup:
+    #     type: string
+    #   kind:
+    #     type: string
+    #   name:
+    #     type: string
+    # @schema
     # -- A link to a custom resource containing additional configuration for the controller.
     # This is optional if the controller consuming this IngressClass does not require additional parameters.
     # Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class
@@ -157,6 +189,9 @@ controller:
   podLabels: {}
   #  key: value
 
+  # @schema
+  # $ref: https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.29.3/_definitions.json#/definitions/io.k8s.api.core.v1.PodSecurityContext
+  # @schema
   # -- Security context for controller pods
   podSecurityContext: {}
   # -- sysctls for controller pods
@@ -164,6 +199,9 @@ controller:
   sysctls: {}
   # sysctls:
   #   "net.core.somaxconn": "8192"
+  # @schema
+  # $ref: https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.29.3/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext
+  # @schema
   # -- Security context for controller containers
   containerSecurityContext: {}
   # -- Allows customization of the source of the IP address or FQDN to report
@@ -209,6 +247,11 @@ controller:
   ##   length-buckets: "10,20,30,40,50,60,70,80,90,100"
   ##   size-buckets: "10,100,1000,10000,100000,1e+06,1e+07"
 
+  # @schema
+  # type: array
+  # items:
+  #   $ref: https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.29.3/_definitions.json#/definitions/io.k8s.api.core.v1.EnvVar
+  # @schema
   # -- Additional environment variables to set
   extraEnvs: []
   # extraEnvs:
@@ -218,6 +261,9 @@ controller:
   #         key: FOO
   #         name: secret-resource
 
+  # @schema
+  # enum: [Deployment, DaemonSet]
+  # @schema
   # -- Use a `DaemonSet` or `Deployment`
   kind: Deployment
   # -- Annotations to be added to the controller Deployment or DaemonSet
@@ -231,6 +277,21 @@ controller:
   #  keel.sh/policy: patch
   #  keel.sh/trigger: poll
 
+  # @schema
+  # type: object
+  # additionalProperties: false
+  # properties:
+  #   type:
+  #     enum: [Recreate, RollingUpdate, OnDelete]
+  #   rollingUpdate:
+  #     type: object
+  #     additionalProperties: false
+  #     properties:
+  #       maxSurge:
+  #         type: [string, integer]
+  #       maxUnavailable:
+  #         type: [string, integer]
+  # @schema
   # -- The update strategy to apply to the Deployment or DaemonSet
   ##
   updateStrategy: {}
@@ -241,6 +302,23 @@ controller:
   # -- `minReadySeconds` to avoid killing pods before we are ready
   ##
   minReadySeconds: 0
+  # @schema
+  # type: array
+  # items:
+  #   additionalProperties: false
+  #   type: object
+  #   properties:
+  #     effect:
+  #       enum: [NoSchedule, PreferNoSchedule, NoExecute]
+  #     key:
+  #       type: string
+  #     operator:
+  #       enum: [Equal, Exists]
+  #     tolerationSeconds:
+  #       type: integer
+  #     value:
+  #       type: string
+  # @schema
   # -- Node tolerations for server scheduling to nodes with taints
   ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
   ##
@@ -250,6 +328,9 @@ controller:
   #    value: "value"
   #    effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
 
+  # @schema
+  # $ref: https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.29.3/_definitions.json#/definitions/io.k8s.api.core.v1.Affinity
+  # @schema
   # -- Affinity and anti-affinity rules for server scheduling to nodes
   ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
   ##
@@ -294,6 +375,11 @@ controller:
   #         - controller
   #     topologyKey: kubernetes.io/hostname
 
+  # @schema
+  # type: array
+  # items:
+  #   $ref: https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.29.3/_definitions.json#/definitions/io.k8s.api.core.v1.TopologySpreadConstraint
+  # @schema
   # -- Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in.
   ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
   ##
@@ -324,6 +410,9 @@ controller:
   ##
   nodeSelector:
     kubernetes.io/os: linux
+  # @schema
+  # $ref: https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.29.3/_definitions.json#/definitions/io.k8s.api.core.v1.Probe
+  # @schema
   ## Liveness and readiness probe values
   ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
   ##
@@ -349,6 +438,9 @@ controller:
     timeoutSeconds: 1
     successThreshold: 1
     failureThreshold: 5
+  # @schema
+  # $ref: https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.29.3/_definitions.json#/definitions/io.k8s.api.core.v1.Probe
+  # @schema
   readinessProbe:
     httpGet:
       # should match container.healthCheckPath
@@ -381,6 +473,17 @@ controller:
   ## ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903
   ## Ideally, there should be no limits.
   ## https://engineering.indeedblog.com/blog/2019/12/cpu-throttling-regression-fix/
+  # @schema
+  # type: object
+  # additionalProperties: false
+  # properties: {}
+  # patternProperties:
+  #   "(^limits$)|(^requests$)":
+  #     additionalProperties: false
+  #     type: object
+  #     patternProperties:
+  #       "(^cpu$)|(^memory$)|(ephemeral-storage$)|(hugepages-.+$)": { type: [string, integer] }
+  # @schema
   resources:
     ##  limits:
     ##    cpu: 100m
@@ -479,6 +582,9 @@ controller:
     annotations: {}
     # -- Labels to be added to both controller services.
     labels: {}
+    # @schema
+    # enum: [ClusterIP, NodePort, LoadBalancer]
+    # @schema
     # -- Type of the external controller service.
     # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
     type: LoadBalancer
@@ -492,6 +598,11 @@ controller:
     # -- Deprecated: Pre-defined IP address of the external controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP.
     # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
     loadBalancerIP: ""
+    # @schema
+    # type: array
+    # items:
+    #   type: string
+    # @schema
     # -- Restrict access to the external controller service. Values must be CIDRs. Allows any source address by default.
     loadBalancerSourceRanges: []
     # -- Load balancer class of the external controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default.
@@ -501,21 +612,35 @@ controller:
     # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
     # allocateLoadBalancerNodePorts: true
 
+    # @schema
+    # enum: [Cluster, Local, ""]
+    # @schema
     # -- External traffic policy of the external controller service. Set to "Local" to preserve source IP on providers supporting it.
     # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
     externalTrafficPolicy: ""
+    # @schema
+    # enum: [ClientIP, None]
+    # @schema
     # -- Session affinity of the external controller service. Must be either "None" or "ClientIP" if set. Defaults to "None".
     # Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity
-    sessionAffinity: ""
+    sessionAffinity: "None"
     # -- Specifies the health check node port (numeric port number) for the external controller service.
     # If not specified, the service controller allocates a port from your cluster's node port range.
     # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
     # healthCheckNodePort: 0
 
+    # @schema
+    # enum: [SingleStack, PreferDualStack, RequireDualStack]
+    # @schema
     # -- Represents the dual-stack capabilities of the external controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack.
     # Fields `ipFamilies` and `clusterIP` depend on the value of this field.
     # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
     ipFamilyPolicy: SingleStack
+    # @schema
+    # type: array
+    # items:
+    #   enum: [IPv4, IPv6]
+    # @schema
     # -- List of IP families (e.g. IPv4, IPv6) assigned to the external controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field.
     # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
     ipFamilies:
@@ -530,8 +655,14 @@ controller:
       # -- Port the external HTTPS listener is published with.
       https: 443
     targetPorts:
+      # @schema
+      # type: [integer, string]
+      # @schema
       # -- Port of the ingress controller the external HTTP listener is mapped to.
       http: http
+      # @schema
+      # type: [integer, string]
+      # @schema
       # -- Port of the ingress controller the external HTTPS listener is mapped to.
       https: https
     # -- Declare the app protocol of the external HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol.
@@ -539,9 +670,9 @@ controller:
     appProtocol: true
     nodePorts:
       # -- Node port allocated for the external HTTP listener. If left empty, the service controller allocates one from the configured node port range.
-      http: ""
+      http: 0
       # -- Node port allocated for the external HTTPS listener. If left empty, the service controller allocates one from the configured node port range.
-      https: ""
+      https: 0
       # -- Node port mapping for external TCP listeners. If left empty, the service controller allocates them from the configured node port range.
       # Example:
       # tcp:
@@ -558,6 +689,9 @@ controller:
       # -- Annotations to be added to the internal controller service. Mandatory for the internal controller service to be created. Varies with the cloud service.
       # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
       annotations: {}
+      # @schema
+      # enum: [ClusterIP, NodePort, LoadBalancer, ""]
+      # @schema
       # -- Type of the internal controller service.
       # Defaults to the value of `controller.service.type`.
       # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
@@ -581,9 +715,15 @@ controller:
       # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
       # allocateLoadBalancerNodePorts: true
 
+      # @schema
+      # enum: [Cluster, Local, ""]
+      # @schema
       # -- External traffic policy of the internal controller service. Set to "Local" to preserve source IP on providers supporting it.
       # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
       externalTrafficPolicy: ""
+      # @schema
+      # enum: [ClientIP, None, ""]
+      # @schema
       # -- Session affinity of the internal controller service. Must be either "None" or "ClientIP" if set. Defaults to "None".
       # Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity
       sessionAffinity: ""
@@ -592,14 +732,30 @@ controller:
       # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
       # healthCheckNodePort: 0
 
+      # @schema
+      # enum: [SingleStack, PreferDualStack, RequireDualStack]
+      # @schema
       # -- Represents the dual-stack capabilities of the internal controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack.
       # Fields `ipFamilies` and `clusterIP` depend on the value of this field.
       # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
       ipFamilyPolicy: SingleStack
+      # @schema
+      # type: array
+      # items:
+      #   enum: [IPv4, IPv6]
+      # @schema
       # -- List of IP families (e.g. IPv4, IPv6) assigned to the internal controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field.
       # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
       ipFamilies:
         - IPv4
+      # @schema
+      # type: object
+      # properties:
+      #   http:
+      #     type: integer
+      #   https:
+      #     type: integer
+      # @schema
       ports: {}
       # -- Port the internal HTTP listener is published with.
       # Defaults to the value of `controller.service.ports.http`.
@@ -608,6 +764,14 @@ controller:
       # Defaults to the value of `controller.service.ports.https`.
       # https: 443
 
+      # @schema
+      # type: object
+      # properties:
+      #   http:
+      #     type: [integer, string]
+      #   https:
+      #     type: [integer, string]
+      # @schema
       targetPorts: {}
       # -- Port of the ingress controller the internal HTTP listener is mapped to.
       # Defaults to the value of `controller.service.targetPorts.http`.
@@ -621,9 +785,9 @@ controller:
       appProtocol: true
       nodePorts:
         # -- Node port allocated for the internal HTTP listener. If left empty, the service controller allocates one from the configured node port range.
-        http: ""
+        http: 0
         # -- Node port allocated for the internal HTTPS listener. If left empty, the service controller allocates one from the configured node port range.
-        https: ""
+        https: 0
         # -- Node port mapping for internal TCP listeners. If left empty, the service controller allocates them from the configured node port range.
         # Example:
         # tcp:
@@ -637,6 +801,11 @@ controller:
   # shareProcessNamespace enables process namespace sharing within the pod.
   # This can be used for example to signal log rotation using `kill -USR1` from a sidecar.
   shareProcessNamespace: false
+  # @schema
+  # type: array
+  # items:
+  #   $ref: https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.29.3/_definitions.json#/definitions/io.k8s.api.core.v1.Container
+  # @schema
   # -- Additional containers to be added to the controller pod.
   # See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example.
   extraContainers: []
@@ -671,6 +840,11 @@ controller:
   #  - name: copy-portal-skins
   #    emptyDir: {}
 
+  # @schema
+  # type: array
+  # items:
+  #   $ref: https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.29.3/_definitions.json#/definitions/io.k8s.api.core.v1.Container
+  # @schema
   # -- Containers, which are run before the app containers are started.
   extraInitContainers: []
   # - name: init-myservice
@@ -718,6 +892,9 @@ controller:
       tag: v20240813-b933310d
       digest: sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922
       distroless: true
+    # @schema
+    # $ref: https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.29.3/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext
+    # @schema
     containerSecurityContext:
       runAsNonRoot: true
       # -- The image's default user, inherited from its base image `cgr.dev/chainguard/static`.
@@ -730,6 +907,17 @@ controller:
         drop:
           - ALL
       readOnlyRootFilesystem: true
+    # @schema
+    # type: object
+    # additionalProperties: false
+    # properties: {}
+    # patternProperties:
+    #   "(^limits$)|(^requests$)":
+    #     additionalProperties: false
+    #     type: object
+    #     patternProperties:
+    #       "(^cpu$)|(^memory$)|(ephemeral-storage$)|(hugepages-.+$)": { type: [string, integer] }
+    # @schema
     resources: {}
   admissionWebhooks:
     name: admission
@@ -740,6 +928,11 @@ controller:
     ## These annotations will be added to the ValidatingWebhookConfiguration and
     ## the Jobs Spec of the admission webhooks.
     enabled: true
+    # @schema
+    # type: array
+    # items:
+    #   $ref: https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.29.3/_definitions.json#/definitions/io.k8s.api.core.v1.EnvVar
+    # @schema
     # -- Additional environment variables to set
     extraEnvs: []
     # extraEnvs:
@@ -748,13 +941,30 @@ controller:
     #       secretKeyRef:
     #         key: FOO
     #         name: secret-resource
+    # @schema
+    # enum: [Fail, Ignore]
+    # @schema
     # -- Admission Webhook failure policy to use
     failurePolicy: Fail
     # timeoutSeconds: 10
     port: 8443
     certificate: "/usr/local/certificates/cert"
     key: "/usr/local/certificates/key"
+    # @schema
+    # anyOf:
+    # - $ref: https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.29.3/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector
+    # - type: object
+    #   additionalProperties: false
+    #   properties: {}
+    # @schema
     namespaceSelector: {}
+    # @schema
+    # anyOf:
+    # - $ref: https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.29.3/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector
+    # - type: object
+    #   additionalProperties: false
+    #   properties: {}
+    # @schema
     objectSelector: {}
     # -- Labels to be added to admission webhooks
     labels: {}
@@ -767,9 +977,15 @@ controller:
       # loadBalancerIP: ""
       loadBalancerSourceRanges: []
       servicePort: 443
+      # @schema
+      # enum: [ClusterIP, NodePort, LoadBalancer]
+      # @schema
       type: ClusterIP
     createSecretJob:
       name: create
+      # @schema
+      # $ref: https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.29.3/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext
+      # @schema
       # -- Security context for secret creation containers
       securityContext:
         runAsNonRoot: true
@@ -782,6 +998,17 @@ controller:
           drop:
             - ALL
         readOnlyRootFilesystem: true
+      # @schema
+      # type: object
+      # additionalProperties: false
+      # properties: {}
+      # patternProperties:
+      #   "(^limits$)|(^requests$)":
+      #     additionalProperties: false
+      #     type: object
+      #     patternProperties:
+      #       "(^cpu$)|(^memory$)|(ephemeral-storage$)|(hugepages-.+$)": { type: [string, integer] }
+      # @schema
       resources: {}
       # limits:
       #   cpu: 10m
@@ -791,6 +1018,9 @@ controller:
       #   memory: 20Mi
     patchWebhookJob:
       name: patch
+      # @schema
+      # $ref: https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.29.3/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext
+      # @schema
       # -- Security context for webhook patch containers
       securityContext:
         runAsNonRoot: true
@@ -803,6 +1033,17 @@ controller:
           drop:
             - ALL
         readOnlyRootFilesystem: true
+      # @schema
+      # type: object
+      # additionalProperties: false
+      # properties: {}
+      # patternProperties:
+      #   "(^limits$)|(^requests$)":
+      #     additionalProperties: false
+      #     type: object
+      #     patternProperties:
+      #       "(^cpu$)|(^memory$)|(ephemeral-storage$)|(hugepages-.+$)": { type: [string, integer] }
+      # @schema
       resources: {}
     patch:
       enabled: true
@@ -814,6 +1055,9 @@ controller:
         ## repository:
         tag: v1.4.3
         digest: sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3
+        # @schema
+        # enum: [IfNotPresent, Always, Never]
+        # @schema
         pullPolicy: IfNotPresent
       # -- Provide a priority class name to the webhook patching job
       ##
@@ -825,9 +1069,29 @@ controller:
         enabled: false
       nodeSelector:
         kubernetes.io/os: linux
+      # @schema
+      # type: array
+      # items:
+      #   additionalProperties: false
+      #   type: object
+      #   properties:
+      #     effect:
+      #       enum: [NoSchedule, PreferNoSchedule, NoExecute]
+      #     key:
+      #       type: string
+      #     operator:
+      #       enum: [Equal, Exists]
+      #     tolerationSeconds:
+      #       type: integer
+      #     value:
+      #       type: string
+      # @schema
       tolerations: []
       # -- Labels to be added to patch job resources
       labels: {}
+      # @schema
+      # $ref: https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.29.3/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext
+      # @schema
       # -- Security context for secret creation & webhook patch pods
       securityContext: {}
       # -- Admission webhook patch job RBAC
@@ -875,6 +1139,9 @@ controller:
       # loadBalancerIP: ""
       loadBalancerSourceRanges: []
       servicePort: 10254
+      # @schema
+      # enum: [ClusterIP, NodePort, LoadBalancer]
+      # @schema
       type: ClusterIP
       # externalTrafficPolicy: ""
       # nodePort: ""
@@ -970,6 +1237,9 @@ defaultBackend:
     ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
     ## repository:
     tag: "1.5"
+    # @schema
+    # enum: [IfNotPresent, Always, Never]
+    # @schema
     pullPolicy: IfNotPresent
     runAsNonRoot: true
     # nobody user -> uid 65534
@@ -986,9 +1256,17 @@ defaultBackend:
     create: true
     name: ""
     automountServiceAccountToken: true
+  # @schema
+  # type: array
+  # items:
+  #   $ref: https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.29.3/_definitions.json#/definitions/io.k8s.api.core.v1.EnvVar
+  # @schema
   # -- Additional environment variables to set for defaultBackend pods
   extraEnvs: []
   port: 8080
+  # @schema
+  # $ref: https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.29.3/_definitions.json#/definitions/io.k8s.api.core.v1.Probe
+  # @schema
   ## Readiness and liveness probes for default backend
   ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
   ##
@@ -998,12 +1276,30 @@ defaultBackend:
     periodSeconds: 10
     successThreshold: 1
     timeoutSeconds: 5
+  # @schema
+  # $ref: https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.29.3/_definitions.json#/definitions/io.k8s.api.core.v1.Probe
+  # @schema
   readinessProbe:
     failureThreshold: 6
     initialDelaySeconds: 0
     periodSeconds: 5
     successThreshold: 1
     timeoutSeconds: 5
+  # @schema
+  # type: object
+  # additionalProperties: false
+  # properties:
+  #   type:
+  #     enum: [Recreate, RollingUpdate, OnDelete]
+  #   rollingUpdate:
+  #     type: object
+  #     additionalProperties: false
+  #     properties:
+  #       maxSurge:
+  #         type: [string, integer]
+  #       maxUnavailable:
+  #         type: [string, integer]
+  # @schema
   # -- The update strategy to apply to the Deployment or DaemonSet
   ##
   updateStrategy: {}
@@ -1014,6 +1310,23 @@ defaultBackend:
   # -- `minReadySeconds` to avoid killing pods before we are ready
   ##
   minReadySeconds: 0
+  # @schema
+  # type: array
+  # items:
+  #   additionalProperties: false
+  #   type: object
+  #   properties:
+  #     effect:
+  #       enum: [NoSchedule, PreferNoSchedule, NoExecute]
+  #     key:
+  #       type: string
+  #     operator:
+  #       enum: [Equal, Exists]
+  #     tolerationSeconds:
+  #       type: integer
+  #     value:
+  #       type: string
+  # @schema
   # -- Node tolerations for server scheduling to nodes with taints
   ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
   ##
@@ -1023,6 +1336,9 @@ defaultBackend:
   #    value: "value"
   #    effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
 
+  # @schema
+  # $ref: https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.29.3/_definitions.json#/definitions/io.k8s.api.core.v1.Affinity
+  # @schema
   # -- Affinity and anti-affinity rules for server scheduling to nodes
   ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
   affinity: {}
@@ -1066,6 +1382,11 @@ defaultBackend:
   #         - default-backend
   #     topologyKey: kubernetes.io/hostname
 
+  # @schema
+  # type: array
+  # items:
+  #   $ref: https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.29.3/_definitions.json#/definitions/io.k8s.api.core.v1.TopologySpreadConstraint
+  # @schema
   # -- Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in.
   # Ref.: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
   topologySpreadConstraints: []
@@ -1085,8 +1406,14 @@ defaultBackend:
   #   topologyKey: kubernetes.io/hostname
   #   maxSkew: 1
   #   whenUnsatisfiable: ScheduleAnyway
+  # @schema
+  # $ref: https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.29.3/_definitions.json#/definitions/io.k8s.api.core.v1.PodSecurityContext
+  # @schema
   # -- Security context for default backend pods
   podSecurityContext: {}
+  # @schema
+  # $ref: https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.29.3/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext
+  # @schema
   # -- Security context for default backend containers
   containerSecurityContext: {}
   # -- Labels to add to the pod container metadata
@@ -1103,6 +1430,17 @@ defaultBackend:
   podAnnotations: {}
   replicaCount: 1
   minAvailable: 1
+  # @schema
+  # type: object
+  # additionalProperties: false
+  # properties: {}
+  # patternProperties:
+  #   "(^limits$)|(^requests$)":
+  #     additionalProperties: false
+  #     type: object
+  #     patternProperties:
+  #       "(^cpu$)|(^memory$)|(ephemeral-storage$)|(hugepages-.+$)": { type: [string, integer] }
+  # @schema
   resources: {}
   # limits:
   #   cpu: 10m
@@ -1111,16 +1449,43 @@ defaultBackend:
   #   cpu: 10m
   #   memory: 20Mi
 
+  # @schema
+  # type: array
+  # items:
+  #   $ref: https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.29.3/_definitions.json#/definitions/io.k8s.api.core.v1.VolumeMount
+  # @schema
   extraVolumeMounts: []
   ## Additional volumeMounts to the default backend container.
   #  - name: copy-portal-skins
   #    mountPath: /var/lib/lemonldap-ng/portal/skins
 
+  # @schema
+  # type: array
+  # items:
+  #   $ref: https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.29.3/_definitions.json#/definitions/io.k8s.api.core.v1.Volume
+  # @schema
   extraVolumes: []
   ## Additional volumes to the default backend pod.
   #  - name: copy-portal-skins
   #    emptyDir: {}
 
+  # @schema
+  # type: array
+  # items:
+  #   type: object
+  #   additionalProperties: false
+  #   properties:
+  #     name:
+  #       type: string
+  #     labels:
+  #       type: object
+  #       additionalProperties:
+  #         type: string
+  #     data:
+  #       type: object
+  #       additionalProperties:
+  #         type: string
+  # @schema
   extraConfigMaps: []
   ## Additional configmaps to the default backend pod.
   #  - name: my-extra-configmap-1
@@ -1158,6 +1523,9 @@ defaultBackend:
     # loadBalancerIP: ""
     loadBalancerSourceRanges: []
     servicePort: 80
+    # @schema
+    # enum: [ClusterIP, NodePort, LoadBalancer]
+    # @schema
     type: ClusterIP
   priorityClassName: ""
   # -- Labels to be added to the default backend resources
@@ -1176,6 +1544,15 @@ serviceAccount:
   automountServiceAccountToken: true
   # -- Annotations for the controller service account
   annotations: {}
+# @schema
+# type: array
+# items:
+#   additionalProperties: false
+#   type: object
+#   properties:
+#     name:
+#       type: string
+# @schema
 # -- Optional array of imagePullSecrets containing private registry credentials
 ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
 imagePullSecrets: []

test/e2e-image/namespace-overlays/admission/values.yaml

@@ -8,8 +8,8 @@ controller:
     digest:
     digestChroot:
   containerPort:
-    http: "1080"
+    http: 1080
-    https: "1443"
+    https: 1443
 
   extraArgs:
     http-port: "1080"

test/e2e-image/namespace-overlays/forwarded-port-headers/values.yaml

@@ -8,8 +8,8 @@ controller:
     digest:
     digestChroot:
   containerPort:
-    http: "1080"
+    http: 1080
-    https: "1443"
+    https: 1443
 
   extraArgs:
     http-port: "1080"

test/e2e-image/namespace-overlays/namespace-selector/values.yaml

@@ -8,8 +8,8 @@ controller:
     digest:
     digestChroot:
   containerPort:
-    http: "1080"
+    http: 1080
-    https: "1443"
+    https: 1443
 
   extraArgs:
     http-port: "1080"

test/e2e-image/namespace-overlays/validations/values.yaml

@@ -8,8 +8,8 @@ controller:
     digest:
     digestChroot:
   containerPort:
-    http: "1080"
+    http: 1080
-    https: "1443"
+    https: 1443
 
   extraArgs:
     http-port: "1080"