diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 1f912ea09..91f4213c7 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -233,7 +233,9 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | Key | Type | Default | Description | |-----|------|---------|-------------| +| baseDomain | string | `""` | Domain of the service's FQDN. This value is set automatically. Do not overwrite it. | | commonLabels | object | `{}` | | +| configmap | object | `{}` | Deprecated, use `controller.config` instead. | | controller.addHeaders | object | `{}` | Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers | | controller.admissionWebhooks.annotations | object | `{}` | | | controller.admissionWebhooks.certManager.admissionCert.duration | string | `""` | | 
@@ -253,13 +255,12 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.admissionWebhooks.namespaceSelector | object | `{}` | | | controller.admissionWebhooks.objectSelector | object | `{}` | | | controller.admissionWebhooks.patch.enabled | bool | `true` | | -| controller.admissionWebhooks.patch.image.digest | string | `"sha256:44d1d0e9f19c63f58b380c5fddaca7cf22c7cee564adeff365225a5df5ef3334"` | | -| controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | | +| controller.admissionWebhooks.patch.image.digest | string | `""` | | +| controller.admissionWebhooks.patch.image.image | string | `"giantswarm/ingress-nginx-kube-webhook-certgen"` | | | controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | | -| controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` | | | controller.admissionWebhooks.patch.image.tag | string | `"v1.4.0"` | | | controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources | -| controller.admissionWebhooks.patch.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | +| controller.admissionWebhooks.patch.networkPolicy.enabled | bool | `true` | Enable 'networkPolicy' or not | | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | | | controller.admissionWebhooks.patch.podAnnotations | object | `{}` | | | controller.admissionWebhooks.patch.priorityClassName | string | `""` | Provide a priority class name to the webhook patching job # | 
@@ -279,13 +280,15 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.annotations | object | `{}` | Annotations to be added to the controller Deployment or DaemonSet # | | controller.autoscaling.annotations | object | `{}` | | | controller.autoscaling.behavior | object | `{}` | | -| controller.autoscaling.enabled | bool | `false` | | -| controller.autoscaling.maxReplicas | int | `11` | | -| controller.autoscaling.minReplicas | int | `1` | | -| controller.autoscaling.targetCPUUtilizationPercentage | int | `50` | | -| controller.autoscaling.targetMemoryUtilizationPercentage | int | `50` | | +| controller.autoscaling.enabled | bool | `true` | | +| controller.autoscaling.maxReplicas | int | `20` | | +| controller.autoscaling.minReplicas | int | `2` | | +| controller.autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| controller.autoscaling.targetMemoryUtilizationPercentage | int | `80` | | | controller.autoscalingTemplate | list | `[]` | | -| controller.config | object | `{}` | Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ | +| controller.config | object | `{"hsts":"false","strict-validate-path-type":"true"}` | Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ | +| controller.config.hsts | string | `"false"` | Enable HSTS or not. Disabled by default due to possible serious consequences. Ref: https://github.com/kubernetes/ingress-nginx/issues/549 | +| controller.config.strict-validate-path-type | string | `"true"` | Enable strict path type validation or not. Enabled by default for security reasons. Ref: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#strict-validate-path-type | | controller.configAnnotations | object | `{}` | Annotations to be added to the controller config configuration configmap. 
| | controller.configMapNamespace | string | `""` | Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE) | | controller.containerName | string | `"controller"` | Configures the controller container name | @@ -297,7 +300,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.dnsConfig | object | `{}` | Optionally customize the pod dnsConfig. | | controller.dnsPolicy | string | `"ClusterFirst"` | Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. | | controller.electionID | string | `""` | Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' | -| controller.enableAnnotationValidations | bool | `false` | | +| controller.enableAnnotationValidations | bool | `true` | | | controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # | | controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto" Defaults to false | | controller.existingPsp | string | `""` | Use an existing PSP instead of creating one | 
@@ -318,12 +321,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.hostname | object | `{}` | Optionally customize the pod hostname. | | controller.image.allowPrivilegeEscalation | bool | `false` | | | controller.image.chroot | bool | `false` | | -| controller.image.digest | string | `"sha256:42b3f0e5d0846876b1791cd3afeb5f1cbbe4259d6f35651dcc1b5c980925379c"` | | -| controller.image.digestChroot | string | `"sha256:7eb46ff733429e0e46892903c7394aff149ac6d284d92b3946f3baf7ff26a096"` | | -| controller.image.image | string | `"ingress-nginx/controller"` | | +| controller.image.digest | string | `""` | | +| controller.image.digestChroot | string | `""` | | +| controller.image.image | string | `"giantswarm/ingress-nginx-controller"` | | | controller.image.pullPolicy | string | `"IfNotPresent"` | | | controller.image.readOnlyRootFilesystem | bool | `false` | | -| controller.image.registry | string | `"registry.k8s.io"` | | | controller.image.runAsNonRoot | bool | `true` | | | controller.image.runAsUser | int | `101` | | | controller.image.seccompProfile.type | string | `"RuntimeDefault"` | | 
@@ -358,8 +360,9 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.livenessProbe.periodSeconds | int | `10` | | | controller.livenessProbe.successThreshold | int | `1` | | | controller.livenessProbe.timeoutSeconds | int | `1` | | +| controller.maxUnavailable | string | `"25%"` | Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. | | controller.maxmindLicenseKey | string | `""` | Maxmind license key to download GeoLite2 Databases. # https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases | -| controller.metrics.enabled | bool | `false` | | +| controller.metrics.enabled | bool | `true` | | | controller.metrics.port | int | `10254` | | | controller.metrics.portName | string | `"metrics"` | | | controller.metrics.prometheusRule.additionalLabels | object | `{}` | | 
@@ -373,17 +376,18 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.metrics.service.type | string | `"ClusterIP"` | | | controller.metrics.serviceMonitor.additionalLabels | object | `{}` | | | controller.metrics.serviceMonitor.annotations | object | `{}` | | -| controller.metrics.serviceMonitor.enabled | bool | `false` | | -| controller.metrics.serviceMonitor.metricRelabelings | list | `[]` | | +| controller.metrics.serviceMonitor.enabled | bool | `true` | | +| controller.metrics.serviceMonitor.metricRelabelings[0].action | string | `"drop"` | | +| controller.metrics.serviceMonitor.metricRelabelings[0].regex | string | `"nginx_ingress_controller_(bytes_sent_bucket|request_size_bucket|response_duration_seconds_bucket|response_size_bucket|request_duration_seconds_count|connect_duration_seconds_bucket|header_duration_seconds_bucket|bytes_sent_count|request_duration_seconds_sum|bytes_sent_sum|request_size_count|response_size_count|response_duration_seconds_sum|response_duration_seconds_count|ingress_upstream_latency_seconds|ingress_upstream_latency_seconds_sum|ingress_upstream_latency_seconds_count)"` | | +| controller.metrics.serviceMonitor.metricRelabelings[0].sourceLabels[0] | string | `"__name__"` | | | controller.metrics.serviceMonitor.namespace | string | `""` | | | controller.metrics.serviceMonitor.namespaceSelector | object | `{}` | | | controller.metrics.serviceMonitor.relabelings | list | `[]` | | | controller.metrics.serviceMonitor.scrapeInterval | string | `"30s"` | | | controller.metrics.serviceMonitor.targetLabels | list | `[]` | | -| controller.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. 
| | controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | controller.name | string | `"controller"` | | -| controller.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | +| controller.networkPolicy.enabled | bool | `true` | Enable 'networkPolicy' or not | | controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # | | controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | | | controller.opentelemetry.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | | @@ -392,10 +396,9 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.opentelemetry.containerSecurityContext.runAsUser | int | `65532` | The image's default user, inherited from its base image `cgr.dev/chainguard/static`. | | controller.opentelemetry.containerSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | | | controller.opentelemetry.enabled | bool | `false` | | -| controller.opentelemetry.image.digest | string | `"sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472"` | | +| controller.opentelemetry.image.digest | string | `""` | | | controller.opentelemetry.image.distroless | bool | `true` | | -| controller.opentelemetry.image.image | string | `"ingress-nginx/opentelemetry"` | | -| controller.opentelemetry.image.registry | string | `"registry.k8s.io"` | | +| controller.opentelemetry.image.image | string | `"giantswarm/ingress-nginx-opentelemetry"` | | | controller.opentelemetry.image.tag | string | `"v20230721-3e2062ee5"` | | | controller.opentelemetry.name | string | `"opentelemetry"` | | | controller.opentelemetry.resources | object | `{}` | | 
@@ -415,10 +418,10 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.readinessProbe.periodSeconds | int | `10` | | | controller.readinessProbe.successThreshold | int | `1` | | | controller.readinessProbe.timeoutSeconds | int | `1` | | -| controller.replicaCount | int | `1` | | +| controller.replicaCount | int | `2` | | | controller.reportNodeInternalIp | bool | `false` | Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network Ingress status was blank because there is no Service exposing the Ingress-Nginx Controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply | -| controller.resources.requests.cpu | string | `"100m"` | | -| controller.resources.requests.memory | string | `"90Mi"` | | +| controller.resources.requests.cpu | string | `"250m"` | | +| controller.resources.requests.memory | string | `"500Mi"` | | | controller.scope.enabled | bool | `false` | Enable 'scope' or not | | controller.scope.namespace | string | `""` | Namespace to limit the controller to; defaults to $(POD_NAMESPACE) | | controller.scope.namespaceSelector | string | `""` | When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces. | 
@@ -429,14 +432,16 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.service.enableHttps | bool | `true` | Enable the HTTPS listener on both controller services or not. | | controller.service.enabled | bool | `true` | Enable controller services or not. This does not influence the creation of either the admission webhook or the metrics service. | | controller.service.external.enabled | bool | `true` | Enable the external controller service or not. Useful for internal-only deployments. | +| controller.service.externalDNS.annotation | string | `"giantswarm.io/external-dns: managed"` | Annotation used so assign the external controller service to a specific ExternalDNS instance. | +| controller.service.externalDNS.enabled | bool | `true` | Add ExternalDNS annotations or not. | | controller.service.externalIPs | list | `[]` | List of node IP addresses at which the external controller service is available. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips | -| controller.service.externalTrafficPolicy | string | `""` | External traffic policy of the external controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip | +| controller.service.externalTrafficPolicy | string | `"Local"` | External traffic policy of the external controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip | | controller.service.internal.annotations | object | `{}` | Annotations to be added to the internal controller service. Mandatory for the internal controller service to be created. Varies with the cloud service. 
Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer | | controller.service.internal.appProtocol | bool | `true` | Declare the app protocol of the internal HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol | | controller.service.internal.clusterIP | string | `""` | Pre-defined cluster internal IP address of the internal controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address | | controller.service.internal.enabled | bool | `false` | Enable the internal controller service or not. Remember to configure `controller.service.internal.annotations` when enabling this. | | controller.service.internal.externalIPs | list | `[]` | List of node IP addresses at which the internal controller service is available. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips | -| controller.service.internal.externalTrafficPolicy | string | `""` | External traffic policy of the internal controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip | +| controller.service.internal.externalTrafficPolicy | string | `"Local"` | External traffic policy of the internal controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip | | controller.service.internal.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. 
IPv4, IPv6) assigned to the internal controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services | | controller.service.internal.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack capabilities of the internal controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. Fields `ipFamilies` and `clusterIP` depend on the value of this field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services | | controller.service.internal.loadBalancerClass | string | `""` | Load balancer class of the internal controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class | 
@@ -448,6 +453,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.service.internal.nodePorts.udp | object | `{}` | Node port mapping for internal UDP listeners. If left empty, the service controller allocates them from the configured node port range. Example: udp: 53: 30053 | | controller.service.internal.ports | object | `{}` | | | controller.service.internal.sessionAffinity | string | `""` | Session affinity of the internal controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity | +| controller.service.internal.subdomain | string | `"ingress-internal"` | Defines the sub-domain prepended to the base domain in the FQDN of the internal controller service reconciled by ExternalDNS. | | controller.service.internal.targetPorts | object | `{}` | | | controller.service.internal.type | string | `""` | Type of the internal controller service. Defaults to the value of `controller.service.type`. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types | | controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the external controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services | 
@@ -462,7 +468,9 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.service.nodePorts.udp | object | `{}` | Node port mapping for external UDP listeners. If left empty, the service controller allocates them from the configured node port range. Example: udp: 53: 30053 | | controller.service.ports.http | int | `80` | Port the external HTTP listener is published with. | | controller.service.ports.https | int | `443` | Port the external HTTPS listener is published with. | +| controller.service.public | bool | `true` | Makes the external controller service public or not. Adds annotations for making it internal if disabled. | | controller.service.sessionAffinity | string | `""` | Session affinity of the external controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity | +| controller.service.subdomain | string | `"ingress"` | Defines the sub-domain prepended to the base domain in the FQDN of the external controller service reconciled by ExternalDNS. | | controller.service.targetPorts.http | string | `"http"` | Port of the ingress controller the external HTTP listener is mapped to. | | controller.service.targetPorts.https | string | `"https"` | Port of the ingress controller the external HTTPS listener is mapped to. | | controller.service.type | string | `"LoadBalancer"` | Type of the external controller service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types | 
@@ -472,7 +480,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.tcp.configMapNamespace | string | `""` | Allows customization of the tcp-services-configmap; defaults to $(POD_NAMESPACE) | | controller.terminationGracePeriodSeconds | int | `300` | `terminationGracePeriodSeconds` to avoid killing pods before we are ready # wait up to five minutes for the drain of connections # | | controller.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ # | -| controller.topologySpreadConstraints | list | `[]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. # Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ # | +| controller.topologySpreadConstraints | list | `[{"labelSelector":{"matchLabels":{"app.kubernetes.io/component":"controller","app.kubernetes.io/instance":"{{ .Release.Name }}","app.kubernetes.io/name":"{{ include \"ingress-nginx.name\" . }}"}},"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"},{"labelSelector":{"matchLabels":{"app.kubernetes.io/component":"controller","app.kubernetes.io/instance":"{{ .Release.Name }}","app.kubernetes.io/name":"{{ include \"ingress-nginx.name\" . }}"}},"maxSkew":1,"topologyKey":"kubernetes.io/hostname","whenUnsatisfiable":"ScheduleAnyway"}]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. 
# Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ # | | controller.udp.annotations | object | `{}` | Annotations to be added to the udp config configmap | | controller.udp.configMapNamespace | string | `""` | Allows customization of the udp-services-configmap; defaults to $(POD_NAMESPACE) | | controller.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # | @@ -493,10 +501,9 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | defaultBackend.extraVolumeMounts | list | `[]` | | | defaultBackend.extraVolumes | list | `[]` | | | defaultBackend.image.allowPrivilegeEscalation | bool | `false` | | -| defaultBackend.image.image | string | `"defaultbackend-amd64"` | | +| defaultBackend.image.image | string | `"giantswarm/defaultbackend"` | | | defaultBackend.image.pullPolicy | string | `"IfNotPresent"` | | | defaultBackend.image.readOnlyRootFilesystem | bool | `true` | | -| defaultBackend.image.registry | string | `"registry.k8s.io"` | | | defaultBackend.image.runAsNonRoot | bool | `true` | | | defaultBackend.image.runAsUser | int | `65534` | | | defaultBackend.image.seccompProfile.type | string | `"RuntimeDefault"` | | 
@@ -510,7 +517,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | defaultBackend.minAvailable | int | `1` | | | defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | defaultBackend.name | string | `"defaultbackend"` | | -| defaultBackend.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | +| defaultBackend.networkPolicy.enabled | bool | `true` | Enable 'networkPolicy' or not | | defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # | | defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods # | | defaultBackend.podLabels | object | `{}` | Labels to add to the pod container metadata | 
@@ -535,10 +542,13 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | defaultBackend.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ # | | defaultBackend.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # | | dhParam | string | `""` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param | +| global.podSecurityStandards.enforced | bool | `false` | Wether Pod Security Standards are being used or not. This value is set automatically. Do not overwrite it. | +| image.registry | string | `"gsoci.azurecr.io"` | Registry host to pull images from. This value is set automatically. Do not overwrite it. | | imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | | namespaceOverride | string | `""` | Override the deployment namespace; defaults to .Release.Namespace | -| podSecurityPolicy.enabled | bool | `false` | | +| podSecurityPolicy.enabled | bool | `true` | | | portNamePrefix | string | `""` | Prefix for TCP and UDP ports names in ingress controller service # Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration | +| provider | string | `"aws"` | Provider the cluster is running on. This value is set automatically. Do not overwrite it. | | rbac.create | bool | `true` | | | rbac.scope | bool | `false` | | | revisionHistoryLimit | int | `10` | Rollback limit # | diff --git a/charts/ingress-nginx/templates/_helpers.tpl b/charts/ingress-nginx/templates/_helpers.tpl index 9ac2dc569..90c81a0b4 100644 
--- a/charts/ingress-nginx/templates/_helpers.tpl
+++ b/charts/ingress-nginx/templates/_helpers.tpl
@@ -135,6 +135,8 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/part-of: {{ template "ingress-nginx.name" . }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
+giantswarm.io/service-type: managed
+application.giantswarm.io/team: {{ index .Chart.Annotations "application.giantswarm.io/team" | quote }}
 {{- if .Values.commonLabels}}
 {{ toYaml .Values.commonLabels }}
 {{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
index 8271dc404..daa2e2e12 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
@@ -20,7 +20,7 @@ rules:
 verbs:
 - get
 - update
-{{- if .Values.podSecurityPolicy.enabled }}
+{{- if and .Values.podSecurityPolicy.enabled (not .Values.global.podSecurityStandards.enforced) }}
 - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}]
 resources: ['podsecuritypolicies']
 verbs: ['use']
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
index 0a21f856a..411ec1d67 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
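Review bot: `application.giantswarm.io/team` is read with `index .Chart.Annotations …`, which yields an empty string when the annotation is missing from Chart.yaml, so every labelled resource would silently carry `application.giantswarm.io/team: ""` instead of the render failing. Since the label is presumably used to route ownership, failing the render is the safer default: `application.giantswarm.io/team: {{ index .Chart.Annotations "application.giantswarm.io/team" | required "Chart.yaml must set the application.giantswarm.io/team annotation" | quote }}`. The `define` enclosing this labels helper starts before the hunk and, as far as the visible lines show, appears to end after it.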
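Review bot: The PSP gate `and .Values.podSecurityPolicy.enabled (not .Values.global.podSecurityStandards.enforced)` is now written out by hand here and again in admission-webhooks/job-patch/psp.yaml (and presumably in the other PSP templates this commit touches), so the two conditions can drift apart; a named template such as `{{- define "ingress-nginx.podSecurityPolicy.enabled" -}}{{ and .Values.podSecurityPolicy.enabled (not .Values.global.podSecurityStandards.enforced) }}{{- end -}}` in _helpers.tpl, used as `{{- if eq (include "ingress-nginx.podSecurityPolicy.enabled" .) "true" }}`, keeps the `use` grant and the PSP object in step. This matters more now that the README in this commit flips `podSecurityPolicy.enabled` to `true` by default, so `global.podSecurityStandards.enforced` is the only thing keeping the `podsecuritypolicies` `use` rule out of the ClusterRole on clusters that have moved to Pod Security Standards. Unlike psp.yaml, this hunk shows no `semverCompare` guard around the PSP rule; if one exists outside the hunk that is fine, otherwise the rule is still rendered on clusters where the resource no longer exists.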
@@ -42,7 +42,7 @@ spec:
 {{- end }}
 containers:
 - name: create
- {{- with .Values.controller.admissionWebhooks.patch.image }}
+ {{- with (merge .Values.controller.admissionWebhooks.patch.image .Values.image) }}
 image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }}
 {{- end }}
 imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
index ce9985aa5..3bb39db11 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
@@ -42,7 +42,7 @@ spec:
 {{- end }}
 containers:
 - name: patch
- {{- with .Values.controller.admissionWebhooks.patch.image }}
+ {{- with (merge .Values.controller.admissionWebhooks.patch.image .Values.image) }}
 image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }}
 {{- end }}
 imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml
index 8e5dc72ac..7bc71eb07 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml
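Review bot: The image line still renders `{{ if .digest }}@{{ .digest }}{{ end }}`, and the README hunk in this commit changes the default `controller.admissionWebhooks.patch.image.digest` to `""` (values.yaml itself is not in the diff, so this is inferred), which means the certgen job that creates and patches the webhook's TLS material is now pulled by the mutable tag `v1.4.0` alone rather than a pinned digest. Either carry a digest for the mirrored image or record in values.yaml why the pin was dropped; a comment on this line such as `{{- /* registry comes from .Values.image; pin a digest here for the certgen job where possible */ -}}` would make the expectation visible. Note also that sprig's `merge` writes the merged keys back into `.Values.controller.admissionWebhooks.patch.image` rather than returning a fresh map; harmless for a single `registry` key, but `(merge (deepCopy .Values.controller.admissionWebhooks.patch.image) .Values.image)` avoids later templates seeing a mutated value. The same applies to the job-patchWebhook hunk below and to the `controller.image` hunks in controller-daemonset.yaml and controller-deployment.yaml, whose digest defaults are emptied in the README as well.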
@@ -1,5 +1,5 @@
 {{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
-{{- if and .Values.podSecurityPolicy.enabled .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}}
+{{- if and .Values.podSecurityPolicy.enabled (not .Values.global.podSecurityStandards.enforced) .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
diff --git a/charts/ingress-nginx/templates/controller-configmap.yaml b/charts/ingress-nginx/templates/controller-configmap.yaml
index 662a16204..94deb9eb5 100644
--- a/charts/ingress-nginx/templates/controller-configmap.yaml
+++ b/charts/ingress-nginx/templates/controller-configmap.yaml
@@ -23,6 +23,9 @@ data:
 {{- if .Values.dhParam }}
 ssl-dh-param: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.controller.fullname" . }}
 {{- end }}
-{{- range $key, $value := .Values.controller.config }}
+{{- range $key, $value := merge .Values.controller.config .Values.configmap }}
 {{- $key | nindent 2 }}: {{ $value | quote }}
 {{- end }}
+{{- if and (or (eq .Values.provider "aws") (eq .Values.provider "capa")) (not (index .Values.controller.config "use-proxy-protocol")) }}
+ use-proxy-protocol: "true"
+{{- end }}
diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml
index 718e20c52..a2d389ee0 100644
--- a/charts/ingress-nginx/templates/controller-daemonset.yaml
+++ b/charts/ingress-nginx/templates/controller-daemonset.yaml
@@ -6,6 +6,7 @@ metadata:
 labels:
 {{- include "ingress-nginx.labels" . | nindent 4 }}
 app.kubernetes.io/component: controller
+ giantswarm.io/monitoring_basic_sli: "true"
 {{- with .Values.controller.labels }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
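Review bot: The guard `(not (index .Values.controller.config "use-proxy-protocol"))` in the controller-configmap hunk skips the fallback only when the user's value is truthy; a YAML boolean `false` (or an empty string) is falsy, so on `aws`/`capa` the `range` above emits `use-proxy-protocol: "false"` and this block then appends `use-proxy-protocol: "true"` as a duplicate key in the ConfigMap `data`, which the API server is likely to reject or resolve unpredictably. Test for presence rather than truthiness: `{{- if and (or (eq .Values.provider "aws") (eq .Values.provider "capa")) (not (hasKey .Values.controller.config "use-proxy-protocol")) }}`. Because sprig's `merge` on the `range` line mutates `.Values.controller.config` in place, the check also sees keys supplied through the deprecated `configmap` value; that is presumably intended, but a one-line comment saying so would stop someone "fixing" it later. A comment noting that this default assumes all traffic reaches the controller through the cloud load balancer that adds the PROXY header would also help, since once enabled nginx takes the client address from that header.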
@@ -76,7 +77,7 @@ spec:
 {{- end }}
 containers:
 - name: {{ .Values.controller.containerName }}
- {{- with .Values.controller.image }}
+ {{- with (merge .Values.controller.image .Values.image) }}
 image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}
 {{- end }}
 imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
@@ -183,13 +184,13 @@ spec:
 {{- if .Values.controller.extraModules }}
 {{- range .Values.controller.extraModules }}
 {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
- {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
+ {{- include "extraModules" (dict "name" .name "image" (merge .image $.Values.image) "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
 {{- end }}
 {{- end }}
 {{- if .Values.controller.opentelemetry.enabled }}
 {{- with .Values.controller.opentelemetry }}
 {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
- {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
+ {{- include "extraModules" (dict "name" .name "image" (merge .image $.Values.image) "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
 {{- end }}
 {{- end }}
 {{- end }}
diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml
index 879802779..bcd327add 100644
--- a/charts/ingress-nginx/templates/controller-deployment.yaml
+++ b/charts/ingress-nginx/templates/controller-deployment.yaml
@@ -6,6 +6,7 @@ metadata: labels: {{- include "ingress-nginx.labels" . | nindent 4 }} app.kubernetes.io/component: controller + giantswarm.io/monitoring_basic_sli: "true" {{- with .Values.controller.labels }} {{- toYaml . | nindent 4 }} {{- end }} @@ -79,7 +80,7 @@ spec: {{- end }} containers: - name: {{ .Values.controller.containerName }} - {{- with .Values.controller.image }} + {{- with (merge .Values.controller.image .Values.image) }} image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }} {{- end }} imagePullPolicy: {{ .Values.controller.image.pullPolicy }} @@ -186,13 +187,13 @@ spec: {{- if .Values.controller.extraModules }} {{- range .Values.controller.extraModules }} {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} - {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} + {{- include "extraModules" (dict "name" .name "image" (merge .image $.Values.image) "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} {{- end }} {{- end }} {{- if .Values.controller.opentelemetry.enabled }} {{- with .Values.controller.opentelemetry }} {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} - {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} + {{- include "extraModules" (dict "name" .name "image" (merge .image $.Values.image) "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} {{- end }} {{- end }} {{- end }} diff --git a/charts/ingress-nginx/templates/controller-psp.yaml b/charts/ingress-nginx/templates/controller-psp.yaml index aad1d2736..18221ca85 100644 
--- a/charts/ingress-nginx/templates/controller-psp.yaml +++ b/charts/ingress-nginx/templates/controller-psp.yaml @@ -1,5 +1,5 @@ {{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} -{{- if and .Values.podSecurityPolicy.enabled (empty .Values.controller.existingPsp) -}} +{{- if and .Values.podSecurityPolicy.enabled (not .Values.global.podSecurityStandards.enforced) (empty .Values.controller.existingPsp) -}} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/charts/ingress-nginx/templates/controller-role.yaml b/charts/ingress-nginx/templates/controller-role.yaml index a94b39978..b9e4c50c4 100644 --- a/charts/ingress-nginx/templates/controller-role.yaml +++ b/charts/ingress-nginx/templates/controller-role.yaml @@ -91,7 +91,7 @@ rules: - list - watch - get -{{- if .Values.podSecurityPolicy.enabled }} +{{- if and .Values.podSecurityPolicy.enabled (not .Values.global.podSecurityStandards.enforced) }} - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}] resources: ['podsecuritypolicies'] verbs: ['use'] diff --git a/charts/ingress-nginx/templates/controller-service-internal.yaml b/charts/ingress-nginx/templates/controller-service-internal.yaml index 950eb8f05..faae1e39f 100644 --- a/charts/ingress-nginx/templates/controller-service-internal.yaml +++ b/charts/ingress-nginx/templates/controller-service-internal.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.controller.service.enabled .Values.controller.service.internal.enabled .Values.controller.service.internal.annotations -}} +{{- if and .Values.controller.service.enabled .Values.controller.service.internal.enabled -}} apiVersion: v1 kind: Service metadata: 
@@ -6,6 +6,25 @@ metadata: {{- range $key, $value := .Values.controller.service.internal.annotations }} {{ $key }}: {{ tpl ($value | toString) $ | quote }} {{- end }} + {{- if and .Values.controller.service.externalDNS.enabled .Values.baseDomain }} + external-dns.alpha.kubernetes.io/hostname: "{{ .Values.controller.service.internal.subdomain }}.{{ .Values.baseDomain }}" + {{- if .Values.controller.service.externalDNS.annotation }} + {{ .Values.controller.service.externalDNS.annotation }} + {{- end }} + {{- end }} + {{- if eq .Values.controller.service.type "LoadBalancer" }} + {{- if or (eq .Values.provider "aws") (eq .Values.provider "capa") }} + service.beta.kubernetes.io/aws-load-balancer-internal: "true" + {{- if ne (index (merge .Values.controller.config .Values.configmap) "use-proxy-protocol") "false" }} + service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*" + {{- end }} + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + {{- else if or (eq .Values.provider "azure") (eq .Values.provider "capz") }} + service.beta.kubernetes.io/azure-load-balancer-internal: "true" + {{- else if eq .Values.provider "cloud-director" }} + service.beta.kubernetes.io/vcloud-avi-ssl-no-termination: "true" + {{- end }} + {{- end }} labels: {{- include "ingress-nginx.labels" . | nindent 4 }} app.kubernetes.io/component: controller diff --git a/charts/ingress-nginx/templates/controller-service.yaml b/charts/ingress-nginx/templates/controller-service.yaml index 74f608536..054b6be4c 100644 --- a/charts/ingress-nginx/templates/controller-service.yaml +++ b/charts/ingress-nginx/templates/controller-service.yaml 
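Review bot: The internal-load-balancer annotations are gated on `.Values.controller.service.type`, but the internal service's own type is `controller.service.internal.type`, which values.yaml says defaults to the external type and may differ; with `internal.type: LoadBalancer` and an external `type: NodePort` the AWS/Azure internal annotation is skipped and the cloud provider will typically provision an internet-facing load balancer for a service that is meant to be internal. Use the effective type, `{{- if eq (default .Values.controller.service.type .Values.controller.service.internal.type) "LoadBalancer" }}`. A `provider` value outside aws/capa/azure/capz/cloud-director also gets no internal annotation at all; if that is unsupported, rendering should fail rather than silently expose the service, e.g. `{{- else }}{{ fail (printf "no internal load balancer annotation known for provider %q" .Values.provider) }}` before the chain's closing `{{- end }}`. The `external-dns.alpha.kubernetes.io/hostname` value is interpolated between literal quotes instead of being piped through `quote`, so a `subdomain` containing a double quote breaks the manifest.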
@@ -6,6 +6,29 @@ metadata: {{- range $key, $value := .Values.controller.service.annotations }} {{ $key }}: {{ tpl ($value | toString) $ | quote }} {{- end }} + {{- if and .Values.controller.service.externalDNS.enabled .Values.baseDomain }} + external-dns.alpha.kubernetes.io/hostname: "{{ .Values.controller.service.subdomain }}.{{ .Values.baseDomain }}" + {{- if .Values.controller.service.externalDNS.annotation }} + {{ .Values.controller.service.externalDNS.annotation }} + {{- end }} + {{- end }} + {{- if eq .Values.controller.service.type "LoadBalancer" }} + {{- if or (eq .Values.provider "aws") (eq .Values.provider "capa") }} + {{- if not .Values.controller.service.public }} + service.beta.kubernetes.io/aws-load-balancer-internal: "true" + {{- end }} + {{- if ne (index (merge .Values.controller.config .Values.configmap) "use-proxy-protocol") "false" }} + service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*" + {{- end }} + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + {{- else if or (eq .Values.provider "azure") (eq .Values.provider "capz") }} + {{- if not .Values.controller.service.public }} + service.beta.kubernetes.io/azure-load-balancer-internal: "true" + {{- end }} + {{- else if eq .Values.provider "cloud-director" }} + service.beta.kubernetes.io/vcloud-avi-ssl-no-termination: "true" + {{- end }} + {{- end }} labels: {{- include "ingress-nginx.labels" . | nindent 4 }} app.kubernetes.io/component: controller diff --git a/charts/ingress-nginx/templates/default-backend-deployment.yaml b/charts/ingress-nginx/templates/default-backend-deployment.yaml index d342c8c35..569f6e3c7 100644 --- a/charts/ingress-nginx/templates/default-backend-deployment.yaml +++ b/charts/ingress-nginx/templates/default-backend-deployment.yaml 
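Review bot: `controller.service.public: false` only takes effect in the aws/capa and azure/capz branches; for `cloud-director` or any other `provider` value the flag is silently ignored and the service is still rendered as an externally reachable LoadBalancer. Since the values comment documents this flag as the way to make the external service internal, the template should refuse that combination, e.g. `{{- if not .Values.controller.service.public }}{{ fail (printf "controller.service.public=false is not supported for provider %q" .Values.provider) }}{{- end }}` placed before the provider chain's closing `{{- end }}`. The `externalDNS.annotation` string is spliced into the manifest as raw YAML by `{{ .Values.controller.service.externalDNS.annotation }}` (here and in the internal-service hunk), so a value with a newline or without `: ` becomes arbitrary or invalid metadata; rendering it from a map with `toYaml`, or at least documenting that it must be exactly one `key: value` pair, would be safer.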
@@ -50,7 +50,7 @@ spec: {{- end }} containers: - name: {{ template "ingress-nginx.name" . }}-default-backend - {{- with .Values.defaultBackend.image }} + {{- with (merge .Values.defaultBackend.image .Values.image) }} image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }} {{- end }} imagePullPolicy: {{ .Values.defaultBackend.image.pullPolicy }} diff --git a/charts/ingress-nginx/templates/default-backend-psp.yaml b/charts/ingress-nginx/templates/default-backend-psp.yaml index 424109109..b4c9ef854 100644 --- a/charts/ingress-nginx/templates/default-backend-psp.yaml +++ b/charts/ingress-nginx/templates/default-backend-psp.yaml @@ -1,5 +1,5 @@ {{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} -{{- if and .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled (empty .Values.defaultBackend.existingPsp) -}} +{{- if and .Values.podSecurityPolicy.enabled (not .Values.global.podSecurityStandards.enforced) .Values.defaultBackend.enabled (empty .Values.defaultBackend.existingPsp) -}} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/charts/ingress-nginx/templates/default-backend-role.yaml b/charts/ingress-nginx/templates/default-backend-role.yaml index dd7868aa0..b15af1316 100644 --- a/charts/ingress-nginx/templates/default-backend-role.yaml +++ b/charts/ingress-nginx/templates/default-backend-role.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}} +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled (not .Values.global.podSecurityStandards.enforced) .Values.defaultBackend.enabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: diff --git a/charts/ingress-nginx/templates/default-backend-rolebinding.yaml b/charts/ingress-nginx/templates/default-backend-rolebinding.yaml index 3203b6f57..aa3448ab9 100644 
--- a/charts/ingress-nginx/templates/default-backend-rolebinding.yaml +++ b/charts/ingress-nginx/templates/default-backend-rolebinding.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}} +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled (not .Values.global.podSecurityStandards.enforced) .Values.defaultBackend.enabled -}} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 5be9519df..7aeb2bacf 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -17,18 +17,18 @@ commonLabels: {} controller: name: controller - enableAnnotationValidations: false + enableAnnotationValidations: true image: ## Keep false as default for now! chroot: false - registry: registry.k8s.io - image: ingress-nginx/controller + # registry: registry.k8s.io + image: giantswarm/ingress-nginx-controller ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: tag: "v1.10.0" - digest: sha256:42b3f0e5d0846876b1791cd3afeb5f1cbbe4259d6f35651dcc1b5c980925379c - digestChroot: sha256:7eb46ff733429e0e46892903c7394aff149ac6d284d92b3946f3baf7ff26a096 + digest: "" + digestChroot: "" pullPolicy: IfNotPresent runAsNonRoot: true # www-data -> uid 101 
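Review bot: The `digest` and `digestChroot` pins are replaced with empty strings, so the controller image is now resolved only by the mutable tag `v1.10.0` from the mirror registry and the `ingress-nginx.imageDigest` helper presumably appends nothing; the opentelemetry and kube-webhook-certgen images in the later values hunks, and the README row, lose their pins the same way. Re-pin the mirrored images once their digests are known, `digest: "sha256:<digest of the mirrored controller image>"`, or add a comment next to the empty value explaining why the mirror is deliberately not pinned, so the loss of immutability is recorded as a decision rather than left looking like a placeholder.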
@@ -46,7 +46,13 @@ controller: http: 80 https: 443 # -- Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ - config: {} + config: + # -- Enable HSTS or not. Disabled by default due to possible serious consequences. + # Ref: https://github.com/kubernetes/ingress-nginx/issues/549 + hsts: "false" + # -- Enable strict path type validation or not. Enabled by default for security reasons. + # Ref: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#strict-validate-path-type + strict-validate-path-type: "true" # -- Annotations to be added to the controller config configuration configmap. configAnnotations: {} # -- Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers @@ -107,7 +113,7 @@ controller: # NetworkPolicy for controller component. networkPolicy: # -- Enable 'networkPolicy' or not - enabled: false + enabled: true # -- Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' electionID: "" # -- This section refers to the creation of the IngressClass resource. 
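Review bot: The comment on `hsts: "false"` reads as if HSTS were off upstream, but the ingress-nginx controller enables `hsts` by default, so this value is a deliberate downgrade for every TLS ingress served by the chart and the comment should say so, e.g. `# -- The controller enables HSTS by default; this chart turns it off because of the consequences described in kubernetes/ingress-nginx#549. Set to "true" once every host is known to be HTTPS-only.`. The `strict-validate-path-type` comment should likewise state whether it matches or overrides the controller's own default, since a reader cannot tell from the values file.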
@@ -288,23 +294,23 @@ controller: # -- Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ ## - topologySpreadConstraints: [] - # - labelSelector: - # matchLabels: - # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}' - # app.kubernetes.io/instance: '{{ .Release.Name }}' - # app.kubernetes.io/component: controller - # topologyKey: topology.kubernetes.io/zone - # maxSkew: 1 - # whenUnsatisfiable: ScheduleAnyway - # - labelSelector: - # matchLabels: - # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}' - # app.kubernetes.io/instance: '{{ .Release.Name }}' - # app.kubernetes.io/component: controller - # topologyKey: kubernetes.io/hostname - # maxSkew: 1 - # whenUnsatisfiable: ScheduleAnyway + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}' + app.kubernetes.io/instance: '{{ .Release.Name }}' + app.kubernetes.io/component: controller + topologyKey: topology.kubernetes.io/zone + maxSkew: 1 + whenUnsatisfiable: ScheduleAnyway + - labelSelector: + matchLabels: + app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}' + app.kubernetes.io/instance: '{{ .Release.Name }}' + app.kubernetes.io/component: controller + topologyKey: kubernetes.io/hostname + maxSkew: 1 + whenUnsatisfiable: ScheduleAnyway # -- `terminationGracePeriodSeconds` to avoid killing pods before we are ready ## wait up to five minutes for the drain of connections 
@@ -361,12 +367,12 @@ controller: # -- Annotations to be added to controller pods ## podAnnotations: {} - replicaCount: 1 + replicaCount: 2 # -- Minimum available pods set in PodDisruptionBudget. # Define either 'minAvailable' or 'maxUnavailable', never both. - minAvailable: 1 + # minAvailable: 1 # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. - # maxUnavailable: 1 + maxUnavailable: "25%" ## Define requests resources to avoid probe issues due to CPU utilization in busy nodes ## ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903 @@ -377,16 +383,16 @@ controller: ## cpu: 100m ## memory: 90Mi requests: - cpu: 100m - memory: 90Mi + cpu: 250m + memory: 500Mi # Mutually exclusive with keda autoscaling autoscaling: - enabled: false + enabled: true annotations: {} - minReplicas: 1 - maxReplicas: 11 - targetCPUUtilizationPercentage: 50 - targetMemoryUtilizationPercentage: 50 + minReplicas: 2 + maxReplicas: 20 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: 80 behavior: {} # scaleDown: # stabilizationWindowSeconds: 300 @@ -470,6 +476,15 @@ controller: annotations: {} # -- Labels to be added to both controller services. labels: {} + externalDNS: + # -- Add ExternalDNS annotations or not. + enabled: true + # -- Annotation used so assign the external controller service to a specific ExternalDNS instance. + annotation: "giantswarm.io/external-dns: managed" + # -- Defines the sub-domain prepended to the base domain in the FQDN of the external controller service reconciled by ExternalDNS. + subdomain: ingress + # -- Makes the external controller service public or not. Adds annotations for making it internal if disabled. + public: true # -- Type of the external controller service. # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types type: LoadBalancer 
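Review bot: The `externalDNS.annotation` comment has a typo and is too narrow: `# -- Annotation used so assign the external controller service to a specific ExternalDNS instance.` should read `# -- Annotation used to assign the controller services to a specific ExternalDNS instance.`, because the controller-service-internal.yaml hunk applies the same value to the internal service. With `enabled: true` and `public: true` as defaults, a DNS record for `ingress.<baseDomain>` is published on every install without further opt-in; that is presumably intended, but a sentence on `enabled` saying so would save operators a surprise.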
@@ -494,7 +509,7 @@ controller: # -- External traffic policy of the external controller service. Set to "Local" to preserve source IP on providers supporting it. # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - externalTrafficPolicy: "" + externalTrafficPolicy: Local # -- Session affinity of the external controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". # Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity sessionAffinity: "" @@ -549,6 +564,8 @@ controller: # -- Annotations to be added to the internal controller service. Mandatory for the internal controller service to be created. Varies with the cloud service. # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer annotations: {} + # -- Defines the sub-domain prepended to the base domain in the FQDN of the internal controller service reconciled by ExternalDNS. + subdomain: ingress-internal # -- Type of the internal controller service. # Defaults to the value of `controller.service.type`. # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types @@ -574,7 +591,7 @@ controller: # -- External traffic policy of the internal controller service. Set to "Local" to preserve source IP on providers supporting it. # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - externalTrafficPolicy: "" + externalTrafficPolicy: Local # -- Session affinity of the internal controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". # Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity sessionAffinity: "" 
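Review bot: The context line above the new `subdomain` key still says the internal annotations are "Mandatory for the internal controller service to be created", but the controller-service-internal.yaml hunk removes that condition: the service is now created whenever `internal.enabled` is true and the provider-specific annotations are generated by the template. Update it, e.g. `# -- Extra annotations for the internal controller service. Provider-specific internal load balancer annotations are added automatically based on \`provider\`.`. The new `subdomain` comment should also say it is only used when `controller.service.externalDNS.enabled` is true and `baseDomain` is set.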
@@ -700,13 +717,13 @@ controller: enabled: false name: opentelemetry image: - registry: registry.k8s.io - image: ingress-nginx/opentelemetry + # registry: registry.k8s.io + image: giantswarm/ingress-nginx-opentelemetry ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: tag: "v20230721-3e2062ee5" - digest: sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472 + digest: "" distroless: true containerSecurityContext: runAsNonRoot: true @@ -794,13 +811,13 @@ controller: patch: enabled: true image: - registry: registry.k8s.io - image: ingress-nginx/kube-webhook-certgen + # registry: registry.k8s.io + image: giantswarm/ingress-nginx-kube-webhook-certgen ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: tag: v1.4.0 - digest: sha256:44d1d0e9f19c63f58b380c5fddaca7cf22c7cee564adeff365225a5df5ef3334 + digest: "" pullPolicy: IfNotPresent # -- Provide a priority class name to the webhook patching job ## @@ -809,7 +826,7 @@ controller: # NetworkPolicy for webhook patch networkPolicy: # -- Enable 'networkPolicy' or not - enabled: false + enabled: true nodeSelector: kubernetes.io/os: linux tolerations: [] @@ -834,7 +851,7 @@ controller: port: 10254 portName: metrics # if this port is changed, change healthz-port: in extraArgs: accordingly - enabled: false + enabled: true service: annotations: {} # prometheus.io/scrape: "true" @@ -854,7 +871,7 @@ controller: # externalTrafficPolicy: "" # nodePort: "" serviceMonitor: - enabled: false + enabled: true additionalLabels: {} annotations: {} ## The label to use to retrieve the job name from. 
@@ -869,7 +886,11 @@ controller: # honorLabels: true targetLabels: [] relabelings: [] - metricRelabelings: [] + metricRelabelings: + - sourceLabels: + - __name__ + regex: nginx_ingress_controller_(bytes_sent_bucket|request_size_bucket|response_duration_seconds_bucket|response_size_bucket|request_duration_seconds_count|connect_duration_seconds_bucket|header_duration_seconds_bucket|bytes_sent_count|request_duration_seconds_sum|bytes_sent_sum|request_size_count|response_size_count|response_duration_seconds_sum|response_duration_seconds_count|ingress_upstream_latency_seconds|ingress_upstream_latency_seconds_sum|ingress_upstream_latency_seconds_count) + action: drop prometheusRule: enabled: false additionalLabels: {} @@ -936,8 +957,8 @@ defaultBackend: enabled: false name: defaultbackend image: - registry: registry.k8s.io - image: defaultbackend-amd64 + # registry: registry.k8s.io + image: giantswarm/defaultbackend ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: @@ -1056,7 +1077,7 @@ defaultBackend: # NetworkPolicy for default backend component. networkPolicy: # -- Enable 'networkPolicy' or not - enabled: false + enabled: true service: annotations: {} # clusterIP: "" @@ -1079,7 +1100,7 @@ rbac: ## If true, create & use Pod Security Policy resources ## https://kubernetes.io/docs/concepts/policy/pod-security-policy/ podSecurityPolicy: - enabled: false + enabled: true serviceAccount: create: true name: "" 
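Review bot: The new `metricRelabelings` drop rule is an unexplained regex of roughly 400 characters; a maintainer cannot tell which series are kept on purpose (for instance `nginx_ingress_controller_request_duration_seconds_bucket` is absent from the list while its `_sum` and `_count` are dropped). Add a comment above the rule naming the selection and its effect, e.g. `# -- Drop nginx_ingress_controller_* histogram and counter series that are not needed; request_duration_seconds_bucket is kept so latency quantiles and request counts (via the +Inf bucket) stay available.`, and split the regex into a YAML block scalar with one alternative per line so future additions are visible in review.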
@@ -1110,3 +1131,27 @@ portNamePrefix: "" # This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` ## Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param dhParam: "" + +# -- Deprecated, use `controller.config` instead. +configmap: {} + +# Below are configuration values that you should not overwrite or set yourself. + +global: + podSecurityStandards: + # -- Wether Pod Security Standards are being used or not. + # This value is set automatically. Do not overwrite it. + enforced: false + +image: + # -- Registry host to pull images from. + # This value is set automatically. Do not overwrite it. + registry: gsoci.azurecr.io + +# -- Domain of the service's FQDN. +# This value is set automatically. Do not overwrite it. +baseDomain: "" + +# -- Provider the cluster is running on. +# This value is set automatically. Do not overwrite it. +provider: aws
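Review bot: `provider: aws` is documented as set automatically and not to be overwritten, yet it carries a live default, so a chart rendered outside the platform silently gets the AWS behaviour: `use-proxy-protocol: "true"` in the controller configmap and the `aws-load-balancer-*` annotations on both services, which breaks plain clients behind a load balancer that does not send the PROXY header. An empty default, `provider: ""`, fails safe because none of the `eq .Values.provider` branches match and no provider-specific configuration is emitted. Also `# -- Wether Pod Security Standards are being used or not.` should read `# -- Whether Pod Security Standards are being enforced or not.`, matching the key name `enforced`.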