Chart: Implement Giant Swarm changes.

This commit is contained in:
Marco Ebert 2024-03-26 15:07:52 +01:00
parent aedb13c9fa
commit 0fd85b8c81
18 changed files with 205 additions and 101 deletions


@ -233,7 +233,9 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| Key | Type | Default | Description | | Key | Type | Default | Description |
|-----|------|---------|-------------| |-----|------|---------|-------------|
| baseDomain | string | `""` | Domain of the service's FQDN. This value is set automatically. Do not overwrite it. |
| commonLabels | object | `{}` | | | commonLabels | object | `{}` | |
| configmap | object | `{}` | Deprecated, use `controller.config` instead. |
| controller.addHeaders | object | `{}` | Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers | | controller.addHeaders | object | `{}` | Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers |
| controller.admissionWebhooks.annotations | object | `{}` | | | controller.admissionWebhooks.annotations | object | `{}` | |
| controller.admissionWebhooks.certManager.admissionCert.duration | string | `""` | | | controller.admissionWebhooks.certManager.admissionCert.duration | string | `""` | |
@ -253,13 +255,12 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.admissionWebhooks.namespaceSelector | object | `{}` | | | controller.admissionWebhooks.namespaceSelector | object | `{}` | |
| controller.admissionWebhooks.objectSelector | object | `{}` | | | controller.admissionWebhooks.objectSelector | object | `{}` | |
| controller.admissionWebhooks.patch.enabled | bool | `true` | | | controller.admissionWebhooks.patch.enabled | bool | `true` | |
| controller.admissionWebhooks.patch.image.digest | string | `"sha256:44d1d0e9f19c63f58b380c5fddaca7cf22c7cee564adeff365225a5df5ef3334"` | | | controller.admissionWebhooks.patch.image.digest | string | `""` | |
| controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | | | controller.admissionWebhooks.patch.image.image | string | `"giantswarm/ingress-nginx-kube-webhook-certgen"` | |
| controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | | | controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | |
| controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` | |
| controller.admissionWebhooks.patch.image.tag | string | `"v1.4.0"` | | | controller.admissionWebhooks.patch.image.tag | string | `"v1.4.0"` | |
| controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources | | controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources |
| controller.admissionWebhooks.patch.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | | controller.admissionWebhooks.patch.networkPolicy.enabled | bool | `true` | Enable 'networkPolicy' or not |
| controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | | | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | |
| controller.admissionWebhooks.patch.podAnnotations | object | `{}` | | | controller.admissionWebhooks.patch.podAnnotations | object | `{}` | |
| controller.admissionWebhooks.patch.priorityClassName | string | `""` | Provide a priority class name to the webhook patching job # | | controller.admissionWebhooks.patch.priorityClassName | string | `""` | Provide a priority class name to the webhook patching job # |
@ -279,13 +280,15 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.annotations | object | `{}` | Annotations to be added to the controller Deployment or DaemonSet # | | controller.annotations | object | `{}` | Annotations to be added to the controller Deployment or DaemonSet # |
| controller.autoscaling.annotations | object | `{}` | | | controller.autoscaling.annotations | object | `{}` | |
| controller.autoscaling.behavior | object | `{}` | | | controller.autoscaling.behavior | object | `{}` | |
| controller.autoscaling.enabled | bool | `false` | | | controller.autoscaling.enabled | bool | `true` | |
| controller.autoscaling.maxReplicas | int | `11` | | | controller.autoscaling.maxReplicas | int | `20` | |
| controller.autoscaling.minReplicas | int | `1` | | | controller.autoscaling.minReplicas | int | `2` | |
| controller.autoscaling.targetCPUUtilizationPercentage | int | `50` | | | controller.autoscaling.targetCPUUtilizationPercentage | int | `80` | |
| controller.autoscaling.targetMemoryUtilizationPercentage | int | `50` | | | controller.autoscaling.targetMemoryUtilizationPercentage | int | `80` | |
| controller.autoscalingTemplate | list | `[]` | | | controller.autoscalingTemplate | list | `[]` | |
| controller.config | object | `{}` | Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ | | controller.config | object | `{"hsts":"false","strict-validate-path-type":"true"}` | Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ |
| controller.config.hsts | string | `"false"` | Enable HSTS or not. Disabled by default due to possible serious consequences. Ref: https://github.com/kubernetes/ingress-nginx/issues/549 |
| controller.config.strict-validate-path-type | string | `"true"` | Enable strict path type validation or not. Enabled by default for security reasons. Ref: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#strict-validate-path-type |
| controller.configAnnotations | object | `{}` | Annotations to be added to the controller config configuration configmap. | | controller.configAnnotations | object | `{}` | Annotations to be added to the controller config configuration configmap. |
| controller.configMapNamespace | string | `""` | Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE) | | controller.configMapNamespace | string | `""` | Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE) |
| controller.containerName | string | `"controller"` | Configures the controller container name | | controller.containerName | string | `"controller"` | Configures the controller container name |
@ -297,7 +300,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.dnsConfig | object | `{}` | Optionally customize the pod dnsConfig. | | controller.dnsConfig | object | `{}` | Optionally customize the pod dnsConfig. |
| controller.dnsPolicy | string | `"ClusterFirst"` | Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. | | controller.dnsPolicy | string | `"ClusterFirst"` | Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. |
| controller.electionID | string | `""` | Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' | | controller.electionID | string | `""` | Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' |
| controller.enableAnnotationValidations | bool | `false` | | | controller.enableAnnotationValidations | bool | `true` | |
| controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # | | controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # |
| controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto" Defaults to false | | controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto" Defaults to false |
| controller.existingPsp | string | `""` | Use an existing PSP instead of creating one | | controller.existingPsp | string | `""` | Use an existing PSP instead of creating one |
@ -318,12 +321,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.hostname | object | `{}` | Optionally customize the pod hostname. | | controller.hostname | object | `{}` | Optionally customize the pod hostname. |
| controller.image.allowPrivilegeEscalation | bool | `false` | | | controller.image.allowPrivilegeEscalation | bool | `false` | |
| controller.image.chroot | bool | `false` | | | controller.image.chroot | bool | `false` | |
| controller.image.digest | string | `"sha256:42b3f0e5d0846876b1791cd3afeb5f1cbbe4259d6f35651dcc1b5c980925379c"` | | | controller.image.digest | string | `""` | |
| controller.image.digestChroot | string | `"sha256:7eb46ff733429e0e46892903c7394aff149ac6d284d92b3946f3baf7ff26a096"` | | | controller.image.digestChroot | string | `""` | |
| controller.image.image | string | `"ingress-nginx/controller"` | | | controller.image.image | string | `"giantswarm/ingress-nginx-controller"` | |
| controller.image.pullPolicy | string | `"IfNotPresent"` | | | controller.image.pullPolicy | string | `"IfNotPresent"` | |
| controller.image.readOnlyRootFilesystem | bool | `false` | | | controller.image.readOnlyRootFilesystem | bool | `false` | |
| controller.image.registry | string | `"registry.k8s.io"` | |
| controller.image.runAsNonRoot | bool | `true` | | | controller.image.runAsNonRoot | bool | `true` | |
| controller.image.runAsUser | int | `101` | | | controller.image.runAsUser | int | `101` | |
| controller.image.seccompProfile.type | string | `"RuntimeDefault"` | | | controller.image.seccompProfile.type | string | `"RuntimeDefault"` | |
@ -358,8 +360,9 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.livenessProbe.periodSeconds | int | `10` | | | controller.livenessProbe.periodSeconds | int | `10` | |
| controller.livenessProbe.successThreshold | int | `1` | | | controller.livenessProbe.successThreshold | int | `1` | |
| controller.livenessProbe.timeoutSeconds | int | `1` | | | controller.livenessProbe.timeoutSeconds | int | `1` | |
| controller.maxUnavailable | string | `"25%"` | Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. |
| controller.maxmindLicenseKey | string | `""` | Maxmind license key to download GeoLite2 Databases. # https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases | | controller.maxmindLicenseKey | string | `""` | Maxmind license key to download GeoLite2 Databases. # https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases |
| controller.metrics.enabled | bool | `false` | | | controller.metrics.enabled | bool | `true` | |
| controller.metrics.port | int | `10254` | | | controller.metrics.port | int | `10254` | |
| controller.metrics.portName | string | `"metrics"` | | | controller.metrics.portName | string | `"metrics"` | |
| controller.metrics.prometheusRule.additionalLabels | object | `{}` | | | controller.metrics.prometheusRule.additionalLabels | object | `{}` | |
@ -373,17 +376,18 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.metrics.service.type | string | `"ClusterIP"` | | | controller.metrics.service.type | string | `"ClusterIP"` | |
| controller.metrics.serviceMonitor.additionalLabels | object | `{}` | | | controller.metrics.serviceMonitor.additionalLabels | object | `{}` | |
| controller.metrics.serviceMonitor.annotations | object | `{}` | | | controller.metrics.serviceMonitor.annotations | object | `{}` | |
| controller.metrics.serviceMonitor.enabled | bool | `false` | | | controller.metrics.serviceMonitor.enabled | bool | `true` | |
| controller.metrics.serviceMonitor.metricRelabelings | list | `[]` | | | controller.metrics.serviceMonitor.metricRelabelings[0].action | string | `"drop"` | |
| controller.metrics.serviceMonitor.metricRelabelings[0].regex | string | `"nginx_ingress_controller_(bytes_sent_bucket|request_size_bucket|response_duration_seconds_bucket|response_size_bucket|request_duration_seconds_count|connect_duration_seconds_bucket|header_duration_seconds_bucket|bytes_sent_count|request_duration_seconds_sum|bytes_sent_sum|request_size_count|response_size_count|response_duration_seconds_sum|response_duration_seconds_count|ingress_upstream_latency_seconds|ingress_upstream_latency_seconds_sum|ingress_upstream_latency_seconds_count)"` | |
| controller.metrics.serviceMonitor.metricRelabelings[0].sourceLabels[0] | string | `"__name__"` | |
| controller.metrics.serviceMonitor.namespace | string | `""` | | | controller.metrics.serviceMonitor.namespace | string | `""` | |
| controller.metrics.serviceMonitor.namespaceSelector | object | `{}` | | | controller.metrics.serviceMonitor.namespaceSelector | object | `{}` | |
| controller.metrics.serviceMonitor.relabelings | list | `[]` | | | controller.metrics.serviceMonitor.relabelings | list | `[]` | |
| controller.metrics.serviceMonitor.scrapeInterval | string | `"30s"` | | | controller.metrics.serviceMonitor.scrapeInterval | string | `"30s"` | |
| controller.metrics.serviceMonitor.targetLabels | list | `[]` | | | controller.metrics.serviceMonitor.targetLabels | list | `[]` | |
| controller.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. |
| controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # |
| controller.name | string | `"controller"` | | | controller.name | string | `"controller"` | |
| controller.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | | controller.networkPolicy.enabled | bool | `true` | Enable 'networkPolicy' or not |
| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # | | controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # |
| controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | | | controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | |
| controller.opentelemetry.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | | | controller.opentelemetry.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | |
@ -392,10 +396,9 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.opentelemetry.containerSecurityContext.runAsUser | int | `65532` | The image's default user, inherited from its base image `cgr.dev/chainguard/static`. | | controller.opentelemetry.containerSecurityContext.runAsUser | int | `65532` | The image's default user, inherited from its base image `cgr.dev/chainguard/static`. |
| controller.opentelemetry.containerSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | | | controller.opentelemetry.containerSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| controller.opentelemetry.enabled | bool | `false` | | | controller.opentelemetry.enabled | bool | `false` | |
| controller.opentelemetry.image.digest | string | `"sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472"` | | | controller.opentelemetry.image.digest | string | `""` | |
| controller.opentelemetry.image.distroless | bool | `true` | | | controller.opentelemetry.image.distroless | bool | `true` | |
| controller.opentelemetry.image.image | string | `"ingress-nginx/opentelemetry"` | | | controller.opentelemetry.image.image | string | `"giantswarm/ingress-nginx-opentelemetry"` | |
| controller.opentelemetry.image.registry | string | `"registry.k8s.io"` | |
| controller.opentelemetry.image.tag | string | `"v20230721-3e2062ee5"` | | | controller.opentelemetry.image.tag | string | `"v20230721-3e2062ee5"` | |
| controller.opentelemetry.name | string | `"opentelemetry"` | | | controller.opentelemetry.name | string | `"opentelemetry"` | |
| controller.opentelemetry.resources | object | `{}` | | | controller.opentelemetry.resources | object | `{}` | |
@ -415,10 +418,10 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.readinessProbe.periodSeconds | int | `10` | | | controller.readinessProbe.periodSeconds | int | `10` | |
| controller.readinessProbe.successThreshold | int | `1` | | | controller.readinessProbe.successThreshold | int | `1` | |
| controller.readinessProbe.timeoutSeconds | int | `1` | | | controller.readinessProbe.timeoutSeconds | int | `1` | |
| controller.replicaCount | int | `1` | | | controller.replicaCount | int | `2` | |
| controller.reportNodeInternalIp | bool | `false` | Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network Ingress status was blank because there is no Service exposing the Ingress-Nginx Controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply | | controller.reportNodeInternalIp | bool | `false` | Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network Ingress status was blank because there is no Service exposing the Ingress-Nginx Controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply |
| controller.resources.requests.cpu | string | `"100m"` | | | controller.resources.requests.cpu | string | `"250m"` | |
| controller.resources.requests.memory | string | `"90Mi"` | | | controller.resources.requests.memory | string | `"500Mi"` | |
| controller.scope.enabled | bool | `false` | Enable 'scope' or not | | controller.scope.enabled | bool | `false` | Enable 'scope' or not |
| controller.scope.namespace | string | `""` | Namespace to limit the controller to; defaults to $(POD_NAMESPACE) | | controller.scope.namespace | string | `""` | Namespace to limit the controller to; defaults to $(POD_NAMESPACE) |
| controller.scope.namespaceSelector | string | `""` | When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces. | | controller.scope.namespaceSelector | string | `""` | When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces. |
@ -429,14 +432,16 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.service.enableHttps | bool | `true` | Enable the HTTPS listener on both controller services or not. | | controller.service.enableHttps | bool | `true` | Enable the HTTPS listener on both controller services or not. |
| controller.service.enabled | bool | `true` | Enable controller services or not. This does not influence the creation of either the admission webhook or the metrics service. | | controller.service.enabled | bool | `true` | Enable controller services or not. This does not influence the creation of either the admission webhook or the metrics service. |
| controller.service.external.enabled | bool | `true` | Enable the external controller service or not. Useful for internal-only deployments. | | controller.service.external.enabled | bool | `true` | Enable the external controller service or not. Useful for internal-only deployments. |
| controller.service.externalDNS.annotation | string | `"giantswarm.io/external-dns: managed"` | Annotation used so assign the external controller service to a specific ExternalDNS instance. |
| controller.service.externalDNS.enabled | bool | `true` | Add ExternalDNS annotations or not. |
| controller.service.externalIPs | list | `[]` | List of node IP addresses at which the external controller service is available. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips | | controller.service.externalIPs | list | `[]` | List of node IP addresses at which the external controller service is available. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips |
| controller.service.externalTrafficPolicy | string | `""` | External traffic policy of the external controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip | | controller.service.externalTrafficPolicy | string | `"Local"` | External traffic policy of the external controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip |
| controller.service.internal.annotations | object | `{}` | Annotations to be added to the internal controller service. Mandatory for the internal controller service to be created. Varies with the cloud service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer | | controller.service.internal.annotations | object | `{}` | Annotations to be added to the internal controller service. Mandatory for the internal controller service to be created. Varies with the cloud service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer |
| controller.service.internal.appProtocol | bool | `true` | Declare the app protocol of the internal HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol | | controller.service.internal.appProtocol | bool | `true` | Declare the app protocol of the internal HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol |
| controller.service.internal.clusterIP | string | `""` | Pre-defined cluster internal IP address of the internal controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address | | controller.service.internal.clusterIP | string | `""` | Pre-defined cluster internal IP address of the internal controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address |
| controller.service.internal.enabled | bool | `false` | Enable the internal controller service or not. Remember to configure `controller.service.internal.annotations` when enabling this. | | controller.service.internal.enabled | bool | `false` | Enable the internal controller service or not. Remember to configure `controller.service.internal.annotations` when enabling this. |
| controller.service.internal.externalIPs | list | `[]` | List of node IP addresses at which the internal controller service is available. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips | | controller.service.internal.externalIPs | list | `[]` | List of node IP addresses at which the internal controller service is available. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips |
| controller.service.internal.externalTrafficPolicy | string | `""` | External traffic policy of the internal controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip | | controller.service.internal.externalTrafficPolicy | string | `"Local"` | External traffic policy of the internal controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip |
| controller.service.internal.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the internal controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services | | controller.service.internal.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the internal controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
| controller.service.internal.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack capabilities of the internal controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. Fields `ipFamilies` and `clusterIP` depend on the value of this field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services | | controller.service.internal.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack capabilities of the internal controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. Fields `ipFamilies` and `clusterIP` depend on the value of this field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
| controller.service.internal.loadBalancerClass | string | `""` | Load balancer class of the internal controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class | | controller.service.internal.loadBalancerClass | string | `""` | Load balancer class of the internal controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class |
@ -448,6 +453,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.service.internal.nodePorts.udp | object | `{}` | Node port mapping for internal UDP listeners. If left empty, the service controller allocates them from the configured node port range. Example: udp: 53: 30053 | | controller.service.internal.nodePorts.udp | object | `{}` | Node port mapping for internal UDP listeners. If left empty, the service controller allocates them from the configured node port range. Example: udp: 53: 30053 |
| controller.service.internal.ports | object | `{}` | | | controller.service.internal.ports | object | `{}` | |
| controller.service.internal.sessionAffinity | string | `""` | Session affinity of the internal controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity | | controller.service.internal.sessionAffinity | string | `""` | Session affinity of the internal controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity |
| controller.service.internal.subdomain | string | `"ingress-internal"` | Defines the sub-domain prepended to the base domain in the FQDN of the internal controller service reconciled by ExternalDNS. |
| controller.service.internal.targetPorts | object | `{}` | | | controller.service.internal.targetPorts | object | `{}` | |
| controller.service.internal.type | string | `""` | Type of the internal controller service. Defaults to the value of `controller.service.type`. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types | | controller.service.internal.type | string | `""` | Type of the internal controller service. Defaults to the value of `controller.service.type`. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
| controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the external controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services | | controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the external controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
@ -462,7 +468,9 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.service.nodePorts.udp | object | `{}` | Node port mapping for external UDP listeners. If left empty, the service controller allocates them from the configured node port range. Example: udp: 53: 30053 | | controller.service.nodePorts.udp | object | `{}` | Node port mapping for external UDP listeners. If left empty, the service controller allocates them from the configured node port range. Example: udp: 53: 30053 |
| controller.service.ports.http | int | `80` | Port the external HTTP listener is published with. | | controller.service.ports.http | int | `80` | Port the external HTTP listener is published with. |
| controller.service.ports.https | int | `443` | Port the external HTTPS listener is published with. | | controller.service.ports.https | int | `443` | Port the external HTTPS listener is published with. |
| controller.service.public | bool | `true` | Makes the external controller service public or not. Adds annotations for making it internal if disabled. |
| controller.service.sessionAffinity | string | `""` | Session affinity of the external controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity | | controller.service.sessionAffinity | string | `""` | Session affinity of the external controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity |
| controller.service.subdomain | string | `"ingress"` | Defines the sub-domain prepended to the base domain in the FQDN of the external controller service reconciled by ExternalDNS. |
| controller.service.targetPorts.http | string | `"http"` | Port of the ingress controller the external HTTP listener is mapped to. | | controller.service.targetPorts.http | string | `"http"` | Port of the ingress controller the external HTTP listener is mapped to. |
| controller.service.targetPorts.https | string | `"https"` | Port of the ingress controller the external HTTPS listener is mapped to. | | controller.service.targetPorts.https | string | `"https"` | Port of the ingress controller the external HTTPS listener is mapped to. |
| controller.service.type | string | `"LoadBalancer"` | Type of the external controller service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types | | controller.service.type | string | `"LoadBalancer"` | Type of the external controller service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
@ -472,7 +480,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.tcp.configMapNamespace | string | `""` | Allows customization of the tcp-services-configmap; defaults to $(POD_NAMESPACE) | | controller.tcp.configMapNamespace | string | `""` | Allows customization of the tcp-services-configmap; defaults to $(POD_NAMESPACE) |
| controller.terminationGracePeriodSeconds | int | `300` | `terminationGracePeriodSeconds` to avoid killing pods before we are ready # wait up to five minutes for the drain of connections # | | controller.terminationGracePeriodSeconds | int | `300` | `terminationGracePeriodSeconds` to avoid killing pods before we are ready # wait up to five minutes for the drain of connections # |
| controller.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ # | | controller.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ # |
| controller.topologySpreadConstraints | list | `[]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. # Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ # | | controller.topologySpreadConstraints | list | `[{"labelSelector":{"matchLabels":{"app.kubernetes.io/component":"controller","app.kubernetes.io/instance":"{{ .Release.Name }}","app.kubernetes.io/name":"{{ include \"ingress-nginx.name\" . }}"}},"maxSkew":1,"topologyKey":"topology.kubernetes.io/zone","whenUnsatisfiable":"ScheduleAnyway"},{"labelSelector":{"matchLabels":{"app.kubernetes.io/component":"controller","app.kubernetes.io/instance":"{{ .Release.Name }}","app.kubernetes.io/name":"{{ include \"ingress-nginx.name\" . }}"}},"maxSkew":1,"topologyKey":"kubernetes.io/hostname","whenUnsatisfiable":"ScheduleAnyway"}]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. # Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ # |
| controller.udp.annotations | object | `{}` | Annotations to be added to the udp config configmap | | controller.udp.annotations | object | `{}` | Annotations to be added to the udp config configmap |
| controller.udp.configMapNamespace | string | `""` | Allows customization of the udp-services-configmap; defaults to $(POD_NAMESPACE) | | controller.udp.configMapNamespace | string | `""` | Allows customization of the udp-services-configmap; defaults to $(POD_NAMESPACE) |
| controller.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # | | controller.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # |
@ -493,10 +501,9 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| defaultBackend.extraVolumeMounts | list | `[]` | | | defaultBackend.extraVolumeMounts | list | `[]` | |
| defaultBackend.extraVolumes | list | `[]` | | | defaultBackend.extraVolumes | list | `[]` | |
| defaultBackend.image.allowPrivilegeEscalation | bool | `false` | | | defaultBackend.image.allowPrivilegeEscalation | bool | `false` | |
| defaultBackend.image.image | string | `"defaultbackend-amd64"` | | | defaultBackend.image.image | string | `"giantswarm/defaultbackend"` | |
| defaultBackend.image.pullPolicy | string | `"IfNotPresent"` | | | defaultBackend.image.pullPolicy | string | `"IfNotPresent"` | |
| defaultBackend.image.readOnlyRootFilesystem | bool | `true` | | | defaultBackend.image.readOnlyRootFilesystem | bool | `true` | |
| defaultBackend.image.registry | string | `"registry.k8s.io"` | |
| defaultBackend.image.runAsNonRoot | bool | `true` | | | defaultBackend.image.runAsNonRoot | bool | `true` | |
| defaultBackend.image.runAsUser | int | `65534` | | | defaultBackend.image.runAsUser | int | `65534` | |
| defaultBackend.image.seccompProfile.type | string | `"RuntimeDefault"` | | | defaultBackend.image.seccompProfile.type | string | `"RuntimeDefault"` | |
@ -510,7 +517,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| defaultBackend.minAvailable | int | `1` | | | defaultBackend.minAvailable | int | `1` | |
| defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # |
| defaultBackend.name | string | `"defaultbackend"` | | | defaultBackend.name | string | `"defaultbackend"` | |
| defaultBackend.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | | defaultBackend.networkPolicy.enabled | bool | `true` | Enable 'networkPolicy' or not |
| defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # | | defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # |
| defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods # | | defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods # |
| defaultBackend.podLabels | object | `{}` | Labels to add to the pod container metadata | | defaultBackend.podLabels | object | `{}` | Labels to add to the pod container metadata |
@ -535,10 +542,13 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| defaultBackend.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ # | | defaultBackend.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ # |
| defaultBackend.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # | | defaultBackend.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # |
| dhParam | string | `""` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param | | dhParam | string | `""` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param |
| global.podSecurityStandards.enforced | bool | `false` | Wether Pod Security Standards are being used or not. This value is set automatically. Do not overwrite it. |
| image.registry | string | `"gsoci.azurecr.io"` | Registry host to pull images from. This value is set automatically. Do not overwrite it. |
| imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | | imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ |
| namespaceOverride | string | `""` | Override the deployment namespace; defaults to .Release.Namespace | | namespaceOverride | string | `""` | Override the deployment namespace; defaults to .Release.Namespace |
| podSecurityPolicy.enabled | bool | `false` | | | podSecurityPolicy.enabled | bool | `true` | |
| portNamePrefix | string | `""` | Prefix for TCP and UDP ports names in ingress controller service # Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration | | portNamePrefix | string | `""` | Prefix for TCP and UDP ports names in ingress controller service # Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration |
| provider | string | `"aws"` | Provider the cluster is running on. This value is set automatically. Do not overwrite it. |
| rbac.create | bool | `true` | | | rbac.create | bool | `true` | |
| rbac.scope | bool | `false` | | | rbac.scope | bool | `false` | |
| revisionHistoryLimit | int | `10` | Rollback limit # | | revisionHistoryLimit | int | `10` | Rollback limit # |


@ -135,6 +135,8 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }} {{- end }}
app.kubernetes.io/part-of: {{ template "ingress-nginx.name" . }} app.kubernetes.io/part-of: {{ template "ingress-nginx.name" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/managed-by: {{ .Release.Service }}
giantswarm.io/service-type: managed
application.giantswarm.io/team: {{ index .Chart.Annotations "application.giantswarm.io/team" | quote }}
{{- if .Values.commonLabels}} {{- if .Values.commonLabels}}
{{ toYaml .Values.commonLabels }} {{ toYaml .Values.commonLabels }}
{{- end }} {{- end }}
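Review bot: The new line `application.giantswarm.io/team: {{ index .Chart.Annotations "application.giantswarm.io/team" | quote }}` renders an empty label value when Chart.yaml carries no such annotation; the API server accepts an empty label value, so a mis-packaged chart silently loses the ownership label on every resource that includes these labels. Failing at render time is safer: `application.giantswarm.io/team: {{ required "Chart annotation application.giantswarm.io/team is missing" (index .Chart.Annotations "application.giantswarm.io/team") | quote }}`. The enclosing `ingress-nginx.labels` definition starts outside the hunk.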


@ -20,7 +20,7 @@ rules:
verbs: verbs:
- get - get
- update - update
{{- if .Values.podSecurityPolicy.enabled }} {{- if and .Values.podSecurityPolicy.enabled (not .Values.global.podSecurityStandards.enforced) }}
- apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}] - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}]
resources: ['podsecuritypolicies'] resources: ['podsecuritypolicies']
verbs: ['use'] verbs: ['use']
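Review bot: The gate `{{- if and .Values.podSecurityPolicy.enabled (not .Values.global.podSecurityStandards.enforced) }}` is now spelled out verbatim in seven templates in this commit (this rule, the controller's matching rule, and the PodSecurityPolicy, Role and RoleBinding templates for the admission webhook, controller and default backend), so any future change to the policy decision has to be repeated in each one. A named helper, e.g. `{{- define "ingress-nginx.podSecurityPolicy.enabled" -}}{{ and .Values.podSecurityPolicy.enabled (not .Values.global.podSecurityStandards.enforced) }}{{- end }}`, used as `{{- if eq (include "ingress-nginx.podSecurityPolicy.enabled" .) "true" }}`, keeps the decision in one place. The `rules:` list this hunk belongs to starts outside the hunk, so I cannot tell whether this `use` rule is also behind the `semverCompare "<1.25.0-0"` check the PodSecurityPolicy templates have.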


@ -42,7 +42,7 @@ spec:
{{- end }} {{- end }}
containers: containers:
- name: create - name: create
{{- with .Values.controller.admissionWebhooks.patch.image }} {{- with (merge .Values.controller.admissionWebhooks.patch.image .Values.image) }}
image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }} image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }}
{{- end }} {{- end }}
imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }} imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
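Review bot: Sprig's `merge` writes into its first argument, so `{{- with (merge .Values.controller.admissionWebhooks.patch.image .Values.image) }}` mutates `.Values.controller.admissionWebhooks.patch.image` for the rest of the render instead of producing a fresh map; the same pattern is used in the patch job, both controller workloads (including the `extraModules` and `opentelemetry` dict arguments) and the default backend deployment. It works today because each call merges the same `.Values.image` into a different target, but any later template reading the unmerged map will find `registry` already injected; `merge (deepCopy .Values.controller.admissionWebhooks.patch.image) .Values.image` gives the same result without the side effect. Note that `merge` keeps keys already present in the target, so an image-level `registry` still wins over `image.registry`, which is presumably the intended precedence. Separately, the values hunk in this commit sets `digest: ""`, so the `{{ if .digest }}@{{ .digest }}{{ end }}` suffix on the image line no longer renders and images are now pulled by mutable tag only; if the private registry mirrors these images, re-pinning their digests in values would restore the immutable reference.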


@ -42,7 +42,7 @@ spec:
{{- end }} {{- end }}
containers: containers:
- name: patch - name: patch
{{- with .Values.controller.admissionWebhooks.patch.image }} {{- with (merge .Values.controller.admissionWebhooks.patch.image .Values.image) }}
image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }} image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }}
{{- end }} {{- end }}
imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }} imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}


@ -1,5 +1,5 @@
{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} {{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
{{- if and .Values.podSecurityPolicy.enabled .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}} {{- if and .Values.podSecurityPolicy.enabled (not .Values.global.podSecurityStandards.enforced) .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}}
apiVersion: policy/v1beta1 apiVersion: policy/v1beta1
kind: PodSecurityPolicy kind: PodSecurityPolicy
metadata: metadata:


@ -23,6 +23,9 @@ data:
{{- if .Values.dhParam }} {{- if .Values.dhParam }}
ssl-dh-param: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.controller.fullname" . }} ssl-dh-param: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.controller.fullname" . }}
{{- end }} {{- end }}
{{- range $key, $value := .Values.controller.config }} {{- range $key, $value := merge .Values.controller.config .Values.configmap }}
{{- $key | nindent 2 }}: {{ $value | quote }} {{- $key | nindent 2 }}: {{ $value | quote }}
{{- end }} {{- end }}
{{- if and (or (eq .Values.provider "aws") (eq .Values.provider "capa")) (not (index .Values.controller.config "use-proxy-protocol")) }}
use-proxy-protocol: "true"
{{- end }}
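Review bot: The new guard `{{- if and (or (eq .Values.provider "aws") (eq .Values.provider "capa")) (not (index .Values.controller.config "use-proxy-protocol")) }}` reads only `controller.config`, whereas both Service templates in this commit decide the `aws-load-balancer-proxy-protocol` annotation from `merge .Values.controller.config .Values.configmap`; it only sees a `use-proxy-protocol` supplied through the deprecated `configmap` because the `merge` on the `range` line above happens to mutate `controller.config` in place. Computing the merged map once, `{{- $config := merge .Values.controller.config .Values.configmap }}` at the top of the template, and using `index $config "use-proxy-protocol"` here makes that dependency explicit. The coupling matters: nginx with proxy protocol enabled expects a PROXY header on every connection and rejects plain ones as broken headers, so the configmap value and the Service annotations must always be derived from the same source of truth.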


@ -6,6 +6,7 @@ metadata:
labels: labels:
{{- include "ingress-nginx.labels" . | nindent 4 }} {{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: controller app.kubernetes.io/component: controller
giantswarm.io/monitoring_basic_sli: "true"
{{- with .Values.controller.labels }} {{- with .Values.controller.labels }}
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
@ -76,7 +77,7 @@ spec:
{{- end }} {{- end }}
containers: containers:
- name: {{ .Values.controller.containerName }} - name: {{ .Values.controller.containerName }}
{{- with .Values.controller.image }} {{- with (merge .Values.controller.image .Values.image) }}
image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }} image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}
{{- end }} {{- end }}
imagePullPolicy: {{ .Values.controller.image.pullPolicy }} imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
@ -183,13 +184,13 @@ spec:
{{- if .Values.controller.extraModules }} {{- if .Values.controller.extraModules }}
{{- range .Values.controller.extraModules }} {{- range .Values.controller.extraModules }}
{{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} {{- include "extraModules" (dict "name" .name "image" (merge .image $.Values.image) "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if .Values.controller.opentelemetry.enabled }} {{- if .Values.controller.opentelemetry.enabled }}
{{- with .Values.controller.opentelemetry }} {{- with .Values.controller.opentelemetry }}
{{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} {{- include "extraModules" (dict "name" .name "image" (merge .image $.Values.image) "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}


@ -6,6 +6,7 @@ metadata:
labels: labels:
{{- include "ingress-nginx.labels" . | nindent 4 }} {{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: controller app.kubernetes.io/component: controller
giantswarm.io/monitoring_basic_sli: "true"
{{- with .Values.controller.labels }} {{- with .Values.controller.labels }}
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
@ -79,7 +80,7 @@ spec:
{{- end }} {{- end }}
containers: containers:
- name: {{ .Values.controller.containerName }} - name: {{ .Values.controller.containerName }}
{{- with .Values.controller.image }} {{- with (merge .Values.controller.image .Values.image) }}
image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }} image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}
{{- end }} {{- end }}
imagePullPolicy: {{ .Values.controller.image.pullPolicy }} imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
@ -186,13 +187,13 @@ spec:
{{- if .Values.controller.extraModules }} {{- if .Values.controller.extraModules }}
{{- range .Values.controller.extraModules }} {{- range .Values.controller.extraModules }}
{{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} {{- include "extraModules" (dict "name" .name "image" (merge .image $.Values.image) "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if .Values.controller.opentelemetry.enabled }} {{- if .Values.controller.opentelemetry.enabled }}
{{- with .Values.controller.opentelemetry }} {{- with .Values.controller.opentelemetry }}
{{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} {{- include "extraModules" (dict "name" .name "image" (merge .image $.Values.image) "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}


@ -1,5 +1,5 @@
{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} {{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
{{- if and .Values.podSecurityPolicy.enabled (empty .Values.controller.existingPsp) -}} {{- if and .Values.podSecurityPolicy.enabled (not .Values.global.podSecurityStandards.enforced) (empty .Values.controller.existingPsp) -}}
apiVersion: policy/v1beta1 apiVersion: policy/v1beta1
kind: PodSecurityPolicy kind: PodSecurityPolicy
metadata: metadata:


@ -91,7 +91,7 @@ rules:
- list - list
- watch - watch
- get - get
{{- if .Values.podSecurityPolicy.enabled }} {{- if and .Values.podSecurityPolicy.enabled (not .Values.global.podSecurityStandards.enforced) }}
- apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}] - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}]
resources: ['podsecuritypolicies'] resources: ['podsecuritypolicies']
verbs: ['use'] verbs: ['use']


@ -1,4 +1,4 @@
{{- if and .Values.controller.service.enabled .Values.controller.service.internal.enabled .Values.controller.service.internal.annotations -}} {{- if and .Values.controller.service.enabled .Values.controller.service.internal.enabled -}}
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
@ -6,6 +6,25 @@ metadata:
{{- range $key, $value := .Values.controller.service.internal.annotations }} {{- range $key, $value := .Values.controller.service.internal.annotations }}
{{ $key }}: {{ tpl ($value | toString) $ | quote }} {{ $key }}: {{ tpl ($value | toString) $ | quote }}
{{- end }} {{- end }}
{{- if and .Values.controller.service.externalDNS.enabled .Values.baseDomain }}
external-dns.alpha.kubernetes.io/hostname: "{{ .Values.controller.service.internal.subdomain }}.{{ .Values.baseDomain }}"
{{- if .Values.controller.service.externalDNS.annotation }}
{{ .Values.controller.service.externalDNS.annotation }}
{{- end }}
{{- end }}
{{- if eq .Values.controller.service.type "LoadBalancer" }}
{{- if or (eq .Values.provider "aws") (eq .Values.provider "capa") }}
service.beta.kubernetes.io/aws-load-balancer-internal: "true"
{{- if ne (index (merge .Values.controller.config .Values.configmap) "use-proxy-protocol") "false" }}
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
{{- end }}
service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
{{- else if or (eq .Values.provider "azure") (eq .Values.provider "capz") }}
service.beta.kubernetes.io/azure-load-balancer-internal: "true"
{{- else if eq .Values.provider "cloud-director" }}
service.beta.kubernetes.io/vcloud-avi-ssl-no-termination: "true"
{{- end }}
{{- end }}
labels: labels:
{{- include "ingress-nginx.labels" . | nindent 4 }} {{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: controller app.kubernetes.io/component: controller
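Review bot: `{{ .Values.controller.service.externalDNS.annotation }}` splices a whole `key: value` line of YAML straight into `metadata.annotations`, so correctness depends on the value's indentation and on it being exactly one annotation; the external Service template in this commit does the same. A map value rendered the way the `internal.annotations` loop just above already handles user-supplied annotations, `{{- with .Values.controller.service.externalDNS.annotations }}{{- toYaml . | nindent 4 }}{{- end }}` (indent matched to the surrounding annotations) with `annotations: {giantswarm.io/external-dns: managed}` in values, keeps the annotation structured and allows more than one. The first hunk dropping `internal.annotations` from the render condition is consistent with the provider branches now supplying annotations themselves, but the hostname line relies on `controller.service.internal.subdomain`, which does not appear in the visible README table; please confirm it is defined in values so the FQDN cannot render with an empty first label.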


@ -6,6 +6,29 @@ metadata:
{{- range $key, $value := .Values.controller.service.annotations }} {{- range $key, $value := .Values.controller.service.annotations }}
{{ $key }}: {{ tpl ($value | toString) $ | quote }} {{ $key }}: {{ tpl ($value | toString) $ | quote }}
{{- end }} {{- end }}
{{- if and .Values.controller.service.externalDNS.enabled .Values.baseDomain }}
external-dns.alpha.kubernetes.io/hostname: "{{ .Values.controller.service.subdomain }}.{{ .Values.baseDomain }}"
{{- if .Values.controller.service.externalDNS.annotation }}
{{ .Values.controller.service.externalDNS.annotation }}
{{- end }}
{{- end }}
{{- if eq .Values.controller.service.type "LoadBalancer" }}
{{- if or (eq .Values.provider "aws") (eq .Values.provider "capa") }}
{{- if not .Values.controller.service.public }}
service.beta.kubernetes.io/aws-load-balancer-internal: "true"
{{- end }}
{{- if ne (index (merge .Values.controller.config .Values.configmap) "use-proxy-protocol") "false" }}
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
{{- end }}
service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
{{- else if or (eq .Values.provider "azure") (eq .Values.provider "capz") }}
{{- if not .Values.controller.service.public }}
service.beta.kubernetes.io/azure-load-balancer-internal: "true"
{{- end }}
{{- else if eq .Values.provider "cloud-director" }}
service.beta.kubernetes.io/vcloud-avi-ssl-no-termination: "true"
{{- end }}
{{- end }}
labels: labels:
{{- include "ingress-nginx.labels" . | nindent 4 }} {{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: controller app.kubernetes.io/component: controller
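Review bot: `{{- if not .Values.controller.service.public }}` only takes effect inside the aws/capa and azure/capz branches; on `cloud-director` or any other provider a user who sets `controller.service.public: false` still gets a public load balancer with no warning, which is exactly the case where a silent no-op becomes an exposure. Either fail the render, e.g. `{{- if and (not .Values.controller.service.public) (not (has .Values.provider (list "aws" "capa" "azure" "capz"))) }}{{ fail "controller.service.public=false is not supported on this provider" }}{{- end }}`, or state on the `public` value's comment that it is honoured only on those providers. The proxy-protocol annotation in the aws/capa branch mirrors the internal Service template and the configmap guard, which is the right place to keep those three in sync.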


@ -50,7 +50,7 @@ spec:
{{- end }} {{- end }}
containers: containers:
- name: {{ template "ingress-nginx.name" . }}-default-backend - name: {{ template "ingress-nginx.name" . }}-default-backend
{{- with .Values.defaultBackend.image }} {{- with (merge .Values.defaultBackend.image .Values.image) }}
image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }} image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }}
{{- end }} {{- end }}
imagePullPolicy: {{ .Values.defaultBackend.image.pullPolicy }} imagePullPolicy: {{ .Values.defaultBackend.image.pullPolicy }}


@ -1,5 +1,5 @@
{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} {{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
{{- if and .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled (empty .Values.defaultBackend.existingPsp) -}} {{- if and .Values.podSecurityPolicy.enabled (not .Values.global.podSecurityStandards.enforced) .Values.defaultBackend.enabled (empty .Values.defaultBackend.existingPsp) -}}
apiVersion: policy/v1beta1 apiVersion: policy/v1beta1
kind: PodSecurityPolicy kind: PodSecurityPolicy
metadata: metadata:


@ -1,4 +1,4 @@
{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}} {{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled (not .Values.global.podSecurityStandards.enforced) .Values.defaultBackend.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:


@ -1,4 +1,4 @@
{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled .Values.defaultBackend.enabled -}} {{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled (not .Values.global.podSecurityStandards.enforced) .Values.defaultBackend.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:


@ -17,18 +17,18 @@ commonLabels: {}
controller: controller:
name: controller name: controller
enableAnnotationValidations: false enableAnnotationValidations: true
image: image:
## Keep false as default for now! ## Keep false as default for now!
chroot: false chroot: false
registry: registry.k8s.io # registry: registry.k8s.io
image: ingress-nginx/controller image: giantswarm/ingress-nginx-controller
## for backwards compatibility consider setting the full image url via the repository value below ## for backwards compatibility consider setting the full image url via the repository value below
## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
## repository: ## repository:
tag: "v1.10.0" tag: "v1.10.0"
digest: sha256:42b3f0e5d0846876b1791cd3afeb5f1cbbe4259d6f35651dcc1b5c980925379c digest: ""
digestChroot: sha256:7eb46ff733429e0e46892903c7394aff149ac6d284d92b3946f3baf7ff26a096 digestChroot: ""
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
runAsNonRoot: true runAsNonRoot: true
# www-data -> uid 101 # www-data -> uid 101
@ -46,7 +46,13 @@ controller:
http: 80 http: 80
https: 443 https: 443
# -- Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ # -- Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/
config: {} config:
# -- Enable HSTS or not. Disabled by default due to possible serious consequences.
# Ref: https://github.com/kubernetes/ingress-nginx/issues/549
hsts: "false"
# -- Enable strict path type validation or not. Enabled by default for security reasons.
# Ref: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#strict-validate-path-type
strict-validate-path-type: "true"
# -- Annotations to be added to the controller config configuration configmap. # -- Annotations to be added to the controller config configuration configmap.
configAnnotations: {} configAnnotations: {}
# -- Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers # -- Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers
@ -107,7 +113,7 @@ controller:
# NetworkPolicy for controller component. # NetworkPolicy for controller component.
networkPolicy: networkPolicy:
# -- Enable 'networkPolicy' or not # -- Enable 'networkPolicy' or not
enabled: false enabled: true
# -- Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' # -- Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader'
electionID: "" electionID: ""
# -- This section refers to the creation of the IngressClass resource. # -- This section refers to the creation of the IngressClass resource.
@ -288,23 +294,23 @@ controller:
# -- Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. # -- Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in.
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
## ##
topologySpreadConstraints: [] topologySpreadConstraints:
# - labelSelector: - labelSelector:
# matchLabels: matchLabels:
# app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}' app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
# app.kubernetes.io/instance: '{{ .Release.Name }}' app.kubernetes.io/instance: '{{ .Release.Name }}'
# app.kubernetes.io/component: controller app.kubernetes.io/component: controller
# topologyKey: topology.kubernetes.io/zone topologyKey: topology.kubernetes.io/zone
# maxSkew: 1 maxSkew: 1
# whenUnsatisfiable: ScheduleAnyway whenUnsatisfiable: ScheduleAnyway
# - labelSelector: - labelSelector:
# matchLabels: matchLabels:
# app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}' app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
# app.kubernetes.io/instance: '{{ .Release.Name }}' app.kubernetes.io/instance: '{{ .Release.Name }}'
# app.kubernetes.io/component: controller app.kubernetes.io/component: controller
# topologyKey: kubernetes.io/hostname topologyKey: kubernetes.io/hostname
# maxSkew: 1 maxSkew: 1
# whenUnsatisfiable: ScheduleAnyway whenUnsatisfiable: ScheduleAnyway
# -- `terminationGracePeriodSeconds` to avoid killing pods before we are ready # -- `terminationGracePeriodSeconds` to avoid killing pods before we are ready
## wait up to five minutes for the drain of connections ## wait up to five minutes for the drain of connections
@ -361,12 +367,12 @@ controller:
# -- Annotations to be added to controller pods # -- Annotations to be added to controller pods
## ##
podAnnotations: {} podAnnotations: {}
replicaCount: 1 replicaCount: 2
# -- Minimum available pods set in PodDisruptionBudget. # -- Minimum available pods set in PodDisruptionBudget.
# Define either 'minAvailable' or 'maxUnavailable', never both. # Define either 'minAvailable' or 'maxUnavailable', never both.
minAvailable: 1 # minAvailable: 1
# -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
# maxUnavailable: 1 maxUnavailable: "25%"
## Define requests resources to avoid probe issues due to CPU utilization in busy nodes ## Define requests resources to avoid probe issues due to CPU utilization in busy nodes
## ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903 ## ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903
@ -377,16 +383,16 @@ controller:
## cpu: 100m ## cpu: 100m
## memory: 90Mi ## memory: 90Mi
requests: requests:
cpu: 100m cpu: 250m
memory: 90Mi memory: 500Mi
# Mutually exclusive with keda autoscaling # Mutually exclusive with keda autoscaling
autoscaling: autoscaling:
enabled: false enabled: true
annotations: {} annotations: {}
minReplicas: 1 minReplicas: 2
maxReplicas: 11 maxReplicas: 20
targetCPUUtilizationPercentage: 50 targetCPUUtilizationPercentage: 80
targetMemoryUtilizationPercentage: 50 targetMemoryUtilizationPercentage: 80
behavior: {} behavior: {}
# scaleDown: # scaleDown:
# stabilizationWindowSeconds: 300 # stabilizationWindowSeconds: 300
@ -470,6 +476,15 @@ controller:
annotations: {} annotations: {}
# -- Labels to be added to both controller services. # -- Labels to be added to both controller services.
labels: {} labels: {}
externalDNS:
# -- Add ExternalDNS annotations or not.
enabled: true
# -- Annotation used so assign the external controller service to a specific ExternalDNS instance.
annotation: "giantswarm.io/external-dns: managed"
# -- Defines the sub-domain prepended to the base domain in the FQDN of the external controller service reconciled by ExternalDNS.
subdomain: ingress
# -- Makes the external controller service public or not. Adds annotations for making it internal if disabled.
public: true
# -- Type of the external controller service. # -- Type of the external controller service.
# Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
type: LoadBalancer type: LoadBalancer
@ -494,7 +509,7 @@ controller:
# -- External traffic policy of the external controller service. Set to "Local" to preserve source IP on providers supporting it. # -- External traffic policy of the external controller service. Set to "Local" to preserve source IP on providers supporting it.
# Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
externalTrafficPolicy: "" externalTrafficPolicy: Local
# -- Session affinity of the external controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". # -- Session affinity of the external controller service. Must be either "None" or "ClientIP" if set. Defaults to "None".
# Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity # Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity
sessionAffinity: "" sessionAffinity: ""
@ -549,6 +564,8 @@ controller:
# -- Annotations to be added to the internal controller service. Mandatory for the internal controller service to be created. Varies with the cloud service. # -- Annotations to be added to the internal controller service. Mandatory for the internal controller service to be created. Varies with the cloud service.
# Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
annotations: {} annotations: {}
# -- Defines the sub-domain prepended to the base domain in the FQDN of the internal controller service reconciled by ExternalDNS.
subdomain: ingress-internal
# -- Type of the internal controller service. # -- Type of the internal controller service.
# Defaults to the value of `controller.service.type`. # Defaults to the value of `controller.service.type`.
# Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
@ -574,7 +591,7 @@ controller:
# -- External traffic policy of the internal controller service. Set to "Local" to preserve source IP on providers supporting it. # -- External traffic policy of the internal controller service. Set to "Local" to preserve source IP on providers supporting it.
# Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
externalTrafficPolicy: "" externalTrafficPolicy: Local
# -- Session affinity of the internal controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". # -- Session affinity of the internal controller service. Must be either "None" or "ClientIP" if set. Defaults to "None".
# Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity # Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity
sessionAffinity: "" sessionAffinity: ""
@ -700,13 +717,13 @@ controller:
enabled: false enabled: false
name: opentelemetry name: opentelemetry
image: image:
registry: registry.k8s.io # registry: registry.k8s.io
image: ingress-nginx/opentelemetry image: giantswarm/ingress-nginx-opentelemetry
## for backwards compatibility consider setting the full image url via the repository value below ## for backwards compatibility consider setting the full image url via the repository value below
## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
## repository: ## repository:
tag: "v20230721-3e2062ee5" tag: "v20230721-3e2062ee5"
digest: sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472 digest: ""
distroless: true distroless: true
containerSecurityContext: containerSecurityContext:
runAsNonRoot: true runAsNonRoot: true
@ -794,13 +811,13 @@ controller:
patch: patch:
enabled: true enabled: true
image: image:
registry: registry.k8s.io # registry: registry.k8s.io
image: ingress-nginx/kube-webhook-certgen image: giantswarm/ingress-nginx-kube-webhook-certgen
## for backwards compatibility consider setting the full image url via the repository value below ## for backwards compatibility consider setting the full image url via the repository value below
## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
## repository: ## repository:
tag: v1.4.0 tag: v1.4.0
digest: sha256:44d1d0e9f19c63f58b380c5fddaca7cf22c7cee564adeff365225a5df5ef3334 digest: ""
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
# -- Provide a priority class name to the webhook patching job # -- Provide a priority class name to the webhook patching job
## ##
@ -809,7 +826,7 @@ controller:
# NetworkPolicy for webhook patch # NetworkPolicy for webhook patch
networkPolicy: networkPolicy:
# -- Enable 'networkPolicy' or not # -- Enable 'networkPolicy' or not
enabled: false enabled: true
nodeSelector: nodeSelector:
kubernetes.io/os: linux kubernetes.io/os: linux
tolerations: [] tolerations: []
@ -834,7 +851,7 @@ controller:
port: 10254 port: 10254
portName: metrics portName: metrics
# if this port is changed, change healthz-port: in extraArgs: accordingly # if this port is changed, change healthz-port: in extraArgs: accordingly
enabled: false enabled: true
service: service:
annotations: {} annotations: {}
# prometheus.io/scrape: "true" # prometheus.io/scrape: "true"
@ -854,7 +871,7 @@ controller:
# externalTrafficPolicy: "" # externalTrafficPolicy: ""
# nodePort: "" # nodePort: ""
serviceMonitor: serviceMonitor:
enabled: false enabled: true
additionalLabels: {} additionalLabels: {}
annotations: {} annotations: {}
## The label to use to retrieve the job name from. ## The label to use to retrieve the job name from.
@ -869,7 +886,11 @@ controller:
# honorLabels: true # honorLabels: true
targetLabels: [] targetLabels: []
relabelings: [] relabelings: []
metricRelabelings: [] metricRelabelings:
- sourceLabels:
- __name__
regex: nginx_ingress_controller_(bytes_sent_bucket|request_size_bucket|response_duration_seconds_bucket|response_size_bucket|request_duration_seconds_count|connect_duration_seconds_bucket|header_duration_seconds_bucket|bytes_sent_count|request_duration_seconds_sum|bytes_sent_sum|request_size_count|response_size_count|response_duration_seconds_sum|response_duration_seconds_count|ingress_upstream_latency_seconds|ingress_upstream_latency_seconds_sum|ingress_upstream_latency_seconds_count)
action: drop
prometheusRule: prometheusRule:
enabled: false enabled: false
additionalLabels: {} additionalLabels: {}
@ -936,8 +957,8 @@ defaultBackend:
enabled: false enabled: false
name: defaultbackend name: defaultbackend
image: image:
registry: registry.k8s.io # registry: registry.k8s.io
image: defaultbackend-amd64 image: giantswarm/defaultbackend
## for backwards compatibility consider setting the full image url via the repository value below ## for backwards compatibility consider setting the full image url via the repository value below
## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
## repository: ## repository:
@ -1056,7 +1077,7 @@ defaultBackend:
# NetworkPolicy for default backend component. # NetworkPolicy for default backend component.
networkPolicy: networkPolicy:
# -- Enable 'networkPolicy' or not # -- Enable 'networkPolicy' or not
enabled: false enabled: true
service: service:
annotations: {} annotations: {}
# clusterIP: "" # clusterIP: ""
@ -1079,7 +1100,7 @@ rbac:
## If true, create & use Pod Security Policy resources ## If true, create & use Pod Security Policy resources
## https://kubernetes.io/docs/concepts/policy/pod-security-policy/ ## https://kubernetes.io/docs/concepts/policy/pod-security-policy/
podSecurityPolicy: podSecurityPolicy:
enabled: false enabled: true
serviceAccount: serviceAccount:
create: true create: true
name: "" name: ""
@ -1110,3 +1131,27 @@ portNamePrefix: ""
# This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # This can be generated with: `openssl dhparam 4096 2> /dev/null | base64`
## Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param ## Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param
dhParam: "" dhParam: ""
# -- Deprecated, use `controller.config` instead.
configmap: {}
# Below are configuration values that you should not overwrite or set yourself.
global:
podSecurityStandards:
# -- Wether Pod Security Standards are being used or not.
# This value is set automatically. Do not overwrite it.
enforced: false
image:
# -- Registry host to pull images from.
# This value is set automatically. Do not overwrite it.
registry: gsoci.azurecr.io
# -- Domain of the service's FQDN.
# This value is set automatically. Do not overwrite it.
baseDomain: ""
# -- Provider the cluster is running on.
# This value is set automatically. Do not overwrite it.
provider: aws