chore(nginx): Reduce unnecessary values from helmrelease

infrastructure/nginx-system/release.yaml

@@ -15,291 +15,59 @@ spec:
       version: 4.0.17
   interval: 5m
   values:
-    ## nginx configuration
-    ## Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/index.md
-    ##
-
-    ## Overrides for generated resource names
-    # See templates/_helpers.tpl
-    # nameOverride:
-    # fullnameOverride:
-
     controller:
-      # Process Ingress objects without ingressClass annotation/ingressClassName field
-      # Overrides value for --watch-ingress-without-class flag of the controller binary
-      # Defaults to false
-      watchIngressWithoutClass: false
-
-      # Required for use with CNI based kubernetes installations (such as ones set up by kubeadm),
-      # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920
-      # is merged
-      hostNetwork: false
-
-      ## Use host ports 80 and 443
-      ## Disabled by default
-      ##
-      hostPort:
-        enabled: true
-        ports:
-          http: 80
-          https: 443
-
-      # This section refers to the creation of the IngressClass resource
-      # IngressClass resources are supported since k8s >= 1.18 and required since k8s >= 1.19
       ingressClassResource:
         name: nginx
         enabled: true
         default: true
         controllerValue: "k8s.io/ingress-nginx"
-
-        # Parameters is a link to a custom resource containing additional
-        # configuration for the controller. This is optional if the controller
-        # does not require extra parameters.
-        parameters: {}
-
-      ## Allows customization of the source of the IP address or FQDN to report
-      ## in the ingress status field. By default, it reads the information provided
-      ## by the service. If disable, the status field reports the IP address of the
-      ## node or nodes where an ingress controller pod is running.
-      publishService:
-        enabled: true
-        ## Allows overriding of the publish service to bind to
-        ## Must be <namespace>/<service_name>
-        ##
-        pathOverride: ""
-
-      ## Limit the scope of the controller
-      ##
-      scope:
-        enabled: false
-        namespace: ""   # defaults to $(POD_NAMESPACE)
-
-      ## Allows customization of the configmap / nginx-configmap namespace
-      ##
-      configMapNamespace: ""   # defaults to $(POD_NAMESPACE)
-
-      # Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/
+      # Configuring various details for ingress-nginx that make sense by default
       config:
         enable-modsecurity: "true"
         enable-owasp-modsecurity-crs: "true"
         enable-ocsp: "true"
         hsts: "true"
         hsts-max-age: "63072000"
+        hsts-include-subdomains: false
         enable-brotli: "true"
         use-http2: "true"
-
-      ## Allows customization of the tcp-services-configmap
-      ##
-      tcp:
-        configMapNamespace: ""   # defaults to $(POD_NAMESPACE)
-        ## Annotations to be added to the tcp config configmap
-        annotations: {}
-
-      ## Allows customization of the udp-services-configmap
-      ##
-      udp:
-        configMapNamespace: ""   # defaults to $(POD_NAMESPACE)
-        ## Annotations to be added to the udp config configmap
-        annotations: {}
-
-      livenessProbe:
-        httpGet:
-          # should match container.healthCheckPath
-          path: "/healthz"
-          port: 10254
-          scheme: HTTP
-        initialDelaySeconds: 10
-        periodSeconds: 10
-        timeoutSeconds: 1
-        successThreshold: 1
-        failureThreshold: 5
-      readinessProbe:
-        httpGet:
-          # should match container.healthCheckPath
-          path: "/healthz"
-          port: 10254
-          scheme: HTTP
-        initialDelaySeconds: 10
-        periodSeconds: 10
-        timeoutSeconds: 1
-        successThreshold: 1
-        failureThreshold: 3
-
       replicaCount: 2
-
       minAvailable: 1
-
-      # Define requests resources to avoid probe issues due to CPU utilization in busy nodes
-      # ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903
-      # Ideally, there should be no limits.
-      # https://engineering.indeedblog.com/blog/2019/12/cpu-throttling-regression-fix/
       resources:
-      #  limits:
-      #    cpu: 100m
-      #    memory: 90Mi
+        limits:
+          memory: 90Mi
         requests:
           cpu: 100m
           memory: 90Mi
-
-      ## Enable mimalloc as a drop-in replacement for malloc.
-      ## ref: https://github.com/microsoft/mimalloc
-      ##
-      enableMimalloc: true
-
-      ## Override NGINX template
-      customTemplate:
-        configMapName: ""
-        configMapKey: ""
-
       service:
         enabled: true
-
-        annotations: {}
-        labels: {}
-        # clusterIP: ""
-
-        ## List of IP addresses at which the controller services are available
-        ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
-        ##
-        externalIPs: []
-
-        # loadBalancerIP: ""
-        loadBalancerSourceRanges: []
-
         enableHttp: true
         enableHttps: true
-
-        ## Set external traffic policy to: "Local" to preserve source IP on
-        ## providers supporting it
-        ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer
+        # Has to be set to keep external IPs
         externalTrafficPolicy: "Local"
-
-        # Must be either "None" or "ClientIP" if set. Kubernetes will default to "None".
-        # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
-        # sessionAffinity: ""
-
-        # specifies the health check node port (numeric port number) for the service. If healthCheckNodePort isn’t specified,
-        # the service controller allocates a port from your cluster’s NodePort range.
-        # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
-        # healthCheckNodePort: 0
-
         ports:
           http: 80
           https: 443
-
         targetPorts:
           http: http
           https: https
-
         type: LoadBalancer
-
-        # type: NodePort
-        # nodePorts:
-        #   http: 32080
-        #   https: 32443
-        #   tcp:
-        #     8080: 32808
-
-        ## Enables an additional internal load balancer (besides the external one).
-        ## Annotations are mandatory for the load balancer to come up. Varies with the cloud service.
-        internal:
-          enabled: false
-          annotations: {}
-
-          # loadBalancerIP: ""
-
-          ## Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0.
-          loadBalancerSourceRanges: []
-
-          ## Set external traffic policy to: "Local" to preserve source IP on
-          ## providers supporting it
-          ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer
-          # externalTrafficPolicy: ""
-
       admissionWebhooks:
-        annotations: {}
         enabled: true
         failurePolicy: Fail
-        # timeoutSeconds: 10
-        port: 8443
-        certificate: "/usr/local/certificates/cert"
-        key: "/usr/local/certificates/key"
-        namespaceSelector: {}
-        objectSelector: {}
-
-        # Use an existing PSP instead of creating one
-        existingPsp: ""
-
         service:
-          annotations: {}
-          # clusterIP: ""
-          externalIPs: []
-          # loadBalancerIP: ""
-          loadBalancerSourceRanges: []
           servicePort: 443
           type: ClusterIP
 
-        createSecretJob:
-          resources: {}
-            # limits:
-            #   cpu: 10m
-            #   memory: 20Mi
-            # requests:
-            #   cpu: 10m
-            #   memory: 20Mi
-
-        patchWebhookJob:
-          resources: {}
-
-        patch:
-          enabled: true
-
       metrics:
-        port: 10254
-        # if this port is changed, change healthz-port: in extraArgs: accordingly
         enabled: true
-
-        service:
-          annotations: {}
-          # prometheus.io/scrape: "true"
-          # prometheus.io/port: "10254"
-
-          # clusterIP: ""
-
-          ## List of IP addresses at which the stats-exporter service is available
-          ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
-          ##
-          externalIPs: []
-
-          # loadBalancerIP: ""
-          loadBalancerSourceRanges: []
-          servicePort: 10254
-          type: ClusterIP
-          # externalTrafficPolicy: ""
-          # nodePort: ""
-
+        port: 10254
         serviceMonitor:
           enabled: true
-          additionalLabels: {}
-          # The label to use to retrieve the job name from.
-          # jobLabel: "app.kubernetes.io/name"
-          namespace: ""
-          namespaceSelector: {}
-          # Default: scrape .Release.Namespace only
-          # To scrape all, use the following:
-          # namespaceSelector:
-          #   any: true
-          scrapeInterval: 30s
-          # honorLabels: true
-          targetLabels: []
-          metricRelabelings: []
-
         prometheusRule:
           enabled: true
-          additionalLabels: {}
-          # namespace: ""
           rules:
-            # # These are just examples rules, please adapt them to your needs
+            # # Initial ingress alerting rules
             - alert: NGINXConfigFailed
               expr: count(nginx_ingress_controller_config_last_reload_successful == 0) > 0
               for: 30m
@@ -332,188 +100,10 @@ spec:
               annotations:
                 description: Too many 4XXs
                 summary: More than 5% of all requests returned 4XX, this requires your attention
-
-      ## Improve connection draining when ingress controller pod is deleted using a lifecycle hook:
-      ## With this new hook, we increased the default terminationGracePeriodSeconds from 30 seconds
-      ## to 300, allowing the draining of connections up to five minutes.
-      ## If the active connections end before that, the pod will terminate gracefully at that time.
-      ## To effectively take advantage of this feature, the Configmap feature
-      ## worker-shutdown-timeout new value is 240s instead of 10s.
-      ##
-      lifecycle:
-        preStop:
-          exec:
-            command:
-              - /wait-shutdown
-
-      priorityClassName: ""
-
-    ## Rollback limit
-    ##
-    revisionHistoryLimit: 10
-
-    ## Default 404 backend
-    ##
-    defaultBackend:
-      ##
-      enabled: false
-
-      name: defaultbackend
-      image:
-        registry: k8s.gcr.io
-        image: defaultbackend-amd64
-        # for backwards compatibility consider setting the full image url via the repository value below
-        # use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
-        # repository:
-        tag: "1.5"
-        pullPolicy: IfNotPresent
-        # nobody user -> uid 65534
-        runAsUser: 65534
-        runAsNonRoot: true
-        readOnlyRootFilesystem: true
-        allowPrivilegeEscalation: false
-
-      # Use an existing PSP instead of creating one
-      existingPsp: ""
-
-      extraArgs: {}
-
-      serviceAccount:
-        create: true
-        name: ""
-        automountServiceAccountToken: true
-      ## Additional environment variables to set for defaultBackend pods
-      extraEnvs: []
-
-      port: 8080
-
-      ## Readiness and liveness probes for default backend
-      ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
-      ##
-      livenessProbe:
-        failureThreshold: 3
-        initialDelaySeconds: 30
-        periodSeconds: 10
-        successThreshold: 1
-        timeoutSeconds: 5
-      readinessProbe:
-        failureThreshold: 6
-        initialDelaySeconds: 0
-        periodSeconds: 5
-        successThreshold: 1
-        timeoutSeconds: 5
-
-      ## Node tolerations for server scheduling to nodes with taints
-      ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
-      ##
-      tolerations: []
-      #  - key: "key"
-      #    operator: "Equal|Exists"
-      #    value: "value"
-      #    effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
-
-      affinity: {}
-
-      ## Security Context policies for controller pods
-      ## See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for
-      ## notes on enabling and using sysctls
-      ##
-      podSecurityContext: {}
-
-      # labels to add to the pod container metadata
-      podLabels: {}
-      #  key: value
-
-      ## Node labels for default backend pod assignment
-      ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
-      ##
-      nodeSelector:
-        kubernetes.io/os: linux
-
-      ## Annotations to be added to default backend pods
-      ##
-      podAnnotations: {}
-
-      replicaCount: 1
-
-      minAvailable: 1
-
-      resources: {}
-      # limits:
-      #   cpu: 10m
-      #   memory: 20Mi
-      # requests:
-      #   cpu: 10m
-      #   memory: 20Mi
-
-      extraVolumeMounts: []
-      ## Additional volumeMounts to the default backend container.
-      #  - name: copy-portal-skins
-      #   mountPath: /var/lib/lemonldap-ng/portal/skins
-
-      extraVolumes: []
-      ## Additional volumes to the default backend pod.
-      #  - name: copy-portal-skins
-      #    emptyDir: {}
-
-      autoscaling:
-        annotations: {}
-        enabled: false
-        minReplicas: 1
-        maxReplicas: 2
-        targetCPUUtilizationPercentage: 50
-        targetMemoryUtilizationPercentage: 50
-
-      service:
-        annotations: {}
-
-        # clusterIP: ""
-
-        ## List of IP addresses at which the default backend service is available
-        ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
-        ##
-        externalIPs: []
-
-        # loadBalancerIP: ""
-        loadBalancerSourceRanges: []
-        servicePort: 80
-        type: ClusterIP
-
-      priorityClassName: ""
-
-    ## Enable RBAC as per https://github.com/kubernetes/ingress-nginx/blob/main/docs/deploy/rbac.md and https://github.com/kubernetes/ingress-nginx/issues/266
     rbac:
       create: true
       scope: false
-
-    # If true, create & use Pod Security Policy resources
-    # https://kubernetes.io/docs/concepts/policy/pod-security-policy/
     podSecurityPolicy:
       enabled: true
-
     serviceAccount:
       create: true
-      name: ""
-      automountServiceAccountToken: true
-
-    ## Optional array of imagePullSecrets containing private registry credentials
-    ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
-    imagePullSecrets: []
-    # - name: secretName
-
-    # TCP service key:value pairs
-    # Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md
-    ##
-    tcp: {}
-    #  8080: "default/example-tcp-svc:9000"
-
-    # UDP service key:value pairs
-    # Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md
-    ##
-    udp: {}
-    #  53: "kube-system/kube-dns:53"
-
-    # A base64ed Diffie-Hellman parameter
-    # This can be generated with: openssl dhparam 4096 2> /dev/null | base64
-    # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param
-    dhParam: