diff --git a/infrastructure/nginx-system/release.yaml b/infrastructure/nginx-system/release.yaml
index 25ff80559948f9096f2f338a568f293c904b8898..508e5de1c52f17563ce63bdfe22e6b72125234dc 100644
--- a/infrastructure/nginx-system/release.yaml
+++ b/infrastructure/nginx-system/release.yaml
@@ -15,291 +15,59 @@ spec:
       version: 4.0.17
   interval: 5m
   values:
-    ## nginx configuration
-    ## Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/index.md
-    ##
-
-    ## Overrides for generated resource names
-    # See templates/_helpers.tpl
-    # nameOverride:
-    # fullnameOverride:
-
     controller:
-      # Process Ingress objects without ingressClass annotation/ingressClassName field
-      # Overrides value for --watch-ingress-without-class flag of the controller binary
-      # Defaults to false
-      watchIngressWithoutClass: false
-
-      # Required for use with CNI based kubernetes installations (such as ones set up by kubeadm),
-      # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920
-      # is merged
-      hostNetwork: false
-
-      ## Use host ports 80 and 443
-      ## Disabled by default
-      ##
-      hostPort:
-        enabled: true
-        ports:
-          http: 80
-          https: 443
-
-      # This section refers to the creation of the IngressClass resource
-      # IngressClass resources are supported since k8s >= 1.18 and required since k8s >= 1.19
       ingressClassResource:
         name: nginx
         enabled: true
         default: true
         controllerValue: "k8s.io/ingress-nginx"
-
-        # Parameters is a link to a custom resource containing additional
-        # configuration for the controller. This is optional if the controller
-        # does not require extra parameters.
-        parameters: {}
-
-      ## Allows customization of the source of the IP address or FQDN to report
-      ## in the ingress status field. By default, it reads the information provided
-      ## by the service. If disable, the status field reports the IP address of the
-      ## node or nodes where an ingress controller pod is running.
-      publishService:
-        enabled: true
-        ## Allows overriding of the publish service to bind to
-        ## Must be <namespace>/<service_name>
-        ##
-        pathOverride: ""
-
-      ## Limit the scope of the controller
-      ##
-      scope:
-        enabled: false
-        namespace: ""   # defaults to $(POD_NAMESPACE)
-
-      ## Allows customization of the configmap / nginx-configmap namespace
-      ##
-      configMapNamespace: ""   # defaults to $(POD_NAMESPACE)
-
-      # Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/
+      # Configuring various details for ingress-nginx that make sense by default
       config:
         enable-modsecurity: "true"
         enable-owasp-modsecurity-crs: "true"
         enable-ocsp: "true"
         hsts: "true"
         hsts-max-age: "63072000"
+        hsts-include-subdomains: false
         enable-brotli: "true"
         use-http2: "true"
-
-      ## Allows customization of the tcp-services-configmap
-      ##
-      tcp:
-        configMapNamespace: ""   # defaults to $(POD_NAMESPACE)
-        ## Annotations to be added to the tcp config configmap
-        annotations: {}
-
-      ## Allows customization of the udp-services-configmap
-      ##
-      udp:
-        configMapNamespace: ""   # defaults to $(POD_NAMESPACE)
-        ## Annotations to be added to the udp config configmap
-        annotations: {}
-
-      livenessProbe:
-        httpGet:
-          # should match container.healthCheckPath
-          path: "/healthz"
-          port: 10254
-          scheme: HTTP
-        initialDelaySeconds: 10
-        periodSeconds: 10
-        timeoutSeconds: 1
-        successThreshold: 1
-        failureThreshold: 5
-      readinessProbe:
-        httpGet:
-          # should match container.healthCheckPath
-          path: "/healthz"
-          port: 10254
-          scheme: HTTP
-        initialDelaySeconds: 10
-        periodSeconds: 10
-        timeoutSeconds: 1
-        successThreshold: 1
-        failureThreshold: 3
-
       replicaCount: 2
-
       minAvailable: 1
-
-      # Define requests resources to avoid probe issues due to CPU utilization in busy nodes
-      # ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903
-      # Ideally, there should be no limits.
-      # https://engineering.indeedblog.com/blog/2019/12/cpu-throttling-regression-fix/
       resources:
-      #  limits:
-      #    cpu: 100m
-      #    memory: 90Mi
+        limits:
+          memory: 90Mi
         requests:
           cpu: 100m
           memory: 90Mi
-
-      ## Enable mimalloc as a drop-in replacement for malloc.
-      ## ref: https://github.com/microsoft/mimalloc
-      ##
-      enableMimalloc: true
-
-      ## Override NGINX template
-      customTemplate:
-        configMapName: ""
-        configMapKey: ""
-
       service:
         enabled: true
-
-        annotations: {}
-        labels: {}
-        # clusterIP: ""
-
-        ## List of IP addresses at which the controller services are available
-        ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
-        ##
-        externalIPs: []
-
-        # loadBalancerIP: ""
-        loadBalancerSourceRanges: []
-
         enableHttp: true
         enableHttps: true
-
-        ## Set external traffic policy to: "Local" to preserve source IP on
-        ## providers supporting it
-        ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer
+        # Has to be set to keep external IPs
         externalTrafficPolicy: "Local"
-
-        # Must be either "None" or "ClientIP" if set. Kubernetes will default to "None".
-        # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
-        # sessionAffinity: ""
-
-        # specifies the health check node port (numeric port number) for the service. If healthCheckNodePort isn’t specified,
-        # the service controller allocates a port from your cluster’s NodePort range.
-        # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
-        # healthCheckNodePort: 0
-
         ports:
           http: 80
           https: 443
-
         targetPorts:
           http: http
           https: https
-
         type: LoadBalancer
-
-        # type: NodePort
-        # nodePorts:
-        #   http: 32080
-        #   https: 32443
-        #   tcp:
-        #     8080: 32808
-
-        ## Enables an additional internal load balancer (besides the external one).
-        ## Annotations are mandatory for the load balancer to come up. Varies with the cloud service.
-        internal:
-          enabled: false
-          annotations: {}
-
-          # loadBalancerIP: ""
-
-          ## Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0.
-          loadBalancerSourceRanges: []
-
-          ## Set external traffic policy to: "Local" to preserve source IP on
-          ## providers supporting it
-          ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer
-          # externalTrafficPolicy: ""
-
       admissionWebhooks:
-        annotations: {}
         enabled: true
         failurePolicy: Fail
-        # timeoutSeconds: 10
-        port: 8443
-        certificate: "/usr/local/certificates/cert"
-        key: "/usr/local/certificates/key"
-        namespaceSelector: {}
-        objectSelector: {}
-
-        # Use an existing PSP instead of creating one
-        existingPsp: ""
-
         service:
-          annotations: {}
-          # clusterIP: ""
-          externalIPs: []
-          # loadBalancerIP: ""
-          loadBalancerSourceRanges: []
           servicePort: 443
           type: ClusterIP
 
-        createSecretJob:
-          resources: {}
-            # limits:
-            #   cpu: 10m
-            #   memory: 20Mi
-            # requests:
-            #   cpu: 10m
-            #   memory: 20Mi
-
-        patchWebhookJob:
-          resources: {}
-
-        patch:
-          enabled: true
-
       metrics:
-        port: 10254
-        # if this port is changed, change healthz-port: in extraArgs: accordingly
         enabled: true
-
-        service:
-          annotations: {}
-          # prometheus.io/scrape: "true"
-          # prometheus.io/port: "10254"
-
-          # clusterIP: ""
-
-          ## List of IP addresses at which the stats-exporter service is available
-          ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
-          ##
-          externalIPs: []
-
-          # loadBalancerIP: ""
-          loadBalancerSourceRanges: []
-          servicePort: 10254
-          type: ClusterIP
-          # externalTrafficPolicy: ""
-          # nodePort: ""
-
+        port: 10254
         serviceMonitor:
           enabled: true
-          additionalLabels: {}
-          # The label to use to retrieve the job name from.
-          # jobLabel: "app.kubernetes.io/name"
-          namespace: ""
-          namespaceSelector: {}
-          # Default: scrape .Release.Namespace only
-          # To scrape all, use the following:
-          # namespaceSelector:
-          #   any: true
-          scrapeInterval: 30s
-          # honorLabels: true
-          targetLabels: []
-          metricRelabelings: []
-
         prometheusRule:
           enabled: true
-          additionalLabels: {}
-          # namespace: ""
           rules:
-            # # These are just examples rules, please adapt them to your needs
+            # # Initial ingress alerting rules
             - alert: NGINXConfigFailed
               expr: count(nginx_ingress_controller_config_last_reload_successful == 0) > 0
               for: 30m
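Review bot: `hsts-include-subdomains: false` is the only unquoted value in `controller.config`, where every other entry is a quoted string; ConfigMap data values must be strings, and whether a bare boolean survives depends on how this chart version renders the map, so write `hsts-include-subdomains: "false"`. The key also switches off a setting ingress-nginx enables by default, which leaves subdomains outside the HSTS policy, so a one-line comment giving the reason belongs above it. In `resources`, the new `limits.memory: 90Mi` equals the request while `enable-modsecurity` and `enable-owasp-modsecurity-crs` are on in the same values; that headroom looks tight for a controller loading the rule set and may get the pods OOM-killed, so check it against observed usage before merging. Dropping `hostPort.enabled: true` is probably not a no-op either, since I believe the chart default is disabled; if that is intended, the commit message should say so.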
@@ -332,188 +100,10 @@ spec:
               annotations:
                 description: Too many 4XXs
                 summary: More than 5% of all requests returned 4XX, this requires your attention
-
-      ## Improve connection draining when ingress controller pod is deleted using a lifecycle hook:
-      ## With this new hook, we increased the default terminationGracePeriodSeconds from 30 seconds
-      ## to 300, allowing the draining of connections up to five minutes.
-      ## If the active connections end before that, the pod will terminate gracefully at that time.
-      ## To effectively take advantage of this feature, the Configmap feature
-      ## worker-shutdown-timeout new value is 240s instead of 10s.
-      ##
-      lifecycle:
-        preStop:
-          exec:
-            command:
-              - /wait-shutdown
-
-      priorityClassName: ""
-
-    ## Rollback limit
-    ##
-    revisionHistoryLimit: 10
-
-    ## Default 404 backend
-    ##
-    defaultBackend:
-      ##
-      enabled: false
-
-      name: defaultbackend
-      image:
-        registry: k8s.gcr.io
-        image: defaultbackend-amd64
-        # for backwards compatibility consider setting the full image url via the repository value below
-        # use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
-        # repository:
-        tag: "1.5"
-        pullPolicy: IfNotPresent
-        # nobody user -> uid 65534
-        runAsUser: 65534
-        runAsNonRoot: true
-        readOnlyRootFilesystem: true
-        allowPrivilegeEscalation: false
-
-      # Use an existing PSP instead of creating one
-      existingPsp: ""
-
-      extraArgs: {}
-
-      serviceAccount:
-        create: true
-        name: ""
-        automountServiceAccountToken: true
-      ## Additional environment variables to set for defaultBackend pods
-      extraEnvs: []
-
-      port: 8080
-
-      ## Readiness and liveness probes for default backend
-      ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
-      ##
-      livenessProbe:
-        failureThreshold: 3
-        initialDelaySeconds: 30
-        periodSeconds: 10
-        successThreshold: 1
-        timeoutSeconds: 5
-      readinessProbe:
-        failureThreshold: 6
-        initialDelaySeconds: 0
-        periodSeconds: 5
-        successThreshold: 1
-        timeoutSeconds: 5
-
-      ## Node tolerations for server scheduling to nodes with taints
-      ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
-      ##
-      tolerations: []
-      #  - key: "key"
-      #    operator: "Equal|Exists"
-      #    value: "value"
-      #    effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
-
-      affinity: {}
-
-      ## Security Context policies for controller pods
-      ## See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for
-      ## notes on enabling and using sysctls
-      ##
-      podSecurityContext: {}
-
-      # labels to add to the pod container metadata
-      podLabels: {}
-      #  key: value
-
-      ## Node labels for default backend pod assignment
-      ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
-      ##
-      nodeSelector:
-        kubernetes.io/os: linux
-
-      ## Annotations to be added to default backend pods
-      ##
-      podAnnotations: {}
-
-      replicaCount: 1
-
-      minAvailable: 1
-
-      resources: {}
-      # limits:
-      #   cpu: 10m
-      #   memory: 20Mi
-      # requests:
-      #   cpu: 10m
-      #   memory: 20Mi
-
-      extraVolumeMounts: []
-      ## Additional volumeMounts to the default backend container.
-      #  - name: copy-portal-skins
-      #   mountPath: /var/lib/lemonldap-ng/portal/skins
-
-      extraVolumes: []
-      ## Additional volumes to the default backend pod.
-      #  - name: copy-portal-skins
-      #    emptyDir: {}
-
-      autoscaling:
-        annotations: {}
-        enabled: false
-        minReplicas: 1
-        maxReplicas: 2
-        targetCPUUtilizationPercentage: 50
-        targetMemoryUtilizationPercentage: 50
-
-      service:
-        annotations: {}
-
-        # clusterIP: ""
-
-        ## List of IP addresses at which the default backend service is available
-        ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips
-        ##
-        externalIPs: []
-
-        # loadBalancerIP: ""
-        loadBalancerSourceRanges: []
-        servicePort: 80
-        type: ClusterIP
-
-      priorityClassName: ""
-
-    ## Enable RBAC as per https://github.com/kubernetes/ingress-nginx/blob/main/docs/deploy/rbac.md and https://github.com/kubernetes/ingress-nginx/issues/266
     rbac:
       create: true
       scope: false
-
-    # If true, create & use Pod Security Policy resources
-    # https://kubernetes.io/docs/concepts/policy/pod-security-policy/
     podSecurityPolicy:
       enabled: true
-
     serviceAccount:
       create: true
-      name: ""
-      automountServiceAccountToken: true
-
-    ## Optional array of imagePullSecrets containing private registry credentials
-    ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
-    imagePullSecrets: []
-    # - name: secretName
-
-    # TCP service key:value pairs
-    # Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md
-    ##
-    tcp: {}
-    #  8080: "default/example-tcp-svc:9000"
-
-    # UDP service key:value pairs
-    # Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md
-    ##
-    udp: {}
-    #  53: "kube-system/kube-dns:53"
-
-    # A base64ed Diffie-Hellman parameter
-    # This can be generated with: openssl dhparam 4096 2> /dev/null | base64
-    # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param
-    dhParam: