From ab56f6b68b3c3d3751707534d8a58b984e9c0d00 Mon Sep 17 00:00:00 2001 From: nold Date: Tue, 28 Feb 2023 09:55:44 +0100 Subject: [PATCH] change(ingress-external): switched to nginx --- projects/gitea/values/gitea.yaml | 2 +- projects/ingress-external/project.yml | 6 +- .../values/ingress-external-traefik.yaml | 63 ++++ .../values/ingress-external.yaml | 268 ++++++++++++++---- 4 files changed, 279 insertions(+), 60 deletions(-) create mode 100644 projects/ingress-external/values/ingress-external-traefik.yaml diff --git a/projects/gitea/values/gitea.yaml b/projects/gitea/values/gitea.yaml index 2f2bbd6b..194c58e1 100644 --- a/projects/gitea/values/gitea.yaml +++ b/projects/gitea/values/gitea.yaml @@ -43,7 +43,7 @@ service: ingress: enabled: true - className: ingress-external-traefik + className: ingress-external labels: environment: external annotations: diff --git a/projects/ingress-external/project.yml b/projects/ingress-external/project.yml index 53d7c3f8..174e8cab 100644 --- a/projects/ingress-external/project.yml +++ b/projects/ingress-external/project.yml @@ -11,7 +11,7 @@ config: apps: - name: ingress-external - repoURL: https://helm.traefik.io/traefik - chart: traefik - targetRevision: 21.1.0 + repoURL: https://kubernetes.github.io/ingress-nginx + chart: ingress-nginx + targetRevision: 4.5.2 syncWave: '0' diff --git a/projects/ingress-external/values/ingress-external-traefik.yaml b/projects/ingress-external/values/ingress-external-traefik.yaml new file mode 100644 index 00000000..ac40f2ba --- /dev/null +++ b/projects/ingress-external/values/ingress-external-traefik.yaml @@ -0,0 +1,63 @@ +ingressClass: + enabled: true + isDefaultClass: false + +providers: + kubernetesCRD: + enabled: true + #ingressClass: external + + kubernetesIngress: + labelSelector: environment=external + ingressClass: ingress-external + namespaces: + - ingress-external + - nextcloud + - gitea + - woodpecker + + publishedService: + enabled: true + +ports: + web: + redirectTo: websecure + websecure: + tls: + enabled: true + +globalArguments: [] + #additionalArguments: + #- "--providers.kubernetesingress.ingressclass=ingress-external" + +ingressRoute: + dashboard: + enabled: false + +tlsOptions: + default: + preferServerCipherSuites: true + minVersion: VersionTLS12 + sniStrict: true + cipherSuites: + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + +persistence: + enabled: true + +service: + enabled: true + type: LoadBalancer + annotations: + metallb.universe.tf/address-pool: external + externalIPs: + - 192.168.1.12 + +logs: + general: + level: INFO diff --git a/projects/ingress-external/values/ingress-external.yaml b/projects/ingress-external/values/ingress-external.yaml index ac40f2ba..71234a8c 100644 --- a/projects/ingress-external/values/ingress-external.yaml +++ b/projects/ingress-external/values/ingress-external.yaml @@ -1,63 +1,219 @@ -ingressClass: - enabled: true - isDefaultClass: false +controller: + name: controller + image: + ## Keep false as default for now! + chroot: false + registry: registry.k8s.io + image: ingress-nginx/controller + ## for backwards compatibility consider setting the full image url via the repository value below + ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail + ## repository: + tag: "v1.6.4" + digest: sha256:15be4666c53052484dd2992efacf2f50ea77a78ae8aa21ccd91af6baaa7ea22f + digestChroot: sha256:0de01e2c316c3ca7847ca13b32d077af7910d07f21a4a82f81061839764f8f81 + pullPolicy: IfNotPresent + # www-data -> uid 101 + runAsUser: 101 + allowPrivilegeEscalation: true -providers: - kubernetesCRD: - enabled: true - #ingressClass: external - - kubernetesIngress: - labelSelector: environment=external + # -- Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ + config: {} + # -- Annotations to be added to the controller config configuration configmap. + configAnnotations: {} + # -- Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers + proxySetHeaders: {} + # -- Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers + addHeaders: {} + # -- Optionally customize the pod dnsConfig. + dnsConfig: {} + # -- Optionally customize the pod hostname. + hostname: {} + # -- Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. + # By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller + # to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. + dnsPolicy: ClusterFirst + # -- Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network + # Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply + reportNodeInternalIp: false + # -- Process Ingress objects without ingressClass annotation/ingressClassName field + # Overrides value for --watch-ingress-without-class flag of the controller binary + # Defaults to false + watchIngressWithoutClass: false + # -- Process IngressClass per name (additionally as per spec.controller). + ingressClassByName: false + # -- This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-aware-hints="auto" + # Defaults to false + enableTopologyAwareRouting: false + # -- This configuration defines if Ingress Controller should allow users to set + # their own *-snippet annotations, otherwise this is forbidden / dropped + # when users add those annotations. + # Global snippets in ConfigMap are still respected + allowSnippetAnnotations: true + ## This section refers to the creation of the IngressClass resource + ## IngressClass resources are supported since k8s >= 1.18 and required since k8s >= 1.19 + ingressClassResource: + # -- Name of the ingressClass + name: ingress-external + # -- Is this ingressClass enabled or not + enabled: true + # -- Is this the default ingressClass for the cluster + default: false + # -- Controller-value of the controller that is processing this ingressClass + controllerValue: "k8s.io/ingress-nginx" + # -- Parameters is a link to a custom resource containing additional + # configuration for the controller. This is optional if the controller + # does not require extra parameters. + parameters: {} + # -- For backwards compatibility with ingress.class annotation, use ingressClass. + # Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation ingressClass: ingress-external - namespaces: - - ingress-external - - nextcloud - - gitea - - woodpecker + # -- Labels to add to the pod container metadata + podLabels: {} + # key: value - publishedService: - enabled: true + # -- Security Context policies for controller pods + podSecurityContext: {} + # -- See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls + sysctls: {} + # sysctls: + # "net.core.somaxconn": "8192" -ports: - web: - redirectTo: websecure - websecure: - tls: - enabled: true + # -- Allows customization of the source of the IP address or FQDN to report + # in the ingress status field. By default, it reads the information provided + # by the service. If disable, the status field reports the IP address of the + # node or nodes where an ingress controller pod is running. + publishService: + # -- Enable 'publishService' or not + enabled: true + # -- Allows overriding of the publish service to bind to + # Must be / + pathOverride: "" + # Limit the scope of the controller to a specific namespace + scope: + # -- Enable 'scope' or not + enabled: false + # -- Namespace to limit the controller to; defaults to $(POD_NAMESPACE) + namespace: "" + # -- When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels + # only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces. + namespaceSelector: "" + # + # -- Additional command line arguments to pass to nginx-ingress-controller + # E.g. to specify the default SSL certificate you can use + extraArgs: {} + ## extraArgs: + ## default-ssl-certificate: "/" -globalArguments: [] - #additionalArguments: - #- "--providers.kubernetesingress.ingressclass=ingress-external" + # -- Additional environment variables to set + extraEnvs: [] + # extraEnvs: + # - name: FOO + # valueFrom: + # secretKeyRef: + # key: FOO + # name: secret-resource -ingressRoute: - dashboard: + # -- Use a `DaemonSet` or `Deployment` + kind: Deployment + # -- Annotations to be added to the controller Deployment or DaemonSet + ## + annotations: {} + # keel.sh/pollSchedule: "@every 60m" + + # -- Labels to be added to the controller Deployment or DaemonSet and other resources that do not have option to specify labels + ## + labels: {} + # keel.sh/policy: patch + # keel.sh/trigger: poll + + # -- The update strategy to apply to the Deployment or DaemonSet + ## + updateStrategy: {} + # rollingUpdate: + # maxUnavailable: 1 + # type: RollingUpdate + + # -- `minReadySeconds` to avoid killing pods before we are ready + ## + minReadySeconds: 0 + + service: + enabled: true + # -- If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were + # using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http + # It allows choosing the protocol for each backend specified in the Kubernetes service. + # See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244 + # Will be ignored for Kubernetes versions older than 1.20 + ## + appProtocol: true + annotations: + metallb.universe.tf/address-pool: external + externalIPs: + - 192.168.1.12 + # -- Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + loadBalancerIP: "" + loadBalancerSourceRanges: [] + enableHttp: true + enableHttps: true + + # shareProcessNamespace enables process namespace sharing within the pod. + # This can be used for example to signal log rotation using `kill -USR1` from a sidecar. + shareProcessNamespace: false + admissionWebhooks: + # Use certmanager to generate webhook certs + certManager: + enabled: true + # self-signed root certificate + rootCert: + # default to be 5y + duration: "" + admissionCert: + # default to be 1y + duration: "" + # issuerRef: + # name: "issuer" + # kind: "ClusterIssuer" + metrics: + port: 10254 + portName: metrics + # if this port is changed, change healthz-port: in extraArgs: accordingly + enabled: true + service: + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "10254" + + serviceMonitor: + enabled: true + additionalLabels: {} + ## The label to use to retrieve the job name from. + ## jobLabel: "app.kubernetes.io/name" + namespace: "" + namespaceSelector: {} + ## Default: scrape .Release.Namespace only + ## To scrape all, use the following: + ## namespaceSelector: + ## any: true + scrapeInterval: 30s + # honorLabels: true + targetLabels: [] + relabelings: [] + metricRelabelings: [] + +defaultBackend: + ## enabled: false - -tlsOptions: - default: - preferServerCipherSuites: true - minVersion: VersionTLS12 - sniStrict: true - cipherSuites: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - -persistence: - enabled: true - -service: - enabled: true - type: LoadBalancer - annotations: - metallb.universe.tf/address-pool: external - externalIPs: - - 192.168.1.12 - -logs: - general: - level: INFO + name: defaultbackend + image: + registry: registry.k8s.io + image: defaultbackend-amd64 + ## for backwards compatibility consider setting the full image url via the repository value below + ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail + ## repository: + tag: "1.5" + pullPolicy: IfNotPresent + # nobody user -> uid 65534 + runAsUser: 65534 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false