diff --git a/helm/nginx-ingress-controller-app/Configuration.md b/helm/nginx-ingress-controller-app/Configuration.md index dcf0bf9f..5bfe349e 100644 --- a/helm/nginx-ingress-controller-app/Configuration.md +++ b/helm/nginx-ingress-controller-app/Configuration.md 
@@ -2,17 +2,34 @@ This chart installs nginx-ingress-controller and its dependencies as managed applications. An Ingress Controller is a daemon, deployed as a Kubernetes Pod, that watches the apiserver's /ingresses endpoint for updates to the Ingress resource. Its job is to satisfy requests for Ingresses. - ## Configuration The following table lists the configurable parameters of the nginx-ingress-controller chart, its dependencies and default values. Parameter | Description | Default --- | --- | --- -`baseDomain` | Cluster base domain. Dynamically calculated during cluster creation. Manual change doesn't affect this value | 'aws' -`provider` | Provider identifier (`aws`/`azure`/`kvm`) | 'kvm' -`configmap.ingress-class` | Ingress class, which controller processes | `nginx` -`configmap.ssl-protocols` | SSL supported protocols | '' -`controller.service.enabled` | If true, create service | `true` +`baseDomain` | Cluster base domain. Dynamically calculated during cluster creation. Manual change doesn't affect this value | 'uun5a.k8s.ginger.eu-central-1.aws.gigantic.io' +`clusterID` | Cluster ID. Dynamically calculated during cluster creation. Manual change doesn't affect this value | 'uun5a' +`configmap` | Sets the nginx configmap configuration overrides. | See official docs for nginx [configmap configuration options](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#configuration-options) and their defaults. Built-in overrides are covered below. +`configmap.error-log-level` | Configures the logging level of errors. | "error" +`configmap.hsts` | Enables or disables the HTTP Strict Transport Security (HSTS) header in servers running SSL. | "false" +`configmap.server-name-hash-bucket-size` | Sets the size of the bucket for the server names hash tables. | "1024" +`configmap.server-tokens` | Controlls whether to send NGINX Server header in responses and display NGINX version in error pages. 
| "false" +`configmap.worker-processes` | Sets the number of worker processes. | "4" +`configmap.use-forwarded-headers` | If true, NGINX passes the incoming `X-Forwarded-*` headers to upstreams. | "true" +`controller.annotationsPrefix` | Prefix of the Ingress annotations specific to the NGINX controller. | `nginx.ingress.kubernetes.io` +`controller.autoscaling.enabled` | Enables or disables Horizontal Pod Autoscaler (HPA) for NGINX Ingress Controller Deployment. | `false` +`controller.autoscaling.minReplicas` | Configures HPA min replicas. | `1` +`controller.autoscaling.maxReplicas` | Configures HPA max replicas. | `20` +`controller.autoscaling.targetCPUUtilizationPercentage` | Configures HPA target CPU utilization percentage. | `50` +`controller.autoscaling.targetMemoryUtilizationPercentage` | Configures HPA target memory utilization percentage. | `50` +`controller.defaultSSLCertificate` | The Secret referred to by this flag contains the default certificate to be used when accessing the catch-all server. If this flag is not provided NGINX will use a self-signed certificate. Example value: "default/foo-tls" | "" +`controller.ingressController.legacy` | Legacy or node pools cluster. On aws provider node pool clusters LoadBalancer service gets created. Dynamically calculated during cluster creation. | `false` +`controller.ingressController.replicas` | Number of NGINX Ingress Controller Deployment replicas. Dynamically calculated during cluster creation. | `3` +`controller.ingressClass` | Ingress class, which controller processes | `nginx` +`controller.metrics.enabled` | If true, create metrics Service for prometheus-operator support. | `false` +`controller.metrics.port` | Configures container metrics port to be exposed. | `10254` +`controller.metrics.service.servicePort` | Configures metrics Service port. | `9913` +`controller.service.enabled` | If true, create NodePort service. Applies only to legacy clusters. 
| `true` `controller.service.type` | Applies only to `provider=aws` (`external`/`internal`) | `external` - +`provider` | Provider identifier (`aws`/`azure`/`kvm`) | `kvm` diff --git a/helm/nginx-ingress-controller-app/templates/configmap.yaml b/helm/nginx-ingress-controller-app/templates/configmap.yaml index 86c0b1eb..a742b304 100644 --- a/helm/nginx-ingress-controller-app/templates/configmap.yaml +++ b/helm/nginx-ingress-controller-app/templates/configmap.yaml 
@@ -7,67 +7,4 @@ metadata: giantswarm.io/service-type: "managed" k8s-addon: ingress-nginx.addons.k8s.io data: - - disable-access-log: "{{ index .Values.configmap "disable-access-log" }}" - {{- if index .Values.configmap "enable-underscores-in-headers" }} - enable-underscores-in-headers: "{{ index .Values.configmap "enable-underscores-in-headers" }}" - {{- end }} - enable-vts-status: "{{ index .Values.configmap "enable-vts-status" }}" - error-log-level: "{{ index .Values.configmap "error-log-level" }}" - - {{- if index .Values.configmap "http2-max-field-size" }} - http2-max-field-size: "{{ index .Values.configmap "http2-max-field-size" }}" - {{- end }} - - # Disables setting a 'Strict-Transport-Security' header, which can be harmful. - # See https://github.com/kubernetes/ingress-nginx/issues/549#issuecomment-291894246 - hsts: "{{ .Values.configmap.hsts }}" - - {{- if index .Values.configmap "http-snippet" }} - http-snippet: | - {{- range ((index .Values.configmap "http-snippet") | trimAll "\n " | split "\n") }} - {{ . 
}} - {{- end }} - {{- end }} - - {{- if index .Values.configmap "large-client-header-buffers" }} - large-client-header-buffers: "{{ index .Values.configmap "large-client-header-buffers" }}" - {{- end }} - - {{- if index .Values.configmap "log-format-upstream" }} - log-format-upstream: "{{ index .Values.configmap "log-format-upstream" }}" - {{- end }} - - {{- if index .Values.configmap "proxy-buffers-size" }} - proxy-buffers-size: "{{ index .Values.configmap "proxy-buffers-size" }}" - {{- end }} - - {{- if index .Values.configmap "proxy-buffers" }} - proxy-buffers: "{{ index .Values.configmap "proxy-buffers" }}" - {{- end }} - - {{- if index .Values.configmap "use-forwarded-headers" }} - use-forwarded-headers: "{{ index .Values.configmap "use-forwarded-headers" }}" - {{- end }} - - # Increase hash table size to allow more server names for stability reasons - server-name-hash-bucket-size: "{{ index .Values.configmap "server-name-hash-bucket-size" }}" - server-name-hash-max-size: "{{ index .Values.configmap "server-name-hash-max-size" }}" - server-tokens: "{{ index .Values.configmap "server-tokens" }}" - worker-processes: "{{ index .Values.configmap "worker-processes" }}" - - {{- if index .Values.configmap "use-proxy-protocol" }} - # Allow user to override value. - use-proxy-protocol: "{{ index .Values.configmap "use-proxy-protocol" }}" - {{- else }} - # Global is used as this key is used by the migration logic. - use-proxy-protocol: "{{ .Values.global.controller.useProxyProtocol }}" - {{- end }} - - {{- if index .Values.configmap "vts-default-filter-key" }} - vts-default-filter-key: "{{ index .Values.configmap "vts-default-filter-key" }}" - {{- end }} - - {{- if index .Values.configmap "ssl-protocols" }} - ssl-protocols: "{{ index .Values.configmap "ssl-protocols" }}" - {{- end }} + {{- toYaml .Values.configmap | trim | nindent 2 }} 
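Review bot: The new `toYaml .Values.configmap | trim | nindent 2` line drops the `"{{ ... }}"` quoting the old template applied to every value, so an override written as `worker-processes: 8` or `hsts: false` renders a number or bool into ConfigMap `data`, which the API server rejects because `data` values must be strings (the old template tolerated this). It also turns the former fixed key list into a pass-through: any key a values file carries — including `main-snippet`, `server-snippet` and `location-snippet`, which inject raw nginx directives — now reaches the controller ConfigMap, so anyone who can supply chart values can reshape the proxy configuration; if that is intended it deserves a sentence in Configuration.md. Rendering `{{- range $k, $v := .Values.configmap }}` / `{{ $k }}: {{ $v | toString | quote }}` / `{{- end }}` keeps every value a string while preserving the pass-through. Note too that the `use-proxy-protocol` fallback to `.Values.global.controller.useProxyProtocol` is gone, so a cluster that relied on that global now gets nginx's default unless `configmap.use-proxy-protocol` is set explicitly.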
diff --git a/helm/nginx-ingress-controller-app/templates/controller-deployment.yaml b/helm/nginx-ingress-controller-app/templates/controller-deployment.yaml index 5fccb4bf..6eee0fc7 100644 --- a/helm/nginx-ingress-controller-app/templates/controller-deployment.yaml +++ b/helm/nginx-ingress-controller-app/templates/controller-deployment.yaml @@ -51,13 +51,13 @@ spec: args: - /nginx-ingress-controller - --configmap=$(POD_NAMESPACE)/{{ .Values.controller.configmap.name }} - - --annotations-prefix={{ index .Values.configmap "annotations-prefix" }} - {{- if index .Values.configmap "default-ssl-certificate" }} - - --default-ssl-certificate={{ index .Values.configmap "default-ssl-certificate" }} + - --annotations-prefix={{ .Values.controller.annotationsPrefix }} + {{- if .Values.controller.defaultSSLCertificate }} + - --default-ssl-certificate={{ .Values.controller.defaultSSLCertificate }} {{- end}} - --enable-ssl-chain-completion=false - --enable-dynamic-certificates=true - - --ingress-class={{ index .Values.configmap "ingress-class" }} + - --ingress-class={{ .Values.controller.ingressClass }} {{- if not .Values.ingressController.legacy }} - --publish-service={{ .Release.Namespace }}/{{ .Values.controller.name }} {{- end }} diff --git a/helm/nginx-ingress-controller-app/templates/controller-hpa.yaml b/helm/nginx-ingress-controller-app/templates/controller-hpa.yaml index 06c10599..be258a58 100644 --- a/helm/nginx-ingress-controller-app/templates/controller-hpa.yaml +++ b/helm/nginx-ingress-controller-app/templates/controller-hpa.yaml @@ -1,4 +1,4 @@ -{{- if (index .Values.configmap "hpa-enabled") eq "true" }} +{{- if .Values.controller.autoscaling.enabled }} apiVersion: autoscaling/v2beta1 kind: HorizontalPodAutoscaler metadata: 
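Review bot: The flag sources move from `configmap.default-ssl-certificate`, `configmap.ingress-class` and `configmap.annotations-prefix` to `controller.*`, but nothing catches a user values file that still sets the old keys: the deployment silently falls back to the chart defaults, and for the default certificate that means the catch-all server starts serving a self-signed certificate instead of the operator's, while the stale key lands in the nginx ConfigMap through the new pass-through in configmap.yaml. Failing the render on a moved key makes the migration loud, e.g. `{{- if hasKey .Values.configmap "default-ssl-certificate" }}{{ fail "configmap.default-ssl-certificate has moved to controller.defaultSSLCertificate" }}{{- end }}` above the `args:` list, with the same guard for `ingress-class` and `annotations-prefix`. The container spec this `args` list belongs to begins above the hunk, so placement of the guard is not visible here.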
@@ -13,15 +13,19 @@ spec: apiVersion: apps/v1 kind: Deployment name: {{ .Values.controller.name }} - minReplicas: {{ index .Values.configmap "hpa-min-replicas" }} - maxReplicas: {{ index .Values.configmap "hpa-max-replicas" }} + minReplicas: {{ .Values.controller.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }} metrics: +{{- with .Values.controller.autoscaling.targetCPUUtilizationPercentage }} - type: Resource resource: name: cpu - targetAverageUtilization: {{ index .Values.configmap "hpa-target-cpu-utilization-percentage" }} + targetAverageUtilization: {{ . }} +{{- end }} +{{- with .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} - type: Resource resource: name: memory - targetAverageUtilization: {{ index .Values.configmap "hpa-target-memory-utilization-percentage" }} + targetAverageUtilization: {{ . }} +{{- end }} {{- end }} diff --git a/helm/nginx-ingress-controller-app/templates/rbac.yaml b/helm/nginx-ingress-controller-app/templates/rbac.yaml index f5b67ece..a9f60820 100644 --- a/helm/nginx-ingress-controller-app/templates/rbac.yaml +++ b/helm/nginx-ingress-controller-app/templates/rbac.yaml @@ -120,7 +120,7 @@ rules: # Here: "-" # This has to be adapted if you change either parameter # when launching the nginx-ingress-controller. - - "ingress-controller-leader-{{ index .Values.configmap "ingress-class" }}" + - "ingress-controller-leader-{{ .Values.controller.ingressClass }}" verbs: - get - update diff --git a/helm/nginx-ingress-controller-app/values.yaml b/helm/nginx-ingress-controller-app/values.yaml index 22dbd005..677357b1 100644 --- a/helm/nginx-ingress-controller-app/values.yaml +++ b/helm/nginx-ingress-controller-app/values.yaml 
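Review bot: The two new `with` guards drop a metric when its target is unset or 0, so disabling both leaves a bare `metrics:` key and the HPA is created with an empty metrics list; as far as I recall the autoscaler then applies its own built-in CPU default rather than anything the chart declares, and it does so silently. Either state in values.yaml that at least one target must be non-zero, or fail the render: `{{- if not (or .Values.controller.autoscaling.targetCPUUtilizationPercentage .Values.controller.autoscaling.targetMemoryUtilizationPercentage) }}{{ fail "autoscaling requires at least one utilization target" }}{{- end }}` before `metrics:`. The new lines also use v2beta1's `targetAverageUtilization`; since `autoscaling/v2beta1` is deprecated, the `target: {type: Utilization, averageUtilization: ...}` shape of v2beta2/v2 would avoid a later breaking rewrite if the cluster versions you support already serve it.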
@@ -2,8 +2,6 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. -namespace: kube-system - # baseDomain is a dynamic value, it comes from the cluster values configmap # applies only to Giant Swarm clusters baseDomain: uun5a.k8s.ginger.eu-central-1.aws.gigantic.io @@ -19,44 +17,18 @@ ingressController: legacy: false replicas: 3 -# configmap contains settings that can be overridden with a custom values -# configmap. +# for all the nginx configmap config options see https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#configmaps configmap: - disable-access-log: "false" - enable-vts-status: "true" error-log-level: "error" + # Disables setting a 'Strict-Transport-Security' header, which can be harmful. + # See https://github.com/kubernetes/ingress-nginx/issues/549#issuecomment-291894246 hsts: "false" + # Increase hash table size to allow more server names for stability reasons server-name-hash-bucket-size: "1024" - server-name-hash-max-size: "1024" server-tokens: "false" worker-processes: "4" use-forwarded-headers: "true" - # optional settings that can be set. - enable-underscores-in-headers: "" - http-snippet: "" - http2-max-field-size: "" - large-client-header-buffers: "" - log-format-upstream: "" - proxy-buffers-size: "" - proxy-buffers: "" - use-proxy-protocol: "" - vts-default-filter-key: "" - # Enable the specified protocols (cf. http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols for the list of valid protocols) - ssl-protocols: "" - - # optional hpa settings - hpa-enabled: false - hpa-min-replicas: 2 - hpa-max-replicas: 11 - hpa-target-cpu-utilization-percentage: 50 - hpa-target-memory-utilization-percentage: 50 - - # command args options - annotations-prefix: nginx.ingress.kubernetes.io - default-ssl-certificate: "" - ingress-class: nginx - controller: name: nginx-ingress-controller k8sAppLabel: nginx-ingress-controller 
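Review bot: The new header comment sends users to the full list of nginx configmap options but does not say that every value in this map must be a quoted string — configmap.yaml now copies the map straight into ConfigMap `data`, so an unquoted `8` or `false` is rejected by the API server. Suggest extending it with `# Every value must be a quoted string: this map is rendered verbatim into the controller ConfigMap's data field.` The relocated HSTS comment says the header "can be harmful" without saying how; since `hsts: "false"` switches off a transport-security control for every Ingress by default, it should name the concern in one clause (presumably the one described in the linked issue) and note that an override of `hsts: "true"` restores it. The hunk ends at the start of the `controller:` mapping, whose body is outside it.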
@@ -100,19 +72,25 @@ controller: cpu: 500m memory: 600Mi + # optional hpa settings + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 20 + targetCPUUtilizationPercentage: 50 + targetMemoryUtilizationPercentage: 50 + + # command args options + annotationsPrefix: nginx.ingress.kubernetes.io + defaultSSLCertificate: "" + ingressClass: nginx + userID: 101 groupID: 101 image: registry: quay.io -global: - controller: - tempReplicas: 2 - useProxyProtocol: false - migration: - enabled: false - test: image: registry: quay.io