Support all nginx configmap settings #26

Merged
merged 5 commits into from
Feb 10, 2020
Changes from 3 commits
7 changes: 7 additions & 0 deletions CHANGELOG.md
Expand Up @@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
and this project's packages adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).

## [v1.4.0] 2020-02-11

### Changed

- Support overriding all nginx configmap settings. ([#26](https://github.com/giantswarm/nginx-ingress-controller-app/pull/26))

## [v1.3.0] 2020-01-30

### Changed
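
Review bot: The v1.4.0 entry under `### Changed` lists only "Support overriding all nginx configmap settings", but the same change moves `configmap.ingress-class`, `configmap.annotations-prefix`, `configmap.default-ssl-certificate` and the `configmap.hpa-*` keys under `controller.*` and bumps `appVersion` to v0.28.0. Anyone carrying overrides on the old keys has to rename them, so list the renamed keys and the dropped `global.controller.useProxyProtocol` in this entry.
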
Expand Down Expand Up @@ -42,6 +48,7 @@ and this project's packages adheres to [Semantic Versioning](http://semver.org/s

Previous versions changelog can be found [here](https://github.com/giantswarm/kubernetes-nginx-ingress-controller/blob/master/CHANGELOG.md)

[v1.4.0]: https://github.com/giantswarm/nginx-ingress-controller-app/releases/tag/v1.4.0
[v1.3.0]: https://github.com/giantswarm/nginx-ingress-controller-app/releases/tag/v1.3.0
[v1.2.1]: https://github.com/giantswarm/nginx-ingress-controller-app/releases/tag/v1.2.1
[v1.2.0]: https://github.com/giantswarm/nginx-ingress-controller-app/releases/tag/v1.2.0
2 changes: 1 addition & 1 deletion helm/nginx-ingress-controller-app/Chart.yaml
@@ -1,5 +1,5 @@
apiVersion: v1
appVersion: v0.27.1
appVersion: v0.28.0

Author: This was missed in 1.3.0; I've added a note in values.yaml for the tag, to also change appVersion when changing the tag.

description: A Helm chart for the nginx ingress-controller
home: https://github.com/giantswarm/nginx-ingress-controller-app
name: nginx-ingress-controller-app
31 changes: 24 additions & 7 deletions helm/nginx-ingress-controller-app/Configuration.md
Expand Up @@ -2,17 +2,34 @@

This chart installs nginx-ingress-controller and its dependencies as managed applications. An Ingress Controller is a daemon, deployed as a Kubernetes Pod, that watches the apiserver's /ingresses endpoint for updates to the Ingress resource. Its job is to satisfy requests for Ingresses.


## Configuration

The following table lists the configurable parameters of the nginx-ingress-controller chart, its dependencies and default values.

Parameter | Description | Default
--- | --- | ---
`baseDomain` | Cluster base domain. Dynamically calculated during cluster creation. Manual change doesn't affect this value | 'aws'
`provider` | Provider identifier (`aws`/`azure`/`kvm`) | 'kvm'
`configmap.ingress-class` | Ingress class, which controller processes | `nginx`
`configmap.ssl-protocols` | SSL supported protocols | ''
`controller.service.enabled` | If true, create service | `true`
`baseDomain` | Cluster base domain. Dynamically calculated during cluster creation. Manual change doesn't affect this value | 'uun5a.k8s.ginger.eu-central-1.aws.gigantic.io'
`clusterID` | Cluster ID. Dynamically calculated during cluster creation. Manual change doesn't affect this value | 'uun5a'
`configmap` | Sets the nginx configmap configuration overrides. | See official docs for nginx [configmap configuration options](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#configuration-options) and their defaults. Built-in overrides are covered below.
`configmap.error-log-level` | Configures the logging level of errors. | "error"
`configmap.hsts` | Enables or disables the HTTP Strict Transport Security (HSTS) header in servers running SSL. | "false"
`configmap.server-name-hash-bucket-size` | Sets the size of the bucket for the server names hash tables. | "1024"
`configmap.server-tokens` | Controlls whether to send NGINX Server header in responses and display NGINX version in error pages. | "false"
`configmap.worker-processes` | Sets the number of worker processes. | "4"
`configmap.use-forwarded-headers` | If true, NGINX passes the incoming `X-Forwarded-*` headers to upstreams. | "true"
`controller.annotationsPrefix` | Prefix of the Ingress annotations specific to the NGINX controller. | `nginx.ingress.kubernetes.io`
`controller.autoscaling.enabled` | Enables or disables Horizontal Pod Autoscaler (HPA) for NGINX Ingress Controller Deployment. | `false`
`controller.autoscaling.minReplicas` | Configures HPA min replicas. | `1`
`controller.autoscaling.maxReplicas` | Configures HPA max replicas. | `20`
`controller.autoscaling.targetCPUUtilizationPercentage` | Configures HPA target CPU utilization percentage. | `50`
`controller.autoscaling.targetMemoryUtilizationPercentage` | Configures HPA target memory utilization percentage. | `50`
`controller.defaultSSLCertificate` | The Secret referred to by this flag contains the default certificate to be used when accessing the catch-all server. If this flag is not provided NGINX will use a self-signed certificate. Example value: "default/foo-tls" | ""
`controller.ingressController.legacy` | Legacy or node pools cluster. On aws provider node pool clusters LoadBalancer service gets created. Dynamically calculated during cluster creation. | `false`
`controller.ingressController.replicas` | Number of NGINX Ingress Controller Deployment replicas. Dynamically calculated during cluster creation. | `3`
`controller.ingressClass` | Ingress class, which controller processes | `nginx`
`controller.metrics.enabled` | If true, create metrics Service for prometheus-operator support. | `false`
`controller.metrics.port` | Configures container metrics port to be exposed. | `10254`
`controller.metrics.service.servicePort` | Configures metrics Service port. | `9913`
`controller.service.enabled` | If true, create NodePort service. Applies only to legacy clusters. | `true`
`controller.service.type` | Applies only to `provider=aws` (`external`/`internal`) | `external`

`provider` | Provider identifier (`aws`/`azure`/`kvm`) | `kvm`
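
Review bot: The rows `controller.ingressController.legacy` and `controller.ingressController.replicas` document a path the chart does not read: the deployment template uses `.Values.ingressController.legacy` and values.yaml keeps `ingressController:` at the top level, so an override written from this table has no effect. Rename the rows to `ingressController.legacy` and `ingressController.replicas`. Two smaller points in the same table: "Controlls" in the `configmap.server-tokens` row should be "Controls", and the `configmap.use-forwarded-headers` row should say that "true" is only appropriate when a trusted proxy in front of the controller sets the `X-Forwarded-*` headers, since they are otherwise client-supplied.
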
65 changes: 1 addition & 64 deletions helm/nginx-ingress-controller-app/templates/configmap.yaml
Expand Up @@ -7,67 +7,4 @@ metadata:
giantswarm.io/service-type: "managed"
k8s-addon: ingress-nginx.addons.k8s.io
data:

disable-access-log: "{{ index .Values.configmap "disable-access-log" }}"
{{- if index .Values.configmap "enable-underscores-in-headers" }}
enable-underscores-in-headers: "{{ index .Values.configmap "enable-underscores-in-headers" }}"
{{- end }}
enable-vts-status: "{{ index .Values.configmap "enable-vts-status" }}"
error-log-level: "{{ index .Values.configmap "error-log-level" }}"

{{- if index .Values.configmap "http2-max-field-size" }}
http2-max-field-size: "{{ index .Values.configmap "http2-max-field-size" }}"
{{- end }}

# Disables setting a 'Strict-Transport-Security' header, which can be harmful.
# See https://github.com/kubernetes/ingress-nginx/issues/549#issuecomment-291894246
hsts: "{{ .Values.configmap.hsts }}"

{{- if index .Values.configmap "http-snippet" }}
http-snippet: |
{{- range ((index .Values.configmap "http-snippet") | trimAll "\n " | split "\n") }}
{{ . }}
{{- end }}
{{- end }}

{{- if index .Values.configmap "large-client-header-buffers" }}
large-client-header-buffers: "{{ index .Values.configmap "large-client-header-buffers" }}"
{{- end }}

{{- if index .Values.configmap "log-format-upstream" }}
log-format-upstream: "{{ index .Values.configmap "log-format-upstream" }}"
{{- end }}

{{- if index .Values.configmap "proxy-buffers-size" }}
proxy-buffers-size: "{{ index .Values.configmap "proxy-buffers-size" }}"
{{- end }}

{{- if index .Values.configmap "proxy-buffers" }}
proxy-buffers: "{{ index .Values.configmap "proxy-buffers" }}"
{{- end }}

{{- if index .Values.configmap "use-forwarded-headers" }}
use-forwarded-headers: "{{ index .Values.configmap "use-forwarded-headers" }}"
{{- end }}

# Increase hash table size to allow more server names for stability reasons
server-name-hash-bucket-size: "{{ index .Values.configmap "server-name-hash-bucket-size" }}"
server-name-hash-max-size: "{{ index .Values.configmap "server-name-hash-max-size" }}"
server-tokens: "{{ index .Values.configmap "server-tokens" }}"
worker-processes: "{{ index .Values.configmap "worker-processes" }}"

{{- if index .Values.configmap "use-proxy-protocol" }}
# Allow user to override value.
use-proxy-protocol: "{{ index .Values.configmap "use-proxy-protocol" }}"
{{- else }}
# Global is used as this key is used by the migration logic.
use-proxy-protocol: "{{ .Values.global.controller.useProxyProtocol }}"
{{- end }}

{{- if index .Values.configmap "vts-default-filter-key" }}
vts-default-filter-key: "{{ index .Values.configmap "vts-default-filter-key" }}"
{{- end }}

{{- if index .Values.configmap "ssl-protocols" }}
ssl-protocols: "{{ index .Values.configmap "ssl-protocols" }}"
{{- end }}
{{- toYaml .Values.configmap | trim | nindent 2 }}
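
Review bot: The single `{{- toYaml .Values.configmap | trim | nindent 2 }}` line drops the quoting that every removed line applied, so an unquoted override such as `worker-processes: 4` or `hsts: false` now renders as a YAML number or boolean under `data:`, and ConfigMap data values must be strings. Either document that all `configmap.*` values must be quoted, or render with a `range` over `.Values.configmap` and pipe each value through `quote`. The removed `use-proxy-protocol` fallback to `.Values.global.controller.useProxyProtocol` was marked as used by the migration logic; confirm nothing still sets that global before dropping it.
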
Expand Up @@ -51,13 +51,13 @@ spec:
args:
- /nginx-ingress-controller
- --configmap=$(POD_NAMESPACE)/{{ .Values.controller.configmap.name }}
- --annotations-prefix={{ index .Values.configmap "annotations-prefix" }}
{{- if index .Values.configmap "default-ssl-certificate" }}
- --default-ssl-certificate={{ index .Values.configmap "default-ssl-certificate" }}
- --annotations-prefix={{ .Values.controller.annotationsPrefix }}
{{- if .Values.controller.defaultSSLCertificate }}
- --default-ssl-certificate={{ .Values.controller.defaultSSLCertificate }}
{{- end}}
- --enable-ssl-chain-completion=false
- --enable-dynamic-certificates=true
- --ingress-class={{ index .Values.configmap "ingress-class" }}
- --ingress-class={{ .Values.controller.ingressClass }}
{{- if not .Values.ingressController.legacy }}
- --publish-service={{ .Release.Namespace }}/{{ .Values.controller.name }}
{{- end }}
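
Review bot: An existing override on `configmap.ingress-class`, `configmap.annotations-prefix` or `configmap.default-ssl-certificate` is silently ignored by these three args now that they read `.Values.controller.*`, and the stale key instead lands in the nginx ConfigMap through `toYaml` with no error at install time. Consider a guard in the templates that calls `fail` when `.Values.configmap` still contains one of the moved keys, so a stale `default-ssl-certificate` override does not quietly fall back to the self-signed certificate.
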
14 changes: 9 additions & 5 deletions helm/nginx-ingress-controller-app/templates/controller-hpa.yaml
@@ -1,4 +1,4 @@
{{- if (index .Values.configmap "hpa-enabled") eq "true" }}
{{- if .Values.controller.autoscaling.enabled }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
Expand All @@ -13,15 +13,19 @@ spec:
apiVersion: apps/v1
kind: Deployment
name: {{ .Values.controller.name }}
minReplicas: {{ index .Values.configmap "hpa-min-replicas" }}
maxReplicas: {{ index .Values.configmap "hpa-max-replicas" }}
minReplicas: {{ .Values.controller.autoscaling.minReplicas }}
maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }}
metrics:
{{- with .Values.controller.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ index .Values.configmap "hpa-target-cpu-utilization-percentage" }}
targetAverageUtilization: {{ . }}
{{- end }}
{{- with .Values.controller.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
targetAverageUtilization: {{ index .Values.configmap "hpa-target-memory-utilization-percentage" }}
targetAverageUtilization: {{ . }}
{{- end }}
{{- end }}
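
Review bot: `metrics:` can render with no entries: both resource blocks are now wrapped in `with`, so if `targetCPUUtilizationPercentage` and `targetMemoryUtilizationPercentage` are both set to empty values while `controller.autoscaling.enabled` is true, neither block is emitted. Wrap the `metrics:` key in a check that at least one target is set, or `fail` with a clear message, so the rendered HorizontalPodAutoscaler always states what it scales on.
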
2 changes: 1 addition & 1 deletion helm/nginx-ingress-controller-app/templates/rbac.yaml
Expand Up @@ -120,7 +120,7 @@ rules:
# Here: "<ingress-controller-leader>-<nginx>"
# This has to be adapted if you change either parameter
# when launching the nginx-ingress-controller.
- "ingress-controller-leader-{{ index .Values.configmap "ingress-class" }}"
- "ingress-controller-leader-{{ .Values.controller.ingressClass }}"
verbs:
- get
- update
58 changes: 19 additions & 39 deletions helm/nginx-ingress-controller-app/values.yaml
Expand Up @@ -2,8 +2,6 @@
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

namespace: kube-system

# baseDomain is a dynamic value, it comes from the cluster values configmap
# applies only to Giant Swarm clusters
baseDomain: uun5a.k8s.ginger.eu-central-1.aws.gigantic.io
Expand All @@ -19,44 +17,18 @@ ingressController:
legacy: false
replicas: 3

# configmap contains settings that can be overridden with a custom values
# configmap.

Author: All of the settings in values.yaml can be overridden with a custom values configmap.

.Values.configmap is now purely for nginx configmap config options. Everything else that doesn't actually belong here moved under a different configuration key. Settings which were under configmap just to support overriding but weren't actually overriding upstream defaults were removed since that is no longer needed. Similarly, configmap entries which have the same value as the upstream default, so not overriding it, were removed. Existing actual overrides were kept. Settings no longer supported upstream were cleaned up.

# for all the nginx configmap config options see https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#configmaps
configmap:
disable-access-log: "false"

Author: Same as upstream default, so dropped it not to create noise.

enable-vts-status: "true"

Author: This was dropped ages ago kubernetes/ingress-nginx#2643

error-log-level: "error"
# Disables setting a 'Strict-Transport-Security' header, which can be harmful.
# See https://github.com/kubernetes/ingress-nginx/issues/549#issuecomment-291894246
hsts: "false"
# Increase hash table size to allow more server names for stability reasons
server-name-hash-bucket-size: "1024"
server-name-hash-max-size: "1024"

Author: Same as upstream default, so dropped it not to create noise.

server-tokens: "false"
worker-processes: "4"
use-forwarded-headers: "true"

# optional settings that can be set.

Author: This is no longer needed, since all configmap settings can be overridden with custom values, no need to add explicit support for each of them.

enable-underscores-in-headers: ""
http-snippet: ""
http2-max-field-size: ""
large-client-header-buffers: ""
log-format-upstream: ""
proxy-buffers-size: ""
proxy-buffers: ""
use-proxy-protocol: ""
vts-default-filter-key: ""
# Enable the specified protocols (cf. http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols for the list of valid protocols)
ssl-protocols: ""

# optional hpa settings

Author: This doesn't belong here, it was moved under controller.autoscaling configuration key, like in upstream stable chart.

hpa-enabled: false
hpa-min-replicas: 2
hpa-max-replicas: 11
hpa-target-cpu-utilization-percentage: 50
hpa-target-memory-utilization-percentage: 50

# command args options

Author: These do not belong here as they are not nginx configmap config options, they were moved under controller config key.

annotations-prefix: nginx.ingress.kubernetes.io
default-ssl-certificate: ""
ingress-class: nginx

controller:
name: nginx-ingress-controller
k8sAppLabel: nginx-ingress-controller
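
Review bot: In the kept `configmap:` defaults, `use-forwarded-headers: "true"` has no explanatory comment, unlike `hsts` and `server-name-hash-bucket-size` next to it. Since it makes NGINX pass incoming `X-Forwarded-*` headers to upstreams, add a comment saying which load balancer setup this default assumes, so operators who expose the controller directly know to override it.
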
Expand All @@ -68,6 +40,7 @@ controller:

image:
repository: giantswarm/nginx-ingress-controller
# when updating tag make sure to also keep appVersion in Chart.yaml in sync

Contributor: <3

tag: 0.28.0

rbac:
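
Review bot: The new comment above `tag: 0.28.0` relies on people remembering to edit Chart.yaml, which is how `appVersion` was missed in 1.3.0. A CI check that compares the image `tag` with `appVersion` in Chart.yaml (allowing for the `v` prefix) would catch the drift automatically.
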
Expand Down Expand Up @@ -100,19 +73,26 @@ controller:
cpu: 500m
memory: 600Mi

# optional hpa settings
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 20
targetCPUUtilizationPercentage: 50
targetMemoryUtilizationPercentage: 50

# command args options
annotationsPrefix: nginx.ingress.kubernetes.io
defaultSSLCertificate: ""
ingressClass: nginx

# www-data -> uid 101
userID: 101
groupID: 101

image:
registry: quay.io

global:

Author: With exception of useProxyProtocol, these weren't used anywhere, dropped them. Dropped also useProxyProtocol since it can be overridden with use-proxy-protocol configmap, and upstream defaults to false so no need to explicitly set it in configmap either.

controller:
tempReplicas: 2
useProxyProtocol: false
migration:
enabled: false

test:
image:
registry: quay.io
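
Review bot: The new `autoscaling:` defaults differ from the ones they replace: `minReplicas` goes from `hpa-min-replicas: 2` to `1` and `maxReplicas` from `hpa-max-replicas: 11` to `20`. If that is intended, say so in the CHANGELOG; otherwise keep 2 and 11, since a floor of one replica lets the autoscaler shrink the ingress controller to a single pod.
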