From 607befd663c38445fd1dc53b36dfd34649604898 Mon Sep 17 00:00:00 2001 From: MBorne Date: Tue, 23 Jul 2024 13:24:35 +0200 Subject: [PATCH] docs(nginx): update template values --- nginx-ingress-controller/helm/values.dist.yml | 294 ++++++++++++++---- 1 file changed, 232 insertions(+), 62 deletions(-) diff --git a/nginx-ingress-controller/helm/values.dist.yml b/nginx-ingress-controller/helm/values.dist.yml index 72be6c4..61ec165 100644 --- a/nginx-ingress-controller/helm/values.dist.yml +++ b/nginx-ingress-controller/helm/values.dist.yml @@ -1,4 +1,4 @@ -# Copyright VMware, Inc. +# Copyright Broadcom, Inc. All Rights Reserved. # SPDX-License-Identifier: APACHE-2.0 ## @section Global parameters @@ -16,7 +16,15 @@ global: ## - myRegistryKeySecretName ## imagePullSecrets: [] - + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: auto ## @section Common parameters ## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) 
@@ -43,14 +51,13 @@ extraDeploy: [] ## @param clusterDomain Kubernetes cluster domain name ## clusterDomain: cluster.local - ## @section Nginx Ingress Controller parameters ## Bitnami NGINX Ingress controller image version ## ref: https://hub.docker.com/r/bitnami/nginx-ingress-controller/tags/ -## @param image.registry Nginx Ingress Controller image registry -## @param image.repository Nginx Ingress Controller image repository -## @param image.tag Nginx Ingress Controller image tag (immutable tags are recommended) +## @param image.registry [default: REGISTRY_NAME] Nginx Ingress Controller image registry +## @param image.repository [default: REPOSITORY_NAME/nginx-ingress-controller] Nginx Ingress Controller image repository +## @skip image.tag Nginx Ingress Controller image tag (immutable tags are recommended) ## @param image.digest Nginx Ingress Controller image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag ## @param image.pullPolicy Nginx Ingress Controller image pull policy ## @param image.pullSecrets Specify docker-registry secret names as an array @@ -58,11 +65,11 @@ clusterDomain: cluster.local image: registry: docker.io repository: bitnami/nginx-ingress-controller - tag: 1.9.3-debian-11-r0 + tag: 1.11.1-debian-12-r0 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images ## pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
@@ -73,12 +80,25 @@ image: ## - myRegistryKeySecretName ## pullSecrets: [] -## @param containerPorts [object] Controller container ports to open +## @param containerPorts.http Nginx Ingress Controller HTTP port +## @param containerPorts.https Nginx Ingress Controller HTTPS port +## @param containerPorts.defaultServer Nginx Ingress Controller default server port +## @param containerPorts.metrics Nginx Ingress Controller metrics port +## @param containerPorts.profiler Nginx Ingress Controller profiler port +## @param containerPorts.status Nginx Ingress Controller status port +## @param containerPorts.stream Nginx Ingress Controller stream port ## containerPorts: - http: 80 - https: 443 + http: 8080 + https: 8443 + defaultServer: 8181 metrics: 10254 + profiler: 10245 + status: 10246 + stream: 10247 +## @param automountServiceAccountToken Mount Service Account token in pod +## +automountServiceAccountToken: true ## @param hostAliases Deployment pod host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## @@ -102,6 +122,9 @@ defaultBackendService: "" ## @param electionID Election ID to use for status update ## electionID: ingress-controller-leader +## @param allowSnippetAnnotations Allow users to set snippet annotations +## +allowSnippetAnnotations: false ## @param reportNodeInternalIp If using `hostNetwork=true`, setting `reportNodeInternalIp=true`, will pass the flag `report-node-internal-ip-address` to Nginx Ingress Controller ## Bare-metal considerations via the host network ## ref: https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network @@ -205,7 +228,6 @@ extraEnvVarsCM: "" ## @param extraEnvVarsSecret Name of a existing Secret containing extra environment variables ## extraEnvVarsSecret: "" - ## @section Nginx Ingress deployment / daemonset parameters ## @param kind Install as Deployment or DaemonSet 
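Review bot: The default container ports move from 80/443 to 8080/8443 (a behaviour change the subject line `docs(nginx): update template values` does not announce), yet `containerSecurityContext.capabilities.add: ["NET_BIND_SERVICE"]` further down in the patch is kept as context; with unprivileged defaults that capability is only needed when a user overrides the ports below 1024, so it should either be dropped or its comment should say why it stays. Whether any `service` targetPort or probe still refers to the old numbers is outside this patch and cannot be checked here. I would add above `containerPorts:` the comment `## Unprivileged ports (>1024) so the controller runs without CAP_NET_BIND_SERVICE; only keep containerSecurityContext.capabilities.add if you set these below 1024`.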
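Review bot: `allowSnippetAnnotations: false` is a security-relevant default whose one-line description does not say what it protects against; a reader flipping it should know that snippet annotations let any Ingress author inject raw nginx configuration into the shared controller. I would extend the comment to `## @param allowSnippetAnnotations Allow users to set snippet annotations (they inject raw nginx configuration from Ingress objects; keep disabled unless every Ingress author is trusted)`. How the flag reaches the controller arguments is in the template, which this patch does not show.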
@@ -235,51 +257,67 @@ revisionHistoryLimit: 10 ## Controller pods' Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param podSecurityContext.enabled Enable Controller pods' Security Context +## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy +## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface +## @param podSecurityContext.supplementalGroups Set filesystem extra groups ## @param podSecurityContext.fsGroup Group ID for the container filesystem ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## Controller containers' Security Context (only main container) ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param containerSecurityContext.enabled Enable Controller containers' Security Context ## @param containerSecurityContext.allowPrivilegeEscalation Switch to allow priviledge escalation on the Controller container +## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param containerSecurityContext.runAsUser User ID for the Controller container +## @param containerSecurityContext.runAsGroup Group ID for the Controller container +## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem ## @param containerSecurityContext.capabilities.drop [array] Linux Kernel capabilities that should be dropped ## @param containerSecurityContext.capabilities.add [array] Linux Kernel capabilities that should be added ## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot +## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile ## containerSecurityContext: enabled: true - allowPrivilegeEscalation: 
true + allowPrivilegeEscalation: false + seLinuxOptions: null runAsUser: 1001 + runAsGroup: 1001 + readOnlyRootFilesystem: true capabilities: drop: ["ALL"] add: ["NET_BIND_SERVICE"] runAsNonRoot: true + seccompProfile: + type: "RuntimeDefault" ## @param minReadySeconds How many seconds a pod needs to be ready before killing the next, during update ## minReadySeconds: 0 ## Controller containers' resource requests and limits -## ref: https://kubernetes.io/docs/user-guide/compute-resources +## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. -## @param resources.limits The resources limits for the Controller container -## @param resources.requests The requested resources for the Controller container +## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). +## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## -resources: - ## Example: - ## limits: - ## cpu: 250m - ## memory: 256Mi - limits: {} - ## Examples: - ## requests: - ## cpu: 250m - ## memory: 256Mi - requests: {} +resourcesPreset: "nano" +## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) +## Example: +## resources: +## requests: +## cpu: 2 +## memory: 512Mi +## limits: +## cpu: 3 +## memory: 1024Mi +## +resources: {} ## Controller containers' liveness probe. Evaluated as a template. 
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes ## @param livenessProbe.enabled Enable livenessProbe @@ -407,7 +445,7 @@ nodeAffinityPreset: ## affinity: {} ## @param nodeSelector Node labels for pod assignment. Evaluated as a template. -## ref: https://kubernetes.io/docs/user-guide/node-selection/ +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param tolerations Tolerations for pod assignment. Evaluated as a template. @@ -464,7 +502,6 @@ topologySpreadConstraints: [] ## podSecurityPolicy: enabled: false - ## @section Default backend parameters ## Default 404 backend 
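Review bot: `readOnlyRootFilesystem: true` on the controller container only works if every path nginx writes at runtime (temp, cache and log directories) is backed by a writable volume, and this patch does not show the deployment template that would mount them, so this default needs confirming against the template before it ships. The same applies to the defaultBackend hunk at `@@ -527,41 +567,62 @@`. The paragraph kept above `resourcesPreset` still tells the reader to `uncomment the following lines, adjust them as necessary, and remove the curly braces after 'resources:'`, which no longer matches the new `resourcesPreset: "nano"` plus `resources: {}` layout; I would replace it with `## Set resourcesPreset for a quick default, or resources for explicit requests/limits (resources takes precedence).`. Since `"nano"` is the smallest preset for a component in the data path, the comment should also say that production deployments are expected to set `resources`.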
@@ -473,15 +510,18 @@ defaultBackend: ## @param defaultBackend.enabled Enable a default backend based on NGINX ## enabled: true + ## @param defaultBackend.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: true ## @param defaultBackend.hostAliases Add deployment host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## hostAliases: [] ## Bitnami NGINX image ## ref: https://hub.docker.com/r/bitnami/nginx/tags/ - ## @param defaultBackend.image.registry Default backend image registry - ## @param defaultBackend.image.repository Default backend image repository - ## @param defaultBackend.image.tag Default backend image tag (immutable tags are recommended) + ## @param defaultBackend.image.registry [default: REGISTRY_NAME] Default backend image registry + ## @param defaultBackend.image.repository [default: REPOSITORY_NAME/nginx] Default backend image repository + ## @skip defaultBackend.image.tag Default backend image tag (immutable tags are recommended) ## @param defaultBackend.image.digest Default backend image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag ## @param defaultBackend.image.pullPolicy Image pull policy ## @param defaultBackend.image.pullSecrets Specify docker-registry secret names as an array @@ -489,11 +529,11 @@ defaultBackend: image: registry: docker.io repository: bitnami/nginx - tag: 1.25.2-debian-11-r47 + tag: 1.27.0-debian-12-r3 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' - ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images ## pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
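Review bot: `defaultBackend.automountServiceAccountToken: true` mounts a service-account token into the default backend pod, which as far as this values file shows only answers 404/health requests and has no reason to call the API server; unless the template gives it an API role, `false` is the safer default (the controller keeps `true` at the top level, which it needs to watch Ingress objects). I would set `automountServiceAccountToken: false` here and note `## The default backend does not call the Kubernetes API, so no token is mounted by default`. The defaultBackend mapping starts before this hunk.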
@@ -527,41 +567,62 @@ defaultBackend: ## Default backend pods' Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param defaultBackend.podSecurityContext.enabled Enable Default backend pods' Security Context + ## @param defaultBackend.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param defaultBackend.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param defaultBackend.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param defaultBackend.podSecurityContext.fsGroup Group ID for the container filesystem ## podSecurityContext: enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] fsGroup: 1001 ## Default backend containers' Security Context (only main container) ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param defaultBackend.containerSecurityContext.enabled Enable Default backend containers' Security Context + ## @param defaultBackend.containerSecurityContext.capabilities.drop [array] Linux Kernel capabilities that should be dropped + ## @param defaultBackend.containerSecurityContext.allowPrivilegeEscalation Switch to allow priviledge escalation on the container + ## @param defaultBackend.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param defaultBackend.containerSecurityContext.runAsUser User ID for the Default backend container + ## @param defaultBackend.containerSecurityContext.runAsGroup Group ID for the Default backend container + ## @param defaultBackend.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem ## @param defaultBackend.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param 
defaultBackend.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile ## containerSecurityContext: enabled: true + allowPrivilegeEscalation: false + seLinuxOptions: null runAsUser: 1001 + runAsGroup: 1001 + readOnlyRootFilesystem: true + capabilities: + drop: ["ALL"] runAsNonRoot: true + seccompProfile: + type: "RuntimeDefault" ## Default backend containers' resource requests and limits - ## ref: https://kubernetes.io/docs/user-guide/compute-resources + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. - ## @param defaultBackend.resources.limits The resources limits for the Default backend container - ## @param defaultBackend.resources.requests The requested resources for the Default backend container + ## @param defaultBackend.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if defaultBackend.resources is set (defaultBackend.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 ## - resources: - ## Example: - ## limits: - ## cpu: 250m - ## memory: 256Mi - limits: {} - ## Examples: - ## requests: - ## cpu: 250m - ## memory: 256Mi - requests: {} + resourcesPreset: "nano" + ## @param defaultBackend.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} ## Default backend containers' liveness probe. Evaluated as a template. ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes ## @param defaultBackend.livenessProbe.enabled Enable livenessProbe @@ -726,7 +787,7 @@ defaultBackend: ## affinity: {} ## @param defaultBackend.nodeSelector Node labels for pod assignment - ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ## nodeSelector: {} ## @param defaultBackend.tolerations Tolerations for pod assignment 
@@ -746,20 +807,74 @@ defaultBackend: ## @param defaultBackend.service.annotations Annotations for the default backend service ## annotations: {} + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param defaultBackend.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param defaultBackend.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param defaultBackend.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param defaultBackend.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param defaultBackend.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param defaultBackend.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param defaultBackend.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: 
{} ## Default backend Pod Disruption Budget configuration ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ ## pdb: ## @param defaultBackend.pdb.create Enable/disable a Pod Disruption Budget creation for Default backend ## - create: false + create: true ## @param defaultBackend.pdb.minAvailable Minimum number/percentage of Default backend pods that should remain scheduled ## - minAvailable: 1 - ## @param defaultBackend.pdb.maxUnavailable Maximum number/percentage of Default backend pods that may be made unavailable + minAvailable: "" + ## @param defaultBackend.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `defaultBackend.pdb.minAvailable` and `defaultBackend.pdb.maxUnavailable` are empty. ## maxUnavailable: "" - ## @section Traffic exposure parameters ## Service parameters @@ -798,7 +913,7 @@ service: ## clusterIP: "" ## @param service.externalIPs Controller Service external IP addresses - ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips ## externalIPs: [] ## @param service.ipFamilyPolicy Controller Service ipFamilyPolicy (optional, cloud specific) @@ -812,7 +927,7 @@ service: ## ipFamilies: [] ## @param service.loadBalancerIP Kubernetes LoadBalancerIP to request for Controller (optional, cloud specific) - ## ref: https://kubernetes.io/docs/user-guide/services/#type-loadbalancer + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer ## loadBalancerIP: "" ## @param service.loadBalancerSourceRanges List of IP CIDRs allowed access to load balancer (if supported) 
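Review bot: The description of `defaultBackend.networkPolicy.extraEgress` reads `Add extra ingress rules to the NetworkPolicy`, a copy of the extraIngress line; it should say `Add extra egress rules to the NetworkPolicy`. The same slip is in the top-level `networkPolicy.extraEgress` at `@@ -841,7 +956,64 @@`. The examples under both `extraIngress` and `extraEgress` are also not valid NetworkPolicy YAML: `podSelector` and `matchLabels` are mappings, so the `- podSelector: - matchLabels: - role: frontend` form should become `- podSelector:` with `matchLabels:` nested beneath it and `role: frontend` beneath that (and `matchExpressions` is a list under the map, not a list item). With `allowExternal: true` and `allowExternalEgress: true` the comments themselves say the pod accepts any source and reaches any destination, so a sentence stating that both must be false before the namespace/pod label selectors restrict anything would save readers from assuming the policy is already tight.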
@@ -841,7 +956,64 @@ service: ## timeoutSeconds: 300 ## sessionAffinityConfig: {} - +## Network Policies +## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ +## +networkPolicy: + ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) + ## + kubeAPIServerPorts: [443, 6443, 8443] + ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + 
ingressNSPodMatchLabels: {} ## @section RBAC parameters ## Pods Service Account @@ -860,7 +1032,7 @@ serviceAccount: annotations: {} ## @param serviceAccount.automountServiceAccountToken Automount service account token for the server service account ## - automountServiceAccountToken: true + automountServiceAccountToken: false ## Role Based Access ## Ref: https://kubernetes.io/docs/admin/authorization/rbac/ ## @@ -888,11 +1060,11 @@ rbac: pdb: ## @param pdb.create Enable/disable a Pod Disruption Budget creation for Controller ## - create: false + create: true ## @param pdb.minAvailable Minimum number/percentage of Controller pods that should remain scheduled ## - minAvailable: 1 - ## @param pdb.maxUnavailable Maximum number/percentage of Controller pods that may be made unavailable + minAvailable: "" + ## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty. ## maxUnavailable: "" ## Controller Autoscaling configuration @@ -908,7 +1080,6 @@ autoscaling: maxReplicas: 11 targetCPU: "" targetMemory: "" - ## @section Metrics parameters ## Prometheus exporter parameters @@ -981,7 +1152,6 @@ metrics: ## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels ## honorLabels: false - ## @param metrics.prometheusRule.enabled Create PrometheusRules resource for scraping metrics using PrometheusOperator ## @param metrics.prometheusRule.additionalLabels Used to pass Labels that are required by the Installed Prometheus Operator ## @param metrics.prometheusRule.namespace Namespace which Prometheus is running in
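Review bot: `networkPolicy.kubeAPIServerPorts: [443, 6443, 8443]` asks the user to `limit to your cluster settings to increase security`, but with `allowExternalEgress: true` directly above it the pod may already reach any destination and port, so the list presumably only takes effect once allowExternalEgress is false — the template, not shown here, would confirm that. I would say so in the comment: `## Only enforced when allowExternalEgress is false; then limit it to the port(s) your kube-apiserver actually listens on`. The extraEgress description and the podSelector examples in this hunk have the same defects as the defaultBackend.networkPolicy hunk.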
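Review bot: `serviceAccount.automountServiceAccountToken: false` is the right hardening for the ServiceAccount, but it is overridden for the controller pod by the new top-level `automountServiceAccountToken: true` (hunk `@@ -73,12 +80,25 @@`), because the pod-level field takes precedence over the ServiceAccount setting; a reader who only sees this line may believe the controller runs without a token. I would add `## The controller pod sets automountServiceAccountToken: true at pod level, which takes precedence; this value only matters for pods that use the service account without that field`. Whether other workloads bind this ServiceAccount is not visible from the values file.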