--- # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: name: ingress-nginx namespace: networking spec: interval: 30m chart: spec: chart: ingress-nginx version: 4.7.2 sourceRef: kind: HelmRepository name: ingress-nginx namespace: flux-system maxHistory: 2 install: createNamespace: true remediation: retries: 3 upgrade: cleanupOnFail: true remediation: retries: 3 uninstall: keepHistory: false values: controller: replicaCount: 2 service: type: LoadBalancer loadBalancerIP: "${CLUSTER_LB_NGINX}" externalTrafficPolicy: Local publishService: enabled: true ingressClassResource: default: true config: client-body-buffer-size: "100M" client-body-timeout: 120 client-header-timeout: 120 custom-http-errors: 400,401,403,404,500,502,503,504 enable-brotli: "true" enable-real-ip: "true" hsts-max-age: "31449600" keep-alive-requests: 10000 keep-alive: 120 proxy-body-size: "100M" proxy-buffering: "off" proxy-read-timeout: "6000" proxy-send-timeout: "6000" # proxy-buffer-size: "16k" ssl-protocols: "TLSv1.3 TLSv1.2" use-forwarded-headers: "true" # crowdsec bouncer # plugins: "crowdsec" # lua-shared-dicts: "crowdsec_cache: 50m" metrics: enabled: true serviceMonitor: enabled: true namespace: default namespaceSelector: any: true extraArgs: default-ssl-certificate: |- networking/${SECRET_CLUSTER_DOMAIN/./-}-tls topologySpreadConstraints: - maxSkew: 1 topologyKey: kubernetes.io/hostname whenUnsatisfiable: DoNotSchedule labelSelector: matchLabels: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/component: controller # crowdsec bouncer # extraVolumes: # - name: crowdsec-bouncer-plugin # emptyDir: {} # extraInitContainers: # - name: init-clone-crowdsec-bouncer # image: crowdsecurity/lua-bouncer-plugin # tag: v0.1.11 # imagePullPolicy: IfNotPresent # env: # - name: API_URL # value: "http://crowdsec-service.crowdsec.svc.cluster.local:8080" # - name: API_KEY # value: "${SECRET_CROWDSEC_NGINX_BOUNCER_API_KEY}" # - name: DISABLE_RUN # value: "true" # - name: BOUNCER_CONFIG # value: "/crowdsec/crowdsec-bouncer.conf" # command: # - "/bin/sh" # - "-c" # - | # #!/bin/sh # sh /docker_start.sh # mkdir -p /lua_plugins/crowdsec/ # cp -pr /crowdsec/* /lua_plugins/crowdsec/ # volumeMounts: # - name: crowdsec-bouncer-plugin # mountPath: /lua_plugins # extraVolumeMounts: # - name: crowdsec-bouncer-plugin # mountPath: /etc/nginx/lua/plugins/crowdsec # subPath: crowdsec # resources: # requests: # memory: 400Mi # cpu: 25m # limits: # memory: 1Gi defaultBackend: enabled: true image: repository: ghcr.io/tarampampam/error-pages tag: 2.25.0 extraEnvs: - name: TEMPLATE_NAME value: l7-light - name: SHOW_DETAILS value: "true" affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: - weight: 100 podAffinityTerm: labelSelector: matchExpressions: - key: app.kubernetes.io/name operator: In values: ["ingress-nginx"] - key: app.kubernetes.io/component operator: In values: ["default-backend"] topologyKey: kubernetes.io/hostname