home-cluster-ops/kubernetes/templates/apps/ingress-nginx/release.yaml

apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
spec:
  interval: 1h
  driftDetection:
    mode: enabled
  chart:
    spec:
      chart: ingress-nginx
      version: 4.10.1
      sourceRef:
        kind: HelmRepository
        namespace: ingress-nginx
        name: ingress-nginx
      interval: 1h
  values:
    rbac:
      create: true

    controller:
      priorityClassName: system-cluster-critical

      extraArgs:
        update-status-on-shutdown: "false"

      podLabels:
        rpi5.cluster.policy/egress-kubeapi: "true"
        rpi5.cluster.policy/egress-namespace: "true"
        rpi5.cluster.policy/egress-world-with-lan: "true"
        rpi5.cluster.policy/ingress-nodes: "true"
        rpi5.cluster.policy/ingress-prometheus: "true"
        rpi5.cluster.policy/ingress-world: "true"

      allowSnippetAnnotations: true

      maxmindLicenseKey: ${geoip_license_key}

      config:
        proxy-buffer-size: 16k
        use-gzip: ${use_gzip:=true}
        enable-brotli: ${enable_brotli:=true}
        hsts-max-age: ${hsts_max_age:=31536000}
        hsts-preload: ${hsts_preload:=true}
        disable-ipv6: ${disable_ipv6:=true}
        disable-ipv6-dns: ${disable_ipv6_dns:=true}
        keep-alive-requests: ${keep_alive_requests:=1000}
        use-geoip2: ${use_geoip2:=true}
        custom-http-errors: 401,403,404,500,501,502,503,504

      extraEnvs:
        - name: TZ
          value: Australia/Sydney

      addHeaders:
        Referrer-Policy: same-origin, strict-origin-when-cross-origin
        X-Content-Type-Options: nosniff
        X-Frame-Options: SAMEORIGIN
        X-XSS-Protection: 1; mode=block

      ingressClassResource:
        default: true

      service:
        externalTrafficPolicy: Local
        loadBalancerIP: ${load_balancer_ip}
        ipFamilyPolicy: SingleStack

      metrics:
        enabled: ${metrics_enabled:=false}
#        serviceMonitor:
#          enabled: ${metrics_enabled:=false}
#          scrapeInterval: 1m

      admissionWebhooks:
        labels:
          rpi5.cluster.policy/egress-kubeapi: "true"
        patch:
          labels:
            rpi5.cluster.policy/egress-kubeapi: "true"

    defaultBackend:
      enabled: true
      image:
        repository: ghcr.io/tarampampam/error-pages
        tag: 2.27.0@sha256:40e2631173b1a407c18fe7d1ba8104d995cf9e4780d123eeadfa1d57c68eaf4f
        pullPolicy: IfNotPresent
      extraEnvs:
        - name: TEMPLATE_NAME
          value: connection
        - name: SHOW_DETAILS
          value: "true"
        - name: READ_BUFFER_SIZE
          value: "8192"
      podLabels:
        rpi5.cluster.policy/ingress-namespace: "true"