home-cluster-ops/kubernetes/infrastructure/ingress-nginx/app/release.yaml

apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
spec:
  interval: 1h
  driftDetection:
    mode: enabled
  chart:
    spec:
      chart: ingress-nginx
      version: 4.10.1
      sourceRef:
        kind: HelmRepository
        namespace: ingress-nginx
        name: ingress-nginx
      interval: 1h
  values:
    rbac:
      create: true

    controller:
      priorityClassName: system-cluster-critical

      extraArgs:
        update-status-on-shutdown: "false"
        tcp-services-configmap: "ingress-nginx/tcp-services"
        udp-services-configmap: "ingress-nginx/udp-services"

      podLabels:
        rpi5.cluster.policy/egress-kubeapi: "true"
        rpi5.cluster.policy/egress-namespace: "true"
        rpi5.cluster.policy/egress-world-with-lan: "true"
        rpi5.cluster.policy/ingress-nodes: "true"
        rpi5.cluster.policy/ingress-prometheus: "true"
        rpi5.cluster.policy/ingress-world: "true"

      allowSnippetAnnotations: true

#      maxmindLicenseKey: ${geoip_license_key}

      config:
        proxy-buffer-size: 16k
        use-gzip: ${use_gzip:=true}
        enable-brotli: ${enable_brotli:=true}
        hsts-max-age: ${hsts_max_age:=31536000}
        hsts-preload: ${hsts_preload:=true}
        disable-ipv6: ${disable_ipv6:=false}
        disable-ipv6-dns: ${disable_ipv6_dns:=false}
        keep-alive-requests: ${keep_alive_requests:=1000}
        use-geoip2: ${use_geoip2:=true}
        custom-http-errors: 401,403,404,500,501,502,503,504

      extraEnvs:
        - name: TZ
          value: Australia/Sydney

      addHeaders:
        Referrer-Policy: same-origin, strict-origin-when-cross-origin
        X-Content-Type-Options: nosniff
        X-Frame-Options: SAMEORIGIN
        X-XSS-Protection: 1; mode=block

      ingressClassResource:
        default: true

      service:
        externalTrafficPolicy: Cluster
        ipFamilyPolicy: SingleStack

      metrics:
        enabled: ${metrics_enabled:=false}
#        serviceMonitor:
#          enabled: ${metrics_enabled:=false}
#          scrapeInterval: 1m

      admissionWebhooks:
        labels:
          rpi5.cluster.policy/egress-kubeapi: "true"
        patch:
          labels:
            rpi5.cluster.policy/egress-kubeapi: "true"

      spec:
        template:
          spec:
            containers:
              volumeMounts:
                - mountPath: /etc/nginx/template
                  name: nginx-template-volume
                  readOnly: true
            volumes:
              - name: nginx-template-volume
                hostPath:
                  path: /mnt/nfs/AppData/ingress-nginx/etc/nginx/template
                  type: Directory

    defaultBackend:
      enabled: true
      image:
        repository: ghcr.io/tarampampam/error-pages
        tag: 2.27.0@sha256:40e2631173b1a407c18fe7d1ba8104d995cf9e4780d123eeadfa1d57c68eaf4f
        pullPolicy: IfNotPresent
      extraEnvs:
        - name: TEMPLATE_NAME
          value: connection
        - name: SHOW_DETAILS
          value: "true"
        - name: READ_BUFFER_SIZE
          value: "8192"
      podLabels:
        rpi5.cluster.policy/ingress-namespace: "true"