Chart: Implement Giant Swarm changes.

charts/ingress-nginx/templates/_helpers.tpl

@@ -136,6 +136,8 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/part-of: {{ template "ingress-nginx.name" . }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
+giantswarm.io/service-type: managed
+application.giantswarm.io/team: {{ index .Chart.Annotations "application.giantswarm.io/team" | quote }}
 {{- if .Values.commonLabels}}
 {{ toYaml .Values.commonLabels }}
 {{- end }}

charts/ingress-nginx/templates/controller-configmap.yaml

@@ -28,3 +28,6 @@ data:
 {{- range $key, $value := .Values.controller.config }}
   {{- $key | nindent 2 }}: {{ tpl (toString $value) $ | quote }}
 {{- end }}
+{{- if and (or (eq .Values.provider "aws") (eq .Values.provider "capa")) (not (index .Values.controller.config "use-proxy-protocol")) }}
+  use-proxy-protocol: "true"
+{{- end }}

charts/ingress-nginx/templates/controller-service-internal.yaml

@@ -1,11 +1,30 @@
-{{- if and .Values.controller.service.enabled .Values.controller.service.internal.enabled .Values.controller.service.internal.annotations -}}
+{{- if and .Values.controller.service.enabled .Values.controller.service.internal.enabled -}}
 apiVersion: v1
 kind: Service
 metadata:
   annotations:
   {{- range $key, $value := .Values.controller.service.internal.annotations }}
     {{ $key }}: {{ tpl ($value | toString) $ | quote }}
   {{- end }}
+  {{- if and .Values.controller.service.externalDNS.enabled .Values.baseDomain }}
+    external-dns.alpha.kubernetes.io/hostname: "{{ .Values.controller.service.internal.subdomain }}.{{ .Values.baseDomain }}"
+    {{- if .Values.controller.service.externalDNS.annotation }}
+    {{ .Values.controller.service.externalDNS.annotation }}
+    {{- end }}
+  {{- end }}
+  {{- if eq .Values.controller.service.type "LoadBalancer" }}
+  {{- if or (eq .Values.provider "aws") (eq .Values.provider "capa") }}
+    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
+    {{- if ne (index .Values.controller.config "use-proxy-protocol") "false" }}
+    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
+    {{- end }}
+    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
+  {{- else if or (eq .Values.provider "azure") (eq .Values.provider "capz") }}
+    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
+  {{- else if eq .Values.provider "cloud-director" }}
+    service.beta.kubernetes.io/vcloud-avi-ssl-no-termination: "true"
+  {{- end }}
+  {{- end }}
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: controller

charts/ingress-nginx/templates/controller-service.yaml

@@ -6,6 +6,29 @@ metadata:
   {{- range $key, $value := .Values.controller.service.annotations }}
     {{ $key }}: {{ tpl ($value | toString) $ | quote }}
   {{- end }}
+  {{- if and .Values.controller.service.externalDNS.enabled .Values.baseDomain }}
+    external-dns.alpha.kubernetes.io/hostname: "{{ .Values.controller.service.subdomain }}.{{ .Values.baseDomain }}"
+    {{- if .Values.controller.service.externalDNS.annotation }}
+    {{ .Values.controller.service.externalDNS.annotation }}
+    {{- end }}
+  {{- end }}
+  {{- if eq .Values.controller.service.type "LoadBalancer" }}
+  {{- if or (eq .Values.provider "aws") (eq .Values.provider "capa") }}
+    {{- if not .Values.controller.service.public }}
+    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
+    {{- end }}
+    {{- if ne (index .Values.controller.config "use-proxy-protocol") "false" }}
+    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
+    {{- end }}
+    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
+  {{- else if or (eq .Values.provider "azure") (eq .Values.provider "capz") }}
+    {{- if not .Values.controller.service.public }}
+    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
+    {{- end }}
+  {{- else if eq .Values.provider "cloud-director" }}
+    service.beta.kubernetes.io/vcloud-avi-ssl-no-termination: "true"
+  {{- end }}
+  {{- end }}
   labels:
     {{- include "ingress-nginx.labels" . | nindent 4 }}
     app.kubernetes.io/component: controller

charts/ingress-nginx/values.yaml

@@ -5,7 +5,7 @@
 global:
   image:
     # -- Registry host to pull images from.
-    registry: registry.k8s.io
+    registry: gsoci.azurecr.io
 ## Overrides for generated resource names
 # See templates/_helpers.tpl
 # nameOverride:
@@ -26,13 +26,13 @@ controller:
     ## Keep false as default for now!
     chroot: false
     # registry: registry.k8s.io
-    image: ingress-nginx/controller
+    image: giantswarm/ingress-nginx-controller
     ## for backwards compatibility consider setting the full image url via the repository value below
     ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
     ## repository:
     tag: "v1.12.0"
-    digest: sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa
-    digestChroot: sha256:87c88e1c38a6c8d4483c8f70b69e2cca49853bb3ec3124b9b1be648edf139af3
+    digest: ""
+    digestChroot: ""
     pullPolicy: IfNotPresent
     runAsNonRoot: true
     # -- This value must not be changed using the official image.
@@ -53,7 +53,10 @@ controller:
     https: 443
   # -- Global configuration passed to the ConfigMap consumed by the controller. Values may contain Helm templates.
   # Ref.: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/
-  config: {}
+  config:
+    # -- Enable HSTS or not. Disabled by default due to possible serious consequences.
+    # Ref: https://github.com/kubernetes/ingress-nginx/issues/549
+    hsts: "false"
   # -- Annotations to be added to the controller config configuration configmap.
   configAnnotations: {}
   # -- Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers
@@ -116,7 +119,7 @@ controller:
   # NetworkPolicy for controller component.
   networkPolicy:
     # -- Enable 'networkPolicy' or not
-    enabled: false
+    enabled: true
   # -- Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader'
   electionID: ""
   # -- This section refers to the creation of the IngressClass resource.
@@ -302,27 +305,27 @@ controller:
   # -- Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in.
   ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
   ##
-  topologySpreadConstraints: []
-  # - labelSelector:
-  #     matchLabels:
-  #       app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
-  #       app.kubernetes.io/instance: '{{ .Release.Name }}'
-  #       app.kubernetes.io/component: controller
-  #   matchLabelKeys:
-  #   - pod-template-hash
-  #   topologyKey: topology.kubernetes.io/zone
-  #   maxSkew: 1
-  #   whenUnsatisfiable: ScheduleAnyway
-  # - labelSelector:
-  #     matchLabels:
-  #       app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
-  #       app.kubernetes.io/instance: '{{ .Release.Name }}'
-  #       app.kubernetes.io/component: controller
-  #   matchLabelKeys:
-  #   - pod-template-hash
-  #   topologyKey: kubernetes.io/hostname
-  #   maxSkew: 1
-  #   whenUnsatisfiable: ScheduleAnyway
+  topologySpreadConstraints:
+    - labelSelector:
+        matchLabels:
+          app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
+          app.kubernetes.io/instance: '{{ .Release.Name }}'
+          app.kubernetes.io/component: controller
+      matchLabelKeys:
+      - pod-template-hash
+      topologyKey: topology.kubernetes.io/zone
+      maxSkew: 1
+      whenUnsatisfiable: ScheduleAnyway
+    - labelSelector:
+        matchLabels:
+          app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
+          app.kubernetes.io/instance: '{{ .Release.Name }}'
+          app.kubernetes.io/component: controller
+      matchLabelKeys:
+      - pod-template-hash
+      topologyKey: kubernetes.io/hostname
+      maxSkew: 1
+      whenUnsatisfiable: ScheduleAnyway
 
   # -- `terminationGracePeriodSeconds` to avoid killing pods before we are ready
   ## wait up to five minutes for the drain of connections
@@ -379,12 +382,12 @@ controller:
   # -- Annotations to be added to controller pods
   ##
   podAnnotations: {}
-  replicaCount: 1
+  replicaCount: 2
   # -- Minimum available pods set in PodDisruptionBudget.
   # Define either 'minAvailable' or 'maxUnavailable', never both.
-  minAvailable: 1
+  # minAvailable: 1
   # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
-  # maxUnavailable: 1
+  maxUnavailable: "25%"
   # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
   # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
   unhealthyPodEvictionPolicy: ""
@@ -397,16 +400,16 @@ controller:
     ##    cpu: 100m
     ##    memory: 90Mi
     requests:
-      cpu: 100m
-      memory: 90Mi
+      cpu: 250m
+      memory: 500Mi
   # Mutually exclusive with keda autoscaling
   autoscaling:
-    enabled: false
+    enabled: true
     annotations: {}
-    minReplicas: 1
-    maxReplicas: 11
-    targetCPUUtilizationPercentage: 50
-    targetMemoryUtilizationPercentage: 50
+    minReplicas: 2
+    maxReplicas: 20
+    targetCPUUtilizationPercentage: 80
+    targetMemoryUtilizationPercentage: 80
     behavior: {}
     # scaleDown:
     #   stabilizationWindowSeconds: 300
@@ -490,6 +493,15 @@ controller:
     annotations: {}
     # -- Labels to be added to both controller services.
     labels: {}
+    externalDNS:
+      # -- Add ExternalDNS annotations or not.
+      enabled: true
+      # -- Annotation used so assign the external controller service to a specific ExternalDNS instance.
+      annotation: "giantswarm.io/external-dns: managed"
+    # -- Defines the sub-domain prepended to the base domain in the FQDN of the external controller service reconciled by ExternalDNS.
+    subdomain: ingress
+    # -- Makes the external controller service public or not. Adds annotations for making it internal if disabled.
+    public: true
     # -- Type of the external controller service.
     # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
     type: LoadBalancer
@@ -518,7 +530,7 @@ controller:
 
     # -- External traffic policy of the external controller service. Set to "Local" to preserve source IP on providers supporting it.
     # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
-    externalTrafficPolicy: ""
+    externalTrafficPolicy: Local
     # -- Session affinity of the external controller service. Must be either "None" or "ClientIP" if set. Defaults to "None".
     # Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity
     sessionAffinity: ""
@@ -573,6 +585,8 @@ controller:
       # -- Annotations to be added to the internal controller service. Mandatory for the internal controller service to be created. Varies with the cloud service.
       # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
       annotations: {}
+      # -- Defines the sub-domain prepended to the base domain in the FQDN of the internal controller service reconciled by ExternalDNS.
+      subdomain: ingress-internal
       # -- Type of the internal controller service.
       # Defaults to the value of `controller.service.type`.
       # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
@@ -602,7 +616,7 @@ controller:
 
       # -- External traffic policy of the internal controller service. Set to "Local" to preserve source IP on providers supporting it.
       # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
-      externalTrafficPolicy: ""
+      externalTrafficPolicy: Local
       # -- Session affinity of the internal controller service. Must be either "None" or "ClientIP" if set. Defaults to "None".
       # Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity
       sessionAffinity: ""
@@ -800,12 +814,12 @@ controller:
       enabled: true
       image:
         # registry: registry.k8s.io
-        image: ingress-nginx/kube-webhook-certgen
+        image: giantswarm/ingress-nginx-kube-webhook-certgen
         ## for backwards compatibility consider setting the full image url via the repository value below
         ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
         ## repository:
         tag: v1.5.0
-        digest: sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
+        digest: ""
         pullPolicy: IfNotPresent
       # -- Provide a priority class name to the webhook patching job
       ##
@@ -814,7 +828,7 @@ controller:
       # NetworkPolicy for webhook patch
       networkPolicy:
         # -- Enable 'networkPolicy' or not
-        enabled: false
+        enabled: true
       nodeSelector:
         kubernetes.io/os: linux
       tolerations: []
@@ -851,7 +865,7 @@ controller:
     port: 10254
     portName: metrics
     # if this port is changed, change healthz-port: in extraArgs: accordingly
-    enabled: false
+    enabled: true
     service:
       # -- Enable the metrics service or not.
       enabled: true
@@ -873,7 +887,7 @@ controller:
       # externalTrafficPolicy: ""
       # nodePort: ""
     serviceMonitor:
-      enabled: false
+      enabled: true
       additionalLabels: {}
       # -- Annotations to be added to the ServiceMonitor.
       annotations: {}
@@ -888,8 +902,20 @@ controller:
       scrapeInterval: 30s
       # honorLabels: true
       targetLabels: []
-      relabelings: []
-      metricRelabelings: []
+      relabelings:
+      - sourceLabels:
+        - __meta_kubernetes_pod_label_app
+        action: replace
+        targetLabel: app
+      - sourceLabels:
+        - __meta_kubernetes_pod_node_name
+        action: replace
+        targetLabel: node
+      metricRelabelings:
+      - sourceLabels:
+        - __name__
+        regex: nginx_ingress_controller_(bytes_sent_bucket|request_size_bucket|response_duration_seconds_bucket|response_size_bucket|request_duration_seconds_count|connect_duration_seconds_bucket|header_duration_seconds_bucket|bytes_sent_count|request_duration_seconds_sum|bytes_sent_sum|request_size_count|response_size_count|response_duration_seconds_sum|response_duration_seconds_count|ingress_upstream_latency_seconds|ingress_upstream_latency_seconds_sum|ingress_upstream_latency_seconds_count)
+        action: drop
       # -- Per-scrape limit on number of labels that will be accepted for a sample.
       labelLimit: 0
       # -- Per-scrape limit on length of labels name that will be accepted for a sample.
@@ -969,7 +995,7 @@ defaultBackend:
   name: defaultbackend
   image:
     # registry: registry.k8s.io
-    image: defaultbackend-amd64
+    image: giantswarm/defaultbackend
     ## for backwards compatibility consider setting the full image url via the repository value below
     ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
     ## repository:
@@ -1159,7 +1185,7 @@ defaultBackend:
   # NetworkPolicy for default backend component.
   networkPolicy:
     # -- Enable 'networkPolicy' or not
-    enabled: false
+    enabled: true
   service:
     annotations: {}
     # clusterIP: ""
@@ -1213,3 +1239,13 @@ portNamePrefix: ""
 # This can be generated with: `openssl dhparam 4096 2> /dev/null | base64`
 ## Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param
 dhParam: ""
+
+# Below are configuration values that you should not overwrite or set yourself.
+
+# -- Domain of the service's FQDN.
+# This value is set automatically. Do not overwrite it.
+baseDomain: ""
+
+# -- Provider the cluster is running on.
+# This value is set automatically. Do not overwrite it.
+provider: aws