IngressNginxController

Scope: Cluster

  • spec
    object

    Required value

    • spec.acceptRequestsFrom
      array of strings

      List of networks in IPv4 CIDR format that are allowed to access the Ingress controller. Each entry must carry an explicit prefix length (/0 to /32); a bare address or an IPv6 entry is rejected by the pattern below.

      Regardless of the inlet type, the address that is checked is always the original IP address the connection is established from (the original_address field in logs), never the client address that some inlets can obtain from headers (behindL7Proxy) or from the proxy protocol.

      This parameter is implemented using the nginx map module. If the original address is not in the list, nginx closes the connection without sending a response; the access log records nginx's non-standard status code 444.

      By default, the controller can be connected to from any address.

      • Element of the array
        string

        Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$

    • spec.additionalHeaders
      object

      Additional headers to add to all requests. Use the key: value(string) format.

    • spec.additionalLogFields
      object

      Additional fields to add to nginx logs. Use the key: value(string) format.

    • spec.annotationValidationEnabled
      boolean

      Enables validation for Ingress rule annotations.

      Default: false

    • spec.chaosMonkey
      boolean

      Randomly and unexpectedly terminates Ingress controller Pods in a systemic manner (Chaos Monkey).

      Intended for testing the fault tolerance of the Ingress controller.

      Default: false

    • spec.config
      object

      Section of the Ingress controller parameters where you can add any supported option in the key: value(string) format.

      An error in options may lead to the failure of the Ingress controller.

      Be careful when using this parameter, as backward compatibility or stability of the target Ingress controller are not guaranteed.

    • spec.controllerLogLevel
      string

      Defines the verbosity level for the Ingress controller logs.

      Default: "Info"

      Allowed values:

      • Error: Only critical errors will be logged.
      • Warn: Warnings and errors will be logged.
      • Info: Informational messages, including basic debugging information.
      • Extended: Extended information about changes in system state.
      • Debug: Verbose debugging output, potentially very noisy.
      • Trace: Trace-level logs with detailed step-by-step context.

    • spec.controllerPodsAdditionalAnnotations
      object

      Additional custom annotations for Ingress controller pods.

      Be careful when using this parameter, as backward compatibility or stability of the target Ingress controller are not guaranteed.

    • spec.controllerVersion
      string

      NGINX Ingress Controller version.

      By default, the version set in the module settings is used.

      Allowed values: 1.9, 1.10, 1.12

    • spec.customErrors
      object

      Section with parameters for HTTP error customization.

      If this section is defined in the configuration, all its parameters are required.

      Changing any parameter causes the restart of all NGINX Ingress Controllers.

      • spec.customErrors.codes
        array of strings

        Required value

        List of response codes (array) causing redirection to the custom backend.

        • Element of the array
          string

          Pattern: ^[1-5][0-9][0-9]$

      • spec.customErrors.namespace
        string

        Required value

        Name of a namespace keeping the service used as a default custom backend.

        Example:

        namespace: default
        
      • spec.customErrors.serviceName
        string

        Required value

        Name of a service to be used as a default custom backend.

        Example:

        serviceName: custom-errors-backend-service
        
    • spec.defaultSSLCertificate
      object

      The certificate that is used:

      • For catch-all server requests (here, “catch-all server” refers to the nginx server directive; requests without a corresponding Ingress resource end up on the catch-all server).
      • For Ingress resources that do not have a secretName specified in the tls section.

      By default, a self-signed certificate is used.

      Caution. This parameter does not affect certificates used in the Ingress resources of the Deckhouse modules. To specify the certificate to use in the Ingress resources of Deckhouse modules, use the global parameter modules.https.customCertificate.

      • spec.defaultSSLCertificate.secretRef
        object

        Link to the Secret for passing to the Ingress controller.

        • spec.defaultSSLCertificate.secretRef.name
          string

          Name of Secret containing the SSL certificate.

          Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

        • spec.defaultSSLCertificate.secretRef.namespace
          string

          Name of the namespace containing the Secret with the SSL certificate.

          Default: "d8-ingress-nginx"

          Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$

    • spec.disableHTTP2
      boolean

      Disables HTTP/2 support.

      Default: false

    • spec.enableHTTP3
      boolean

      Enables HTTP/3 support.

      HTTP/3 is only available in Ingress controller version 1.10. HTTP/3 runs over QUIC, that is over UDP, so the HTTPS port must also be reachable over UDP (not only TCP) through the inlet and any firewall in front of it.

      Default: false

    • spec.enableIstioSidecar
      boolean

      Attaches annotations to the controller pods to automatically inject Istio sidecar containers.

      After setting this parameter, the sidecar.istio.io/inject: "true" and traffic.sidecar.istio.io/includeOutboundIPRanges: "<Service CIDR>" annotations will be attached to the Ingress controller pods. When these pods are created, Istio sidecars will be automatically added to them via a mutating webhook. After that, the sidecar will intercept all traffic directed to the Service CIDR.

      To use this feature, add the following annotations to your Ingress resources:

      • nginx.ingress.kubernetes.io/service-upstream: "true": Using this annotation, the Ingress controller sends requests to a service ClusterIP (from Service CIDR) instead of sending them to the application pods. The istio-proxy sidecar only intercepts traffic directed to Service CIDR, while the remaining requests are sent directly.
      • nginx.ingress.kubernetes.io/upstream-vhost: myservice.myns.svc: Using this annotation, the sidecar can identify the application service that serves requests.

      Caution. This parameter cannot be enabled if the Ingress controller inlet is set to HostWithFailover.

    • spec.geoIP2
      object

      GeoIP2 activation options.

      • spec.geoIP2.maxmindEditionIDs
        array of strings

        List of database editions (MaxMind edition IDs) to download at startup.

        For details on GeoLite databases, refer to the MaxMind blog article.

        Default: ["GeoLite2-City","GeoLite2-ASN"]

        • Element of the array
          string

          Allowed values: GeoIP2-Anonymous-IP, GeoIP2-Country, GeoIP2-City, GeoIP2-Connection-Type, GeoIP2-Domain, GeoIP2-ISP, GeoIP2-ASN, GeoLite2-ASN, GeoLite2-Country, GeoLite2-City

      • spec.geoIP2.maxmindLicenseKey
        string

        License key to download the GeoIP2 database.

        If the key is set in the configuration, the module downloads the GeoIP2 database every time the controller is started. For details on obtaining a key, refer to the MaxMind blog article.

    • spec.hostPort
      object

      Section of the HostPort inlet parameters.

      • spec.hostPort.behindL7Proxy
        boolean

        Enables processing and passing of the incoming X-Forwarded-* headers.

        Caution. Before using this option, ensure that requests to the Ingress come from trusted sources only: once it is enabled, a client that reaches the controller directly can forge X-Forwarded-For (or the header named in realIPHeader) and have the request logged and handled as coming from an address of its choosing. To set restrictions, use the acceptRequestsFrom parameter.

      • spec.hostPort.httpPort
        integer

        Port for insecure HTTP connections.

        If the parameter is not set, HTTP connections cannot be established.

        This parameter is required if httpsPort is not set.

        Example:

        httpPort: 80
        
      • spec.hostPort.httpsPort
        integer

        Port for secure HTTPS connections.

        If the parameter is not set, HTTPS connections cannot be established.

        This parameter is required if httpPort is not set.

        Example:

        httpsPort: 443
        
      • spec.hostPort.realIPHeader
        string

        The header for identifying the original IP address of a client.

        This option works only if behindL7Proxy is enabled.

        Default: "X-Forwarded-For"

        Example:

        realIPHeader: CF-Connecting-IP
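
      The interaction between acceptRequestsFrom and the behindL7Proxy and realIPHeader options (the same caution applies to loadBalancer.behindL7Proxy), shown as an added example that is not part of this reference or of the module's code. It assumes that the first entry of a comma-separated X-Forwarded-For chain is the client (nginx's actual choice depends on its realip module settings); the connection records and the 10.0.0.0/24 proxy network are constructed for illustration.

```python
"""Emulation of how acceptRequestsFrom interacts with behindL7Proxy and
realIPHeader.  Added example, not the module's or nginx's code; the
connection records below are constructed, not captured traffic."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# nginx's non-standard status code: close the connection and send nothing.
NGINX_CLOSE = 444


def allowed_by_accept_requests_from(allowlist: List[str], original_address: str) -> bool:
    """acceptRequestsFrom check.  Only the address the TCP connection was
    established from (original_address in the logs) is consulted; a
    header-supplied client address is never used.  Empty list = allow all."""
    if not allowlist:
        return True
    src = ipaddress.ip_address(original_address)
    return any(src in ipaddress.ip_network(cidr, strict=False) for cidr in allowlist)


def attributed_client(original_address: str, headers: Dict[str, str],
                      behind_l7_proxy: bool, real_ip_header: str = "X-Forwarded-For") -> str:
    """Address the controller attributes the request to.  The realIPHeader
    value is trusted only when behindL7Proxy is enabled.  Assumption made
    here: the first entry of a comma-separated chain is the client; the
    exact choice in nginx depends on its realip module settings."""
    if behind_l7_proxy:
        value = headers.get(real_ip_header)
        if value:
            return value.split(",")[0].strip()
    return original_address


def handle(conn: Dict, allowlist: List[str], behind_l7_proxy: bool,
           real_ip_header: str = "X-Forwarded-For") -> Tuple[int, Optional[str]]:
    """Returns (status, attributed client address) for one connection record.
    The allowlist is evaluated first, on the connecting address."""
    if not allowed_by_accept_requests_from(allowlist, conn["original_address"]):
        return NGINX_CLOSE, None
    client = attributed_client(conn["original_address"], conn.get("headers", {}),
                               behind_l7_proxy, real_ip_header)
    return 200, client


# Constructed connection records (not captured traffic).
FROM_TRUSTED_PROXY = {
    "original_address": "10.0.0.5",                      # the L7 proxy itself
    "headers": {"X-Forwarded-For": "203.0.113.7, 10.0.0.5"},
}
DIRECT_SPOOF_ATTEMPT = {
    "original_address": "198.51.100.9",                  # bypasses the proxy
    "headers": {"X-Forwarded-For": "10.0.0.1"},          # forged internal address
}
PROXY_NET = ["10.0.0.0/24"]                              # constructed proxy network


def demo() -> Dict[str, Tuple[int, Optional[str]]]:
    """Four configurations side by side."""
    return {
        # behindL7Proxy on, no allowlist: the forged header is believed.
        "l7proxy_unrestricted": handle(DIRECT_SPOOF_ATTEMPT, [], True),
        # behindL7Proxy on, allowlist set: the direct connection gets 444.
        "l7proxy_restricted": handle(DIRECT_SPOOF_ATTEMPT, PROXY_NET, True),
        # Legitimate path: the proxy address passes, the header yields the client.
        "via_proxy": handle(FROM_TRUSTED_PROXY, PROXY_NET, True),
        # behindL7Proxy off: the header is ignored even from the trusted proxy.
        "header_ignored": handle(FROM_TRUSTED_PROXY, PROXY_NET, False),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} -> {result}")
```

      Run it as a script to see the four cases side by side; the first one is the misconfiguration the caution warns about: a client that bypasses the proxy forges the header and the controller attributes its request to an internal address.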
        
    • spec.hostPortWithProxyProtocol
      object

      Section of the HostPortWithProxyProtocol inlet parameters.

      • spec.hostPortWithProxyProtocol.httpPort
        integer

        Port for insecure HTTP connections.

        If the parameter is not set, HTTP connections cannot be established.

        This parameter is required if httpsPort is not set.

        Example:

        httpPort: 80
        
      • spec.hostPortWithProxyProtocol.httpsPort
        integer

        Port for secure HTTPS connections.

        If the parameter is not set, HTTPS connections cannot be established.

        This parameter is required if httpPort is not set.

        Example:

        httpsPort: 443
        
    • spec.hostPortWithSSLPassthrough
      object

      Section of the HostPortWithSSLPassthrough inlet parameters.

      • spec.hostPortWithSSLPassthrough.httpPort
        integer

        Port for insecure HTTP connections.

        If the parameter is not set, HTTP connections cannot be established.

        This parameter is required if httpsPort is not set.

        Example:

        httpPort: 80
        
      • spec.hostPortWithSSLPassthrough.httpsPort
        integer

        Port for secure HTTPS connections.

        If the parameter is not set, HTTPS connections cannot be established.

        This parameter is required if httpPort is not set.

        Example:

        httpsPort: 443
        
    • spec.hsts
      boolean

      Enables HTTP Strict-Transport-Security (HSTS) response headers. For details on HSTS headers, refer to the MDN Web Docs article.

      Default: false

    • spec.hstsOptions
      object

      HSTS parameters.

      • spec.hstsOptions.includeSubDomains
        boolean

        Applies HSTS parameters to all subdomains of a website.

        Default: false

      • spec.hstsOptions.maxAge
        string

        Time in seconds during which the browser remembers that the website is only accessible via HTTPS.

        Default: "31536000"

        Pattern: ^[1-9][0-9]*$

        Example:

        maxAge: '31536000'
        
      • spec.hstsOptions.preload
        boolean

        Adds the preload directive to the HSTS header.

        The directive itself does not put the website on the list: browsers ship a built-in HSTS preload list of domains they connect to over HTTPS only, and inclusion requires submitting the domain separately (hstspreload.org), which in turn requires includeSubDomains and a maxAge of at least one year (31536000). Preloading is hard to undo, so enable it only once every subdomain is served over HTTPS.

        Default: false
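
      The header value that hsts and hstsOptions produce, and a check of the preload-list requirements named above, as an added example that is not part of this reference or of the module's code. The header format follows RFC 6797; the preload requirements are those published by hstspreload.org; the header values used below are constructed.

```python
"""Builds and checks the Strict-Transport-Security header that the hsts and
hstsOptions parameters produce.  Added example, not module code."""
import re
from typing import Dict, List

MAX_AGE_PATTERN = re.compile(r"^[1-9][0-9]*$")   # CRD pattern for hstsOptions.maxAge
ONE_YEAR_SECONDS = 31536000


def hsts_header(include_sub_domains: bool = False, max_age: str = "31536000",
                preload: bool = False) -> str:
    """Header value for the given hstsOptions (defaults as in the reference)."""
    if not MAX_AGE_PATTERN.match(max_age):
        raise ValueError(f"maxAge {max_age!r} does not match ^[1-9][0-9]*$")
    directives = [f"max-age={max_age}"]
    if include_sub_domains:
        directives.append("includeSubDomains")
    if preload:
        directives.append("preload")
    return "; ".join(directives)


def parse_hsts(value: str) -> Dict[str, str]:
    """Parses a received header value into a directive map.  Directive names
    are case-insensitive (RFC 6797), so they are lower-cased here."""
    result: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        result[name.strip().lower()] = val.strip().strip('"')
    return result


def preload_problems(value: str) -> List[str]:
    """Reasons a header would be rejected for the browser preload list:
    max-age of at least one year, includeSubDomains, and the preload token."""
    d = parse_hsts(value)
    problems: List[str] = []
    if "max-age" not in d or not d["max-age"].isdigit() or int(d["max-age"]) < ONE_YEAR_SECONDS:
        problems.append("max-age must be at least 31536000 (one year)")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains is required")
    if "preload" not in d:
        problems.append("the preload directive is required")
    return problems


if __name__ == "__main__":
    for opts in ({}, {"include_sub_domains": True, "max_age": "63072000", "preload": True}):
        header = hsts_header(**opts)
        print(header, "->", preload_problems(header) or "preload-eligible")
```

      preload_problems() can also be pointed at a header copied from a real response to verify what the controller actually sends before submitting a domain.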

    • spec.ingressClass
      string

      Name of the Ingress class to use with the NGINX Ingress Controller.

      Using this option, you can run several controllers in one cluster, each serving its own Ingress class.

      If you set it to nginx, Ingress resources without the kubernetes.io/ingress.class annotation or the spec.ingressClassName field will be handled as well.

      Default: "nginx"

      Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

      Example:

      ingressClass: nginx
      
    • spec.inlet
      string

      Required value

      The way external traffic is routed to the cluster. Once you set the method, you cannot change it later.

      Allowed values:

      • LoadBalancer: The Ingress controller is deployed, and a LoadBalancer-type service is provisioned.
      • LoadBalancerWithProxyProtocol: The Ingress controller is deployed, and a LoadBalancer-type service is provisioned. The Ingress controller uses the proxy-protocol to get a real IP address of the client.
      • LoadBalancerWithSSLPassthrough: The Ingress controller is deployed, and a LoadBalancer-type service is provisioned. This option enables the SSL Passthrough feature, allowing backends to be configured to accept SSL traffic directly without termination at the Ingress controller.

        The SSL Passthrough feature is implemented by intercepting all traffic on the configured HTTPS port (default: 443) and routing it to a local TCP proxy. This implementation bypasses nginx completely and introduces a significant performance penalty.

        The SSL Passthrough protocol leverages Server Name Indication (SNI) and reads the virtual domain data from the TLS handshake, which requires a client that sends SNI.

        If the SNI host name does not match any Ingress configured for SSL Passthrough, the connection is forwarded to NGINX on the configured SSL Passthrough proxy port (default: 442), which subsequently proxies the request to the default backend.

        Unlike HTTP backends, traffic to SSL Passthrough backends is routed to the ClusterIP of the backing service instead of individual endpoints.

        Since SSL Passthrough works at layer 4 of the OSI model (TCP) and not layer 7 (HTTP), using SSL Passthrough makes it impossible to use other annotations configured on an Ingress object.

      • HostPort: The Ingress controller is deployed and made available on node ports via hostPort.
      • HostPortWithProxyProtocol: The Ingress controller is deployed and made available on node ports via hostPort. The Ingress controller uses the proxy-protocol to get a real IP address of the client.

        Caution. When using this inlet, ensure that requests to the Ingress come from trusted sources only. To enforce it, use the acceptRequestsFrom parameter.

      • HostPortWithSSLPassthrough: The Ingress controller is deployed and made available on node ports via hostPort. This option enables the SSL Passthrough feature, allowing backends to be configured to accept SSL traffic directly without termination at the Ingress controller.

        Specify inlet parameters in the spec.hostPortWithSSLPassthrough section.

        The SSL Passthrough protocol leverages SNI and reads the virtual domain data from the TLS handshake, which requires a client that sends SNI.

        If the SNI host name does not match any Ingress configured for SSL Passthrough, the connection is forwarded to NGINX on the configured SSL Passthrough proxy port (default: 442), which subsequently proxies the request to the default backend.

        The SSL Passthrough feature is implemented by intercepting all traffic on the configured HTTPS port (default: 443) and routing it to a local TCP proxy. This implementation bypasses nginx completely and introduces a significant performance penalty.

        Unlike HTTP backends, traffic to SSL Passthrough backends is routed to the ClusterIP of the backing service instead of individual endpoints.

        Since SSL Passthrough works at layer 4 of the OSI model (TCP) and not layer 7 (HTTP), using SSL Passthrough makes it impossible to use other annotations configured on an Ingress object.

      • HostWithFailover: Two Ingress controllers are deployed: a primary and a backup. The primary controller runs in a hostNetwork. If the primary controller pods are unavailable, traffic is routed to the backup controller.

        There can be only one controller with this inlet type on a single host.

        Ensure the following ports are available on the node: 80, 81, 443, 444, 4207, 4208.

        To change the inlet, remove the iptables rules and restart the kube-proxy pods or reboot the nodes hosting Ingress controllers.

        This inlet cannot be used if the enableIstioSidecar parameter is enabled.

      Allowed values: LoadBalancer, LoadBalancerWithSSLPassthrough, LoadBalancerWithProxyProtocol, HostPort, HostPortWithSSLPassthrough, HostPortWithProxyProtocol, HostWithFailover
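
      How the SSL Passthrough inlets can route before any TLS termination, shown as an added example that is not part of this reference or of the controller's passthrough proxy: the host name is read from the plaintext server_name extension of the ClientHello and nothing else of the handshake is inspected. The ClientHello is constructed by build_client_hello(), the mapping of passthrough hosts to Service ClusterIPs is made up, and port 443 on the backend is an assumption; the fallback to nginx on port 442 follows the text above.

```python
"""Minimal SNI extraction from a TLS ClientHello and the layer-4 routing
decision the SSL Passthrough inlets make on it.  Added example for
illustration, not the controller's code; the ClientHello is constructed."""
import struct
from typing import Dict, Optional

TLS_HANDSHAKE, CLIENT_HELLO, EXT_SERVER_NAME, HOST_NAME = 0x16, 0x01, 0x0000, 0x00
PASSTHROUGH_FALLBACK_PORT = 442   # default SSL Passthrough proxy port from the reference


def build_client_hello(server_name: Optional[bytes]) -> bytes:
    """Constructs a TLS record carrying a ClientHello (test input only)."""
    exts = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"   # supported_versions, to be skipped
    if server_name is not None:
        entry = bytes([HOST_NAME]) + struct.pack("!H", len(server_name)) + server_name
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    body = (b"\x03\x03" + b"\x11" * 32                                 # client_version, random
            + b"\x00"                                                 # empty session_id
            + struct.pack("!H", 6) + b"\x13\x01\x13\x02\xc0\x2b"      # cipher_suites
            + b"\x01\x00"                                             # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Returns the host_name from the server_name extension, or None when the
    record is not a ClientHello or carries no SNI (an incompatible client)."""
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                               # skip version and random
        pos += 1 + body[pos]                                       # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]       # cipher_suites
        pos += 1 + body[pos]                                       # compression_methods
        if pos + 2 > len(body):
            return None                                            # no extensions at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != EXT_SERVER_NAME:
                continue
            p = 2                                                  # skip server_name_list length
            while p + 3 <= len(data):
                ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                name = data[p + 3:p + 3 + nlen]
                p += 3 + nlen
                if ntype == HOST_NAME:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None   # truncated or malformed: treated as "no SNI"


def route(record: bytes, passthrough_hosts: Dict[str, str]) -> str:
    """Layer-4 decision: a matching SNI goes to the backend Service ClusterIP
    (port 443 assumed), anything else to nginx on the passthrough proxy port."""
    host = extract_sni(record)
    if host in passthrough_hosts:
        return f"passthrough -> {passthrough_hosts[host]}:443"
    return f"nginx -> 127.0.0.1:{PASSTHROUGH_FALLBACK_PORT}"


# Constructed mapping of passthrough hosts to backend Service ClusterIPs.
PASSTHROUGH = {"vault.example.com": "10.96.12.34"}

if __name__ == "__main__":
    for name in (b"vault.example.com", b"www.example.com", None):
        print(name, "->", route(build_client_hello(name), PASSTHROUGH))
```

      Because only the SNI is read, the backend behind a passthrough Ingress is the one that terminates TLS, validates client certificates and enforces any HTTP-level policy; none of the controller's annotations can act on such a connection.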

    • spec.legacySSL
      boolean

      Enables outdated versions of the TLS protocol and cipher suites.

      Enables the following TLS protocol versions: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3.

      Enables the following cipher suites, in order from the strongest to the weakest: ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES256-SHA, ECDHE-ECDSA-AES128-SHA, ECDHE-RSA-AES128-SHA, AES256-GCM-SHA384, AES128-GCM-SHA256, AES256-SHA256, AES128-SHA256, AES256-SHA, AES128-SHA.

      By default, only TLSv1.2 and TLSv1.3 with the newest cipher suites are enabled.

      Caution. TLSv1 and TLSv1.1 are deprecated (RFC 8996). The suites without the ECDHE- prefix use static RSA key exchange and give no forward secrecy, and the suites ending in -SHA use CBC mode with HMAC-SHA1. Enable this option only for clients that cannot be upgraded, and disable it again once they are gone.
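
      What legacySSL actually opens up, as an added example that is not part of this reference or of the module's code: the suite list above classified by the OpenSSL naming conventions, and a server-preference negotiation showing what an old client ends up with. The list is copied from the reference; the two client offers are constructed, and the "hardened profile" is the forward-secret AEAD subset, not the module's actual default list (which this page does not give).

```python
"""Classifies the cipher suites that legacySSL enables and shows what a
legacy client negotiates under server-side preference order.  Added
example, not module code; the client offers are constructed."""
from typing import Dict, List, Optional, Tuple

LEGACY_SSL_CIPHERS = [
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA",
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA",
    "AES256-GCM-SHA384", "AES128-GCM-SHA256",
    "AES256-SHA256", "AES128-SHA256",
    "AES256-SHA", "AES128-SHA",
]


def classify(suite: str) -> Tuple[str, str]:
    """(key exchange, record protection) read off the OpenSSL name:
    ECDHE- prefix = ephemeral ECDH (forward secrecy), otherwise static RSA;
    -GCM- / CHACHA20-POLY1305 = AEAD; trailing -SHA = CBC with HMAC-SHA1;
    -SHA256 / -SHA384 without GCM = CBC with HMAC-SHA2."""
    kx = "ECDHE" if suite.startswith("ECDHE-") else "RSA"
    if "-GCM-" in suite or "CHACHA20-POLY1305" in suite:
        mode = "AEAD"
    elif suite.endswith("-SHA"):
        mode = "CBC-SHA1"
    else:
        mode = "CBC-SHA2"
    return kx, mode


def summarize(suites: List[str]) -> Dict[str, int]:
    """Count of suites per 'key exchange/record protection' class."""
    counts: Dict[str, int] = {}
    for s in suites:
        label = "/".join(classify(s))
        counts[label] = counts.get(label, 0) + 1
    return counts


def without_forward_secrecy(suites: List[str]) -> List[str]:
    return [s for s in suites if classify(s)[0] == "RSA"]


def modern_only(suites: List[str]) -> List[str]:
    """Forward-secret AEAD suites, the subset a hardened TLS 1.2 profile keeps
    (the module's exact default list is not given on this page)."""
    return [s for s in suites if classify(s) == ("ECDHE", "AEAD")]


def negotiate(server_preference: List[str], client_offer: List[str]) -> Optional[str]:
    """Server-preference selection: the first server suite the client also offers."""
    offered = set(client_offer)
    return next((s for s in server_preference if s in offered), None)


# Constructed client offers (not real handshakes).
MODERN_CLIENT = ["ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]
LEGACY_CLIENT = ["AES128-SHA", "AES256-SHA", "ECDHE-RSA-AES256-SHA"]   # e.g. an old embedded stack

if __name__ == "__main__":
    print(summarize(LEGACY_SSL_CIPHERS))
    print("no forward secrecy:", without_forward_secrecy(LEGACY_SSL_CIPHERS))
    for name, offer in (("modern", MODERN_CLIENT), ("legacy", LEGACY_CLIENT)):
        print(name, "with legacySSL:", negotiate(LEGACY_SSL_CIPHERS, offer),
              "| hardened profile:", negotiate(modern_only(LEGACY_SSL_CIPHERS), offer))
```

      The negotiation shows the practical trade-off: with legacySSL a modern client still lands on a forward-secret AEAD suite because of server preference order, while the legacy client gets a CBC-SHA1 suite instead of a failed handshake.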

    • spec.loadBalancer
      object

      Optional.

      Section of the LoadBalancer inlet parameters.

      • spec.loadBalancer.annotations
        object

        Annotations to assign to the service for flexible configuration of the load balancer.

        The module does not take into account the specifics of setting annotations in different clouds.

        If annotations for provisioning a load balancer are only applied when creating a service, recreate the IngressNginxController resource to update respective parameters (or create a new resource and then delete the old one).

      • spec.loadBalancer.behindL7Proxy
        boolean

        Enables processing and passing of the incoming X-Forwarded-* headers.

        Caution. Before using this option, ensure that requests to the Ingress come from trusted sources only; otherwise a client can forge X-Forwarded-For (or the header named in realIPHeader) and have its request attributed to an address of its choosing. To set restrictions, use the acceptRequestsFrom parameter or sourceRanges.

      • spec.loadBalancer.loadBalancerClass
        string

        Class of the load balancer for incoming network requests (passed to the spec.loadBalancerClass parameter of the provisioned service with the LoadBalancer type).

      • spec.loadBalancer.realIPHeader
        string

        The header for identifying the original IP address of a client.

        This option works only if behindL7Proxy is enabled.

        Default: "X-Forwarded-For"

        Example:

        realIPHeader: CF-Connecting-IP
        
      • spec.loadBalancer.sourceRanges
        array of strings

        List of IP addresses in the CIDR format that are allowed accessing the load balancer.

        Caution. A cloud provider may not support this option or ignore it.

        Providers supporting this option: AWS, Azure, GCP. Providers ignoring this option: Yandex Cloud.

        For other cloud providers, behavior may vary depending on the cloud implementation specifics. Test this option before using it in a production environment.

        • Element of the array
          string

          Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$

    • spec.loadBalancerWithProxyProtocol
      object

      Optional.

      Section of the LoadBalancerWithProxyProtocol inlet parameters.

      • spec.loadBalancerWithProxyProtocol.annotations
        object

        Annotations to assign to the service for flexible configuration of the load balancer.

        The module does not take into account the specifics of setting annotations in different clouds.

        If annotations for provisioning a load balancer are only applied when creating a service, recreate the IngressNginxController resource to update respective parameters (or create a new resource and then delete the old one).

      • spec.loadBalancerWithProxyProtocol.loadBalancerClass
        string

        Class of the load balancer for incoming network requests (passed to the spec.loadBalancerClass parameter of the provisioned service with the LoadBalancer type).

      • spec.loadBalancerWithProxyProtocol.sourceRanges
        array of strings

        List of IP addresses in the CIDR format that are allowed accessing the load balancer.

        Caution. A cloud provider may not support this option or ignore it.

        Providers supporting this option: AWS, Azure, GCP. Providers ignoring this option: Yandex Cloud.

        For other cloud providers, behavior may vary depending on the cloud implementation specifics. Test this option before using it in a production environment.

        • Element of the array
          string

          Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$

    • spec.loadBalancerWithSSLPassthrough
      object

      Optional.

      Section of the LoadBalancerWithSSLPassthrough inlet parameters.

      • spec.loadBalancerWithSSLPassthrough.annotations
        object

        Annotations to assign to the service for flexible configuration of the load balancer.

        The module does not take into account the specifics of setting annotations in different clouds.

        If annotations for provisioning a load balancer are only applied when creating a service, recreate the IngressNginxController resource to update respective parameters (or create a new resource and then delete the old one).

      • spec.loadBalancerWithSSLPassthrough.loadBalancerClass
        string

        Class of the load balancer for incoming network requests (passed to the spec.loadBalancerClass parameter of the provisioned service with the LoadBalancer type).

      • spec.loadBalancerWithSSLPassthrough.sourceRanges
        array of strings

        List of IP addresses in the CIDR format that are allowed accessing the load balancer.

        Caution. A cloud provider may not support this option or ignore it.

        Providers supporting this option: AWS, Azure, GCP. Providers ignoring this option: Yandex Cloud.

        For other cloud providers, behavior may vary depending on the cloud implementation specifics. Test this option before using it in a production environment.

        • Element of the array
          string

          Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$

    • spec.maxReplicas
      integer

      Maximum number of controller replicas for the HPA. Applies to the LoadBalancer, LoadBalancerWithProxyProtocol and LoadBalancerWithSSLPassthrough inlets.

      Default: 1

      Allowed values: 1 <= X

    • spec.minReplicas
      integer

      Minimum number of controller replicas for the HPA. Applies to the LoadBalancer, LoadBalancerWithProxyProtocol and LoadBalancerWithSSLPassthrough inlets.

      Default: 1

      Allowed values: 1 <= X

    • spec.nodeSelector
      object

      Same as the spec.nodeSelector parameter in Kubernetes Pods.

      If the parameter is omitted or set to false, Deckhouse will try to determine the value automatically.

      Use the format of a standard nodeSelector list. Instance pods inherit this field as is.

    • spec.resourcesRequests
      object

      Maximum amount of CPU and memory resources a Pod can request when selecting a node. If the VPA is disabled, these max values become the default ones.

      • spec.resourcesRequests.mode
        string

        Required value

        Resource request management mode.

        Default: "VPA"

        Allowed values: VPA, Static

      • spec.resourcesRequests.static
        object

        Static management mode parameters.

        • spec.resourcesRequests.static.cpu
          string

          Value for CPU requests.

          Default: "350m"

        • spec.resourcesRequests.static.memory
          string

          Value for memory requests.

          Default: "500Mi"

      • spec.resourcesRequests.vpa
        object

        Vertical Pod Autoscaler (VPA) mode parameters.

        • spec.resourcesRequests.vpa.cpu
          object

          Parameters of CPU request restrictions.

          • spec.resourcesRequests.vpa.cpu.max
            string

            Maximum value of allowed CPU requests to be submitted by the VPA.

            Default: "50m"

          • spec.resourcesRequests.vpa.cpu.min
            string

            Minimum value of allowed CPU requests to be submitted by the VPA.

            Default: "10m"

        • spec.resourcesRequests.vpa.memory
          object

          Parameters of memory request restrictions.

          • spec.resourcesRequests.vpa.memory.max
            string

            Maximum value of allowed memory requests to be submitted by the VPA.

            Default: "200Mi"

          • spec.resourcesRequests.vpa.memory.min
            string

            Minimum value of allowed memory requests to be submitted by the VPA.

            Default: "50Mi"

        • spec.resourcesRequests.vpa.mode
          string

          VPA usage mode.

          Default: "Initial"

          Allowed values: Initial, Auto

    • spec.tolerations
      array of objects

      Same as the spec.tolerations parameter in Kubernetes Pods.

      If the parameter is omitted or set to false, all the possible tolerations are automatically applied to the module's Pods.

      Use the format of a standard toleration list. Instance pods inherit this field as is.

      • spec.tolerations.effect
        string

        Allowed values: NoSchedule, PreferNoSchedule, NoExecute

      • spec.tolerations.key
        string

      • spec.tolerations.operator
        string

        Default: "Equal"

        Allowed values: Exists, Equal

      • spec.tolerations.tolerationSeconds
        integer

      • spec.tolerations.value
        string

    • spec.underscoresInHeaders
      boolean

      Enables using the underscore symbol in headers.

      By default, nginx silently drops request headers whose names contain underscores, because some application servers map both X-Foo and X_Foo to the same variable (for example HTTP_X_FOO), which would let a client override a header that the proxy was expected to set. Enable this only for applications that really need such headers.

      Default: false

    • spec.validationEnabled
      boolean

      Enables validation for Ingress rules.

      Default: true

    • spec.waitLoadBalancerOnTerminating
      integer

      Number of seconds before the /healthz endpoint begins returning the 500 code when the pod enters the Terminating state.
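
      A pre-apply check of the cross-field rules this reference states (required inlet, IPv4 CIDR entries with a prefix length, at least one port per HostPort section, enableIstioSidecar versus HostWithFailover, customErrors all-or-nothing, enableHTTP3 only with controller version 1.10, the maxAge pattern, minReplicas at most maxReplicas) together with its security cautions, as an added example that is not Deckhouse code: it lints a Python dict shaped like the CR's spec and does not replace the cluster's own admission validation. The two specs at the bottom are constructed for illustration.

```python
"""Pre-apply linter for an IngressNginxController spec, encoding the
cross-field rules stated in this reference.  Added example, not Deckhouse
code; the specs at the bottom are constructed."""
import re
from typing import Any, Dict, List, Tuple

IPV4_CIDR = re.compile(r"^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}"
                       r"([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])"
                       r"(\/(3[0-2]|[1-2][0-9]|[0-9]))$")          # acceptRequestsFrom / sourceRanges
HTTP_CODE = re.compile(r"^[1-5][0-9][0-9]$")                       # customErrors.codes
MAX_AGE = re.compile(r"^[1-9][0-9]*$")                             # hstsOptions.maxAge
INLETS = {"LoadBalancer", "LoadBalancerWithProxyProtocol", "LoadBalancerWithSSLPassthrough",
          "HostPort", "HostPortWithProxyProtocol", "HostPortWithSSLPassthrough", "HostWithFailover"}
VERSIONS = {"1.9", "1.10", "1.12"}


def lint(spec: Dict[str, Any]) -> Tuple[List[str], List[str]]:
    """Returns (errors, warnings).  Errors are rules the reference states as
    hard constraints; warnings are the security cautions it attaches."""
    errors: List[str] = []
    warnings: List[str] = []
    inlet = spec.get("inlet")
    if inlet not in INLETS:
        errors.append(f"spec.inlet is required and must be one of {sorted(INLETS)}, got {inlet!r}")
    accept = spec.get("acceptRequestsFrom") or []
    for cidr in accept:
        if not IPV4_CIDR.match(str(cidr)):
            errors.append(f"acceptRequestsFrom entry {cidr!r} is not an IPv4 network with a prefix length")
    for section in ("hostPort", "hostPortWithProxyProtocol", "hostPortWithSSLPassthrough"):
        ports = spec.get(section)
        if ports is not None and "httpPort" not in ports and "httpsPort" not in ports:
            errors.append(f"{section}: at least one of httpPort or httpsPort must be set")
    if spec.get("enableIstioSidecar") and inlet == "HostWithFailover":
        errors.append("enableIstioSidecar cannot be enabled with the HostWithFailover inlet")
    custom = spec.get("customErrors")
    if custom is not None:
        for key in ("codes", "namespace", "serviceName"):
            if key not in custom:
                errors.append(f"customErrors.{key} is required once customErrors is set")
        for code in custom.get("codes", []):
            if not HTTP_CODE.match(str(code)):
                errors.append(f"customErrors.codes entry {code!r} is not a 1xx-5xx status code")
    version = spec.get("controllerVersion")
    if version is not None and version not in VERSIONS:
        errors.append(f"controllerVersion {version!r} is not one of {sorted(VERSIONS)}")
    if spec.get("enableHTTP3") and version != "1.10":
        if version is None:
            warnings.append("enableHTTP3 needs controllerVersion 1.10; the module default applies, verify it")
        else:
            errors.append(f"enableHTTP3 is only available with controllerVersion 1.10, got {version}")
    max_age = (spec.get("hstsOptions") or {}).get("maxAge")
    if max_age is not None and not MAX_AGE.match(str(max_age)):
        errors.append(f"hstsOptions.maxAge {max_age!r} must match ^[1-9][0-9]*$")
    lo, hi = spec.get("minReplicas", 1), spec.get("maxReplicas", 1)
    if lo < 1 or hi < lo:
        errors.append(f"replicas: need 1 <= minReplicas <= maxReplicas, got {lo}/{hi}")
    # Security cautions from the reference.
    for section in ("hostPort", "loadBalancer"):
        opts = spec.get(section) or {}
        if opts.get("behindL7Proxy"):
            if not accept and not opts.get("sourceRanges"):
                warnings.append(f"{section}.behindL7Proxy trusts client-supplied X-Forwarded-* headers; "
                                "restrict sources with acceptRequestsFrom (or sourceRanges)")
        elif opts.get("realIPHeader"):
            warnings.append(f"{section}.realIPHeader has no effect without behindL7Proxy")
    if inlet == "HostPortWithProxyProtocol" and not accept:
        warnings.append("HostPortWithProxyProtocol trusts a client-supplied PROXY header; set acceptRequestsFrom")
    if spec.get("legacySSL"):
        warnings.append("legacySSL enables TLSv1/1.1 and non-forward-secret and SHA-1 CBC cipher suites")
    return errors, warnings


# Constructed specs (not from a real cluster).
BAD_SPEC = {
    "inlet": "HostWithFailover",
    "enableIstioSidecar": True,                                   # conflicts with HostWithFailover
    "acceptRequestsFrom": ["10.0.0.0/8", "192.168.1.1", "2001:db8::/32"],   # last two rejected
    "hostPort": {"behindL7Proxy": True},                          # no port at all
    "customErrors": {"codes": ["404", "5xx"]},                    # two keys missing, bad code
    "enableHTTP3": True,                                          # version unknown
    "hstsOptions": {"maxAge": "0"},
    "minReplicas": 3, "maxReplicas": 2,
    "legacySSL": True,
}
GOOD_SPEC = {
    "inlet": "HostPort",
    "hostPort": {"httpPort": 80, "httpsPort": 443, "behindL7Proxy": True, "realIPHeader": "CF-Connecting-IP"},
    "acceptRequestsFrom": ["10.0.0.0/8"],
    "controllerVersion": "1.12",
    "hsts": True, "hstsOptions": {"maxAge": "31536000", "includeSubDomains": True},
    "minReplicas": 1, "maxReplicas": 1,
}

if __name__ == "__main__":
    for name, spec in (("BAD_SPEC", BAD_SPEC), ("GOOD_SPEC", GOOD_SPEC)):
        errs, warns = lint(spec)
        print(f"{name}: {len(errs)} errors, {len(warns)} warnings")
        for line in errs + warns:
            print("  -", line)
```

      The warnings are the part worth keeping in a CI step: none of them is rejected by the CRD schema, yet each corresponds to a caution in this reference about accepting traffic from untrusted sources or weakening TLS.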

Deprecated resource. Support for the resource might be removed in a later release.

  • spec
    object

    Required value

    • spec.acceptRequestsFrom
      array of strings

      Networks in IPv4 CIDR format that are allowed to access the Ingress controller.

      Regardless of the inlet type, it is always the source IP address that is verified (the original_address field in logs, that is, the address the connection was established from) and not the “client address” that some inlets can pass via headers or using the proxy protocol.

      This parameter is implemented using the map module. If the source address is not in the list of allowed addresses, nginx closes the connection immediately with code 444.

      By default, the connection to the controller can be made from any address.

      • Element of the array
        string

        Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$

    • spec.additionalHeaders
      object

      Additional headers to add to all requests (map of key: value (string)).

    • spec.additionalLogFields
      object

      Additional fields to add to nginx logs (map of key: value (string)).

    • spec.annotationValidationEnabled
      boolean

      Enables the annotation validation feature.

      Default: false

    • spec.chaosMonkey
      boolean

      Instrument for unexpected and random termination of Ingress controller Pods in a systemic manner. Chaos Monkey tests the resilience of the Ingress controller.

      Default: false

    • spec.config
      object

      The section with the Ingress controller parameters.

      You can specify any supported parameter in it in the key: value (string) format.

      Caution. An erroneous option may lead to the failure of the Ingress controller.

      Caution. Using this parameter is not recommended; backward compatibility or operability of an Ingress controller that uses this option is not guaranteed.

    • spec.controllerVersion
      string

      One of the supported NGINX Ingress controller versions.

      By default: the version in the module settings is used.

      Allowed values: 1.9, 1.10, 1.12

    • spec.customErrors
      object

      The section with parameters of custom HTTP errors.

      All parameters in this section are mandatory if it is defined. Changing any parameter leads to the restart of all NGINX Ingress controllers.

      • spec.customErrors.codes
        array of strings

        Required value

        Error codes which should be redirected to custom errors backend.

        • Element of the array
          string

          Pattern: ^[1-5][0-9][0-9]$

      • spec.customErrors.namespace
        string

        Required value

        Namespace of custom errors backend.

        Example:

        namespace: default
        
      • spec.customErrors.serviceName
        string

        Required value

        Name of kubernetes service that leads to custom errors backend.

        Example:

        serviceName: custom-errors-backend-service
        
    • spec.defaultSSLCertificate
      object

      This certificate is used:

      • for catch-all server requests (here, “catch-all server” refers to the nginx server directive; requests for which there is no corresponding Ingress resource end up on the catch-all server);
      • for Ingress resources that do not have a secretName specified in the tls section.

      By default, a self-signed certificate is used.

      Caution. This parameter does not affect certificates used in the Ingress resources of the Deckhouse modules. You can specify the certificate to be used in the Ingress resources of the Deckhouse modules with the modules.https.customCertificate global parameter.

      • spec.defaultSSLCertificate.secretRef
        object

        The Secret reference to pass to the Ingress Controller.

        • spec.defaultSSLCertificate.secretRef.name
          string

          Name of the Secret containing the SSL certificate.

          Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

        • spec.defaultSSLCertificate.secretRef.namespace
          string

          Namespace, where the Secret is located.

          Default: "d8-ingress-nginx"

          Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$

    • spec.disableHTTP2
      boolean

      Disables HTTP/2 support.

      Default: false

    • spec.enableIstioSidecar
      boolean

      Attach annotations to the controller pods to automatically inject Istio sidecar containers.

      After setting this parameter, the sidecar.istio.io/inject: "true" and traffic.sidecar.istio.io/includeOutboundIPRanges: "<Service CIDR>" annotations will be attached to the ingress-controller pods. During pod creation, Istio's mutating webhook will add the sidecar to them. After that, the sidecar will intercept the network traffic directed to the Service CIDR.

      To use this feature in your application, you must add these annotations to your Ingress resources:

      • nginx.ingress.kubernetes.io/service-upstream: "true": using this annotation, the ingress-controller sends requests to a single ClusterIP (from the Service CIDR) while envoy load-balances them. Istio sidecar containers only intercept traffic directed to the Service CIDR.
      • nginx.ingress.kubernetes.io/upstream-vhost: myservice.myns.svc: using this annotation, the sidecar can identify the application service that serves requests.

      Caution. This parameter cannot be enabled if the Ingress controller inlet is set to HostWithFailover.

    • spec.geoIP2
      object

      Enable GeoIP2 databases.

      • spec.geoIP2.maxmindEditionIDs
        array of strings

        A list of database editions to download at startup.

        Default: ["GeoLite2-City","GeoLite2-ASN"]

        • Element of the array
          string

          Allowed values: GeoIP2-Anonymous-IP, GeoIP2-Country, GeoIP2-City, GeoIP2-Connection-Type, GeoIP2-Domain, GeoIP2-ISP, GeoIP2-ASN, GeoLite2-ASN, GeoLite2-Country, GeoLite2-City

      • spec.geoIP2.maxmindLicenseKey
        string

        A license key to download the GeoIP2 database.

        If the key is set, the module downloads the GeoIP2 databases every time the controller starts. The key is issued by MaxMind.

    • spec.hostPort
      object

      HostPort inlet settings.

      • spec.hostPort.behindL7Proxy
        boolean

        Accepts all the incoming X-Forwarded-* headers and passes them to upstreams.

        Caution. Make sure that requests to the ingress are sent from trusted sources when using this option. The acceptRequestsFrom parameter can help you with defining trusted sources.

      • spec.hostPort.httpPort
        integer

        Port for insecure HTTP connections.

        If the parameter is not set, the connection over HTTP cannot be established.

        This parameter is mandatory if httpsPort is not set.

        Example:

        httpPort: 80
        
      • spec.hostPort.httpsPort
        integer

        Port for secure HTTPS connections.

        If the parameter is not set, the connection over HTTPS cannot be established.

        This parameter is mandatory if httpPort is not set.

        Example:

        httpsPort: 443
        
      • spec.hostPort.realIPHeader
        string

        Sets the header field for identifying the originating IP address of a client.

        This option works only if behindL7Proxy is enabled.

        Default: "X-Forwarded-For"

        Example:

        realIPHeader: CF-Connecting-IP
        
    • spec.hostPortWithProxyProtocol
      object

      A section of parameters of the HostPortWithProxyProtocol inlet.

      • spec.hostPortWithProxyProtocol.httpPort
        integer

        Port for insecure HTTP connections.

        If the parameter is not set, the connection over HTTP cannot be established.

        This parameter is mandatory if httpsPort is not set.

        Example:

        httpPort: 80
        
      • spec.hostPortWithProxyProtocol.httpsPort
        integer

        Port for secure HTTPS connections.

        If the parameter is not set, the connection over HTTPS cannot be established.

        This parameter is mandatory if httpPort is not set.

        Example:

        httpsPort: 443
        
    • spec.hsts
      boolean

      Determines whether HSTS (HTTP Strict Transport Security) is enabled.

      Default: false

    • spec.hstsOptions
      object

      Options for HTTP Strict Transport Security.

      • spec.hstsOptions.includeSubDomains
        boolean

        If this optional parameter is specified, the HSTS rule applies to all subdomains as well.

        Default: false

      • spec.hstsOptions.maxAge
        string

        The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.

        Default: "31536000"

        Pattern: ^[1-9][0-9]*$

        Example:

        maxAge: '31536000'
        
      • spec.hstsOptions.preload
        boolean

        Adds the preload directive to the HSTS header so that the site can be included in the browser HSTS preload list, enforcing the use of SSL/TLS connections to the site.

        Default: false

    • spec.ingressClass
      string

      The name of the Ingress class to use with the NGINX Ingress controller.

      Using this option, you can run several controllers in one cluster, each handling the Ingress resources of its own class.

      Caution. If you set it to “nginx”, then Ingress resources lacking the kubernetes.io/ingress.class annotation or spec.ingressClassName field will also be handled.

      Default: "nginx"

      Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

      Example:

      ingressClass: nginx
      
    • spec.inlet
      string

      Required value

      The way traffic from the external network is routed to the cluster. Once you have set the method, you cannot change it later.

      • LoadBalancer — the Ingress controller is deployed and a Service of the LoadBalancer type is provisioned.
      • LoadBalancerWithProxyProtocol — the Ingress controller is deployed and a Service of the LoadBalancer type is provisioned. The Ingress controller uses the proxy protocol to obtain the real IP address of the client.
      • HostPort — the Ingress controller is deployed and is available through the nodes’ ports via hostPort.

        Settings are required in spec.hostPort.

      • HostPortWithProxyProtocol — the Ingress controller is deployed and is available through the nodes’ ports via hostPort; it uses the proxy protocol to obtain the real IP address of the client.

        Settings are required in spec.hostPortWithProxyProtocol.

        Caution. Make sure that requests to the Ingress are sent from trusted sources when using this inlet. The acceptRequestsFrom parameter can help you with defining trusted sources.

      • HostWithFailover — installs two Ingress controllers, the primary and the backup one. The primary controller runs in the hostNetwork. If the pods of the primary controller are not available, the traffic is routed to the backup one.

        Caution. There can be only one controller with this inlet type on a host.

        Caution. The following ports must be available on the node: 80, 81, 443, 444, 4207, 4208.

        Caution. To change inlet, remove the iptables rules and restart the kube-proxy pods or reboot the nodes hosting Ingress controllers.

        Caution. This inlet cannot be used if the enableIstioSidecar parameter is enabled.

      Allowed values: LoadBalancer, LoadBalancerWithProxyProtocol, HostPort, HostPortWithProxyProtocol, HostWithFailover
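As an added check that is not part of the module or its documentation, the following Python lints an IngressNginxController spec (given as a parsed dict) against constraints stated on this page: the allowed inlets, the httpPort/httpsPort requirement of the HostPort inlets, the enableIstioSidecar/HostWithFailover conflict, behindL7Proxy or realIPHeader without acceptRequestsFrom, the IPv4 CIDR pattern, and the hstsOptions.maxAge pattern. The sample specs are constructed; the CF-Connecting-IP header value is the one the page uses in its own example.

```python
import re

# Constraints transcribed from the IngressNginxController reference on this page.
CIDR_RE = re.compile(
    r"^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}"
    r"([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$")
INLETS = {"LoadBalancer", "LoadBalancerWithProxyProtocol", "HostPort",
          "HostPortWithProxyProtocol", "HostWithFailover"}
# Inlet -> spec section that must carry at least one of httpPort / httpsPort.
PORT_SECTION = {"HostPort": "hostPort",
                "HostPortWithProxyProtocol": "hostPortWithProxyProtocol"}

def lint(spec):
    """Return 'ERROR: ...' / 'WARN: ...' findings for one IngressNginxController spec."""
    out, inlet = [], spec.get("inlet")
    if inlet not in INLETS:
        out.append(f"ERROR: inlet must be one of {sorted(INLETS)}, got {inlet!r}")
    if inlet == "HostWithFailover" and spec.get("enableIstioSidecar"):
        out.append("ERROR: enableIstioSidecar cannot be used with the HostWithFailover inlet")
    if inlet in PORT_SECTION:
        ports = spec.get(PORT_SECTION[inlet], {})
        if not (ports.get("httpPort") or ports.get("httpsPort")):
            out.append(f"ERROR: {PORT_SECTION[inlet]} needs httpPort and/or httpsPort")
    # behindL7Proxy trusts X-Forwarded-* from anyone who can reach the controller,
    # so the page pairs it with acceptRequestsFrom; realIPHeader is inert without it.
    for key in ("hostPort", "loadBalancer"):
        sec = spec.get(key, {})
        if sec.get("behindL7Proxy") and not spec.get("acceptRequestsFrom"):
            out.append(f"WARN: {key}.behindL7Proxy is set but acceptRequestsFrom is empty")
        if sec.get("realIPHeader") and not sec.get("behindL7Proxy"):
            out.append(f"WARN: {key}.realIPHeader has no effect without behindL7Proxy")
    if inlet == "HostPortWithProxyProtocol" and not spec.get("acceptRequestsFrom"):
        out.append("WARN: HostPortWithProxyProtocol should be restricted via acceptRequestsFrom")
    # Every CIDR list on the page uses the same IPv4 pattern (the mask is mandatory).
    cidrs = [("acceptRequestsFrom", c) for c in spec.get("acceptRequestsFrom", [])]
    for key in ("loadBalancer", "loadBalancerWithProxyProtocol"):
        cidrs += [(f"{key}.sourceRanges", c) for c in spec.get(key, {}).get("sourceRanges", [])]
    out += [f"ERROR: {k} entry {c!r} is not a valid IPv4 CIDR"
            for k, c in cidrs if not CIDR_RE.match(c)]
    max_age = spec.get("hstsOptions", {}).get("maxAge")
    if max_age is not None and not re.fullmatch(r"[1-9][0-9]*", str(max_age)):
        out.append(f"ERROR: hstsOptions.maxAge {max_age!r} must match ^[1-9][0-9]*$")
    if spec.get("legacySSL"):
        out.append("WARN: legacySSL re-enables TLSv1/TLSv1.1 and weaker cipher suites")
    return out

# Constructed sample: HostPort inlet behind an L7 proxy, first without an allow-list.
WEAK_SPEC = {"inlet": "HostPort",
             "hostPort": {"httpPort": 80, "httpsPort": 443, "behindL7Proxy": True,
                          "realIPHeader": "CF-Connecting-IP"}}
HARDENED_SPEC = {**WEAK_SPEC, "acceptRequestsFrom": ["192.0.2.0/24"]}  # lint -> []
```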

    • spec.legacySSL
      boolean

      Enables outdated versions of the TLS protocol and cipher suites.

      Enables the following TLS protocol versions: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3.

      Enables the following combinations of cipher suites in order from the strongest to the weakest: ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES256-SHA, ECDHE-ECDSA-AES128-SHA, ECDHE-RSA-AES128-SHA, AES256-GCM-SHA384, AES128-GCM-SHA256, AES256-SHA256, AES128-SHA256, AES256-SHA, AES128-SHA.

      By default, only TLSv1.2 and TLSv1.3 with the newest cipher suites are enabled.

    • spec.loadBalancer
      object

      Not required value.

      A section of parameters of the LoadBalancer inlet.

      • spec.loadBalancer.annotations
        object

        Annotations to assign to the service for flexible configuration of the load balancer.

        Caution. The module does not take into account the specifics of setting annotations in different clouds. Note that you will need to recreate IngressNginxController (or create a new controller and then delete the old one) if annotations to provision a load balancer are only used when creating the service.

      • spec.loadBalancer.behindL7Proxy
        boolean

        Accepts all the incoming X-Forwarded-* headers and passes them to upstreams.

        Caution. Make sure that requests to the Ingress controller are sent from trusted sources when using this option.

      • spec.loadBalancer.loadBalancerClass
        string

        The LoadBalancer class (it is passed to the spec.loadBalancerClass parameter of the provisioned service of the LoadBalancer type).

      • spec.loadBalancer.realIPHeader
        string

        Sets the header field for identifying the originating IP address of a client.

        This option works only if behindL7Proxy is enabled.

        Default: "X-Forwarded-For"

        Example:

        realIPHeader: CF-Connecting-IP
        
      • spec.loadBalancer.sourceRanges
        array of strings

        IP ranges (CIDR) that are allowed to access the load balancer.

        Caution. The cloud provider may not support this option or ignore it. Providers supporting the option: AWS, GCP, Azure. Providers ignoring the option: YandexCloud. For other cloud providers, the behavior may depend on the specifics of the cloud implementation. Testing is recommended before use of the option in production.

        • Element of the array
          string

          Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$

    • spec.loadBalancerWithProxyProtocol
      object

      Not required value.

      A section of parameters of the LoadBalancerWithProxyProtocol inlet.

      • spec.loadBalancerWithProxyProtocol.annotations
        object

        Annotations passed to the Service of the LoadBalancer type to configure it.

        Caution. The module does not take into account the specifics of setting annotations in different clouds. Note that you will need to recreate IngressNginxController (or create a new controller and then delete the old one) if annotations to provision a load balancer are only used when creating the service.

      • spec.loadBalancerWithProxyProtocol.loadBalancerClass
        string

        The LoadBalancer class (it is passed to the spec.loadBalancerClass parameter of the provisioned service of the LoadBalancer type).

      • spec.loadBalancerWithProxyProtocol.sourceRanges
        array of strings

        IP ranges (CIDR) that are allowed to access the load balancer.

        Caution. The cloud provider may not support this option or ignore it. Providers supporting the option: AWS, GCP, Azure. Providers ignoring the option: YandexCloud. For other cloud providers, the behavior may depend on the specifics of the cloud implementation. Testing is recommended before use of the option in production.

        • Element of the array
          string

          Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$

    • spec.maxReplicas
      integer

      LoadBalancer and LoadBalancerWithProxyProtocol controller’s Horizontal Pod Autoscaler maximum replicas count.

      Default: 1

      Allowed values: 1 <= X

    • spec.minReplicas
      integer

      LoadBalancer and LoadBalancerWithProxyProtocol controller’s Horizontal Pod Autoscaler minimum replicas count.

      Default: 1

      Allowed values: 1 <= X

    • spec.nodeSelector
      object

      The same as in the pods’ spec.nodeSelector parameter in Kubernetes.

      If the parameter is omitted or false, it will be determined automatically.

      Format: the standard nodeSelector list. Instance pods inherit this field as is.

    • spec.resourcesRequests
      object

      Max amounts of CPU and memory resources that the pod can request when selecting a node (if the VPA is disabled, then these values become the default ones).

      • spec.resourcesRequests.mode
        string

        Required value

        The mode for managing resource requests.

        Default: "VPA"

        Allowed values: VPA, Static

      • spec.resourcesRequests.static
        object

        Static mode settings.

        • spec.resourcesRequests.static.cpu
          string

          CPU requests.

          Default: "350m"

        • spec.resourcesRequests.static.memory
          string

          Memory requests.

          Default: "500Mi"

      • spec.resourcesRequests.vpa
        object

        Parameters of the VPA mode.

        • spec.resourcesRequests.vpa.cpu
          object

          CPU-related parameters.

          • spec.resourcesRequests.vpa.cpu.max
            string

            Maximum allowed CPU requests.

            Default: "50m"

          • spec.resourcesRequests.vpa.cpu.min
            string

            Minimum allowed CPU requests.

            Default: "10m"

        • spec.resourcesRequests.vpa.memory
          object

          The amount of memory requested.

          • spec.resourcesRequests.vpa.memory.max
            string

            Maximum allowed memory requests.

            Default: "200Mi"

          • spec.resourcesRequests.vpa.memory.min
            string

            Minimum allowed memory requests.

            Default: "50Mi"

        • spec.resourcesRequests.vpa.mode
          string

          The VPA usage mode.

          Default: "Initial"

          Allowed values: Initial, Auto

    • spec.tolerations
      array of objects

      The same as in the pods’ spec.tolerations parameter in Kubernetes.

      If the parameter is omitted or false, it will be determined automatically.

      Format: the standard toleration list. Instance pods inherit this field as is.

      • spec.tolerations.effect
        string

        Allowed values: NoSchedule, PreferNoSchedule, NoExecute

      • spec.tolerations.key
        string
      • spec.tolerations.operator
        string

        Default: "Equal"

        Allowed values: Exists, Equal

      • spec.tolerations.tolerationSeconds
        integer
      • spec.tolerations.value
        string
    • spec.underscoresInHeaders
      boolean

      Determines whether underscores are allowed in header names.

      Do not enable it without careful consideration: when underscores are allowed, a header such as X_Forwarded_For is passed to upstreams alongside X-Forwarded-For, and an application that maps header names to environment-style variables (HTTP_X_FORWARDED_FOR) cannot tell the two apart.

      Default: false

    • spec.validationEnabled
      boolean

      Enable ingress validation admission.

      Default: true

    • spec.waitLoadBalancerOnTerminating
      integer

      The number of seconds before the /healthz location starts returning a 500 status code once the pod enters the Terminating state. This parameter has the following default values:

      • 0s - for HostWithFailover
      • 60s - for HostPort and HostPortWithProxyProtocol
      • 120s - for LoadBalancer and LoadBalancerWithProxyProtocol