IngressNginxController

Scope: Cluster

  • spec (object)

    Required value

    • spec.acceptRequestsFrom (array of strings)

      IP or CIDR that is allowed to access the Ingress controller.

      Regardless of the inlet type, the check is always made against the source IP address, that is, the address the connection was established from (the original_address field in logs), and not the “address of the client” that some inlets can pass via headers or the proxy protocol.

      This parameter is implemented using the map module. If the source address is not in the list of allowed addresses, nginx closes the connection immediately using HTTP code 444.

      By default, the connection to the controller can be made from any address.

      • Element of the array (string)

        Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$

    • spec.additionalHeaders (object)

      Additional headers to add to all requests. (map: key (string)).

    • spec.additionalLogFields (object)

      Additional fields to add to nginx logs. (map: key (string)).

    • spec.annotationValidationEnabled (boolean)

      Enables the annotation validation feature.

      Requires controller version 1.9.

      Default: false

    • spec.chaosMonkey (boolean)

      A tool for the systematic, unexpected and random termination of Ingress controller Pods. Chaos Monkey tests the resilience of the Ingress controller.

      Default: false

    • spec.config (object)

      The section with the Ingress controller parameters.

      You can specify any supported parameter in it in the key: value (string) format.

      Caution! An erroneous option may lead to the failure of the Ingress controller.

      Caution! The usage of this parameter is not recommended; the backward compatibility or operability of the Ingress controller that uses this option is not guaranteed.

    • spec.controllerVersion (string)

      One of the supported NGINX Ingress controller versions.

      By default: the version in the module settings is used.

      Allowed values: 1.1, 1.6, 1.9

    • spec.customErrors (object)

      The section with parameters of custom HTTP errors.

      All parameters in this section are mandatory if it is defined. Changing any parameter leads to the restart of all NGINX Ingress controllers.

      • spec.customErrors.codes (array of strings)

        Required value

        Error codes that should be redirected to the custom errors backend.

        • Element of the array (string)

          Pattern: ^[1-5][0-9][0-9]$

      • spec.customErrors.namespace (string)

        Required value

        Namespace of the custom errors backend.

        Example:

        namespace: default
        
      • spec.customErrors.serviceName (string)

        Required value

        Name of the Kubernetes Service that leads to the custom errors backend.

        Example:

        serviceName: custom-errors-backend-service
        
    • spec.defaultSSLCertificate (object)

      This certificate is used:

      • for catch-all server requests (here, “catch-all server” refers to the nginx server directive). Requests for which there is no corresponding Ingress resource end up on the catch-all server.
      • for Ingress resources that do not have a secretName specified in the tls section.

      By default, a self-signed certificate is used.

      Caution! This parameter does not affect certificates used in the Ingress resources of the Deckhouse modules. You can specify the certificate to be used in the Ingress resources of the Deckhouse modules with the modules.https.customCertificate global parameter.

      • spec.defaultSSLCertificate.secretRef (object)

        The Secret reference to pass to the Ingress Controller.

        • spec.defaultSSLCertificate.secretRef.name (string)

          Name of the Secret containing the SSL certificate.

          Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

        • spec.defaultSSLCertificate.secretRef.namespace (string)

          Namespace where the Secret is located.

          Default: "d8-ingress-nginx"

          Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$

    • spec.disableHTTP2 (boolean)

      Switches off HTTP/2 support.

      Default: false

    • spec.enableIstioSidecar (boolean)

      Attach annotations to the controller pods to automatically inject Istio sidecar containers.

      After setting this parameter, the sidecar.istio.io/inject: "true" and traffic.sidecar.istio.io/includeOutboundIPRanges: "<Service CIDR>" annotations will be attached to the ingress-controller pods. During pod creation, the Istio’s mutating webhook will add the sidecar to it. After that, the sidecar will catch the network traffic to Service CIDR.

      To use this feature in your application, you must add these annotations to your Ingress resources:

      • nginx.ingress.kubernetes.io/service-upstream: "true" — using this annotation, the ingress-controller sends requests to a single ClusterIP (from Service CIDR) while envoy load balances them. Istio sidecar containers only catch traffic directed to Service CIDR.
      • nginx.ingress.kubernetes.io/upstream-vhost: myservice.myns.svc — using this annotation, the sidecar can identify the application service that serves requests.
    • spec.geoIP2 (object)

      Enable GeoIP2 databases.

      • spec.geoIP2.maxmindEditionIDs (array of strings)

        A list of database editions to download at startup.

        More info…

        Default: ["GeoLite2-City","GeoLite2-ASN"]

        • Element of the array (string)

          Allowed values: GeoIP2-Anonymous-IP, GeoIP2-Country, GeoIP2-City, GeoIP2-Connection-Type, GeoIP2-Domain, GeoIP2-ISP, GeoIP2-ASN, GeoLite2-ASN, GeoLite2-Country, GeoLite2-City

      • spec.geoIP2.maxmindLicenseKey (string)

        A license key to download the GeoIP2 database.

        If the key is set, the module downloads the GeoIP2 database every time the controller is started. Click here to learn more about obtaining a license key.

    • spec.hostPort (object)

      HostPort inlet settings.

      • spec.hostPort.behindL7Proxy (boolean)

        Accepts all the incoming X-Forwarded-* headers and passes them to upstreams.

        Caution! Make sure that requests to the ingress are sent from trusted sources when using this option. The acceptRequestsFrom parameter can help you with defining trusted sources.

      • spec.hostPort.httpPort (integer)

        Port for insecure HTTP connections.

        If the parameter is not set, the connection over HTTP cannot be established.

        This parameter is mandatory if httpsPort is not set.

        Example:

        httpPort: '80'
        
      • spec.hostPort.httpsPort (integer)

        Port for secure HTTPS connections.

        If the parameter is not set, the connection over HTTPS cannot be established.

        This parameter is mandatory if httpPort is not set.

        Example:

        httpsPort: '443'
        
      • spec.hostPort.realIPHeader (string)

        Sets the header field for identifying the originating IP address of a client.

        This option works only if behindL7Proxy is enabled.

        Default: "X-Forwarded-For"

        Example:

        realIPHeader: CF-Connecting-IP
        
    • spec.hostPortWithProxyProtocol (object)

      A section of parameters of the HostPortWithProxyProtocol inlet.

      • spec.hostPortWithProxyProtocol.httpPort (integer)

        Port for insecure HTTP connections.

        If the parameter is not set, the connection over HTTP cannot be established.

        This parameter is mandatory if httpsPort is not set.

        Example:

        httpPort: '80'
        
      • spec.hostPortWithProxyProtocol.httpsPort (integer)

        Port for secure HTTPS connections.

        If the parameter is not set, the connection over HTTPS cannot be established.

        This parameter is mandatory if httpPort is not set.

        Example:

        httpsPort: '443'
        
    • spec.hsts (boolean)

      Determines whether HSTS is enabled (read more…).

      Default: false

    • spec.hstsOptions (object)

      Options for HTTP Strict Transport Security.

      • spec.hstsOptions.includeSubDomains (boolean)

        If this optional parameter is specified, this rule applies to all of the site's subdomains as well.

        Default: false

      • spec.hstsOptions.maxAge (string)

        The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.

        Default: "31536000"

        Pattern: ^[1-9][0-9]*$

        Example:

        maxAge: '31536000'
        
      • spec.hstsOptions.preload (boolean)

        Adds your site to the preload list to enforce the use of SSL/TLS connections on your site.

        Default: false

    • spec.ingressClass (string)

      The name of the Ingress class to use with the NGINX Ingress controller.

      Using this option, you can create several controllers to use with a single ingress

      Caution! If you set it to “nginx”, then Ingress resources lacking the kubernetes.io/ingress.class annotation or spec.ingressClassName field will also be handled.

      Default: "nginx"

      Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

      Example:

      ingressClass: nginx
      
    • spec.inlet (string)

      Required value

      The way traffic from the external network is routed to the cluster. Once you have set the method, you cannot change it later.

      • LoadBalancer — Ingress controller is deployed and the service of LoadBalancer type is provisioned.
      • LoadBalancerWithProxyProtocol — Ingress controller is deployed and the service of LoadBalancer type is provisioned. Ingress controller uses proxy-protocol to get a real IP of the client.
      • HostPort — Ingress controller is deployed and available through nodes’ ports via hostPort.

        Settings are required in spec.hostPort.

      • HostPortWithProxyProtocol — Ingress controller is deployed and available through nodes’ ports via hostPort; it uses proxy-protocol to get the real IP of the client.

        Settings are required in spec.hostPortWithProxyProtocol.

        Caution! Make sure that requests to the Ingress are sent from trusted sources when using this inlet. The acceptRequestsFrom parameter can help you with defining trusted sources.

      • HostWithFailover — installs two Ingress controllers, the primary and the backup one. The primary controller runs in hostNetwork. If the pods of the primary controller are not available, the traffic is routed to the backup one.

        Caution! There can be only one controller with this inlet type on a host.

        Caution! The following ports must be available on the node: 80, 81, 443, 444, 10354, 10355.

        Caution! To change inlet, remove the iptables rules and restart the kube-proxy pods or reboot the nodes hosting Ingress controllers.

      Allowed values: LoadBalancer, LoadBalancerWithProxyProtocol, HostPort, HostPortWithProxyProtocol, HostWithFailover

    • spec.legacySSL (boolean)

      Enable old TLS protocol versions and legacy cipher suites.

      This option also enables legacy cipher suites to support legacy libraries and software: OWASP Cipher String ‘C’. Learn more here.

      By default, only TLSv1.2 and the newest cipher suites are enabled.

    • spec.loadBalancer (object)

      Not required value.

      A section of parameters of the LoadBalancer inlet.

      • spec.loadBalancer.annotations (object)

        Annotations to assign to the service for flexible configuration of the load balancer.

        Caution! The module does not take into account the specifics of setting annotations in different clouds. Note that you will need to recreate IngressNginxController (or create a new controller and then delete the old one) if annotations to provision a load balancer are only used when creating the service.

      • spec.loadBalancer.behindL7Proxy (boolean)

        Accepts all the incoming X-Forwarded-* headers and passes them to upstreams.

        Caution! Make sure that requests to the Ingress are sent from trusted sources when using this option.

      • spec.loadBalancer.realIPHeader (string)

        Sets the header field for identifying the originating IP address of a client.

        This option works only if behindL7Proxy is enabled.

        Default: "X-Forwarded-For"

        Example:

        realIPHeader: CF-Connecting-IP
        
      • spec.loadBalancer.sourceRanges (array of strings)

        IP ranges (CIDR) that are allowed to access the load balancer.

        The cloud provider may not support this option or may ignore it.

        • Element of the array (string)

          Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$

    • spec.loadBalancerWithProxyProtocol (object)

      Not required value.

      A section of parameters of the LoadBalancerWithProxyProtocol inlet.

      • spec.loadBalancerWithProxyProtocol.annotations (object)

        Annotations that will be passed to the Service of the LoadBalancer type to configure it.

        Caution! The module does not take into account the specifics of setting annotations in different clouds. Note that you will need to recreate IngressNginxController (or create a new controller and then delete the old one) if annotations to provision a load balancer are only used when creating the service.

      • spec.loadBalancerWithProxyProtocol.sourceRanges (array of strings)

        IP ranges (CIDR) that are allowed to access the load balancer.

        The cloud provider may not support this option or may ignore it.

        • Element of the array (string)

          Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$

    • spec.maxReplicas (integer)

      LoadBalancer and LoadBalancerWithProxyProtocol controller’s Horizontal Pod Autoscaler maximum replicas count.

      Default: 1

      Allowed values: 1 <= X

    • spec.minReplicas (integer)

      LoadBalancer and LoadBalancerWithProxyProtocol controller’s Horizontal Pod Autoscaler minimum replicas count.

      Default: 1

      Allowed values: 1 <= X

    • spec.nodeSelector (object)

      The same as in the pods’ spec.nodeSelector parameter in Kubernetes.

      If the parameter is omitted or false, it will be determined automatically.

      Format: the standard nodeSelector list. Instance pods inherit this field as is.

    • spec.resourcesRequests (object)

      Max amounts of CPU and memory resources that the pod can request when selecting a node (if the VPA is disabled, then these values become the default ones).

      • spec.resourcesRequests.mode (string)

        Required value

        The mode for managing resource requests.

        Default: "VPA"

        Allowed values: VPA, Static

      • spec.resourcesRequests.static (object)

        Static mode settings.

        • spec.resourcesRequests.static.cpu (string)

          CPU requests.

          Default: "350m"

        • spec.resourcesRequests.static.memory (string)

          Memory requests.

          Default: "500Mi"

      • spec.resourcesRequests.vpa (object)

        Parameters of the vpa mode.

        • spec.resourcesRequests.vpa.cpu (object)

          CPU-related parameters.

          • spec.resourcesRequests.vpa.cpu.max (string)

            Maximum allowed CPU requests.

            Default: "50m"

          • spec.resourcesRequests.vpa.cpu.min (string)

            Minimum allowed CPU requests.

            Default: "10m"

        • spec.resourcesRequests.vpa.memory (object)

          The amount of memory requested.

          • spec.resourcesRequests.vpa.memory.max (string)

            Maximum allowed memory requests.

            Default: "200Mi"

          • spec.resourcesRequests.vpa.memory.min (string)

            Minimum allowed memory requests.

            Default: "50Mi"

        • spec.resourcesRequests.vpa.mode (string)

          The VPA usage mode.

          Default: "Initial"

          Allowed values: Initial, Auto

    • spec.tolerations (array of objects)

      The same as in the pods’ spec.tolerations parameter in Kubernetes.

      If the parameter is omitted or false, it will be determined automatically.

      Format: the standard toleration list. Instance pods inherit this field as is.

      • spec.tolerations.effect (string)

        Allowed values: NoSchedule, PreferNoSchedule, NoExecute

      • spec.tolerations.key (string)
      • spec.tolerations.operator (string)

        Default: "Equal"

        Allowed values: Exists, Equal

      • spec.tolerations.tolerationSeconds (integer)
      • spec.tolerations.value (string)
    • spec.underscoresInHeaders (boolean)

      Determines whether underscores are allowed in headers. Learn more…

      This tutorial sheds light on why you should not enable it without careful consideration.

      Default: false

    • spec.validationEnabled (boolean)

      Enables Ingress validation admission.

      Default: true

    • spec.waitLoadBalancerOnTerminating (integer)

      The number of seconds before the /healthz location will start to return a 500 code when the pod enters the Terminating state. This parameter has default values:

      • 0s - for HostWithFailover
      • 60s - for HostPort and HostPortWithProxyProtocol
      • 120s - for LoadBalancer and LoadBalancerWithProxyProtocol
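
A small lint for the trust-related cautions above (acceptRequestsFrom, behindL7Proxy, the HostPortWithProxyProtocol inlet), added here as an example and not part of the Deckhouse code. The spec dictionaries, addresses and function names are constructed for illustration, and handle() is a simplified model of the documented behaviour, not nginx itself.

```python
import ipaddress
import re

# Element pattern of spec.acceptRequestsFrom, copied from the reference above.
OCTET = r"([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])"
CIDR_RE = re.compile(r"^(" + OCTET + r"\.){3}" + OCTET + r"(\/(3[0-2]|[1-2][0-9]|[0-9]))$")


def parse_allowlist(entries):
    """Return (networks, problems) for a spec.acceptRequestsFrom list."""
    networks, problems = [], []
    for entry in entries:
        if not CIDR_RE.match(entry):
            # The prefix is not optional in the pattern: a single host is written as /32.
            problems.append(f"{entry}: rejected by the schema pattern")
            continue
        net = ipaddress.ip_network(entry, strict=False)
        if str(net) != entry:
            problems.append(f"{entry}: host bits set, canonical form is {net}")
        if net.prefixlen == 0:
            problems.append(f"{entry}: matches every IPv4 address")
        networks.append(net)
    return networks, problems


def lint_spec(spec):
    """Flag settings that trust client-supplied address data without a source restriction."""
    networks, problems = parse_allowlist(spec.get("acceptRequestsFrom", []))
    findings = [f"acceptRequestsFrom: {p}" for p in problems]
    # Unset list (the default) or a /0 entry: any address may connect.
    unrestricted = not networks or any(n.prefixlen == 0 for n in networks)
    trusting = []
    if spec.get("inlet") == "HostPortWithProxyProtocol":
        trusting.append("inlet HostPortWithProxyProtocol")
    for section in ("hostPort", "loadBalancer"):
        if spec.get(section, {}).get("behindL7Proxy"):
            trusting.append(f"{section}.behindL7Proxy")
    if unrestricted:
        findings += [f"{t}: enabled while any source address may connect" for t in trusting]
    return findings


def handle(spec, peer_addr, headers):
    """Simplified model of one request: (status, client address passed upstream)."""
    networks, _ = parse_allowlist(spec.get("acceptRequestsFrom", []))
    peer = ipaddress.ip_address(peer_addr)
    if networks and not any(peer in n for n in networks):
        return 444, None  # checked against the connection address; headers never consulted
    section = spec.get("hostPort", {})
    client = peer_addr
    if section.get("behindL7Proxy"):
        client = headers.get(section.get("realIPHeader", "X-Forwarded-For"), peer_addr)
    return 200, client


# Constructed sample specs and request data (documentation address ranges).
WEAK = {"inlet": "HostPort", "hostPort": {"httpsPort": 443, "behindL7Proxy": True}}
HARDENED = dict(WEAK, acceptRequestsFrom=["192.0.2.10/32"])  # the trusted L7 proxy
FORGED = {"X-Forwarded-For": "203.0.113.7"}  # header value chosen by the sender

if __name__ == "__main__":
    for name, spec in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, lint_spec(spec), handle(spec, "198.51.100.23", FORGED))
```

With the weak spec, a sender connecting directly from 198.51.100.23 has its header value passed upstream as the client address; with the allowlist in place the same connection is closed with 444 before any header is read.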