The module lifecycle stage: General Availability
The module has requirements for installation
The Deckhouse Kubernetes Platform installs CRDs but does not remove them when a module is disabled. If you no longer need the created CRDs, delete them.
IngressNginxController
Scope: Cluster

spec (object)
  spec.acceptRequestsFrom (array of strings)
    List of IP addresses in CIDR format that are allowed to access the load balancer.
    Regardless of the inlet type, the address that is checked (the original_address field in the logs) is always the original IP address the connection is established from, not the client address that some inlets can pass via headers or the proxy protocol.
    This parameter is implemented using the nginx map module. If the original address is not allowed, nginx closes the connection, returning code 444.
    By default, the controller can be connected to from any address.
    Element of the array (string)
      Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$
  spec.additionalHeaders (object)
    Additional headers to add to all requests. Use the key: value (string) format.
  spec.additionalLogFields (object)
    Additional fields to add to the nginx logs. Use the key: value (string) format.
  spec.annotationValidationEnabled (boolean)
    Enables validation of Ingress rule annotations.
    Default: false
  spec.chaosMonkey (boolean)
    Tool for unexpected and random termination of Ingress controller Pods in a systematic manner.
    Intended for testing the fault tolerance of the Ingress controller.
    Default: false
  spec.config (object)
    Section of Ingress controller parameters where you can add any supported option in the key: value (string) format.
    An error in the options may lead to the failure of the Ingress controller.
    Be careful when using this parameter: backward compatibility and stability of the target Ingress controller are not guaranteed.
  spec.controllerLogLevel (string)
    Defines the verbosity level of the Ingress controller logs.
    Default: Info
    Allowed values:
      Error: only critical errors are logged.
      Warn: warnings and errors are logged.
      Info: informational messages, including basic debugging information.
      Extended: extended information about changes in system state.
      Debug: verbose debugging output, potentially very noisy.
      Trace: trace-level logs with detailed step-by-step context.
  spec.controllerPodsAdditionalAnnotations (object)
    Additional custom annotations for the Ingress controller pods.
    Be careful when using this parameter: backward compatibility and stability of the target Ingress controller are not guaranteed.
  spec.controllerVersion (string)
    Ingress NGINX Controller version.
    By default, the version set in the module settings is used.
    Allowed values: 1.10, 1.12, 1.14, 1.15
  spec.customErrors (object)
    Section with parameters for HTTP error customization.
    If this section is defined in the configuration, all its parameters are required.
    Changing any parameter restarts all Ingress NGINX Controllers.
    spec.customErrors.codes (array of strings, required)
      List of response codes causing redirection to the custom backend.
      Element of the array (string)
        Pattern: ^[1-5][0-9][0-9]$
    spec.customErrors.namespace (string, required)
      Name of the namespace containing the service used as the default custom backend.
      Example: namespace: default
    spec.customErrors.serviceName (string, required)
      Name of the service to be used as the default custom backend.
      Example: serviceName: custom-errors-backend-service
  spec.defaultSSLCertificate (object)
    The certificate that is used:
      - for catch-all server requests (here, "catch-all server" refers to the nginx server directive; requests without a corresponding Ingress resource end up on the catch-all server);
      - for Ingress resources that do not have a secretName specified in the tls section.
    By default, a self-signed certificate is used.
    Caution. This parameter does not affect certificates used in the Ingress resources of the Deckhouse modules. To specify the certificate used in the Ingress resources of Deckhouse modules, use the global parameter modules.https.customCertificate.
    spec.defaultSSLCertificate.secretRef (object)
      Reference to the Secret to pass to the Ingress controller.
      spec.defaultSSLCertificate.secretRef.name (string)
        Name of the Secret containing the SSL certificate.
        Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
      spec.defaultSSLCertificate.secretRef.namespace (string)
        Name of the namespace containing the Secret with the SSL certificate.
        Default: d8-ingress-nginx
        Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  spec.disableHTTP2 (boolean)
    Disables HTTP/2 support.
    Default: false
  spec.enableHTTP3 (boolean)
    Enables HTTP/3 support.
    HTTP/3 cannot be enabled when the inlet is set to HostPortWithProxyProtocol or LoadBalancerWithProxyProtocol.
    For the HostWithFailover inlet, HTTP/3 is applied only to the primary controller; the failover controller always runs without HTTP/3.
    Default: false
  spec.enableIstioSidecar (boolean)
    Attaches annotations to the controller pods so that Istio sidecar containers are injected automatically.
    After this parameter is set, the sidecar.istio.io/inject: "true" and traffic.sidecar.istio.io/includeOutboundIPRanges: "<Service CIDR>" annotations are attached to the Ingress controller pods. When these pods are created, Istio sidecars are added to them automatically via a mutating webhook. After that, the sidecar intercepts all traffic directed to the Service CIDR.
    To use this feature, add the following annotations to your Ingress resources:
      - nginx.ingress.kubernetes.io/service-upstream: "true": with this annotation, the Ingress controller sends requests to the service ClusterIP (from the Service CIDR) instead of sending them to the application pods. The istio-proxy sidecar only intercepts traffic directed to the Service CIDR; the remaining requests are sent directly.
      - nginx.ingress.kubernetes.io/upstream-vhost: myservice.myns.svc: with this annotation, the sidecar can identify the application service that serves the requests.
    Caution. This parameter cannot be enabled if the Ingress controller inlet is set to HostWithFailover.
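Added example (not from the module documentation): a controller with enableIstioSidecar together with an Ingress that carries the two annotations the parameter requires, so that the controller sends traffic to the ClusterIP and the sidecar can attribute it to the right service. The controller name, ingress class, namespace myns, service myservice and hostname are constructed; apiVersion deckhouse.io/v1 is assumed from the module's other examples.

```yaml
# Added example, not from the Deckhouse docs. Names are constructed.
apiVersion: deckhouse.io/v1
kind: IngressNginxController
metadata:
  name: istio-ingress
spec:
  ingressClass: istio-nginx      # constructed class name
  inlet: LoadBalancer            # HostWithFailover is not allowed with enableIstioSidecar
  # Adds sidecar.istio.io/inject and traffic.sidecar.istio.io/includeOutboundIPRanges
  # to the controller pods; the mutating webhook then injects istio-proxy.
  enableIstioSidecar: true
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myservice
  namespace: myns
  annotations:
    # Send requests to the service ClusterIP (inside the Service CIDR) so the
    # sidecar intercepts them instead of nginx talking to pod IPs directly.
    nginx.ingress.kubernetes.io/service-upstream: "true"
    # Host header the sidecar uses to identify the destination service.
    nginx.ingress.kubernetes.io/upstream-vhost: myservice.myns.svc
spec:
  ingressClassName: istio-nginx
  rules:
    - host: myservice.example.com    # constructed hostname
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: myservice
                port:
                  number: 80
```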
  spec.geoIP2 (object)
    GeoIP2 activation options.
    spec.geoIP2.maxmindAccountID (integer)
      MaxMind Account ID used to authenticate GeoIP2 database downloads.
      Required when licenseKey is set. If accountID is provided, downloads are performed using the official geoipupdate tool (https://github.com/maxmind/geoipupdate), which skips unchanged updates and saves the license download limit.
      Allowed values: 1 <= X
    spec.geoIP2.maxmindEditionIDs (array of strings)
      List of database revisions to download at startup.
      For details on GeoLite databases, refer to the MaxMind blog article.
      Default: [ "GeoLite2-City", "GeoLite2-ASN" ]
      Element of the array (string)
        Allowed values: GeoIP2-Anonymous-IP, GeoIP2-Country, GeoIP2-City, GeoIP2-Connection-Type, GeoIP2-Domain, GeoIP2-ISP, GeoIP2-ASN, GeoLite2-ASN, GeoLite2-Country, GeoLite2-City
    spec.geoIP2.maxmindLicenseKey (string)
      License key for downloading the GeoIP2 database.
      If the key is set in the configuration, the module downloads the GeoIP2 database every time the controller is started. For details on obtaining a key, refer to the MaxMind blog article.
    spec.geoIP2.maxmindMirror (object)
      Mirror configuration for downloading GeoIP databases.
      If the parameter is not specified or is empty, the default value https://download.maxmind.com is used.
      If the mirror hosts preloaded archives, the licenseKey parameter may be omitted.
      spec.geoIP2.maxmindMirror.ca (string)
        Custom CA certificate in PEM format for verifying TLS connections to the mirror.
        Example:
          ca: |
            -----BEGIN CERTIFICATE-----
            ...
            -----END CERTIFICATE-----
      spec.geoIP2.maxmindMirror.insecureSkipVerify (boolean)
        Skips TLS certificate verification for the mirror, for example when self-signed certificates are used.
      spec.geoIP2.maxmindMirror.url (string, required)
        The URL for downloading GeoIP databases.
        Pattern: ^https?://.+$
        Examples:
          url: https://mirror.local
          url: https://mirror.local/GeoLite2-City.tar.gz (absolute path)
  spec.hostPort (object)
    Section of the HostPort inlet parameters.
    spec.hostPort.acceptClientIPHeadersFrom (array of strings)
      Defines a list of trusted CIDR ranges that are known to send correct X-Forwarded-*/ProxyProtocol headers.
      Default: [ "0.0.0.0/0" ]
      Example:
        acceptClientIPHeadersFrom:
          - 192.168.0.0/24
      Element of the array (string)
        Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$
    spec.hostPort.behindL7Proxy (boolean)
      Enables processing and passing of the incoming X-Forwarded-* headers.
      Caution. Before using this option, ensure that requests to the Ingress come from trusted sources only. To set restrictions, use the acceptRequestsFrom parameter.
    spec.hostPort.httpPort (integer)
      Port for insecure HTTP connections.
      If the parameter is not set, HTTP connections cannot be established.
      This parameter is required if httpsPort is not set.
      Example: httpPort: 80
    spec.hostPort.httpsPort (integer)
      Port for secure HTTPS connections.
      If the parameter is not set, HTTPS connections cannot be established.
      This parameter is required if httpPort is not set.
      Example: httpsPort: 443
    spec.hostPort.realIPHeader (string)
      The header used to identify the original IP address of a client.
      This option works only if behindL7Proxy is enabled.
      Default: X-Forwarded-For
      Example: realIPHeader: CF-Connecting-IP
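Added example (not from the module documentation) that ties together the acceptRequestsFrom description above and the hostPort.behindL7Proxy caution: a HostPort controller placed behind an external L7 proxy, which accepts TCP connections only from the proxy's range, trusts client-IP headers only from that same range, and reads the client address from a proxy-specific header. The CIDR, controller name and header choice are constructed; apiVersion deckhouse.io/v1 is assumed from the module's other examples.

```yaml
# Added example, not from the Deckhouse docs. CIDRs and names are constructed.
apiVersion: deckhouse.io/v1
kind: IngressNginxController
metadata:
  name: behind-edge-proxy
spec:
  ingressClass: nginx
  inlet: HostPort
  # Checked against the TCP peer address (original_address in the logs), never
  # against a header, so a client that bypasses the proxy is closed with 444
  # even if it sends its own X-Forwarded-For.
  acceptRequestsFrom:
    - 192.168.0.0/24        # the edge proxy's address range (constructed)
  hostPort:
    httpPort: 80
    httpsPort: 443
    # Process incoming X-Forwarded-* headers. Restrict sources first
    # (acceptRequestsFrom above): any peer allowed to connect could otherwise
    # present an arbitrary client address.
    behindL7Proxy: true
    # The default [ "0.0.0.0/0" ] trusts these headers from every peer; narrow
    # it to the same proxy range so only the proxy can set the client IP.
    acceptClientIPHeadersFrom:
      - 192.168.0.0/24
    # Header the proxy uses to carry the client address (default X-Forwarded-For).
    realIPHeader: CF-Connecting-IP
```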
  spec.hostPortWithProxyProtocol (object)
    Section of the HostPortWithProxyProtocol inlet parameters.
    spec.hostPortWithProxyProtocol.acceptClientIPHeadersFrom (array of strings)
      Defines a list of trusted CIDR ranges that are known to send correct X-Forwarded-*/ProxyProtocol headers.
      Default: [ "0.0.0.0/0" ]
      Example:
        acceptClientIPHeadersFrom:
          - 192.168.0.0/24
      Element of the array (string)
        Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$
    spec.hostPortWithProxyProtocol.httpPort (integer)
      Port for insecure HTTP connections.
      If the parameter is not set, HTTP connections cannot be established.
      This parameter is required if httpsPort is not set.
      Example: httpPort: 80
    spec.hostPortWithProxyProtocol.httpsPort (integer)
      Port for secure HTTPS connections.
      If the parameter is not set, HTTPS connections cannot be established.
      This parameter is required if httpPort is not set.
      Example: httpsPort: 443
  spec.hostPortWithSSLPassthrough (object)
    Section of the HostPortWithSSLPassthrough inlet parameters.
    spec.hostPortWithSSLPassthrough.httpPort (integer)
      Port for insecure HTTP connections.
      If the parameter is not set, HTTP connections cannot be established.
      This parameter is required if httpsPort is not set.
      Example: httpPort: 80
    spec.hostPortWithSSLPassthrough.httpsPort (integer)
      Port for secure HTTPS connections.
      If the parameter is not set, HTTPS connections cannot be established.
      This parameter is required if httpPort is not set.
      Example: httpsPort: 443
  spec.hsts (boolean)
    Enables HTTP Strict-Transport-Security (HSTS) response headers.
    For details on HSTS headers, refer to the MDN Web Docs article.
    Default: false
  spec.hstsOptions (object)
    HSTS parameters.
    spec.hstsOptions.includeSubDomains (boolean)
      Applies the HSTS parameters to all subdomains of the website.
      Default: false
    spec.hstsOptions.maxAge (string)
      Time in seconds during which the browser remembers that the website is only accessible via HTTPS.
      Default: 31536000
      Pattern: ^[1-9][0-9]*$
      Example: maxAge: '31536000'
    spec.hstsOptions.preload (boolean)
      Adds the website to the preload list.
      The list instructs browsers to connect to the listed websites over HTTPS only.
      Default: false
  spec.ingressClass (string)
    Name of the Ingress class to use with the Ingress NGINX Controller.
    Using this option, you can create several controllers to use with a single Ingress class.
    If you set it to nginx, Ingress resources without the kubernetes.io/ingress.class annotation or the spec.ingressClassName field are handled as well.
    Default: nginx
    Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
    Example: ingressClass: nginx
  spec.inlet (string, required)
    The way external traffic is routed to the cluster. Once you set the method, you cannot change it later.
    Allowed values:
      - LoadBalancer: the Ingress controller is deployed, and a LoadBalancer-type service is provisioned.
      - LoadBalancerWithProxyProtocol: the Ingress controller is deployed, and a LoadBalancer-type service is provisioned. The Ingress controller uses the proxy protocol to get the real IP address of the client.
        Note. HTTP/3 (enableHTTP3) cannot be enabled with this inlet because QUIC is incompatible with the PROXY protocol.
      - LoadBalancerWithSSLPassthrough: the Ingress controller is deployed, and a LoadBalancer-type service is provisioned. This option enables the SSL Passthrough feature, allowing backends to accept SSL traffic directly without termination at the Ingress controller.
        The SSL Passthrough feature is implemented by intercepting all traffic on the configured HTTPS port (default: 443) and routing it to a local TCP proxy. This implementation bypasses nginx completely and introduces a significant performance penalty.
        SSL Passthrough relies on Server Name Indication (SNI) and reads the virtual domain from the TLS handshake, which requires a compatible client.
        If the host name does not match the requested host name, the request is forwarded to NGINX on the configured SSL Passthrough proxy port (default: 442), which subsequently proxies the request to the default backend.
        Unlike HTTP backends, traffic to SSL Passthrough backends is routed to the ClusterIP of the backing service instead of individual endpoints.
        Since SSL Passthrough works at layer 4 of the OSI model (TCP) and not at layer 7 (HTTP), it makes it impossible to use other annotations configured on an Ingress object.
      - HostPort: the Ingress controller is deployed and made available on node ports via hostPort.
      - HostPortWithProxyProtocol: the Ingress controller is deployed and made available on node ports via hostPort. The Ingress controller uses the proxy protocol to get the real IP address of the client.
        Caution. When using this inlet, ensure that requests to the Ingress come from trusted sources only. To enforce this, use the acceptRequestsFrom parameter.
        Note. HTTP/3 (enableHTTP3) cannot be enabled with this inlet because QUIC is incompatible with the PROXY protocol.
      - HostPortWithSSLPassthrough: the Ingress controller is deployed and made available on node ports via hostPort. This option enables the SSL Passthrough feature, allowing backends to accept SSL traffic directly without termination at the Ingress controller. Specify the inlet parameters in the spec.hostPortWithSSLPassthrough section.
        SSL Passthrough relies on SNI and reads the virtual domain from the TLS handshake, which requires a compatible client.
        If the host name does not match the requested host name, the request is forwarded to NGINX on the configured SSL Passthrough proxy port (default: 442), which subsequently proxies the request to the default backend.
        The SSL Passthrough feature is implemented by intercepting all traffic on the configured HTTPS port (default: 443) and routing it to a local TCP proxy. This implementation bypasses nginx completely and introduces a significant performance penalty.
        Unlike HTTP backends, traffic to SSL Passthrough backends is routed to the ClusterIP of the backing service instead of individual endpoints.
        Since SSL Passthrough works at layer 4 of the OSI model (TCP) and not at layer 7 (HTTP), it makes it impossible to use other annotations configured on an Ingress object.
      - HostWithFailover: two Ingress controllers are deployed, a primary and a backup. The primary controller runs in hostNetwork. If the primary controller pods are unavailable, traffic is routed to the backup controller. There can be only one controller with this inlet type on a single host.
        Ensure the following ports are available on the node: 80, 81, 443, 444, 4207, 4208.
        To change the inlet, remove the iptables rules and restart the kube-proxy pods or reboot the nodes hosting the Ingress controllers.
        This inlet cannot be used if the enableIstioSidecar parameter is enabled.
        Note. When HTTP/3 (enableHTTP3) is enabled, it is applied only to the primary controller; the failover controller always runs without HTTP/3.
    Allowed values: LoadBalancer, LoadBalancerWithSSLPassthrough, LoadBalancerWithProxyProtocol, HostPort, HostPortWithSSLPassthrough, HostPortWithProxyProtocol, HostWithFailover
  spec.legacySSL (boolean)
    Enables outdated versions of the TLS protocol and cipher suites.
    Enables the following TLS protocol versions: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3.
    Enables the following cipher suites, in order from the strongest to the weakest: ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES256-SHA, ECDHE-ECDSA-AES128-SHA, ECDHE-RSA-AES128-SHA, AES256-GCM-SHA384, AES128-GCM-SHA256, AES256-SHA256, AES128-SHA256, AES256-SHA, AES128-SHA.
    By default, only TLSv1.2 and TLSv1.3 with the newest cipher suites are enabled.
  spec.loadBalancer (object)
    Section of the LoadBalancer inlet parameters.
    spec.loadBalancer.acceptClientIPHeadersFrom (array of strings)
      Defines a list of trusted CIDR ranges that are known to send correct X-Forwarded-*/ProxyProtocol headers.
      Default: [ "0.0.0.0/0" ]
      Example:
        acceptClientIPHeadersFrom:
          - 192.168.0.0/24
      Element of the array (string)
        Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$
    spec.loadBalancer.annotations (object)
      Annotations to assign to the service for flexible configuration of the load balancer.
      The module does not take into account the specifics of setting annotations in different clouds.
      If annotations for provisioning a load balancer are applied only when the service is created, recreate the IngressNginxController resource to update the respective parameters (or create a new resource and then delete the old one).
    spec.loadBalancer.behindL7Proxy (boolean)
      Enables processing and passing of the incoming X-Forwarded-* headers.
      Caution. Before using this option, ensure that requests to the Ingress come from trusted sources only.
    spec.loadBalancer.httpPort (integer)
      External port for insecure HTTP connections exposed by the provisioned LoadBalancer service.
      If neither httpPort nor httpsPort is set, the service exposes the standard ports 80 and 443. If at least one of these parameters is specified, the service listens only on the explicitly specified port for the corresponding connection type; for the connection type with no parameter specified, nothing changes and the standard port is still listened on.
      Caution. Changing service ports may trigger provider-specific side effects (for example, recreating the LoadBalancer or changing its public IP address). Such behavior depends on the cloud implementation; test it before using it in production.
      Caution. ACME HTTP-01 challenges (e.g. Let's Encrypt via cert-manager) require the Ingress controller to be reachable on TCP port 80. If you set httpsPort without httpPort, or set httpPort to a value other than 80, certificate issuance/renewal may stop working unless you use DNS-01 or forward port 80 to the controller externally.
      Caution. Many applications (including some Deckhouse module components) form absolute URLs and redirects without an explicit port (assuming the standard ports 80/443). If you expose the Ingress controller on non-standard external ports, users may be redirected to the wrong port and links may be generated incorrectly; prefer using standard ports externally or configure external port forwarding/proxying.
      Default: 80
      Allowed values: 1 <= X <= 65535
    spec.loadBalancer.httpsPort (integer)
      External port for secure HTTPS connections exposed by the provisioned LoadBalancer service.
      If neither httpPort nor httpsPort is set, the service exposes the standard ports 80 and 443. If at least one of these parameters is specified, the service listens only on the explicitly specified port for the corresponding connection type; for the connection type with no parameter specified, nothing changes and the standard port is still listened on.
      Caution. Changing service ports may trigger provider-specific side effects (for example, recreating the LoadBalancer or changing its public IP address). Such behavior depends on the cloud implementation; test it before using it in production.
      Caution. Many applications (including some Deckhouse module components) form absolute URLs and redirects without an explicit port (assuming the standard ports 80/443). If you set httpsPort to a non-standard value, users may be redirected to TCP port 443 and links may be generated incorrectly; prefer using standard ports externally or configure external port forwarding/proxying.
      Default: 443
      Allowed values: 1 <= X <= 65535
    spec.loadBalancer.loadBalancerClass (string)
      Class of the load balancer for incoming network requests (passed to the spec.loadBalancerClass field of the provisioned LoadBalancer-type service).
    spec.loadBalancer.realIPHeader (string)
      The header used to identify the original IP address of a client.
      This option works only if behindL7Proxy is enabled.
      Default: X-Forwarded-For
      Example: realIPHeader: CF-Connecting-IP
    spec.loadBalancer.sourceRanges (array of strings)
      List of IP addresses in CIDR format that are allowed to access the load balancer.
      Caution. A cloud provider may not support this option or may ignore it.
      Providers supporting this option: AWS, Azure, GCP. Providers ignoring this option: Yandex Cloud.
      For other cloud providers, behavior may vary depending on the cloud implementation. Test this option before using it in a production environment.
      Element of the array (string)
        Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$
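Added example (not from the module documentation) of a LoadBalancer-inlet controller that combines the parameters described above: spec.loadBalancer.sourceRanges with the external ports left at their defaults, HSTS with hstsOptions, legacySSL left disabled, a defaultSSLCertificate taken from a Secret, customErrors, and a GeoIP2 mirror verified through a pinned CA rather than insecureSkipVerify. The CIDR ranges, Secret name, mirror URL and CA placeholder are constructed; apiVersion deckhouse.io/v1 is assumed from the module's other examples.

```yaml
# Added example, not from the Deckhouse docs. CIDRs, names and the CA body are constructed.
apiVersion: deckhouse.io/v1
kind: IngressNginxController
metadata:
  name: main
spec:
  ingressClass: nginx
  inlet: LoadBalancer
  controllerVersion: "1.12"
  minReplicas: 2
  maxReplicas: 4
  loadBalancer:
    # Cloud-level allow list. Honoured by AWS, Azure and GCP, ignored by
    # Yandex Cloud, so verify it on your provider before relying on it.
    sourceRanges:
      - 203.0.113.0/24
      - 198.51.100.0/24
    # httpPort/httpsPort are omitted: the service exposes 80 and 443, which
    # keeps ACME HTTP-01 challenges and port-less redirects working.
  # Outdated TLS versions and cipher suites stay off (this is the default).
  legacySSL: false
  hsts: true
  hstsOptions:
    maxAge: "31536000"          # string, must match ^[1-9][0-9]*$
    includeSubDomains: true
    preload: false
  defaultSSLCertificate:
    secretRef:
      name: wildcard-example-tls   # constructed Secret name
      namespace: d8-ingress-nginx  # the default namespace for the Secret
  # All three fields are required once the section is present; changing any
  # of them restarts every Ingress NGINX Controller.
  customErrors:
    codes: ["403", "404", "500", "502", "503"]
    namespace: default
    serviceName: custom-errors-backend-service
  geoIP2:
    maxmindEditionIDs:
      - GeoLite2-City
      - GeoLite2-ASN
    # A mirror hosting preloaded archives, so no license key is needed.
    maxmindMirror:
      url: https://geoip-mirror.internal.example   # constructed
      # Pin the mirror's CA instead of setting insecureSkipVerify: true.
      ca: |
        -----BEGIN CERTIFICATE-----
        <PLACEHOLDER: PEM body of the mirror CA certificate>
        -----END CERTIFICATE-----
```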
  spec.loadBalancerWithProxyProtocol (object)
    Section of the LoadBalancerWithProxyProtocol inlet parameters.
    spec.loadBalancerWithProxyProtocol.acceptClientIPHeadersFrom (array of strings)
      Defines a list of trusted CIDR ranges that are known to send correct X-Forwarded-*/ProxyProtocol headers.
      Default: [ "0.0.0.0/0" ]
      Example:
        acceptClientIPHeadersFrom:
          - 192.168.0.0/24
      Element of the array (string)
        Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$
    spec.loadBalancerWithProxyProtocol.annotations (object)
      Annotations to assign to the service for flexible configuration of the load balancer.
      The module does not take into account the specifics of setting annotations in different clouds.
      If annotations for provisioning a load balancer are applied only when the service is created, recreate the IngressNginxController resource to update the respective parameters (or create a new resource and then delete the old one).
    spec.loadBalancerWithProxyProtocol.httpPort (integer)
      External port for insecure HTTP connections exposed by the provisioned LoadBalancer service.
      If neither httpPort nor httpsPort is set, the service exposes the standard ports 80 and 443. If at least one of these parameters is specified, the service listens only on the explicitly specified port for the corresponding connection type; for the connection type with no parameter specified, nothing changes and the standard port is still listened on.
      Caution. Changing service ports may trigger provider-specific side effects (for example, recreating the LoadBalancer or changing its public IP address). Such behavior depends on the cloud implementation; test it before using it in production.
      Caution. ACME HTTP-01 challenges (e.g. Let's Encrypt via cert-manager) require the Ingress controller to be reachable on TCP port 80. If you set httpsPort without httpPort, or set httpPort to a value other than 80, certificate issuance/renewal may stop working unless you use DNS-01 or forward port 80 to the controller externally.
      Caution. Many applications (including some Deckhouse module components) form absolute URLs and redirects without an explicit port (assuming the standard ports 80/443). If you expose the Ingress controller on non-standard external ports, users may be redirected to the wrong port and links may be generated incorrectly; prefer using standard ports externally or configure external port forwarding/proxying.
      Default: 80
      Allowed values: 1 <= X <= 65535
    spec.loadBalancerWithProxyProtocol.httpsPort (integer)
      External port for secure HTTPS connections exposed by the provisioned LoadBalancer service.
      If neither httpPort nor httpsPort is set, the service exposes the standard ports 80 and 443. If at least one of these parameters is specified, the service listens only on the explicitly specified port for the corresponding connection type; for the connection type with no parameter specified, nothing changes and the standard port is still listened on.
      Caution. Changing service ports may trigger provider-specific side effects (for example, recreating the LoadBalancer or changing its public IP address). Such behavior depends on the cloud implementation; test it before using it in production.
      Caution. Many applications (including some Deckhouse module components) form absolute URLs and redirects without an explicit port (assuming the standard ports 80/443). If you set httpsPort to a non-standard value, users may be redirected to TCP port 443 and links may be generated incorrectly; prefer using standard ports externally or configure external port forwarding/proxying.
      Default: 443
      Allowed values: 1 <= X <= 65535
    spec.loadBalancerWithProxyProtocol.loadBalancerClass (string)
      Class of the load balancer for incoming network requests (passed to the spec.loadBalancerClass field of the provisioned LoadBalancer-type service).
    spec.loadBalancerWithProxyProtocol.sourceRanges (array of strings)
      List of IP addresses in CIDR format that are allowed to access the load balancer.
      Caution. A cloud provider may not support this option or may ignore it.
      Providers supporting this option: AWS, Azure, GCP. Providers ignoring this option: Yandex Cloud.
      For other cloud providers, behavior may vary depending on the cloud implementation. Test this option before using it in a production environment.
      Element of the array (string)
        Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$
  spec.loadBalancerWithSSLPassthrough (object)
    Section of the LoadBalancerWithSSLPassthrough inlet parameters.
    spec.loadBalancerWithSSLPassthrough.annotations (object)
      Annotations to assign to the service for flexible configuration of the load balancer.
      The module does not take into account the specifics of setting annotations in different clouds.
      If annotations for provisioning a load balancer are applied only when the service is created, recreate the IngressNginxController resource to update the respective parameters (or create a new resource and then delete the old one).
    spec.loadBalancerWithSSLPassthrough.httpPort (integer)
      External port for insecure HTTP connections exposed by the provisioned LoadBalancer service.
      If neither httpPort nor httpsPort is set, the service exposes the standard ports 80 and 443. If at least one of these parameters is specified, the service listens only on the explicitly specified port for the corresponding connection type; for the connection type with no parameter specified, nothing changes and the standard port is still listened on.
      Caution. Changing service ports may trigger provider-specific side effects (for example, recreating the LoadBalancer or changing its public IP address). Such behavior depends on the cloud implementation; test it before using it in production.
      Caution. ACME HTTP-01 challenges (e.g. Let's Encrypt via cert-manager) require the Ingress controller to be reachable on TCP port 80. If you set httpsPort without httpPort, or set httpPort to a value other than 80, certificate issuance/renewal may stop working unless you use DNS-01 or forward port 80 to the controller externally.
      Caution. Many applications (including some Deckhouse module components) form absolute URLs and redirects without an explicit port (assuming the standard ports 80/443). If you expose the Ingress controller on non-standard external ports, users may be redirected to the wrong port and links may be generated incorrectly; prefer using standard ports externally or configure external port forwarding/proxying.
      Default: 80
      Allowed values: 1 <= X <= 65535
    spec.loadBalancerWithSSLPassthrough.httpsPort (integer)
      External port for secure HTTPS connections exposed by the provisioned LoadBalancer service.
      If neither httpPort nor httpsPort is set, the service exposes the standard ports 80 and 443. If at least one of these parameters is specified, the service listens only on the explicitly specified port for the corresponding connection type; for the connection type with no parameter specified, nothing changes and the standard port is still listened on.
      Caution. Changing service ports may trigger provider-specific side effects (for example, recreating the LoadBalancer or changing its public IP address). Such behavior depends on the cloud implementation; test it before using it in production.
      Caution. Many applications (including some Deckhouse module components) form absolute URLs and redirects without an explicit port (assuming the standard ports 80/443). If you set httpsPort to a non-standard value, users may be redirected to TCP port 443 and links may be generated incorrectly; prefer using standard ports externally or configure external port forwarding/proxying.
      Default: 443
      Allowed values: 1 <= X <= 65535
    spec.loadBalancerWithSSLPassthrough.loadBalancerClass (string)
      Class of the load balancer for incoming network requests (passed to the spec.loadBalancerClass field of the provisioned LoadBalancer-type service).
    spec.loadBalancerWithSSLPassthrough.sourceRanges (array of strings)
      List of IP addresses in CIDR format that are allowed to access the load balancer.
      Caution. A cloud provider may not support this option or may ignore it.
      Providers supporting this option: AWS, Azure, GCP. Providers ignoring this option: Yandex Cloud.
      For other cloud providers, behavior may vary depending on the cloud implementation. Test this option before using it in a production environment.
      Element of the array (string)
        Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$
  spec.maxReplicas (integer)
    Maximum number of LoadBalancer, LoadBalancerWithProxyProtocol and LoadBalancerWithSSLPassthrough replicas for the HPA.
    Default: 1
    Allowed values: 1 <= X
  spec.minReplicas (integer)
    Minimum number of LoadBalancer, LoadBalancerWithProxyProtocol and LoadBalancerWithSSLPassthrough replicas for the HPA.
    Default: 1
    Allowed values: 1 <= X
  spec.nodeSelector (object)
    Same as the spec.nodeSelector parameter in Kubernetes Pods.
    If the parameter is omitted or set to false, DKP tries to determine the value automatically.
    Use the format of a standard nodeSelector list. Instance pods inherit this field as is.
objectspec.resourcesManagementCPU and memory request and limit settings for the controller Pods.
-
stringspec.resourcesManagement.mode
Required value
Resource management mode.Default:
VPAAllowed values:
VPA,Static -
objectspec.resourcesManagement.staticStatic mode settings.
-
objectspec.resourcesManagement.static.limitsResource limits.
-
stringspec.resourcesManagement.static.limits.cpuCPU limits.
-
stringspec.resourcesManagement.static.limits.memoryMemory limits.
-
-
objectspec.resourcesManagement.static.requestsResource requests.
-
stringspec.resourcesManagement.static.requests.cpuCPU requests.
Default:
350m -
stringspec.resourcesManagement.static.requests.memoryMemory requests.
Default:
500Mi
-
-
-
objectspec.resourcesManagement.vpaResource management settings for the VPA mode.
-
objectspec.resourcesManagement.vpa.cpuCPU-related VPA settings.
-
numberspec.resourcesManagement.vpa.cpu.limitRatio
The CPU limits/requests ratio.
If set, the limits are calculated based on the requests and the specified ratio.
-
stringspec.resourcesManagement.vpa.cpu.maxMaximum value of allowed CPU requests to be submitted by the VPA.
Default:
1500m -
stringspec.resourcesManagement.vpa.cpu.minMinimum value of allowed CPU requests to be submitted by the VPA.
Default:
100m
-
-
objectspec.resourcesManagement.vpa.memoryMemory-related VPA settings.
-
numberspec.resourcesManagement.vpa.memory.limitRatio
The memory limits/requests ratio.
If set, the limits are calculated based on the requests and the specified ratio.
-
stringspec.resourcesManagement.vpa.memory.maxMaximum value of allowed memory requests to be submitted by the VPA.
Default:
2000Mi -
stringspec.resourcesManagement.vpa.memory.minMinimum value of allowed memory requests to be submitted by the VPA.
Default:
500Mi
-
-
stringspec.resourcesManagement.vpa.modeVPA operating mode.
Default:
InitialAllowed values:
Initial,InPlaceOrRecreate
-
-
-
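The following Python snippet is an added example, not part of this reference or of the module's own code. It shows how the spec.resourcesManagement parameters combine: Kubernetes quantity strings such as 350m, 1500m, 500Mi and 2000Mi are parsed, a VPA request recommendation is kept inside the configured min/max, and limitRatio derives the limit from the request. The sample recommendation is constructed; the reading that the VPA clamps the recommended request into [min, max] before limitRatio is applied is this example's assumption, not a statement from the reference.

```python
"""Resource sizing under spec.resourcesManagement (added illustration,
not the module's own code). Assumption: the VPA recommendation is clamped
into [min, max] and limitRatio is then applied to the resulting request."""
import re
from fractions import Fraction

# Quantity suffixes: CPU is expressed in cores, memory in bytes.
_SUFFIX = {"": Fraction(1), "m": Fraction(1, 1000),
           "k": Fraction(10**3), "M": Fraction(10**6), "G": Fraction(10**9),
           "Ki": Fraction(2**10), "Mi": Fraction(2**20), "Gi": Fraction(2**30)}
_QTY = re.compile(r"^(\d+(?:\.\d+)?)([A-Za-z]*)$")


def parse_quantity(q) -> Fraction:
    """Parse a Kubernetes quantity string ('1500m', '500Mi', '2') exactly."""
    m = _QTY.match(str(q).strip())
    if not m or m.group(2) not in _SUFFIX:
        raise ValueError(f"unsupported quantity: {q!r}")
    return Fraction(m.group(1)) * _SUFFIX[m.group(2)]


def format_cpu(v: Fraction) -> str:
    """Whole cores as '2', otherwise millicores as '1500m'."""
    return str(v.numerator) if v.denominator == 1 else f"{int(v * 1000)}m"


def format_memory(v: Fraction) -> str:
    """Mebibytes, rounded down, as '750Mi'."""
    return f"{int(v / 2**20)}Mi"


# Defaults stated in the reference for the Static and VPA modes.
STATIC_DEFAULTS = {"cpu": "350m", "memory": "500Mi"}
VPA_DEFAULTS = {"cpu": {"min": "100m", "max": "1500m"},
                "memory": {"min": "500Mi", "max": "2000Mi"}}


def effective_resources(rm: dict, recommendation: dict) -> dict:
    """Return {'requests': {...}, 'limits': {...}} as quantity strings.

    rm is the spec.resourcesManagement object; recommendation is the
    request the VPA proposes per resource (constructed input, ignored in
    Static mode)."""
    fmt = {"cpu": format_cpu, "memory": format_memory}
    out = {"requests": {}, "limits": {}}
    if rm.get("mode", "VPA") == "Static":
        static = rm.get("static", {})
        for res in ("cpu", "memory"):
            out["requests"][res] = static.get("requests", {}).get(res, STATIC_DEFAULTS[res])
            lim = static.get("limits", {}).get(res)
            if lim is not None:
                out["limits"][res] = lim
        return out
    vpa = rm.get("vpa", {})
    for res in ("cpu", "memory"):
        cfg = {**VPA_DEFAULTS[res], **vpa.get(res, {})}
        lo, hi = parse_quantity(cfg["min"]), parse_quantity(cfg["max"])
        # Clamp the recommendation into [min, max] (assumption, see docstring).
        req = min(max(parse_quantity(recommendation[res]), lo), hi)
        out["requests"][res] = fmt[res](req)
        ratio = cfg.get("limitRatio")
        if ratio is not None:
            out["limits"][res] = fmt[res](req * Fraction(str(ratio)))
    return out


if __name__ == "__main__":
    # Constructed sample: VPA mode with the reference defaults and ratios 2 / 1.5.
    rm = {"mode": "VPA", "vpa": {"cpu": {"limitRatio": 2}, "memory": {"limitRatio": 1.5}}}
    print(effective_resources(rm, {"cpu": "3", "memory": "300Mi"}))
```

With the defaults, a 3-core recommendation is capped at 1500m and a 300Mi recommendation is raised to 500Mi; the limits follow from the ratios. Exact fractions are used so that millicore and mebibyte arithmetic does not accumulate floating-point error.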
- spec.tolerations (array of objects)
  Same as the spec.tolerations parameter in Kubernetes Pods.
  If the parameter is omitted or set to false, all the possible tolerations are automatically applied to the module's Pods.
  Use the format of a standard toleration list. Instance pods inherit this field as is.
  - spec.tolerations.effect (string)
    Allowed values: NoSchedule, PreferNoSchedule, NoExecute
  - spec.tolerations.key (string)
  - spec.tolerations.operator (string)
    Default: Equal
    Allowed values: Exists, Equal
  - spec.tolerations.tolerationSeconds (integer)
  - spec.tolerations.value (string)
- spec.underscoresInHeaders (boolean)
  Enables using the underscore symbol in headers.
  Default: false
- spec.validationEnabled (boolean)
  Enables validation for Ingress rules.
  Warning. Enabling validation increases the load on the master nodes of the cluster.
  Default: true
- spec.validationIsolationMode (string)
  Selects the validation isolation mode.
  Note. This configuration is applied only to controller versions 1.14 and 1.15.
  Supported modes:
  - NoIsolation: No isolation is applied during NGINX configuration validation. To minimize security risks, the validation scope is limited to a single Ingress object, resulting in weak validation.
  - IsolatedFilesystem: NGINX configuration validation is executed in a separate file system with no access to the file system of the running NGINX server, effectively limiting the attack surface. The validation scope is limited by the ingressClass parameter, resulting in strong validation.
  - IsolatedProcess: NGINX configuration validation is executed inside a sandboxed environment where every syscall is traced. It is the most secure isolation mode, limited by the ingressClass parameter.
  Note. IsolatedProcess mode is experimental and may not work in hardened environments where creating new user namespaces or using ptrace is prohibited.
  Note. IsolatedProcess requires containerd v2 running on target nodes.
  Default: NoIsolation
  Allowed values: NoIsolation, IsolatedFilesystem, IsolatedProcess
- spec.waitLoadBalancerOnTerminating (integer)
  Number of seconds before the /healthz endpoint begins returning the 500 code when the pod enters the Terminating state.
status (object)
- status.loadBalancer (object)
  Contains the IP address and hostname of the associated load balancer.
  - status.loadBalancer.hostname (string)
    Hostname of the load balancer.
  - status.loadBalancer.ip (string)
    IP address of the load balancer.
spec (object)
- spec.acceptRequestsFrom (array of strings)
  List of IP addresses in the CIDR format that are allowed to access the load balancer.
  Regardless of the inlet type, the address to be verified (the original_address field in logs) is always the original IP address the connection is established from, and not the client address that can be passed in some inlets via headers or using the proxy protocol.
  This parameter is implemented using the map module. If the original address is not allowed, nginx closes the connection, returning the code 444.
  By default, the controller can be connected to from any address.
  - spec.acceptRequestsFrom (string), element of the array
    Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$
- spec.additionalHeaders (object)
  Additional headers to add to all requests. Use the key: value (string) format.
- spec.additionalLogFields (object)
  Additional fields to add to nginx logs. Use the key: value (string) format.
- spec.annotationValidationEnabled (boolean)
  Enables validation for Ingress rule annotations.
  Default: false
- spec.chaosMonkey (boolean)
  Tool for unexpected and random termination of Ingress controller Pods in a systemic manner.
  Intended for testing the fault tolerance of the Ingress controller.
  Default: false
- spec.config (object)
  Section of the Ingress controller parameters where you can add any supported option in the key: value (string) format.
  An error in options may lead to the failure of the Ingress controller.
  Be careful when using this parameter, as backward compatibility or stability of the target Ingress controller are not guaranteed.
- spec.controllerLogLevel (string)
  Defines the verbosity level for the Ingress controller logs.
  Default: Info
  Allowed values:
  - Error: Only critical errors will be logged.
  - Warn: Warnings and errors will be logged.
  - Info: Informational messages, including basic debugging information.
  - Extended: Extended information about changes in system state.
  - Debug: Verbose debugging output, potentially very noisy.
  - Trace: Trace-level logs with detailed step-by-step context.
- spec.controllerPodsAdditionalAnnotations (object)
  Additional custom annotations for Ingress controller pods.
  Be careful when using this parameter, as backward compatibility or stability of the target Ingress controller are not guaranteed.
- spec.controllerVersion (string)
  Ingress NGINX Controller version.
  By default, the version set in the module settings is used.
  Allowed values: 1.10, 1.12, 1.14, 1.15
- spec.customErrors (object)
  Section with parameters for HTTP error customization.
  If this section is defined in the configuration, all its parameters are required.
  Changing any parameter causes the restart of all Ingress NGINX Controllers.
  - spec.customErrors.codes (array of strings)
    Required value.
    List of response codes (array) causing redirection to the custom backend.
    - spec.customErrors.codes (string), element of the array
      Pattern: ^[1-5][0-9][0-9]$
  - spec.customErrors.namespace (string)
    Required value.
    Name of the namespace keeping the service used as a default custom backend.
    Example: namespace: default
  - spec.customErrors.serviceName (string)
    Required value.
    Name of the service to be used as a default custom backend.
    Example: serviceName: custom-errors-backend-service
- spec.defaultSSLCertificate (object)
  The certificate that is used:
  - For catch-all server requests (here, "catch-all server" refers to the nginx server directive; requests without a corresponding Ingress resource end up on the catch-all server).
  - For Ingress resources that do not have a secretName specified in the tls section.
  By default, a self-signed certificate is used.
  Caution. This parameter does not affect certificates used in the Ingress resources of the Deckhouse modules. To specify the certificate to use in the Ingress resources of Deckhouse modules, use the global parameter modules.https.customCertificate.
  - spec.defaultSSLCertificate.secretRef (object)
    Link to the Secret for passing to the Ingress controller.
    - spec.defaultSSLCertificate.secretRef.name (string)
      Name of the Secret containing the SSL certificate.
      Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
    - spec.defaultSSLCertificate.secretRef.namespace (string)
      Name of the namespace containing the Secret with the SSL certificate.
      Default: d8-ingress-nginx
      Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- spec.disableHTTP2 (boolean)
  Disables HTTP/2 support.
  Default: false
- spec.enableHTTP3 (boolean)
  Enables HTTP/3 support.
  HTTP/3 cannot be enabled when the inlet is set to HostPortWithProxyProtocol or LoadBalancerWithProxyProtocol.
  For the HostWithFailover inlet, HTTP/3 is applied only to the primary controller; the failover controller always runs without HTTP/3.
  Default: false
- spec.enableIstioSidecar (boolean)
  Attaches annotations to the controller pods to automatically inject Istio sidecar containers.
  After setting this parameter, the sidecar.istio.io/inject: "true" and traffic.sidecar.istio.io/includeOutboundIPRanges: "<Service CIDR>" annotations will be attached to the Ingress controller pods. When these pods are created, Istio sidecars will be automatically added to them via a mutating webhook. After that, the sidecar will intercept all traffic directed to the Service CIDR.
  To use this feature, add the following annotations to your Ingress resources:
  - nginx.ingress.kubernetes.io/service-upstream: "true": Using this annotation, the Ingress controller sends requests to a service ClusterIP (from the Service CIDR) instead of sending them to the application pods. The istio-proxy sidecar only intercepts traffic directed to the Service CIDR, while the remaining requests are sent directly.
  - nginx.ingress.kubernetes.io/upstream-vhost: myservice.myns.svc: Using this annotation, the sidecar can identify the application service that serves requests.
  Caution. This parameter cannot be enabled if the Ingress controller inlet is set to HostWithFailover.
- spec.geoIP2 (object)
  GeoIP2 activation options.
  - spec.geoIP2.maxmindAccountID (integer)
    MaxMind Account ID used to authenticate GeoIP2 database downloads.
    Required when licenseKey is set. If the accountID parameter is provided, downloads are performed using the official geoipupdate library (https://github.com/maxmind/geoipupdate), which allows you to skip unchanged updates and save the license limit.
    Allowed values: 1 <= X
  - spec.geoIP2.maxmindEditionIDs (array of strings)
    List of database revisions to download at startup.
    For details on GeoLite databases, refer to the MaxMind blog article.
    Default: [ "GeoLite2-City", "GeoLite2-ASN" ]
    - spec.geoIP2.maxmindEditionIDs (string), element of the array
      Allowed values: GeoIP2-Anonymous-IP, GeoIP2-Country, GeoIP2-City, GeoIP2-Connection-Type, GeoIP2-Domain, GeoIP2-ISP, GeoIP2-ASN, GeoLite2-ASN, GeoLite2-Country, GeoLite2-City
  - spec.geoIP2.maxmindLicenseKey (string)
    License key to download the GeoIP2 database.
    If the key is set in the configuration, the module downloads the GeoIP2 database every time the controller is started. For details on obtaining a key, refer to the MaxMind blog article.
  - spec.geoIP2.maxmindMirror (object)
    Mirror configuration for downloading GeoIP databases. If no parameter is specified or the parameter has an empty value, the default value will be used, which is https://download.maxmind.com.
    If this mirror is used to host preloaded archives, the licenseKey parameter may be omitted.
    - spec.geoIP2.maxmindMirror.ca (string)
      Custom CA certificate in PEM format for verifying TLS connections to the mirror.
      Example:
      ca: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
    - spec.geoIP2.maxmindMirror.insecureSkipVerify (boolean)
      Skip TLS certificate verification for the mirror, for example when using self-signed certificates.
    - spec.geoIP2.maxmindMirror.url (string)
      Required value.
      The URL for downloading GeoIP databases.
      Pattern: ^https?://.+$
      Examples:
      url: https://mirror.local
      url: https://mirror.local/GeoLite2-City.tar.gz (absolute path to the archive)
- spec.hostPort (object)
  Section of the HostPort inlet parameters.
  - spec.hostPort.acceptClientIPHeadersFrom (array of strings)
    Defines a list of trusted CIDR ranges that are known to send correct X-Forwarded-*/ProxyProtocol headers.
    Default: [ "0.0.0.0/0" ]
    Example:
    acceptClientIPHeadersFrom:
    - 192.168.0.0/24
    - spec.hostPort.acceptClientIPHeadersFrom (string), element of the array
      Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$
  - spec.hostPort.behindL7Proxy (boolean)
    Enables processing and passing of the incoming X-Forwarded-* headers.
    Caution. Before using this option, ensure that requests to the Ingress come from trusted sources only. To set restrictions, use the acceptRequestsFrom parameter.
  - spec.hostPort.httpPort (integer)
    Port for insecure HTTP connections.
    If the parameter is not set, HTTP connections cannot be established.
    This parameter is required if httpsPort is not set.
    Example: httpPort: 80
  - spec.hostPort.httpsPort (integer)
    Port for secure HTTPS connections.
    If the parameter is not set, HTTPS connections cannot be established.
    This parameter is required if httpPort is not set.
    Example: httpsPort: 443
  - spec.hostPort.realIPHeader (string)
    The header for identifying the original IP address of a client.
    This option works only if behindL7Proxy is enabled.
    Default: X-Forwarded-For
    Example: realIPHeader: CF-Connecting-IP
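The following Python snippet is an added example, not code from this reference or from the module, modelling the two address decisions described above: spec.acceptRequestsFrom is checked against the address the TCP connection comes from (the original_address in logs), never against a header, and the hostPort inlet's behindL7Proxy, acceptClientIPHeadersFrom and realIPHeader parameters decide whether a client-IP header is honoured at all. The sample peers, ranges and headers are constructed; taking the leftmost address of a comma-separated header value is this example's simplification, not necessarily the controller's exact rule.

```python
"""Client-address decisions for an IngressNginxController (added
illustration, not the module's code). Sample inputs are constructed."""
import ipaddress


def _in_ranges(addr: str, cidrs) -> bool:
    """True when addr lies inside any of the CIDR ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def accept_connection(original_address: str, accept_requests_from=None):
    """spec.acceptRequestsFrom: the decision is made on the address the TCP
    connection is established from, so a spoofed X-Forwarded-For cannot
    bypass it. Returns None when accepted, or 444 (the code nginx returns
    while closing the connection) when rejected. An absent or empty list
    means any address is accepted, which is the documented default."""
    if not accept_requests_from:
        return None
    return None if _in_ranges(original_address, accept_requests_from) else 444


def resolve_client_ip(original_address: str, headers: dict, host_port: dict) -> str:
    """hostPort inlet: the real-IP header is honoured only when behindL7Proxy
    is enabled and the peer is inside acceptClientIPHeadersFrom (default
    0.0.0.0/0). Otherwise, or when the header is absent or malformed, the
    peer address is the client address. Simplification (this example's):
    the leftmost address of a comma-separated list is used."""
    if not host_port.get("behindL7Proxy"):
        return original_address
    trusted = host_port.get("acceptClientIPHeadersFrom", ["0.0.0.0/0"])
    if not _in_ranges(original_address, trusted):
        return original_address
    header = host_port.get("realIPHeader", "X-Forwarded-For")
    value = next((v for k, v in headers.items() if k.lower() == header.lower()), "")
    candidate = value.split(",")[0].strip()
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return original_address
    return candidate


# Constructed sample: one trusted L7 proxy subnet, header processing enabled.
HOST_PORT = {"behindL7Proxy": True,
             "acceptClientIPHeadersFrom": ["192.168.0.0/24"],
             "realIPHeader": "X-Forwarded-For"}


def demo() -> dict:
    """Run the constructed scenarios and return the resulting decisions."""
    return {
        "via_proxy": resolve_client_ip("192.168.0.10", {"X-Forwarded-For": "203.0.113.7, 192.168.0.10"}, HOST_PORT),
        "spoofed_direct": resolve_client_ip("198.51.100.9", {"X-Forwarded-For": "203.0.113.7"}, HOST_PORT),
        "rejected": accept_connection("198.51.100.9", ["192.168.0.0/24"]),
        "accepted": accept_connection("192.168.0.10", ["192.168.0.0/24"]),
    }


if __name__ == "__main__":
    print(demo())
```

The two scenarios worth noting are "spoofed_direct", where a peer outside acceptClientIPHeadersFrom presents a forged header and is still logged under its own address, and "rejected", where the connection is closed with 444 regardless of any header content. With the default 0.0.0.0/0 trust range every peer's header would be honoured, which is why the reference pairs behindL7Proxy with a restriction on acceptRequestsFrom.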
- spec.hostPortWithProxyProtocol (object)
  Section of the HostPortWithProxyProtocol inlet parameters.
  - spec.hostPortWithProxyProtocol.acceptClientIPHeadersFrom (array of strings)
    Defines a list of trusted CIDR ranges that are known to send correct X-Forwarded-*/ProxyProtocol headers.
    Default: [ "0.0.0.0/0" ]
    Example:
    acceptClientIPHeadersFrom:
    - 192.168.0.0/24
    - spec.hostPortWithProxyProtocol.acceptClientIPHeadersFrom (string), element of the array
      Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$
  - spec.hostPortWithProxyProtocol.httpPort (integer)
    Port for insecure HTTP connections.
    If the parameter is not set, HTTP connections cannot be established.
    This parameter is required if httpsPort is not set.
    Example: httpPort: 80
  - spec.hostPortWithProxyProtocol.httpsPort (integer)
    Port for secure HTTPS connections.
    If the parameter is not set, HTTPS connections cannot be established.
    This parameter is required if httpPort is not set.
    Example: httpsPort: 443
- spec.hostPortWithSSLPassthrough (object)
  Section of the HostPortWithSSLPassthrough inlet parameters.
  - spec.hostPortWithSSLPassthrough.httpPort (integer)
    Port for insecure HTTP connections.
    If the parameter is not set, HTTP connections cannot be established.
    This parameter is required if httpsPort is not set.
    Example: httpPort: 80
  - spec.hostPortWithSSLPassthrough.httpsPort (integer)
    Port for secure HTTPS connections.
    If the parameter is not set, HTTPS connections cannot be established.
    This parameter is required if httpPort is not set.
    Example: httpsPort: 443
- spec.hsts (boolean)
  Enables HTTP Strict-Transport-Security (HSTS) response headers. For details on HSTS headers, refer to the MDN Web Docs article.
  Default: false
- spec.hstsOptions (object)
  HSTS parameters.
  - spec.hstsOptions.includeSubDomains (boolean)
    Applies HSTS parameters to all subdomains of a website.
    Default: false
  - spec.hstsOptions.maxAge (string)
    Time in seconds during which the browser remembers that the website is only accessible via HTTPS.
    Default: 31536000
    Pattern: ^[1-9][0-9]*$
    Example: maxAge: '31536000'
  - spec.hstsOptions.preload (boolean)
    Adds a website to the preload list.
    The list instructs browsers to establish connections to the specified websites over HTTPS only.
    Default: false
- spec.ingressClass (string)
  Name of the Ingress class to use with the Ingress NGINX Controller.
  Using this option, you can create several controllers to use with a single Ingress class.
  If you set it to nginx, Ingress resources without the kubernetes.io/ingress.class annotation or the spec.ingressClassName field will be handled as well.
  Default: nginx
  Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  Example: ingressClass: nginx
- spec.inlet (string)
  Required value.
  The way external traffic is routed to the cluster. Once you set the method, you cannot change it later.
  Allowed values:
  - LoadBalancer: The Ingress controller is deployed, and a LoadBalancer-type service is provisioned.
  - LoadBalancerWithProxyProtocol: The Ingress controller is deployed, and a LoadBalancer-type service is provisioned. The Ingress controller uses the proxy protocol to get the real IP address of the client.
    Note. HTTP/3 (enableHTTP3) cannot be enabled with this inlet because QUIC is incompatible with the PROXY protocol.
  - LoadBalancerWithSSLPassthrough: The Ingress controller is deployed, and a LoadBalancer-type service is provisioned. This option enables the SSL Passthrough feature, allowing backends to be configured to accept SSL traffic directly without termination at the Ingress controller.
    The SSL Passthrough feature is implemented by intercepting all traffic on the configured HTTPS port (default: 443) and routing it to a local TCP proxy. This implementation bypasses nginx completely and introduces a significant performance penalty.
    The SSL Passthrough protocol leverages Server Name Indication (SNI) and reads the virtual domain data from the TLS handshake protocol, which requires a compatible client.
    If the host name doesn't match the requested host name, the request is forwarded to NGINX on the configured SSL Passthrough proxy port (default: 442), which subsequently proxies the request to the default backend.
    Unlike HTTP backends, traffic to SSL Passthrough backends is routed to the ClusterIP of the backing service instead of individual endpoints.
    Since SSL Passthrough works at layer 4 of the OSI model (TCP) and not layer 7 (HTTP), using SSL Passthrough makes it impossible to use other annotations configured on an Ingress object.
  - HostPort: The Ingress controller is deployed and made available on node ports via hostPort.
  - HostPortWithProxyProtocol: The Ingress controller is deployed and made available on node ports via hostPort. The Ingress controller uses the proxy protocol to get the real IP address of the client.
    Caution. When using this inlet, ensure that requests to the Ingress come from trusted sources only. To enforce it, use the acceptRequestsFrom parameter.
    Note. HTTP/3 (enableHTTP3) cannot be enabled with this inlet because QUIC is incompatible with the PROXY protocol.
  - HostPortWithSSLPassthrough: The Ingress controller is deployed and made available on node ports via hostPort. This option enables the SSL Passthrough feature, allowing backends to be configured to accept SSL traffic directly without termination at the Ingress controller.
    Specify inlet parameters in the spec.HostPortWithSSLPassthrough section.
    The SSL Passthrough protocol leverages SNI and reads the virtual domain data from the TLS handshake protocol, which requires a compatible client.
    If the host name doesn't match the requested host name, the request is forwarded to NGINX on the configured SSL Passthrough proxy port (default: 442), which subsequently proxies the request to the default backend.
    The SSL Passthrough feature is implemented by intercepting all traffic on the configured HTTPS port (default: 443) and routing it to a local TCP proxy. This implementation bypasses nginx completely and introduces a significant performance penalty.
    Unlike HTTP backends, traffic to SSL Passthrough backends is routed to the ClusterIP of the backing service instead of individual endpoints.
    Since SSL Passthrough works at layer 4 of the OSI model (TCP) and not layer 7 (HTTP), using SSL Passthrough makes it impossible to use other annotations configured on an Ingress object.
  - HostWithFailover: Two Ingress controllers are deployed: a primary and a backup. The primary controller runs in a hostNetwork. If the primary controller pods are unavailable, traffic is routed to the backup controller.
    There can be only one controller with this inlet type on a single host.
    Ensure the following ports are available on the node: 80, 81, 443, 444, 4207, 4208.
    To change the inlet, remove the iptables rules and restart the kube-proxy pods or reboot the nodes hosting Ingress controllers.
    This inlet cannot be used if the enableIstioSidecar parameter is enabled.
    Note. When HTTP/3 (enableHTTP3) is enabled, it is applied only to the primary controller; the failover controller always runs without HTTP/3.
  Allowed values: LoadBalancer, LoadBalancerWithSSLPassthrough, LoadBalancerWithProxyProtocol, HostPort, HostPortWithSSLPassthrough, HostPortWithProxyProtocol, HostWithFailover
- spec.legacySSL (boolean)
  Enables outdated versions of the TLS protocol and cipher suites.
  Enables the following TLS protocol versions: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3.
  Enables the following cipher suites, in order from the strongest to the weakest: ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES256-SHA, ECDHE-ECDSA-AES128-SHA, ECDHE-RSA-AES128-SHA, AES256-GCM-SHA384, AES128-GCM-SHA256, AES256-SHA256, AES128-SHA256, AES256-SHA, AES128-SHA.
  By default, only TLSv1.2 and TLSv1.3 with the newest cipher suites are enabled.
- spec.loadBalancer (object)
  Section of the LoadBalancer inlet parameters.
  - spec.loadBalancer.acceptClientIPHeadersFrom (array of strings)
    Defines a list of trusted CIDR ranges that are known to send correct X-Forwarded-*/ProxyProtocol headers.
    Default: [ "0.0.0.0/0" ]
    Example:
    acceptClientIPHeadersFrom:
    - 192.168.0.0/24
    - spec.loadBalancer.acceptClientIPHeadersFrom (string), element of the array
      Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$
  - spec.loadBalancer.annotations (object)
    Annotations to assign to the service for flexible configuration of the load balancer.
    The module does not take into account the specifics of setting annotations in different clouds.
    If annotations for provisioning a load balancer are only applied when creating a service, recreate the IngressNginxController resource to update the respective parameters (or create a new resource and then delete the old one).
  - spec.loadBalancer.behindL7Proxy (boolean)
    Enables processing and passing of the incoming X-Forwarded-* headers.
    Caution. Before using this option, ensure that requests to the Ingress come from trusted sources only.
  - spec.loadBalancer.httpPort (integer)
    External port for insecure HTTP connections exposed by the provisioned LoadBalancer service.
    If neither httpPort nor httpsPort is set, the service exposes the standard ports 80 and 443. If at least one of these parameters is specified, the service will listen only to explicitly specified ports for the corresponding connection type. For connection types for which no parameter is specified, nothing changes: the standard port is listened to.
    Caution. Changing service ports may trigger provider-specific side effects (for example, recreating the LoadBalancer or changing its public IP address). Such behavior depends on the cloud implementation; test it before using it in production.
    Caution. ACME HTTP-01 challenges (e.g. Let's Encrypt via cert-manager) require the Ingress controller to be reachable on TCP port 80. If you set httpsPort without httpPort, or set httpPort to a value other than 80, certificate issuance/renewal may stop working unless you use DNS-01 or forward port 80 to the controller externally.
    Caution. Many applications (including some Deckhouse module components) form absolute URLs and redirects without an explicit port (assuming standard ports 80/443). If you expose the Ingress controller on non-standard external ports, users may be redirected to the wrong port and links may be generated incorrectly; prefer using standard ports externally or configure external port forwarding/proxying.
    Default: 80
    Allowed values: 1 <= X <= 65535
  - spec.loadBalancer.httpsPort (integer)
    External port for secure HTTPS connections exposed by the provisioned LoadBalancer service.
    If neither httpPort nor httpsPort is set, the service exposes the standard ports 80 and 443. If at least one of these parameters is specified, the service will listen only to explicitly specified ports for the corresponding connection type. For connection types for which no parameter is specified, nothing changes: the standard port is listened to.
    Caution. Changing service ports may trigger provider-specific side effects (for example, recreating the LoadBalancer or changing its public IP address). Such behavior depends on the cloud implementation; test it before using it in production.
    Caution. Many applications (including some Deckhouse module components) form absolute URLs and redirects without an explicit port (assuming standard ports 80/443). If you set httpsPort to a non-standard value, users may be redirected to TCP port 443 and links may be generated incorrectly; prefer using standard ports externally or configure external port forwarding/proxying.
    Default: 443
    Allowed values: 1 <= X <= 65535
  - spec.loadBalancer.loadBalancerClass (string)
    Class of the load balancer for incoming network requests (passed to the spec.loadBalancerClass parameter of the provisioned service with the LoadBalancer type).
  - spec.loadBalancer.realIPHeader (string)
    The header for identifying the original IP address of a client.
    This option works only if behindL7Proxy is enabled.
    Default: X-Forwarded-For
    Example: realIPHeader: CF-Connecting-IP
  - spec.loadBalancer.sourceRanges (array of strings)
    List of IP addresses in the CIDR format that are allowed to access the load balancer.
    Caution. A cloud provider may not support this option or may ignore it.
    Providers supporting this option: AWS, Azure, GCP. Providers ignoring this option: Yandex Cloud.
    For other cloud providers, behavior may vary depending on the cloud implementation specifics. Test this option before using it in a production environment.
    - spec.loadBalancer.sourceRanges (string), element of the array
      Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$
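The following Python snippet is an added example, not validation code from the module or this reference. It turns the cross-field constraints stated in this reference into a small pre-apply check for an IngressNginxController spec: the inlet must be one of the listed values, enableHTTP3 is incompatible with the two proxy-protocol inlets, enableIstioSidecar is incompatible with HostWithFailover, the hostPort-style inlets need httpPort or httpsPort, customErrors is all-or-nothing with the documented code pattern, hstsOptions.maxAge and ingressClass must match their patterns, and the loadBalancer port cautions (ACME HTTP-01 on port 80, non-standard ports, behindL7Proxy without acceptRequestsFrom) are reported as warnings. The two sample specs are constructed; the error/warning wording is this example's own.

```python
"""Pre-apply checks for an IngressNginxController spec (added illustration
derived from the constraints in this reference; not the module's own
validation). Sample specs are constructed."""
import re

INLETS = {"LoadBalancer", "LoadBalancerWithSSLPassthrough", "LoadBalancerWithProxyProtocol",
          "HostPort", "HostPortWithSSLPassthrough", "HostPortWithProxyProtocol", "HostWithFailover"}
PROXY_PROTOCOL_INLETS = {"HostPortWithProxyProtocol", "LoadBalancerWithProxyProtocol"}
# Inlet name -> name of its parameter section in spec (HostWithFailover has none).
INLET_SECTION = {"HostPort": "hostPort",
                 "HostPortWithProxyProtocol": "hostPortWithProxyProtocol",
                 "HostPortWithSSLPassthrough": "hostPortWithSSLPassthrough",
                 "LoadBalancer": "loadBalancer",
                 "LoadBalancerWithProxyProtocol": "loadBalancerWithProxyProtocol",
                 "LoadBalancerWithSSLPassthrough": "loadBalancerWithSSLPassthrough"}
CODE_RE = re.compile(r"^[1-5][0-9][0-9]$")
MAX_AGE_RE = re.compile(r"^[1-9][0-9]*$")
INGRESS_CLASS_RE = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")


def lint(spec: dict) -> list:
    """Return a list of 'ERROR ...' / 'WARN ...' strings; empty means clean."""
    findings = []
    inlet = spec.get("inlet")
    if inlet not in INLETS:
        findings.append(f"ERROR spec.inlet: required, one of {sorted(INLETS)}")
        return findings
    if spec.get("enableHTTP3") and inlet in PROXY_PROTOCOL_INLETS:
        findings.append(f"ERROR enableHTTP3 cannot be used with inlet {inlet}: QUIC is incompatible with PROXY protocol")
    if spec.get("enableIstioSidecar") and inlet == "HostWithFailover":
        findings.append("ERROR enableIstioSidecar cannot be enabled with inlet HostWithFailover")
    section_name = INLET_SECTION.get(inlet, "")
    section = spec.get(section_name) or {}
    if inlet.startswith("HostPort") and section.get("httpPort") is None and section.get("httpsPort") is None:
        findings.append(f"ERROR {section_name}: httpPort or httpsPort must be set")
    for key in ("httpPort", "httpsPort"):
        v = section.get(key)
        if v is not None and not (isinstance(v, int) and 1 <= v <= 65535):
            findings.append(f"ERROR {section_name}.{key}: must be an integer in 1..65535")
    if inlet.startswith("LoadBalancer"):
        if section.get("httpsPort") is not None and section.get("httpPort") is None:
            findings.append(f"WARN {section_name}: httpsPort without httpPort; ACME HTTP-01 needs TCP port 80")
        for key, std in (("httpPort", 80), ("httpsPort", 443)):
            if section.get(key) not in (None, std):
                findings.append(f"WARN {section_name}.{key}: non-standard external port may break redirects and absolute URLs")
    if section.get("behindL7Proxy") and not spec.get("acceptRequestsFrom"):
        findings.append(f"WARN {section_name}.behindL7Proxy trusts X-Forwarded-* headers; restrict sources with acceptRequestsFrom")
    ce = spec.get("customErrors")
    if ce is not None:
        for req in ("codes", "namespace", "serviceName"):
            if not ce.get(req):
                findings.append(f"ERROR customErrors.{req}: required when customErrors is set")
        for code in ce.get("codes") or []:
            if not CODE_RE.match(str(code)):
                findings.append(f"ERROR customErrors.codes: {code!r} does not match ^[1-5][0-9][0-9]$")
    max_age = (spec.get("hstsOptions") or {}).get("maxAge")
    if max_age is not None and not MAX_AGE_RE.match(str(max_age)):
        findings.append(f"ERROR hstsOptions.maxAge: {max_age!r} does not match ^[1-9][0-9]*$")
    ingress_class = spec.get("ingressClass")
    if ingress_class is not None and not INGRESS_CLASS_RE.match(ingress_class):
        findings.append(f"ERROR ingressClass: {ingress_class!r} is not a valid class name")
    return findings


# Constructed sample specs: one with several documented conflicts, one clean.
BAD_SPEC = {"inlet": "HostPortWithProxyProtocol", "enableHTTP3": True,
            "hostPortWithProxyProtocol": {"httpsPort": 443},
            "customErrors": {"codes": ["404", "5xx"], "namespace": "default"},
            "hstsOptions": {"maxAge": "0"}}
GOOD_SPEC = {"inlet": "LoadBalancer", "ingressClass": "nginx",
             "acceptRequestsFrom": ["10.0.0.0/8"],
             "loadBalancer": {"behindL7Proxy": True, "httpPort": 80, "httpsPort": 443}}

if __name__ == "__main__":
    for line in lint(BAD_SPEC):
        print(line)
    print("clean" if not lint(GOOD_SPEC) else "findings")
```

The check deliberately stops after an invalid inlet, since every other rule depends on which parameter section applies. Findings are returned rather than raised so a CI step can decide whether warnings block the apply.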
- spec.loadBalancerWithProxyProtocol (object)
  Section of the LoadBalancerWithProxyProtocol inlet parameters.
  - spec.loadBalancerWithProxyProtocol.acceptClientIPHeadersFrom (array of strings)
    Defines a list of trusted CIDR ranges that are known to send correct X-Forwarded-*/ProxyProtocol headers.
    Default: [ "0.0.0.0/0" ]
    Example:
    acceptClientIPHeadersFrom:
    - 192.168.0.0/24
    - spec.loadBalancerWithProxyProtocol.acceptClientIPHeadersFrom (string), element of the array
      Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$
  - spec.loadBalancerWithProxyProtocol.annotations (object)
    Annotations to assign to the service for flexible configuration of the load balancer.
    The module does not take into account the specifics of setting annotations in different clouds.
    If annotations for provisioning a load balancer are only applied when creating a service, recreate the IngressNginxController resource to update the respective parameters (or create a new resource and then delete the old one).
  - spec.loadBalancerWithProxyProtocol.httpPort (integer)
    External port for insecure HTTP connections exposed by the provisioned LoadBalancer service.
    If neither httpPort nor httpsPort is set, the service exposes the standard ports 80 and 443. If at least one of these parameters is specified, the service will listen only to explicitly specified ports for the corresponding connection type. For connection types for which no parameter is specified, nothing changes: the standard port is listened to.
    Caution. Changing service ports may trigger provider-specific side effects (for example, recreating the LoadBalancer or changing its public IP address). Such behavior depends on the cloud implementation; test it before using it in production.
    Caution. ACME HTTP-01 challenges (e.g. Let's Encrypt via cert-manager) require the Ingress controller to be reachable on TCP port 80. If you set httpsPort without httpPort, or set httpPort to a value other than 80, certificate issuance/renewal may stop working unless you use DNS-01 or forward port 80 to the controller externally.
    Caution. Many applications (including some Deckhouse module components) form absolute URLs and redirects without an explicit port (assuming standard ports 80/443). If you expose the Ingress controller on non-standard external ports, users may be redirected to the wrong port and links may be generated incorrectly; prefer using standard ports externally or configure external port forwarding/proxying.
    Default: 80
    Allowed values: 1 <= X <= 65535
  - spec.loadBalancerWithProxyProtocol.httpsPort (integer)
    External port for secure HTTPS connections exposed by the provisioned LoadBalancer service.
    If neither httpPort nor httpsPort is set, the service exposes the standard ports 80 and 443. If at least one of these parameters is specified, the service will listen only to explicitly specified ports for the corresponding connection type. For connection types for which no parameter is specified, nothing changes: the standard port is listened to.
    Caution. Changing service ports may trigger provider-specific side effects (for example, recreating the LoadBalancer or changing its public IP address). Such behavior depends on the cloud implementation; test it before using it in production.
    Caution. Many applications (including some Deckhouse module components) form absolute URLs and redirects without an explicit port (assuming standard ports 80/443). If you set httpsPort to a non-standard value, users may be redirected to TCP port 443 and links may be generated incorrectly; prefer using standard ports externally or configure external port forwarding/proxying.
    Default: 443
    Allowed values: 1 <= X <= 65535
  - spec.loadBalancerWithProxyProtocol.loadBalancerClass (string)
    Class of the load balancer for incoming network requests (passed to the spec.loadBalancerClass parameter of the provisioned service with the LoadBalancer type).
  - spec.loadBalancerWithProxyProtocol.sourceRanges (array of strings)
    List of IP addresses in the CIDR format that are allowed to access the load balancer.
    Caution. A cloud provider may not support this option or may ignore it.
    Providers supporting this option: AWS, Azure, GCP. Providers ignoring this option: Yandex Cloud.
    For other cloud providers, behavior may vary depending on the cloud implementation specifics. Test this option before using it in a production environment.
    - spec.loadBalancerWithProxyProtocol.sourceRanges (string), element of the array
      Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$
- spec.loadBalancerWithSSLPassthrough (object)
  Section of the LoadBalancerWithSSLPassthrough inlet parameters.
  - spec.loadBalancerWithSSLPassthrough.annotations (object)
    Annotations to assign to the service for flexible configuration of the load balancer.
    The module does not take into account the specifics of setting annotations in different clouds.
    If annotations for provisioning a load balancer are only applied when creating a service, recreate the IngressNginxController resource to update the respective parameters (or create a new resource and then delete the old one).
  - spec.loadBalancerWithSSLPassthrough.httpPort (integer)
    External port for insecure HTTP connections exposed by the provisioned LoadBalancer service.
    If neither httpPort nor httpsPort is set, the service exposes the standard ports 80 and 443. If at least one of these parameters is specified, the service will listen only to explicitly specified ports for the corresponding connection type. For connection types for which no parameter is specified, nothing changes: the standard port is listened to.
    Caution. Changing service ports may trigger provider-specific side effects (for example, recreating the LoadBalancer or changing its public IP address). Such behavior depends on the cloud implementation; test it before using it in production.
    Caution. ACME HTTP-01 challenges (e.g. Let's Encrypt via cert-manager) require the Ingress controller to be reachable on TCP port 80. If you set httpsPort without httpPort, or set httpPort to a value other than 80, certificate issuance/renewal may stop working unless you use DNS-01 or forward port 80 to the controller externally.
    Caution. Many applications (including some Deckhouse module components) form absolute URLs and redirects without an explicit port (assuming standard ports 80/443). If you expose the Ingress controller on non-standard external ports, users may be redirected to the wrong port and links may be generated incorrectly; prefer using standard ports externally or configure external port forwarding/proxying.
    Default: 80
    Allowed values: 1 <= X <= 65535
  - spec.loadBalancerWithSSLPassthrough.httpsPort (integer)
    External port for secure HTTPS connections exposed by the provisioned LoadBalancer service.
    If neither httpPort nor httpsPort is set, the service exposes the standard ports 80 and 443. If at least one of these parameters is specified, the service will listen only to explicitly specified ports for the corresponding connection type. For connection types for which no parameter is specified, nothing changes: the standard port is listened to.
    Caution. Changing service ports may trigger provider-specific side effects (for example, recreating the LoadBalancer or changing its public IP address). Such behavior depends on the cloud implementation; test it before using it in production.
    Caution. Many applications (including some Deckhouse module components) form absolute URLs and redirects without an explicit port (assuming standard ports 80/443). If you set httpsPort to a non-standard value, users may be redirected to TCP port 443 and links may be generated incorrectly; prefer using standard ports externally or configure external port forwarding/proxying.
    Default: 443
    Allowed values: 1 <= X <= 65535
  - spec.loadBalancerWithSSLPassthrough.loadBalancerClass (string)
    Class of the load balancer for incoming network requests (passed to the
spec.loadBalancerClassparameter of the provisioned service with theLoadBalancertype). -
array of stringsspec.loadBalancerWithSSLPassthrough.sourceRanges
List of IP addresses in the CIDR format that are allowed accessing the load balancer.
Caution. A cloud provider may not support this option or ignore it.
Providers supporting this option: AWS, Azure, GCP. Providers ignoring this option: Yandex Cloud.
For other cloud providers, behavior may vary depending on the cloud implementation specifics. Test this option before using it in a production environment.
-
stringspec.loadBalancerWithSSLPassthrough.sourceRanges.Element of the array
Pattern:
^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$
-
-
-
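The sourceRanges pattern above (used by both the LoadBalancerWithProxyProtocol and LoadBalancerWithSSLPassthrough inlets) only guarantees a well-formed IPv4 CIDR; it does not reject entries with host bits set, which some cloud load balancers refuse or silently normalise. The following added example (not Deckhouse code) pre-checks a list of ranges the way the CRD does and then applies the stricter canonical-network check; the sample list is constructed.

```python
import ipaddress
import re

# Pattern copied from the IngressNginxController reference for sourceRanges
# elements: dotted-quad IPv4 with a mandatory /0..32 prefix length.
SOURCE_RANGE_PATTERN = re.compile(
    r"^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}"
    r"([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])"
    r"(\/(3[0-2]|[1-2][0-9]|[0-9]))$"
)

def check_source_range(entry: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a single sourceRanges element.

    First gate: the CRD pattern itself (what the API server enforces).
    Second gate (stricter, our addition): the entry must be a canonical
    network with no host bits set, e.g. 10.0.0.0/8 rather than 10.0.0.1/8.
    """
    if not SOURCE_RANGE_PATTERN.match(entry):
        return False, "rejected by CRD pattern"
    try:
        net = ipaddress.IPv4Network(entry, strict=True)
    except ValueError:
        return False, "host bits set; use the network address"
    if net.prefixlen == 0:
        return True, "matches everything (0.0.0.0/0): no restriction"
    return True, f"ok ({net.num_addresses} addresses)"

def validate_source_ranges(ranges: list[str]) -> dict[str, tuple[bool, str]]:
    """Check every element of a sourceRanges list."""
    return {r: check_source_range(r) for r in ranges}

# Constructed sample list, as a user might write under spec.*.sourceRanges.
SAMPLE_RANGES = [
    "10.0.0.0/8",        # valid private range
    "203.0.113.0/24",    # valid
    "203.0.113.7",       # no prefix length: the pattern requires one
    "10.0.0.1/8",        # passes the regex, but host bits are set
    "256.1.1.1/24",      # octet out of range
    "10.0.0.0/33",       # prefix length out of range
    "0.0.0.0/0",         # valid, but disables the restriction entirely
    "2001:db8::/32",     # IPv6 is not covered by the pattern
]

if __name__ == "__main__":
    for entry, (ok, reason) in validate_source_ranges(SAMPLE_RANGES).items():
        print(f"{'ACCEPT' if ok else 'REJECT'} {entry:20} {reason}")
```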
- spec.maxReplicas (integer)
  Maximum number of LoadBalancer, LoadBalancerWithProxyProtocol and LoadBalancerWithSSLPassthrough replicas for HPA.
  Default: 1
  Allowed values: 1 <= X
- spec.minReplicas (integer)
  Minimum number of LoadBalancer, LoadBalancerWithProxyProtocol and LoadBalancerWithSSLPassthrough replicas for HPA.
  Default: 1
  Allowed values: 1 <= X
- spec.nodeSelector (object)
  Same as the spec.nodeSelector parameter in Kubernetes Pods.
  If the parameter is omitted or set to false, Deckhouse will try to determine the value automatically.
  Use the format of a standard nodeSelector list. Instance pods inherit this field as is.
- spec.resourcesRequests (object)
  Configures CPU and memory for controller Pods.
  In VPA mode, set bounds (min/max) and optional limit ratios for the requests that VPA manages. In Static mode, set pod requests and optional limits under static.
  - spec.resourcesRequests.mode (string)
    Required value.
    Resource request management mode.
    Default: VPA
    Allowed values: VPA, Static
  - spec.resourcesRequests.static (object)
    Static management mode parameters.
    - spec.resourcesRequests.static.cpu (string)
      Value for CPU requests.
      Default: 350m
    - spec.resourcesRequests.static.limits (object)
      Resource limits.
      - spec.resourcesRequests.static.limits.cpu (string)
        CPU limits.
      - spec.resourcesRequests.static.limits.memory (string)
        Memory limits.
    - spec.resourcesRequests.static.memory (string)
      Value for memory requests.
      Default: 500Mi
  - spec.resourcesRequests.vpa (object)
    Vertical Pod Autoscaler (VPA) mode parameters.
    - spec.resourcesRequests.vpa.cpu (object)
      Parameters of CPU request restrictions.
      - spec.resourcesRequests.vpa.cpu.limitRatio (number)
        The CPU limits/requests ratio.
        If set, the limits are calculated from the requests and the specified ratio.
      - spec.resourcesRequests.vpa.cpu.max (string)
        Maximum value of allowed CPU requests to be submitted by the VPA.
        Default: 1500m
      - spec.resourcesRequests.vpa.cpu.min (string)
        Minimum value of allowed CPU requests to be submitted by the VPA.
        Default: 100m
    - spec.resourcesRequests.vpa.memory (object)
      Parameters of memory request restrictions.
      - spec.resourcesRequests.vpa.memory.limitRatio (number)
        The memory limits/requests ratio.
        If set, the limits are calculated from the requests and the specified ratio.
      - spec.resourcesRequests.vpa.memory.max (string)
        Maximum value of allowed memory requests to be submitted by the VPA.
        Default: 2000Mi
      - spec.resourcesRequests.vpa.memory.min (string)
        Minimum value of allowed memory requests to be submitted by the VPA.
        Default: 500Mi
    - spec.resourcesRequests.vpa.mode (string)
      VPA usage mode.
      Default: Initial
      Allowed values: Initial, InPlaceOrRecreate
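The spec.resourcesRequests section combines Kubernetes quantities (350m, 500Mi) with mode-specific fields, and the CRD itself does not cross-check them. The added example below (our own linter, not Deckhouse code) parses the quantities and applies the consistency checks that follow from the field descriptions: in VPA mode min must not exceed max and a limitRatio below 1 would produce limits below requests; in Static mode an explicit limit must not be below its request. Documented defaults are used for omitted fields; the sample specs are constructed.

```python
import re

# Kubernetes quantity suffixes this resource actually uses (plus a few
# neighbours); values are converted to a plain float for comparison only.
_SUFFIX = {"": 1, "m": 1e-3, "k": 1e3, "M": 1e6, "G": 1e9,
           "Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3}

def parse_quantity(q: str) -> float:
    """Parse '350m', '500Mi', '1' into a comparable number."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([A-Za-z]*)", q.strip())
    if not m or m.group(2) not in _SUFFIX:
        raise ValueError(f"unsupported quantity {q!r}")
    return float(m.group(1)) * _SUFFIX[m.group(2)]

# Documented defaults from the reference above.
_VPA_DEFAULTS = {"cpu": ("100m", "1500m"), "memory": ("500Mi", "2000Mi")}
_STATIC_DEFAULTS = {"cpu": "350m", "memory": "500Mi"}

def lint_resources_requests(spec: dict) -> list[str]:
    """Return human-readable problems found in a spec.resourcesRequests dict."""
    problems: list[str] = []
    mode = spec.get("mode", "VPA")
    if mode == "VPA":
        vpa = spec.get("vpa", {})
        for res, (dmin, dmax) in _VPA_DEFAULTS.items():
            bounds = vpa.get(res, {})
            lo, hi = bounds.get("min", dmin), bounds.get("max", dmax)
            if parse_quantity(lo) > parse_quantity(hi):
                problems.append(f"vpa.{res}: min {lo} exceeds max {hi}")
            ratio = bounds.get("limitRatio")
            # limits = requests * limitRatio, so a ratio < 1 yields limits
            # below requests, which the kubelet/API server will reject.
            if ratio is not None and ratio < 1:
                problems.append(f"vpa.{res}: limitRatio {ratio} puts limits below requests")
    elif mode == "Static":
        static = spec.get("static", {})
        limits = static.get("limits", {})
        for res, dreq in _STATIC_DEFAULTS.items():
            req, lim = static.get(res, dreq), limits.get(res)
            if lim is not None and parse_quantity(lim) < parse_quantity(req):
                problems.append(f"static.{res}: limit {lim} is below request {req}")
    else:
        problems.append(f"mode {mode!r} is not one of VPA, Static")
    return problems

# Constructed sample specs.
GOOD_STATIC = {"mode": "Static", "static": {"cpu": "500m", "memory": "1Gi",
               "limits": {"cpu": "1", "memory": "1Gi"}}}
BAD_VPA = {"mode": "VPA", "vpa": {"cpu": {"min": "2", "max": "1500m", "limitRatio": 0.5}}}
BAD_STATIC = {"mode": "Static", "static": {"limits": {"memory": "256Mi"}}}
```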
- spec.tolerations (array of objects)
  Same as the spec.tolerations parameter in Kubernetes Pods.
  If the parameter is omitted or set to false, all the possible tolerations are automatically applied to the module's Pods.
  Use the format of a standard toleration list. Instance pods inherit this field as is.
  - spec.tolerations.effect (string)
    Allowed values: NoSchedule, PreferNoSchedule, NoExecute
  - spec.tolerations.key (string)
  - spec.tolerations.operator (string)
    Default: Equal
    Allowed values: Exists, Equal
  - spec.tolerations.tolerationSeconds (integer)
  - spec.tolerations.value (string)
- spec.underscoresInHeaders (boolean)
  Enables using the underscore symbol in headers.
  Default: false
- spec.validationEnabled (boolean)
  Enables validation for Ingress rules.
  Warning. Enabling validation increases the load on the master nodes of the cluster.
  Default: true
- spec.validationIsolationMode (string)
  Selects the validation isolation mode.
  Note. This configuration is applied only to controller versions 1.14 and 1.15.
  Supported modes:
  - NoIsolation: No isolation is applied during NGINX configuration validation. To minimize security risks, the validation scope is limited to a single Ingress object, resulting in weak validation.
  - IsolatedFilesystem: NGINX configuration validation is executed in a separate file system with no access to the file system of the running NGINX server, effectively limiting the attack surface. The validation scope is limited by the ingressClass parameter, resulting in strong validation.
  - IsolatedProcess: NGINX configuration validation is executed inside a sandboxed environment where every syscall is traced. It is the most secure isolation mode; the validation scope is limited by the ingressClass parameter.
  Note. IsolatedProcess mode is experimental and may not work in hardened environments where creating new user namespaces or using ptrace is prohibited.
  Note. IsolatedProcess requires containerd v2 running on the target nodes.
  Default: NoIsolation
  Allowed values: NoIsolation, IsolatedFilesystem, IsolatedProcess
- spec.waitLoadBalancerOnTerminating (integer)
  Number of seconds before the /healthz endpoint begins returning the 500 code when the pod enters the Terminating state.
- status (object)
  - status.loadBalancer (object)
    - status.loadBalancer.hostname (string)
      Hostname of the load balancer.
    - status.loadBalancer.ip (string)
      IP address of the load balancer.