The module lifecycle stage: General Availability
The module has requirements for installation

The Deckhouse Kubernetes Platform installs CRDs but does not remove them when a module is disabled. If you no longer need the created CRDs, delete them.

IngressNginxController

Scope: Cluster

  • spec
    object
    • spec.acceptRequestsFrom
      array of strings

      List of IP addresses in the CIDR format that are allowed to access the load balancer.

      Regardless of the inlet type, the address to be verified (the original_address field in logs) is always the original IP address the connection is established from, not the client address that can be passed in some inlets via headers or the proxy protocol.

      This parameter is implemented using the nginx map module. If the original address is not allowed, nginx closes the connection, returning code 444.

      By default, the controller can be connected to from any address.

      • spec.acceptRequestsFrom.Element of the array
        string

        Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$

    • spec.additionalHeaders
      object
      Additional headers to add to all requests. Use the key: value(string) format.
    • spec.additionalLogFields
      object
      Additional fields to add to nginx logs. Use the key: value(string) format.
    • spec.annotationValidationEnabled
      boolean
      Enables validation for Ingress rule annotations.

      Default: false

    • spec.chaosMonkey
      boolean

      Tool for unexpected and random termination of Ingress controller Pods in a systemic manner.

      Intended for testing the fault tolerance of the Ingress controller.

      Default: false

    • spec.config
      object

      Section of the Ingress controller parameters where you can add any supported option in the key: value(string) format.

      An error in options may lead to the failure of the Ingress controller.

      Be careful when using this parameter, as backward compatibility or stability of the target Ingress controller are not guaranteed.

    • spec.controllerLogLevel
      string
      Defines the verbosity level for the Ingress controller logs.

      Default: Info

      Allowed values:

      Error — Only critical errors will be logged.
      Warn — Warnings and errors will be logged.
      Info — Informational messages, including basic debugging information.
      Extended — Extended information about changes in system state.
      Debug — Verbose debugging output, potentially very noisy.
      Trace — Trace-level logs with detailed step-by-step context.

    • spec.controllerPodsAdditionalAnnotations
      object

      Additional custom annotations for Ingress controller pods.

      Be careful when using this parameter, as backward compatibility or stability of the target Ingress controller are not guaranteed.

    • spec.controllerVersion
      string

      Ingress NGINX Controller version.

      By default, the version set in the module settings is used.

      Allowed values: 1.10, 1.12, 1.14, 1.15

    • spec.customErrors
      object

      Section with parameters for HTTP error customization.

      If this section is defined in the configuration, all its parameters are required.

      Changing any parameter causes the restart of all Ingress NGINX Controllers.

      • spec.customErrors.codes
        array of strings

        Required value

        List of response codes (array) causing redirection to the custom backend.
        • spec.customErrors.codes.Element of the array
          string

          Pattern: ^[1-5][0-9][0-9]$

      • spec.customErrors.namespace
        string

        Required value

        Name of a namespace keeping the service used as a default custom backend.

        Example:


        namespace: default
        
      • spec.customErrors.serviceName
        string

        Required value

        Name of a service to be used as a default custom backend.

        Example:


        serviceName: custom-errors-backend-service
        
    • spec.defaultSSLCertificate
      object

      The certificate that is used:

      • For catch-all server requests (here, “catch-all server” refers to the nginx server directive; requests without a corresponding Ingress resource end up on the catch-all server).
      • For Ingress resources that do not have a secretName specified in the tls section.

      By default, a self-signed certificate is used.

      Caution. This parameter does not affect certificates used in the Ingress resources of the Deckhouse modules. To specify the certificate to use in the Ingress resources of Deckhouse modules, use the global parameter modules.https.customCertificate.

      • spec.defaultSSLCertificate.secretRef
        object
        Link to the Secret for passing to the Ingress controller.
        • spec.defaultSSLCertificate.secretRef.name
          string
          Name of Secret containing the SSL certificate.

          Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

        • spec.defaultSSLCertificate.secretRef.namespace
          string
          Name of the namespace containing the Secret with the SSL certificate.

          Default: d8-ingress-nginx

          Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$

    • spec.disableHTTP2
      boolean
      Disables HTTP/2 support.

      Default: false

    • spec.enableHTTP3
      boolean

      Enables HTTP/3 support.

      HTTP/3 cannot be enabled when the inlet is set to HostPortWithProxyProtocol or LoadBalancerWithProxyProtocol.

      For the HostWithFailover inlet, HTTP/3 is applied only to the primary controller; the failover controller always runs without HTTP/3.

      Default: false

    • spec.enableIstioSidecar
      boolean

      Attaches annotations to the controller pods to automatically inject Istio sidecar containers.

      After setting this parameter, the sidecar.istio.io/inject: "true" and traffic.sidecar.istio.io/includeOutboundIPRanges: "<Service CIDR>" annotations will be attached to the Ingress controller pods. When these pods are created, Istio sidecars will be automatically added to them via a mutating webhook. After that, the sidecar will intercept all traffic directed to the Service CIDR.

      To use this feature, add the following annotations to your Ingress resources:

      • nginx.ingress.kubernetes.io/service-upstream: "true": Using this annotation, the Ingress controller sends requests to a service ClusterIP (from Service CIDR) instead of sending them to the application pods. The istio-proxy sidecar only intercepts traffic directed to Service CIDR, while the remaining requests are sent directly.
      • nginx.ingress.kubernetes.io/upstream-vhost: myservice.myns.svc: Using this annotation, the sidecar can identify the application service that serves requests.

      Caution. This parameter cannot be enabled if the Ingress controller inlet is set to HostWithFailover.

    • spec.geoIP2
      object
      GeoIP2 activation options.
      • spec.geoIP2.maxmindAccountID
        integer

        MaxMind Account ID used to authenticate GeoIP2 database downloads.

        Required when licenseKey is set. If the account ID is provided, downloads are performed with MaxMind's official geoipupdate tool (https://github.com/maxmind/geoipupdate), which skips databases that have not changed and so conserves the download limit of the license.

        Allowed values: 1 <= X

      • spec.geoIP2.maxmindEditionIDs
        array of strings

        List of database revisions to download at startup.

        For details on GeoLite databases, refer to the MaxMind blog article.

        Default: [ "GeoLite2-City", "GeoLite2-ASN" ]

        • spec.geoIP2.maxmindEditionIDs.Element of the array
          string

          Allowed values: GeoIP2-Anonymous-IP, GeoIP2-Country, GeoIP2-City, GeoIP2-Connection-Type, GeoIP2-Domain, GeoIP2-ISP, GeoIP2-ASN, GeoLite2-ASN, GeoLite2-Country, GeoLite2-City

      • spec.geoIP2.maxmindLicenseKey
        string

        License key to download the GeoIP2 database.

        If the key is set in the configuration, the module downloads the GeoIP2 database every time the controller is started. For details on obtaining a key, refer to the MaxMind blog article.

      • spec.geoIP2.maxmindMirror
        object

        Mirror configuration for downloading GeoIP databases.

        If no parameter is specified or the parameter has an empty value, the default value will be used, which is https://download.maxmind.com.

        If this mirror is used to host preloaded archives, the licenseKey parameter may be omitted.

        • spec.geoIP2.maxmindMirror.ca
          string
          Custom CA certificate in PEM format for verifying TLS connections to the mirror.

          Example:


          ca: |
            -----BEGIN CERTIFICATE-----
            ...
            -----END CERTIFICATE-----
          
        • spec.geoIP2.maxmindMirror.insecureSkipVerify
          boolean
          Skip TLS certificate verification for the mirror, for example when using self-signed certificates.
        • spec.geoIP2.maxmindMirror.url
          string

          Required value

          The URL for downloading GeoIP databases.

          Pattern: ^https?://.+$

          Examples (a mirror base URL, or an absolute path to a specific archive):


          url: https://mirror.local
          
          url: https://mirror.local/GeoLite2-City.tar.gz
          
    • spec.hostPort
      object
      Section of the HostPort inlet parameters.
      • spec.hostPort.acceptClientIPHeadersFrom
        array of strings
        Defines a list of trusted CIDR ranges that are known to send correct X-Forwarded-*/ProxyProtocol headers.

        Default: [ "0.0.0.0/0" ]

        Example:


        acceptClientIPHeadersFrom:
        - 192.168.0.0/24
        
        • spec.hostPort.acceptClientIPHeadersFrom.Element of the array
          string

          Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$

      • spec.hostPort.behindL7Proxy
        boolean

        Enables processing and passing of the incoming X-Forwarded-* headers.

        Caution. Before using that option, ensure that requests to the Ingress come from trusted sources only. To set restrictions, use the acceptRequestsFrom parameter.

      • spec.hostPort.httpPort
        integer

        Port for insecure HTTP connections.

        If the parameter is not set, HTTP connections cannot be established.

        This parameter is required if httpsPort is not set.

        Example:


        httpPort: 80
        
      • spec.hostPort.httpsPort
        integer

        Port for secure HTTPS connections.

        If the parameter is not set, HTTPS connections cannot be established.

        This parameter is required if httpPort is not set.

        Example:


        httpsPort: 443
        
      • spec.hostPort.realIPHeader
        string

        The header for identifying the original IP address of a client.

        This option works only if behindL7Proxy is enabled.

        Default: X-Forwarded-For

        Example:


        realIPHeader: CF-Connecting-IP
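
The two mechanisms described above (the acceptRequestsFrom check, which is always applied to the TCP peer, and the behindL7Proxy / acceptClientIPHeadersFrom / realIPHeader trio that decides when a header-supplied client address is believed; the same trio appears under loadBalancer) are easy to misconfigure: with acceptClientIPHeadersFrom left at its default of 0.0.0.0/0, enabling behindL7Proxy lets any client pick the address that ends up in logs and in downstream allow-lists. The following Python model is added here as an example and is not part of the module or its documentation. InletConfig, admit and the sample addresses are constructed for the example; the right-to-left walk over comma-separated X-Forwarded-For values mirrors nginx's recursive real-IP handling and is an assumption about how the controller is configured, not something this page states.

```python
import ipaddress
from dataclasses import dataclass, field


# Hypothetical subset of one inlet's settings, named after the CRD fields above.
# Constructed for this example; it is not the module's own code.
@dataclass
class InletConfig:
    accept_requests_from: list = field(default_factory=list)   # spec.acceptRequestsFrom; empty = any peer
    behind_l7_proxy: bool = False                               # spec.<inlet>.behindL7Proxy
    accept_client_ip_headers_from: list = field(default_factory=lambda: ["0.0.0.0/0"])  # CRD default
    real_ip_header: str = "X-Forwarded-For"                     # spec.<inlet>.realIPHeader


def in_any(addr: str, cidrs) -> bool:
    """True if addr falls inside at least one of the CIDR ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def header(headers: dict, name: str):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def admit(original_address: str, headers: dict, cfg: InletConfig):
    """Return (status, client_ip) for one connection.

    original_address is the TCP peer (the page's original_address log field);
    status 444 means nginx drops the connection without a response."""
    # 1. acceptRequestsFrom is always checked against the TCP peer, never a header value.
    if cfg.accept_requests_from and not in_any(original_address, cfg.accept_requests_from):
        return 444, None
    # 2. Header-supplied client IPs count only when behindL7Proxy is on
    #    and the peer itself is inside acceptClientIPHeadersFrom.
    if not cfg.behind_l7_proxy or not in_any(original_address, cfg.accept_client_ip_headers_from):
        return 200, original_address
    raw = header(headers, cfg.real_ip_header)
    if not raw:
        return 200, original_address
    # 3. Walk the header from the right and take the first hop that is not a trusted proxy
    #    (assumption: recursive real-IP resolution over comma-separated lists).
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not in_any(hop, cfg.accept_client_ip_headers_from):
                return 200, hop
        except ValueError:          # malformed hop: do not trust the header at all
            return 200, original_address
    return 200, hops[0]             # every hop is a trusted proxy: keep the leftmost one


if __name__ == "__main__":
    weak = InletConfig(behind_l7_proxy=True)   # default acceptClientIPHeadersFrom trusts everyone
    strict = InletConfig(behind_l7_proxy=True, accept_client_ip_headers_from=["192.168.0.0/24"])
    # Constructed addresses: 203.0.113.9 is the untrusted peer, 198.51.100.1 the forged "client".
    print(admit("203.0.113.9", {"X-Forwarded-For": "198.51.100.1"}, weak))    # header believed
    print(admit("203.0.113.9", {"X-Forwarded-For": "198.51.100.1"}, strict))  # header ignored
```

The first call shows the risk the caution on behindL7Proxy points at: an arbitrary peer supplies the address that will be logged. The second shows the intended deployment, where only the proxy's CIDR may speak for the client, so a forged header from anywhere else is discarded and the peer address is used instead.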
        
    • spec.hostPortWithProxyProtocol
      object
      Section of the HostPortWithProxyProtocol inlet parameters.
      • spec.hostPortWithProxyProtocol.acceptClientIPHeadersFrom
        array of strings
        Defines a list of trusted CIDR ranges that are known to send correct X-Forwarded-*/ProxyProtocol headers.

        Default: [ "0.0.0.0/0" ]

        Example:


        acceptClientIPHeadersFrom:
        - 192.168.0.0/24
        
        • spec.hostPortWithProxyProtocol.acceptClientIPHeadersFrom.Element of the array
          string

          Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$

      • spec.hostPortWithProxyProtocol.httpPort
        integer

        Port for insecure HTTP connections.

        If the parameter is not set, HTTP connections cannot be established.

        This parameter is required if httpsPort is not set.

        Example:


        httpPort: 80
        
      • spec.hostPortWithProxyProtocol.httpsPort
        integer

        Port for secure HTTPS connections.

        If the parameter is not set, HTTPS connections cannot be established.

        This parameter is required if httpPort is not set.

        Example:


        httpsPort: 443
        
    • spec.hostPortWithSSLPassthrough
      object
      Section of the HostPortWithSSLPassthrough inlet parameters.
      • spec.hostPortWithSSLPassthrough.httpPort
        integer

        Port for insecure HTTP connections.

        If the parameter is not set, HTTP connections cannot be established.

        This parameter is required if httpsPort is not set.

        Example:


        httpPort: 80
        
      • spec.hostPortWithSSLPassthrough.httpsPort
        integer

        Port for secure HTTPS connections.

        If the parameter is not set, HTTPS connections cannot be established.

        This parameter is required if httpPort is not set.

        Example:


        httpsPort: 443
        
    • spec.hsts
      boolean

      Enables HTTP Strict-Transport-Security (HSTS) response headers.

      For details on HSTS headers, refer to the MDN Web Docs article.

      Default: false

    • spec.hstsOptions
      object
      HSTS parameters.
      • spec.hstsOptions.includeSubDomains
        boolean
        Applies HSTS parameters to all subdomains of a website.

        Default: false

      • spec.hstsOptions.maxAge
        string
        Time in seconds during which the browser remembers that the website is only accessible via HTTPS.

        Default: 31536000

        Pattern: ^[1-9][0-9]*$

        Example:


        maxAge: '31536000'
        
      • spec.hstsOptions.preload
        boolean

        Adds a website to the preload list.

        The list instructs browsers to establish connections to the specified websites over HTTPS only.

        Default: false

    • spec.ingressClass
      string

      Name of the Ingress class to use with the Ingress NGINX Controller.

      Using this option, you can create several controllers to use with a single Ingress class.

      If you set it to nginx, Ingress resources without the kubernetes.io/ingress.class annotation or the spec.ingressClassName field will be handled as well.

      Default: nginx

      Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

      Example:


      ingressClass: nginx
      
    • spec.inlet
      string

      Required value

      The way external traffic is routed to the cluster. Once you set the method, you cannot change it later.

      Allowed values:

      • LoadBalancer: The Ingress controller is deployed, and a LoadBalancer-type service is provisioned.

      • LoadBalancerWithProxyProtocol: The Ingress controller is deployed, and a LoadBalancer-type service is provisioned. The Ingress controller uses the proxy-protocol to get a real IP address of the client.

        Note. HTTP/3 (enableHTTP3) cannot be enabled with this inlet because QUIC is incompatible with PROXY protocol.

      • LoadBalancerWithSSLPassthrough: The Ingress controller is deployed, and a LoadBalancer-type service is provisioned. This option enables the SSL Passthrough feature, allowing backends to be configured to accept SSL traffic directly without termination at the Ingress controller.

        The SSL Passthrough feature is implemented by intercepting all traffic on the configured HTTPS port (default: 443) and routing it to a local TCP proxy. This implementation bypasses nginx completely and introduces a significant performance penalty.

        The SSL Passthrough protocol leverages Server Name Indication (SNI) and reads the virtual domain data from the TLS handshake protocol, which requires a compatible client.

        If the SNI host name does not match any host configured for SSL Passthrough, the request is forwarded to NGINX on the configured SSL Passthrough proxy port (default: 442), which subsequently proxies the request to the default backend.

        Unlike HTTP backends, traffic to SSL Passthrough backends is routed to the ClusterIP of the backing service instead of individual endpoints.

        Since SSL Passthrough works at layer 4 of the OSI model (TCP) and not layer 7 (HTTP), using SSL Passthrough makes it impossible to use other annotations configured on an Ingress object.

      • HostPort: The Ingress controller is deployed and made available on node ports via hostPort.

      • HostPortWithProxyProtocol: The Ingress controller is deployed and made available on node ports via hostPort. The Ingress controller uses the proxy-protocol to get a real IP address of the client.

        Caution. When using this inlet, ensure that requests to the Ingress come from trusted sources only. To enforce it, use the acceptRequestsFrom parameter.

        Note. HTTP/3 (enableHTTP3) cannot be enabled with this inlet because QUIC is incompatible with PROXY protocol.

      • HostPortWithSSLPassthrough: The Ingress controller is deployed and made available on node ports via hostPort. This option enables the SSL Passthrough feature, allowing backends to be configured to accept SSL traffic directly without termination at the Ingress controller.

        Specify inlet parameters in the spec.hostPortWithSSLPassthrough section.

        The SSL Passthrough protocol leverages SNI and reads the virtual domain data from the TLS handshake protocol, which requires a compatible client.

        If the SNI host name does not match any host configured for SSL Passthrough, the request is forwarded to NGINX on the configured SSL Passthrough proxy port (default: 442), which subsequently proxies the request to the default backend.

        The SSL Passthrough feature is implemented by intercepting all traffic on the configured HTTPS port (default: 443) and routing it to a local TCP proxy. This implementation bypasses nginx completely and introduces a significant performance penalty.

        Unlike HTTP backends, traffic to SSL Passthrough backends is routed to the ClusterIP of the backing service instead of individual endpoints.

        Since SSL Passthrough works at layer 4 of the OSI model (TCP) and not layer 7 (HTTP), using SSL Passthrough makes it impossible to use other annotations configured on an Ingress object.

      • HostWithFailover: Two Ingress controllers are deployed: a primary and a backup. The primary controller runs in a hostNetwork. If the primary controller pods are unavailable, traffic is routed to the backup controller.

        There can be only one controller with this inlet type on a single host.

        Ensure the following ports are available on the node: 80, 81, 443, 444, 4207, 4208.

        To change the inlet, remove the iptables rules and restart the kube-proxy pods or reboot the nodes hosting Ingress controllers.

        This inlet cannot be used if the enableIstioSidecar parameter is enabled.

        Note. When HTTP/3 (enableHTTP3) is enabled, it is applied only to the primary controller; the failover controller always runs without HTTP/3.

      Allowed values: LoadBalancer, LoadBalancerWithSSLPassthrough, LoadBalancerWithProxyProtocol, HostPort, HostPortWithSSLPassthrough, HostPortWithProxyProtocol, HostWithFailover
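
Many constraints in this reference are only enforced when the resource is applied (the value patterns, the required fields of customErrors, the per-inlet port requirements, enableHTTP3 with the PROXY-protocol inlets, enableIstioSidecar with HostWithFailover), and the one with the largest security impact, behindL7Proxy while acceptClientIPHeadersFrom still trusts 0.0.0.0/0, is not rejected by the schema at all. The following Python preflight check is added here as an example and is not part of Deckhouse; it runs those checks over a manifest before kubectl apply, using the patterns and allowed values quoted on this page. validate, SAMPLE_SPEC and the wording of the findings are constructed for the example; the behindL7Proxy warning follows the caution given for that parameter, and the preload/includeSubDomains check reflects the HSTS preload list's submission requirements rather than a CRD rule. Note that the CIDR pattern on this page is IPv4-only and the prefix length is mandatory, so a bare address such as 10.0.0.1 is rejected.

```python
import re

# Patterns and allowed values copied from the IngressNginxController reference above.
CIDR_RE = re.compile(r"^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}"
                     r"([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$")
CODE_RE = re.compile(r"^[1-5][0-9][0-9]$")
DNS_NAME_RE = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")
LABEL_RE = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$")
MAX_AGE_RE = re.compile(r"^[1-9][0-9]*$")

INLET_SECTION = {  # inlet value -> the spec section that carries its parameters
    "LoadBalancer": "loadBalancer",
    "LoadBalancerWithProxyProtocol": "loadBalancerWithProxyProtocol",
    "LoadBalancerWithSSLPassthrough": "loadBalancerWithSSLPassthrough",
    "HostPort": "hostPort",
    "HostPortWithProxyProtocol": "hostPortWithProxyProtocol",
    "HostPortWithSSLPassthrough": "hostPortWithSSLPassthrough",
    "HostWithFailover": None,
}
PROXY_PROTOCOL_INLETS = {"LoadBalancerWithProxyProtocol", "HostPortWithProxyProtocol"}
CONTROLLER_VERSIONS = {"1.10", "1.12", "1.14", "1.15"}


def _check_cidrs(findings, path, values):
    for v in values or []:
        if not CIDR_RE.match(str(v)):
            findings.append(f"{path}: '{v}' is not an IPv4 CIDR with a prefix length")


def validate(spec):
    """Return a list of findings for one IngressNginxController spec (empty = passes)."""
    f = []
    inlet = spec.get("inlet")
    if inlet not in INLET_SECTION:
        f.append(f"spec.inlet: required, one of {sorted(INLET_SECTION)}")
        return f  # every other check depends on the inlet
    section = INLET_SECTION[inlet]
    params = spec.get(section, {}) if section else {}

    if "controllerVersion" in spec and str(spec["controllerVersion"]) not in CONTROLLER_VERSIONS:
        f.append(f"spec.controllerVersion: '{spec['controllerVersion']}' not in {sorted(CONTROLLER_VERSIONS)}")
    _check_cidrs(f, "spec.acceptRequestsFrom", spec.get("acceptRequestsFrom"))
    if section:
        _check_cidrs(f, f"spec.{section}.acceptClientIPHeadersFrom", params.get("acceptClientIPHeadersFrom"))
        _check_cidrs(f, f"spec.{section}.sourceRanges", params.get("sourceRanges"))

    # HostPort family: at least one of httpPort/httpsPort must be set.
    if inlet.startswith("HostPort") and not (params.get("httpPort") or params.get("httpsPort")):
        f.append(f"spec.{section}: httpPort or httpsPort is required for inlet {inlet}")
    # LoadBalancer family: external ports must stay within 1..65535.
    if inlet.startswith("LoadBalancer"):
        for key in ("httpPort", "httpsPort"):
            port = params.get(key)
            if port is not None and not (1 <= int(port) <= 65535):
                f.append(f"spec.{section}.{key}: {port} outside 1..65535")

    if spec.get("enableHTTP3") and inlet in PROXY_PROTOCOL_INLETS:
        f.append(f"spec.enableHTTP3: cannot be enabled with inlet {inlet} (QUIC is incompatible with PROXY protocol)")
    if spec.get("enableIstioSidecar") and inlet == "HostWithFailover":
        f.append("spec.enableIstioSidecar: cannot be enabled with inlet HostWithFailover")

    # Believing client-IP headers from every peer lets any client forge its source address.
    if params.get("behindL7Proxy") and "0.0.0.0/0" in params.get("acceptClientIPHeadersFrom", ["0.0.0.0/0"]):
        f.append(f"spec.{section}.behindL7Proxy: enabled while acceptClientIPHeadersFrom trusts 0.0.0.0/0; "
                 "restrict it to the upstream proxy's CIDRs")

    ce = spec.get("customErrors")
    if ce is not None:
        for key in ("codes", "namespace", "serviceName"):
            if key not in ce:
                f.append(f"spec.customErrors.{key}: required when customErrors is defined")
        for code in ce.get("codes", []):
            if not CODE_RE.match(str(code)):
                f.append(f"spec.customErrors.codes: '{code}' is not a three-digit HTTP status code")

    ref = spec.get("defaultSSLCertificate", {}).get("secretRef", {})
    if "name" in ref and not DNS_NAME_RE.match(ref["name"]):
        f.append(f"spec.defaultSSLCertificate.secretRef.name: '{ref['name']}' is not a valid Secret name")
    if "namespace" in ref and not LABEL_RE.match(ref["namespace"]):
        f.append(f"spec.defaultSSLCertificate.secretRef.namespace: '{ref['namespace']}' is not a valid namespace")

    hsts = spec.get("hstsOptions", {})
    if "maxAge" in hsts and not (isinstance(hsts["maxAge"], str) and MAX_AGE_RE.match(hsts["maxAge"])):
        f.append(f"spec.hstsOptions.maxAge: '{hsts['maxAge']}' must be a positive integer given as a string")
    if hsts.get("preload") and not hsts.get("includeSubDomains"):  # preload-list rule, not a CRD rule
        f.append("spec.hstsOptions.preload: the HSTS preload list also requires includeSubDomains")
    if "ingressClass" in spec and not DNS_NAME_RE.match(spec["ingressClass"]):
        f.append(f"spec.ingressClass: '{spec['ingressClass']}' does not match the allowed pattern")
    return f


# Constructed sample spec with three defects: a bare address in acceptRequestsFrom,
# HTTP/3 on a PROXY-protocol inlet, and an incomplete customErrors section.
SAMPLE_SPEC = {
    "inlet": "HostPortWithProxyProtocol",
    "enableHTTP3": True,
    "acceptRequestsFrom": ["192.168.0.0/24", "10.0.0.1"],
    "hostPortWithProxyProtocol": {"httpPort": 80, "httpsPort": 443},
    "customErrors": {"codes": ["404", "503"], "namespace": "default"},
    "hstsOptions": {"maxAge": "31536000"},
}

if __name__ == "__main__":
    for finding in validate(SAMPLE_SPEC):
        print(finding)
```

Feed it the spec section of the manifest you are about to apply (for instance by loading the YAML with any parser and passing the `spec` mapping); an empty list means none of these checks fired, not that the API server will accept the object, since the check only covers the rules quoted on this page.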

    • spec.legacySSL
      boolean

      Enables outdated versions of the TLS protocol and cipher suites.

      Enables the following TLS protocol versions: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3.

      Enables the following combinations of cipher suites in order from the strongest to the weakest: ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES256-SHA, ECDHE-ECDSA-AES128-SHA, ECDHE-RSA-AES128-SHA, AES256-GCM-SHA384, AES128-GCM-SHA256, AES256-SHA256, AES128-SHA256, AES256-SHA, AES128-SHA.

      By default, only TLSv1.2 and TLSv1.3 with the newest cipher suites are enabled.

    • spec.loadBalancer
      object
      Section of the LoadBalancer inlet parameters.
      • spec.loadBalancer.acceptClientIPHeadersFrom
        array of strings
        Defines a list of trusted CIDR ranges that are known to send correct X-Forwarded-*/ProxyProtocol headers.

        Default: [ "0.0.0.0/0" ]

        Example:


        acceptClientIPHeadersFrom:
        - 192.168.0.0/24
        
        • spec.loadBalancer.acceptClientIPHeadersFrom.Element of the array
          string

          Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$

      • spec.loadBalancer.annotations
        object

        Annotations to assign to the service for flexible configuration of the load balancer.

        The module does not take into account the specifics of setting annotations in different clouds.

        If annotations for provisioning a load balancer are only applied when creating a service, recreate the IngressNginxController resource to update respective parameters (or create a new resource and then delete the old one).

      • spec.loadBalancer.behindL7Proxy
        boolean

        Enables processing and passing of the incoming X-Forwarded-* headers.

        Caution. Before using that option, ensure that requests to the Ingress come from trusted sources only.

      • spec.loadBalancer.httpPort
        integer

        External port for insecure HTTP connections exposed by the provisioned LoadBalancer service.

        If neither httpPort nor httpsPort is set, the service exposes the standard ports 80 and 443. If at least one of these parameters is specified, the service will listen only to explicitly specified ports for the corresponding connection type. For connection types for which no parameter is specified, nothing changes: the standard port is listened to.

        Caution. Changing service ports may trigger provider-specific side effects (for example, recreating the LoadBalancer or changing its public IP address). Such behavior depends on the cloud implementation; test it before using it in production.

        Caution. ACME HTTP-01 challenges (e.g. Let’s Encrypt via cert-manager) require the Ingress controller to be reachable on TCP port 80. If you set httpsPort without httpPort, or set httpPort to a value other than 80, certificate issuance/renewal may stop working unless you use DNS-01 or forward port 80 to the controller externally.

        Caution. Many applications (including some Deckhouse module components) form absolute URLs and redirects without an explicit port (assuming standard ports 80/443). If you expose the Ingress controller on non-standard external ports, users may be redirected to the wrong port and links may be generated incorrectly; prefer using standard ports externally or configure external port forwarding/proxying.

        Default: 80

        Allowed values: 1 <= X <= 65535

      • spec.loadBalancer.httpsPort
        integer

        External port for secure HTTPS connections exposed by the provisioned LoadBalancer service.

        If neither httpPort nor httpsPort is set, the service exposes the standard ports 80 and 443. If at least one of these parameters is specified, the service will listen only to explicitly specified ports for the corresponding connection type. For connection types for which no parameter is specified, nothing changes: the standard port is listened to.

        Caution. Changing service ports may trigger provider-specific side effects (for example, recreating the LoadBalancer or changing its public IP address). Such behavior depends on the cloud implementation; test it before using it in production.

        Caution. Many applications (including some Deckhouse module components) form absolute URLs and redirects without an explicit port (assuming standard ports 80/443). If you set httpsPort to a non-standard value, users may be redirected to TCP port 443 and links may be generated incorrectly; prefer using standard ports externally or configure external port forwarding/proxying.

        Default: 443

        Allowed values: 1 <= X <= 65535

      • spec.loadBalancer.loadBalancerClass
        string
        Class of the load balancer for incoming network requests (passed to the spec.loadBalancerClass parameter of the provisioned service with the LoadBalancer type).
      • spec.loadBalancer.realIPHeader
        string

        The header for identifying the original IP address of a client.

        This option works only if behindL7Proxy is enabled.

        Default: X-Forwarded-For

        Example:


        realIPHeader: CF-Connecting-IP
        
      • spec.loadBalancer.sourceRanges
        array of strings

        List of IP addresses in the CIDR format that are allowed to access the load balancer.

        Caution. A cloud provider may not support this option or ignore it.

        Providers supporting this option: AWS, Azure, GCP. Providers ignoring this option: Yandex Cloud.

        For other cloud providers, behavior may vary depending on the cloud implementation specifics. Test this option before using it in a production environment.

        • spec.loadBalancer.sourceRanges.Element of the array
          string

          Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$

    • spec.loadBalancerWithProxyProtocol
      object
      Section of the LoadBalancerWithProxyProtocol inlet parameters.
      • spec.loadBalancerWithProxyProtocol.acceptClientIPHeadersFrom
        array of strings
        Defines a list of trusted CIDR ranges that are known to send correct X-Forwarded-*/ProxyProtocol headers.

        Default: [ "0.0.0.0/0" ]

        Example:


        acceptClientIPHeadersFrom:
        - 192.168.0.0/24
        
        • spec.loadBalancerWithProxyProtocol.acceptClientIPHeadersFrom.Element of the array
          string

          Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$

      • spec.loadBalancerWithProxyProtocol.annotations
        object

        Annotations to assign to the service for flexible configuration of the load balancer.

        The module does not take into account the specifics of setting annotations in different clouds.

        If annotations for provisioning a load balancer are only applied when creating a service, recreate the IngressNginxController resource to update respective parameters (or create a new resource and then delete the old one).

      • spec.loadBalancerWithProxyProtocol.httpPort
        integer

        External port for insecure HTTP connections exposed by the provisioned LoadBalancer service.

        If neither httpPort nor httpsPort is set, the service exposes the standard ports 80 and 443. If at least one of these parameters is specified, the service will listen only to explicitly specified ports for the corresponding connection type. For connection types for which no parameter is specified, nothing changes: the standard port is listened to.

        Caution. Changing service ports may trigger provider-specific side effects (for example, recreating the LoadBalancer or changing its public IP address). Such behavior depends on the cloud implementation; test it before using it in production.

        Caution. ACME HTTP-01 challenges (e.g. Let’s Encrypt via cert-manager) require the Ingress controller to be reachable on TCP port 80. If you set httpsPort without httpPort, or set httpPort to a value other than 80, certificate issuance/renewal may stop working unless you use DNS-01 or forward port 80 to the controller externally.

        Caution. Many applications (including some Deckhouse module components) form absolute URLs and redirects without an explicit port (assuming standard ports 80/443). If you expose the Ingress controller on non-standard external ports, users may be redirected to the wrong port and links may be generated incorrectly; prefer using standard ports externally or configure external port forwarding/proxying.

        Default: 80

        Allowed values: 1 <= X <= 65535

      • spec.loadBalancerWithProxyProtocol.httpsPort
        integer

        External port for secure HTTPS connections exposed by the provisioned LoadBalancer service.

        If neither httpPort nor httpsPort is set, the service exposes the standard ports 80 and 443. If at least one of these parameters is specified, the service will listen only to explicitly specified ports for the corresponding connection type. For connection types for which no parameter is specified, nothing changes: the standard port is listened to.

        Caution. Changing service ports may trigger provider-specific side effects (for example, recreating the LoadBalancer or changing its public IP address). Such behavior depends on the cloud implementation; test it before using it in production.

        Caution. Many applications (including some Deckhouse module components) form absolute URLs and redirects without an explicit port (assuming standard ports 80/443). If you set httpsPort to a non-standard value, users may be redirected to TCP port 443 and links may be generated incorrectly; prefer using standard ports externally or configure external port forwarding/proxying.

        Default: 443

        Allowed values: 1 <= X <= 65535

      • spec.loadBalancerWithProxyProtocol.loadBalancerClass
        string
        Class of the load balancer for incoming network requests (passed to the spec.loadBalancerClass parameter of the provisioned service with the LoadBalancer type).
      • spec.loadBalancerWithProxyProtocol.sourceRanges
        array of strings

        List of IP addresses in the CIDR format that are allowed to access the load balancer.

        Caution. A cloud provider may not support this option or ignore it.

        Providers supporting this option: AWS, Azure, GCP. Providers ignoring this option: Yandex Cloud.

        For other cloud providers, behavior may vary depending on the cloud implementation specifics. Test this option before using it in a production environment.

        • spec.loadBalancerWithProxyProtocol.sourceRanges.Element of the array
          string

          Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$

    • spec.loadBalancerWithSSLPassthrough
      object
      Section of the LoadBalancerWithSSLPassthrough inlet parameters.
      • spec.loadBalancerWithSSLPassthrough.annotations
        object

        Annotations to assign to the service for flexible configuration of the load balancer.

        The module does not take into account the specifics of setting annotations in different clouds.

        If annotations for provisioning a load balancer are only applied when creating a service, recreate the IngressNginxController resource to update respective parameters (or create a new resource and then delete the old one).

      • spec.loadBalancerWithSSLPassthrough.httpPort
        integer

        External port for insecure HTTP connections exposed by the provisioned LoadBalancer service.

        If neither httpPort nor httpsPort is set, the service exposes the standard ports 80 and 443. If at least one of these parameters is specified, the service will listen only to explicitly specified ports for the corresponding connection type. For connection types for which no parameter is specified, nothing changes: the standard port is listened to.

        Caution. Changing service ports may trigger provider-specific side effects (for example, recreating the LoadBalancer or changing its public IP address). Such behavior depends on the cloud implementation; test it before using it in production.

        Caution. ACME HTTP-01 challenges (e.g. Let’s Encrypt via cert-manager) require the Ingress controller to be reachable on TCP port 80. If you set httpsPort without httpPort, or set httpPort to a value other than 80, certificate issuance/renewal may stop working unless you use DNS-01 or forward port 80 to the controller externally.

        Caution. Many applications (including some Deckhouse module components) form absolute URLs and redirects without an explicit port (assuming standard ports 80/443). If you expose the Ingress controller on non-standard external ports, users may be redirected to the wrong port and links may be generated incorrectly; prefer using standard ports externally or configure external port forwarding/proxying.

        Default: 80

        Allowed values: 1 <= X <= 65535

      • spec.loadBalancerWithSSLPassthrough.httpsPort
        integer

        External port for secure HTTPS connections exposed by the provisioned LoadBalancer service.

        If neither httpPort nor httpsPort is set, the service exposes the standard ports 80 and 443. If at least one of these parameters is specified, the service will listen only to explicitly specified ports for the corresponding connection type. For connection types for which no parameter is specified, nothing changes: the standard port is listened to.

        Caution. Changing service ports may trigger provider-specific side effects (for example, recreating the LoadBalancer or changing its public IP address). Such behavior depends on the cloud implementation; test it before using it in production.

        Caution. Many applications (including some Deckhouse module components) form absolute URLs and redirects without an explicit port (assuming standard ports 80/443). If you set httpsPort to a non-standard value, users may be redirected to TCP port 443 and links may be generated incorrectly; prefer using standard ports externally or configure external port forwarding/proxying.

        Default: 443

        Allowed values: 1 <= X <= 65535

      • spec.loadBalancerWithSSLPassthrough.loadBalancerClass
        string
        Class of the load balancer for incoming network requests (passed to the spec.loadBalancerClass parameter of the provisioned service with the LoadBalancer type).
      • spec.loadBalancerWithSSLPassthrough.sourceRanges
        array of strings

        List of IP addresses in the CIDR format that are allowed to access the load balancer.

        Caution. A cloud provider may not support this option or ignore it.

        Providers supporting this option: AWS, Azure, GCP. Providers ignoring this option: Yandex Cloud.

        For other cloud providers, behavior may vary depending on the cloud implementation specifics. Test this option before using it in a production environment.

        • spec.loadBalancerWithSSLPassthrough.sourceRanges.Element of the array
          string

          Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$

    • spec.maxReplicas
      integer
      Maximum number of LoadBalancer, LoadBalancerWithProxyProtocol and LoadBalancerWithSSLPassthrough replicas for HPA.

      Default: 1

      Allowed values: 1 <= X

    • spec.minReplicas
      integer
      Minimum number of LoadBalancer, LoadBalancerWithProxyProtocol and LoadBalancerWithSSLPassthrough replicas for HPA.

      Default: 1

      Allowed values: 1 <= X

    • spec.nodeSelector
      object

      Same as the spec.nodeSelector parameter in Kubernetes Pods.

      If the parameter is omitted or set to false, DKP will try to determine the value automatically.

      Use the format of a standard nodeSelector list. Instance pods inherit this field as is.

    • spec.resourcesManagement
      object
      CPU and memory request and limit settings for the controller Pods.
      • spec.resourcesManagement.mode
        string

        Required value

        Resource management mode.

        Default: VPA

        Allowed values: VPA, Static

      • spec.resourcesManagement.static
        object
        Static mode settings.
        • spec.resourcesManagement.static.limits
          object
          Resource limits.
          • spec.resourcesManagement.static.limits.cpu
            string
            CPU limits.
          • spec.resourcesManagement.static.limits.memory
            string
            Memory limits.
        • spec.resourcesManagement.static.requests
          object
          Resource requests.
          • spec.resourcesManagement.static.requests.cpu
            string
            CPU requests.

            Default: 350m

          • spec.resourcesManagement.static.requests.memory
            string
            Memory requests.

            Default: 500Mi

      • spec.resourcesManagement.vpa
        object
        Resource management settings for the VPA mode.
        • spec.resourcesManagement.vpa.cpu
          object
          CPU-related VPA settings.
          • spec.resourcesManagement.vpa.cpu.limitRatio
            number

            The CPU limits/requests ratio.

            If set, the limits are calculated based on the requests and the specified ratio.

          • spec.resourcesManagement.vpa.cpu.max
            string
            Maximum value of allowed CPU requests to be submitted by the VPA.

            Default: 1500m

          • spec.resourcesManagement.vpa.cpu.min
            string
            Minimum value of allowed CPU requests to be submitted by the VPA.

            Default: 100m

        • spec.resourcesManagement.vpa.memory
          object
          Memory-related VPA settings.
          • spec.resourcesManagement.vpa.memory.limitRatio
            number

            The memory limits/requests ratio.

            If set, the limits are calculated based on the requests and the specified ratio.

          • spec.resourcesManagement.vpa.memory.max
            string
            Maximum value of allowed memory requests to be submitted by the VPA.

            Default: 2000Mi

          • spec.resourcesManagement.vpa.memory.min
            string
            Minimum value of allowed memory requests to be submitted by the VPA.

            Default: 500Mi

        • spec.resourcesManagement.vpa.mode
          string
          VPA operating mode.

          Default: Initial

          Allowed values: Initial, InPlaceOrRecreate

    • spec.tolerations
      array of objects

      Same as the spec.tolerations parameter in Kubernetes Pods.

      If the parameter is omitted or set to false, all the possible tolerations are automatically applied to the module’s Pods.

      Use the format of a standard toleration list. Instance pods inherit this field as is.

      • spec.tolerations.effect
        string

        Allowed values: NoSchedule, PreferNoSchedule, NoExecute

      • spec.tolerations.key
        string
      • spec.tolerations.operator
        string

        Default: Equal

        Allowed values: Exists, Equal

      • spec.tolerations.tolerationSeconds
        integer
      • spec.tolerations.value
        string
    • spec.underscoresInHeaders
      boolean

      Enables using the underscore symbol in headers.

      Default: false

    • spec.validationEnabled
      boolean

      Enables validation for Ingress rules.

      Warning. Enabling validation increases the load on the master nodes of the cluster.

      Default: true

    • spec.validationIsolationMode
      string

      Selects the validation isolation mode.

      Note. This configuration is applied only to controller versions 1.14 and 1.15.

      Supported modes:

      • NoIsolation: No isolation is applied during NGINX configuration validation. To minimize security risks, the validation scope is limited to a single Ingress object resulting in weak validation.
      • IsolatedFilesystem: NGINX configuration validation is executed in a separate file system with no access to the file system of the running NGINX server, effectively limiting the attack surface. The validation scope is limited by the ingressClass parameter, resulting in strong validation.
      • IsolatedProcess: NGINX configuration validation is executed inside a sandboxed environment where every syscall is traced. It is the most secure isolation mode limited by the ingressClass parameter.

      Note. IsolatedProcess mode is experimental and may not work in hardened environments where creating new user namespaces or using ptrace is prohibited.

      Note. IsolatedProcess requires containerd v2 running on target nodes.

      Default: NoIsolation

      Allowed values: NoIsolation, IsolatedFilesystem, IsolatedProcess
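      The following manifest is an added example and is not taken from the Deckhouse documentation. It pulls together the loadBalancerWithSSLPassthrough parameters described above (explicit ports and sourceRanges), the replica and resourcesManagement settings, and the validation parameters, so the interplay between controllerVersion and validationIsolationMode is visible in one resource. Assumptions: the apiVersion deckhouse.io/v1, the resource name, the Ingress class name and the client range 203.0.113.0/24 are placeholders chosen for the example.

```yaml
# Added example, not from the Deckhouse docs. Assumed values: apiVersion,
# metadata.name, ingressClass and the 203.0.113.0/24 range.
apiVersion: deckhouse.io/v1
kind: IngressNginxController
metadata:
  name: passthrough
spec:
  ingressClass: nginx-passthrough
  inlet: LoadBalancerWithSSLPassthrough
  loadBalancerWithSSLPassthrough:
    # Standard ports are kept on purpose: ACME HTTP-01 needs TCP 80, and
    # applications build redirects assuming 80/443.
    httpPort: 80
    httpsPort: 443
    # Honoured by AWS, Azure and GCP, ignored by Yandex Cloud; check your
    # provider before relying on this as the only access restriction.
    sourceRanges:
    - 203.0.113.0/24
  minReplicas: 2
  maxReplicas: 4
  resourcesManagement:
    mode: Static
    static:
      requests:
        cpu: 350m
        memory: 500Mi
      limits:
        cpu: 1500m
        memory: 2000Mi
  # validationIsolationMode only takes effect with controller versions 1.14
  # and 1.15, so the version is pinned (quoted: the field is a string).
  controllerVersion: "1.15"
  validationEnabled: true             # default; increases load on master nodes
  annotationValidationEnabled: true   # off by default
  # NoIsolation (default) validates a single Ingress at a time; IsolatedProcess
  # needs containerd v2 plus user namespaces and ptrace on the nodes.
  validationIsolationMode: IsolatedFilesystem
```

      Apply it with kubectl and check the resulting Service's loadBalancerSourceRanges and the controller's readiness before routing production traffic, since both the source-range support and the port changes are provider dependent.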

    • spec.waitLoadBalancerOnTerminating
      integer
      Number of seconds before the /healthz endpoint begins returning the 500 code when the pod enters the Terminating state.
  • status
    object
    • status.loadBalancer
      object
      Contains IP address and hostname of the associated load balancer.
      • status.loadBalancer.hostname
        string
        Hostname of the load balancer.
      • status.loadBalancer.ip
        string
        IP address of the load balancer.
  • spec
    object
    • spec.acceptRequestsFrom
      array of strings

      List of IP addresses in the CIDR format that are allowed to access the load balancer.

      Regardless of the inlet type, the address to be verified (the original_address field in logs) is always the original IP address the connection is established from and not the client address that can be passed in some inlets via headers or using the proxy protocol.

      This parameter is implemented using the nginx map module. If the original address is not allowed, nginx closes the connection and returns code 444.

      By default, the controller can be connected to from any address.

      • spec.acceptRequestsFrom.Element of the array
        string

        Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$

    • spec.additionalHeaders
      object
      Additional headers to add to all requests. Use the key: value(string) format.
    • spec.additionalLogFields
      object
      Additional fields to add to nginx logs. Use the key: value(string) format.
    • spec.annotationValidationEnabled
      boolean
      Enables validation for Ingress rule annotations.

      Default: false

    • spec.chaosMonkey
      boolean

      Tool for unexpected and random termination of Ingress controller Pods in a systemic manner.

      Intended for testing the fault tolerance of the Ingress controller.

      Default: false

    • spec.config
      object

      Section of the Ingress controller parameters where you can add any supported option in the key: value(string) format.

      An error in options may lead to the failure of the Ingress controller.

      Be careful when using this parameter, as backward compatibility or stability of the target Ingress controller are not guaranteed.

    • spec.controllerLogLevel
      string
      Defines the verbosity level for the Ingress controller logs.

      Default: Info

      Allowed values:

      Error — Only critical errors will be logged.
      Warn — Warnings and errors will be logged.
      Info — Informational messages, including basic debugging information.
      Extended — Extended information about changes in system state.
      Debug — Verbose debugging output, potentially very noisy.
      Trace — Trace-level logs with detailed step-by-step context.

    • spec.controllerPodsAdditionalAnnotations
      object

      Additional custom annotations for Ingress controller pods.

      Be careful when using this parameter, as backward compatibility or stability of the target Ingress controller are not guaranteed.

    • spec.controllerVersion
      string

      Ingress NGINX Controller version.

      By default, the version set in the module settings is used.

      Allowed values: 1.10, 1.12, 1.14, 1.15

    • spec.customErrors
      object

      Section with parameters for HTTP error customization.

      If this section is defined in the configuration, all its parameters are required.

      Changing any parameter causes the restart of all Ingress NGINX Controllers.

      • spec.customErrors.codes
        array of strings

        Required value

        List of response codes (array) causing redirection to the custom backend.
        • spec.customErrors.codes.Element of the array
          string

          Pattern: ^[1-5][0-9][0-9]$

      • spec.customErrors.namespace
        string

        Required value

        Name of a namespace keeping the service used as a default custom backend.

        Example:


        namespace: default
        
      • spec.customErrors.serviceName
        string

        Required value

        Name of a service to be used as a default custom backend.

        Example:


        serviceName: custom-errors-backend-service
        
    • spec.defaultSSLCertificate
      object

      The certificate that is used:

      • For catch-all server requests (here, “catch-all server” refers to the nginx server directive). Requests without a corresponding Ingress resource end up on the catch-all server.
      • For Ingress resources that do not have a secretName specified in the tls section.

      By default, a self-signed certificate is used.

      Caution. This parameter does not affect certificates used in the Ingress resources of the Deckhouse modules. To specify the certificate to use in the Ingress resources of Deckhouse modules, use the global parameter modules.https.customCertificate.

      • spec.defaultSSLCertificate.secretRef
        object
        Link to the Secret for passing to the Ingress controller.
        • spec.defaultSSLCertificate.secretRef.name
          string
          Name of Secret containing the SSL certificate.

          Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

        • spec.defaultSSLCertificate.secretRef.namespace
          string
          Name of the namespace containing the Secret with the SSL certificate.

          Default: d8-ingress-nginx

          Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$

    • spec.disableHTTP2
      boolean
      Disables HTTP/2 support.

      Default: false

    • spec.enableHTTP3
      boolean

      Enables HTTP/3 support.

      HTTP/3 cannot be enabled when the inlet is set to HostPortWithProxyProtocol or LoadBalancerWithProxyProtocol.

      For the HostWithFailover inlet, HTTP/3 is applied only to the primary controller; the failover controller always runs without HTTP/3.

      Default: false

    • spec.enableIstioSidecar
      boolean

      Attaches annotations to the controller pods to automatically inject Istio sidecar containers.

      After setting this parameter, the sidecar.istio.io/inject: "true" and traffic.sidecar.istio.io/includeOutboundIPRanges: "<Service CIDR>" annotations will be attached to the Ingress controller pods. When these pods are created, Istio sidecars will be automatically added to them via a mutating webhook. After that, the sidecar will intercept all traffic directed to the Service CIDR.

      To use this feature, add the following annotations to your Ingress resources:

      • nginx.ingress.kubernetes.io/service-upstream: "true": Using this annotation, the Ingress controller sends requests to a service ClusterIP (from Service CIDR) instead of sending them to the application pods. The istio-proxy sidecar only intercepts traffic directed to Service CIDR, while the remaining requests are sent directly.
      • nginx.ingress.kubernetes.io/upstream-vhost: myservice.myns.svc: Using this annotation, the sidecar can identify the application service that serves requests.

      Caution. This parameter cannot be enabled if the Ingress controller inlet is set to HostWithFailover.

    • spec.geoIP2
      object
      GeoIP2 activation options.
      • spec.geoIP2.maxmindAccountID
        integer

        MaxMind Account ID used to authenticate GeoIP2 database downloads.

        Required when licenseKey is set. If the account ID is provided, downloads are performed with the official geoipupdate tool (https://github.com/maxmind/geoipupdate), which skips unchanged databases and so conserves the license download limit.

        Allowed values: 1 <= X

      • spec.geoIP2.maxmindEditionIDs
        array of strings

        List of database revisions to download at startup.

        For details on GeoLite databases, refer to the MaxMind blog article.

        Default: [ "GeoLite2-City", "GeoLite2-ASN" ]

        • spec.geoIP2.maxmindEditionIDs.Element of the array
          string

          Allowed values: GeoIP2-Anonymous-IP, GeoIP2-Country, GeoIP2-City, GeoIP2-Connection-Type, GeoIP2-Domain, GeoIP2-ISP, GeoIP2-ASN, GeoLite2-ASN, GeoLite2-Country, GeoLite2-City

      • spec.geoIP2.maxmindLicenseKey
        string

        License key to download the GeoIP2 database.

        If the key is set in the configuration, the module downloads the GeoIP2 database every time the controller is started. For details on obtaining a key, refer to the MaxMind blog article.

      • spec.geoIP2.maxmindMirror
        object

        Mirror configuration for downloading GeoIP databases. If no parameter is specified or the parameter has an empty value, the default value will be used, which is https://download.maxmind.com.

        If this mirror is used to host preloaded archives, the licenseKey parameter may be omitted.

        • spec.geoIP2.maxmindMirror.ca
          string
          Custom CA certificate in PEM format for verifying TLS connections to the mirror.

          Example:


          ca: |
            -----BEGIN CERTIFICATE-----
            ...
            -----END CERTIFICATE-----
          
        • spec.geoIP2.maxmindMirror.insecureSkipVerify
          boolean
          Skip TLS certificate verification for the mirror, for example when using self-signed certificates.
        • spec.geoIP2.maxmindMirror.url
          string

          Required value

          The URL for downloading GeoIP databases.

          Pattern: ^https?://.+$

          Examples:


          url: https://mirror.local
          
          url: https://mirror.local/GeoLite2-City.tar.gz (absolute path to an archive)
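          The following manifest is an added example, not from the Deckhouse documentation, showing the maxmindMirror section configured for a private mirror with its own CA instead of disabling certificate verification. Assumptions: apiVersion deckhouse.io/v1, the resource name, and the mirror host https://mirror.local (the same host the page's own example uses); the certificate body is a placeholder.

```yaml
# Added example, not from the Deckhouse docs. The mirror host and the
# certificate body are placeholders.
apiVersion: deckhouse.io/v1
kind: IngressNginxController
metadata:
  name: main
spec:
  ingressClass: nginx
  inlet: HostPort
  hostPort:
    httpPort: 80
    httpsPort: 443
  geoIP2:
    maxmindEditionIDs:
    - GeoLite2-City
    - GeoLite2-ASN
    maxmindMirror:
      url: https://mirror.local
      # Weak setting, shown commented out: skipping verification means any
      # host that can intercept the download can serve a tampered database.
      # insecureSkipVerify: true
      # Preferred: trust the mirror's private CA explicitly.
      ca: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
    # maxmindLicenseKey / maxmindAccountID are omitted: the mirror hosts
    # preloaded archives, which the page says makes licenseKey optional.
```

          The databases are fetched on every controller start, so a mirror that serves preloaded archives over a properly verified TLS connection is the setting to use in environments without direct access to download.maxmind.com.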
          
    • spec.hostPort
      object
      Section of the HostPort inlet parameters.
      • spec.hostPort.acceptClientIPHeadersFrom
        array of strings
        Defines a list of trusted CIDR ranges that are known to send correct X-Forwarded-*/ProxyProtocol headers.

        Default: [ "0.0.0.0/0" ]

        Example:


        acceptClientIPHeadersFrom:
        - 192.168.0.0/24
        
        • spec.hostPort.acceptClientIPHeadersFrom.Element of the array
          string

          Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$

      • spec.hostPort.behindL7Proxy
        boolean

        Enables processing and passing of the incoming X-Forwarded-* headers.

        Caution. Before using that option, ensure that requests to the Ingress come from trusted sources only. To set restrictions, use the acceptRequestsFrom parameter.

      • spec.hostPort.httpPort
        integer

        Port for insecure HTTP connections.

        If the parameter is not set, HTTP connections cannot be established.

        This parameter is required if httpsPort is not set.

        Example:


        httpPort: 80
        
      • spec.hostPort.httpsPort
        integer

        Port for secure HTTPS connections.

        If the parameter is not set, HTTPS connections cannot be established.

        This parameter is required if httpPort is not set.

        Example:


        httpsPort: 443
        
      • spec.hostPort.realIPHeader
        string

        The header for identifying the original IP address of a client.

        This option works only if behindL7Proxy is enabled.

        Default: X-Forwarded-For

        Example:


        realIPHeader: CF-Connecting-IP
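        The two manifests below are an added example, not from the Deckhouse documentation. They illustrate the spec.acceptRequestsFrom parameter together with the hostPort parameters behindL7Proxy, acceptClientIPHeadersFrom and realIPHeader: the first shows the weak configuration in which client-IP headers are trusted from any address (the default), the second restricts both who may connect and whose headers are believed. Assumptions: apiVersion deckhouse.io/v1, the resource names, and the proxy subnet 10.10.0.0/24; the header name CF-Connecting-IP is the page's own example.

```yaml
# Added example, not from the Deckhouse docs. Assumed values: apiVersion,
# metadata.name and the 10.10.0.0/24 proxy subnet.
#
# Weak: behindL7Proxy is on, but acceptClientIPHeadersFrom is left at its
# default of 0.0.0.0/0, so any client that reaches the node port directly can
# supply its own X-Forwarded-For value and that value is logged and used.
apiVersion: deckhouse.io/v1
kind: IngressNginxController
metadata:
  name: edge-weak
spec:
  ingressClass: nginx
  inlet: HostPort
  hostPort:
    httpPort: 80
    httpsPort: 443
    behindL7Proxy: true
---
# Hardened: only the proxy subnet may open connections (nginx answers 444 to
# anyone else, checked against the real peer address), and only that subnet's
# client-IP header is honoured.
apiVersion: deckhouse.io/v1
kind: IngressNginxController
metadata:
  name: edge
spec:
  ingressClass: nginx
  inlet: HostPort
  acceptRequestsFrom:
  - 10.10.0.0/24
  hostPort:
    httpPort: 80
    httpsPort: 443
    behindL7Proxy: true
    realIPHeader: CF-Connecting-IP   # header the proxy actually sets
    acceptClientIPHeadersFrom:
    - 10.10.0.0/24
```

        Because the address verified by acceptRequestsFrom is always the peer address of the TCP connection, not a header value, a connection that bypasses the proxy is rejected before any forwarded header is consulted.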
        
    • spec.hostPortWithProxyProtocol
      object
      Section of the HostPortWithProxyProtocol inlet parameters.
      • spec.hostPortWithProxyProtocol.acceptClientIPHeadersFrom
        array of strings
        Defines a list of trusted CIDR ranges that are known to send correct X-Forwarded-*/ProxyProtocol headers.

        Default: [ "0.0.0.0/0" ]

        Example:


        acceptClientIPHeadersFrom:
        - 192.168.0.0/24
        
        • spec.hostPortWithProxyProtocol.acceptClientIPHeadersFrom.Element of the array
          string

          Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$

      • spec.hostPortWithProxyProtocol.httpPort
        integer

        Port for insecure HTTP connections.

        If the parameter is not set, HTTP connections cannot be established.

        This parameter is required if httpsPort is not set.

        Example:


        httpPort: 80
        
      • spec.hostPortWithProxyProtocol.httpsPort
        integer

        Port for secure HTTPS connections.

        If the parameter is not set, HTTPS connections cannot be established.

        This parameter is required if httpPort is not set.

        Example:


        httpsPort: 443
        
    • spec.hostPortWithSSLPassthrough
      object
      Section of the HostPortWithSSLPassthrough inlet parameters.
      • spec.hostPortWithSSLPassthrough.httpPort
        integer

        Port for insecure HTTP connections.

        If the parameter is not set, HTTP connections cannot be established.

        This parameter is required if httpsPort is not set.

        Example:


        httpPort: 80
        
      • spec.hostPortWithSSLPassthrough.httpsPort
        integer

        Port for secure HTTPS connections.

        If the parameter is not set, HTTPS connections cannot be established.

        This parameter is required if httpPort is not set.

        Example:


        httpsPort: 443
        
    • spec.hsts
      boolean
      Enables HTTP Strict-Transport-Security (HSTS) response headers. For details on HSTS headers, refer to the MDN Web Docs article.

      Default: false

    • spec.hstsOptions
      object
      HSTS parameters.
      • spec.hstsOptions.includeSubDomains
        boolean
        Applies HSTS parameters to all subdomains of a website.

        Default: false

      • spec.hstsOptions.maxAge
        string
        Time in seconds during which the browser remembers that the website is only accessible via HTTPS.

        Default: 31536000

        Pattern: ^[1-9][0-9]*$

        Example:


        maxAge: '31536000'
        
      • spec.hstsOptions.preload
        boolean

        Adds a website to the preload list.

        The list instructs browsers to establish connections to the specified websites over HTTPS only.

        Default: false

    • spec.ingressClass
      string

      Name of the Ingress class to use with the Ingress NGINX Controller.

      Using this option, you can create several controllers to use with a single Ingress class.

      If you set it to nginx, Ingress resources without the kubernetes.io/ingress.class annotation or the spec.ingressClassName field will be handled as well.

      Default: nginx

      Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

      Example:


      ingressClass: nginx
      
    • spec.inlet
      string

      Required value

      The way external traffic is routed to the cluster. Once you set the method, you cannot change it later.

      Allowed values:

      • LoadBalancer: The Ingress controller is deployed, and a LoadBalancer-type service is provisioned.

      • LoadBalancerWithProxyProtocol: The Ingress controller is deployed, and a LoadBalancer-type service is provisioned. The Ingress controller uses the proxy-protocol to get a real IP address of the client.

        Note. HTTP/3 (enableHTTP3) cannot be enabled with this inlet because QUIC is incompatible with PROXY protocol.

      • LoadBalancerWithSSLPassthrough: The Ingress controller is deployed, and a LoadBalancer-type service is provisioned. This option enables the SSL Passthrough feature, allowing backends to be configured to accept SSL traffic directly without termination at the Ingress controller.

        The SSL Passthrough feature is implemented by intercepting all traffic on the configured HTTPS port (default: 443) and routing it to a local TCP proxy. This implementation bypasses nginx completely and introduces a significant performance penalty.

        The SSL Passthrough protocol leverages Server Name Indication (SNI) and reads the virtual domain data from the TLS handshake protocol, which requires a compatible client.

        If no SSL Passthrough host matches the requested host name, the request is forwarded to NGINX on the configured SSL Passthrough proxy port (default: 442), which subsequently proxies the request to the default backend.

        Unlike HTTP backends, traffic to SSL Passthrough backends is routed to the ClusterIP of the backing service instead of individual endpoints.

        Since SSL Passthrough works at layer 4 of the OSI model (TCP) and not layer 7 (HTTP), using SSL Passthrough makes it impossible to use other annotations configured on an Ingress object.

      • HostPort: The Ingress controller is deployed and made available on node ports via hostPort.

      • HostPortWithProxyProtocol: The Ingress controller is deployed and made available on node ports via hostPort. The Ingress controller uses the proxy-protocol to get a real IP address of the client.

        Caution. When using this inlet, ensure that requests to the Ingress come from trusted sources only. To enforce it, use the acceptRequestsFrom parameter.

        Note. HTTP/3 (enableHTTP3) cannot be enabled with this inlet because QUIC is incompatible with PROXY protocol.

      • HostPortWithSSLPassthrough: The Ingress controller is deployed and made available on node ports via hostPort. This option enables the SSL Passthrough feature, allowing backends to be configured to accept SSL traffic directly without termination at the Ingress controller.

        Specify inlet parameters in the spec.hostPortWithSSLPassthrough section.

        The SSL Passthrough protocol leverages SNI and reads the virtual domain data from the TLS handshake protocol, which requires a compatible client.

        If no SSL Passthrough host matches the requested host name, the request is forwarded to NGINX on the configured SSL Passthrough proxy port (default: 442), which subsequently proxies the request to the default backend.

        The SSL Passthrough feature is implemented by intercepting all traffic on the configured HTTPS port (default: 443) and routing it to a local TCP proxy. This implementation bypasses nginx completely and introduces a significant performance penalty.

        Unlike HTTP backends, traffic to SSL Passthrough backends is routed to the ClusterIP of the backing service instead of individual endpoints.

        Since SSL Passthrough works at layer 4 of the OSI model (TCP) and not layer 7 (HTTP), using SSL Passthrough makes it impossible to use other annotations configured on an Ingress object.

      • HostWithFailover: Two Ingress controllers are deployed: a primary and a backup. The primary controller runs in a hostNetwork. If the primary controller pods are unavailable, traffic is routed to the backup controller.

        There can be only one controller with this inlet type on a single host.

        Ensure the following ports are available on the node: 80, 81, 443, 444, 4207, 4208.

        To change the inlet, remove the iptables rules and restart the kube-proxy pods or reboot the nodes hosting Ingress controllers.

        This inlet cannot be used if the enableIstioSidecar parameter is enabled.

        Note. When HTTP/3 (enableHTTP3) is enabled, it is applied only to the primary controller; the failover controller always runs without HTTP/3.

      Allowed values: LoadBalancer, LoadBalancerWithSSLPassthrough, LoadBalancerWithProxyProtocol, HostPort, HostPortWithSSLPassthrough, HostPortWithProxyProtocol, HostWithFailover

    • spec.legacySSL
      boolean

      Enables outdated versions of the TLS protocol and cipher suites.

      Enables the following TLS protocol versions: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3.

      Enables the following combinations of cipher suites in order from the strongest to the weakest: ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA256, ECDHE-RSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES256-SHA, ECDHE-ECDSA-AES128-SHA, ECDHE-RSA-AES128-SHA, AES256-GCM-SHA384, AES128-GCM-SHA256, AES256-SHA256, AES128-SHA256, AES256-SHA, AES128-SHA.

      By default, only TLSv1.2 and TLSv1.3 with the newest cipher suites are enabled.

    • spec.loadBalancer
      object
      Section of the LoadBalancer inlet parameters.
      • spec.loadBalancer.acceptClientIPHeadersFrom
        array of strings
        Defines a list of trusted CIDR ranges that are known to send correct X-Forwarded-*/ProxyProtocol headers.

        Default: [ "0.0.0.0/0" ]

        Example:


        acceptClientIPHeadersFrom:
        - 192.168.0.0/24
        
        • spec.loadBalancer.acceptClientIPHeadersFrom.Element of the array
          string

          Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$

      • spec.loadBalancer.annotations
        object

        Annotations to assign to the service for flexible configuration of the load balancer.

        The module does not take into account the specifics of setting annotations in different clouds.

        If annotations for provisioning a load balancer are only applied when creating a service, recreate the IngressNginxController resource to update respective parameters (or create a new resource and then delete the old one).

      • spec.loadBalancer.behindL7Proxy
        boolean

        Enables processing and passing of the incoming X-Forwarded-* headers.

        Caution. Before using that option, ensure that requests to the Ingress come from trusted sources only.

      • spec.loadBalancer.httpPort
        integer

        External port for insecure HTTP connections exposed by the provisioned LoadBalancer service.

        If neither httpPort nor httpsPort is set, the service exposes the standard ports 80 and 443. If at least one of these parameters is specified, the service will listen only to explicitly specified ports for the corresponding connection type. For connection types for which no parameter is specified, nothing changes: the standard port is listened to.

        Caution. Changing service ports may trigger provider-specific side effects (for example, recreating the LoadBalancer or changing its public IP address). Such behavior depends on the cloud implementation; test it before using it in production.

        Caution. ACME HTTP-01 challenges (e.g. Let’s Encrypt via cert-manager) require the Ingress controller to be reachable on TCP port 80. If you set httpsPort without httpPort, or set httpPort to a value other than 80, certificate issuance/renewal may stop working unless you use DNS-01 or forward port 80 to the controller externally.

        Caution. Many applications (including some Deckhouse module components) form absolute URLs and redirects without an explicit port (assuming standard ports 80/443). If you expose the Ingress controller on non-standard external ports, users may be redirected to the wrong port and links may be generated incorrectly; prefer using standard ports externally or configure external port forwarding/proxying.

        Default: 80

        Allowed values: 1 <= X <= 65535

      • spec.loadBalancer.httpsPort
        integer

        External port for secure HTTPS connections exposed by the provisioned LoadBalancer service.

        If neither httpPort nor httpsPort is set, the service exposes the standard ports 80 and 443. If at least one of these parameters is specified, the service will listen only to explicitly specified ports for the corresponding connection type. For connection types for which no parameter is specified, nothing changes: the standard port is listened to.

        Caution. Changing service ports may trigger provider-specific side effects (for example, recreating the LoadBalancer or changing its public IP address). Such behavior depends on the cloud implementation; test it before using it in production.

        Caution. Many applications (including some Deckhouse module components) form absolute URLs and redirects without an explicit port (assuming standard ports 80/443). If you set httpsPort to a non-standard value, users may be redirected to TCP port 443 and links may be generated incorrectly; prefer using standard ports externally or configure external port forwarding/proxying.

        Default: 443

        Allowed values: 1 <= X <= 65535

      • spec.loadBalancer.loadBalancerClass
        string
        Class of the load balancer for incoming network requests (passed to the spec.loadBalancerClass parameter of the provisioned service with the LoadBalancer type).
      • spec.loadBalancer.realIPHeader
        string

        The header for identifying the original IP address of a client.

        This option works only if behindL7Proxy is enabled.

        Default: X-Forwarded-For

        Example:

        realIPHeader: CF-Connecting-IP

      • spec.loadBalancer.sourceRanges
        array of strings

        List of IP addresses in the CIDR format that are allowed accessing the load balancer.

        Caution. A cloud provider may not support this option or ignore it.

        Providers supporting this option: AWS, Azure, GCP. Providers ignoring this option: Yandex Cloud.

        For other cloud providers, behavior may vary depending on the cloud implementation specifics. Test this option before using it in a production environment.

        • spec.loadBalancer.sourceRanges.Element of the array
          string

          Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$

    • spec.loadBalancerWithProxyProtocol
      object
      Section of the LoadBalancerWithProxyProtocol inlet parameters.
      • spec.loadBalancerWithProxyProtocol.acceptClientIPHeadersFrom
        array of strings
        Defines a list of trusted CIDR ranges that are known to send correct X-Forwarded-*/ProxyProtocol headers.

        Default: [ "0.0.0.0/0" ]

        Example:

        acceptClientIPHeadersFrom:
        - 192.168.0.0/24

        • spec.loadBalancerWithProxyProtocol.acceptClientIPHeadersFrom.Element of the array
          string

          Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$
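To show what a trusted-proxy list such as acceptClientIPHeadersFrom (and behindL7Proxy together with realIPHeader) actually decides, here is an added Python model of client-address resolution; it is an illustration written for this page, not the module's or nginx's code. The sample addresses and the right-to-left walk over the forwarding chain (an approximation of nginx real_ip_recursive behaviour) are assumptions.

```python
"""Added model of trusted-proxy client-IP resolution (not the module's code).

Assumption: the forwarding chain is walked right-to-left, skipping proxies that
sit inside the trusted CIDRs (an approximation of nginx real_ip_recursive).
"""
import ipaddress
from typing import Iterable, Mapping

# Constructed sample: the range from the acceptClientIPHeadersFrom example above.
TRUSTED_PROXIES = ["192.168.0.0/24"]


def _in_ranges(addr: str, ranges: Iterable[str]) -> bool:
    """True if addr falls inside any CIDR in ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in ranges)


def _is_ip(value: str) -> bool:
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def resolve_client_ip(peer_addr: str, headers: Mapping[str, str],
                      trusted_ranges: Iterable[str],
                      header_name: str = "X-Forwarded-For") -> str:
    """Return the address to treat as the client for logging and access rules.

    peer_addr is the address the TCP connection came from (original_address in
    the logs). The header is consulted only when that peer is a trusted proxy,
    so an untrusted peer cannot choose its own client address.
    """
    trusted = list(trusted_ranges)
    if not _in_ranges(peer_addr, trusted):
        return peer_addr  # untrusted peer: its header is ignored
    lookup = {k.lower(): v for k, v in headers.items()}
    hops = [h.strip() for h in lookup.get(header_name.lower(), "").split(",")
            if h.strip()]
    if not hops:
        return peer_addr  # trusted proxy but no header: fall back to the peer
    for hop in reversed(hops):
        if not _is_ip(hop):
            return peer_addr  # malformed chain: never trust it
        if not _in_ranges(hop, trusted):
            return hop  # first hop that is not one of our own proxies
    return hops[0]  # every hop was a trusted proxy: accept the leftmost claim


if __name__ == "__main__":
    forged = {"X-Forwarded-For": "10.0.0.1"}
    # Untrusted peer sending a forged header: the peer address wins.
    print(resolve_client_ip("203.0.113.7", forged, TRUSTED_PROXIES))
    # Trusted proxy relaying a real client through a second trusted hop.
    chain = {"X-Forwarded-For": "198.51.100.5, 192.168.0.9"}
    print(resolve_client_ip("192.168.0.10", chain, TRUSTED_PROXIES))
    # The default 0.0.0.0/0 trusts every peer, so the forged value is honoured.
    print(resolve_client_ip("203.0.113.7", forged, ["0.0.0.0/0"]))
```

The last call is the reason to narrow the default of [ "0.0.0.0/0" ] to the real proxy ranges: with it, any connecting host can set the address that ends up in logs and in address-based rules.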

      • spec.loadBalancerWithProxyProtocol.annotations
        object

        Annotations to assign to the service for flexible configuration of the load balancer.

        The module does not take into account the specifics of setting annotations in different clouds.

        If annotations for provisioning a load balancer are only applied when creating a service, recreate the IngressNginxController resource to update respective parameters (or create a new resource and then delete the old one).

      • spec.loadBalancerWithProxyProtocol.httpPort
        integer

        External port for insecure HTTP connections exposed by the provisioned LoadBalancer service.

        If neither httpPort nor httpsPort is set, the service exposes the standard ports 80 and 443. If at least one of these parameters is specified, the service will listen only to explicitly specified ports for the corresponding connection type. For connection types for which no parameter is specified, nothing changes: the standard port is listened to.

        Caution. Changing service ports may trigger provider-specific side effects (for example, recreating the LoadBalancer or changing its public IP address). Such behavior depends on the cloud implementation; test it before using it in production.

        Caution. ACME HTTP-01 challenges (e.g. Let’s Encrypt via cert-manager) require the Ingress controller to be reachable on TCP port 80. If you set httpsPort without httpPort, or set httpPort to a value other than 80, certificate issuance/renewal may stop working unless you use DNS-01 or forward port 80 to the controller externally.

        Caution. Many applications (including some Deckhouse module components) form absolute URLs and redirects without an explicit port (assuming standard ports 80/443). If you expose the Ingress controller on non-standard external ports, users may be redirected to the wrong port and links may be generated incorrectly; prefer using standard ports externally or configure external port forwarding/proxying.

        Default: 80

        Allowed values: 1 <= X <= 65535

      • spec.loadBalancerWithProxyProtocol.httpsPort
        integer

        External port for secure HTTPS connections exposed by the provisioned LoadBalancer service.

        If neither httpPort nor httpsPort is set, the service exposes the standard ports 80 and 443. If at least one of these parameters is specified, the service will listen only to explicitly specified ports for the corresponding connection type. For connection types for which no parameter is specified, nothing changes: the standard port is listened to.

        Caution. Changing service ports may trigger provider-specific side effects (for example, recreating the LoadBalancer or changing its public IP address). Such behavior depends on the cloud implementation; test it before using it in production.

        Caution. Many applications (including some Deckhouse module components) form absolute URLs and redirects without an explicit port (assuming standard ports 80/443). If you set httpsPort to a non-standard value, users may be redirected to TCP port 443 and links may be generated incorrectly; prefer using standard ports externally or configure external port forwarding/proxying.

        Default: 443

        Allowed values: 1 <= X <= 65535

      • spec.loadBalancerWithProxyProtocol.loadBalancerClass
        string
        Class of the load balancer for incoming network requests (passed to the spec.loadBalancerClass parameter of the provisioned service with the LoadBalancer type).
      • spec.loadBalancerWithProxyProtocol.sourceRanges
        array of strings

        List of IP addresses in the CIDR format that are allowed accessing the load balancer.

        Caution. A cloud provider may not support this option or ignore it.

        Providers supporting this option: AWS, Azure, GCP. Providers ignoring this option: Yandex Cloud.

        For other cloud providers, behavior may vary depending on the cloud implementation specifics. Test this option before using it in a production environment.

        • spec.loadBalancerWithProxyProtocol.sourceRanges.Element of the array
          string

          Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$

    • spec.loadBalancerWithSSLPassthrough
      object
      Section of the LoadBalancerWithSSLPassthrough inlet parameters.
      • spec.loadBalancerWithSSLPassthrough.annotations
        object

        Annotations to assign to the service for flexible configuration of the load balancer.

        The module does not take into account the specifics of setting annotations in different clouds.

        If annotations for provisioning a load balancer are only applied when creating a service, recreate the IngressNginxController resource to update respective parameters (or create a new resource and then delete the old one).

      • spec.loadBalancerWithSSLPassthrough.httpPort
        integer

        External port for insecure HTTP connections exposed by the provisioned LoadBalancer service.

        If neither httpPort nor httpsPort is set, the service exposes the standard ports 80 and 443. If at least one of these parameters is specified, the service will listen only to explicitly specified ports for the corresponding connection type. For connection types for which no parameter is specified, nothing changes: the standard port is listened to.

        Caution. Changing service ports may trigger provider-specific side effects (for example, recreating the LoadBalancer or changing its public IP address). Such behavior depends on the cloud implementation; test it before using it in production.

        Caution. ACME HTTP-01 challenges (e.g. Let’s Encrypt via cert-manager) require the Ingress controller to be reachable on TCP port 80. If you set httpsPort without httpPort, or set httpPort to a value other than 80, certificate issuance/renewal may stop working unless you use DNS-01 or forward port 80 to the controller externally.

        Caution. Many applications (including some Deckhouse module components) form absolute URLs and redirects without an explicit port (assuming standard ports 80/443). If you expose the Ingress controller on non-standard external ports, users may be redirected to the wrong port and links may be generated incorrectly; prefer using standard ports externally or configure external port forwarding/proxying.

        Default: 80

        Allowed values: 1 <= X <= 65535

      • spec.loadBalancerWithSSLPassthrough.httpsPort
        integer

        External port for secure HTTPS connections exposed by the provisioned LoadBalancer service.

        If neither httpPort nor httpsPort is set, the service exposes the standard ports 80 and 443. If at least one of these parameters is specified, the service will listen only to explicitly specified ports for the corresponding connection type. For connection types for which no parameter is specified, nothing changes: the standard port is listened to.

        Caution. Changing service ports may trigger provider-specific side effects (for example, recreating the LoadBalancer or changing its public IP address). Such behavior depends on the cloud implementation; test it before using it in production.

        Caution. Many applications (including some Deckhouse module components) form absolute URLs and redirects without an explicit port (assuming standard ports 80/443). If you set httpsPort to a non-standard value, users may be redirected to TCP port 443 and links may be generated incorrectly; prefer using standard ports externally or configure external port forwarding/proxying.

        Default: 443

        Allowed values: 1 <= X <= 65535

      • spec.loadBalancerWithSSLPassthrough.loadBalancerClass
        string
        Class of the load balancer for incoming network requests (passed to the spec.loadBalancerClass parameter of the provisioned service with the LoadBalancer type).
      • spec.loadBalancerWithSSLPassthrough.sourceRanges
        array of strings

        List of IP addresses in the CIDR format that are allowed accessing the load balancer.

        Caution. A cloud provider may not support this option or ignore it.

        Providers supporting this option: AWS, Azure, GCP. Providers ignoring this option: Yandex Cloud.

        For other cloud providers, behavior may vary depending on the cloud implementation specifics. Test this option before using it in a production environment.

        • spec.loadBalancerWithSSLPassthrough.sourceRanges.Element of the array
          string

          Pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$

    • spec.maxReplicas
      integer
      Maximum number of LoadBalancer, LoadBalancerWithProxyProtocol and LoadBalancerWithSSLPassthrough replicas for HPA.

      Default: 1

      Allowed values: 1 <= X

    • spec.minReplicas
      integer
      Minimum number of LoadBalancer, LoadBalancerWithProxyProtocol and LoadBalancerWithSSLPassthrough replicas for HPA.

      Default: 1

      Allowed values: 1 <= X

    • spec.nodeSelector
      object

      Same as the spec.nodeSelector parameter in Kubernetes Pods.

      If the parameter is omitted or set to false, Deckhouse will try to determine the value automatically.

      Use the format of a standard nodeSelector list. Instance pods inherit this field as is.

    • spec.resourcesRequests
      object

      Configures CPU and memory for controller Pods.

      In VPA mode, set bounds (min/max) and optional limit ratios for requests that VPA manages. In Static mode, set pod requests and optional limits under static.

      • spec.resourcesRequests.mode
        string

        Required value

        Resource request management mode.

        Default: VPA

        Allowed values: VPA, Static

      • spec.resourcesRequests.static
        object
        Static management mode parameters.
        • spec.resourcesRequests.static.cpu
          string
          Value for CPU requests.

          Default: 350m

        • spec.resourcesRequests.static.limits
          object
          Resource limits.
          • spec.resourcesRequests.static.limits.cpu
            string
            CPU limits.
          • spec.resourcesRequests.static.limits.memory
            string
            Memory limits.
        • spec.resourcesRequests.static.memory
          string
          Value for memory requests.

          Default: 500Mi

      • spec.resourcesRequests.vpa
        object
        Vertical Pod Autoscaler (VPA) mode parameters.
        • spec.resourcesRequests.vpa.cpu
          object
          Parameters of CPU request restrictions.
          • spec.resourcesRequests.vpa.cpu.limitRatio
            number

            The CPU limits/requests ratio.

            If set, the limits are calculated based on the requests and the specified ratio.

          • spec.resourcesRequests.vpa.cpu.max
            string
            Maximum value of allowed CPU requests to be submitted by the VPA.

            Default: 1500m

          • spec.resourcesRequests.vpa.cpu.min
            string
            Minimum value of allowed CPU requests to be submitted by the VPA.

            Default: 100m

        • spec.resourcesRequests.vpa.memory
          object
          Parameters of memory request restrictions.
          • spec.resourcesRequests.vpa.memory.limitRatio
            number

            The memory limits/requests ratio.

            If set, the limits are calculated based on the requests and the specified ratio.

          • spec.resourcesRequests.vpa.memory.max
            string
            Maximum value of allowed memory requests to be submitted by the VPA.

            Default: 2000Mi

          • spec.resourcesRequests.vpa.memory.min
            string
            Minimum value of allowed memory requests to be submitted by the VPA.

            Default: 500Mi

        • spec.resourcesRequests.vpa.mode
          string
          VPA usage mode.

          Default: Initial

          Allowed values: Initial, InPlaceOrRecreate

    • spec.tolerations
      array of objects

      Same as the spec.tolerations parameter in Kubernetes Pods.

      If the parameter is omitted or set to false, all the possible tolerations are automatically applied to the module’s Pods.

      Use the format of a standard toleration list. Instance pods inherit this field as is.

      • spec.tolerations.effect
        string

        Allowed values: NoSchedule, PreferNoSchedule, NoExecute

      • spec.tolerations.key
        string
      • spec.tolerations.operator
        string

        Default: Equal

        Allowed values: Exists, Equal

      • spec.tolerations.tolerationSeconds
        integer
      • spec.tolerations.value
        string
    • spec.underscoresInHeaders
      boolean

      Enables using the underscore symbol in headers.

      Default: false

    • spec.validationEnabled
      boolean

      Enables validation for Ingress rules.

      Warning. Enabling validation increases the load on the master nodes of the cluster.

      Default: true

    • spec.validationIsolationMode
      string

      Selects the validation isolation mode.

      Note. This configuration is applied only to controller versions 1.14 and 1.15.

      Supported modes:

      • NoIsolation: No isolation is applied during NGINX configuration validation. To minimize security risks, the validation scope is limited to a single Ingress object resulting in weak validation.
      • IsolatedFilesystem: NGINX configuration validation is executed in a separate file system with no access to the file system of the running NGINX server, effectively limiting the attack surface. The validation scope is limited by the ingressClass parameter, resulting in strong validation.
      • IsolatedProcess: NGINX configuration validation is executed inside a sandboxed environment where every syscall is traced. It is the most secure isolation mode limited by the ingressClass parameter.

      Note. IsolatedProcess mode is experimental and may not work in hardened environments where creating new user namespaces or using ptrace is prohibited.

      Note. IsolatedProcess requires containerd v2 running on target nodes.

      Default: NoIsolation

      Allowed values: NoIsolation, IsolatedFilesystem, IsolatedProcess

    • spec.waitLoadBalancerOnTerminating
      integer
      Number of seconds before the /healthz endpoint begins returning the 500 code when the pod enters the Terminating state.
  • status
    object
    • status.loadBalancer
      object
      • status.loadBalancer.hostname
        string
        Hostname of the load balancer.
      • status.loadBalancer.ip
        string
        IP address of the load balancer.