NGINX
Setup
For NGINX we deploy two ingress controllers: Internal and External. External is the one reachable from the Internet, either port-forwarded by your router or published through something like a Cloudflare tunnel. Internal is not routed anywhere outside your LAN and serves as the safe default, so charts are reachable from your internal network only unless you explicitly opt them into External.
Example setup
Here are example values to configure both Internal and External. Note the IP variables, which must be set to the addresses you want each controller to listen on, and the use of MetalLB, which also has to be configured correctly. Both examples set allow-snippet-annotations: true with annotations-risk-level: Critical; this allows anyone who can create an Ingress object to inject raw NGINX configuration (which the configuration-snippet redirect example further down relies on), so only keep it where everyone with Ingress rights in the cluster is trusted.
Internal
controller:
  replicaCount: 2
  service:
    externalTrafficPolicy: Local
    annotations:
      metallb.io/ip-allocated-from-pool: main
      metallb.io/loadBalancerIPs: ${NGINX_INTERNAL_IP}
  ingressClassByName: true
  # Internal is the default class and also picks up Ingresses without any class
  watchIngressWithoutClass: true
  ingressClassResource:
    name: internal
    default: true
    controllerValue: k8s.io/internal
  config:
    allow-snippet-annotations: true
    annotations-risk-level: Critical
    client-body-buffer-size: 100M
    client-body-timeout: 120
    client-header-timeout: 120
    enable-brotli: "true"
    enable-ocsp: "true"
    enable-real-ip: "true"
    force-ssl-redirect: "true"
    hide-headers: Server,X-Powered-By
    hsts-max-age: "31449600"
    keep-alive-requests: 10000
    keep-alive: 120
    proxy-body-size: 0
    proxy-buffer-size: 16k
    proxy-busy-buffers-size: 32k
    ssl-protocols: TLSv1.3 TLSv1.2
    use-forwarded-headers: "true"
  metrics:
    enabled: true
  extraArgs:
    default-ssl-certificate: "clusterissuer/certificate-issuer-general-wildcard"
    publish-status-address: ${NGINX_INTERNAL_IP}
  terminationGracePeriodSeconds: 120
  publishService:
    enabled: false
  resources:
    requests:
      cpu: 100m
    limits:
      memory: 500Mi
defaultBackend:
  enabled: false
External
controller:
  replicaCount: 2
  service:
    externalTrafficPolicy: Local
    annotations:
      metallb.io/ip-allocated-from-pool: main
      metallb.io/loadBalancerIPs: ${NGINX_EXTERNAL_IP}
  ingressClassByName: true
  # External only serves Ingresses that explicitly request the external class
  watchIngressWithoutClass: false
  ingressClassResource:
    name: external
    default: false
    controllerValue: k8s.io/external
  config:
    allow-snippet-annotations: true
    annotations-risk-level: Critical
    client-body-buffer-size: 100M
    client-body-timeout: 120
    client-header-timeout: 120
    enable-brotli: "true"
    enable-ocsp: "true"
    enable-real-ip: "true"
    force-ssl-redirect: "true"
    hide-headers: Server,X-Powered-By
    hsts-max-age: "31449600"
    keep-alive-requests: 10000
    keep-alive: 120
    proxy-body-size: 0
    proxy-buffer-size: 16k
    proxy-busy-buffers-size: 32k
    ssl-protocols: TLSv1.3 TLSv1.2
    use-forwarded-headers: "true"
  metrics:
    enabled: true
  extraArgs:
    default-ssl-certificate: "clusterissuer/certificate-issuer-general-wildcard"
    publish-status-address: ${NGINX_EXTERNAL_IP}
  terminationGracePeriodSeconds: 120
  publishService:
    enabled: false
  resources:
    requests:
      cpu: 100m
    limits:
      memory: 500Mi
defaultBackend:
  enabled: false
Using the IngressClasses
You can point a chart at either controller by setting one of the following in its ingress configuration:
ingressClassName: internal
or
ingressClassName: external
Nginx Integration examples
Our Common-Chart offers several NGINX integrations that save time compared to setting the annotations by hand.
These are configured in the following section of the ingress, which is disabled by default:
ingress:
  main:
    integrations:
      nginx:
        enabled: true  # disabled by default
In the following sections only the nginx part is shown for simplicity.
Authelia
nginx:
  enabled: true
  auth:
    type: "authelia"
    internalHost: "authelia.authelia.svc.cluster.local:9091"
    externalHost: "auth.${DOMAIN_1}"
    responseHeaders: []  # Can be left default in most cases
Authentik
When using Authentik, take care to configure the Authentik service's own ingress with the following annotations:
annotations:
  nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  nginx.ingress.kubernetes.io/ssl-passthrough: "true"
  nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
For domain-level forward auth, you must configure the embedded outpost first (please refer to Authentik’s docs). The basic steps are to create a provider and application, then enable the embedded outpost for your newly created application.
Once that has been done, configure each service you wish to place behind Authentik as follows:
nginx:
  enabled: true
  auth:
    type: "authentik"
    internalHost: "authentik-http.authentik.svc.cluster.local:10230"
    externalHost: "auth.${DOMAIN_1}"
    responseHeaders: []  # Can be left default in most cases
IP Whitelist
nginx:
  enabled: true
  ipWhitelist: [49.36.X.X/32]  # CIDRs allowed to reach this ingress; everything else gets 403
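Because Internal is the default class and also watches class-less Ingresses while External only serves Ingresses that ask for it, a quick audit of which class each Ingress resolves to, and which external ones carry neither an auth nor a whitelist integration, is a useful check before exposing anything. The following is an added example, not code from the Common-Chart or ingress-nginx; it assumes the auth and ipWhitelist integrations render the standard ingress-nginx auth-url and whitelist-source-range annotations, and runs over a constructed sample shaped like the items of `kubectl get ingress -A -o json`.

```python
"""Audit Ingress objects against the Internal/External split described above."""
import json

AUTH_URL = "nginx.ingress.kubernetes.io/auth-url"            # emitted by the auth integration (assumed)
WHITELIST = "nginx.ingress.kubernetes.io/whitelist-source-range"  # emitted by ipWhitelist (assumed)
DEFAULT_CLASS = "internal"  # ingressClassResource.default: true on the Internal controller


def resolve_class(ingress: dict) -> str:
    """Return the ingress class this object will be served by."""
    cls = ingress.get("spec", {}).get("ingressClassName")
    if cls:
        return cls
    # Legacy annotation, still honoured by ingress-nginx when present.
    legacy = (ingress.get("metadata", {}).get("annotations") or {}).get("kubernetes.io/ingress.class")
    return legacy or DEFAULT_CLASS  # no class at all lands on Internal (watchIngressWithoutClass)


def audit(ingresses: list) -> list:
    """One finding per Ingress: resolved class and whether an External one is unprotected."""
    findings = []
    for ing in ingresses:
        meta = ing.get("metadata", {})
        ann = meta.get("annotations") or {}
        cls = resolve_class(ing)
        protected = AUTH_URL in ann or WHITELIST in ann
        findings.append({
            "name": f'{meta.get("namespace", "default")}/{meta.get("name")}',
            "class": cls,
            "exposed_unprotected": cls == "external" and not protected,
        })
    return findings


# Constructed sample: one protected external app, one bare external app, one class-less app.
SAMPLE = [
    {"metadata": {"namespace": "media", "name": "jellyfin",
                  "annotations": {AUTH_URL: "http://authelia.authelia.svc.cluster.local:9091/api/verify"}},
     "spec": {"ingressClassName": "external"}},
    {"metadata": {"namespace": "media", "name": "radarr", "annotations": {}},
     "spec": {"ingressClassName": "external"}},
    {"metadata": {"namespace": "home", "name": "grafana"}, "spec": {}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(json.dumps(finding))
```

Run it against real cluster output by replacing SAMPLE with the `items` list from `kubectl get ingress -A -o json`; any finding with exposed_unprotected set to true is reachable from the Internet with no forward-auth and no source-IP restriction.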
Themepark
nginx:
  enabled: true
  themepark:
    enabled: true
    css: "https://gilbn.github.io/theme.park/CSS/themes/APP_NAME/THEME.css"
Annotations Examples
Here we showcase some annotations you can use to customize the behavior of your NGINX ingress.
Redirect to Https
annotations:
  nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"  # proxy to the upstream service over HTTPS
Redirect-Regex
annotations:
  nginx.ingress.kubernetes.io/configuration-snippet: |
    rewrite ^/$ /admin permanent;