Skip to content

NGINX

Setup

For NGINX we will deploy two ingress controllers: Internal and External. Where External is either forwarded by your router or, for example, a cloudflare tunnel. Internal, however, is not routed anywhere and is used as a safe default to just have charts reached from your internal network only.

Example setup

Here are example values to configure both Internal and External Please note the IP variables that need to be set to your specific configuration wishes and the use of metallb, that also has to be configured correctly

Internal

controller:
replicaCount: 2
service:
externalTrafficPolicy: Local
annotations:
metallb.io/ip-allocated-from-pool: main
metallb.io/loadBalancerIPs: ${NGINX_INTERNAL_IP}
ingressClassByName: true
watchIngressWithoutClass: true
ingressClassResource:
name: internal
default: true
controllerValue: k8s.io/internal
config:
allow-snippet-annotations: true
annotations-risk-level: Critical
client-body-buffer-size: 100M
client-body-timeout: 120
client-header-timeout: 120
enable-brotli: "true"
enable-ocsp: "true"
enable-real-ip: "true"
force-ssl-redirect: "true"
hide-headers: Server,X-Powered-By
hsts-max-age: "31449600"
keep-alive-requests: 10000
keep-alive: 120
proxy-body-size: 0
proxy-buffer-size: 16k
proxy-busy-buffers-size: 32k
ssl-protocols: TLSv1.3 TLSv1.2
use-forwarded-headers: "true"
metrics:
enabled: true
extraArgs:
default-ssl-certificate: "clusterissuer/certificate-issuer-general-wildcard"
publish-status-address: ${NGINX_INTERNAL_IP}
terminationGracePeriodSeconds: 120
publishService:
enabled: false
resources:
requests:
cpu: 100m
limits:
memory: 500Mi
defaultBackend:
enabled: false

External

controller:
replicaCount: 2
service:
externalTrafficPolicy: Local
annotations:
metallb.io/ip-allocated-from-pool: main
metallb.io/loadBalancerIPs: ${NGINX_EXTERNAL_IP}
ingressClassByName: true
watchIngressWithoutClass: false
ingressClassResource:
name: external
default: false
controllerValue: k8s.io/external
config:
allow-snippet-annotations: true
annotations-risk-level: Critical
client-body-buffer-size: 100M
client-body-timeout: 120
client-header-timeout: 120
enable-brotli: "true"
enable-ocsp: "true"
enable-real-ip: "true"
force-ssl-redirect: "true"
hide-headers: Server,X-Powered-By
hsts-max-age: "31449600"
keep-alive-requests: 10000
keep-alive: 120
proxy-body-size: 0
proxy-buffer-size: 16k
proxy-busy-buffers-size: 32k
ssl-protocols: TLSv1.3 TLSv1.2
use-forwarded-headers: "true"
metrics:
enabled: true
extraArgs:
default-ssl-certificate: "clusterissuer/certificate-issuer-general-wildcard"
publish-status-address: ${NGINX_EXTERNAL_IP}
terminationGracePeriodSeconds: 120
publishService:
enabled: false
resources:
requests:
cpu: 100m
limits:
memory: 500Mi
defaultBackend:
enabled: false

Using the IngressClasses

You can set charts to use either of them by specifying either: ingressClassName: internal or ingressClassName: external

Nginx Integration examples

Our Common-Chart offers some Nginx Integrations which save some time compared to manually setting the annotations. These can be configured in the following section of the ingress which is disabled by default:

ingress:
main:
integrations:
nginx:
#disabled by default
enabled: true

In the following sections only the nginx part is shown for simplicity.

Authelia

nginx:
enabled: true
auth:
type: "authelia"
internalHost: "authelia.authelia.svc.cluster.local:9091"
externalHost: "auth.${DOMAIN_1}"
# Can be left default in most cases
responseHeaders: []

Authentik

When using Authentik, take care to configure the service as follows.

annotations:
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"

For domain-level forward auth, you must configure the embedded outpost first (please refer to Authentik’s docs). The basic steps are to create a provider and application, then enable the embedded outpost for your newly created application.

Once that has been done, configure each service you wish to place behind Authentik as follows:

nginx:
enabled: true
auth:
type: "authentik"
internalHost: "authentik-http.authentik.svc.cluster.local:10230"
externalHost: "auth.${DOMAIN_1}"
# Can be left default in most cases
responseHeaders: []

IP Whitelist

nginx:
enabled: true
ipWhitelist: [49.36.X.X/32]

Themepark

nginx:
enabled: true
themepark:
enabled: true
css: "https://gilbn.github.io/theme.park/CSS/themes/APP_NAME/THEME.css"

Annotations Examples

Here we will showcase some annotations you can use to customize your NGINX ingress behavior

Redirect to Https

annotations:
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"

Redirect-Regex

annotations:
nginx.ingress.kubernetes.io/configuration-snippet: |
rewrite ^/$ /admin permanent;