From b3f7050feee4a0944a55647a6875d2368d95e2da Mon Sep 17 00:00:00 2001
From: rohow <admin@dev.cm>
Date: Mon, 9 Mar 2026 14:45:36 +0800
Subject: [PATCH] feat(helm): enable real IP handling in helmchart and clean up
 nodelocaldns configuration

---
 apps/infra/net/nginx/helmchart.yaml |  2 ++
 apps/kube/coredns/nodelocaldns.yaml | 10 ----------
 2 files changed, 2 insertions(+), 10 deletions(-)

diff --git a/apps/infra/net/nginx/helmchart.yaml b/apps/infra/net/nginx/helmchart.yaml
index da3cbbe..57429e2 100644
--- a/apps/infra/net/nginx/helmchart.yaml
+++ b/apps/infra/net/nginx/helmchart.yaml
@@ -42,6 +42,8 @@ spec:
       enableAnnotationValidations: false
       config:
         use-forwarded-headers: "true"
+        enable-real-ip: "true"
+        proxy-real-ip-cidr: "10.0.0.0/8,100.64.0.0/10"
         allow-snippet-annotations: "true"
         annotations-risk-level: Critical
         # 启用http2
diff --git a/apps/kube/coredns/nodelocaldns.yaml b/apps/kube/coredns/nodelocaldns.yaml
index a7e9a76..0467b82 100644
--- a/apps/kube/coredns/nodelocaldns.yaml
+++ b/apps/kube/coredns/nodelocaldns.yaml
@@ -120,16 +120,6 @@ spec:
         prometheus.io/port: "9253"
         prometheus.io/scrape: "true"
     spec:
-      # 控制面板不启用
-      affinity:
-        nodeAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            nodeSelectorTerms:
-              - matchExpressions:
-                  - key: node-role.kubernetes.io/control-plane
-                    operator: NotIn
-                    values:
-                      - "true"
       priorityClassName: system-node-critical
       serviceAccountName: node-local-dns
       hostNetwork: true