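---
# Flux HelmRelease for the ingress-nginx controller in the infra-net namespace.
# The controller image is the crowdsec-patched build and is pinned by digest;
# the crowdsec Lua bouncer is copied in by an init container and wired in via
# `plugins: "crowdsec"`. Non-secret overrides live here, secret-bearing values
# come from the infra-net-env Secret (valuesFrom).
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: ingress-nginx
  namespace: infra-net
spec:
  interval: 30m
  timeout: 15m
  chart:
    spec:
      chart: ingress-nginx
      # quoted: chart versions are strings, never numbers
      version: "4.13.2"
      sourceRef:
        kind: HelmRepository
        name: ingress-nginx
        namespace: infra-gitops
      interval: 12h
  valuesFrom:
    # secret-bearing values (merged over the inline `values` below)
    - kind: Secret
      name: infra-net-env
      valuesKey: ingress-nginx-values.yaml
  values:
    fullnameOverride: ingress-nginx
    controller:
      image:
        registry: docker.io
        image: crowdsecurity/controller
        tag: v1.13.2
        # digest wins over tag when both are set; keeps the pull immutable
        digest: sha256:4575be24781cad35f8e58437db6a3f492df2a3167fed2b6759a6ff0dc3488d56
      labels:
        devcm-log-collecting/enabled: "true"
      kind: DaemonSet
      # The controller shares each node's network namespace and binds its
      # listeners directly on the node (hostPort); there is no Service in
      # front of it, so it is reachable by anything that can reach the node.
      hostNetwork: true
      hostPort:
        enabled: true
      service:
        enabled: false
      publishService:
        enabled: false
      # Disable the chart's default annotation validation to prevent conflicts
      # (with annotations-risk-level: Critical below this also removes the last
      # guard on snippet annotations).
      enableAnnotationValidations: false
      config:
        # Real-IP handling: the client address is taken from X-Dev-Cm-Real-IP.
        # proxy-real-ip-cidr "0.0.0.0/0" trusts that header from EVERY source
        # address; because the controller is reachable directly via hostPort,
        # a client can set the header itself and the rewritten $remote_addr
        # then feeds limit_req_zone ($binary_remote_addr) and, presumably, the
        # crowdsec bouncer's decisions. Narrow this to the address ranges of
        # the proxy that actually sets the header, e.g.
        #   proxy-real-ip-cidr: "<upstream-proxy-cidr>"  # placeholder
        use-forwarded-headers: "true"
        enable-real-ip: "true"
        forwarded-for-header: "X-Dev-Cm-Real-IP"
        proxy-real-ip-cidr: "0.0.0.0/0"
        # Snippet annotations at risk level Critical let any author of an
        # Ingress object inject arbitrary nginx configuration into this
        # controller. Only keep this if Ingress creation is limited to trusted
        # namespaces / admission policy.
        allow-snippet-annotations: "true"
        annotations-risk-level: Critical
        # enable http2
        use-http2: "true"
        # http-to-https redirect
        ssl-redirect: "true"
        # custom error pages (served by the default backend)
        custom-http-errors: "403,404,502,503"
        # global rate-limit status codes
        limit-req-status-code: "429"
        limit-conn-status-code: "429"
        # Injected verbatim into the nginx http block: Lua CA bundle, a small
        # on-disk proxy cache under /tmp, and a global per-client request
        # limit (20 r/s, burst 50) keyed on $binary_remote_addr.
        http-snippet: |
          # lua插件配置
          lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
          # 缓存配置
          proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=cache:2m max_size=100m inactive=7d use_temp_path=off;
          proxy_cache_key $uri$is_args$args;
          proxy_cache_lock on;
          proxy_cache_use_stale updating;
          # 全局限速配置
          limit_req_zone $binary_remote_addr zone=global_limit:20m rate=20r/s;
          limit_req zone=global_limit burst=50 nodelay;
        # Injected verbatim into every server block: the cluster DNS resolver
        # (a duplicate-directive error results if placed in the http block)
        # and a /__static/ location proxied to the default backend. The
        # Service-Worker-Allowed "/" header lets a service worker served from
        # /__static/ register with root scope — intended, but note it applies
        # to every host this controller serves.
        server-snippet: |
          # dns配置 配置在http块下会出现重复配置 所以配置在server块下
          resolver 169.254.20.10 10.43.0.10 ipv6=off;
          # 代理全局静态资源 可提供serviceWorker的支持
          location ^~ /__static/ {
            proxy_pass http://ingress-nginx-defaultbackend.infra-net.svc.cluster.local/static/;
            proxy_set_header Host $host;
            add_header Service-Worker-Allowed "/";
          }
        # enable the geoip2 module (legacy geoip off)
        use-geoip: "false"
        use-geoip2: "true"
        # access log as one JSON object per request; "level" is a constant
        log-format-escape-json: "true"
        log-format-upstream: '{ "msec": "$msec", "connection": "$connection", "connection_requests": "$connection_requests", "pid": "$pid", "request_id": "$request_id", "request_length": "$request_length", "remote_addr": "$remote_addr", "remote_user": "$remote_user", "remote_port": "$remote_port", "time_local": "$time_local", "time_iso8601": "$time_iso8601", "request": "$request", "request_uri": "$request_uri", "args": "$args", "status": "$status", "body_bytes_sent": "$body_bytes_sent", "bytes_sent": "$bytes_sent", "http_referer": "$http_referer", "http_user_agent": "$http_user_agent", "http_x_forwarded_for": "$http_x_forwarded_for", "http_host": "$http_host", "http_upgrade": "$http_upgrade", "server_name": "$server_name", "request_time": "$request_time", "upstream": "$upstream_addr", "upstream_connect_time": "$upstream_connect_time", "upstream_header_time": "$upstream_header_time", "upstream_response_time": "$upstream_response_time", "upstream_response_length": "$upstream_response_length", "upstream_cache_status": "$upstream_cache_status", "ssl_protocol": "$ssl_protocol", "ssl_cipher": "$ssl_cipher", "scheme": "$scheme", "request_method": "$request_method", "server_protocol": "$server_protocol", "pipe": "$pipe", "gzip_ratio": "$gzip_ratio", "http_cf_ray": "$http_cf_ray", "geoip_country_code": "$geoip2_city_country_code", "geoip_city": "$geoip2_city", "geoip_org": "$geoip2_org", "geoip_longitude": "$geoip2_longitude", "geoip_latitude": "$geoip2_latitude", "level": "info" }'
        # crowdsec plugin: loaded from /etc/nginx/lua/plugins/crowdsec (see
        # extraVolumeMounts) with a 50m shared cache for decisions
        plugins: "crowdsec"
        lua-shared-dicts: "crowdsec_cache: 50m"
      extraArgs:
        default-ssl-certificate: "infra-net/dev-cm-crt"
      # crowdsec plugin bootstrap: the init container renders the bouncer
      # config from its env and copies the Lua plugin into the shared
      # emptyDir that the controller mounts as a plugin directory.
      extraInitContainers:
        - name: init-clone-crowdsec-bouncer
          # TODO(review): pinned by tag only, unlike the controller image;
          # consider adding a digest — image: crowdsecurity/lua-bouncer-plugin:v1.1.2@sha256:<digest>
          image: crowdsecurity/lua-bouncer-plugin:v1.1.2
          imagePullPolicy: IfNotPresent
          env:
            - name: SHELL
              value: "/bin/sh"
            # plain http to the in-cluster LAPI; the API key below travels
            # unencrypted on the pod network — acceptable only if that
            # network is trusted or encrypted by other means (confirm)
            - name: API_URL
              value: "http://crowdsec-service.infra-net.svc.cluster.local:8080"
            - name: API_KEY
              valueFrom:
                secretKeyRef:
                  name: infra-net-env
                  key: NET_CROWDSEC_BOUNCER_API_KEY
            - name: BOUNCER_CONFIG
              value: "/crowdsec/crowdsec-bouncer.conf"
            - name: MODE
              value: "live"
            - name: CACHE_EXPIRATION
              value: "3"
            - name: UPDATE_FREQUENCY
              value: "10"
            - name: REQUEST_TIMEOUT
              value: "1000"
            # captcha challenge via Turnstile; keys come from the Secret
            - name: CAPTCHA_PROVIDER
              value: "turnstile"
            - name: SITE_KEY
              valueFrom:
                secretKeyRef:
                  name: infra-net-env
                  key: NET_TURNSTILE_SITE_KEY
            - name: SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: infra-net-env
                  key: NET_TURNSTILE_SECRET_KEY
            # path inside the controller container (static configMap mount)
            - name: CAPTCHA_TEMPLATE_PATH
              value: "/etc/nginx/static/captcha.html"
          command: ['/bin/sh', '-c']
          # no `set -e`: a failing docker_start.sh still lets the copy run and
          # the init container succeed — verify the controller fails loudly
          # when the rendered config is missing
          args:
            - 'sh /docker_start.sh; mkdir -p /lua_plugins/crowdsec/; cp -R /crowdsec/* /lua_plugins/crowdsec/'
          volumeMounts:
            - name: crowdsec-bouncer-plugin
              mountPath: /lua_plugins
      extraVolumes:
        - name: crowdsec-bouncer-plugin
          emptyDir: {}
        - name: static
          configMap:
            name: static
      extraVolumeMounts:
        - name: crowdsec-bouncer-plugin
          mountPath: /etc/nginx/lua/plugins/crowdsec
          subPath: crowdsec
        - name: static
          mountPath: /etc/nginx/static
    defaultBackend:
      enabled: true
      image:
        registry: docker.io
        image: devcm/default-backend
        # TODO(review): tag-only reference; add a digest as for the controller
        tag: v0.2.0
      autoscaling:
        enabled: true
        minReplicas: 1
        maxReplicas: 3
        targetCPUUtilizationPercentage: 80
      # the same static configMap is served by the backend under /app/static
      # (proxied through /__static/ in the server-snippet above)
      extraVolumes:
        - name: static
          configMap:
            name: static
      extraVolumeMounts:
        - name: static
          mountPath: /app/static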