k3s/apps/infra/net/nginx/helmchart.yaml

# k3s HelmChart resource: installs the ingress-nginx chart into the infra-net
# namespace, with the chart values supplied inline through valuesContent.
# Indentation below is reconstructed from a flattened listing; verify it
# against the repository copy before applying.
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: ingress-nginx
  namespace: infra-net
spec:
  repo: https://kubernetes.github.io/ingress-nginx
  chart: ingress-nginx
  # NOTE(review): the chart version is pinned; confirm this pin still carries
  # the ingress-nginx security fixes this cluster needs.
  version: 4.10.0
  targetNamespace: infra-net
  # NOTE(review): everything under valuesContent is committed as plain text.
  # Three values below are credentials (maxmindLicenseKey, API_KEY,
  # SECRET_KEY); treat them as exposed and rotate them.
  valuesContent: |-
    fullnameOverride: ingress-nginx
    controller:
      # Run only on nodes labelled as load-balancer nodes, and tolerate the
      # master NoSchedule taint so those nodes are eligible.
      nodeSelector:
        svccontroller.k3s.cattle.io/enablelb: "true"
      tolerations:
        - key: "node-role.kubernetes.io/master"
          operator: "Exists"
          effect: "NoSchedule"
      labels:
        log-collecting/enabled: "true"
      # One controller pod per selected node, bound to the node's own network.
      # The Service is disabled, so traffic reaches nginx on the node addresses.
      # NOTE(review): with hostNetwork the pod shares the node's network
      # namespace; node-level firewalling is the only filter in front of it.
      kind: DaemonSet
      hostNetwork: true
      hostPort:
        enabled: true
      service:
        enabled: false
      publishService:
        enabled: false
      config:
        # NOTE(review): nginx will trust X-Forwarded-* headers sent by the
        # peer. That is only sound if every request arrives through a trusted
        # proxy (the log format reads $http_cf_ray, so presumably a CDN sits in
        # front - confirm). If clients can reach the node ports directly they
        # can choose the client address that ends up in logs and, presumably,
        # in the crowdsec bouncer's decisions.
        use-forwarded-headers: "true"
        # NOTE(review): this lets Ingress objects carry raw nginx configuration
        # in *-snippet annotations. Anyone who can create or edit an Ingress
        # can then change nginx behaviour with the controller's privileges.
        # Set to "false" unless an Ingress here needs it, and restrict Ingress
        # write access with RBAC if it stays on. The http-snippet and
        # server-snippet keys below are ConfigMap settings, not annotations
        # (as far as I know they do not depend on this flag - verify).
        allow-snippet-annotations: "true"
        # Redirect HTTP to HTTPS
        ssl-redirect: "true"
        # Custom error pages
        custom-http-errors: "403,404,502,503"
        # Cache configuration
        # NOTE(review): the cache key is $uri$is_args$args, with no host or
        # scheme. Any location that enables this zone would share entries
        # across hostnames; confirm that is intended, or add $scheme$host.
        http-snippet: |
          proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=cache:2m max_size=100m inactive=7d use_temp_path=off;
          proxy_cache_key $uri$is_args$args;
          proxy_cache_lock on;
          proxy_cache_use_stale updating;
        # DNS configuration
        # (presumably a node-local DNS cache and the cluster DNS service -
        # confirm the addresses)
        server-snippet : |
          resolver 169.254.20.10 10.43.0.10 ipv6=off;
        # Enable the geoip2 module
        use-geoip: "false"
        use-geoip2: "true"
        # Logging configuration
        # Access log is emitted as one JSON object per request, with values
        # JSON-escaped.
        # NOTE(review): $request_uri, $args, $http_referer and $remote_user are
        # logged verbatim, so tokens passed in URLs reach the log pipeline;
        # restrict access to these logs accordingly.
        log-format-escape-json: "true"
        log-format-upstream: '{
          "msec": "$msec",
          "connection": "$connection",
          "connection_requests": "$connection_requests",
          "pid": "$pid",
          "request_id": "$request_id",
          "request_length": "$request_length",
          "remote_addr": "$remote_addr",
          "remote_user": "$remote_user",
          "remote_port": "$remote_port",
          "time_local": "$time_local",
          "time_iso8601": "$time_iso8601",
          "request": "$request",
          "request_uri": "$request_uri",
          "args": "$args",
          "status": "$status",
          "body_bytes_sent": "$body_bytes_sent",
          "bytes_sent": "$bytes_sent",
          "http_referer": "$http_referer",
          "http_user_agent": "$http_user_agent",
          "http_x_forwarded_for": "$http_x_forwarded_for",
          "http_host": "$http_host",
          "http_upgrade": "$http_upgrade",
          "server_name": "$server_name",
          "request_time": "$request_time",
          "upstream": "$upstream_addr",
          "upstream_connect_time": "$upstream_connect_time",
          "upstream_header_time": "$upstream_header_time",
          "upstream_response_time": "$upstream_response_time",
          "upstream_response_length": "$upstream_response_length",
          "upstream_cache_status": "$upstream_cache_status",
          "ssl_protocol": "$ssl_protocol",
          "ssl_cipher": "$ssl_cipher",
          "scheme": "$scheme",
          "request_method": "$request_method",
          "server_protocol": "$server_protocol",
          "pipe": "$pipe",
          "gzip_ratio": "$gzip_ratio",
          "http_cf_ray": "$http_cf_ray",
          "geoip_country_code": "$geoip2_city_country_code",
          "geoip_city": "$geoip2_city",
          "geoip_org": "$geoip2_org",
          "geoip_longitude": "$geoip2_longitude",
          "geoip_latitude": "$geoip2_latitude"
          }'
        # crowdsec plugin configuration
        plugins: "crowdsec"
        lua-shared-dicts: "crowdsec_cache: 50m"
      # Enable the geoip2 module
      # NOTE(review): licence key committed in plain text. Rotate it and
      # supply it from a source that is not in version control.
      maxmindLicenseKey: "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"
      extraArgs:
        default-ssl-certificate: "infra-net/dev-cm-crt"
      # crowdsec plugin configuration
      # The init container fills this emptyDir with the bouncer plugin; the
      # controller then mounts its crowdsec/ subdirectory as a Lua plugin.
      extraVolumes:
        - name: crowdsec-bouncer-plugin
          emptyDir: {}
      extraInitContainers:
        - name: init-clone-crowdsec-bouncer
          # NOTE(review): no tag or digest, and IfNotPresent means whatever
          # image is already cached on the node gets used. This image's code
          # ends up loaded inside the ingress controller, so pin it by digest.
          image: devcm/lua-bouncer-plugin
          imagePullPolicy: IfNotPresent
          env:
            # NOTE(review): plain http, so the bouncer key crosses the
            # cluster network unencrypted.
            - name: API_URL
              value: "http://crowdsec-service.infra-monitor.svc.cluster.local:8080"
            # NOTE(review): bouncer API key in plain text. Rotate it and load
            # it with valueFrom.secretKeyRef instead of value.
            - name: API_KEY
              value: "rgILO2mh/t+30LMvzyyMXbfHRmDfBkDDkhEflzHaoQ0"
            - name: BOUNCER_CONFIG
              value: "/crowdsec/crowdsec-bouncer.conf"
            - name: CAPTCHA_PROVIDER
              value: "turnstile"
            # SITE_KEY is presumably the public half of the captcha key pair
            # (confirm); SECRET_KEY is not public.
            - name: SITE_KEY
              value: "0x4AAAAAAAxJ2RPNWzn2LCc-"
            # NOTE(review): captcha secret in plain text. Rotate it and load
            # it with valueFrom.secretKeyRef instead of value.
            - name: SECRET_KEY
              value: "0x4AAAAAAAxJ2dwFOaNg5ae3c6wYTmWH0bU"
            - name: CAPTCHA_TEMPLATE_PATH
              value: /etc/nginx/lua/plugins/crowdsec/templates/captcha.html
          # Runs the image's start script, then copies /crowdsec/* into the
          # shared volume. The copied bouncer config presumably contains the
          # keys above, readable by anything in the controller pod - confirm.
          command: ['sh', '-c', "bash /docker_start.sh; mkdir -p /lua_plugins/crowdsec/; cp -R /crowdsec/* /lua_plugins/crowdsec/"]
          volumeMounts:
            - name: crowdsec-bouncer-plugin
              mountPath: /lua_plugins
      extraVolumeMounts:
        - name: crowdsec-bouncer-plugin
          mountPath: /etc/nginx/lua/plugins/crowdsec
          subPath: crowdsec
    # Default backend serving the custom error pages from the custom-html
    # ConfigMap, mounted at /www.
    defaultBackend:
      enabled: true
      image:
        registry: registry.k8s.io
        image: ingress-nginx/custom-error-pages
        # NOTE(review): pinned by tag only; a digest would also fix the
        # image content.
        tag: v1.0.1
      extraVolumes:
        - name: custom-html
          configMap:
            name: custom-html
      extraVolumeMounts:
        - name: custom-html
          mountPath: /www
      # Deploy on the same nodes as the controller
      nodeSelector:
        svccontroller.k3s.cattle.io/enablelb: "true"