k3s/apps/infra/net/nginx/helmchart.yaml

apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: ingress-nginx
  namespace: infra-net
spec:
  repo: https://kubernetes.github.io/ingress-nginx
  chart: ingress-nginx
  version: 4.13.2
  targetNamespace: infra-net
  valuesContent: |-
    fullnameOverride: ingress-nginx
    controller:
      image:
        registry: docker.io
        image: crowdsecurity/controller
        tag: v1.13.2
        digest: sha256:4575be24781cad35f8e58437db6a3f492df2a3167fed2b6759a6ff0dc3488d56
      nodeSelector:
        svccontroller.k3s.cattle.io/enablelb: "true"
      tolerations:
        - key: "node-role.kubernetes.io/control-plane"
          operator: "Exists"
          effect: "NoSchedule"
      labels:
        devcm-log-collecting/enabled: "true"
      kind: DaemonSet
      hostNetwork: true
      hostPort:
        enabled: true
      # 添加 DNS 配置
      dnsPolicy: "None"
      dnsConfig:
        nameservers:
          - "169.254.20.10"
          - "10.43.0.10"
      service:
        enabled: false
      publishService:
        enabled: false
      # 禁用默认的注解验证以防止冲突
      enableAnnotationValidations: false
      config:
        use-forwarded-headers: "true"
        allow-snippet-annotations: "true"
        annotations-risk-level: Critical
        # 启用http2
        use-http2: "true"
        # http to https重定向
        ssl-redirect: "true"
        # 自定义错误页面
        custom-http-errors: "403,404,502,503"
        # 全局限速配置
        limit-req-status-code: "429"
        limit-conn-status-code: "429"
        http-snippet: |
          # lua插件配置
          lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
          # 缓存配置
          proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=cache:2m max_size=100m inactive=7d use_temp_path=off;
          proxy_cache_key $uri$is_args$args;
          proxy_cache_lock on;
          proxy_cache_use_stale updating;
          # 全局限速配置
          limit_req_zone $binary_remote_addr zone=global_limit:20m rate=20r/s;
          limit_req zone=global_limit burst=50 nodelay;
        server-snippet: |
          # dns配置 配置在http块下会出现重复配置 所以配置在server块下
          resolver 169.254.20.10 10.43.0.10 ipv6=off;
          # 代理全局静态资源 可提供serviceWorker的支持
          location ^~ /__static/ {
            proxy_pass http://ingress-nginx-defaultbackend.infra-net.svc.cluster.local/static/;
            proxy_set_header Host $host;
            add_header Service-Worker-Allowed "/";
          }
        # 启用geoip2模块
        use-geoip: "false"
        use-geoip2: "true"
        # 日志配置
        log-format-escape-json: "true"
        log-format-upstream: '{
          "msec": "$msec",
          "connection": "$connection",
          "connection_requests": "$connection_requests",
          "pid": "$pid",
          "request_id": "$request_id",
          "request_length": "$request_length",
          "remote_addr": "$remote_addr",
          "remote_user": "$remote_user",
          "remote_port": "$remote_port",
          "time_local": "$time_local",
          "time_iso8601": "$time_iso8601",
          "request": "$request",
          "request_uri": "$request_uri",
          "args": "$args",
          "status": "$status",
          "body_bytes_sent": "$body_bytes_sent",
          "bytes_sent": "$bytes_sent",
          "http_referer": "$http_referer",
          "http_user_agent": "$http_user_agent",
          "http_x_forwarded_for": "$http_x_forwarded_for",
          "http_host": "$http_host",
          "http_upgrade": "$http_upgrade",
          "server_name": "$server_name",
          "request_time": "$request_time",
          "upstream": "$upstream_addr",
          "upstream_connect_time": "$upstream_connect_time",
          "upstream_header_time": "$upstream_header_time",
          "upstream_response_time": "$upstream_response_time",
          "upstream_response_length": "$upstream_response_length",
          "upstream_cache_status": "$upstream_cache_status",
          "ssl_protocol": "$ssl_protocol",
          "ssl_cipher": "$ssl_cipher",
          "scheme": "$scheme",
          "request_method": "$request_method",
          "server_protocol": "$server_protocol",
          "pipe": "$pipe",
          "gzip_ratio": "$gzip_ratio",
          "http_cf_ray": "$http_cf_ray",
          "geoip_country_code": "$geoip2_city_country_code",
          "geoip_city": "$geoip2_city",
          "geoip_org": "$geoip2_org",
          "geoip_longitude": "$geoip2_longitude",
          "geoip_latitude": "$geoip2_latitude",
          "level": "info"
        }'
        # crowdsec插件配置
        plugins: "crowdsec"
        lua-shared-dicts: "crowdsec_cache: 50m"
      # 启用geoip2模块
      maxmindLicenseKey: "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"
      extraArgs:
        default-ssl-certificate: "infra-net/dev-cm-crt"
      # crowdsec插件配置
      extraInitContainers:
        - name: init-clone-crowdsec-bouncer
          image: crowdsecurity/lua-bouncer-plugin:v1.1.2
          imagePullPolicy: IfNotPresent
          env:
            - name: SHELL
              value: "/bin/sh"
            - name: API_URL
              value: "http://crowdsec-service.infra-net.svc.cluster.local:8080"
            - name: API_KEY
              value: "Y+21CixTaU4dHT88FjenubUTQ3hBtb66dRsh23TmDnw"
            - name: BOUNCER_CONFIG
              value: "/crowdsec/crowdsec-bouncer.conf"
            - name: MODE
              value: "live"
            - name: CACHE_EXPIRATION
              value: "3"
            - name: UPDATE_FREQUENCY
              value: "10"
            - name: REQUEST_TIMEOUT
              value: "1000"
            - name: CAPTCHA_PROVIDER
              value: "turnstile"
            - name: SITE_KEY
              value: "0x4AAAAAAAxJ2RPNWzn2LCc-"
            - name: SECRET_KEY
              value: "0x4AAAAAAAxJ2dwFOaNg5ae3c6wYTmWH0bU"
            - name: CAPTCHA_TEMPLATE_PATH
              value: /etc/nginx/static/captcha.html
          command: ['/bin/sh', '-c']
          args: ['sh /docker_start.sh; mkdir -p /lua_plugins/crowdsec/; cp -R /crowdsec/* /lua_plugins/crowdsec/']
          volumeMounts:
            - name: crowdsec-bouncer-plugin
              mountPath: /lua_plugins
      extraVolumes:
        - name: crowdsec-bouncer-plugin
          emptyDir: {}
        - name: static
          configMap:
            name: static
      extraVolumeMounts:
        - name: crowdsec-bouncer-plugin
          mountPath: /etc/nginx/lua/plugins/crowdsec
          subPath: crowdsec
        - name: static
          mountPath: /etc/nginx/static
    defaultBackend:
      enabled: true
      image:
        registry: docker.io
        image: devcm/default-backend
        tag: v0.2.0
      autoscaling:
        enabled: true
        minReplicas: 1
        maxReplicas: 3
        targetCPUUtilizationPercentage: 80
      extraVolumes:
        - name: static
          configMap:
            name: static
      extraVolumeMounts:
        - name: static
          mountPath: /app/static
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: topology.kubernetes.io/region
                    operator: In
                    values:
                      - "cn-sh"
                      - "cn-hk"