-
-
Notifications
You must be signed in to change notification settings - Fork 2
/
ingress-nginx_argocd_appset.yaml
180 lines (160 loc) · 7.49 KB
/
ingress-nginx_argocd_appset.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
---
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: ingress-nginx-helm-appset
namespace: argocd
spec:
goTemplate: true
# generator allows us to source specific values from an external k8s secret
generators:
- plugin:
configMapRef:
name: secret-var-plugin-generator
input:
parameters:
secret_vars:
- global_time_zone
template:
metadata:
name: ingress-nginx-helm
spec:
project: ingress-nginx
destination:
server: 'https://kubernetes.default.svc'
namespace: ingress-nginx
syncPolicy:
syncOptions:
- ApplyOutOfSyncOnly=true
automated:
prune: true
selfHeal: true
source:
repoURL: 'https://kubernetes.github.io/ingress-nginx'
chart: ingress-nginx
targetRevision: 4.11.3
helm:
releaseName: 'ingress-nginx'
valuesObject:
controller:
# Mutually exclusive with keda autoscaling
autoscaling:
enabled: true
annotations: {}
minReplicas: 1
maxReplicas: 4
targetCPUUtilizationPercentage: 500
targetMemoryUtilizationPercentage: 500
behavior:
scaleDown:
stabilizationWindowSeconds: 60
policies:
- type: Pods
value: 1
periodSeconds: 30
scaleUp:
stabilizationWindowSeconds: 60
policies:
- type: Pods
value: 1
periodSeconds: 30
## Define requests resources to avoid probe issues due to CPU utilization in busy nodes
## ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903
## Ideally, there should be no limits.
## https://engineering.indeedblog.com/blog/2019/12/cpu-throttling-regression-fix/
resources:
limits:
cpu: 1000m
memory: 1024Mi
requests:
cpu: 100m
memory: 128Mi
config:
# set log format to json
log-format-escape-json: "true"
log-format-upstream: '{"time": "$time_iso8601", "x_forwarded_for": "$proxy_add_x_forwarded_for", "request_id": "$req_id", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "vhost": "$host", "remote_user": "$remote_user", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time,"method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent" }'
# always use 301 instead of a 308 redirect
http-redirect-code: "301"
# block all requests with no user-agent to kick out the annoying script kiddies
block-user-agents: ""
# show real ip in the logs
enable-real-ip: "true"
use-forwarded-headers: "true"
proxy-real-ip-cidr: "0.0.0.0/0"
# restrict old versions of tls, could break old browsers/phones
ssl-protocols: "TLSv1.3"
# Enables Online Certificate Status Protocol stapling (OCSP) support.
enable-ocsp: "true"
# reject SSL handshake to an unknown virtualhost. helps to
# mitigate the fingerprinting using default certificate of ingress
ssl-reject-handshake: "true"
# Enable Modsecurity and the OWASP Core rule set
enable-modsecurity: "true"
# Update ModSecurity config and rules
modsecurity-snippet: |
# plugins for rule exclusions
Include /etc/nginx/owasp-modsecurity-crs/plugins/argocd-rule-exclusions-before.conf
Include /etc/nginx/owasp-modsecurity-crs/plugins/grafana-rule-exclusions-before.conf
Include /etc/nginx/owasp-modsecurity-crs/plugins/home-assistant-rule-exclusions-before.conf
Include /etc/nginx/owasp-modsecurity-crs/plugins/matrix-rule-exclusions-before.conf
Include /etc/nginx/owasp-modsecurity-crs/plugins/nextcloud-rule-exclusions-before.conf
Include /etc/nginx/owasp-modsecurity-crs/plugins/postgres-s3-rule-exclusions-before.conf
Include /etc/nginx/owasp-modsecurity-crs/plugins/zitadel-rule-exclusions-before.conf
# OWASP Core Rule Set
Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf
# Enable prevention mode. Can be any of: DetectionOnly,On,Off (default is DetectionOnly)
SecRuleEngine Off
# Enable scanning of the request body
SecRequestBodyAccess On
# Enable XML parsing
SecRule REQUEST_HEADERS:Content-Type "(?:text|application(?:/soap\+|/)|application/xml)/" \
"id:200000,phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
# Enable JSON parsing
SecRule REQUEST_HEADERS:Content-Type "application/json" \
"id:200001,phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
# Note NGINX Ingress has its own annotations, keep in sync!
#
# Max request sizes in bytes (with/without files)
# 10Gb (default is 12.5Mb)
SecRequestBodyLimit 10740000000
# 10Gb (default is 128Kb)
SecRequestBodyNoFilesLimit 10740000000
# Reject if larger (we could also let it pass with ProcessPartial)
SecRequestBodyLimitAction Reject
# Send ModSecurity audit logs to the stdout (only for rejected requests)
SecAuditLog /dev/stdout
SecAuditLogFormat JSON
# could be On/Off/RelevantOnly
SecAuditEngine RelevantOnly
# we set the timezone on the pod, to make logs easier to read
extraEnvs:
- name: TZ
value: '{{ .global_time_zone }}'
extraVolumes:
- name: plugins
configMap:
name: modsecurity-plugins
extraVolumeMounts:
- name: plugins
mountPath: /etc/nginx/owasp-modsecurity-crs/plugins
# -- This configuration defines if Ingress Controller should allow users to set
# their own *-snippet annotations, otherwise this is forbidden / dropped
# when users add those annotations.
# Global snippets in ConfigMap are still respected
allowSnippetAnnotations: true
resources:
requests:
cpu: 100m
memory: 90Mi
service:
enabled: true
type: LoadBalancer
externalTrafficPolicy: 'Local'
external:
enabled: true
metrics:
enabled: true
serviceMonitor:
enabled: true
prometheusRule:
enabled: false