- Note: this chart is downstream of the upstream ingress-nginx chart, so these options should also work with a standard ingress-nginx deployment; adjust the chart name and namespace accordingly.
- Substitute your own cipher suite list as desired. The `ssl-ciphers` list below names TLS 1.2 suites; with `ssl-protocols: TLSv1.3` alone, NGINX negotiates only the TLS 1.3 suites, so this list takes effect only if TLS 1.2 is added back to `ssl-protocols`.

```yaml
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |-
    controller:
      config:
        disable-access-log: "false"
        ssl-ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-protocols: TLSv1.3
        # quoted so YAML does not turn "off" into a boolean; ingress-nginx expects a string
        ssl-prefer-server-ciphers: "off"
```
- Granular logging for the ingress: also write access-log entries for requests that fall through to the default backend (these are otherwise not logged).

```yaml
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |-
    controller:
      config:
        enable-access-log-for-default-backend: "true"
```
- Turns on HTTP Strict Transport Security (HSTS). Leave `hsts-preload` off unless you intend to submit the domain to the browser preload lists, as preloading is hard to undo.

```yaml
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |-
    controller:
      config:
        hsts: "true"
        hsts-include-subdomains: "true"
        hsts-max-age: "15550000" # 180 Days for Example
        hsts-preload: "false"
```
- Used for containers that require TLS termination at the pod directly (SSL passthrough). `use-forwarded-headers` makes the controller trust `X-Forwarded-*` headers from clients; only enable it when the controller sits behind a trusted load balancer or proxy that sets those headers, otherwise clients can spoof them.

```yaml
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |-
    controller:
      config:
        use-forwarded-headers: "true"
      extraArgs:
        enable-ssl-passthrough: "true"
```
- Forces HTTP to HTTPS redirects and relaxes proxy limits: unlimited request body size, 30 minute read/send timeouts, and no request buffering.

```yaml
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |-
    controller:
      config:
        force-ssl-redirect: "true"
        proxy-body-size: "0"
        proxy-read-timeout: "1800"
        proxy-request-buffering: "off"
        proxy-send-timeout: "1800"
```
- Disable if you don't want port 80 or 443 exposed on the host directly.

```yaml
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |-
    controller:
      hostNetwork: false
      hostPort:
        enabled: false
```
- Creates a Service for the controller and publishes its address in the Ingress status (pair this with the host networking/host port block above when you want traffic to enter through a Service instead of node ports 80/443).

```yaml
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |-
    controller:
      publishService:
        enabled: true
      service:
        enabled: true
```
- Serves a trusted default certificate for any host that has no matching Ingress TLS secret, including requests that end up at the default backend because the backend service is unreachable.

```yaml
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |-
    controller:
      extraArgs:
        # create a TLS secret in your default namespace and set it as "namespace/secret-name"
        default-ssl-certificate: default/rke2-cert-nginx
```
Enable Snippets | Snippets How-to

- This is an advanced option and has security implications: snippet annotations let anyone who can create an Ingress object inject raw NGINX configuration into the shared controller, so only enable them where Ingress authors are trusted.

```yaml
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |-
    controller:
      enableSnippets:
        enabled: true
```

OR

```yaml
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |-
    controller:
      allowSnippetAnnotations: "true"
```
- Useful if you want to isolate or force-deploy this application onto specific tainted node(s). Replace `"key"` with the taint key used on those nodes.

```yaml
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |-
    controller:
      tolerations:
        - key: "key"
          operator: "Exists"
          effect: "NoSchedule"
```
- Annotates the controller metrics Service so Prometheus scrapes it on port 10254.

```yaml
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |-
    controller:
      metrics:
        service:
          annotations:
            prometheus.io/scrape: "true"
            prometheus.io/port: "10254"
```
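All of the snippets above target the one HelmChartConfig named `rke2-ingress-nginx` in `kube-system`, so applying them as separate manifests makes each one replace the previous `valuesContent` rather than add to it. The script below, an added example that is not part of the original page or of the RKE2 project, deep-merges several such fragments into a single manifest and then lints the merged values for the hardening settings this page describes (TLS 1.3 only, HSTS on, snippets and host networking off). It assumes PyYAML is installed; the fragments it consumes are constructed samples in the same shape as the page's snippets, and the function names (`merged_values`, `render_helmchartconfig`, `lint_values`) are this example's own.

```python
"""Merge rke2-ingress-nginx HelmChartConfig fragments into one manifest and lint it."""
import yaml  # assumption: PyYAML is available

# Constructed sample: three fragments in the same shape as the page's snippets.
# Applied one by one, each would overwrite the previous valuesContent because
# they all address the single HelmChartConfig named rke2-ingress-nginx.
SAMPLE_FRAGMENTS = """\
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |-
    controller:
      config:
        ssl-protocols: TLSv1.3
        ssl-prefer-server-ciphers: "off"
---
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |-
    controller:
      config:
        hsts: "true"
        hsts-include-subdomains: "true"
        hsts-max-age: 15550000
---
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |-
    controller:
      allowSnippetAnnotations: "true"
      hostNetwork: false
"""


def deep_merge(base, extra):
    """Recursively merge `extra` into `base`; scalars from `extra` win."""
    for key, value in extra.items():
        if isinstance(value, dict) and isinstance(base.get(key), dict):
            deep_merge(base[key], value)
        else:
            base[key] = value
    return base


def merged_values(fragments_text, name="rke2-ingress-nginx"):
    """Return the deep-merged Helm values of every HelmChartConfig named `name`."""
    values = {}
    for doc in yaml.safe_load_all(fragments_text):
        if not doc or doc.get("kind") != "HelmChartConfig":
            continue
        if (doc.get("metadata") or {}).get("name") != name:
            continue
        content = (doc.get("spec") or {}).get("valuesContent", "")
        deep_merge(values, yaml.safe_load(content) or {})
    return values


def render_helmchartconfig(values, name="rke2-ingress-nginx", namespace="kube-system"):
    """Emit one HelmChartConfig manifest carrying the merged values as a string."""
    manifest = {
        "apiVersion": "helm.cattle.io/v1",
        "kind": "HelmChartConfig",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {"valuesContent": yaml.safe_dump(values, sort_keys=True)},
    }
    return yaml.safe_dump(manifest, sort_keys=False)


def lint_values(values):
    """Flag merged values that weaken the hardening described on the page."""
    findings = []
    controller = values.get("controller") or {}
    config = controller.get("config") or {}

    protocols = str(config.get("ssl-protocols", "")).split()
    if not protocols or any(p != "TLSv1.3" for p in protocols):
        findings.append("ssl-protocols is not restricted to TLSv1.3")
    if str(config.get("hsts", "")).lower() != "true":
        findings.append("hsts is not enabled")
    if str(config.get("hsts-include-subdomains", "")).lower() != "true":
        findings.append("hsts-include-subdomains is not enabled")

    # Both chart-level switches for snippets count; either one lets Ingress authors inject NGINX config.
    snippets_flag = str(controller.get("allowSnippetAnnotations", "")).lower() == "true"
    snippets_block = (controller.get("enableSnippets") or {}).get("enabled") is True
    if snippets_flag or snippets_block:
        findings.append("snippet annotations are enabled: Ingress authors can inject raw NGINX config")
    if controller.get("hostNetwork") is True:
        findings.append("hostNetwork is enabled: controller shares the node network namespace")
    return findings


if __name__ == "__main__":
    merged = merged_values(SAMPLE_FRAGMENTS)
    print(render_helmchartconfig(merged))
    for finding in lint_values(merged):
        print("WARN:", finding)
```

Run it against your own fragments by replacing `SAMPLE_FRAGMENTS` with the concatenated manifests (separated by `---`); the rendered output is the single HelmChartConfig to apply, and the warnings point at values to revisit before doing so.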