Our NGINX fork
Tier: Free, Premium, Ultimate
Offering: Self-managed
Our fork of the NGINX chart was pulled from GitHub.
Adjustments to the NGINX fork
The following adjustments were made to the NGINX fork:
- `tcp-configmap.yaml`: is optional depending on new `tcpExternalConfig` setting
- Ability to use a templated TCP ConfigMap name from another chart
  - `controller-configmap-tcp.yaml`: `.metadata.name` is a template `ingress-nginx.tcp-configmap`
  - `controller-deployment.yaml`: `.spec.template.spec.containers[0].args` uses `ingress-nginx.tcp-configmap` template for ConfigMap name
  - GitLab chart overrides `ingress-nginx.tcp-configmap` so that `gitlab/gitlab-org/charts/gitlab-shell` can configure its TCP service
- Ability to use a templated Ingress name based on the release name
- Replace `controller.service.loadBalancerIP` with `externalIpTpl` (defaults to `global.hosts.externalIP`)
- Added support to add common labels through `common.labels` configuration option
- `controller-deployment.yaml`:
  - Add `podlabels` and `global.pod.labels` to `.spec.template.metadata.labels`
- `default-backend-deployment.yaml`:
  - Add `podlabels` and `global.pod.labels` to `.spec.template.metadata.labels`
- Disable NGINX’s default nodeSelectors.
- Added support for PDB `maxUnavailable`.
- Remove NGINX’s `isControllerTagValid` helper in `charts/nginx-ingress/templates/_helpers.tpl`
  - The check had not been updated since it was implemented in 2020.
  - As part of #3383, we need to refer to a tag that will contain `ubi`, meaning that the `semverCompare` would not work as expected anyway.
- Added support for autoscaling/v2beta2 and autoscaling/v2 APIs in HPAs and extended HPA settings to support memory and custom metrics, as well as behavior configuration.
- Added conditional support for API version of PodDisruptionBudget.
- Add the following booleans to enable/disable GitLab Shell (SSH access) independently for the external and internal (if enabled with `controller.service.internal.enabled`) services:
  - `controller.service.enableShell`.
  - `controller.service.internal.enableShell`.

  (follows the existing chart pattern of `controller.service.enableHttp(s)`)
- Add the template call `{{ include "ingress-nginx.automountServiceAccountToken" . }}` to `controller-serviceaccount.yaml`
- Add the template to `_helpers.tpl`:

  ```
  {{/*
  Set if the default ServiceAccount token should be mounted by Kubernetes or not.

  Default is 'true'
  */}}
  {{- define "ingress-nginx.automountServiceAccountToken" -}}
  automountServiceAccountToken: {{ pluck "automountServiceAccountToken" .Values.serviceAccount .Values.global.serviceAccount | first }}
  {{- end -}}
  ```

- Add the template call `{{ include "ingress-nginx.defaultBackend.automountServiceAccountToken" . }}` to `default-backend-serviceaccount.yaml`
- Add the template to `_helpers.tpl`:

  ```
  {{/*
  Set if the default ServiceAccount token should be mounted by Kubernetes or not.

  Default is 'true'
  */}}
  {{- define "ingress-nginx.defaultBackend.automountServiceAccountToken" -}}
  automountServiceAccountToken: {{ pluck "automountServiceAccountToken" .Values.defaultBackend.serviceAccount .Values.global.serviceAccount | first }}
  {{- end -}}
  ```

- Add the following attributes to comply with Pod Security Standards Profile Restricted:
  - `controller-deployment.yaml`
    - `spec.template.spec.containers[0].securityContext.runAsNonRoot`
    - `spec.template.spec.containers[0].securityContext.seccompProfile`
-
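
As an added example (not code from the GitLab chart or the NGINX fork), the Python check below inspects a rendered Deployment for the two `securityContext` attributes listed above, accepting them at either pod or container level. The function names, the `controller` container name and the sample manifests are constructed for illustration, and no other Restricted-profile control is checked.

```python
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}

def restricted_findings(workload):
    """Check the two Restricted-profile fields named on this page."""
    pod = workload["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext") or {}
    findings = []
    for group in ("initContainers", "containers"):
        for c in pod.get(group) or []:
            sc = c.get("securityContext") or {}
            # A container-level value, when set, overrides the pod-level one.
            non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
            if non_root is not True:
                findings.append(f"{c['name']}: runAsNonRoot is not true")
            seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
            if seccomp.get("type") not in ALLOWED_SECCOMP:
                findings.append(f"{c['name']}: seccompProfile.type is {seccomp.get('type')!r}")
    return findings

def deployment(container_sc=None, pod_sc=None):
    """Build a constructed Deployment-shaped dict for the demo below."""
    container = {"name": "controller"}  # hypothetical container name
    if container_sc is not None:
        container["securityContext"] = container_sc
    spec = {"containers": [container]}
    if pod_sc is not None:
        spec["securityContext"] = pod_sc
    return {"kind": "Deployment", "spec": {"template": {"spec": spec}}}

# Constructed sample manifests, not output rendered from the chart.
GOOD = {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}}
SAMPLES = {
    "container-level": deployment(container_sc=GOOD),
    "pod-level only": deployment(pod_sc=GOOD),
    "unset": deployment(),
    "container overrides pod": deployment(
        container_sc={"runAsNonRoot": False}, pod_sc=GOOD),
}

if __name__ == "__main__":
    for name, manifest in SAMPLES.items():
        print(name, "->", restricted_findings(manifest) or "ok")
```

To run it against real output, convert the rendered manifests to JSON, load each Deployment with `json.load`, and pass it to `restricted_findings`.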