OpenGov · amitgithub12345 · Oct 8, 2024 · Oct 8, 2024
diff --git a/charts/og-public-ingress/Chart.yaml b/charts/og-public-ingress/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: 1.3.0
+description: Prepare a OpenGov cluster for public facing web services/ingress
+name: og-public-ingress
+version: 3.2.0
diff --git a/charts/og-public-ingress/requirements.lock b/charts/og-public-ingress/requirements.lock
@@ -0,0 +1,9 @@
+dependencies:
+- name: nginx-ingress
+ repository: https://charts.helm.sh/stable
+ version: 1.41.3
+- name: ingress-nginx
+ repository: https://kubernetes.github.io/ingress-nginx
+ version: 4.2.0
+digest: sha256:285d292c692364602ce200f0ffc0b7366c10694e3b83c192d7feac239e1ffc41
+generated: "2022-07-22T12:31:03.969491207+05:30"
diff --git a/charts/og-public-ingress/requirements.yaml b/charts/og-public-ingress/requirements.yaml
@@ -0,0 +1,10 @@
+dependencies:
+ - name: nginx-ingress
+ repository: https://charts.helm.sh/stable
+ version: 1.41.3
+ condition: nginx-ingress.enabled
+
+ - name: ingress-nginx
+ repository: https://kubernetes.github.io/ingress-nginx
+ version: 4.2.0
+ condition: ingress-nginx.enabled
diff --git a/charts/og-public-ingress/templates/_helpers.tpl b/charts/og-public-ingress/templates/_helpers.tpl
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "og-public-ingress.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "og-public-ingress.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "og-public-ingress.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/charts/og-public-ingress/values.yaml b/charts/og-public-ingress/values.yaml
@@ -0,0 +1,174 @@
+# Default values for og-public-ingress.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# Nginx
+ingress-nginx:
+ defaultBackend:
+ replicaCount: 2
+ resources:
+ requests:
+ cpu: 100m
+ memory: 64Mi
+ limits:
+ cpu: 100m
+ memory: 64Mi
+
+ rbac:
+ create: true
+
+ controller:
+ # We currently run as the root user for Amazon Linux 2, which is the default.
+ # TODO: Find a better non-privileged user that will work
+ # runAsUser: 0
+
+ replicaCount: 2
+
+ autoscaling:
+ enabled: true
+
+ # Should match the replicaCount
+ minReplicas: 2
+ maxReplicas: 8
+
+ targetCPUUtilizationPercentage: 50
+ targetMemoryUtilizationPercentage: 75
+
+ # publishService is required to make external-dns work happily
+ publishService:
+ enabled: true
+
+ service:
+ # Support for AWS ELB TLS Termination
+ targetPorts:
+ http: http
+ https: http
+
+ annotations:
+ # Needs to be configured before launching
+ # service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: 'kubernetes-cluster=${EKS_CLUSTER_NAME_HERE}'
+ service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "1"
+ service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
+ service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600"
+ service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
+ service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: "ELBSecurityPolicy-TLS-1-2-2017-01"
+
+ # Force TLS redirection; this is required when TLS termination occurs at the ELB
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+
+ # See https://github.com/kubernetes/kubernetes/blob/v1.10.3/pkg/cloudprovider/providers/aws/aws.go#L99
+ # for more supported annotations
+
+ config:
+ # Assumes AWS ELB (L7) in front
+ use-proxy-protocol: "false"
+
+ # This will buffer server side responses which should help free up the backends of the requests much sooner
+ proxy-buffering: "on"
+
+ # The global max body upload size
+ proxy-body-size: 128m
+
+ # Sets server_tokens: off in nginx config which stops the nginx version from being sent in the 'server' header
+ server-tokens: "false"
+
+ # This is because IE does not support a 308 code
+ http-redirect-code: "301"
+
+ # Trust any client to extract true client IP address from X-Forwarded-For header. Required when run behind ELB SSL termination
+ use-forwarded-headers: "true"
+
+ resources:
+ requests:
+ cpu: 500m
+ memory: 2Gi
+ limits:
+ cpu: 500m
+ memory: 2Gi
+
+nginx-ingress:
+ defaultBackend:
+ replicaCount: 2
+ resources:
+ requests:
+ cpu: 100m
+ memory: 64Mi
+ limits:
+ cpu: 100m
+ memory: 64Mi
+
+ rbac:
+ create: true
+
+ controller:
+ # We currently run as the root user for Amazon Linux 2, which is the default.
+ # TODO: Find a better non-privileged user that will work
+ # runAsUser: 0
+
+ replicaCount: 2
+
+ autoscaling:
+ enabled: true
+
+ # Should match the replicaCount
+ minReplicas: 2
+ maxReplicas: 8
+
+ targetCPUUtilizationPercentage: 50
+ targetMemoryUtilizationPercentage: 75
+
+ podAnnotations:
+ sumologic.com/sourceCategory: "og-public-ingress"
+ sumologic.com/sourceName: "nginx-ingress-controller"
+
+ # publishService is required to make external-dns work happily
+ publishService:
+ enabled: true
+
+ service:
+ # Support for AWS ELB TLS Termination
+ targetPorts:
+ http: http
+ https: http
+
+ annotations:
+ # Needs to be configured before launching
+ # service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: 'kubernetes-cluster=${EKS_CLUSTER_NAME_HERE}'
+ service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "1"
+ service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
+ service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600"
+ service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
+ service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: "ELBSecurityPolicy-TLS-1-2-2017-01"
+
+ # Force TLS redirection; this is required when TLS termination occurs at the ELB
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+
+ # See https://github.com/kubernetes/kubernetes/blob/v1.10.3/pkg/cloudprovider/providers/aws/aws.go#L99
+ # for more supported annotations
+
+ config:
+ # Assumes AWS ELB (L7) in front
+ use-proxy-protocol: "false"
+
+ # This will buffer server side responses which should help free up the backends of the requests much sooner
+ proxy-buffering: "on"
+
+ # The global max body upload size
+ proxy-body-size: 128m
+
+ # Sets server_tokens: off in nginx config which stops the nginx version from being sent in the 'server' header
+ server-tokens: "false"
+
+ # This is because IE does not support a 308 code
+ http-redirect-code: "301"
+
+ # Trust any client to extract true client IP address from X-Forwarded-For header. Required when run behind ELB SSL termination
+ use-forwarded-headers: "true"
+
+ resources:
+ requests:
+ cpu: 500m
+ memory: 2Gi
+ limits:
+ cpu: 500m
+ memory: 2Gi