From 3659673e2d3cb1bfd0f9e30b9cabedbde014a0ba Mon Sep 17 00:00:00 2001
From: Devin Buhl
Date: Sat, 4 Jan 2025 17:35:16 -0500
Subject: [PATCH] fix(ingress-nginx): make renovate happy
Signed-off-by: Devin Buhl
---
 .../external/helmrelease.yaml.j2 | 28 +++++++++----------
 .../internal/helmrelease.yaml.j2 | 19 ++++++-------
 2 files changed, 23 insertions(+), 24 deletions(-)
diff --git a/templates/config/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml.j2 b/templates/config/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml.j2
index 4c4efb5dd38..9c725eef9b1 100644
--- a/templates/config/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml.j2
+++ b/templates/config/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml.j2
@@ -30,11 +30,7 @@ spec:
 annotations:
 external-dns.alpha.kubernetes.io/hostname: "external.${SECRET_DOMAIN}"
 lbipam.cilium.io/ips: "#{ cloudflare.tunnel.ingress_vip }#"
- #% if bgp.enabled %#
- externalTrafficPolicy: Local
- #% else %#
- externalTrafficPolicy: Cluster
- #% endif %#
+ externalTrafficPolicy: "#{ 'Local' if bgp.enabled else 'Cluster' }#"
 ingressClassResource:
 name: external
 default: false
@@ -46,24 +42,32 @@ spec:
 operator: In
 values: ["external"]
 config:
+ allow-snippet-annotations: true
+ annotations-risk-level: Critical
 client-body-buffer-size: 100M
 client-body-timeout: 120
 client-header-timeout: 120
 enable-brotli: "true"
+ enable-ocsp: "true"
 enable-real-ip: "true"
+ force-ssl-redirect: "true"
+ hide-headers: Server,X-Powered-By
 hsts-max-age: 31449600
 keep-alive-requests: 10000
 keep-alive: 120
 log-format-escape-json: "true"
 log-format-upstream: >
- {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for",
- "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time,
- "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args",
- "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer",
+ {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr",
+ "x_forwarded_for": "$proxy_add_x_forwarded_for", "request_id": "$req_id",
+ "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time,
+ "status": $status, "vhost": "$host", "request_proto": "$server_protocol",
+ "path": "$uri", "request_query": "$args", "request_length": $request_length,
+ "duration": $request_time,"method": "$request_method", "http_referrer": "$http_referer",
 "http_user_agent": "$http_user_agent"}
 proxy-body-size: 0
 proxy-buffer-size: 16k
 ssl-protocols: TLSv1.3 TLSv1.2
+ use-forwarded-headers: "true"
 metrics:
 enabled: true
 serviceMonitor:
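Review bot: `allow-snippet-annotations: true` together with `annotations-risk-level: Critical` re-enables the annotation tier that recent controller releases disable by default: any principal able to create an Ingress in a namespace this class serves can then inject raw nginx configuration into a controller that reads TLS secrets cluster-wide, so the pair deserves a comment naming which Ingress actually needs snippets (the internal controller gets the same pair in its `@@ -42,11 +38,17 @@` hunk). If the chart version in use still emits `controller.allowSnippetAnnotations` into the ConfigMap, `allow-snippet-annotations` ends up in the rendered `data` twice; setting the chart value instead of the `config` key avoids the duplicate. `use-forwarded-headers: "true"` beside `enable-real-ip: "true"` makes nginx honour client-supplied `X-Forwarded-For`/`X-Forwarded-Proto` from whatever `proxy-real-ip-cidr` permits, and that key is not set in this hunk, so confirm it is narrowed to the tunnel/proxy source ranges elsewhere — otherwise the `$proxy_add_x_forwarded_for` field in the log format and any IP-based allow-lists reflect a caller-chosen address. Style: `allow-snippet-annotations: true` is the only unquoted boolean among siblings written as `"true"` — write `allow-snippet-annotations: "true"` — and the re-wrapped log format dropped the space in `$request_time,"method"`.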
@@ -71,11 +75,7 @@ spec:
 namespaceSelector:
 any: true
 extraArgs:
- #% if cloudflare.acme.production %#
- default-ssl-certificate: "network/${SECRET_DOMAIN/./-}-production-tls"
- #% else %#
- default-ssl-certificate: "network/${SECRET_DOMAIN/./-}-staging-tls"
- #% endif %#
+ default-ssl-certificate: "${SECRET_DOMAIN/./-}-#{ 'production' if cloudflare.acme.production else 'staging' }#-tls"
 resources:
 requests:
 cpu: 100m
diff --git a/templates/config/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml.j2 b/templates/config/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml.j2
index 6a41409c978..714ac0cd0b4 100644
--- a/templates/config/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml.j2
+++ b/templates/config/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml.j2
@@ -26,11 +26,7 @@ spec:
 service:
 annotations:
 lbipam.cilium.io/ips: "#{ cloudflare.ingress_vip }#"
- #% if bgp.enabled %#
- externalTrafficPolicy: Local
- #% else %#
- externalTrafficPolicy: Cluster
- #% endif %#
+ externalTrafficPolicy: "#{ 'Local' if bgp.enabled else 'Cluster' }#"
 ingressClassResource:
 name: internal
 default: true
@@ -42,11 +38,17 @@ spec:
 operator: In
 values: ["internal"]
 config:
+ allow-snippet-annotations: true
+ annotations-risk-level: Critical
+ block-user-agents: "AdsBot-Google,Amazonbot,anthropic-ai,Applebot-Extended,Bytespider,CCBot,ChatGPT-User,ClaudeBot,Claude-Web,cohere-ai,Diffbot,FacebookBot,FriendlyCrawler,Google-Extended,GoogleOther,GPTBot,img2dataset,omgili,omgilibot,peer39_crawler,peer39_crawler/1.0,PerplexityBot,YouBot," # taken from https://github.com/ai-robots-txt/ai.robots.txt
 client-body-buffer-size: 100M
 client-body-timeout: 120
 client-header-timeout: 120
 enable-brotli: "true"
+ enable-ocsp: "true"
 enable-real-ip: "true"
+ force-ssl-redirect: "true"
+ hide-headers: Server,X-Powered-By
 hsts-max-age: 31449600
 keep-alive-requests: 10000
 keep-alive: 120
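Review bot: The new `default-ssl-certificate` value drops the `network/` namespace prefix that both removed lines carried, and the controller's `--default-ssl-certificate` flag takes the form `namespace/secretName`, so unless something outside this hunk re-adds the namespace the controller is likely to reject the flag or never find the secret and fall back to its self-signed certificate. Keep the prefix: `default-ssl-certificate: "network/${SECRET_DOMAIN/./-}-#{ 'production' if cloudflare.acme.production else 'staging' }#-tls"`. The internal controller's hunk `@@ -67,11 +70,7 @@` makes the same change and needs the same fix. The `extraArgs` mapping continues outside the hunk.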
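Review bot: `block-user-agents` is, as far as I recall, rendered by the controller into an nginx `map` on `$http_user_agent`, where a plain entry is an exact match against the entire header value; bare tokens such as `GPTBot` or `ClaudeBot` therefore never match a real crawler UA that embeds the token inside a longer `Mozilla/5.0 (...)` string, and the block is largely a no-op. If substring matching is intended, each entry needs the regex form (`~*GPTBot`), and an entry containing `/` such as `peer39_crawler/1.0` should be checked against map syntax once rendered. The trailing comma after `YouBot,` also yields an empty list element; confirm the controller tolerates it or drop the comma. Note the list is only added to the internal controller, so the internet-facing external class in hunk `@@ -46,24 +42,32 @@` gets no such block — verify that is intentional.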
@@ -60,6 +62,7 @@ spec:
 proxy-body-size: 0
 proxy-buffer-size: 16k
 ssl-protocols: TLSv1.3 TLSv1.2
+ use-forwarded-headers: "true"
 metrics:
 enabled: true
 serviceMonitor:
@@ -67,11 +70,7 @@ spec:
 namespaceSelector:
 any: true
 extraArgs:
- #% if cloudflare.acme.production %#
- default-ssl-certificate: "network/${SECRET_DOMAIN/./-}-production-tls"
- #% else %#
- default-ssl-certificate: "network/${SECRET_DOMAIN/./-}-staging-tls"
- #% endif %#
+ default-ssl-certificate: "${SECRET_DOMAIN/./-}-#{ 'production' if cloudflare.acme.production else 'staging' }#-tls"
 resources:
 requests:
 cpu: 100m