From 65808726e58e628c77afe5397178f8cbd0c5ae91 Mon Sep 17 00:00:00 2001
From: songtianlun
Date: Mon, 21 Apr 2025 15:46:05 +0800
Subject: [PATCH] feat: update nginx ingress settings
- Enable hostPort for controller
- Disable external controller service
- Add new configuration options for Nginx controller with allow-snippet-annotations and real-ip handling settings
These changes improve the networking configuration of the Nginx Ingress controller, enabling better handling of forwarded IP addresses and ensuring the correct annotations are applied. It also modifies service accessibility to better fit internal deployments.
---
 nginx-ingress/vaules.yaml | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/nginx-ingress/vaules.yaml b/nginx-ingress/vaules.yaml
index 9a32292..66d4d25 100644
--- a/nginx-ingress/vaules.yaml
+++ b/nginx-ingress/vaules.yaml
@@ -53,7 +53,14 @@ controller:
 https: 443
 # -- Global configuration passed to the ConfigMap consumed by the controller. Values may contain Helm templates.
 # Ref.: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/
- config: {}
+ config: # {}
+ allow-snippet-annotations: "true"
+ annotations-risk-level: "Critical"
+ use-forwarded-headers: "true"
+ compute-full-forwarded-for: "true" # 附加模式,让 Nginx 信任并追加
+ #!!! 关键:替换为实际的 K3s 节点、Pod 和 Service CIDR!!!
+ proxy-real-ip-cidr: "10.42.0.0/16,10.43.0.0/16,100.64.0.0/10"
+ real-ip-header: "X-Forwarded-For"
 # -- Annotations to be added to the controller config configuration configmap.
 configAnnotations: {}
 # -- Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers
@@ -107,7 +114,7 @@ controller:
 ## Disabled by default
 hostPort:
 # -- Enable 'hostPort' or not
- enabled: false
+ enabled: true
 ports:
 # -- 'hostPort' http port
 http: 80
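Review bot: The added `allow-snippet-annotations: "true"` together with `annotations-risk-level: "Critical"` in the `config` block lets anyone who can create or edit an Ingress put raw NGINX directives into the controller's configuration, and the controller typically runs with a service account that can read Secrets across namespaces. Nothing in the commit shows a consumer that needs snippets, so I would set `allow-snippet-annotations: "false"` and drop the `annotations-risk-level` line; if snippets are required, keep the risk level as low as the needed annotations allow and limit Ingress write access through RBAC or an admission policy. The comment above `proxy-real-ip-cidr` still marks the CIDR list as a value to be replaced, and `100.64.0.0/10` makes every address in that shared range a trusted forwarder, so the list should be narrowed to the real proxy addresses before this is deployed.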
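Review bot: With `hostPort.enabled: true` the controller binds ports 80/443 on each node it runs on, so clients may reach NGINX with no proxy in between, while the first hunk of this commit sets `use-forwarded-headers: "true"`. In that topology client-supplied `X-Forwarded-*` headers are accepted and passed on, which lets a caller influence the scheme, host and forwarded-for chain that backends log or base decisions on. If no trusted L7 proxy sits in front of the nodes, use `use-forwarded-headers: "false"`; if one does, restrict node ports 80/443 to that proxy at the firewall and record this in a comment above `hostPort`. The `hostPort` mapping continues outside the hunk.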
@@ -490,7 +497,7 @@ controller:
 configMapKey: ""
 service:
 # -- Enable controller services or not. This does not influence the creation of either the admission webhook or the metrics service.
- enabled: true
+ enabled: false
 external:
 # -- Enable the external controller service or not. Useful for internal-only deployments.
 enabled: true
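Review bot: The changed line sets `service.enabled: false`, which by its own comment turns off the controller services as a whole, whereas the commit message speaks of disabling only the external service; `external.enabled: true` just below is left in place and presumably no longer has any effect. If the intent is that traffic enters only through the hostPort binding, a comment above the toggle such as `# No controller Service is created; traffic arrives via hostPort 80/443 on the node` would make that explicit for the next operator. If only the external Service was meant to go, the line to change is `external.enabled`. The `service` mapping continues outside the hunk.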