feat: update nginx ingress settings

- Enable hostPort for controller
- Disable external controller service
- Add new configuration options for Nginx controller with
  allow-snippet-annotations and real-ip handling settings

These changes improve the networking configuration of the Nginx
Ingress controller, enabling better handling of forwarded IP
addresses and ensuring the correct annotations are applied.
It also modifies service accessibility to better fit internal
deployments.
songtianlun 2025-04-21 15:46:05 +08:00
parent 27150fa91c
commit 65808726e5


@ -53,7 +53,14 @@ controller:
https: 443
# -- Global configuration passed to the ConfigMap consumed by the controller. Values may contain Helm templates.
# Ref.: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/
config: {}
config: # {}
allow-snippet-annotations: "true"
annotations-risk-level: "Critical"
use-forwarded-headers: "true"
compute-full-forwarded-for: "true" # 附加模式,让 Nginx 信任并追加
#!!! 关键:替换为实际的 K3s 节点、Pod 和 Service CIDR!!!
proxy-real-ip-cidr: "10.42.0.0/16,10.43.0.0/16,100.64.0.0/10"
real-ip-header: "X-Forwarded-For"
# -- Annotations to be added to the controller config configuration configmap.
configAnnotations: {}
# -- Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers
@ -107,7 +114,7 @@ controller:
## Disabled by default
hostPort:
# -- Enable 'hostPort' or not
enabled: false
enabled: true
ports:
# -- 'hostPort' http port
http: 80
@ -490,7 +497,7 @@ controller:
configMapKey: ""
service:
# -- Enable controller services or not. This does not influence the creation of either the admission webhook or the metrics service.
enabled: true
enabled: false
external:
# -- Enable the external controller service or not. Useful for internal-only deployments.
enabled: true
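Review bot: In the first hunk, `allow-snippet-annotations: "true"` combined with `annotations-risk-level: "Critical"` lets anyone who can create or edit an Ingress object put raw NGINX configuration into the controller, which in a shared cluster extends to whatever secrets the controller itself can read. Unless a specific Ingress needs snippets, I would keep `allow-snippet-annotations: "false"` and drop the `annotations-risk-level` override. If snippets are required, add a comment naming the Ingress that depends on them and restrict who may set snippet annotations through RBAC or an admission policy. In the same hunk, `proxy-real-ip-cidr` trusts `X-Forwarded-For` from what appear to be the whole K3s pod and service ranges plus `100.64.0.0/10`, so any workload in those ranges can present an arbitrary client address to IP allowlists and access logs. With `hostPort` enabled in the second hunk and no fronting proxy visible in this change, it is worth narrowing the list to the real upstream proxy address, or leaving `use-forwarded-headers` off if there is none.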