Merge branch 'user-overridable-ingress-annotations' into 'master'

apiVersion: v1

description: GitLab's Auto-deploy Helm Chart

name: auto-deploy-app

version: 2.26.0

version: 2.27.0

icon: https://gitlab.com/gitlab-com/gitlab-artwork/raw/master/logo/logo-square.png

| service.extraPorts.protocol | Protocol of the service port definition | `nil` |

| service.extraPorts.name | Name of the service port definition | `nil` |

| ingress.enabled               | If true, enables ingress | `true`                |

| ingress.className             | The name of the ingress class to use | `nginx`                |

| ingress.className             | The name of the ingress class to use. When present, sets `ingressClassName` and `kubernetes.io/ingress.class` as appropriate. | `nil`                |

| ingress.path                  | Default path for the ingress | `/` |

| ingress.tls.enabled           | If true, enables SSL | `true`                    |

| ingress.tls.acme              | Controls `kubernetes.io/tls-acme` annotation | `true` |

| ingress.modSecurity.enabled | Enable custom configuration for modsecurity, defaulting to [the Core Rule Set](https://coreruleset.org) | `false` |

| ingress.modSecurity.secRuleEngine | Configuration for [ModSecurity's rule engine](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#SecRuleEngine) | `DetectionOnly` |

| ingress.modSecurity.secRules | Configuration for custom [ModSecurity's rules](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secrule) | `nil` |

| ingress.annotations           | Ingress annotations | `{kubernetes.io/ingress.class: "nginx"}` |

| ingress.annotations           | Ingress annotations | See [`_ingress-annotations.yaml`](./templates/_ingress-annotations.yaml) |

| livenessProbe.path            | Path to access on the HTTP server on periodic probe of container liveness. | `/`                                |

| livenessProbe.scheme          | Scheme to access the HTTP server (HTTP or HTTPS). | `HTTP`                                |

| livenessProbe.initialDelaySeconds | # of seconds after the container has started before liveness probes are initiated. | `15`                               |

{{ toYaml $.Values.extraLabels }}

{{- end }}

{{- end -}}

{{- define "ingress.annotations" -}}

{{- $defaults := include (print $.Template.BasePath "/_ingress-annotations.yaml") . | fromYaml -}}

{{- $custom := .Values.ingress.annotations | default dict -}}

{{- $merged := deepCopy $custom | mergeOverwrite $defaults -}}

{{- $merged | toYaml -}}

{{- end -}}

{{/* We set the annotation value regardless of API versions, because the user may have an old controller that still works */}}

kubernetes.io/ingress.class: {{ .Values.ingress.className | default "nginx" | quote }}

{{- if .Values.ingress.tls.enabled }}

kubernetes.io/tls-acme: {{ .Values.ingress.tls.acme | quote }}

{{- end }}

{{- if eq .Values.application.track "canary" }}

nginx.ingress.kubernetes.io/canary: "true"

nginx.ingress.kubernetes.io/canary-by-header: "canary"

{{-   if .Values.ingress.canary.weight }}

nginx.ingress.kubernetes.io/canary-weight: {{ .Values.ingress.canary.weight | quote }}

{{-   end }}

{{- end }}

{{- with .Values.ingress.modSecurity }}

{{-   if .enabled }}

nginx.ingress.kubernetes.io/modsecurity-transaction-id: "$server_name-$request_id"

nginx.ingress.kubernetes.io/modsecurity-snippet: |

  SecRuleEngine {{ .secRuleEngine | default "DetectionOnly" | title }}

{{-     range $rule := .secRules }}

{{        (include "secrule" $rule) | indent 2 }}

{{-     end }}

{{-   end }}

{{- end }}

{{- if .Values.prometheus.metrics }}

nginx.ingress.kubernetes.io/server-snippet: |-

  location /metrics {

      deny all;

  }

{{- end }}

  labels:

{{ include "sharedlabels" . | indent 4 }}

  annotations:

{{- if not (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }}

    kubernetes.io/ingress.class: {{ .Values.ingress.className | quote }}

{{- end }}

{{- if .Values.ingress.annotations }}

{{ toYaml .Values.ingress.annotations | indent 4 }}

{{- end }}

{{- if .Values.ingress.tls.enabled }}

    kubernetes.io/tls-acme: {{ .Values.ingress.tls.acme | quote }}

{{- end }}

{{- if eq .Values.application.track "canary" }}

    nginx.ingress.kubernetes.io/canary: "true"

    nginx.ingress.kubernetes.io/canary-by-header: "canary"

{{- if .Values.ingress.canary.weight }}

    nginx.ingress.kubernetes.io/canary-weight: {{ .Values.ingress.canary.weight | quote }}

{{- end }}

{{- end }}

{{- with .Values.ingress.modSecurity }}

{{- if .enabled }}

    nginx.ingress.kubernetes.io/modsecurity-transaction-id: "$server_name-$request_id"

    nginx.ingress.kubernetes.io/modsecurity-snippet: |

      SecRuleEngine {{ .secRuleEngine | default "DetectionOnly" | title }}

{{- range $rule := .secRules }}

{{ (include "secrule" $rule) | indent 6 }}

{{- end }}

{{- end }}

{{- end }}

{{- if .Values.prometheus.metrics }}

    nginx.ingress.kubernetes.io/server-snippet: |-

      location /metrics {

          deny all;

      }

{{- end }}

{{ include "ingress.annotations" . | indent 4 }}

spec:

{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}

{{/* We don't set a default value because old ingress controllers may not provide an IngressClass, causing deployments to fail */}}

{{- if and .Values.ingress.className (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }}

  ingressClassName: {{ .Values.ingress.className | quote }}

{{- end }}

{{- if .Values.ingress.tls.enabled }}