Helm chart: ingress annotations hard-coded to nginx

Summary

When using an external ingress controller (not deployed by the chart), it is possible to overwrite the ingress class with:

    global:
      ingress:
        class: haproxy

However, the resulting ingresses still get many nginx-specific annotations:

    kubernetes.io/ingress.class: "haproxy"
    kubernetes.io/ingress.provider: nginx
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "900"
    nginx.ingress.kubernetes.io/proxy-request-buffering: "off"
    nginx.ingress.kubernetes.io/proxy-buffering: "off"

This isn't fatal, as overwriting the class allows the ingress to work, but it leaves a few unwanted annotations in the ingress, which isn't clean.

Steps to reproduce

    helm repo add gitlab https://charts.gitlab.io/
    helm pull gitlab/gitlab
    tar xzf *.tgz
    cat <<EOF > values.yaml
    nginx-ingress:
      enabled: false
    certmanager-issuer:
      email: test
    global:
      ingress:
        class: haproxy
    certmanager:
      install: false
    EOF
    helm template gitlab gitlab -f values.yaml > chart.yaml

Search the output for nginx; example below:

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: gitlab-webservice-default
      namespace: default
      labels:
        app: webservice
        chart: webservice-4.8.3
        release: gitlab
        heritage: Helm
        gitlab.com/webservice-name: default
      annotations:
        kubernetes.io/ingress.class: "haproxy"
        kubernetes.io/ingress.provider: nginx
        nginx.ingress.kubernetes.io/proxy-body-size: "512m"
        nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
        nginx.ingress.kubernetes.io/proxy-connect-timeout: "15"
        certmanager.k8s.io/issuer: "gitlab-issuer"
        nginx.ingress.kubernetes.io/service-upstream: "true"

Looking at the code, this is because there are hard-coded elements in gitlab/charts/webservice/templates/ingress.yaml:

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: {{ template "webservice.fullname.withSuffix" . }}
      namespace: {{ $.Release.Namespace }}
      labels:
        {{- include "gitlab.standardLabels" $ | nindent 4 }}
        {{- include "webservice.labels" . | nindent 4 }}
      annotations:
        kubernetes.io/ingress.class: "{{ template "gitlab.ingressclass" $ }}"
        kubernetes.io/ingress.provider: nginx
        nginx.ingress.kubernetes.io/proxy-body-size: {{ .ingress.proxyBodySize | quote }}
        nginx.ingress.kubernetes.io/proxy-read-timeout: {{ .ingress.proxyReadTimeout | quote }}
        nginx.ingress.kubernetes.io/proxy-connect-timeout: {{ .ingress.proxyConnectTimeout | quote }}

What is the current bug behavior?

As above, most ingress annotations are nginx-specific.

What is the expected correct behavior?

  • Allow the kubernetes.io/ingress.provider annotation to be overwritten in globals, similarly to the class
  • Hide the nginx.ingress.kubernetes.io* annotations if the class/provider is not nginx
  • Do not generate the gitlab/charts/gitlab/charts/gitlab-shell/templates/nginx-tcp-configmap.yml configmap if the class/provider is not nginx.

Possible fixes

Affected files:

  • gitlab/charts/gitlab/charts/webservice/templates/ingress.yaml
  • gitlab/charts/minio/templates/ingress.yaml
  • gitlab/charts/registry/templates/ingress.yaml
  • gitlab/charts/gitlab/charts/gitlab-shell/templates/nginx-tcp-configmap.yml
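
The "search the output for nginx" step from the reproduction, as an added script (not part of the original report or the chart): it reads `helm template` output and reports nginx-only annotations on Ingress objects whose class is not nginx. The function names, the sample manifest and the rule that a class name containing "nginx" counts as nginx are assumptions made for this example.

```shell
# Added example, not chart code. Prints "name<TAB>class<TAB>annotation" for each
# nginx-only annotation on an Ingress whose class is not an nginx one.
# Assumption: a class name containing "nginx" is served by an nginx controller.
stray_nginx_annotations() {
  awk '
    function flush(   i) {
      if (kind == "Ingress" && class !~ /nginx/)
        for (i = 1; i <= n; i++) print name "\t" class "\t" hit[i]
      kind = ""; name = ""; class = ""; n = 0; in_meta = 0
    }
    /^---/       { flush(); next }      # document separator
    /^kind:/     { kind = $2 }
    /^metadata:/ { in_meta = 1; next }
    /^[^ ]/      { in_meta = 0 }        # any other top-level line ends metadata
    in_meta && /^  name:/ && name == "" { name = $2 }
    /^ +kubernetes\.io\/ingress\.class:/ { class = $2; gsub(/"/, "", class) }
    /^ +kubernetes\.io\/ingress\.provider: *"?nginx"?/ { hit[++n] = "kubernetes.io/ingress.provider" }
    /^ +nginx\.ingress\.kubernetes\.io\// { key = $1; sub(/:$/, "", key); hit[++n] = key }
    END { flush() }
  ' "$@"
}

# Constructed sample: the first document is abridged from the rendered output on
# this page; the other two are made up to show what is not reported.
sample_manifest() {
  cat <<'EOF'
---
kind: Ingress
metadata:
  name: gitlab-webservice-default
  annotations:
    kubernetes.io/ingress.class: "haproxy"
    kubernetes.io/ingress.provider: nginx
    nginx.ingress.kubernetes.io/proxy-body-size: "512m"
    certmanager.k8s.io/issuer: "gitlab-issuer"
---
kind: Ingress
metadata:
  name: constructed-nginx-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
---
kind: ConfigMap
metadata:
  name: constructed-configmap
EOF
}
sample_manifest | stray_nginx_annotations
```

Against a real render, pass the file from the reproduction steps instead of the sample: `stray_nginx_annotations chart.yaml`.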