Update default backend to add TLS >=1.2 support

charts/ingress-nginx/README.md

@@ -435,20 +435,37 @@ Kubernetes: `>=1.20.0-0`
 | defaultBackend.autoscaling.targetCPUUtilizationPercentage | int | `50` |  |
 | defaultBackend.autoscaling.targetMemoryUtilizationPercentage | int | `50` |  |
 | defaultBackend.containerSecurityContext | object | `{}` | Security Context policies for controller main container. See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls # |
+| defaultBackend.defaultBackendMessage | string | `"Default Backend - 404"` |  |
 | defaultBackend.enabled | bool | `false` |  |
 | defaultBackend.existingPsp | string | `""` | Use an existing PSP instead of creating one |
 | defaultBackend.extraArgs | object | `{}` |  |
 | defaultBackend.extraEnvs | list | `[]` | Additional environment variables to set for defaultBackend pods |
-| defaultBackend.extraVolumeMounts | list | `[]` |  |
-| defaultBackend.extraVolumes | list | `[]` |  |
+| defaultBackend.extraVolumeMounts[0].mountPath | string | `"/usr/share/nginx/html/index.html"` |  |
+| defaultBackend.extraVolumeMounts[0].name | string | `"config"` |  |
+| defaultBackend.extraVolumeMounts[0].readOnly | bool | `true` |  |
+| defaultBackend.extraVolumeMounts[0].subPath | string | `"index.html"` |  |
+| defaultBackend.extraVolumeMounts[1].mountPath | string | `"/var/cache/nginx/"` |  |
+| defaultBackend.extraVolumeMounts[1].name | string | `"nginx-empty"` |  |
+| defaultBackend.extraVolumeMounts[2].mountPath | string | `"/var/run/"` |  |
+| defaultBackend.extraVolumeMounts[2].name | string | `"nginx-run"` |  |
+| defaultBackend.extraVolumeMounts[3].mountPath | string | `"/etc/nginx/conf.d/default.conf"` |  |
+| defaultBackend.extraVolumeMounts[3].name | string | `"nginx-conf"` |  |
+| defaultBackend.extraVolumeMounts[3].subPath | string | `"default.conf"` |  |
+| defaultBackend.extraVolumes[0].configMap.name | string | `"default-backend-message-configmap"` |  |
+| defaultBackend.extraVolumes[0].name | string | `"config"` |  |
+| defaultBackend.extraVolumes[1].emptyDir | object | `{}` |  |
+| defaultBackend.extraVolumes[1].name | string | `"nginx-empty"` |  |
+| defaultBackend.extraVolumes[2].emptyDir | object | `{}` |  |
+| defaultBackend.extraVolumes[2].name | string | `"nginx-run"` |  |
+| defaultBackend.extraVolumes[3].configMap.name | string | `"default-backend-nginx-conf-configmap"` |  |
+| defaultBackend.extraVolumes[3].name | string | `"nginx-conf"` |  |
 | defaultBackend.image.allowPrivilegeEscalation | bool | `false` |  |
-| defaultBackend.image.image | string | `"defaultbackend-amd64"` |  |
 | defaultBackend.image.pullPolicy | string | `"IfNotPresent"` |  |
 | defaultBackend.image.readOnlyRootFilesystem | bool | `true` |  |
-| defaultBackend.image.registry | string | `"registry.k8s.io"` |  |
+| defaultBackend.image.repository | string | `"nginx"` |  |
 | defaultBackend.image.runAsNonRoot | bool | `true` |  |
 | defaultBackend.image.runAsUser | int | `65534` |  |
-| defaultBackend.image.tag | string | `"1.5"` |  |
+| defaultBackend.image.tag | string | `"1.19.10-alpine"` |  |
 | defaultBackend.labels | object | `{}` | Labels to be added to the default backend resources |
 | defaultBackend.livenessProbe.failureThreshold | int | `3` |  |
 | defaultBackend.livenessProbe.initialDelaySeconds | int | `30` |  |

charts/ingress-nginx/templates/default-backend-configmap-nginxconf.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+data:
+  default.conf: |
+    server {
+        listen       {{ .Values.defaultBackend.port }};
+        listen  [::]:{{ .Values.defaultBackend.port }};
+        server_name  localhost;
+        location / {
+            root   /usr/share/nginx/html;
+            index  index.html index.htm;
+        }
+        error_page   500 502 503 504  /50x.html;
+        location = /50x.html {
+            root   /usr/share/nginx/html;
+        }
+    }
+kind: ConfigMap
+metadata:
+  name: default-backend-nginx-conf-configmap

charts/ingress-nginx/templates/default-backend-configmap.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+  index.html: |
+    <h1>{{ .Values.defaultBackend.defaultBackendMessage }}</h1>
+kind: ConfigMap
+metadata:
+  labels:
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+  name: default-backend-message-configmap
+  namespace: {{ .Release.Namespace }}

charts/ingress-nginx/templates/default-backend-deployment.yaml

@@ -73,7 +73,7 @@ spec:
         {{- end }}
           livenessProbe:
             httpGet:
-              path: /healthz
+              path: /
               port: {{ .Values.defaultBackend.port }}
               scheme: HTTP
             initialDelaySeconds: {{ .Values.defaultBackend.livenessProbe.initialDelaySeconds }}
@@ -83,7 +83,7 @@ spec:
             failureThreshold: {{ .Values.defaultBackend.livenessProbe.failureThreshold }}
           readinessProbe:
             httpGet:
-              path: /healthz
+              path: /
               port: {{ .Values.defaultBackend.port }}
               scheme: HTTP
             initialDelaySeconds: {{ .Values.defaultBackend.readinessProbe.initialDelaySeconds }}

charts/ingress-nginx/templates/default-backend-service.yaml

@@ -31,7 +31,7 @@ spec:
     - name: http
       port: {{ .Values.defaultBackend.service.servicePort }}
       protocol: TCP
-      targetPort: http
+      targetPort: {{ .Values.defaultBackend.port }}
     {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }}
       appProtocol: http
     {{- end }}

charts/ingress-nginx/values.yaml

@@ -772,19 +772,21 @@ defaultBackend:
 
   name: defaultbackend
   image:
-    registry: registry.k8s.io
-    image: defaultbackend-amd64
+    repository: nginx
+    tag: 1.19.10-alpine
     ## for backwards compatibility consider setting the full image url via the repository value below
     ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
     ## repository:
-    tag: "1.5"
     pullPolicy: IfNotPresent
     # nobody user -> uid 65534
     runAsUser: 65534
     runAsNonRoot: true
     readOnlyRootFilesystem: true
     allowPrivilegeEscalation: false
 
+  # Default Backend Message to show
+  defaultBackendMessage: "Default Backend - 404"
+
   # -- Use an existing PSP instead of creating one
   existingPsp: ""
 
@@ -797,6 +799,7 @@ defaultBackend:
   # -- Additional environment variables to set for defaultBackend pods
   extraEnvs: []
 
+  # Port to Open in the Default Backend Container > 1000 (NON ROOT PORT)
   port: 8080
 
   ## Readiness and liveness probes for default backend
@@ -814,7 +817,6 @@ defaultBackend:
     periodSeconds: 5
     successThreshold: 1
     timeoutSeconds: 5
-
   # -- Node tolerations for server scheduling to nodes with taints
   ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
   ##
@@ -864,12 +866,35 @@ defaultBackend:
   #   cpu: 10m
   #   memory: 20Mi
 
-  extraVolumeMounts: []
+  extraVolumeMounts:
+    - name: config
+      mountPath: "/usr/share/nginx/html/index.html"
+      subPath: index.html
+      readOnly: true
+    - mountPath: /var/cache/nginx/
+      name: nginx-empty
+    - mountPath: /var/run/
+      name: nginx-run
+    - name: nginx-conf
+      mountPath: "/etc/nginx/conf.d/default.conf"
+      subPath: default.conf
+
   ## Additional volumeMounts to the default backend container.
   #  - name: copy-portal-skins
   #   mountPath: /var/lib/lemonldap-ng/portal/skins
 
-  extraVolumes: []
+  extraVolumes:
+    - name: config
+      configMap:
+        name: default-backend-message-configmap
+    - name: nginx-empty
+      emptyDir: {}
+    - name: nginx-run
+      emptyDir: {}
+    - name: nginx-conf
+      configMap:
+        name: default-backend-nginx-conf-configmap
+
   ## Additional volumes to the default backend pod.
   #  - name: copy-portal-skins
   #    emptyDir: {}