Updating nginx configruation

Author: LukasCuperDT

kubernetes/helm_charts/upstream/zitadel/Chart.yaml

@@ -5,5 +5,5 @@ type: application
 version: 0.1.0
 dependencies:
   - name: zitadel
-    version: "9.4.0"
+    version: "9.4.1"
     repository: "https://charts.zitadel.com"

kubernetes/helm_charts/upstream/zitadel/values-preprod.yaml

@@ -9,6 +9,7 @@ zitadel:
     # See all defaults here:
     # https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
     configmapConfig:
+      # The configmapConfig should be minimal as the main config comes from the secret
       Machine:
         Identification:
           Hostname:
@@ -19,7 +20,7 @@ zitadel:
     # The ZITADEL config under secretConfig is written to a Kubernetes Secret
     # See all defaults here:
     # https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
-    secretConfig:
+    # secretConfig:
 
     # Annotations set on secretConfig secret
     secretConfigAnnotations:
@@ -138,8 +139,8 @@ zitadel:
 
   imagePullSecrets:
     - name: regcred
-  nameOverride: ""
-  fullnameOverride: ""
+  # nameOverride: ""
+  # fullnameOverride: ""
 
   # Annotations to add to the deployment
   annotations: {}
@@ -211,16 +212,15 @@ zitadel:
     annotations:
       kubernetes.io/ingress.class: "nginx"
       cert-manager.io/cluster-issuer: "letsencrypt-prod"
-      nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
-      nginx.ingress.kubernetes.io/proxy-body-size: "64m"
-      nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
-      nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
-      nginx.ingress.kubernetes.io/ssl-redirect: "true"
-      nginx.ingress.kubernetes.io/enable-cors: "true"
-      nginx.ingress.kubernetes.io/cors-allow-origin: "*"
-      nginx.ingress.kubernetes.io/cors-allow-methods: "GET, PUT, POST, DELETE, PATCH, OPTIONS"
-      nginx.ingress.kubernetes.io/cors-allow-headers: "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"
-      nginx.ingress.kubernetes.io/cors-max-age: "86400"
+      nginx.ingress.kubernetes.io/modsecurity-snippet: |
+          SecRuleRemoveById 949110
+      nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
+      nginx.ingress.kubernetes.io/configuration-snippet: |
+          grpc_set_header Host $host;
+          more_clear_input_headers "Host" "X-Forwarded-Host";
+          proxy_set_header Host $http_host;
+          proxy_set_header X-Forwarded-Host $http_x_forwarded_host;
+      nginx.ingress.kubernetes.io/server-snippet: "grpc_buffer_size 8k;"
     hosts:
       - host: zitadel.eco-preprod.tsi-dev.otc-service.com
         paths:
@@ -277,11 +277,10 @@ zitadel:
     additionalArgs:
       - "--init-projections=true"
       - "--tlsMode=external"
-      - "--force=true"
     machinekeyWriter:
       image:
-        repository: bitnami/kubectl
-        tag: ""
+        repository: alpine/k8s
+        tag: "1.31.4"
       resources: {}
 
   readinessProbe:
@@ -322,17 +321,18 @@ zitadel:
   # extraContainers allows you to add any sidecar containers you wish to use in the Zitadel pod.
   extraContainers: []
 
-  extraVolumes: []
-    # - name: ca-certs
-    #   secret:
-    #     defaultMode: 420
-    #     secretName: ca-certs
-
-  extraVolumeMounts: []
-    # - name: ca-certs
-    #   mountPath: /etc/ssl/certs/myca.pem
-    #   subPath: myca.pem
-    #   readOnly: true
+  extraVolumes:
+    # Add the zitadel-config secret as a volume
+    - name: zitadel-secret-config-yaml
+      secret:
+        defaultMode: 420
+        secretName: zitadel-config
+
+  extraVolumeMounts:
+    # Mount the zitadel-config secret directly at /config/zitadel-config-yaml
+    - name: zitadel-secret-config-yaml
+      mountPath: /config/zitadel-config-yaml
+      readOnly: true
 
   # extraManifests allows you to add your own Kubernetes manifests
   # You can use templating logic like {{ .Release.Namespace }} and {{ .Values.replicaCount }} as long as your manifest is a valid YAML