feat: Replace nginx snippet annotation with custom header annotation (#106)

2026-01-27 10:20:51 +00:00 · 2024-08-29 04:30:42 +02:00
parent eac4a45fce
commit 6c1cf6aee6
4 changed files with 26 additions and 18 deletions
--- a/charts/vaultwarden/Chart.yaml
+++ b/charts/vaultwarden/Chart.yaml
@@ -13,5 +13,5 @@ maintainers:
  - name: guerzon
    email: guerzon@proton.me
    url: https://github.com/guerzon
-version: 0.24.4
+version: 0.25.0
 kubeVersion: ">=1.12.0-0"
--- a/charts/vaultwarden/templates/configmap.yaml
+++ b/charts/vaultwarden/templates/configmap.yaml
@@ -1,5 +1,12 @@
 apiVersion: v1
 kind: ConfigMap
+metadata:
+  name: custom-headers-configmap
+data:
+  Request-Id: $req_id
+---
+apiVersion: v1
+kind: ConfigMap
 metadata:
  name: {{ include "vaultwarden.fullname" . }}
  namespace: {{ .Release.Namespace }}
--- a/charts/vaultwarden/templates/ingress.yaml
+++ b/charts/vaultwarden/templates/ingress.yaml
@@ -26,8 +26,7 @@ metadata:
    {{- toYaml $ingress.additionalAnnotations | nindent 4 }}
    {{- end }}
    {{- if $ingress.nginxIngressAnnotations }}
-    nginx.ingress.kubernetes.io/configuration-snippet: |
-      more_set_headers "Request-Id: $req_id";
+    nginx.ingress.kubernetes.io/custom-headers: {{ $ingress.customHeadersConfigMap }}
    nginx.ingress.kubernetes.io/connection-proxy-header: "keep-alive"
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
--- a/charts/vaultwarden/values.yaml
+++ b/charts/vaultwarden/values.yaml
@@ -101,13 +101,15 @@ serviceAccount:

 ## @param podSecurityContext Pod security options
 ##
-podSecurityContext: {}
+podSecurityContext:
+  {}
  # fsGroup: 1001
  # supplementalGroups:
  #   - 1001

 ## @param securityContext Default security options to run vault as read only container without privilege escalation
-securityContext: {}
+securityContext:
+  {}
  # allowPrivilegeEscalation: false
  # privileged: false
  # readOnlyRootFilesystem: true
@@ -122,7 +124,6 @@ securityContext: {}
 ## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
 dnsConfig: {}

-
 ## @section Reliability configuration
 ##

@@ -194,7 +195,8 @@ startupProbe:

 ## @param resources Resource configurations
 ##
-resources: {}
+resources:
+  {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
@@ -208,7 +210,8 @@ resources: {}

 ## @param strategy Resource configurations
 ##
-strategy: {}
+strategy:
+  {}
  # type: RollingUpdate
  # rollingUpdate:
  #   maxSurge: 1
@@ -224,13 +227,13 @@ podDisruptionBudget:
  ## @param podDisruptionBudget.maxUnavailable Maximum number/percentage of pods that may be made unavailable
  maxUnavailable: null

-
 ## @section Persistent data configuration
 ##

 ## @param data Data directory configuration, refer to values.yaml for parameters.
 ##
-data: {}
+data:
+  {}
  # name: "vaultwarden-data"
  # size: "15Gi"
  # class: ""
@@ -241,7 +244,8 @@ data: {}
 ## @param attachments Attachments directory configuration, refer to values.yaml for parameters.
 ## By default, attachments/ is located inside the data directory.
 ##
-attachments: {}
+attachments:
+  {}
  # name: "vaultwarden-files"
  # size: "100Gi"
  # class: ""
@@ -296,7 +300,6 @@ database:
 ## Supported since 1.29.0.
 ## Refer to https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification for details
 ##
-
 pushNotifications:
  ## @param pushNotifications.enabled Enable the push notification service
  ##
@@ -451,7 +454,6 @@ emailChangeAllowed: "true"
 ##
 showPassHint: "false"

-
 ## @section Advanced settings
 ##

@@ -529,14 +531,12 @@ adminRateLimitMaxBurst: "3"
 ##
 timeZone: ""

-
 ## @section BETA Features
 ##

 ## @param orgGroupsEnabled Controls whether group support is enabled for organizations
 orgGroupsEnabled: "false"

-
 ## @section MFA/2FA settings
 ##

@@ -564,7 +564,6 @@ duo:
  ##
  hostname: ""

-
 ## @section SMTP Configuration
 ##
 smtp:
@@ -628,7 +627,6 @@ smtp:
  ##
  debug: false

-
 ## @section Exposure settings
 ##

@@ -667,7 +665,7 @@ ingress:
  #
  class: "nginx"
  ## @param ingress.nginxIngressAnnotations Add nginx specific ingress annotations
-  ## This annotations are only makes sense for the kubernetes nginx ingress controller (https://kubernetes.github.io/ingress-nginx/)
+  ## These annotations only make sense for the kubernetes nginx ingress controller (https://kubernetes.github.io/ingress-nginx/)
  ##
  nginxIngressAnnotations: true
  ## @param ingress.additionalAnnotations Additional annotations for the ingress resource.
@@ -698,6 +696,10 @@ ingress:
  ## @param ingress.nginxAllowList Comma-separated list of IP addresses and subnets to allow.
  ##
  nginxAllowList: ""
+  ## @param ingress.customHeadersConfigMap ConfigMap containing custom headers to be added to the ingress.
+  ## Defaults to "custom-headers-configmap", which sets a Request-ID header.
+  ##
+  customHeadersConfigMap: "custom-headers-configmap"
  ## TODO:
  ##   - Add support for using cert-manager.
  ##   - Support for multiple TLS hostnames.