controller:
  kind: DaemonSet

  hostNetwork: true
  hostPort:
    enabled: false
    ports:
      http: 80
      https: 443

  dnsPolicy: ClusterFirstWithHostNet

  updateStrategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate

  publishService:
    enabled: false

  config:
    worker-processes: "auto"
    worker-cpu-affinity: "auto"
    error-log-level: "error"

    server-tokens: "false"
    http-redirect-code: "301"

    use-gzip: "true"
    use-geoip: "false"
    use-geoip2: "false"

    use-forwarded-headers: "true"
    # curl https://www.cloudflare.com/ips-v4 2>/dev/null | tr '\n' ','
    proxy-real-ip-cidr: "173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,172.64.0.0/13,131.0.72.0/22,104.16.0.0/13,104.24.0.0/14,172.16.0.0/12"

    enable-access-log-for-default-backend: "true"
    log-format-escape-json: "true"
    log-format-upstream: '{"ip":"$remote_addr", "ssl":"$ssl_protocol", "method":"$request_method", "proto":"$scheme", "host":"$host", "uri":"$request_uri", "status":$status, "size":$bytes_sent, "agent":"$http_user_agent", "referer":"$http_referer", "namespace":"$namespace"}'

    upstream-keepalive-connections: "32"
    proxy-connect-timeout: "10"
    proxy-read-timeout: "60"
    proxy-send-timeout: "60"

    ssl-protocols: "TLSv1.3"
    hsts: "true"
    hsts-max-age: "31536000"
    hsts-include-subdomains: "true"
    hsts-preload: "true"
    proxy-hide-headers: "strict-transport-security"
    proxy-headers-hash-bucket-size: "128"

    server-name-hash-bucket-size: "64"
    server-name-hash-max-size: "512"

    limit-req-status-code: "429"

    client-header-timeout: "30"
    client-body-timeout: "30"

  minReadySeconds: 15

  podAnnotations:
    prometheus.io/scrape: "true"
    prometheus.io/port: "10254"

  extraEnvs:
    - name: NODE_NAME
      valueFrom:
        fieldRef:
          fieldPath: metadata.name

  livenessProbe:
    initialDelaySeconds: 15
    periodSeconds: 30
  readinessProbe:
    periodSeconds: 30

  resources:
    limits:
      cpu: 1
      memory: 1Gi
    requests:
      cpu: 100m
      memory: 128Mi

  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
          - matchExpressions:
              - key: project.io/node-pool
                operator: In
                values:
                  - web

  service:
    enabled: true
    type: ClusterIP
    clusterIP: None
    ipFamilyPolicy: "RequireDualStack"
    ipFamilies:
      - IPv4
      - IPv6

  admissionWebhooks:
    enabled: false
  metrics:
    enabled: false

revisionHistoryLimit: 2

defaultBackend:
  enabled: false