feat(helm): add more control on default nginx proxy option timeout (#54)

ixxeL2097 · Frederic Spiers · web-flow · commit c3a8f35f125e · 2025-09-22T14:55:23.000+02:00
Co-authored-by: Frederic Spiers &lt;frederic.spiers@gitguardian.com&gt;
diff --git a/helm/ggbridge/README.md b/helm/ggbridge/README.md
@@ -75,6 +75,13 @@ A Helm chart for installing ggbridge
 | podSecurityContext.enabled | bool | `true` | Enable Pod security Context in deployments |
 | proxy.affinity | object | `{}` | Affinity for pod assignment |
 | proxy.annotations | object | `{}` | Set proxy annotations |
+| proxy.config | object | `{"server":{"proxyConnectTimeout":"10s","proxyTimeout":"600s"},"upstream":{"failTimeout":"10s","maxFails":1}}` | Nginx configuration |
+| proxy.config.server | object | `{"proxyConnectTimeout":"10s","proxyTimeout":"600s"}` | Nginx server configuration |
+| proxy.config.server.proxyConnectTimeout | string | `"10s"` | Nginx proxy timeout for TCP handshake |
+| proxy.config.server.proxyTimeout | string | `"600s"` | Nginx proxy timeout for data exchange |
+| proxy.config.upstream | object | `{"failTimeout":"10s","maxFails":1}` | Nginx upstream configuration |
+| proxy.config.upstream.failTimeout | string | `"10s"` | Time during which the specified number of unsuccessful attempts must happen to mark the server as unavailable |
+| proxy.config.upstream.maxFails | int | `1` | Maximum number of unsuccessful attempts to communicate with the server |
 | proxy.labels | object | `{}` | Set proxy labels |
 | proxy.logLevel | string | `"notice"` | Set nginx sidecar container and proxy pod log level (default: notice) |
 | proxy.networkPolicy.allowExternal | bool | `true` | When true, server will accept connections from any source |
@@ -178,9 +185,6 @@ A Helm chart for installing ggbridge
 | proxy.updateStrategy.rollingUpdate.maxSurge | int | `1` |  |
 | proxy.updateStrategy.rollingUpdate.maxUnavailable | int | `0` |  |
 | proxy.updateStrategy.type | string | `"RollingUpdate"` | Customize updateStrategy |
-| proxy.upstream | object | `{"failTimeout":"5s","maxFails":1}` | Nginx upstream configuration |
-| proxy.upstream.failTimeout | string | `"5s"` | Time during which the specified number of unsuccessful attempts must happen to mark the server as unavailable |
-| proxy.upstream.maxFails | int | `1` | Maximum number of unsuccessful attempts to communicate with the server |
 | proxyProtocol.enabled | bool | `true` | When true, enables proxy protocol v2 for web/tls tunnels |
 | replicaCount | int | `1` | Number of pods for each deployment |
 | resources.limits | object | `{}` | Set container limits |
diff --git a/helm/ggbridge/files/proxy/nginx.conf b/helm/ggbridge/files/proxy/nginx.conf
@@ -6,8 +6,10 @@
 {{- $fullname := ternary (include "ggbridge.server.fullname" $context) (include "ggbridge.client.fullname" $context) (eq $context.Values.mode "server") -}}
 {{- $ports := $context.Values.proxy.service.ports -}}
 {{- $logLevel := $context.Values.proxy.logLevel -}}
-{{- $maxFails := $context.Values.proxy.upstream.maxFails | default 1 -}}
-{{- $failTimeout := $context.Values.proxy.upstream.failTimeout | default "5s" -}}
+{{- $maxFails := $context.Values.proxy.config.upstream.maxFails | default 1 -}}
+{{- $failTimeout := $context.Values.proxy.config.upstream.failTimeout | default "10s" -}}
+{{- $proxyTimeout := $context.Values.proxy.config.server.proxyTimeout | default "600s" -}}
+{{- $proxyConnectTimeout := $context.Values.proxy.config.server.proxyConnectTimeout | default "10s" -}}
 
 load_module "/usr/lib/nginx/modules/ngx_stream_module.so";
 
@@ -45,8 +47,8 @@ stream {
     server {
         listen {{ $config.containerPort }};
         proxy_pass {{ $tunnel }};
-        proxy_timeout 600s;
-        proxy_connect_timeout 5s;
+        proxy_timeout {{ $proxyTimeout }};
+        proxy_connect_timeout {{ $proxyConnectTimeout }};
     }
     {{ end }}
 }
diff --git a/helm/ggbridge/values.yaml b/helm/ggbridge/values.yaml
@@ -395,12 +395,20 @@ proxy:
   # -- Set proxy labels
   labels: {}
 
-  # -- Nginx upstream configuration
-  upstream:
-    # -- Maximum number of unsuccessful attempts to communicate with the server
-    maxFails: 1
-    # -- Time during which the specified number of unsuccessful attempts must happen to mark the server as unavailable
-    failTimeout: 5s
+  # -- Nginx configuration
+  config:
+    # -- Nginx server configuration
+    server:
+      # -- Nginx proxy timeout for data exchange
+      proxyTimeout: 600s
+      # -- Nginx proxy timeout for TCP handshake
+      proxyConnectTimeout: 10s
+    # -- Nginx upstream configuration
+    upstream:
+      # -- Maximum number of unsuccessful attempts to communicate with the server
+      maxFails: 1
+      # -- Time during which the specified number of unsuccessful attempts must happen to mark the server as unavailable
+      failTimeout: 10s
 
   # -- Set the Proxy DNS resolver
   resolver: kube-dns.kube-system.svc.cluster.local
