DevFW-CICD/ingress-nginx-helm
12
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ingress-nginx-helm/charts/ingress-nginx/templates/controller-deployment.yaml

244 lines
11 KiB
YAML
Raw Permalink Normal View History

DOCS Remove support for running Both (#10255)
2023-10-12 17:51:40 +00:00
{{- if eq .Values.controller.kind "Deployment" -}}
Remove duplicated annotations definition and refactor hostPort configuration
2020-04-06 23:01:52 +00:00
apiVersion: apps/v1
Start migration of helm chart (#5159)
2020-02-24 19:25:57 +00:00
kind: Deployment
metadata:
labels:
Update helm templates to match new chart name
2020-02-28 14:53:24 +00:00
{{- include "ingress-nginx.labels" . | nindent 4 }}
Hardcode component names. By removing this, we reduce unecessary config options and moving parts. Signed-off-by: Naseem <naseem@transit.app>
2020-03-04 02:53:23 +00:00
app.kubernetes.io/component: controller
Misc fixes for nginx-ingress chart for better keel and prometheus-operator integration Update: allow values.yaml without labels to pass
2020-08-31 20:14:44 +00:00
{{- with .Values.controller.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
Hardcode component names. By removing this, we reduce unecessary config options and moving parts. Signed-off-by: Naseem <naseem@transit.app>
2020-03-04 02:53:23 +00:00
name: {{ include "ingress-nginx.controller.fullname" . }}
feat: add namespace overrides (#10539) * feat: add namespace overrides * add value in readme * fix: readme description * fix: description in value * fix: set max length and trim last "-"
2023-10-24 17:53:46 +00:00
namespace: {{ include "ingress-nginx.namespace" . }}
Remove duplicated annotations definition and refactor hostPort configuration
2020-04-06 23:01:52 +00:00
{{- if .Values.controller.annotations }}
annotations: {{ toYaml .Values.controller.annotations | nindent 4 }}
{{- end }}
Start migration of helm chart (#5159)
2020-02-24 19:25:57 +00:00
spec:
selector:
matchLabels:
Update helm templates to match new chart name
2020-02-28 14:53:24 +00:00
{{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
Hardcode component names. By removing this, we reduce unecessary config options and moving parts. Signed-off-by: Naseem <naseem@transit.app>
2020-03-04 02:53:23 +00:00
app.kubernetes.io/component: controller
Chart: Align HPA & KEDA conditions. (#11110)
2024-03-12 13:43:51 +00:00
{{- if eq .Values.controller.autoscaling.enabled .Values.controller.keda.enabled }}
Start migration of helm chart (#5159)
2020-02-24 19:25:57 +00:00
replicas: {{ .Values.controller.replicaCount }}
Remove duplicated annotations definition and refactor hostPort configuration
2020-04-06 23:01:52 +00:00
{{- end }}
Start migration of helm chart (#5159)
2020-02-24 19:25:57 +00:00
revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
Chart: Add `controller.progressDeadlineSeconds`. (#12017)
2024-09-27 10:14:01 +00:00
{{- if .Values.controller.progressDeadlineSeconds }}
progressDeadlineSeconds: {{ .Values.controller.progressDeadlineSeconds }}
{{- end }}
Remove duplicated annotations definition and refactor hostPort configuration
2020-04-06 23:01:52 +00:00
{{- if .Values.controller.updateStrategy }}
Deployment/DaemonSet: Fix templating & value. (#10240)
2023-09-10 14:20:09 +00:00
strategy: {{ toYaml .Values.controller.updateStrategy | nindent 4 }}
Remove duplicated annotations definition and refactor hostPort configuration
2020-04-06 23:01:52 +00:00
{{- end }}
Start migration of helm chart (#5159)
2020-02-24 19:25:57 +00:00
minReadySeconds: {{ .Values.controller.minReadySeconds }}
template:
metadata:
Cleanup chart code
2020-03-02 14:49:26 +00:00
{{- if .Values.controller.podAnnotations }}
[Helm] allow configuring controller container name Signed-off-by: amirschw <24677563+amirschw@users.noreply.github.com>
2021-04-13 11:48:34 +00:00
annotations:
fix podAnnotations quotes for #6315 bumped chart version, daemonset podannotations missing end on podannotations ci values files new lines at the end of files
2020-10-11 10:14:36 +00:00
{{- range $key, $value := .Values.controller.podAnnotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
Cleanup chart code
2020-03-02 14:49:26 +00:00
{{- end }}
Start migration of helm chart (#5159)
2020-02-24 19:25:57 +00:00
labels:
Deployment/DaemonSet: Label pods using `ingress-nginx.labels`. (#9732)
2023-03-14 13:44:17 +00:00
{{- include "ingress-nginx.labels" . | nindent 8 }}
Hardcode component names. By removing this, we reduce unecessary config options and moving parts. Signed-off-by: Naseem <naseem@transit.app>
2020-03-04 02:53:23 +00:00
app.kubernetes.io/component: controller
[Helm] Add labels to resources (#6992) * Add labels to RBAC resources * Add labels to all resources * Fix labels indentaton in patch jobs * Add controller and default backend labels to pods Signed-off-by: Muhammad Hamza Zaib <hamzazaib3202@gmail.com> * Bump chart version and update changelog Signed-off-by: Muhammad Hamza Zaib <hamzazaib3202@gmail.com>
2021-11-19 14:52:52 +00:00
{{- with .Values.controller.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
Cleanup chart code
2020-03-02 14:49:26 +00:00
{{- if .Values.controller.podLabels }}
{{- toYaml .Values.controller.podLabels | nindent 8 }}
{{- end }}
Start migration of helm chart (#5159)
2020-02-24 19:25:57 +00:00
spec:
Cleanup chart code
2020-03-02 14:49:26 +00:00
{{- if .Values.controller.dnsConfig }}
dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }}
[helm] configure allow to configure hostAliases (#10180) Signed-off-by: Jan-Otto Kröpke <joe@cloudeteer.de>
2023-07-28 11:41:56 +00:00
{{- end }}
{{- if .Values.controller.hostAliases }}
hostAliases: {{ tpl (toYaml .Values.controller.hostAliases) $ | nindent 8 }}
Cleanup chart code
2020-03-02 14:49:26 +00:00
{{- end }}
Add hostname value to override pod's hostname (#7386)
2021-08-09 13:45:31 +00:00
{{- if .Values.controller.hostname }}
hostname: {{ toYaml .Values.controller.hostname | nindent 8 }}
{{- end }}
Start migration of helm chart (#5159)
2020-02-24 19:25:57 +00:00
dnsPolicy: {{ .Values.controller.dnsPolicy }}
Cleanup chart code
2020-03-02 14:49:26 +00:00
{{- if .Values.imagePullSecrets }}
imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
{{- end }}
{{- if .Values.controller.priorityClassName }}
priorityClassName should be in " " (#7512) * priorityClassName should be in " " Example: https://github.com/helm/charts/blob/master/stable/k8s-spot-rescheduler/templates/deployment.yaml#L28 * Update charts/ingress-nginx/templates/controller-deployment.yaml Co-authored-by: Alex Harder <13860012+ChiefAlexander@users.noreply.github.com> Co-authored-by: Ricardo Katz <rikatz@users.noreply.github.com> Co-authored-by: Alex Harder <13860012+ChiefAlexander@users.noreply.github.com>
2021-10-24 22:28:21 +00:00
priorityClassName: {{ .Values.controller.priorityClassName | quote }}
Cleanup chart code
2020-03-02 14:49:26 +00:00
{{- end }}
Add sysctl exemptions to controller PSP I would like to be able to support this construction in my DaemonSet, I have coontrol over the host and this is the easiest way yo bump the socket properties. ```yaml securityContext: sysctls: - name: net.core.somaxconn value: "8192" ```
2020-06-12 07:45:55 +00:00
{{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }}
securityContext:
Chart: Tighten `securityContext`s and Pod Security Policies. (#10491) * Values: Fix docs of `controller.podSecurityContext` & `controller.sysctls`. * Values: Add missing `controller.containerSecurityContext`. Already in use, but has never been added to values. * Values: Fix docs of `defaultBackend.podSecurityContext` & `defaultBackend.containerSecurityContext`. * Helpers: Rename `controller.containerSecurityContext` to `ingress-nginx.controller.containerSecurityContext`. Due to alignment with other templates. * Helpers: Improve `extraModules`. - Make `command` a multiline list. - Fix `toYaml` usage. - Remove `toYaml` where not necessary. * Helpers: Move `ingress-nginx.defaultBackend.fullname`. * Helpers: Add `ingress-nginx.defaultBackend.containerSecurityContext`. Extracts the default backend `securityContext` into a template, as for the controller. * Controller: Fix indentation of `controller.podSecurityContext` & `controller.sysctls`. * Controller: Improve `controller.extraModules` & `controller.opentelemetry`. - Add `controller.extraModules.distroless` & `controller.extraModules.resources`. - Add `controller.opentelemetry.name` & `controller.opentelemetry.distroless`. - Align `extraModules` inclusion for `controller.extraModules` & `controller.opentelemetry`. - Remove redundant whitespaces. * Controller/PSP: Align indentation. * Controller/PSP: Remove quotes. * Controller/PSP: Improve comments. * Controller/PSP: Reorder fields. See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy. * Admission Webhooks: Fix indentation of `controller.admissionWebhooks.patch.securityContext`. * Admission Webhooks/PSP: Align indentation. * Admission Webhooks/PSP: Reorder fields. * Admission Webhooks/PSP: Align condition. * Admission Webhooks/ClusterRole: Align PSP rule. * Default Backend/PSP: Align indentation. * Default Backend/PSP: Reorder fields. See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy. * Values: Tighten `controller.image`. Due to recent changes, the controller image can be run without privilege escalation: - https://github.com/kubernetes/ingress-nginx/issues/8499 - https://github.com/kubernetes/ingress-nginx/pull/7449 * Values: Tighten `controller.extraModules.containerSecurityContext`. * Values: Tighten `controller.opentelemetry.containerSecurityContext`. * Values: Tighten `controller.admissionWebhooks.*.securityContext`. Moves the pod `securityContext` to the containers to not interfere with injected containers. * Values: Tighten `defaultBackend.image`.
2023-11-07 17:52:36 +00:00
{{- if .Values.controller.podSecurityContext }}
Add sysctl exemptions to controller PSP I would like to be able to support this construction in my DaemonSet, I have coontrol over the host and this is the easiest way yo bump the socket properties. ```yaml securityContext: sysctls: - name: net.core.somaxconn value: "8192" ```
2020-06-12 07:45:55 +00:00
{{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
Chart: Tighten `securityContext`s and Pod Security Policies. (#10491) * Values: Fix docs of `controller.podSecurityContext` & `controller.sysctls`. * Values: Add missing `controller.containerSecurityContext`. Already in use, but has never been added to values. * Values: Fix docs of `defaultBackend.podSecurityContext` & `defaultBackend.containerSecurityContext`. * Helpers: Rename `controller.containerSecurityContext` to `ingress-nginx.controller.containerSecurityContext`. Due to alignment with other templates. * Helpers: Improve `extraModules`. - Make `command` a multiline list. - Fix `toYaml` usage. - Remove `toYaml` where not necessary. * Helpers: Move `ingress-nginx.defaultBackend.fullname`. * Helpers: Add `ingress-nginx.defaultBackend.containerSecurityContext`. Extracts the default backend `securityContext` into a template, as for the controller. * Controller: Fix indentation of `controller.podSecurityContext` & `controller.sysctls`. * Controller: Improve `controller.extraModules` & `controller.opentelemetry`. - Add `controller.extraModules.distroless` & `controller.extraModules.resources`. - Add `controller.opentelemetry.name` & `controller.opentelemetry.distroless`. - Align `extraModules` inclusion for `controller.extraModules` & `controller.opentelemetry`. - Remove redundant whitespaces. * Controller/PSP: Align indentation. * Controller/PSP: Remove quotes. * Controller/PSP: Improve comments. * Controller/PSP: Reorder fields. See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy. * Admission Webhooks: Fix indentation of `controller.admissionWebhooks.patch.securityContext`. * Admission Webhooks/PSP: Align indentation. * Admission Webhooks/PSP: Reorder fields. * Admission Webhooks/PSP: Align condition. * Admission Webhooks/ClusterRole: Align PSP rule. * Default Backend/PSP: Align indentation. * Default Backend/PSP: Reorder fields. See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy. * Values: Tighten `controller.image`. Due to recent changes, the controller image can be run without privilege escalation: - https://github.com/kubernetes/ingress-nginx/issues/8499 - https://github.com/kubernetes/ingress-nginx/pull/7449 * Values: Tighten `controller.extraModules.containerSecurityContext`. * Values: Tighten `controller.opentelemetry.containerSecurityContext`. * Values: Tighten `controller.admissionWebhooks.*.securityContext`. Moves the pod `securityContext` to the containers to not interfere with injected containers. * Values: Tighten `defaultBackend.image`.
2023-11-07 17:52:36 +00:00
{{- end }}
{{- if .Values.controller.sysctls }}
Add sysctl exemptions to controller PSP I would like to be able to support this construction in my DaemonSet, I have coontrol over the host and this is the easiest way yo bump the socket properties. ```yaml securityContext: sysctls: - name: net.core.somaxconn value: "8192" ```
2020-06-12 07:45:55 +00:00
sysctls:
Chart: Tighten `securityContext`s and Pod Security Policies. (#10491) * Values: Fix docs of `controller.podSecurityContext` & `controller.sysctls`. * Values: Add missing `controller.containerSecurityContext`. Already in use, but has never been added to values. * Values: Fix docs of `defaultBackend.podSecurityContext` & `defaultBackend.containerSecurityContext`. * Helpers: Rename `controller.containerSecurityContext` to `ingress-nginx.controller.containerSecurityContext`. Due to alignment with other templates. * Helpers: Improve `extraModules`. - Make `command` a multiline list. - Fix `toYaml` usage. - Remove `toYaml` where not necessary. * Helpers: Move `ingress-nginx.defaultBackend.fullname`. * Helpers: Add `ingress-nginx.defaultBackend.containerSecurityContext`. Extracts the default backend `securityContext` into a template, as for the controller. * Controller: Fix indentation of `controller.podSecurityContext` & `controller.sysctls`. * Controller: Improve `controller.extraModules` & `controller.opentelemetry`. - Add `controller.extraModules.distroless` & `controller.extraModules.resources`. - Add `controller.opentelemetry.name` & `controller.opentelemetry.distroless`. - Align `extraModules` inclusion for `controller.extraModules` & `controller.opentelemetry`. - Remove redundant whitespaces. * Controller/PSP: Align indentation. * Controller/PSP: Remove quotes. * Controller/PSP: Improve comments. * Controller/PSP: Reorder fields. See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy. * Admission Webhooks: Fix indentation of `controller.admissionWebhooks.patch.securityContext`. * Admission Webhooks/PSP: Align indentation. * Admission Webhooks/PSP: Reorder fields. * Admission Webhooks/PSP: Align condition. * Admission Webhooks/ClusterRole: Align PSP rule. * Default Backend/PSP: Align indentation. * Default Backend/PSP: Reorder fields. See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy. * Values: Tighten `controller.image`. Due to recent changes, the controller image can be run without privilege escalation: - https://github.com/kubernetes/ingress-nginx/issues/8499 - https://github.com/kubernetes/ingress-nginx/pull/7449 * Values: Tighten `controller.extraModules.containerSecurityContext`. * Values: Tighten `controller.opentelemetry.containerSecurityContext`. * Values: Tighten `controller.admissionWebhooks.*.securityContext`. Moves the pod `securityContext` to the containers to not interfere with injected containers. * Values: Tighten `defaultBackend.image`.
2023-11-07 17:52:36 +00:00
{{- range $sysctl, $value := .Values.controller.sysctls }}
- name: {{ $sysctl | quote }}
value: {{ $value | quote }}
{{- end }}
{{- end }}
Add the shareProcessNamespace as a configurable setting. (#8287)
2022-03-14 15:51:57 +00:00
{{- end }}
{{- if .Values.controller.shareProcessNamespace }}
shareProcessNamespace: {{ .Values.controller.shareProcessNamespace }}
Cleanup chart code
2020-03-02 14:49:26 +00:00
{{- end }}
Start migration of helm chart (#5159)
2020-02-24 19:25:57 +00:00
containers:
[Helm] allow configuring controller container name Signed-off-by: amirschw <24677563+amirschw@users.noreply.github.com>
2021-04-13 11:48:34 +00:00
- name: {{ .Values.controller.containerName }}
Chart: Add `global.image.registry`. (#12028)
2024-09-30 08:26:04 +00:00
{{- with (merge .Values.controller.image .Values.global.image) }}
Chart: Simplify image templating. (#10708)
2023-12-05 16:22:12 +00:00
image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}
Allow pulling images by digest The digest uniquely identifies a specific version of the image, so it is never updated by Kubernetes unless you change the digest value. This is desirable for security to gain confidence that no unvetted changes are pulled to a deployment.
2020-05-20 15:34:18 +00:00
{{- end }}
Cleanup chart code
2020-03-02 14:49:26 +00:00
imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
{{- if .Values.controller.lifecycle }}
lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }}
{{- end }}
Chart: Tighten `securityContext`s and Pod Security Policies. (#10491) * Values: Fix docs of `controller.podSecurityContext` & `controller.sysctls`. * Values: Add missing `controller.containerSecurityContext`. Already in use, but has never been added to values. * Values: Fix docs of `defaultBackend.podSecurityContext` & `defaultBackend.containerSecurityContext`. * Helpers: Rename `controller.containerSecurityContext` to `ingress-nginx.controller.containerSecurityContext`. Due to alignment with other templates. * Helpers: Improve `extraModules`. - Make `command` a multiline list. - Fix `toYaml` usage. - Remove `toYaml` where not necessary. * Helpers: Move `ingress-nginx.defaultBackend.fullname`. * Helpers: Add `ingress-nginx.defaultBackend.containerSecurityContext`. Extracts the default backend `securityContext` into a template, as for the controller. * Controller: Fix indentation of `controller.podSecurityContext` & `controller.sysctls`. * Controller: Improve `controller.extraModules` & `controller.opentelemetry`. - Add `controller.extraModules.distroless` & `controller.extraModules.resources`. - Add `controller.opentelemetry.name` & `controller.opentelemetry.distroless`. - Align `extraModules` inclusion for `controller.extraModules` & `controller.opentelemetry`. - Remove redundant whitespaces. * Controller/PSP: Align indentation. * Controller/PSP: Remove quotes. * Controller/PSP: Improve comments. * Controller/PSP: Reorder fields. See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy. * Admission Webhooks: Fix indentation of `controller.admissionWebhooks.patch.securityContext`. * Admission Webhooks/PSP: Align indentation. * Admission Webhooks/PSP: Reorder fields. * Admission Webhooks/PSP: Align condition. * Admission Webhooks/ClusterRole: Align PSP rule. * Default Backend/PSP: Align indentation. * Default Backend/PSP: Reorder fields. See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy. * Values: Tighten `controller.image`. Due to recent changes, the controller image can be run without privilege escalation: - https://github.com/kubernetes/ingress-nginx/issues/8499 - https://github.com/kubernetes/ingress-nginx/pull/7449 * Values: Tighten `controller.extraModules.containerSecurityContext`. * Values: Tighten `controller.opentelemetry.containerSecurityContext`. * Values: Tighten `controller.admissionWebhooks.*.securityContext`. Moves the pod `securityContext` to the containers to not interfere with injected containers. * Values: Tighten `defaultBackend.image`.
2023-11-07 17:52:36 +00:00
args: {{ include "ingress-nginx.params" . | nindent 12 }}
securityContext: {{ include "ingress-nginx.controller.containerSecurityContext" . | nindent 12 }}
Start migration of helm chart (#5159)
2020-02-24 19:25:57 +00:00
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
Add lifecycle hook and option to enable mimalloc
2020-04-06 16:34:19 +00:00
{{- if .Values.controller.enableMimalloc }}
- name: LD_PRELOAD
value: /usr/local/lib/libmimalloc.so
{{- end }}
Start migration of helm chart (#5159)
2020-02-24 19:25:57 +00:00
{{- if .Values.controller.extraEnvs }}
Cleanup chart code
2020-03-02 14:49:26 +00:00
{{- toYaml .Values.controller.extraEnvs | nindent 12 }}
Release v1 (#7470) * Drop v1beta1 from ingress nginx (#7156) * Drop v1beta1 from ingress nginx Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix intorstr logic in controller Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * fixing admission Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * more intorstr fixing * correct template rendering Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix e2e tests for v1 api Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix gofmt errors * This is finally working...almost there... Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Re-add removed validation of AdmissionReview * Prepare for v1.0.0-alpha.1 release Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Update changelog and matrix table for v1.0.0-alpha.1 (#7274) Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * add docs for syslog feature (#7219) * Fix link to e2e-tests.md in developer-guide (#7201) * Use ENV expansion for namespace in args (#7146) Update the DaemonSet namespace references to use the `POD_NAMESPACE` environment variable in the same way that the Deployment does. * chart: using Helm builtin capabilities check (#7190) Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com> * Update proper default value for HTTP2MaxConcurrentStreams in Docs (#6944) It should be 128 as documented in https://github.com/kubernetes/ingress-nginx/blob/master/internal/ingress/controller/config/config.go#L780 * Fix MaxWorkerOpenFiles calculation on high cores nodes (#7107) * Fix MaxWorkerOpenFiles calculation on high cores nodes * Add e2e test for rlimit_nofile * Fix doc for max-worker-open-files * ingress/tcp: add additional error logging on failed (#7208) * Add file containing stable release (#7313) * Handle named (non-numeric) ports correctly (#7311) Signed-off-by: Carlos Panato <ctadeu@gmail.com> * Updated v1beta1 to v1 as its deprecated (#7308) * remove mercurial from build (#7031) * Retry to download maxmind DB if it fails (#7242) * Retry to download maxmind DB if it fails. Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com> * Add retries count arg, move retry logic into DownloadGeoLite2DB function Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com> * Reorder parameters in DownloadGeoLite2DB Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com> * Remove hardcoded value Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com> * Release v1.0.0-alpha.1 * Add changelog for v1.0.0-alpha.2 * controller: ignore non-service backends (#7332) * controller: ignore non-service backends Signed-off-by: Carlos Panato <ctadeu@gmail.com> * update per feedback Signed-off-by: Carlos Panato <ctadeu@gmail.com> * fix: allow scope/tcp/udp configmap namespace to altered (#7161) * Lower webhook timeout for digital ocean (#7319) * Lower webhook timeout for digital ocean * Set Digital Ocean value controller.admissionWebhooks.timeoutSeconds to 29 * update OWNERS and aliases files (#7365) (#7366) Signed-off-by: Carlos Panato <ctadeu@gmail.com> * Downgrade Lua modules for s390x (#7355) Downgrade Lua modules to last known working version. * Fix IngressClass logic for newer releases (#7341) * Fix IngressClass logic for newer releases Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Change e2e tests for the new IngressClass presence * Fix chart and admission tests Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix helm chart test Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix reviews * Remove ingressclass code from admission * update tag to v1.0.0-beta.1 * update readme and changelog for v1.0.0-beta.1 * Release v1.0.0-beta.1 - helm and manifests (#7422) * Change the order of annotation just to trigger a new helm release (#7425) * [cherry-pick] Add dev-v1 branch into helm releaser (#7428) * Add dev-v1 branch into helm releaser (#7424) * chore: add link for artifacthub.io/prerelease annotations Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com> Co-authored-by: Ricardo Katz <rikatz@users.noreply.github.com> * k8s job ci pipeline for dev-v1 br v1.22.0 (#7453) * k8s job ci pipeline for dev-v1 br v1.22.0 Signed-off-by: Neha Lohia <nehapithadiya444@gmail.com> * k8s job ci pipeline for dev-v1 br v1.21.2 Signed-off-by: Neha Lohia <nehapithadiya444@gmail.com> * remove v1.21.1 version Signed-off-by: Neha Lohia <nehapithadiya444@gmail.com> * Add controller.watchIngressWithoutClass config option (#7459) Signed-off-by: Akshit Grover <akshit.grover2016@gmail.com> * Release new helm chart with certgen fixed (#7478) * Update go version, modules and remove ioutil * Release new helm chart with certgen fixed * changed appversion, chartversion, TAG, image (#7490) * Fix CI conflict * Fix CI conflict * Fix build.sh from rebase process * Fix controller_test post rebase Co-authored-by: Tianhao Guo <rggth09@gmail.com> Co-authored-by: Ray <61553+rctay@users.noreply.github.com> Co-authored-by: Bill Cassidy <cassid4@gmail.com> Co-authored-by: Jintao Zhang <tao12345666333@163.com> Co-authored-by: Sathish Ramani <rsathishx87@gmail.com> Co-authored-by: Mansur Marvanov <nanorobocop@gmail.com> Co-authored-by: Matt1360 <568198+Matt1360@users.noreply.github.com> Co-authored-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com> Co-authored-by: Kundan Kumar <kundan.kumar@india.nec.com> Co-authored-by: Tom Hayward <thayward@infoblox.com> Co-authored-by: Sergey Shakuto <sshakuto@infoblox.com> Co-authored-by: Tore <tore.lonoy@gmail.com> Co-authored-by: Bouke Versteegh <info@boukeversteegh.nl> Co-authored-by: Shahid <shahid@us.ibm.com> Co-authored-by: James Strong <strong.james.e@gmail.com> Co-authored-by: Long Wu Yuan <longwuyuan@gmail.com> Co-authored-by: Jintao Zhang <zhangjintao9020@gmail.com> Co-authored-by: Neha Lohia <nehapithadiya444@gmail.com> Co-authored-by: Akshit Grover <akshit.grover2016@gmail.com>
2021-08-21 20:42:00 +00:00
{{- end }}
Add support for custom probes (#7137) * Add support for custom probes * Fix lint issue with comment * Bump chart version * Fix lint issue
2021-05-18 13:37:31 +00:00
{{- if .Values.controller.startupProbe }}
startupProbe: {{ toYaml .Values.controller.startupProbe | nindent 12 }}
Start migration of helm chart (#5159)
2020-02-24 19:25:57 +00:00
{{- end }}
Adding support for disabling liveness and readiness probes in the Helm chart (#9238)
2022-11-08 14:44:25 +00:00
{{- if .Values.controller.livenessProbe }}
Add support for custom probes (#7137) * Add support for custom probes * Fix lint issue with comment * Bump chart version * Fix lint issue
2021-05-18 13:37:31 +00:00
livenessProbe: {{ toYaml .Values.controller.livenessProbe | nindent 12 }}
Adding support for disabling liveness and readiness probes in the Helm chart (#9238)
2022-11-08 14:44:25 +00:00
{{- end }}
{{- if .Values.controller.readinessProbe }}
Add support for custom probes (#7137) * Add support for custom probes * Fix lint issue with comment * Bump chart version * Fix lint issue
2021-05-18 13:37:31 +00:00
readinessProbe: {{ toYaml .Values.controller.readinessProbe | nindent 12 }}
Adding support for disabling liveness and readiness probes in the Helm chart (#9238)
2022-11-08 14:44:25 +00:00
{{- end }}
Start migration of helm chart (#5159)
2020-02-24 19:25:57 +00:00
ports:
{{- range $key, $value := .Values.controller.containerPort }}
- name: {{ $key }}
containerPort: {{ $value }}
protocol: TCP
Remove duplicated annotations definition and refactor hostPort configuration
2020-04-06 23:01:52 +00:00
{{- if $.Values.controller.hostPort.enabled }}
hostPort: {{ index $.Values.controller.hostPort.ports $key | default $value }}
Add support for hostPort in Deployment
2020-03-14 21:24:46 +00:00
{{- end }}
Start migration of helm chart (#5159)
2020-02-24 19:25:57 +00:00
{{- end }}
{{- if .Values.controller.metrics.enabled }}
parameterize port name
2022-09-12 19:34:40 +00:00
- name: {{ .Values.controller.metrics.portName }}
Start migration of helm chart (#5159)
2020-02-24 19:25:57 +00:00
containerPort: {{ .Values.controller.metrics.port }}
protocol: TCP
{{- end }}
{{- if .Values.controller.admissionWebhooks.enabled }}
- name: webhook
containerPort: {{ .Values.controller.admissionWebhooks.port }}
protocol: TCP
{{- end }}
{{- range $key, $value := .Values.tcp }}
Add portNamePreffix Helm chart parameter (#8458) Allow user to set custom preffix for TCP and UDP ports
2022-05-10 16:13:43 +00:00
- name: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-tcp
Start migration of helm chart (#5159)
2020-02-24 19:25:57 +00:00
containerPort: {{ $key }}
protocol: TCP
Remove duplicated annotations definition and refactor hostPort configuration
2020-04-06 23:01:52 +00:00
{{- if $.Values.controller.hostPort.enabled }}
hostPort: {{ $key }}
{{- end }}
Start migration of helm chart (#5159)
2020-02-24 19:25:57 +00:00
{{- end }}
{{- range $key, $value := .Values.udp }}
Add portNamePreffix Helm chart parameter (#8458) Allow user to set custom preffix for TCP and UDP ports
2022-05-10 16:13:43 +00:00
- name: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-udp
Start migration of helm chart (#5159)
2020-02-24 19:25:57 +00:00
containerPort: {{ $key }}
protocol: UDP
Remove duplicated annotations definition and refactor hostPort configuration
2020-04-06 23:01:52 +00:00
{{- if $.Values.controller.hostPort.enabled }}
hostPort: {{ $key }}
{{- end }}
Start migration of helm chart (#5159)
2020-02-24 19:25:57 +00:00
{{- end }}
Images: Remove OpenTelemetry. (#12024)
2024-09-29 15:31:04 +00:00
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules) }}
Start migration of helm chart (#5159)
2020-02-24 19:25:57 +00:00
volumeMounts:
Images: Remove OpenTelemetry. (#12024)
2024-09-29 15:31:04 +00:00
{{- if .Values.controller.extraModules }}
First sidecar module: OpenTelemetry (#8013) * remove opentelemetry from main nginx image * add opentelemetry sidecar image * handle extra modules in helm chart * fix running helm chart * mount the modules volume in the init container * merge the mounted folder * fix the otel image * fix licence year * fix cloudbuild image * use the same nginx version as in the main image * only retrieve /etc/nginx/modules for now
2022-01-16 21:33:28 +00:00
- name: modules
Chart: Tighten `securityContext`s and Pod Security Policies. (#10491) * Values: Fix docs of `controller.podSecurityContext` & `controller.sysctls`. * Values: Add missing `controller.containerSecurityContext`. Already in use, but has never been added to values. * Values: Fix docs of `defaultBackend.podSecurityContext` & `defaultBackend.containerSecurityContext`. * Helpers: Rename `controller.containerSecurityContext` to `ingress-nginx.controller.containerSecurityContext`. Due to alignment with other templates. * Helpers: Improve `extraModules`. - Make `command` a multiline list. - Fix `toYaml` usage. - Remove `toYaml` where not necessary. * Helpers: Move `ingress-nginx.defaultBackend.fullname`. * Helpers: Add `ingress-nginx.defaultBackend.containerSecurityContext`. Extracts the default backend `securityContext` into a template, as for the controller. * Controller: Fix indentation of `controller.podSecurityContext` & `controller.sysctls`. * Controller: Improve `controller.extraModules` & `controller.opentelemetry`. - Add `controller.extraModules.distroless` & `controller.extraModules.resources`. - Add `controller.opentelemetry.name` & `controller.opentelemetry.distroless`. - Align `extraModules` inclusion for `controller.extraModules` & `controller.opentelemetry`. - Remove redundant whitespaces. * Controller/PSP: Align indentation. * Controller/PSP: Remove quotes. * Controller/PSP: Improve comments. * Controller/PSP: Reorder fields. See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy. * Admission Webhooks: Fix indentation of `controller.admissionWebhooks.patch.securityContext`. * Admission Webhooks/PSP: Align indentation. * Admission Webhooks/PSP: Reorder fields. * Admission Webhooks/PSP: Align condition. * Admission Webhooks/ClusterRole: Align PSP rule. * Default Backend/PSP: Align indentation. * Default Backend/PSP: Reorder fields. See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy. * Values: Tighten `controller.image`. Due to recent changes, the controller image can be run without privilege escalation: - https://github.com/kubernetes/ingress-nginx/issues/8499 - https://github.com/kubernetes/ingress-nginx/pull/7449 * Values: Tighten `controller.extraModules.containerSecurityContext`. * Values: Tighten `controller.opentelemetry.containerSecurityContext`. * Values: Tighten `controller.admissionWebhooks.*.securityContext`. Moves the pod `securityContext` to the containers to not interfere with injected containers. * Values: Tighten `defaultBackend.image`.
2023-11-07 17:52:36 +00:00
{{- if .Values.controller.image.chroot }}
fix chroot module mount path (#9090)
2022-09-28 21:02:30 +00:00
mountPath: /chroot/modules_mount
Chart: Tighten `securityContext`s and Pod Security Policies. (#10491) * Values: Fix docs of `controller.podSecurityContext` & `controller.sysctls`. * Values: Add missing `controller.containerSecurityContext`. Already in use, but has never been added to values. * Values: Fix docs of `defaultBackend.podSecurityContext` & `defaultBackend.containerSecurityContext`. * Helpers: Rename `controller.containerSecurityContext` to `ingress-nginx.controller.containerSecurityContext`. Due to alignment with other templates. * Helpers: Improve `extraModules`. - Make `command` a multiline list. - Fix `toYaml` usage. - Remove `toYaml` where not necessary. * Helpers: Move `ingress-nginx.defaultBackend.fullname`. * Helpers: Add `ingress-nginx.defaultBackend.containerSecurityContext`. Extracts the default backend `securityContext` into a template, as for the controller. * Controller: Fix indentation of `controller.podSecurityContext` & `controller.sysctls`. * Controller: Improve `controller.extraModules` & `controller.opentelemetry`. - Add `controller.extraModules.distroless` & `controller.extraModules.resources`. - Add `controller.opentelemetry.name` & `controller.opentelemetry.distroless`. - Align `extraModules` inclusion for `controller.extraModules` & `controller.opentelemetry`. - Remove redundant whitespaces. * Controller/PSP: Align indentation. * Controller/PSP: Remove quotes. * Controller/PSP: Improve comments. * Controller/PSP: Reorder fields. See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy. * Admission Webhooks: Fix indentation of `controller.admissionWebhooks.patch.securityContext`. * Admission Webhooks/PSP: Align indentation. * Admission Webhooks/PSP: Reorder fields. * Admission Webhooks/PSP: Align condition. * Admission Webhooks/ClusterRole: Align PSP rule. * Default Backend/PSP: Align indentation. * Default Backend/PSP: Reorder fields. See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy. * Values: Tighten `controller.image`. Due to recent changes, the controller image can be run without privilege escalation: - https://github.com/kubernetes/ingress-nginx/issues/8499 - https://github.com/kubernetes/ingress-nginx/pull/7449 * Values: Tighten `controller.extraModules.containerSecurityContext`. * Values: Tighten `controller.opentelemetry.containerSecurityContext`. * Values: Tighten `controller.admissionWebhooks.*.securityContext`. Moves the pod `securityContext` to the containers to not interfere with injected containers. * Values: Tighten `defaultBackend.image`.
2023-11-07 17:52:36 +00:00
{{- else }}
First sidecar module: OpenTelemetry (#8013) * remove opentelemetry from main nginx image * add opentelemetry sidecar image * handle extra modules in helm chart * fix running helm chart * mount the modules volume in the init container * merge the mounted folder * fix the otel image * fix licence year * fix cloudbuild image * use the same nginx version as in the main image * only retrieve /etc/nginx/modules for now
2022-01-16 21:33:28 +00:00
mountPath: /modules_mount
Chart: Tighten `securityContext`s and Pod Security Policies. (#10491) * Values: Fix docs of `controller.podSecurityContext` & `controller.sysctls`. * Values: Add missing `controller.containerSecurityContext`. Already in use, but has never been added to values. * Values: Fix docs of `defaultBackend.podSecurityContext` & `defaultBackend.containerSecurityContext`. * Helpers: Rename `controller.containerSecurityContext` to `ingress-nginx.controller.containerSecurityContext`. Due to alignment with other templates. * Helpers: Improve `extraModules`. - Make `command` a multiline list. - Fix `toYaml` usage. - Remove `toYaml` where not necessary. * Helpers: Move `ingress-nginx.defaultBackend.fullname`. * Helpers: Add `ingress-nginx.defaultBackend.containerSecurityContext`. Extracts the default backend `securityContext` into a template, as for the controller. * Controller: Fix indentation of `controller.podSecurityContext` & `controller.sysctls`. * Controller: Improve `controller.extraModules` & `controller.opentelemetry`. - Add `controller.extraModules.distroless` & `controller.extraModules.resources`. - Add `controller.opentelemetry.name` & `controller.opentelemetry.distroless`. - Align `extraModules` inclusion for `controller.extraModules` & `controller.opentelemetry`. - Remove redundant whitespaces. * Controller/PSP: Align indentation. * Controller/PSP: Remove quotes. * Controller/PSP: Improve comments. * Controller/PSP: Reorder fields. See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy. * Admission Webhooks: Fix indentation of `controller.admissionWebhooks.patch.securityContext`. * Admission Webhooks/PSP: Align indentation. * Admission Webhooks/PSP: Reorder fields. * Admission Webhooks/PSP: Align condition. * Admission Webhooks/ClusterRole: Align PSP rule. * Default Backend/PSP: Align indentation. * Default Backend/PSP: Reorder fields. See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy. * Values: Tighten `controller.image`. Due to recent changes, the controller image can be run without privilege escalation: - https://github.com/kubernetes/ingress-nginx/issues/8499 - https://github.com/kubernetes/ingress-nginx/pull/7449 * Values: Tighten `controller.extraModules.containerSecurityContext`. * Values: Tighten `controller.opentelemetry.containerSecurityContext`. * Values: Tighten `controller.admissionWebhooks.*.securityContext`. Moves the pod `securityContext` to the containers to not interfere with injected containers. * Values: Tighten `defaultBackend.image`.
2023-11-07 17:52:36 +00:00
{{- end }}
First sidecar module: OpenTelemetry (#8013) * remove opentelemetry from main nginx image * add opentelemetry sidecar image * handle extra modules in helm chart * fix running helm chart * mount the modules volume in the init container * merge the mounted folder * fix the otel image * fix licence year * fix cloudbuild image * use the same nginx version as in the main image * only retrieve /etc/nginx/modules for now
2022-01-16 21:33:28 +00:00
{{- end }}
Cleanup chart code
2020-03-02 14:49:26 +00:00
{{- if .Values.controller.customTemplate.configMapName }}
Start migration of helm chart (#5159)
2020-02-24 19:25:57 +00:00
- mountPath: /etc/nginx/template
name: nginx-template-volume
readOnly: true
Cleanup chart code
2020-03-02 14:49:26 +00:00
{{- end }}
{{- if .Values.controller.admissionWebhooks.enabled }}
Start migration of helm chart (#5159)
2020-02-24 19:25:57 +00:00
- name: webhook-cert
Cleanup chart code
2020-03-02 14:49:26 +00:00
mountPath: /usr/local/certificates/
Start migration of helm chart (#5159)
2020-02-24 19:25:57 +00:00
readOnly: true
Cleanup chart code
2020-03-02 14:49:26 +00:00
{{- end }}
{{- if .Values.controller.extraVolumeMounts }}
{{- toYaml .Values.controller.extraVolumeMounts | nindent 12 }}
{{- end }}
{{- end }}
{{- if .Values.controller.resources }}
resources: {{ toYaml .Values.controller.resources | nindent 12 }}
{{- end }}
{{- if .Values.controller.extraContainers }}
Chart: Tighten `securityContext`s and Pod Security Policies. (#10491) * Values: Fix docs of `controller.podSecurityContext` & `controller.sysctls`. * Values: Add missing `controller.containerSecurityContext`. Already in use, but has never been added to values. * Values: Fix docs of `defaultBackend.podSecurityContext` & `defaultBackend.containerSecurityContext`. * Helpers: Rename `controller.containerSecurityContext` to `ingress-nginx.controller.containerSecurityContext`. Due to alignment with other templates. * Helpers: Improve `extraModules`. - Make `command` a multiline list. - Fix `toYaml` usage. - Remove `toYaml` where not necessary. * Helpers: Move `ingress-nginx.defaultBackend.fullname`. * Helpers: Add `ingress-nginx.defaultBackend.containerSecurityContext`. Extracts the default backend `securityContext` into a template, as for the controller. * Controller: Fix indentation of `controller.podSecurityContext` & `controller.sysctls`. * Controller: Improve `controller.extraModules` & `controller.opentelemetry`. - Add `controller.extraModules.distroless` & `controller.extraModules.resources`. - Add `controller.opentelemetry.name` & `controller.opentelemetry.distroless`. - Align `extraModules` inclusion for `controller.extraModules` & `controller.opentelemetry`. - Remove redundant whitespaces. * Controller/PSP: Align indentation. * Controller/PSP: Remove quotes. * Controller/PSP: Improve comments. * Controller/PSP: Reorder fields. See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy. * Admission Webhooks: Fix indentation of `controller.admissionWebhooks.patch.securityContext`. * Admission Webhooks/PSP: Align indentation. * Admission Webhooks/PSP: Reorder fields. * Admission Webhooks/PSP: Align condition. * Admission Webhooks/ClusterRole: Align PSP rule. * Default Backend/PSP: Align indentation. * Default Backend/PSP: Reorder fields. See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy. * Values: Tighten `controller.image`. Due to recent changes, the controller image can be run without privilege escalation: - https://github.com/kubernetes/ingress-nginx/issues/8499 - https://github.com/kubernetes/ingress-nginx/pull/7449 * Values: Tighten `controller.extraModules.containerSecurityContext`. * Values: Tighten `controller.opentelemetry.containerSecurityContext`. * Values: Tighten `controller.admissionWebhooks.*.securityContext`. Moves the pod `securityContext` to the containers to not interfere with injected containers. * Values: Tighten `defaultBackend.image`.
2023-11-07 17:52:36 +00:00
{{- toYaml .Values.controller.extraContainers | nindent 8 }}
Cleanup chart code
2020-03-02 14:49:26 +00:00
{{- end }}
Images: Remove OpenTelemetry. (#12024)
2024-09-29 15:31:04 +00:00
{{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }}
First sidecar module: OpenTelemetry (#8013) * remove opentelemetry from main nginx image * add opentelemetry sidecar image * handle extra modules in helm chart * fix running helm chart * mount the modules volume in the init container * merge the mounted folder * fix the otel image * fix licence year * fix cloudbuild image * use the same nginx version as in the main image * only retrieve /etc/nginx/modules for now
2022-01-16 21:33:28 +00:00
initContainers:
{{- if .Values.controller.extraInitContainers }}
Chart: Tighten `securityContext`s and Pod Security Policies. (#10491) * Values: Fix docs of `controller.podSecurityContext` & `controller.sysctls`. * Values: Add missing `controller.containerSecurityContext`. Already in use, but has never been added to values. * Values: Fix docs of `defaultBackend.podSecurityContext` & `defaultBackend.containerSecurityContext`. * Helpers: Rename `controller.containerSecurityContext` to `ingress-nginx.controller.containerSecurityContext`. Due to alignment with other templates. * Helpers: Improve `extraModules`. - Make `command` a multiline list. - Fix `toYaml` usage. - Remove `toYaml` where not necessary. * Helpers: Move `ingress-nginx.defaultBackend.fullname`. * Helpers: Add `ingress-nginx.defaultBackend.containerSecurityContext`. Extracts the default backend `securityContext` into a template, as for the controller. * Controller: Fix indentation of `controller.podSecurityContext` & `controller.sysctls`. * Controller: Improve `controller.extraModules` & `controller.opentelemetry`. - Add `controller.extraModules.distroless` & `controller.extraModules.resources`. - Add `controller.opentelemetry.name` & `controller.opentelemetry.distroless`. - Align `extraModules` inclusion for `controller.extraModules` & `controller.opentelemetry`. - Remove redundant whitespaces. * Controller/PSP: Align indentation. * Controller/PSP: Remove quotes. * Controller/PSP: Improve comments. * Controller/PSP: Reorder fields. See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy. * Admission Webhooks: Fix indentation of `controller.admissionWebhooks.patch.securityContext`. * Admission Webhooks/PSP: Align indentation. * Admission Webhooks/PSP: Reorder fields. * Admission Webhooks/PSP: Align condition. * Admission Webhooks/ClusterRole: Align PSP rule. * Default Backend/PSP: Align indentation. * Default Backend/PSP: Reorder fields. See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy. * Values: Tighten `controller.image`. Due to recent changes, the controller image can be run without privilege escalation: - https://github.com/kubernetes/ingress-nginx/issues/8499 - https://github.com/kubernetes/ingress-nginx/pull/7449 * Values: Tighten `controller.extraModules.containerSecurityContext`. * Values: Tighten `controller.opentelemetry.containerSecurityContext`. * Values: Tighten `controller.admissionWebhooks.*.securityContext`. Moves the pod `securityContext` to the containers to not interfere with injected containers. * Values: Tighten `defaultBackend.image`.
2023-11-07 17:52:36 +00:00
{{- toYaml .Values.controller.extraInitContainers | nindent 8 }}
First sidecar module: OpenTelemetry (#8013) * remove opentelemetry from main nginx image * add opentelemetry sidecar image * handle extra modules in helm chart * fix running helm chart * mount the modules volume in the init container * merge the mounted folder * fix the otel image * fix licence year * fix cloudbuild image * use the same nginx version as in the main image * only retrieve /etc/nginx/modules for now
2022-01-16 21:33:28 +00:00
{{- end }}
{{- if .Values.controller.extraModules }}
{{- range .Values.controller.extraModules }}
Deployment/DaemonSet: Fix templating & value. (#10240)
2023-09-10 14:20:09 +00:00
{{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
Chart: Add `global.image.registry`. (#12028)
2024-09-30 08:26:04 +00:00
{{- include "extraModules" (dict "name" .name "image" (merge .image $.Values.global.image) "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
Chart: Tighten `securityContext`s and Pod Security Policies. (#10491) * Values: Fix docs of `controller.podSecurityContext` & `controller.sysctls`. * Values: Add missing `controller.containerSecurityContext`. Already in use, but has never been added to values. * Values: Fix docs of `defaultBackend.podSecurityContext` & `defaultBackend.containerSecurityContext`. * Helpers: Rename `controller.containerSecurityContext` to `ingress-nginx.controller.containerSecurityContext`. Due to alignment with other templates. * Helpers: Improve `extraModules`. - Make `command` a multiline list. - Fix `toYaml` usage. - Remove `toYaml` where not necessary. * Helpers: Move `ingress-nginx.defaultBackend.fullname`. * Helpers: Add `ingress-nginx.defaultBackend.containerSecurityContext`. Extracts the default backend `securityContext` into a template, as for the controller. * Controller: Fix indentation of `controller.podSecurityContext` & `controller.sysctls`. * Controller: Improve `controller.extraModules` & `controller.opentelemetry`. - Add `controller.extraModules.distroless` & `controller.extraModules.resources`. - Add `controller.opentelemetry.name` & `controller.opentelemetry.distroless`. - Align `extraModules` inclusion for `controller.extraModules` & `controller.opentelemetry`. - Remove redundant whitespaces. * Controller/PSP: Align indentation. * Controller/PSP: Remove quotes. * Controller/PSP: Improve comments. * Controller/PSP: Reorder fields. See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy. * Admission Webhooks: Fix indentation of `controller.admissionWebhooks.patch.securityContext`. * Admission Webhooks/PSP: Align indentation. * Admission Webhooks/PSP: Reorder fields. * Admission Webhooks/PSP: Align condition. * Admission Webhooks/ClusterRole: Align PSP rule. * Default Backend/PSP: Align indentation. * Default Backend/PSP: Reorder fields. See https://v1-24.docs.kubernetes.io/docs/concepts/security/pod-security-policy. * Values: Tighten `controller.image`. Due to recent changes, the controller image can be run without privilege escalation: - https://github.com/kubernetes/ingress-nginx/issues/8499 - https://github.com/kubernetes/ingress-nginx/pull/7449 * Values: Tighten `controller.extraModules.containerSecurityContext`. * Values: Tighten `controller.opentelemetry.containerSecurityContext`. * Values: Tighten `controller.admissionWebhooks.*.securityContext`. Moves the pod `securityContext` to the containers to not interfere with injected containers. * Values: Tighten `defaultBackend.image`.
2023-11-07 17:52:36 +00:00
{{- end }}
{{- end }}
Cleanup chart code
2020-03-02 14:49:26 +00:00
{{- end }}
{{- if .Values.controller.hostNetwork }}
Start migration of helm chart (#5159)
2020-02-24 19:25:57 +00:00
hostNetwork: {{ .Values.controller.hostNetwork }}
Cleanup chart code
2020-03-02 14:49:26 +00:00
{{- end }}
Start migration of helm chart (#5159)
2020-02-24 19:25:57 +00:00
{{- if .Values.controller.nodeSelector }}
Cleanup chart code
2020-03-02 14:49:26 +00:00
nodeSelector: {{ toYaml .Values.controller.nodeSelector | nindent 8 }}
Start migration of helm chart (#5159)
2020-02-24 19:25:57 +00:00
{{- end }}
{{- if .Values.controller.tolerations }}
Cleanup chart code
2020-03-02 14:49:26 +00:00
tolerations: {{ toYaml .Values.controller.tolerations | nindent 8 }}
Start migration of helm chart (#5159)
2020-02-24 19:25:57 +00:00
{{- end }}
{{- if .Values.controller.affinity }}
Chart: Make pod affinity templatable. (#11453) * [helm] template pod affinity * update README * Apply suggestions from code review Co-authored-by: Marco Ebert <marco_ebert@icloud.com> * revert Chart.yaml version bump * add unittests * add docs defaultBackend.affinity * add README section to values * fix README syntax * Apply suggestions from code review Co-authored-by: Marco Ebert <marco_ebert@icloud.com> * Update charts/ingress-nginx/values.yaml Co-authored-by: Marco Ebert <marco_ebert@icloud.com> * update formatting of unittests + add README examples * fix affinity labels on default-backend * Apply suggestions from code review Co-authored-by: Marco Ebert <marco_ebert@icloud.com> * remove double quotes on string --------- Co-authored-by: Marco Ebert <marco_ebert@icloud.com>
2024-06-14 09:13:44 +00:00
affinity: {{ tpl (toYaml .Values.controller.affinity) $ | nindent 8 }}
add `topologySpreadConstraint` to controller
2020-09-11 06:55:34 +00:00
{{- end }}
{{- if .Values.controller.topologySpreadConstraints }}
Deployment/DaemonSet: Template `topologySpreadConstraints`. (#10259)
2023-09-10 12:38:10 +00:00
topologySpreadConstraints: {{ tpl (toYaml .Values.controller.topologySpreadConstraints) $ | nindent 8 }}
Start migration of helm chart (#5159)
2020-02-24 19:25:57 +00:00
{{- end }}
Update helm templates to match new chart name
2020-02-28 14:53:24 +00:00
serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }}
Chart: Set `automountServiceAccountToken` in workloads. (#12247) Signed-off-by: Aran Shavit <Aranshavit@gmail.com> Co-authored-by: Marco Ebert <marco_ebert@icloud.com>
2024-10-29 20:55:25 +00:00
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
Start migration of helm chart (#5159)
2020-02-24 19:25:57 +00:00
terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
Images: Remove OpenTelemetry. (#12024)
2024-09-29 15:31:04 +00:00
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules) }}
Start migration of helm chart (#5159)
2020-02-24 19:25:57 +00:00
volumes:
Images: Remove OpenTelemetry. (#12024)
2024-09-29 15:31:04 +00:00
{{- if .Values.controller.extraModules }}
First sidecar module: OpenTelemetry (#8013) * remove opentelemetry from main nginx image * add opentelemetry sidecar image * handle extra modules in helm chart * fix running helm chart * mount the modules volume in the init container * merge the mounted folder * fix the otel image * fix licence year * fix cloudbuild image * use the same nginx version as in the main image * only retrieve /etc/nginx/modules for now
2022-01-16 21:33:28 +00:00
- name: modules
emptyDir: {}
{{- end }}
Cleanup chart code
2020-03-02 14:49:26 +00:00
{{- if .Values.controller.customTemplate.configMapName }}
Start migration of helm chart (#5159)
2020-02-24 19:25:57 +00:00
- name: nginx-template-volume
configMap:
name: {{ .Values.controller.customTemplate.configMapName }}
items:
- key: {{ .Values.controller.customTemplate.configMapKey }}
path: nginx.tmpl
Cleanup chart code
2020-03-02 14:49:26 +00:00
{{- end }}
{{- if .Values.controller.admissionWebhooks.enabled }}
Start migration of helm chart (#5159)
2020-02-24 19:25:57 +00:00
- name: webhook-cert
secret:
Admission Webhook: Truncate name. (#10523)
2023-10-29 17:26:05 +00:00
secretName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
feat(helm): Optionally use cert-manager instead admission patch (#9279)
2022-12-07 12:16:38 +00:00
{{- if .Values.controller.admissionWebhooks.certManager.enabled }}
items:
- key: tls.crt
path: cert
- key: tls.key
path: key
{{- end }}
Cleanup chart code
2020-03-02 14:49:26 +00:00
{{- end }}
{{- if .Values.controller.extraVolumes }}
{{ toYaml .Values.controller.extraVolumes | nindent 8 }}
{{- end }}
{{- end }}
added namespace field in the namespace scoped resource templates of helm chart (#7256) * added namespace field in the namespace scoped resource templates of helm chart * moved namespace field from roleRef to metadata
2021-06-21 11:56:51 +00:00
{{- end }}
Reference in a new issue Copy permalink