DevFW-CICD/ingress-nginx-helm
16
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge remote-tracking branch 'upstream/main' into pie

Browse source 
Changed text as commented in PR
Added client response e2e tests
This commit is contained in:
Christoph Hartmann 2023-11-10 21:43:36 +01:00
commit 0fd5b19c1b
122 changed files with 1171 additions and 1731 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
.github/workflows/ci.yaml vendored
View file

@ -42,7 +42,7 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
id: filter
@ -69,7 +69,7 @@ jobs:
(needs.changes.outputs.go == 'true')
steps:
- name: Checkout
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Set up Go
id: go
@ -90,7 +90,7 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Set up Go
id: go
@ -155,7 +155,7 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Setup Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
@ -230,7 +230,7 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: cache
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
@ -278,7 +278,7 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: cache
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
@ -329,7 +329,7 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: cache
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
@ -372,7 +372,7 @@ jobs:
PLATFORMS: linux/amd64,linux/arm64
steps:
- name: Checkout
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
id: filter-images
@ -409,7 +409,7 @@ jobs:
PLATFORMS: linux/amd64,linux/arm64
steps:
- name: Checkout
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
id: filter-images
@ -481,7 +481,7 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
id: filter-images

4
.github/workflows/depreview.yaml vendored
View file

@ -9,6 +9,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: 'Dependency Review'
uses: actions/dependency-review-action@6c5ccdad469c9f8a2996bfecaec55a631a347034 # v3.1.0
uses: actions/dependency-review-action@9f45b2463b475767b61721ccfef113fef513e6aa # v3.1.1

4
.github/workflows/docs.yaml vendored
View file

@ -23,7 +23,7 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
id: filter
@ -47,7 +47,7 @@ jobs:
steps:
- name: Checkout master
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Deploy
uses: ./.github/actions/mkdocs

2
.github/workflows/golangci-lint.yml vendored
View file

@ -19,7 +19,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Set up Go
id: go

6
.github/workflows/helm.yaml vendored
View file

@ -23,7 +23,7 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Run Artifact Hub lint
run: |
@ -61,7 +61,7 @@ jobs:
steps:
- name: Checkout master
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
# Fetch entire history. Required for chart-releaser; see https://github.com/helm/chart-releaser-action/issues/13#issuecomment-602063896
fetch-depth: 0
@ -73,7 +73,7 @@ jobs:
git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com"
- name: Helm Chart Releaser
uses: helm/chart-releaser-action@be16258da8010256c6e82849661221415f031968 # v1.5.0
uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
env:
CR_SKIP_EXISTING: true
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

2
.github/workflows/junit-reports.yaml vendored
View file

@ -9,7 +9,7 @@ jobs:
report:
runs-on: ubuntu-latest
steps:
- uses: dorny/test-reporter@c9b3d0e2bd2a4e96aaf424dbaa31c46b42318226 # v1.6.0
- uses: dorny/test-reporter@afe6793191b75b608954023a46831a3fe10048d4 # v1.7.0
with:
artifact: /e2e-test-reports-(.*)/
name: JEST Tests $1 # Name of the check run which will be created

2
.github/workflows/perftest.yaml vendored
View file

@ -19,7 +19,7 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Install K6
run: |

2
.github/workflows/plugin.yaml vendored
View file

@ -15,7 +15,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0

4
.github/workflows/scorecards.yml vendored
View file

@ -27,12 +27,12 @@ jobs:
steps:
- name: "Checkout code"
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
persist-credentials: false
- name: "Run analysis"
uses: ossf/scorecard-action@483ef80eb98fb506c348f7d62e28055e49fe2398 # v2.3.0
uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
with:
results_file: results.sarif
results_format: sarif

6
.github/workflows/vulnerability-scans.yaml vendored
View file

@ -22,7 +22,7 @@ jobs:
versions: ${{ steps.version.outputs.TAGS }}
steps:
- name: Checkout code
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
@ -52,7 +52,7 @@ jobs:
versions: ${{ fromJSON(needs.version.outputs.versions) }}
steps:
- name: Checkout code
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- shell: bash
id: test
@ -60,7 +60,7 @@ jobs:
- name: Scan image with AquaSec/Trivy
id: scan
uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # v0.12.0
uses: aquasecurity/trivy-action@f78e9ecf42a1271402d4f484518b9313235990e1 # v0.13.1
with:
image-ref: registry.k8s.io/ingress-nginx/controller:${{ matrix.versions }}
format: 'sarif'

9
README.md
View file

@ -38,16 +38,17 @@ the versions listed. Ingress-Nginx versions **may** work on older versions, but
| Supported | Ingress-NGINX version | k8s supported version | Alpine Version | Nginx Version | Helm Chart Version |
|:--:|-----------------------|------------------------------|----------------|---------------|------------------------------|
| 🔄 | **v1.9.3** | 1.28, 1.27,1.26, 1.25 | 3.18.2 | 1.21.6 | 4.8.* |
| 🔄 | **v1.9.1** | 1.28, 1.27,1.26, 1.25 | 3.18.2 | 1.21.6 | 4.8.* |
| 🔄 | **v1.9.4** | 1.28, 1.27,1.26, 1.25 | 3.18.4 | 1.21.6 | 4.8.3* |
| 🔄 | **v1.9.3** | 1.28, 1.27,1.26, 1.25 | 3.18.4 | 1.21.6 | 4.8.* |
| 🔄 | **v1.9.1** | 1.28, 1.27,1.26, 1.25 | 3.18.4 | 1.21.6 | 4.8.* |
| 🔄 | **v1.9.0** | 1.28, 1.27,1.26, 1.25 | 3.18.2 | 1.21.6 | 4.8.* |
| 🔄 | **v1.8.2** | 1.27,1.26, 1.25, 1.24 | 3.18.2 | 1.21.6 | 4.7.* |
| 🔄 | **v1.8.4** | 1.27,1.26, 1.25, 1.24 | 3.18.2 | 1.21.6 | 4.7.* |
| 🔄 | **v1.8.2** | 1.27,1.26, 1.25, 1.24 | 3.18.2 | 1.21.6 | 4.7.* |
| 🔄 | **v1.8.1** | 1.27,1.26, 1.25, 1.24 | 3.18.2 | 1.21.6 | 4.7.* |
| 🔄 | **v1.8.0** | 1.27,1.26, 1.25, 1.24 | 3.18.0 | 1.21.6 | 4.7.* |
| 🔄 | **v1.7.1** | 1.27,1.26, 1.25, 1.24 | 3.17.2 | 1.21.6 | 4.6.* |
| 🔄 | **v1.7.0** | 1.26, 1.25, 1.24 | 3.17.2 | 1.21.6 | 4.6.* |
| | **v1.6.4** | 1.26, 1.25, 1.24, 1.23 | 3.17.0 | 1.21.6 | 4.5.* |
| | v1.6.4 | 1.26, 1.25, 1.24, 1.23 | 3.17.0 | 1.21.6 | 4.5.* |
| | v1.5.1 | 1.25, 1.24, 1.23 | 3.16.2 | 1.21.6 | 4.4.* |
| | v1.4.0 | 1.25, 1.24, 1.23, 1.22 | 3.16.2 | 1.19.10† | 4.3.0 |
| | v1.3.1 | 1.24, 1.23, 1.22, 1.21, 1.20 | 3.16.2 | 1.19.10† | 4.2.5 |

2
TAG
View file

@ -1 +1 @@
v1.9.3
v1.9.4

13
changelog/Changelog-1.9.4.md Normal file
View file

@ -0,0 +1,13 @@
# Changelog
### 1.9.4
Images:
* registry.k8s.io/ingress-nginx/controller:v1.9.4@sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3
* registry.k8s.io/ingress-nginx/controller-chroot:v1.9.4@sha256:5976b1067cfbca8a21d0ba53d71f83543a73316a61ea7f7e436d6cf84ddf9b26
### All Changes:
* Cherry pick fcgi fix and release v1.9.4 (#10544)
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.9.3...controller-controller-v1.9.4

7
charts/ingress-nginx/Chart.yaml
View file

@ -1,10 +1,9 @@
annotations:
artifacthub.io/changes: |-
- "update nginx base, httpbun, e2e, helm webhook cert gen (#10506)"
- "Update Ingress-Nginx version controller-v1.9.3"
- "Update Ingress-Nginx version controller-v1.9.4"
artifacthub.io/prerelease: "false"
apiVersion: v2
appVersion: 1.9.3
appVersion: 1.9.4
description: Ingress controller for Kubernetes using NGINX as a reverse proxy and
load balancer
home: https://github.com/kubernetes/ingress-nginx
@ -20,4 +19,4 @@ maintainers:
name: ingress-nginx
sources:
- https://github.com/kubernetes/ingress-nginx
version: 4.8.2
version: 4.8.3

42
charts/ingress-nginx/README.md
View file

@ -2,7 +2,7 @@
[ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
![Version: 4.8.2](https://img.shields.io/badge/Version-4.8.2-informational?style=flat-square) ![AppVersion: 1.9.3](https://img.shields.io/badge/AppVersion-1.9.3-informational?style=flat-square)
![Version: 4.8.3](https://img.shields.io/badge/Version-4.8.3-informational?style=flat-square) ![AppVersion: 1.9.4](https://img.shields.io/badge/AppVersion-1.9.4-informational?style=flat-square)
To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
@ -240,14 +240,16 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.admissionWebhooks.certManager.enabled | bool | `false` | |
| controller.admissionWebhooks.certManager.rootCert.duration | string | `""` | |
| controller.admissionWebhooks.certificate | string | `"/usr/local/certificates/cert"` | |
| controller.admissionWebhooks.createSecretJob.name | string | `"create"` | |
| controller.admissionWebhooks.createSecretJob.resources | object | `{}` | |
| controller.admissionWebhooks.createSecretJob.securityContext.allowPrivilegeEscalation | bool | `false` | |
| controller.admissionWebhooks.createSecretJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for secret creation containers |
| controller.admissionWebhooks.enabled | bool | `true` | |
| controller.admissionWebhooks.existingPsp | string | `""` | Use an existing PSP instead of creating one |
| controller.admissionWebhooks.extraEnvs | list | `[]` | Additional environment variables to set |
| controller.admissionWebhooks.failurePolicy | string | `"Fail"` | Admission Webhook failure policy to use |
| controller.admissionWebhooks.key | string | `"/usr/local/certificates/key"` | |
| controller.admissionWebhooks.labels | object | `{}` | Labels to be added to admission webhooks |
| controller.admissionWebhooks.name | string | `"admission"` | |
| controller.admissionWebhooks.namespaceSelector | object | `{}` | |
| controller.admissionWebhooks.objectSelector | object | `{}` | |
| controller.admissionWebhooks.patch.enabled | bool | `true` | |
@ -260,12 +262,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | |
| controller.admissionWebhooks.patch.podAnnotations | object | `{}` | |
| controller.admissionWebhooks.patch.priorityClassName | string | `""` | Provide a priority class name to the webhook patching job # |
| controller.admissionWebhooks.patch.securityContext.fsGroup | int | `2000` | |
| controller.admissionWebhooks.patch.securityContext.runAsNonRoot | bool | `true` | |
| controller.admissionWebhooks.patch.securityContext.runAsUser | int | `2000` | |
| controller.admissionWebhooks.patch.securityContext | object | `{}` | Security context for secret creation & webhook patch pods |
| controller.admissionWebhooks.patch.tolerations | list | `[]` | |
| controller.admissionWebhooks.patchWebhookJob.name | string | `"patch"` | |
| controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` | |
| controller.admissionWebhooks.patchWebhookJob.securityContext.allowPrivilegeEscalation | bool | `false` | |
| controller.admissionWebhooks.patchWebhookJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for webhook patch containers |
| controller.admissionWebhooks.port | int | `8443` | |
| controller.admissionWebhooks.service.annotations | object | `{}` | |
| controller.admissionWebhooks.service.externalIPs | list | `[]` | |
@ -288,6 +289,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.configMapNamespace | string | `""` | Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE) |
| controller.containerName | string | `"controller"` | Configures the controller container name |
| controller.containerPort | object | `{"http":80,"https":443}` | Configures the ports that the nginx-controller listens on |
| controller.containerSecurityContext | object | `{}` | Security context for controller containers |
| controller.customTemplate.configMapKey | string | `""` | |
| controller.customTemplate.configMapName | string | `""` | |
| controller.dnsConfig | object | `{}` | Optionally customize the pod dnsConfig. |
@ -312,15 +314,18 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.hostPort.ports.http | int | `80` | 'hostPort' http port |
| controller.hostPort.ports.https | int | `443` | 'hostPort' https port |
| controller.hostname | object | `{}` | Optionally customize the pod hostname. |
| controller.image.allowPrivilegeEscalation | bool | `true` | |
| controller.image.allowPrivilegeEscalation | bool | `false` | |
| controller.image.chroot | bool | `false` | |
| controller.image.digest | string | `"sha256:8fd21d59428507671ce0fb47f818b1d859c92d2ad07bb7c947268d433030ba98"` | |
| controller.image.digestChroot | string | `"sha256:df4931fd6859fbf1a71e785f02a44b2f9a16f010ae852c442e9bb779cbefdc86"` | |
| controller.image.digest | string | `"sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3"` | |
| controller.image.digestChroot | string | `"sha256:5976b1067cfbca8a21d0ba53d71f83543a73316a61ea7f7e436d6cf84ddf9b26"` | |
| controller.image.image | string | `"ingress-nginx/controller"` | |
| controller.image.pullPolicy | string | `"IfNotPresent"` | |
| controller.image.readOnlyRootFilesystem | bool | `false` | |
| controller.image.registry | string | `"registry.k8s.io"` | |
| controller.image.runAsNonRoot | bool | `true` | |
| controller.image.runAsUser | int | `101` | |
| controller.image.tag | string | `"v1.9.3"` | |
| controller.image.seccompProfile.type | string | `"RuntimeDefault"` | |
| controller.image.tag | string | `"v1.9.4"` | |
| controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation |
| controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). |
| controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass |
@ -376,12 +381,19 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # |
| controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | |
| controller.opentelemetry.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | |
| controller.opentelemetry.containerSecurityContext.readOnlyRootFilesystem | bool | `true` | |
| controller.opentelemetry.containerSecurityContext.runAsNonRoot | bool | `true` | |
| controller.opentelemetry.containerSecurityContext.runAsUser | int | `65532` | The image's default user, inherited from its base image `cgr.dev/chainguard/static`. |
| controller.opentelemetry.containerSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| controller.opentelemetry.distroless | bool | `true` | |
| controller.opentelemetry.enabled | bool | `false` | |
| controller.opentelemetry.image | string | `"registry.k8s.io/ingress-nginx/opentelemetry:v20230721-3e2062ee5@sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472"` | |
| controller.opentelemetry.name | string | `"opentelemetry"` | |
| controller.opentelemetry.resources | object | `{}` | |
| controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # |
| controller.podLabels | object | `{}` | Labels to add to the pod container metadata |
| controller.podSecurityContext | object | `{}` | Security Context policies for controller pods |
| controller.podSecurityContext | object | `{}` | Security context for controller pods |
| controller.priorityClassName | string | `""` | |
| controller.proxySetHeaders | object | `{}` | Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers |
| controller.publishService | object | `{"enabled":true,"pathOverride":""}` | Allows customization of the source of the IP address or FQDN to report in the ingress status field. By default, it reads the information provided by the service. If disable, the status field reports the IP address of the node or nodes where an ingress controller pod is running. |
@ -431,7 +443,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| controller.service.targetPorts.https | string | `"https"` | |
| controller.service.type | string | `"LoadBalancer"` | |
| controller.shareProcessNamespace | bool | `false` | |
| controller.sysctls | object | `{}` | See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls |
| controller.sysctls | object | `{}` | sysctls for controller pods # Ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ |
| controller.tcp.annotations | object | `{}` | Annotations to be added to the tcp config configmap |
| controller.tcp.configMapNamespace | string | `""` | Allows customization of the tcp-services-configmap; defaults to $(POD_NAMESPACE) |
| controller.terminationGracePeriodSeconds | int | `300` | `terminationGracePeriodSeconds` to avoid killing pods before we are ready # wait up to five minutes for the drain of connections # |
@ -448,7 +460,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| defaultBackend.autoscaling.minReplicas | int | `1` | |
| defaultBackend.autoscaling.targetCPUUtilizationPercentage | int | `50` | |
| defaultBackend.autoscaling.targetMemoryUtilizationPercentage | int | `50` | |
| defaultBackend.containerSecurityContext | object | `{}` | Security Context policies for controller main container. See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls # |
| defaultBackend.containerSecurityContext | object | `{}` | Security context for default backend containers |
| defaultBackend.enabled | bool | `false` | |
| defaultBackend.existingPsp | string | `""` | Use an existing PSP instead of creating one |
| defaultBackend.extraArgs | object | `{}` | |
@ -462,6 +474,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| defaultBackend.image.registry | string | `"registry.k8s.io"` | |
| defaultBackend.image.runAsNonRoot | bool | `true` | |
| defaultBackend.image.runAsUser | int | `65534` | |
| defaultBackend.image.seccompProfile.type | string | `"RuntimeDefault"` | |
| defaultBackend.image.tag | string | `"1.5"` | |
| defaultBackend.labels | object | `{}` | Labels to be added to the default backend resources |
| defaultBackend.livenessProbe.failureThreshold | int | `3` | |
@ -476,7 +489,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # |
| defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods # |
| defaultBackend.podLabels | object | `{}` | Labels to add to the pod container metadata |
| defaultBackend.podSecurityContext | object | `{}` | Security Context policies for controller pods See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls # |
| defaultBackend.podSecurityContext | object | `{}` | Security context for default backend pods |
| defaultBackend.port | int | `8080` | |
| defaultBackend.priorityClassName | string | `""` | |
| defaultBackend.readinessProbe.failureThreshold | int | `6` | |
@ -498,6 +511,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
| defaultBackend.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # |
| dhParam | string | `""` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param |
| imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ |
| namespaceOverride | string | `""` | Override the deployment namespace; defaults to .Release.Namespace |
| podSecurityPolicy.enabled | bool | `false` | |
| portNamePrefix | string | `""` | Prefix for TCP and UDP ports names in ingress controller service # Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration |
| rbac.create | bool | `true` | |

8
charts/ingress-nginx/changelog/Changelog-4.8.3.md Normal file
View file

@ -0,0 +1,8 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### 4.8.3
* Update Ingress-Nginx version controller-v1.9.4
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.8.2...helm-chart-4.8.3

18
charts/ingress-nginx/templates/NOTES.txt
View file

@ -6,24 +6,24 @@ Get the application URL by running these commands:
{{- if (not (empty .Values.controller.service.nodePorts.http)) }}
export HTTP_NODE_PORT={{ .Values.controller.service.nodePorts.http }}
{{- else }}
export HTTP_NODE_PORT=$(kubectl --namespace {{ .Release.Namespace }} get services -o jsonpath="{.spec.ports[0].nodePort}" {{ include "ingress-nginx.controller.fullname" . }})
export HTTP_NODE_PORT=$(kubectl get service --namespace {{ include "ingress-nginx.namespace" . }} {{ include "ingress-nginx.controller.fullname" . }} --output jsonpath="{.spec.ports[0].nodePort}")
{{- end }}
{{- if (not (empty .Values.controller.service.nodePorts.https)) }}
export HTTPS_NODE_PORT={{ .Values.controller.service.nodePorts.https }}
{{- else }}
export HTTPS_NODE_PORT=$(kubectl --namespace {{ .Release.Namespace }} get services -o jsonpath="{.spec.ports[1].nodePort}" {{ include "ingress-nginx.controller.fullname" . }})
export HTTPS_NODE_PORT=$(kubectl get service --namespace {{ include "ingress-nginx.namespace" . }} {{ include "ingress-nginx.controller.fullname" . }} --output jsonpath="{.spec.ports[1].nodePort}")
{{- end }}
export NODE_IP=$(kubectl --namespace {{ .Release.Namespace }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}")
export NODE_IP="$(kubectl get nodes --output jsonpath="{.items[0].status.addresses[1].address}")"
echo "Visit http://$NODE_IP:$HTTP_NODE_PORT to access your application via HTTP."
echo "Visit https://$NODE_IP:$HTTPS_NODE_PORT to access your application via HTTPS."
echo "Visit http://${NODE_IP}:${HTTP_NODE_PORT} to access your application via HTTP."
echo "Visit https://${NODE_IP}:${HTTPS_NODE_PORT} to access your application via HTTPS."
{{- else if contains "LoadBalancer" .Values.controller.service.type }}
It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status by running 'kubectl --namespace {{ .Release.Namespace }} get services -o wide -w {{ include "ingress-nginx.controller.fullname" . }}'
It may take a few minutes for the load balancer IP to be available.
You can watch the status by running 'kubectl get service --namespace {{ include "ingress-nginx.namespace" . }} {{ include "ingress-nginx.controller.fullname" . }} --output wide --watch'
{{- else if contains "ClusterIP" .Values.controller.service.type }}
Get the application URL by running these commands:
export POD_NAME=$(kubectl --namespace {{ .Release.Namespace }} get pods -o jsonpath="{.items[0].metadata.name}" -l "app={{ template "ingress-nginx.name" . }},component={{ .Values.controller.name }},release={{ .Release.Name }}")
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80
export POD_NAME="$(kubectl get pods --namespace {{ include "ingress-nginx.namespace" . }} --selector app.kubernetes.io/name={{ include "ingress-nginx.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=controller --output jsonpath="{.items[0].metadata.name}")"
kubectl port-forward --namespace {{ include "ingress-nginx.namespace" . }} "${POD_NAME}" 8080:80
echo "Visit http://127.0.0.1:8080 to access your application."
{{- end }}

103
charts/ingress-nginx/templates/_helpers.tpl
View file

@ -30,25 +30,40 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
{{- end -}}
{{- end -}}
{{/*
Expand the namespace of the release.
Allows overriding it for multi-namespace deployments in combined charts.
*/}}
{{- define "ingress-nginx.namespace" -}}
{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Container SecurityContext.
Controller container security context.
*/}}
{{- define "controller.containerSecurityContext" -}}
{{- define "ingress-nginx.controller.containerSecurityContext" -}}
{{- if .Values.controller.containerSecurityContext -}}
{{- toYaml .Values.controller.containerSecurityContext -}}
{{- else -}}
runAsNonRoot: {{ .Values.controller.image.runAsNonRoot }}
runAsUser: {{ .Values.controller.image.runAsUser }}
allowPrivilegeEscalation: {{ or .Values.controller.image.allowPrivilegeEscalation .Values.controller.image.chroot }}
{{- if .Values.controller.image.seccompProfile }}
seccompProfile: {{ toYaml .Values.controller.image.seccompProfile | nindent 2 }}
{{- end }}
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
{{- if .Values.controller.image.chroot }}
{{- if .Values.controller.image.seccompProfile }}
- SYS_ADMIN
{{- end }}
- SYS_CHROOT
{{- end }}
runAsUser: {{ .Values.controller.image.runAsUser }}
allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }}
{{- end }}
readOnlyRootFilesystem: {{ .Values.controller.image.readOnlyRootFilesystem }}
{{- end -}}
{{- end -}}
{{/*
@ -102,7 +117,6 @@ By convention this will simply use the <namespace>/<controller-name> to match th
service generated.
Users can provide an override for an explicit service they want bound via `.Values.controller.publishService.pathOverride`
*/}}
{{- define "ingress-nginx.controller.publishServicePath" -}}
{{- $defServiceName := printf "%s/%s" "$(POD_NAMESPACE)" (include "ingress-nginx.controller.fullname" .) -}}
@ -110,14 +124,6 @@ Users can provide an override for an explicit service they want bound via `.Valu
{{- print $servicePath | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified default backend name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "ingress-nginx.defaultBackend.fullname" -}}
{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
@ -153,6 +159,38 @@ Create the name of the controller service account to use
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified admission webhook name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "ingress-nginx.admissionWebhooks.fullname" -}}
{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.controller.admissionWebhooks.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified admission webhook secret creation job name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "ingress-nginx.admissionWebhooks.createSecretJob.fullname" -}}
{{- printf "%s-%s" (include "ingress-nginx.admissionWebhooks.fullname" .) .Values.controller.admissionWebhooks.createSecretJob.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified admission webhook patch job name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "ingress-nginx.admissionWebhooks.patchWebhookJob.fullname" -}}
{{- printf "%s-%s" (include "ingress-nginx.admissionWebhooks.fullname" .) .Values.controller.admissionWebhooks.patchWebhookJob.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified default backend name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "ingress-nginx.defaultBackend.fullname" -}}
{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled
*/}}
@ -164,6 +202,26 @@ Create the name of the backend service account to use - only used when podsecuri
{{- end -}}
{{- end -}}
{{/*
Default backend container security context.
*/}}
{{- define "ingress-nginx.defaultBackend.containerSecurityContext" -}}
{{- if .Values.defaultBackend.containerSecurityContext -}}
{{- toYaml .Values.defaultBackend.containerSecurityContext -}}
{{- else -}}
runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }}
runAsUser: {{ .Values.defaultBackend.image.runAsUser }}
allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }}
{{- if .Values.defaultBackend.image.seccompProfile }}
seccompProfile: {{ toYaml .Values.defaultBackend.image.seccompProfile | nindent 2 }}
{{- end }}
capabilities:
drop:
- ALL
readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem }}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiGroup for PodSecurityPolicy.
*/}}
@ -200,18 +258,21 @@ Extra modules.
{{- define "extraModules" -}}
- name: {{ .name }}
image: {{ .image }}
{{- if .distroless | default false }}
command: ['/init_module']
command:
{{- if .distroless }}
- /init_module
{{- else }}
command: ['sh', '-c', '/usr/local/bin/init_module.sh']
- sh
- -c
- /usr/local/bin/init_module.sh
{{- end }}
{{- if .containerSecurityContext }}
securityContext: {{ .containerSecurityContext | toYaml | nindent 4 }}
securityContext: {{ toYaml .containerSecurityContext | nindent 4 }}
{{- end }}
{{- if .resources }}
resources: {{ .resources | toYaml | nindent 4 }}
resources: {{ toYaml .resources | nindent 4 }}
{{- end }}
volumeMounts:
- name: {{ toYaml "modules"}}
mountPath: {{ toYaml "/modules_mount"}}
- name: modules
mountPath: /modules_mount
{{- end -}}

16
charts/ingress-nginx/templates/admission-webhooks/cert-manager.yaml
View file

@ -6,7 +6,7 @@ apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ include "ingress-nginx.fullname" . }}-self-signed-issuer
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
selfSigned: {}
---
@ -15,7 +15,7 @@ apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ include "ingress-nginx.fullname" . }}-root-cert
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
secretName: {{ include "ingress-nginx.fullname" . }}-root-cert
duration: {{ .Values.controller.admissionWebhooks.certManager.rootCert.duration | default "43800h0m0s" | quote }}
@ -32,7 +32,7 @@ apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ include "ingress-nginx.fullname" . }}-root-issuer
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
ca:
secretName: {{ include "ingress-nginx.fullname" . }}-root-cert
@ -42,10 +42,10 @@ spec:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission
namespace: {{ .Release.Namespace }}
name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
secretName: {{ include "ingress-nginx.fullname" . }}-admission
secretName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
duration: {{ .Values.controller.admissionWebhooks.certManager.admissionCert.duration | default "8760h0m0s" | quote }}
issuerRef:
{{- if .Values.controller.admissionWebhooks.certManager.issuerRef }}
@ -55,8 +55,8 @@ spec:
{{- end }}
dnsNames:
- {{ include "ingress-nginx.controller.fullname" . }}-admission
- {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ .Release.Namespace }}
- {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ .Release.Namespace }}.svc
- {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ include "ingress-nginx.namespace" . }}
- {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ include "ingress-nginx.namespace" . }}.svc
subject:
organizations:
- ingress-nginx-admission

9
charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
View file

@ -2,7 +2,7 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission
name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
@ -21,14 +21,13 @@ rules:
- get
- update
{{- if .Values.podSecurityPolicy.enabled }}
- apiGroups: ['extensions']
- apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}]
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
{{- with .Values.controller.admissionWebhooks.existingPsp }}
- {{ . }}
resourceNames: [{{ . }}]
{{- else }}
- {{ include "ingress-nginx.fullname" . }}-admission
resourceNames: [{{ include "ingress-nginx.admissionWebhooks.fullname" . }}]
{{- end }}
{{- end }}
{{- end }}

8
charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
View file

@ -2,7 +2,7 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission
name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
@ -15,9 +15,9 @@ metadata:
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "ingress-nginx.fullname" . }}-admission
name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "ingress-nginx.fullname" . }}-admission
namespace: {{ .Release.Namespace | quote }}
name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
namespace: {{ include "ingress-nginx.namespace" . }}
{{- end }}

13
charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
View file

@ -2,8 +2,8 @@
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission-create
namespace: {{ .Release.Namespace }}
name: {{ include "ingress-nginx.admissionWebhooks.createSecretJob.fullname" . }}
namespace: {{ include "ingress-nginx.namespace" . }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
@ -23,7 +23,7 @@ spec:
{{- end }}
template:
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission-create
name: {{ include "ingress-nginx.admissionWebhooks.createSecretJob.fullname" . }}
{{- if .Values.controller.admissionWebhooks.patch.podAnnotations }}
annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations | nindent 8 }}
{{- end }}
@ -50,7 +50,7 @@ spec:
- create
- --host={{ include "ingress-nginx.controller.fullname" . }}-admission,{{ include "ingress-nginx.controller.fullname" . }}-admission.$(POD_NAMESPACE).svc
- --namespace=$(POD_NAMESPACE)
- --secret-name={{ include "ingress-nginx.fullname" . }}-admission
- --secret-name={{ include "ingress-nginx.admissionWebhooks.fullname" . }}
env:
- name: POD_NAMESPACE
valueFrom:
@ -66,7 +66,7 @@ spec:
resources: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.resources | nindent 12 }}
{{- end }}
restartPolicy: OnFailure
serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission
serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
{{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
{{- end }}
@ -74,7 +74,6 @@ spec:
tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }}
{{- end }}
{{- if .Values.controller.admissionWebhooks.patch.securityContext }}
securityContext:
{{- toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }}
securityContext: {{ toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }}
{{- end }}
{{- end }}

15
charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
View file

@ -2,8 +2,8 @@
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission-patch
namespace: {{ .Release.Namespace }}
name: {{ include "ingress-nginx.admissionWebhooks.patchWebhookJob.fullname" . }}
namespace: {{ include "ingress-nginx.namespace" . }}
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
@ -23,7 +23,7 @@ spec:
{{- end }}
template:
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission-patch
name: {{ include "ingress-nginx.admissionWebhooks.patchWebhookJob.fullname" . }}
{{- if .Values.controller.admissionWebhooks.patch.podAnnotations }}
annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations | nindent 8 }}
{{- end }}
@ -48,10 +48,10 @@ spec:
imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
args:
- patch
- --webhook-name={{ include "ingress-nginx.fullname" . }}-admission
- --webhook-name={{ include "ingress-nginx.admissionWebhooks.fullname" . }}
- --namespace=$(POD_NAMESPACE)
- --patch-mutating=false
- --secret-name={{ include "ingress-nginx.fullname" . }}-admission
- --secret-name={{ include "ingress-nginx.admissionWebhooks.fullname" . }}
- --patch-failure-policy={{ .Values.controller.admissionWebhooks.failurePolicy }}
env:
- name: POD_NAMESPACE
@ -68,7 +68,7 @@ spec:
resources: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.resources | nindent 12 }}
{{- end }}
restartPolicy: OnFailure
serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission
serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
{{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
{{- end }}
@ -76,7 +76,6 @@ spec:
tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }}
{{- end }}
{{- if .Values.controller.admissionWebhooks.patch.securityContext }}
securityContext:
{{- toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }}
securityContext: {{ toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }}
{{- end }}
{{- end }}

4
charts/ingress-nginx/templates/admission-webhooks/job-patch/networkpolicy.yaml
View file

@ -2,8 +2,8 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission
namespace: {{ .Release.Namespace }}
name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
namespace: {{ include "ingress-nginx.namespace" . }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded

55
charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml
View file

@ -1,12 +1,13 @@
{{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }}
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.podSecurityPolicy.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}}
{{- if and .Values.podSecurityPolicy.enabled .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission
name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: admission-webhook
@ -14,28 +15,38 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
allowPrivilegeEscalation: false
fsGroup:
ranges:
- max: 65535
min: 1
rule: MustRunAs
requiredDropCapabilities:
- ALL
runAsUser:
rule: MustRunAsNonRoot
seLinux:
rule: RunAsAny
supplementalGroups:
ranges:
- max: 65535
min: 1
rule: MustRunAs
privileged: false
hostPID: false
hostIPC: false
hostNetwork: false
volumes:
- configMap
- emptyDir
- projected
- secret
- downwardAPI
- emptyDir
- secret
- projected
fsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: true
runAsUser:
rule: MustRunAsNonRoot
runAsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
supplementalGroups:
rule: MustRunAs
ranges:
- min: 1
max: 65535
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
seLinux:
rule: RunAsAny
{{- end }}
{{- end }}

4
charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
View file

@ -2,8 +2,8 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission
namespace: {{ .Release.Namespace }}
name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
namespace: {{ include "ingress-nginx.namespace" . }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded

10
charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
View file

@ -2,8 +2,8 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission
namespace: {{ .Release.Namespace }}
name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
namespace: {{ include "ingress-nginx.namespace" . }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
@ -16,9 +16,9 @@ metadata:
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "ingress-nginx.fullname" . }}-admission
name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "ingress-nginx.fullname" . }}-admission
namespace: {{ .Release.Namespace | quote }}
name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
namespace: {{ include "ingress-nginx.namespace" . }}
{{- end }}

4
charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
View file

@ -2,8 +2,8 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission
namespace: {{ .Release.Namespace }}
name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
namespace: {{ include "ingress-nginx.namespace" . }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded

8
charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
View file

@ -6,8 +6,8 @@ kind: ValidatingWebhookConfiguration
metadata:
annotations:
{{- if .Values.controller.admissionWebhooks.certManager.enabled }}
certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s-admission" .Release.Namespace (include "ingress-nginx.fullname" .) | quote }}
cert-manager.io/inject-ca-from: {{ printf "%s/%s-admission" .Release.Namespace (include "ingress-nginx.fullname" .) | quote }}
certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s" (include "ingress-nginx.namespace" .) (include "ingress-nginx.admissionWebhooks.fullname" .) | quote }}
cert-manager.io/inject-ca-from: {{ printf "%s/%s" (include "ingress-nginx.namespace" .) (include "ingress-nginx.admissionWebhooks.fullname" .) | quote }}
{{- end }}
{{- if .Values.controller.admissionWebhooks.annotations }}
{{- toYaml .Values.controller.admissionWebhooks.annotations | nindent 4 }}
@ -18,7 +18,7 @@ metadata:
{{- with .Values.controller.admissionWebhooks.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.fullname" . }}-admission
name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
webhooks:
- name: validate.nginx.ingress.kubernetes.io
matchPolicy: Equivalent
@ -38,8 +38,8 @@ webhooks:
- v1
clientConfig:
service:
namespace: {{ .Release.Namespace | quote }}
name: {{ include "ingress-nginx.controller.fullname" . }}-admission
namespace: {{ include "ingress-nginx.namespace" . }}
path: /networking/v1/ingresses
{{- if .Values.controller.admissionWebhooks.timeoutSeconds }}
timeoutSeconds: {{ .Values.controller.admissionWebhooks.timeoutSeconds }}

2
charts/ingress-nginx/templates/clusterrolebinding.yaml
View file

@ -15,5 +15,5 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ template "ingress-nginx.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "ingress-nginx.namespace" . }}
{{- end }}

2
charts/ingress-nginx/templates/controller-configmap-addheaders.yaml
View file

@ -9,6 +9,6 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.fullname" . }}-custom-add-headers
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
data: {{ toYaml .Values.controller.addHeaders | nindent 2 }}
{{- end }}

2
charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml
View file

@ -9,6 +9,6 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.fullname" . }}-custom-proxy-headers
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
data: {{ toYaml .Values.controller.proxySetHeaders | nindent 2 }}
{{- end }}

2
charts/ingress-nginx/templates/controller-configmap-tcp.yaml
View file

@ -12,6 +12,6 @@ metadata:
annotations: {{ toYaml .Values.controller.tcp.annotations | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.fullname" . }}-tcp
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
data: {{ tpl (toYaml .Values.tcp) . | nindent 2 }}
{{- end }}

2
charts/ingress-nginx/templates/controller-configmap-udp.yaml
View file

@ -12,6 +12,6 @@ metadata:
annotations: {{ toYaml .Values.controller.udp.annotations | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.fullname" . }}-udp
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
data: {{ tpl (toYaml .Values.udp) . | nindent 2 }}
{{- end }}

8
charts/ingress-nginx/templates/controller-configmap.yaml
View file

@ -11,17 +11,17 @@ metadata:
annotations: {{ toYaml .Values.controller.configAnnotations | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
data:
allow-snippet-annotations: "{{ .Values.controller.allowSnippetAnnotations }}"
{{- if .Values.controller.addHeaders }}
add-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers
add-headers: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers
{{- end }}
{{- if .Values.controller.proxySetHeaders }}
proxy-set-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-proxy-headers
proxy-set-headers: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.fullname" . }}-custom-proxy-headers
{{- end }}
{{- if .Values.dhParam }}
ssl-dh-param: {{ .Release.Namespace }}/{{ include "ingress-nginx.controller.fullname" . }}
ssl-dh-param: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.controller.fullname" . }}
{{- end }}
{{- range $key, $value := .Values.controller.config }}
{{- $key | nindent 2 }}: {{ $value | quote }}

34
charts/ingress-nginx/templates/controller-daemonset.yaml
View file

@ -10,7 +10,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
{{- if .Values.controller.annotations }}
annotations: {{ toYaml .Values.controller.annotations | nindent 4 }}
{{- end }}
@ -60,7 +60,6 @@ spec:
{{- end }}
{{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }}
securityContext:
{{- end }}
{{- if .Values.controller.podSecurityContext }}
{{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
{{- end }}
@ -71,6 +70,7 @@ spec:
value: {{ $value | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.controller.shareProcessNamespace }}
shareProcessNamespace: {{ .Values.controller.shareProcessNamespace }}
{{- end }}
@ -83,9 +83,8 @@ spec:
{{- if .Values.controller.lifecycle }}
lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }}
{{- end }}
args:
{{- include "ingress-nginx.params" . | nindent 12 }}
securityContext: {{ include "controller.containerSecurityContext" . | nindent 12 }}
args: {{ include "ingress-nginx.params" . | nindent 12 }}
securityContext: {{ include "ingress-nginx.controller.containerSecurityContext" . | nindent 12 }}
env:
- name: POD_NAME
valueFrom:
@ -150,11 +149,11 @@ spec:
volumeMounts:
{{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
- name: modules
{{ if .Values.controller.image.chroot }}
{{- if .Values.controller.image.chroot }}
mountPath: /chroot/modules_mount
{{ else }}
{{- else }}
mountPath: /modules_mount
{{ end }}
{{- end }}
{{- end }}
{{- if .Values.controller.customTemplate.configMapName }}
- mountPath: /etc/nginx/template
@ -174,24 +173,25 @@ spec:
resources: {{ toYaml .Values.controller.resources | nindent 12 }}
{{- end }}
{{- if .Values.controller.extraContainers }}
{{ toYaml .Values.controller.extraContainers | nindent 8 }}
{{- toYaml .Values.controller.extraContainers | nindent 8 }}
{{- end }}
{{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
initContainers:
{{- if .Values.controller.extraInitContainers }}
{{ toYaml .Values.controller.extraInitContainers | nindent 8 }}
{{- toYaml .Values.controller.extraInitContainers | nindent 8 }}
{{- end }}
{{- if .Values.controller.extraModules }}
{{- range .Values.controller.extraModules }}
{{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | nindent 8 }}
{{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.controller.opentelemetry.enabled }}
{{- with .Values.controller.opentelemetry }}
{{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.controller.opentelemetry.enabled}}
{{- $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{ $otelResources := $.Values.controller.opentelemetry.resources | default dict }}
{{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext "distroless" true "resources" $otelResources) | nindent 8}}
{{- end}}
{{- end }}
{{- if .Values.controller.hostNetwork }}
hostNetwork: {{ .Values.controller.hostNetwork }}
@ -227,7 +227,7 @@ spec:
{{- if .Values.controller.admissionWebhooks.enabled }}
- name: webhook-cert
secret:
secretName: {{ include "ingress-nginx.fullname" . }}-admission
secretName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
{{- if .Values.controller.admissionWebhooks.certManager.enabled }}
items:
- key: tls.crt

34
charts/ingress-nginx/templates/controller-deployment.yaml
View file

@ -10,7 +10,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
{{- if .Values.controller.annotations }}
annotations: {{ toYaml .Values.controller.annotations | nindent 4 }}
{{- end }}
@ -63,7 +63,6 @@ spec:
{{- end }}
{{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }}
securityContext:
{{- end }}
{{- if .Values.controller.podSecurityContext }}
{{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
{{- end }}
@ -74,6 +73,7 @@ spec:
value: {{ $value | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.controller.shareProcessNamespace }}
shareProcessNamespace: {{ .Values.controller.shareProcessNamespace }}
{{- end }}
@ -86,9 +86,8 @@ spec:
{{- if .Values.controller.lifecycle }}
lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }}
{{- end }}
args:
{{- include "ingress-nginx.params" . | nindent 12 }}
securityContext: {{ include "controller.containerSecurityContext" . | nindent 12 }}
args: {{ include "ingress-nginx.params" . | nindent 12 }}
securityContext: {{ include "ingress-nginx.controller.containerSecurityContext" . | nindent 12 }}
env:
- name: POD_NAME
valueFrom:
@ -153,11 +152,11 @@ spec:
volumeMounts:
{{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
- name: modules
{{ if .Values.controller.image.chroot }}
{{- if .Values.controller.image.chroot }}
mountPath: /chroot/modules_mount
{{ else }}
{{- else }}
mountPath: /modules_mount
{{ end }}
{{- end }}
{{- end }}
{{- if .Values.controller.customTemplate.configMapName }}
- mountPath: /etc/nginx/template
@ -177,24 +176,25 @@ spec:
resources: {{ toYaml .Values.controller.resources | nindent 12 }}
{{- end }}
{{- if .Values.controller.extraContainers }}
{{ toYaml .Values.controller.extraContainers | nindent 8 }}
{{- toYaml .Values.controller.extraContainers | nindent 8 }}
{{- end }}
{{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }}
initContainers:
{{- if .Values.controller.extraInitContainers }}
{{ toYaml .Values.controller.extraInitContainers | nindent 8 }}
{{- toYaml .Values.controller.extraInitContainers | nindent 8 }}
{{- end }}
{{- if .Values.controller.extraModules }}
{{- range .Values.controller.extraModules }}
{{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | nindent 8 }}
{{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.controller.opentelemetry.enabled }}
{{- with .Values.controller.opentelemetry }}
{{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{- include "extraModules" (dict "name" .name "image" .image "distroless" .distroless "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.controller.opentelemetry.enabled}}
{{- $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }}
{{ $otelResources := $.Values.controller.opentelemetry.resources | default dict }}
{{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext "distroless" true "resources" $otelResources) | nindent 8}}
{{- end}}
{{- end }}
{{- if .Values.controller.hostNetwork }}
hostNetwork: {{ .Values.controller.hostNetwork }}
@ -230,7 +230,7 @@ spec:
{{- if .Values.controller.admissionWebhooks.enabled }}
- name: webhook-cert
secret:
secretName: {{ include "ingress-nginx.fullname" . }}-admission
secretName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }}
{{- if .Values.controller.admissionWebhooks.certManager.enabled }}
items:
- key: tls.crt

2
charts/ingress-nginx/templates/controller-hpa.yaml
View file

@ -12,7 +12,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
scaleTargetRef:
apiVersion: apps/v1

3
charts/ingress-nginx/templates/controller-keda.yaml
View file

@ -1,6 +1,4 @@
{{- if and .Values.controller.keda.enabled (eq .Values.controller.kind "Deployment") -}}
# https://keda.sh/docs/
apiVersion: {{ .Values.controller.keda.apiVersion }}
kind: ScaledObject
metadata:
@ -11,6 +9,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}
namespace: {{ include "ingress-nginx.namespace" . }}
{{- if .Values.controller.keda.scaledObject.annotations }}
annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }}
{{- end }}

2
charts/ingress-nginx/templates/controller-networkpolicy.yaml
View file

@ -9,7 +9,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
podSelector:
matchLabels:

2
charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml
View file

@ -9,7 +9,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
{{- if .Values.controller.annotations }}
annotations: {{ toYaml .Values.controller.annotations | nindent 4 }}
{{- end }}

4
charts/ingress-nginx/templates/controller-prometheusrules.yaml
View file

@ -4,7 +4,9 @@ kind: PrometheusRule
metadata:
name: {{ include "ingress-nginx.controller.fullname" . }}
{{- if .Values.controller.metrics.prometheusRule.namespace }}
namespace: {{ .Values.controller.metrics.prometheusRule.namespace | quote }}
namespace: {{ .Values.controller.metrics.prometheusRule.namespace }}
{{- else }}
namespace: {{ include "ingress-nginx.namespace" . }}
{{- end }}
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}

142
charts/ingress-nginx/templates/controller-psp.yaml
View file

@ -4,6 +4,8 @@ apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "ingress-nginx.fullname" . }}
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: controller
@ -11,84 +13,88 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
privileged: false
hostPID: false
hostIPC: false
hostNetwork: {{ .Values.controller.hostNetwork }}
{{- if or .Values.controller.hostNetwork .Values.controller.hostPort.enabled }}
hostPorts:
{{- if .Values.controller.hostNetwork }}
{{- range $key, $value := .Values.controller.containerPort }}
# controller.containerPort.{{ $key }}
- min: {{ $value }}
max: {{ $value }}
{{- end }}
{{- else if .Values.controller.hostPort.enabled }}
{{- range $key, $value := .Values.controller.hostPort.ports }}
# controller.hostPort.ports.{{ $key }}
- min: {{ $value }}
max: {{ $value }}
{{- end }}
{{- end }}
{{- if .Values.controller.metrics.enabled }}
# controller.metrics.port
- min: {{ .Values.controller.metrics.port }}
max: {{ .Values.controller.metrics.port }}
{{- end }}
{{- if .Values.controller.admissionWebhooks.enabled }}
# controller.admissionWebhooks.port
- min: {{ .Values.controller.admissionWebhooks.port }}
max: {{ .Values.controller.admissionWebhooks.port }}
{{- end }}
{{- range $key, $value := .Values.tcp }}
# tcp.{{ $key }}
- min: {{ $key }}
max: {{ $key }}
{{- end }}
{{- range $key, $value := .Values.udp }}
# udp.{{ $key }}
- min: {{ $key }}
max: {{ $key }}
{{- end }}
{{- end }}
volumes:
- configMap
- downwardAPI
- emptyDir
- secret
- projected
fsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: false
runAsUser:
rule: MustRunAsNonRoot
runAsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
supplementalGroups:
rule: MustRunAs
ranges:
- min: 1
max: 65535
allowPrivilegeEscalation: {{ or .Values.controller.image.allowPrivilegeEscalation .Values.controller.image.chroot }}
requiredDropCapabilities:
- ALL
allowedCapabilities:
- NET_BIND_SERVICE
{{- if .Values.controller.image.chroot }}
{{- if .Values.controller.image.seccompProfile }}
- SYS_ADMIN
{{- end }}
- SYS_CHROOT
{{- end }}
seLinux:
rule: RunAsAny
{{- if .Values.controller.sysctls }}
allowedUnsafeSysctls:
{{- range $sysctl, $value := .Values.controller.sysctls }}
- {{ $sysctl }}
{{- end }}
{{- end }}
privileged: false
allowPrivilegeEscalation: true
# Allow core volume types.
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
{{- if .Values.controller.hostNetwork }}
hostNetwork: {{ .Values.controller.hostNetwork }}
{{- end }}
{{- if or .Values.controller.hostNetwork .Values.controller.hostPort.enabled }}
hostPorts:
{{- if .Values.controller.hostNetwork }}
{{- range $key, $value := .Values.controller.containerPort }}
# {{ $key }}
- min: {{ $value }}
max: {{ $value }}
{{- end }}
{{- else if .Values.controller.hostPort.enabled }}
{{- range $key, $value := .Values.controller.hostPort.ports }}
# {{ $key }}
- min: {{ $value }}
max: {{ $value }}
{{- end }}
{{- end }}
{{- if .Values.controller.metrics.enabled }}
# metrics
- min: {{ .Values.controller.metrics.port }}
max: {{ .Values.controller.metrics.port }}
{{- end }}
{{- if .Values.controller.admissionWebhooks.enabled }}
# admission webhooks
- min: {{ .Values.controller.admissionWebhooks.port }}
max: {{ .Values.controller.admissionWebhooks.port }}
{{- end }}
{{- range $key, $value := .Values.tcp }}
# {{ $key }}-tcp
- min: {{ $key }}
max: {{ $key }}
{{- end }}
{{- range $key, $value := .Values.udp }}
# {{ $key }}-udp
- min: {{ $key }}
max: {{ $key }}
{{- end }}
{{- end }}
hostIPC: false
hostPID: false
runAsUser:
# Require the container to run without root privileges.
rule: 'MustRunAsNonRoot'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false
seLinux:
rule: 'RunAsAny'
{{- end }}
{{- end }}

2
charts/ingress-nginx/templates/controller-role.yaml
View file

@ -9,7 +9,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
rules:
- apiGroups:
- ""

4
charts/ingress-nginx/templates/controller-rolebinding.yaml
View file

@ -9,7 +9,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@ -17,5 +17,5 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ template "ingress-nginx.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "ingress-nginx.namespace" . }}
{{- end }}

2
charts/ingress-nginx/templates/controller-secret.yaml
View file

@ -9,7 +9,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
data:
dhparam.pem: {{ .Values.dhParam }}
{{- end }}

5
charts/ingress-nginx/templates/controller-service-internal.yaml
View file

@ -13,9 +13,12 @@ metadata:
{{- toYaml .Values.controller.service.labels | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}-internal
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
type: "{{ .Values.controller.service.type }}"
{{- if hasKey .Values.controller.service.internal "allocateLoadBalancerNodePorts" }}
allocateLoadBalancerNodePorts: {{ .Values.controller.service.internal.allocateLoadBalancerNodePorts }}
{{- end }}
{{- if .Values.controller.service.internal.loadBalancerIP }}
loadBalancerIP: {{ .Values.controller.service.internal.loadBalancerIP }}
{{- end }}

2
charts/ingress-nginx/templates/controller-service-metrics.yaml
View file

@ -12,7 +12,7 @@ metadata:
{{- toYaml .Values.controller.metrics.service.labels | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}-metrics
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
type: {{ .Values.controller.metrics.service.type }}
{{- if .Values.controller.metrics.service.clusterIP }}

2
charts/ingress-nginx/templates/controller-service-webhook.yaml
View file

@ -12,7 +12,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}-admission
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
type: {{ .Values.controller.admissionWebhooks.service.type }}
{{- if .Values.controller.admissionWebhooks.service.clusterIP }}

5
charts/ingress-nginx/templates/controller-service.yaml
View file

@ -13,9 +13,12 @@ metadata:
{{- toYaml .Values.controller.service.labels | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
type: {{ .Values.controller.service.type }}
{{- if hasKey .Values.controller.service "allocateLoadBalancerNodePorts" }}
allocateLoadBalancerNodePorts: {{ .Values.controller.service.allocateLoadBalancerNodePorts }}
{{- end }}
{{- if .Values.controller.service.clusterIP }}
clusterIP: {{ .Values.controller.service.clusterIP }}
{{- end }}

2
charts/ingress-nginx/templates/controller-serviceaccount.yaml
View file

@ -9,7 +9,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ template "ingress-nginx.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
{{- if .Values.serviceAccount.annotations }}
annotations: {{ toYaml .Values.serviceAccount.annotations | nindent 4 }}
{{- end }}

6
charts/ingress-nginx/templates/controller-servicemonitor.yaml
View file

@ -4,9 +4,9 @@ kind: ServiceMonitor
metadata:
name: {{ include "ingress-nginx.controller.fullname" . }}
{{- if .Values.controller.metrics.serviceMonitor.namespace }}
namespace: {{ .Values.controller.metrics.serviceMonitor.namespace | quote }}
namespace: {{ .Values.controller.metrics.serviceMonitor.namespace }}
{{- else }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
{{- end }}
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
@ -35,7 +35,7 @@ spec:
{{- else }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
- {{ include "ingress-nginx.namespace" . }}
{{- end }}
{{- if .Values.controller.metrics.serviceMonitor.targetLabels }}
targetLabels:

11
charts/ingress-nginx/templates/default-backend-deployment.yaml
View file

@ -9,7 +9,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
selector:
matchLabels:
@ -65,14 +65,7 @@ spec:
{{- end }}
{{- end }}
{{- end }}
securityContext:
capabilities:
drop:
- ALL
runAsUser: {{ .Values.defaultBackend.image.runAsUser }}
runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }}
allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }}
readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem}}
securityContext: {{ include "ingress-nginx.defaultBackend.containerSecurityContext" . | nindent 12 }}
{{- if .Values.defaultBackend.extraEnvs }}
env: {{ toYaml .Values.defaultBackend.extraEnvs | nindent 12 }}
{{- end }}

2
charts/ingress-nginx/templates/default-backend-hpa.yaml
View file

@ -12,7 +12,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
scaleTargetRef:
apiVersion: apps/v1

2
charts/ingress-nginx/templates/default-backend-networkpolicy.yaml
View file

@ -9,7 +9,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
podSelector:
matchLabels:

2
charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml
View file

@ -10,7 +10,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
selector:
matchLabels:

52
charts/ingress-nginx/templates/default-backend-psp.yaml
View file

@ -4,6 +4,8 @@ apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "ingress-nginx.fullname" . }}-backend
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: default-backend
@ -11,28 +13,38 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
allowPrivilegeEscalation: false
fsGroup:
ranges:
- max: 65535
min: 1
rule: MustRunAs
requiredDropCapabilities:
- ALL
runAsUser:
rule: MustRunAsNonRoot
seLinux:
rule: RunAsAny
supplementalGroups:
ranges:
- max: 65535
min: 1
rule: MustRunAs
privileged: false
hostPID: false
hostIPC: false
hostNetwork: false
volumes:
- configMap
- emptyDir
- projected
- secret
- downwardAPI
- emptyDir
- secret
- projected
fsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: true
runAsUser:
rule: MustRunAsNonRoot
runAsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
supplementalGroups:
rule: MustRunAs
ranges:
- min: 1
max: 65535
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
seLinux:
rule: RunAsAny
{{- end }}
{{- end }}

2
charts/ingress-nginx/templates/default-backend-role.yaml
View file

@ -9,7 +9,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.fullname" . }}-backend
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
rules:
- apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}]
resources: ['podsecuritypolicies']

4
charts/ingress-nginx/templates/default-backend-rolebinding.yaml
View file

@ -9,7 +9,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.fullname" . }}-backend
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@ -17,5 +17,5 @@ roleRef:
subjects:
- kind: ServiceAccount
name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
namespace: {{ include "ingress-nginx.namespace" . }}
{{- end }}

2
charts/ingress-nginx/templates/default-backend-service.yaml
View file

@ -12,7 +12,7 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.defaultBackend.fullname" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
type: {{ .Values.defaultBackend.service.type }}
{{- if .Values.defaultBackend.service.clusterIP }}

2
charts/ingress-nginx/templates/default-backend-serviceaccount.yaml
View file

@ -9,6 +9,6 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
namespace: {{ include "ingress-nginx.namespace" . }}
automountServiceAccountToken: {{ .Values.defaultBackend.serviceAccount.automountServiceAccountToken }}
{{- end }}

106
charts/ingress-nginx/values.yaml
View file

@ -7,6 +7,9 @@
# nameOverride:
# fullnameOverride:
# -- Override the deployment namespace; defaults to .Release.Namespace
namespaceOverride: ""
## Labels to apply to all resources
##
commonLabels: {}
@ -24,13 +27,17 @@ controller:
## for backwards compatibility consider setting the full image url via the repository value below
## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
## repository:
tag: "v1.9.3"
digest: sha256:8fd21d59428507671ce0fb47f818b1d859c92d2ad07bb7c947268d433030ba98
digestChroot: sha256:df4931fd6859fbf1a71e785f02a44b2f9a16f010ae852c442e9bb779cbefdc86
tag: "v1.9.4"
digest: sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3
digestChroot: sha256:5976b1067cfbca8a21d0ba53d71f83543a73316a61ea7f7e436d6cf84ddf9b26
pullPolicy: IfNotPresent
runAsNonRoot: true
# www-data -> uid 101
runAsUser: 101
allowPrivilegeEscalation: true
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
readOnlyRootFilesystem: false
# -- Use an existing PSP instead of creating one
existingPsp: ""
# -- Configures the controller container name
@ -124,12 +131,15 @@ controller:
podLabels: {}
# key: value
# -- Security Context policies for controller pods
# -- Security context for controller pods
podSecurityContext: {}
# -- See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls
# -- sysctls for controller pods
## Ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
sysctls: {}
# sysctls:
# "net.core.somaxconn": "8192"
# -- Security context for controller containers
containerSecurityContext: {}
# -- Allows customization of the source of the IP address or FQDN to report
# in the ingress status field. By default, it reads the information provided
@ -170,6 +180,9 @@ controller:
extraArgs: {}
## extraArgs:
## default-ssl-certificate: "<namespace>/<secret_name>"
## time-buckets: "0.005,0.01,0.025,0.05,0.1,0.25,0.5,1,2.5,5,10"
## length-buckets: "10,20,30,40,50,60,70,80,90,100"
## size-buckets: "10,100,1000,10000,100000,1e+06,1e+07"
# -- Additional environment variables to set
extraEnvs: []
@ -336,7 +349,7 @@ controller:
# -- Minimum available pods set in PodDisruptionBudget.
# Define either 'minAvailable' or 'maxUnavailable', never both.
minAvailable: 1
# -- Maximum unavalaile pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
# -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
# maxUnavailable: 1
## Define requests resources to avoid probe issues due to CPU utilization in busy nodes
@ -449,6 +462,9 @@ controller:
## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
##
externalIPs: []
# -- Set to false to disable loadbalancer node port allocation
# See https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
# allocateLoadBalancerNodePorts: true
# -- Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
loadBalancerIP: ""
loadBalancerSourceRanges: []
@ -504,6 +520,9 @@ controller:
enabled: false
# -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine.
annotations: {}
# -- Set to false to disable loadbalancer node port allocation
# See https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
# allocateLoadBalancerNodePorts: true
# -- Used by cloud providers to connect the resulting internal LoadBalancer to a pre-existing static IP. Make sure to add to the service the needed annotation to specify the subnet which the static IP belongs to. For instance, `networking.gke.io/internal-load-balancer-subnet` for GCP and `service.beta.kubernetes.io/aws-load-balancer-subnets` for AWS.
loadBalancerIP: ""
# -- Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0.
@ -569,8 +588,18 @@ controller:
extraModules: []
# - name: mytestmodule
# image: registry.k8s.io/ingress-nginx/mytestmodule
# distroless: false
# containerSecurityContext:
# runAsNonRoot: true
# runAsUser: <user-id>
# allowPrivilegeEscalation: false
# seccompProfile:
# type: RuntimeDefault
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# resources: {}
#
# The image must contain a `/usr/local/bin/init_module.sh` executable, which
# will be executed as initContainers, to move its config files within the
@ -578,11 +607,23 @@ controller:
opentelemetry:
enabled: false
name: opentelemetry
image: registry.k8s.io/ingress-nginx/opentelemetry:v20230721-3e2062ee5@sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472
distroless: true
containerSecurityContext:
runAsNonRoot: true
# -- The image's default user, inherited from its base image `cgr.dev/chainguard/static`.
runAsUser: 65532
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
resources: {}
admissionWebhooks:
name: admission
annotations: {}
# ignore-check.kube-linter.io/no-read-only-rootfs: "This deployment needs write access to root filesystem".
@ -619,8 +660,18 @@ controller:
servicePort: 443
type: ClusterIP
createSecretJob:
name: create
# -- Security context for secret creation containers
securityContext:
runAsNonRoot: true
runAsUser: 65532
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
resources: {}
# limits:
# cpu: 10m
@ -629,8 +680,18 @@ controller:
# cpu: 10m
# memory: 20Mi
patchWebhookJob:
name: patch
# -- Security context for webhook patch containers
securityContext:
runAsNonRoot: true
runAsUser: 65532
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
resources: {}
patch:
enabled: true
@ -652,10 +713,8 @@ controller:
tolerations: []
# -- Labels to be added to patch job resources
labels: {}
securityContext:
runAsNonRoot: true
runAsUser: 2000
fsGroup: 2000
# -- Security context for secret creation & webhook patch pods
securityContext: {}
# Use certmanager to generate webhook certs
certManager:
enabled: false
@ -699,7 +758,7 @@ controller:
## jobLabel: "app.kubernetes.io/name"
namespace: ""
namespaceSelector: {}
## Default: scrape .Release.Namespace only
## Default: scrape .Release.Namespace or namespaceOverride only
## To scrape all, use the following:
## namespaceSelector:
## any: true
@ -722,8 +781,13 @@ controller:
# annotations:
# description: bad ingress config - nginx config test failed
# summary: uninstall the latest ingress changes to allow config reloads to resume
# # By default a fake self-signed certificate is generated as default and
# # it is fine if it expires. If `--default-ssl-certificate` flag is used
# # and a valid certificate passed please do not filter for `host` label!
# # (i.e. delete `{host!="_"}` so also the default SSL certificate is
# # checked for expiration)
# - alert: NGINXCertificateExpiry
# expr: (avg(nginx_ingress_controller_ssl_expire_time_seconds) by (host) - time()) < 604800
# expr: (avg(nginx_ingress_controller_ssl_expire_time_seconds{host!="_"}) by (host) - time()) < 604800
# for: 1s
# labels:
# severity: critical
@ -776,11 +840,13 @@ defaultBackend:
## repository:
tag: "1.5"
pullPolicy: IfNotPresent
runAsNonRoot: true
# nobody user -> uid 65534
runAsUser: 65534
runAsNonRoot: true
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
readOnlyRootFilesystem: true
# -- Use an existing PSP instead of creating one
existingPsp: ""
extraArgs: {}
@ -826,15 +892,9 @@ defaultBackend:
# effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
affinity: {}
# -- Security Context policies for controller pods
# See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for
# notes on enabling and using sysctls
##
# -- Security context for default backend pods
podSecurityContext: {}
# -- Security Context policies for controller main container.
# See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for
# notes on enabling and using sysctls
##
# -- Security context for default backend containers
containerSecurityContext: {}
# -- Labels to add to the pod container metadata
podLabels: {}

46
deploy/static/provider/aws/deploy.yaml
View file

@ -15,7 +15,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
namespace: ingress-nginx
---
@ -27,7 +27,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
---
@ -39,7 +39,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
namespace: ingress-nginx
rules:
@ -129,7 +129,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
rules:
@ -148,7 +148,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
rules:
- apiGroups:
@ -230,7 +230,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
rules:
- apiGroups:
@ -249,7 +249,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
namespace: ingress-nginx
roleRef:
@ -269,7 +269,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
roleRef:
@ -288,7 +288,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -307,7 +307,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -328,7 +328,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller
namespace: ingress-nginx
---
@ -344,7 +344,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
@ -377,7 +377,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller-admission
namespace: ingress-nginx
spec:
@ -400,7 +400,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
@ -422,7 +422,7 @@ spec:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
spec:
containers:
- args:
@ -446,7 +446,7 @@ spec:
fieldPath: metadata.namespace
- name: LD_PRELOAD
value: /usr/local/lib/libmimalloc.so
image: registry.k8s.io/ingress-nginx/controller:v1.9.3@sha256:8fd21d59428507671ce0fb47f818b1d859c92d2ad07bb7c947268d433030ba98
image: registry.k8s.io/ingress-nginx/controller:v1.9.4@sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@ -518,7 +518,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-create
namespace: ingress-nginx
spec:
@ -529,7 +529,7 @@ spec:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-create
spec:
containers:
@ -565,7 +565,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-patch
namespace: ingress-nginx
spec:
@ -576,7 +576,7 @@ spec:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-patch
spec:
containers:
@ -614,7 +614,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: nginx
spec:
controller: k8s.io/ingress-nginx
@ -627,7 +627,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
spec:
@ -650,7 +650,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
webhooks:
- admissionReviewVersions:

46
deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml
View file

@ -15,7 +15,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
namespace: ingress-nginx
---
@ -27,7 +27,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
---
@ -39,7 +39,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
namespace: ingress-nginx
rules:
@ -129,7 +129,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
rules:
@ -148,7 +148,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
rules:
- apiGroups:
@ -230,7 +230,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
rules:
- apiGroups:
@ -249,7 +249,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
namespace: ingress-nginx
roleRef:
@ -269,7 +269,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
roleRef:
@ -288,7 +288,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -307,7 +307,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -335,7 +335,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller
namespace: ingress-nginx
---
@ -353,7 +353,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
@ -386,7 +386,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller-admission
namespace: ingress-nginx
spec:
@ -409,7 +409,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
@ -431,7 +431,7 @@ spec:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
spec:
containers:
- args:
@ -455,7 +455,7 @@ spec:
fieldPath: metadata.namespace
- name: LD_PRELOAD
value: /usr/local/lib/libmimalloc.so
image: registry.k8s.io/ingress-nginx/controller:v1.9.3@sha256:8fd21d59428507671ce0fb47f818b1d859c92d2ad07bb7c947268d433030ba98
image: registry.k8s.io/ingress-nginx/controller:v1.9.4@sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@ -530,7 +530,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-create
namespace: ingress-nginx
spec:
@ -541,7 +541,7 @@ spec:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-create
spec:
containers:
@ -577,7 +577,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-patch
namespace: ingress-nginx
spec:
@ -588,7 +588,7 @@ spec:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-patch
spec:
containers:
@ -626,7 +626,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: nginx
spec:
controller: k8s.io/ingress-nginx
@ -639,7 +639,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
spec:
@ -662,7 +662,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
webhooks:
- admissionReviewVersions:

46
deploy/static/provider/baremetal/deploy.yaml
View file

@ -15,7 +15,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
namespace: ingress-nginx
---
@ -27,7 +27,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
---
@ -39,7 +39,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
namespace: ingress-nginx
rules:
@ -129,7 +129,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
rules:
@ -148,7 +148,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
rules:
- apiGroups:
@ -230,7 +230,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
rules:
- apiGroups:
@ -249,7 +249,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
namespace: ingress-nginx
roleRef:
@ -269,7 +269,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
roleRef:
@ -288,7 +288,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -307,7 +307,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -328,7 +328,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller
namespace: ingress-nginx
---
@ -340,7 +340,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
@ -372,7 +372,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller-admission
namespace: ingress-nginx
spec:
@ -395,7 +395,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
@ -417,7 +417,7 @@ spec:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
spec:
containers:
- args:
@ -440,7 +440,7 @@ spec:
fieldPath: metadata.namespace
- name: LD_PRELOAD
value: /usr/local/lib/libmimalloc.so
image: registry.k8s.io/ingress-nginx/controller:v1.9.3@sha256:8fd21d59428507671ce0fb47f818b1d859c92d2ad07bb7c947268d433030ba98
image: registry.k8s.io/ingress-nginx/controller:v1.9.4@sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@ -512,7 +512,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-create
namespace: ingress-nginx
spec:
@ -523,7 +523,7 @@ spec:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-create
spec:
containers:
@ -559,7 +559,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-patch
namespace: ingress-nginx
spec:
@ -570,7 +570,7 @@ spec:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-patch
spec:
containers:
@ -608,7 +608,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: nginx
spec:
controller: k8s.io/ingress-nginx
@ -621,7 +621,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
spec:
@ -644,7 +644,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
webhooks:
- admissionReviewVersions:

46
deploy/static/provider/cloud/deploy.yaml
View file

@ -15,7 +15,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
namespace: ingress-nginx
---
@ -27,7 +27,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
---
@ -39,7 +39,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
namespace: ingress-nginx
rules:
@ -129,7 +129,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
rules:
@ -148,7 +148,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
rules:
- apiGroups:
@ -230,7 +230,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
rules:
- apiGroups:
@ -249,7 +249,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
namespace: ingress-nginx
roleRef:
@ -269,7 +269,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
roleRef:
@ -288,7 +288,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -307,7 +307,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -328,7 +328,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller
namespace: ingress-nginx
---
@ -340,7 +340,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
@ -373,7 +373,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller-admission
namespace: ingress-nginx
spec:
@ -396,7 +396,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
@ -418,7 +418,7 @@ spec:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
spec:
containers:
- args:
@ -442,7 +442,7 @@ spec:
fieldPath: metadata.namespace
- name: LD_PRELOAD
value: /usr/local/lib/libmimalloc.so
image: registry.k8s.io/ingress-nginx/controller:v1.9.3@sha256:8fd21d59428507671ce0fb47f818b1d859c92d2ad07bb7c947268d433030ba98
image: registry.k8s.io/ingress-nginx/controller:v1.9.4@sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@ -514,7 +514,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-create
namespace: ingress-nginx
spec:
@ -525,7 +525,7 @@ spec:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-create
spec:
containers:
@ -561,7 +561,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-patch
namespace: ingress-nginx
spec:
@ -572,7 +572,7 @@ spec:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-patch
spec:
containers:
@ -610,7 +610,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: nginx
spec:
controller: k8s.io/ingress-nginx
@ -623,7 +623,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
spec:
@ -646,7 +646,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
webhooks:
- admissionReviewVersions:

46
deploy/static/provider/do/deploy.yaml
View file

@ -15,7 +15,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
namespace: ingress-nginx
---
@ -27,7 +27,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
---
@ -39,7 +39,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
namespace: ingress-nginx
rules:
@ -129,7 +129,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
rules:
@ -148,7 +148,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
rules:
- apiGroups:
@ -230,7 +230,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
rules:
- apiGroups:
@ -249,7 +249,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
namespace: ingress-nginx
roleRef:
@ -269,7 +269,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
roleRef:
@ -288,7 +288,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -307,7 +307,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -329,7 +329,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller
namespace: ingress-nginx
---
@ -343,7 +343,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
@ -376,7 +376,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller-admission
namespace: ingress-nginx
spec:
@ -399,7 +399,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
@ -421,7 +421,7 @@ spec:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
spec:
containers:
- args:
@ -445,7 +445,7 @@ spec:
fieldPath: metadata.namespace
- name: LD_PRELOAD
value: /usr/local/lib/libmimalloc.so
image: registry.k8s.io/ingress-nginx/controller:v1.9.3@sha256:8fd21d59428507671ce0fb47f818b1d859c92d2ad07bb7c947268d433030ba98
image: registry.k8s.io/ingress-nginx/controller:v1.9.4@sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@ -517,7 +517,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-create
namespace: ingress-nginx
spec:
@ -528,7 +528,7 @@ spec:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-create
spec:
containers:
@ -564,7 +564,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-patch
namespace: ingress-nginx
spec:
@ -575,7 +575,7 @@ spec:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-patch
spec:
containers:
@ -613,7 +613,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: nginx
spec:
controller: k8s.io/ingress-nginx
@ -626,7 +626,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
spec:
@ -649,7 +649,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
webhooks:
- admissionReviewVersions:

46
deploy/static/provider/exoscale/deploy.yaml
View file

@ -15,7 +15,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
namespace: ingress-nginx
---
@ -27,7 +27,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
---
@ -39,7 +39,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
namespace: ingress-nginx
rules:
@ -129,7 +129,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
rules:
@ -148,7 +148,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
rules:
- apiGroups:
@ -230,7 +230,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
rules:
- apiGroups:
@ -249,7 +249,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
namespace: ingress-nginx
roleRef:
@ -269,7 +269,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
roleRef:
@ -288,7 +288,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -307,7 +307,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -328,7 +328,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller
namespace: ingress-nginx
---
@ -349,7 +349,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
@ -382,7 +382,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller-admission
namespace: ingress-nginx
spec:
@ -405,7 +405,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
@ -423,7 +423,7 @@ spec:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
spec:
containers:
- args:
@ -447,7 +447,7 @@ spec:
fieldPath: metadata.namespace
- name: LD_PRELOAD
value: /usr/local/lib/libmimalloc.so
image: registry.k8s.io/ingress-nginx/controller:v1.9.3@sha256:8fd21d59428507671ce0fb47f818b1d859c92d2ad07bb7c947268d433030ba98
image: registry.k8s.io/ingress-nginx/controller:v1.9.4@sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@ -523,7 +523,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-create
namespace: ingress-nginx
spec:
@ -534,7 +534,7 @@ spec:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-create
spec:
containers:
@ -570,7 +570,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-patch
namespace: ingress-nginx
spec:
@ -581,7 +581,7 @@ spec:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-patch
spec:
containers:
@ -619,7 +619,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: nginx
spec:
controller: k8s.io/ingress-nginx
@ -632,7 +632,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
spec:
@ -655,7 +655,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
webhooks:
- admissionReviewVersions:

46
deploy/static/provider/kind/deploy.yaml
View file

@ -15,7 +15,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
namespace: ingress-nginx
---
@ -27,7 +27,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
---
@ -39,7 +39,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
namespace: ingress-nginx
rules:
@ -129,7 +129,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
rules:
@ -148,7 +148,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
rules:
- apiGroups:
@ -230,7 +230,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
rules:
- apiGroups:
@ -249,7 +249,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
namespace: ingress-nginx
roleRef:
@ -269,7 +269,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
roleRef:
@ -288,7 +288,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -307,7 +307,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -328,7 +328,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller
namespace: ingress-nginx
---
@ -340,7 +340,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
@ -372,7 +372,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller-admission
namespace: ingress-nginx
spec:
@ -395,7 +395,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
@ -417,7 +417,7 @@ spec:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
spec:
containers:
- args:
@ -442,7 +442,7 @@ spec:
fieldPath: metadata.namespace
- name: LD_PRELOAD
value: /usr/local/lib/libmimalloc.so
image: registry.k8s.io/ingress-nginx/controller:v1.9.3@sha256:8fd21d59428507671ce0fb47f818b1d859c92d2ad07bb7c947268d433030ba98
image: registry.k8s.io/ingress-nginx/controller:v1.9.4@sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@ -524,7 +524,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-create
namespace: ingress-nginx
spec:
@ -535,7 +535,7 @@ spec:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-create
spec:
containers:
@ -571,7 +571,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-patch
namespace: ingress-nginx
spec:
@ -582,7 +582,7 @@ spec:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-patch
spec:
containers:
@ -620,7 +620,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: nginx
spec:
controller: k8s.io/ingress-nginx
@ -633,7 +633,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
spec:
@ -656,7 +656,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
webhooks:
- admissionReviewVersions:

46
deploy/static/provider/oracle/deploy.yaml
View file

@ -15,7 +15,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
namespace: ingress-nginx
---
@ -27,7 +27,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
---
@ -39,7 +39,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
namespace: ingress-nginx
rules:
@ -129,7 +129,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
rules:
@ -148,7 +148,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
rules:
- apiGroups:
@ -230,7 +230,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
rules:
- apiGroups:
@ -249,7 +249,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
namespace: ingress-nginx
roleRef:
@ -269,7 +269,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
roleRef:
@ -288,7 +288,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -307,7 +307,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -328,7 +328,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller
namespace: ingress-nginx
---
@ -344,7 +344,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
@ -377,7 +377,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller-admission
namespace: ingress-nginx
spec:
@ -400,7 +400,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
@ -422,7 +422,7 @@ spec:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
spec:
containers:
- args:
@ -446,7 +446,7 @@ spec:
fieldPath: metadata.namespace
- name: LD_PRELOAD
value: /usr/local/lib/libmimalloc.so
image: registry.k8s.io/ingress-nginx/controller:v1.9.3@sha256:8fd21d59428507671ce0fb47f818b1d859c92d2ad07bb7c947268d433030ba98
image: registry.k8s.io/ingress-nginx/controller:v1.9.4@sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@ -518,7 +518,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-create
namespace: ingress-nginx
spec:
@ -529,7 +529,7 @@ spec:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-create
spec:
containers:
@ -565,7 +565,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-patch
namespace: ingress-nginx
spec:
@ -576,7 +576,7 @@ spec:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-patch
spec:
containers:
@ -614,7 +614,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: nginx
spec:
controller: k8s.io/ingress-nginx
@ -627,7 +627,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
spec:
@ -650,7 +650,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
webhooks:
- admissionReviewVersions:

46
deploy/static/provider/scw/deploy.yaml
View file

@ -15,7 +15,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
namespace: ingress-nginx
---
@ -27,7 +27,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
---
@ -39,7 +39,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
namespace: ingress-nginx
rules:
@ -129,7 +129,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
rules:
@ -148,7 +148,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
rules:
- apiGroups:
@ -230,7 +230,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
rules:
- apiGroups:
@ -249,7 +249,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
namespace: ingress-nginx
roleRef:
@ -269,7 +269,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
roleRef:
@ -288,7 +288,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -307,7 +307,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -329,7 +329,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller
namespace: ingress-nginx
---
@ -343,7 +343,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
@ -376,7 +376,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller-admission
namespace: ingress-nginx
spec:
@ -399,7 +399,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
@ -421,7 +421,7 @@ spec:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
spec:
containers:
- args:
@ -445,7 +445,7 @@ spec:
fieldPath: metadata.namespace
- name: LD_PRELOAD
value: /usr/local/lib/libmimalloc.so
image: registry.k8s.io/ingress-nginx/controller:v1.9.3@sha256:8fd21d59428507671ce0fb47f818b1d859c92d2ad07bb7c947268d433030ba98
image: registry.k8s.io/ingress-nginx/controller:v1.9.4@sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
@ -517,7 +517,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-create
namespace: ingress-nginx
spec:
@ -528,7 +528,7 @@ spec:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-create
spec:
containers:
@ -564,7 +564,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-patch
namespace: ingress-nginx
spec:
@ -575,7 +575,7 @@ spec:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission-patch
spec:
containers:
@ -613,7 +613,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: nginx
spec:
controller: k8s.io/ingress-nginx
@ -626,7 +626,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
namespace: ingress-nginx
spec:
@ -649,7 +649,7 @@ metadata:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.9.3
app.kubernetes.io/version: 1.9.4
name: ingress-nginx-admission
webhooks:
- admissionReviewVersions:

110
docs/enhancements/20231001-split-containers.md Normal file
View file

@ -0,0 +1,110 @@
# Proposal to split containers
* All the NGINX files should live on one container
* No file other than NGINX files should exist on this container
* This includes not mounting the service account
* All the controller files should live on a different container
* Controller container should have bare minimum to work (just go program)
* ServiceAccount should be mounted just on controller
* Inside nginx container, there should be a really small http listener just able
to start, stop and reload NGINX
## Roadmap (what needs to be done)
* Map what needs to be done to mount the SA just on controller container
* Map all the required files for NGINX to work
* Map all the required network calls between controller and NGINX
* eg.: Dynamic lua reconfiguration
* Map problematic features that will need attention
* SSLPassthrough today happens on controller process and needs to happen on NGINX
### Ports and endpoints on NGINX container
* Public HTTP/HTTPs port - 80 and 443
* Lua configuration port - 10246 (HTTP) and 10247 (Stream)
* 3333 (temp) - Dataplane controller http server
* /reload - (POST) Reloads the configuration.
* "config" argument is the location of temporary file that should be used / moved to nginx.conf
* /test - (POST) Test the configuration of a given file location
* "config" argument is the location of temporary file that should be tested
### Mounting empty SA on controller container
```yaml
kind: Pod
apiVersion: v1
metadata:
name: test
spec:
containers:
- name: nginx
image: nginx:latest
ports:
- containerPort: 80
- name: othernginx
image: alpine:latest
command: ["/bin/sh"]
args: ["-c", "while true; do date; sleep 3; done"]
volumeMounts:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: emptysecret
volumes:
- name: emptysecret
emptyDir:
sizeLimit: 1Mi
```
### Mapped folders on NGINX configuration
**WARNING** We need to be aware of inter mount containers and inode problems. If we
mount a file instead of a directory, it may take time to reflect the file value on
the target container
* "/etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/?.lua;;"; - Lua scripts
* "/var/log/nginx" - NGINX logs
* "/tmp/nginx (nginx.pid)" - NGINX pid directory / file, fcgi socket, etc
* " /etc/nginx/geoip" - GeoIP database directory - OK - /etc/ingress-controller/geoip
* /etc/nginx/mime.types - Mime types
* /etc/ingress-controller/ssl - SSL directory (fake cert, auth cert)
* /etc/ingress-controller/auth - Authentication files
* /etc/nginx/modsecurity - Modsecurity configuration
* /etc/nginx/owasp-modsecurity-crs - Modsecurity rules
* /etc/nginx/tickets.key - SSL tickets - OK - /etc/ingress-controller/tickets.key
* /etc/nginx/opentelemetry.toml - OTEL config - OK - /etc/ingress-controller/telemetry
* /etc/nginx/opentracing.json - Opentracing config - OK - /etc/ingress-controller/telemetry
* /etc/nginx/modules - NGINX modules
* /etc/nginx/fastcgi_params (maybe) - fcgi params
* /etc/nginx/template - Template, may be used by controller only
##### List of modules
```
ngx_http_auth_digest_module.so ngx_http_modsecurity_module.so
ngx_http_brotli_filter_module.so ngx_http_opentracing_module.so
ngx_http_brotli_static_module.so ngx_stream_geoip2_module.so
ngx_http_geoip2_module.so
```
##### List of files that may be removed
```
-rw-r--r-- 1 www-data www-data 1077 Jun 23 19:44 fastcgi.conf
-rw-r--r-- 1 www-data www-data 1077 Jun 23 19:44 fastcgi.conf.default
-rw-r--r-- 1 www-data www-data 1007 Jun 23 19:44 fastcgi_params
-rw-r--r-- 1 www-data www-data 1007 Jun 23 19:44 fastcgi_params.default
drwxr-xr-x 2 www-data www-data 4096 Jun 23 19:34 geoip
-rw-r--r-- 1 www-data www-data 2837 Jun 23 19:44 koi-utf
-rw-r--r-- 1 www-data www-data 2223 Jun 23 19:44 koi-win
drwxr-xr-x 6 www-data www-data 4096 Sep 19 14:13 lua
-rw-r--r-- 1 www-data www-data 5349 Jun 23 19:44 mime.types
-rw-r--r-- 1 www-data www-data 5349 Jun 23 19:44 mime.types.default
drwxr-xr-x 2 www-data www-data 4096 Jun 23 19:44 modsecurity
drwxr-xr-x 2 www-data www-data 4096 Jun 23 19:44 modules
-rw-r--r-- 1 www-data www-data 18275 Oct 1 21:28 nginx.conf
-rw-r--r-- 1 www-data www-data 2656 Jun 23 19:44 nginx.conf.default
-rwx------ 1 www-data www-data 420 Oct 1 21:28 opentelemetry.toml
-rw-r--r-- 1 www-data www-data 2 Oct 1 21:28 opentracing.json
drwxr-xr-x 7 www-data www-data 4096 Jun 23 19:44 owasp-modsecurity-crs
-rw-r--r-- 1 www-data www-data 636 Jun 23 19:44 scgi_params
-rw-r--r-- 1 www-data www-data 636 Jun 23 19:44 scgi_params.default
drwxr-xr-x 2 www-data www-data 4096 Sep 19 14:13 template
-rw-r--r-- 1 www-data www-data 664 Jun 23 19:44 uwsgi_params
-rw-r--r-- 1 www-data www-data 664 Jun 23 19:44 uwsgi_params.default
-rw-r--r-- 1 www-data www-data 3610 Jun 23 19:44 win-utf
```

4
docs/how-it-works.md
View file

@ -58,13 +58,13 @@ In a relatively big cluster with frequently deploying apps this feature saves si
### Avoiding outage from wrong configuration
Because the ingress controller works using the [synchronization loop pattern](https://coreos.com/kubernetes/docs/latest/replication-controller.html#the-reconciliation-loop-in-detail), it is applying the configuration for all matching objects. In case some Ingress objects have a broken configuration, for example a syntax error in the `nginx.ingress.kubernetes.io/configuration-snippet` annotation, the generated configuration becomes invalid, does not reload and hence no more ingresses will be taken into account.
Because the ingress controller works using the [synchronization loop pattern][1], it is applying the configuration for all matching objects. In case some Ingress objects have a broken configuration, for example a syntax error in the `nginx.ingress.kubernetes.io/configuration-snippet` annotation, the generated configuration becomes invalid, does not reload and hence no more ingresses will be taken into account.
To prevent this situation to happen, the Ingress-Nginx Controller optionally exposes a [validating admission webhook server][8] to ensure the validity of incoming ingress objects.
This webhook appends the incoming ingress objects to the list of ingresses, generates the configuration and calls nginx to ensure the configuration has no syntax errors.
[0]: https://github.com/openresty/lua-nginx-module/pull/1259
[1]: https://coreos.com/kubernetes/docs/latest/replication-controller.html#the-reconciliation-loop-in-detail
[1]: https://github.com/coreos/docs/blob/master/kubernetes/replication-controller.md#the-reconciliation-loop-in-detail
[2]: https://godoc.org/k8s.io/client-go/informers#NewFilteredSharedInformerFactory
[3]: https://godoc.org/k8s.io/client-go/tools/cache#ResourceEventHandlerFuncs
[4]: https://github.com/kubernetes/ingress-nginx/blob/main/internal/task/queue.go#L38

2
docs/troubleshooting.md
View file

@ -419,6 +419,7 @@ spec:
operator: "Exists"
effect: NoSchedule
```
* update the namespace if applicable/desired
* replace `##_NODE_NAME_##` with the problematic node (or remove nodeSelector section if problem is not confined to one node)
* replace `##_CONTROLLER_IMAGE_##` with the same image as in use by your ingress-nginx deployment
@ -445,6 +446,7 @@ $ capsh --decode=0000000000000400
## Create a test pod as root
(Note, this may be restricted by PodSecurityPolicy, PodSecurityAdmission/Standards, OPA Gatekeeper, etc. in which case you will need to do the appropriate workaround for testing, e.g. deploy in a new namespace without the restrictions.)
To test further you may want to install additional utilities, etc. Modify the pod yaml by:
* changing runAsUser from 101 to 0
* removing the "drop..ALL" section from the capabilities.

9
docs/user-guide/nginx-configuration/configmap.md
View file

@ -39,6 +39,7 @@ The following table shows a configuration option's name, type, and the default v
|[http-access-log-path](#http-access-log-path)|string|""||
|[stream-access-log-path](#stream-access-log-path)|string|""||
|[enable-access-log-for-default-backend](#enable-access-log-for-default-backend)|bool|"false"||
|[enable-auth-access-log](#enable-auth-access-log)|bool|"false"||
|[error-log-path](#error-log-path)|string|"/var/log/nginx/error.log"||
|[enable-modsecurity](#enable-modsecurity)|bool|"false"||
|[modsecurity-snippet](#modsecurity-snippet)|string|""||
@ -61,7 +62,7 @@ The following table shows a configuration option's name, type, and the default v
|[http2-max-concurrent-streams](#http2-max-concurrent-streams)|int|128||
|[hsts](#hsts)|bool|"true"||
|[hsts-include-subdomains](#hsts-include-subdomains)|bool|"true"||
|[hsts-max-age](#hsts-max-age)|string|"15724800"||
|[hsts-max-age](#hsts-max-age)|string|"31536000"||
|[hsts-preload](#hsts-preload)|bool|"false"||
|[keep-alive](#keep-alive)|int|75||
|[keep-alive-requests](#keep-alive-requests)|int|1000||
@ -163,7 +164,7 @@ The following table shows a configuration option's name, type, and the default v
|[enable-opentelemetry](#enable-opentelemetry)|bool|"false"||
|[opentelemetry-trust-incoming-span](#opentelemetry-trust-incoming-span)|bool|"true"||
|[opentelemetry-operation-name](#opentelemetry-operation-name)|string|""||
|[opentelemetry-config](#/etc/nginx/opentelemetry.toml)|string|"/etc/nginx/opentelemetry.toml"||
|[opentelemetry-config](#/etc/ingress-controller/telemetry/opentelemetry.toml)|string|"/etc/ingress-controller/telemetry/opentelemetry.toml"||
|[otlp-collector-host](#otlp-collector-host)|string|""||
|[otlp-collector-port](#otlp-collector-port)|int|4317||
|[otel-max-queuesize](#otel-max-queuesize)|int|||
@ -327,6 +328,10 @@ __Note:__ If not specified, the `access-log-path` will be used.
Enables logging access to default backend. _**default:**_ is disabled.
## enable-auth-access-log
Enables logging access to the authentication endpoint. _**default:**_ is disabled.
## error-log-path
Error log path. Goes to `/var/log/nginx/error.log` by default.

2
docs/user-guide/third-party-addons/opentelemetry.md
View file

@ -165,7 +165,7 @@ To install the example and collectors run:
kind: ConfigMap
data:
enable-opentelemetry: "true"
opentelemetry-config: "/etc/nginx/opentelemetry.toml"
opentelemetry-config: "/etc/ingress-controller/telemetry/opentelemetry.toml"
opentelemetry-operation-name: "HTTP $request_method $service_name $uri"
opentelemetry-trust-incoming-span: "true"
otlp-collector-host: "otel-coll-collector.otel.svc"

16
go.mod
View file

@ -6,7 +6,7 @@ require (
dario.cat/mergo v1.0.0
github.com/armon/go-proxyproto v0.0.0-20210323213023-7e956b284f0a
github.com/eapache/channels v1.1.0
github.com/fsnotify/fsnotify v1.6.0
github.com/fsnotify/fsnotify v1.7.0
github.com/json-iterator/go v1.1.12
github.com/kylelemons/godebug v1.1.0
github.com/mitchellh/go-ps v1.0.0
@ -15,18 +15,18 @@ require (
github.com/moul/pb v0.0.0-20220425114252-bca18df4138c
github.com/ncabatoff/process-exporter v0.7.10
github.com/onsi/ginkgo/v2 v2.13.0
github.com/opencontainers/runc v1.1.9
github.com/opencontainers/runc v1.1.10
github.com/pmezard/go-difflib v1.0.0
github.com/prometheus/client_golang v1.17.0
github.com/prometheus/client_model v0.5.0
github.com/prometheus/common v0.44.0
github.com/spf13/cobra v1.7.0
github.com/prometheus/common v0.45.0
github.com/spf13/cobra v1.8.0
github.com/spf13/pflag v1.0.5
github.com/stretchr/testify v1.8.4
github.com/yudai/gojsondiff v1.0.0
github.com/zakjan/cert-chain-resolver v0.0.0-20221221105603-fcedb00c5b30
golang.org/x/crypto v0.14.0
google.golang.org/grpc v1.58.3
google.golang.org/grpc v1.59.0
google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7
gopkg.in/go-playground/pool.v3 v3.1.1
gopkg.in/mcuadros/go-syslog.v2 v2.3.0
@ -74,7 +74,7 @@ require (
github.com/google/gofuzz v1.1.0 // indirect
github.com/google/pprof v0.0.0-20230926050212-f7f687d19a98 // indirect
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
github.com/google/uuid v1.3.0 // indirect
github.com/google/uuid v1.3.1 // indirect
github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
github.com/imdario/mergo v0.3.6 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
@ -82,7 +82,7 @@ require (
github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
github.com/mailru/easyjson v0.7.7 // indirect
github.com/mattn/go-colorable v0.1.13 // indirect
github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
github.com/mmarkdown/mmark v2.0.40+incompatible // indirect
github.com/moby/sys/mountinfo v0.5.0 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
@ -110,7 +110,7 @@ require (
golang.org/x/time v0.3.0 // indirect
golang.org/x/tools v0.14.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect
google.golang.org/protobuf v1.31.0 // indirect
gopkg.in/go-playground/assert.v1 v1.2.1 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect

35
go.sum
View file

@ -61,7 +61,7 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
github.com/coreos/go-systemd/v22 v22.4.0 h1:y9YHcjnjynCd/DVbg5j9L/33jQM3MxJlbj/zWskzfGU=
github.com/coreos/go-systemd/v22 v22.4.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
@ -85,8 +85,8 @@ github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJ
github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4=
github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
github.com/fullsailor/pkcs7 v0.0.0-20160414161337-2585af45975b/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA=
github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa h1:RDBNVkRviHZtvDvId8XSGPu3rmpmSe+wKRcEWNgsfWU=
github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA=
@ -191,8 +191,8 @@ github.com/google/pprof v0.0.0-20230926050212-f7f687d19a98/go.mod h1:czg5+yv1E0Z
github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4=
github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 h1:pdN6V1QBWetyv/0+wjACpqVH+eVULgEjkurDLq3goeM=
@ -244,8 +244,8 @@ github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovk
github.com/mattn/go-isatty v0.0.16 h1:bq3VjFmv/sOjHtdEhmkEV4x1AJtvUvOJ2PFAZ5+peKQ=
github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg=
github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k=
github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc=
github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg=
github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4=
@ -289,8 +289,8 @@ github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7J
github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M=
github.com/opencontainers/runc v1.1.9 h1:XR0VIHTGce5eWPkaPesqTBrhW2yAcaraWfsEalNwQLM=
github.com/opencontainers/runc v1.1.9/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50=
github.com/opencontainers/runc v1.1.10 h1:EaL5WeO9lv9wmS6SASjszOeQdSctvpbu0DdBQBizE40=
github.com/opencontainers/runc v1.1.10/go.mod h1:+/R6+KmDlh+hOO8NkjmgkG9Qzvypzk0yXxAPYYR65+M=
github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 h1:3snG66yBm59tKhhSPQrQ/0bCrv1LQbKt40LnUPiUxdc=
github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI=
@ -318,8 +318,8 @@ github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y8
github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
github.com/prometheus/common v0.29.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY=
github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY=
github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM=
github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY=
github.com/prometheus/exporter-toolkit v0.7.0/go.mod h1:ZUBIj498ePooX9t/2xtDjeQYwvRpiPP2lh5u4iblj2g=
github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
@ -341,8 +341,8 @@ github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6Mwd
github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
@ -532,7 +532,6 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
@ -657,8 +656,8 @@ google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6D
google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 h1:bVf09lpb+OJbByTj913DRJioFFAjf/ZGxEz7MajTp2U=
google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98/go.mod h1:TUfxEVdsvPg18p6AslUXFoLdpED4oBnGwyqk3dV1XzM=
google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d h1:uvYuEyMHKNt+lT4K3bN6fGswmK8qSvcreM3BwjDh+y4=
google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M=
google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
@ -671,8 +670,8 @@ google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKa
google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
google.golang.org/grpc v1.58.3 h1:BjnpXut1btbtgN/6sp+brB2Kbm2LjNXnidYujAVbSoQ=
google.golang.org/grpc v1.58.3/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSsCJk0=
google.golang.org/grpc v1.59.0 h1:Z5Iec2pjwb+LEOqzpB2MR12/eKFhDPhuqW91O+4bwUk=
google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98=
google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 h1:pPsdyuBif+uoyUoL19yuj/TCfUPsmpJHJZhWQ98JGLU=
google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7/go.mod h1:8pQa1yxxkh+EsxUK8/455D5MSbv3vgmEJqKCH3y17mI=
google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=

29
go.work.sum
View file

@ -1,3 +1,4 @@
cloud.google.com/go v0.97.0/go.mod h1:GF7l59pYBVlXQIBLx3a761cZ41F9bBH3JUlihCt2Udc=
cloud.google.com/go v0.110.2/go.mod h1:k04UEeEtb6ZBRTv3dZz4CeJC3jKGxyhl0sAiVVquxiw=
cloud.google.com/go v0.110.4/go.mod h1:+EYjdK8e5RME/VY/qLCAtuyALQ9q67dvuum8i+H5xsI=
cloud.google.com/go/accessapproval v1.7.1/go.mod h1:JYczztsHRMK7NTXb6Xw+dwbs/WnOJxbo/2mTI+Kgg68=
@ -27,6 +28,7 @@ cloud.google.com/go/cloudtasks v1.11.1/go.mod h1:a9udmnou9KO2iulGscKR0qBYjreuX8o
cloud.google.com/go/compute v1.19.3/go.mod h1:qxvISKp/gYnXkSAD1ppcSOveRAmzxicEv/JlizULFrI=
cloud.google.com/go/compute v1.20.1/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM=
cloud.google.com/go/compute v1.21.0/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM=
cloud.google.com/go/compute v1.23.0/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM=
cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
cloud.google.com/go/contactcenterinsights v1.9.1/go.mod h1:bsg/R7zGLYMVxFFzfh9ooLTruLRCG9fnzhH9KznHhbM=
cloud.google.com/go/container v1.22.1/go.mod h1:lTNExE2R7f+DLbAN+rJiKTisauFCaoDq6NURZ83eVH4=
@ -121,6 +123,8 @@ cloud.google.com/go/vpcaccess v1.7.1/go.mod h1:FogoD46/ZU+JUBX9D606X21EnxiszYi2t
cloud.google.com/go/webrisk v1.9.1/go.mod h1:4GCmXKcOa2BZcZPn6DCEvE7HypmEJcJkr4mtM+sqYPc=
cloud.google.com/go/websecurityscanner v1.6.1/go.mod h1:Njgaw3rttgRHXzwCB8kgCYqv5/rGpFCsBOvPbYgszpg=
cloud.google.com/go/workflows v1.11.1/go.mod h1:Z+t10G1wF7h8LgdY/EmRcQY8ptBD/nvofaL6FqlET6g=
github.com/alecthomas/kingpin/v2 v2.3.2/go.mod h1:0gyi0zQnjuFk8xrkNKamJoyUo382HRL7ATRpFZCw6tE=
github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137/go.mod h1:OMCwj8VM1Kc9e19TLln2VL61YJF0x1XFtfdL4JdbSyE=
github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
github.com/antlr/antlr4/runtime/Go/antlr v1.4.10/go.mod h1:F7bn7fEU90QkQ3tnmaTx3LTKLEDqnwWODIYppRQ5hnY=
github.com/apache/thrift v0.16.0/go.mod h1:PHK3hniurgQaNMZYaCLEqXKsYK8upmhPbmdP2FXSqgU=
@ -153,6 +157,7 @@ github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.
github.com/envoyproxy/go-control-plane v0.11.1/go.mod h1:uhMcXKCQMEJHiAb0w+YGefQLaTEw+YhGluxZkrTmD0g=
github.com/envoyproxy/protoc-gen-validate v1.0.2/go.mod h1:GpiZQP3dDbg4JouG/NNS7QWXpgx6x8QiMKdmN72jogE=
github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
github.com/go-kit/log v0.2.1/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0=
github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs=
github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
@ -160,10 +165,13 @@ github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u1
github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
github.com/gobwas/ws v1.2.1/go.mod h1:hRKAFb8wOxFROYNsT1bqfWnhX+b5MFeJM9r2ZSwg/KY=
github.com/goccy/go-json v0.9.11/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
github.com/golang/glog v1.1.0/go.mod h1:pfYeQZ3JWZoXTV5sFc986z3HTpwQs9At6P4ImfuP3NQ=
github.com/golang/glog v1.1.2/go.mod h1:zR+okUeTbrL6EL3xHUDxZuEtGv04p5shwip1+mL/rLQ=
github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
github.com/google/cel-go v0.12.6/go.mod h1:Jk7ljRzLBhkmiAwBoUxB1sZSCVBAzkqPF25olK/iRDw=
github.com/google/cel-go v0.12.7/go.mod h1:Jk7ljRzLBhkmiAwBoUxB1sZSCVBAzkqPF25olK/iRDw=
github.com/google/flatbuffers v2.0.8+incompatible/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8=
github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
@ -174,6 +182,7 @@ github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLe
github.com/google/s2a-go v0.1.4/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A=
github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k=
github.com/googleapis/gax-go/v2 v2.11.0/go.mod h1:DxmR61SGKkGLa2xigwuZIQpkCI2S5iydzRfb3peWZJI=
github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0/go.mod h1:hgWBS7lorOAVIJEQMi4ZsPv9hVvWI6+ch50m39Pf2Ks=
github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3/go.mod h1:o//XUCC/F+yRGJoPO/VU0GSB0f8Nhgmxx0VIRUvaC0w=
github.com/iancoleman/strcase v0.2.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho=
github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
@ -182,6 +191,8 @@ github.com/klauspost/asmfmt v1.3.2/go.mod h1:AG8TuvYojzulgDAMCnYn50l/5QV3Bs/tp6j
github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU=
github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
github.com/ledongthuc/pdf v0.0.0-20220302134840-0c2507a12d80/go.mod h1:imJHygn/1yfhB7XSJJKlFZKl/J+dCPAknuiaGOshXAs=
github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8/go.mod h1:mC1jAcsrzbxHt8iiaC+zU4b1ylILSosueou12R++wfY=
github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3/go.mod h1:RagcQ7I8IeTMnF8JTXieKnO4Z6JCsikNEzj0DwauVzE=
github.com/moby/term v0.0.0-20221205130635-1aeaba878587/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
@ -195,15 +206,24 @@ github.com/onsi/gomega v1.27.4/go.mod h1:riYq/GJKh8hhoM01HN6Vmuy93AarCXCBGpvFDK3
github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde/go.mod h1:nZgzbfBr3hhjoZnS66nKrHmduYNpc34ny7RK4z5/HM0=
github.com/pierrec/lz4/v4 v4.1.15/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
github.com/pquerna/cachecontrol v0.1.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQnrHV5K9mBcUI=
github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4=
github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk=
github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE=
github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU=
github.com/xhit/go-str2duration/v2 v2.1.0/go.mod h1:ohY8p+0f07DiV6Em5LKB0s2YpLtXVyJfNt1+BlmyAsU=
github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA=
go.etcd.io/etcd/api/v3 v3.5.7/go.mod h1:9qew1gCdDDLu+VwmeG+iFpL+QlpHTo7iubavdVDgCAA=
go.etcd.io/etcd/client/pkg/v3 v3.5.7/go.mod h1:o0Abi1MK86iad3YrWhgUsbGx1pmTS+hrORWc2CamuhY=
go.etcd.io/etcd/client/v2 v2.305.7/go.mod h1:GQGT5Z3TBuAQGvgPfhR7VPySu/SudxmEkRq9BgzFU6s=
go.etcd.io/etcd/client/v3 v3.5.7/go.mod h1:sOWmj9DZUMyAngS7QQwCyAXXAL6WhgTOPLNS/NabQgw=
go.etcd.io/etcd/pkg/v3 v3.5.7/go.mod h1:kcOfWt3Ov9zgYdOiJ/o1Y9zFfLhQjylTgL4Lru8opRo=
go.etcd.io/etcd/raft/v3 v3.5.7/go.mod h1:TflkAb/8Uy6JFBxcRaH2Fr6Slm9mCPVdI2efzxY96yU=
go.etcd.io/etcd/server/v3 v3.5.7/go.mod h1:gxBgT84issUVBRpZ3XkW1T55NjOb4vZZRI4wVvNhf4A=
go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.35.0/go.mod h1:h8TWwRAhQpOd0aM5nYsRD8+flnkj+526GEIVlarH7eY=
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.35.1/go.mod h1:9NiG9I2aHTKkcxqCILhjtyNA1QEiCjdBACv4IvrFQ+c=
@ -246,6 +266,7 @@ golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@ -276,9 +297,12 @@ google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:xZnkP7mR
google.golang.org/genproto v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:O9kGHb51iE/nOGvQaDUuadVYqovW56s5emA88lQnj6Y=
google.golang.org/genproto v0.0.0-20230711160842-782d3b101e98 h1:Z0hjGZePRE0ZBWotvtrwxFNrNE9CUAGtplaDK5NNI/g=
google.golang.org/genproto v0.0.0-20230711160842-782d3b101e98/go.mod h1:S7mY02OqCJTD0E1OiQy1F72PWFB4bZJ87cAtLPYgDR0=
google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d h1:VBu5YqKPv6XiJ199exd8Br+Aetz+o08F+PLMnwJQHAY=
google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d/go.mod h1:yZTlhN0tQnXo3h00fuXNCxJdLdIdnVFVBaRJ5LWBbw4=
google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig=
google.golang.org/genproto/googleapis/api v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:mPBs5jNgx2GuQGvFwUvVKqtn6HsUw9nP64BedgvqEsQ=
google.golang.org/genproto/googleapis/api v0.0.0-20230711160842-782d3b101e98/go.mod h1:rsr7RhLuwsDKL7RmgDDCUc6yaGr1iqceVb5Wv6f6YvQ=
google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d/go.mod h1:KjSP20unUpOx5kyQUFa7k4OJg0qeJ7DEZflGDu2p6Bk=
google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA=
google.golang.org/genproto/googleapis/rpc v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:8mL13HKkDa+IuJ8yruA3ci0q+0vsUz4m//+ottjwS5o=
google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
@ -290,11 +314,14 @@ google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQ
google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
k8s.io/klog/v2 v2.90.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
k8s.io/kms v0.27.6/go.mod h1:9YQuCFa+n88RWokHkl+4RHFQ9DATSip/ihBqxlDUBuw=
k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ=
k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM=
k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk=
k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.2/go.mod h1:+qG7ISXqCDVVcyO8hLn12AKVYYUjM7ftlqsqmrhMZE0=

4
images/kube-webhook-certgen/rootfs/go.mod
View file

@ -26,7 +26,7 @@ require (
github.com/google/go-cmp v0.5.9 // indirect
github.com/google/gofuzz v1.1.0 // indirect
github.com/google/pprof v0.0.0-20230926050212-f7f687d19a98 // indirect
github.com/google/uuid v1.3.0 // indirect
github.com/google/uuid v1.3.1 // indirect
github.com/imdario/mergo v0.3.6 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/josharian/intern v1.0.0 // indirect
@ -42,7 +42,7 @@ require (
github.com/spf13/pflag v1.0.5 // indirect
github.com/stretchr/testify v1.8.4 // indirect
github.com/tidwall/gjson v1.14.0 // indirect
golang.org/x/net v0.16.0 // indirect
golang.org/x/net v0.17.0 // indirect
golang.org/x/oauth2 v0.12.0 // indirect
golang.org/x/sys v0.13.0 // indirect
golang.org/x/term v0.13.0 // indirect

8
images/kube-webhook-certgen/rootfs/go.sum
View file

@ -202,8 +202,8 @@ github.com/google/pprof v0.0.0-20230926050212-f7f687d19a98/go.mod h1:czg5+yv1E0Z
github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4=
github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU=
@ -527,8 +527,8 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY
golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.16.0 h1:7eBu7KsSvFDtSXUIDbh3aqlK4DPsZ1rByC8PFfBThos=
golang.org/x/net v0.16.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=

1
images/nginx/rootfs/Dockerfile
View file

@ -39,7 +39,6 @@ RUN apk update \
openssl \
pcre \
zlib \
geoip \
ca-certificates \
patch \
yajl \

8
images/nginx/rootfs/build.sh
View file

@ -77,8 +77,8 @@ export LUA_UPSTREAM_VERSION=8aa93ead98ba2060d4efd594ae33a35d153589bf
# Check for recent changes: https://github.com/openresty/lua-cjson/compare/2.1.0.11...openresty:master
export LUA_CJSON_VERSION=2.1.0.11
# Check for recent changes: https://github.com/leev/ngx_http_geoip2_module/compare/3.3...master
export GEOIP2_VERSION=a26c6beed77e81553686852dceb6c7fdacc5970d
# Check for recent changes: https://github.com/leev/ngx_http_geoip2_module/compare/3.4...master
export GEOIP2_VERSION=a607a41a8115fecfc05b5c283c81532a3d605425
# Check for recent changes: https://github.com/openresty/luajit2/compare/v2.1-20230410...v2.1-agentzh
export LUAJIT_VERSION=2.1-20230410
@ -164,7 +164,6 @@ apk add \
linux-headers \
libxslt-dev \
gd-dev \
geoip-dev \
perl-dev \
libedit-dev \
mercurial \
@ -263,7 +262,7 @@ fi
get_src 8d39c6b23f941a2d11571daaccc04e69539a3fcbcc50a631837560d5861a7b96 \
"https://github.com/DataDog/dd-opentracing-cpp/archive/v$DATADOG_CPP_VERSION.tar.gz"
get_src 4c1933434572226942c65b2f2b26c8a536ab76aa771a3c7f6c2629faa764976b \
get_src b6c9c09fd43eb34a71e706ad780b2ead26549a9a9f59280fe558f5b7b980b7c6 \
"https://github.com/leev/ngx_http_geoip2_module/archive/$GEOIP2_VERSION.tar.gz"
get_src deb4ab1ffb9f3d962c4b4a2c4bdff692b86a209e3835ae71ebdf3b97189e40a9 \
@ -583,7 +582,6 @@ WITH_FLAGS="--with-debug \
--with-http_realip_module \
--with-http_auth_request_module \
--with-http_addition_module \
--with-http_geoip_module \
--with-http_gzip_static_module \
--with-http_sub_module \
--with-http_v2_module \

BIN
images/nginx/rootfs/etc/nginx/geoip/GeoIP.dat
View file

Binary file not shown.

BIN
images/nginx/rootfs/etc/nginx/geoip/GeoIPASNum.dat
View file

Binary file not shown.

BIN
images/nginx/rootfs/etc/nginx/geoip/GeoLiteCity.dat
View file

Binary file not shown.

3
internal/ingress/annotations/annotations.go
View file

@ -51,7 +51,6 @@ import (
"k8s.io/ingress-nginx/internal/ingress/annotations/loadbalancing"
"k8s.io/ingress-nginx/internal/ingress/annotations/log"
"k8s.io/ingress-nginx/internal/ingress/annotations/mirror"
"k8s.io/ingress-nginx/internal/ingress/annotations/opentracing"
"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
"k8s.io/ingress-nginx/internal/ingress/annotations/portinredirect"
"k8s.io/ingress-nginx/internal/ingress/annotations/proxy"
@ -94,7 +93,6 @@ type Ingress struct {
ExternalAuth authreq.Config
EnableGlobalAuth bool
HTTP2PushPreload bool
Opentracing opentracing.Config
Opentelemetry opentelemetry.Config
Proxy proxy.Config
ProxySSL proxyssl.Config
@ -145,7 +143,6 @@ func NewAnnotationExtractor(cfg resolver.Resolver) Extractor {
"ExternalAuth": authreq.NewParser(cfg),
"EnableGlobalAuth": authreqglobal.NewParser(cfg),
"HTTP2PushPreload": http2pushpreload.NewParser(cfg),
"Opentracing": opentracing.NewParser(cfg),
"Opentelemetry": opentelemetry.NewParser(cfg),
"Proxy": proxy.NewParser(cfg),
"ProxySSL": proxyssl.NewParser(cfg),

4
internal/ingress/annotations/cors/main.go
View file

@ -201,6 +201,10 @@ func (c cors) Parse(ing *networking.Ingress) (interface{}, error) {
origins := strings.Split(unparsedOrigins, ",")
for _, origin := range origins {
origin = strings.TrimSpace(origin)
if origin == "" {
continue
}
if origin == "*" {
config.CorsAllowOrigin = []string{"*"}
break

31
internal/ingress/annotations/cors/main_test.go
View file

@ -17,6 +17,7 @@ limitations under the License.
package cors
import (
"reflect"
"testing"
api "k8s.io/api/core/v1"
@ -172,3 +173,33 @@ func TestIngressCorsConfigInvalid(t *testing.T) {
t.Errorf("expected %v but returned %v", defaultCorsMaxAge, nginxCors.CorsMaxAge)
}
}
func TestIngresCorsConfigAllowOriginWithTrailingComma(t *testing.T) {
ing := buildIngress()
data := map[string]string{}
data[parser.GetAnnotationWithPrefix(corsEnableAnnotation)] = "true"
// Include a trailing comma and an empty value between the commas.
data[parser.GetAnnotationWithPrefix(corsAllowOriginAnnotation)] = "https://origin123.test.com:4443, ,https://origin321.test.com:4443,"
ing.SetAnnotations(data)
corst, err := NewParser(&resolver.Mock{}).Parse(ing)
if err != nil {
t.Errorf("error parsing annotations: %v", err)
}
nginxCors, ok := corst.(*Config)
if !ok {
t.Errorf("expected a Config type but returned %t", corst)
}
if !nginxCors.CorsEnabled {
t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix(corsEnableAnnotation)], nginxCors.CorsEnabled)
}
expectedCorsAllowOrigins := []string{"https://origin123.test.com:4443", "https://origin321.test.com:4443"}
if !reflect.DeepEqual(nginxCors.CorsAllowOrigin, expectedCorsAllowOrigins) {
t.Errorf("expected %v but returned %v", expectedCorsAllowOrigins, nginxCors.CorsAllowOrigin)
}
}

7
internal/ingress/annotations/fastcgi/main.go
View file

@ -36,7 +36,10 @@ const (
)
// fast-cgi valid parameters is just a single file name (like index.php)
var regexValidIndexAnnotationAndKey = regexp.MustCompile(`^[A-Za-z0-9.\-\_]+$`)
var (
regexValidIndexAnnotationAndKey = regexp.MustCompile(`^[A-Za-z0-9.\-\_]+$`)
validFCGIValue = regexp.MustCompile(`^[A-Za-z0-9\-\_\$\{\}/.]*$`)
)
var fastCGIAnnotations = parser.Annotation{
Group: "fastcgi",
@ -142,7 +145,7 @@ func (a fastcgi) Parse(ing *networking.Ingress) (interface{}, error) {
}
for k, v := range cmap.Data {
if !regexValidIndexAnnotationAndKey.MatchString(k) || !parser.NGINXVariable.MatchString(v) {
if !regexValidIndexAnnotationAndKey.MatchString(k) || !validFCGIValue.MatchString(v) {
klog.ErrorS(fmt.Errorf("fcgi contains invalid key or value"), "fcgi annotation error", "configmap", cmap.Name, "namespace", cmap.Namespace, "key", k, "value", v)
return fcgiConfig, ing_errors.NewValidationError(fastCGIParamsAnnotation)
}

12
internal/ingress/annotations/fastcgi/main_test.go
View file

@ -371,6 +371,18 @@ func Test_fastcgi_Parse(t *testing.T) {
want: Config{Index: "indexxpto-92123.php"},
wantErr: true,
},
{
name: "invalid configmap values val",
index: "indexxpto-92123.php",
configmapname: "default/fcgiconfig",
configmap: map[string]string{
"SCRIPT_FILENAME": "/app/src/index.php",
},
want: Config{Index: "indexxpto-92123.php", Params: map[string]string{
"SCRIPT_FILENAME": "/app/src/index.php",
}},
wantErr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {

113
internal/ingress/annotations/opentracing/main.go
View file

@ -1,113 +0,0 @@
/*
Copyright 2019 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package opentracing
import (
networking "k8s.io/api/networking/v1"
"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
"k8s.io/ingress-nginx/internal/ingress/resolver"
)
const (
enableOpentracingAnnotation = "enable-opentracing"
opentracingTrustSpanAnnotation = "opentracing-trust-incoming-span"
)
var opentracingAnnotations = parser.Annotation{
Group: "opentracing",
Annotations: parser.AnnotationFields{
enableOpentracingAnnotation: {
Validator: parser.ValidateBool,
Scope: parser.AnnotationScopeLocation,
Risk: parser.AnnotationRiskLow,
Documentation: `This annotation defines if Opentracing collector should be enable for this location. Opentracing should
already be configured by Ingress administrator`,
},
opentracingTrustSpanAnnotation: {
Validator: parser.ValidateBool,
Scope: parser.AnnotationScopeLocation,
Risk: parser.AnnotationRiskLow,
Documentation: `This annotation enables or disables using spans from incoming requests as parent for created ones`,
},
},
}
type opentracing struct {
r resolver.Resolver
annotationConfig parser.Annotation
}
// Config contains the configuration to be used in the Ingress
type Config struct {
Enabled bool `json:"enabled"`
Set bool `json:"set"`
TrustEnabled bool `json:"trust-enabled"`
TrustSet bool `json:"trust-set"`
}
// Equal tests for equality between two Config types
func (bd1 *Config) Equal(bd2 *Config) bool {
if bd1.Set != bd2.Set {
return false
}
if bd1.Enabled != bd2.Enabled {
return false
}
if bd1.TrustSet != bd2.TrustSet {
return false
}
if bd1.TrustEnabled != bd2.TrustEnabled {
return false
}
return true
}
// NewParser creates a new serviceUpstream annotation parser
func NewParser(r resolver.Resolver) parser.IngressAnnotation {
return opentracing{
r: r,
annotationConfig: opentracingAnnotations,
}
}
func (o opentracing) Parse(ing *networking.Ingress) (interface{}, error) {
enabled, err := parser.GetBoolAnnotation(enableOpentracingAnnotation, ing, o.annotationConfig.Annotations)
if err != nil {
return &Config{}, nil
}
trustSpan, err := parser.GetBoolAnnotation(opentracingTrustSpanAnnotation, ing, o.annotationConfig.Annotations)
if err != nil {
return &Config{Set: true, Enabled: enabled}, nil
}
return &Config{Set: true, Enabled: enabled, TrustSet: true, TrustEnabled: trustSpan}, nil
}
func (o opentracing) GetDocumentation() parser.AnnotationFields {
return o.annotationConfig.Annotations
}
func (o opentracing) Validate(anns map[string]string) error {
maxrisk := parser.StringRiskToRisk(o.r.GetSecurityConfiguration().AnnotationsRiskLevel)
return parser.CheckAnnotationRisk(anns, maxrisk, opentracingAnnotations.Annotations)
}

159
internal/ingress/annotations/opentracing/main_test.go
View file

@ -1,159 +0,0 @@
/*
Copyright 2019 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package opentracing
import (
"testing"
api "k8s.io/api/core/v1"
networking "k8s.io/api/networking/v1"
meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
"k8s.io/ingress-nginx/internal/ingress/resolver"
)
const enableAnnotation = "true"
func buildIngress() *networking.Ingress {
defaultBackend := networking.IngressBackend{
Service: &networking.IngressServiceBackend{
Name: "default-backend",
Port: networking.ServiceBackendPort{
Number: 80,
},
},
}
return &networking.Ingress{
ObjectMeta: meta_v1.ObjectMeta{
Name: "foo",
Namespace: api.NamespaceDefault,
},
Spec: networking.IngressSpec{
DefaultBackend: &networking.IngressBackend{
Service: &networking.IngressServiceBackend{
Name: "default-backend",
Port: networking.ServiceBackendPort{
Number: 80,
},
},
},
Rules: []networking.IngressRule{
{
Host: "foo.bar.com",
IngressRuleValue: networking.IngressRuleValue{
HTTP: &networking.HTTPIngressRuleValue{
Paths: []networking.HTTPIngressPath{
{
Path: "/foo",
Backend: defaultBackend,
},
},
},
},
},
},
},
}
}
func TestIngressAnnotationOpentracingSetTrue(t *testing.T) {
ing := buildIngress()
data := map[string]string{}
data[parser.GetAnnotationWithPrefix(enableOpentracingAnnotation)] = enableAnnotation
ing.SetAnnotations(data)
val, err := NewParser(&resolver.Mock{}).Parse(ing)
if err != nil {
t.Errorf("unexpected error %v", err)
}
openTracing, ok := val.(*Config)
if !ok {
t.Errorf("expected a Config type")
}
if !openTracing.Enabled {
t.Errorf("expected annotation value to be true, got false")
}
}
func TestIngressAnnotationOpentracingSetFalse(t *testing.T) {
ing := buildIngress()
// Test with explicitly set to false
data := map[string]string{}
data[parser.GetAnnotationWithPrefix(enableOpentracingAnnotation)] = "false"
ing.SetAnnotations(data)
val, err := NewParser(&resolver.Mock{}).Parse(ing)
if err != nil {
t.Errorf("unexpected error %v", err)
}
openTracing, ok := val.(*Config)
if !ok {
t.Errorf("expected a Config type")
}
if openTracing.Enabled {
t.Errorf("expected annotation value to be false, got true")
}
}
func TestIngressAnnotationOpentracingTrustSetTrue(t *testing.T) {
ing := buildIngress()
data := map[string]string{}
data[parser.GetAnnotationWithPrefix(enableOpentracingAnnotation)] = enableAnnotation
data[parser.GetAnnotationWithPrefix(opentracingTrustSpanAnnotation)] = enableAnnotation
ing.SetAnnotations(data)
val, err := NewParser(&resolver.Mock{}).Parse(ing)
if err != nil {
t.Errorf("unexpected error %v", err)
}
openTracing, ok := val.(*Config)
if !ok {
t.Errorf("expected a Config type")
}
if !openTracing.Enabled {
t.Errorf("expected annotation value to be true, got false")
}
if !openTracing.TrustEnabled {
t.Errorf("expected annotation value to be true, got false")
}
}
func TestIngressAnnotationOpentracingUnset(t *testing.T) {
ing := buildIngress()
// Test with no annotation specified
data := map[string]string{}
ing.SetAnnotations(data)
val, err := NewParser(&resolver.Mock{}).Parse(ing)
if err != nil {
t.Errorf("unexpected error: %v", err)
}
_, ok := val.(*Config)
if !ok {
t.Errorf("expected a Config type")
}
}

2
internal/ingress/annotations/parser/validators.go
View file

@ -71,7 +71,7 @@ var (
NGINXVariable = regexp.MustCompile(`^[A-Za-z0-9\-\_\$\{\}]*$`)
// RegexPathWithCapture allows entries that SHOULD start with "/" and may contain alphanumeric + capture
// character for regex based paths, like /something/$1/anything/$2
RegexPathWithCapture = regexp.MustCompile(`^/[` + alphaNumericChars + `\/\$]*$`)
RegexPathWithCapture = regexp.MustCompile(`^/?[` + alphaNumericChars + `\/\$]*$`)
// HeadersVariable defines a regex that allows headers separated by comma
HeadersVariable = regexp.MustCompile(`^[A-Za-z0-9-_, ]*$`)
// URLWithNginxVariableRegex defines a url that can contain nginx variables.

2
internal/ingress/annotations/sessionaffinity/main.go
View file

@ -129,7 +129,7 @@ var sessionAffinityAnnotations = parser.Annotation{
Documentation: `This annotation defines the Domain attribute of the sticky cookie.`,
},
annotationAffinityCookieSameSite: {
Validator: parser.ValidateOptions([]string{"None", "Lax", "Strict"}, false, true),
Validator: parser.ValidateOptions([]string{"none", "lax", "strict"}, false, true),
Scope: parser.AnnotationScopeIngress,
Risk: parser.AnnotationRiskLow,
Documentation: `This annotation is used to apply a SameSite attribute to the sticky cookie.

5
internal/ingress/annotations/sessionaffinity/main_test.go
View file

@ -79,6 +79,7 @@ func TestIngressAffinityCookieConfig(t *testing.T) {
data[parser.GetAnnotationWithPrefix(annotationAffinityCookieMaxAge)] = "3000"
data[parser.GetAnnotationWithPrefix(annotationAffinityCookiePath)] = "/foo"
data[parser.GetAnnotationWithPrefix(annotationAffinityCookieDomain)] = "foo.bar"
data[parser.GetAnnotationWithPrefix(annotationAffinityCookieSameSite)] = "Strict"
data[parser.GetAnnotationWithPrefix(annotationAffinityCookieChangeOnFailure)] = "true"
data[parser.GetAnnotationWithPrefix(annotationAffinityCookieSecure)] = "true"
ing.SetAnnotations(data)
@ -121,6 +122,10 @@ func TestIngressAffinityCookieConfig(t *testing.T) {
t.Errorf("expected foo.bar as session-cookie-domain but returned %v", nginxAffinity.Cookie.Domain)
}
if nginxAffinity.Cookie.SameSite != "Strict" {
t.Errorf("expected Strict as session-cookie-same-site but returned %v", nginxAffinity.Cookie.SameSite)
}
if !nginxAffinity.Cookie.ChangeOnFailure {
t.Errorf("expected change of failure parameter set to true but returned %v", nginxAffinity.Cookie.ChangeOnFailure)
}

7
internal/ingress/annotations/xforwardedprefix/main.go
View file

@ -31,10 +31,11 @@ var xForwardedForAnnotations = parser.Annotation{
Group: "backend",
Annotations: parser.AnnotationFields{
xForwardedForPrefixAnnotation: {
Validator: parser.ValidateRegex(parser.BasicCharsRegex, true),
Validator: parser.ValidateRegex(parser.RegexPathWithCapture, true),
Scope: parser.AnnotationScopeLocation,
Risk: parser.AnnotationRiskLow, // Low, as it allows regexes but on a very limited set
Documentation: `This annotation can be used to add the non-standard X-Forwarded-Prefix header to the upstream request with a string value`,
Risk: parser.AnnotationRiskMedium,
Documentation: `This annotation can be used to add the non-standard X-Forwarded-Prefix header to the upstream request with a string value. It can
contain regular characters and captured groups specified as '$1', '$2', etc.`,
},
},
}

1
internal/ingress/annotations/xforwardedprefix/main_test.go
View file

@ -40,6 +40,7 @@ func TestParse(t *testing.T) {
{map[string]string{annotation: "true"}, "true"},
{map[string]string{annotation: "1"}, "1"},
{map[string]string{annotation: ""}, ""},
{map[string]string{annotation: "/$1"}, "/$1"},
{map[string]string{}, ""},
{nil, ""},
}

124
internal/ingress/controller/config/config.go
View file

@ -46,7 +46,7 @@ const (
// that tell browsers that it should only be communicated with using HTTPS, instead of using HTTP.
// https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
// max-age is the time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS.
hstsMaxAge = "15724800"
hstsMaxAge = "31536000"
gzipTypes = "application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/x-component"
@ -572,22 +572,6 @@ type Configuration struct {
// Default: true
ProxyAddOriginalURIHeader bool `json:"proxy-add-original-uri-header"`
// EnableOpentracing enables the nginx Opentracing extension
// https://github.com/opentracing-contrib/nginx-opentracing
// By default this is disabled
EnableOpentracing bool `json:"enable-opentracing"`
// OpentracingOperationName specifies a custom name for the server span
OpentracingOperationName string `json:"opentracing-operation-name"`
// OpentracingOperationName specifies a custom name for the location span
OpentracingLocationOperationName string `json:"opentracing-location-operation-name"`
// OpentracingTrustIncomingSpan sets whether or not to trust incoming trace spans
// If false, incoming span headers will be rejected
// Default: true
OpentracingTrustIncomingSpan bool `json:"opentracing-trust-incoming-span"`
// EnableOpentelemetry enables the nginx Opentelemetry extension
// By default this is disabled
EnableOpentelemetry bool `json:"enable-opentelemetry"`
@ -639,94 +623,6 @@ type Configuration struct {
// Default: 512
OtelMaxExportBatchSize int32 `json:"otel-max-export-batch-size"`
// ZipkinCollectorHost specifies the host to use when uploading traces
ZipkinCollectorHost string `json:"zipkin-collector-host"`
// ZipkinCollectorPort specifies the port to use when uploading traces
// Default: 9411
ZipkinCollectorPort int `json:"zipkin-collector-port"`
// ZipkinServiceName specifies the service name to use for any traces created
// Default: nginx
ZipkinServiceName string `json:"zipkin-service-name"`
// ZipkinSampleRate specifies sampling rate for traces
// Default: 1.0
ZipkinSampleRate float32 `json:"zipkin-sample-rate"`
// JaegerCollectorHost specifies the host to use when uploading traces
JaegerCollectorHost string `json:"jaeger-collector-host"`
// JaegerCollectorPort specifies the port to use when uploading traces
// Default: 6831
JaegerCollectorPort int `json:"jaeger-collector-port"`
// JaegerEndpoint specifies the enpoint to use when uploading traces to a collector over TCP
JaegerEndpoint string `json:"jaeger-endpoint"`
// JaegerServiceName specifies the service name to use for any traces created
// Default: nginx
JaegerServiceName string `json:"jaeger-service-name"`
// JaegerPropagationFormat specifies the traceparent/tracestate propagation format
JaegerPropagationFormat string `json:"jaeger-propagation-format"`
// JaegerSamplerType specifies the sampler to be used when sampling traces.
// The available samplers are: const, probabilistic, ratelimiting, remote
// Default: const
JaegerSamplerType string `json:"jaeger-sampler-type"`
// JaegerSamplerParam specifies the argument to be passed to the sampler constructor
// Default: 1
JaegerSamplerParam string `json:"jaeger-sampler-param"`
// JaegerSamplerHost specifies the host used for remote sampling consultation
// Default: http://127.0.0.1
JaegerSamplerHost string `json:"jaeger-sampler-host"`
// JaegerSamplerHost specifies the host used for remote sampling consultation
// Default: 5778
JaegerSamplerPort int `json:"jaeger-sampler-port"`
// JaegerTraceContextHeaderName specifies the header name used for passing trace context
// Default: uber-trace-id
JaegerTraceContextHeaderName string `json:"jaeger-trace-context-header-name"`
// JaegerDebugHeader specifies the header name used for force sampling
// Default: jaeger-debug-id
JaegerDebugHeader string `json:"jaeger-debug-header"`
// JaegerBaggageHeader specifies the header name used to submit baggage if there is no root span
// Default: jaeger-baggage
JaegerBaggageHeader string `json:"jaeger-baggage-header"`
// TraceBaggageHeaderPrefix specifies the header prefix used to propagate baggage
// Default: uberctx-
JaegerTraceBaggageHeaderPrefix string `json:"jaeger-tracer-baggage-header-prefix"`
// DatadogCollectorHost specifies the datadog agent host to use when uploading traces
DatadogCollectorHost string `json:"datadog-collector-host"`
// DatadogCollectorPort specifies the port to use when uploading traces
// Default: 8126
DatadogCollectorPort int `json:"datadog-collector-port"`
// DatadogEnvironment specifies the environment this trace belongs to.
// Default: prod
DatadogEnvironment string `json:"datadog-environment"`
// DatadogServiceName specifies the service name to use for any traces created
// Default: nginx
DatadogServiceName string `json:"datadog-service-name"`
// DatadogOperationNameOverride overrides the operation naem to use for any traces crated
// Default: nginx.handle
DatadogOperationNameOverride string `json:"datadog-operation-name-override"`
// DatadogSampleRate specifies sample rate for any traces created.
// Default: use a dynamic rate instead
DatadogSampleRate *float32 `json:"datadog-sample-rate,omitempty"`
// MainSnippet adds custom configuration to the main section of the nginx configuration
MainSnippet string `json:"main-snippet"`
@ -991,9 +887,8 @@ func NewDefault() Configuration {
LimitConnZoneVariable: defaultLimitConnZoneVariable,
BindAddressIpv4: defBindAddress,
BindAddressIpv6: defBindAddress,
OpentracingTrustIncomingSpan: true,
OpentelemetryTrustIncomingSpan: true,
OpentelemetryConfig: "/etc/nginx/opentelemetry.toml",
OpentelemetryConfig: "/etc/ingress-controller/telemetry/opentelemetry.toml",
OtlpCollectorPort: "4317",
OtelServiceName: "nginx",
OtelSampler: "AlwaysOn",
@ -1002,21 +897,6 @@ func NewDefault() Configuration {
OtelScheduleDelayMillis: 5000,
OtelMaxExportBatchSize: 512,
OtelMaxQueueSize: 2048,
ZipkinCollectorPort: 9411,
ZipkinServiceName: "nginx",
ZipkinSampleRate: 1.0,
JaegerCollectorPort: 6831,
JaegerPropagationFormat: "jaeger",
JaegerServiceName: "nginx",
JaegerSamplerType: "const",
JaegerSamplerParam: "1",
JaegerSamplerPort: 5778,
JaegerSamplerHost: "http://127.0.0.1",
DatadogServiceName: "nginx",
DatadogEnvironment: "prod",
DatadogCollectorPort: 8126,
DatadogOperationNameOverride: "nginx.handle",
DatadogSampleRate: nil,
LimitReqStatusCode: 503,
LimitConnStatusCode: 503,
SyslogPort: 514,

1
internal/ingress/controller/controller.go
View file

@ -1507,7 +1507,6 @@ func locationApplyAnnotations(loc *ingress.Location, anns *annotations.Ingress)
loc.ExternalAuth = anns.ExternalAuth
loc.EnableGlobalAuth = anns.EnableGlobalAuth
loc.HTTP2PushPreload = anns.HTTP2PushPreload
loc.Opentracing = anns.Opentracing
loc.Opentelemetry = anns.Opentelemetry
loc.Proxy = anns.Proxy
loc.ProxySSL = anns.ProxySSL

Some files were not shown because too many files have changed in this diff Show more