DevFW-CICD/ingress-nginx-helm
14
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge remote-tracking branch 'base/master' into fix/collect-metrics-if-metrics-per-host-false

Browse source
This commit is contained in:
Christian Hoffmeister 2020-03-13 07:17:49 +01:00
commit 19770f5b41
2674 changed files with 371760 additions and 171868 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.dockerignore
View file

@ -1,2 +0,0 @@
core

49
.github/ISSUE_TEMPLATE.md vendored
View file

@ -1,49 +0,0 @@
<!-- Thanks for filing an issue! Before hitting the button, please answer these questions.-->
**Is this a request for help?** (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.):
**What keywords did you search in NGINX Ingress controller issues before filing this one?** (If you have found any duplicates, you should instead reply there.):
---
**Is this a BUG REPORT or FEATURE REQUEST?** (choose one):
<!--
If this is a BUG REPORT, please:
- Fill in as much of the template below as you can. If you leave out
information, we can't help you as well.
If this is a FEATURE REQUEST, please:
- Describe *in detail* the feature/behavior/change you'd like to see.
In both cases, be ready for followup questions, and please respond in a timely
manner. If we can't reproduce a bug or think a feature already exists, we
might close your issue. If we're wrong, PLEASE feel free to reopen it and
explain why.
-->
**NGINX Ingress controller version**:
**Kubernetes version** (use `kubectl version`):
**Environment**:
- **Cloud provider or hardware configuration**:
- **OS** (e.g. from /etc/os-release):
- **Kernel** (e.g. `uname -a`):
- **Install tools**:
- **Others**:
**What happened**:
**What you expected to happen**:
**How to reproduce it** (as minimally and precisely as possible):
**Anything else we need to know**:

99
.github/ISSUE_TEMPLATE/bug_report.md vendored Normal file
View file

@ -0,0 +1,99 @@
---
name: Bug report
about: Problems and issues with code or docs
title: ''
labels: kind/bug
assignees: ''
---
<!--
Welcome to ingress-nginx! For a smooth issue process, try to answer the following questions.
Don't worry if they're not all applicable; just try to include what you can :-)
If you need to include code snippets or logs, please put them in fenced code
blocks. If they're super-long, please use the details tag like
<details><summary>super-long log</summary> lots of stuff </details>
-->
<!--
IMPORTANT!!!
Please complete the next sections or the issue will be closed.
This questions are the first thing we need to know to understand the context.
-->
**NGINX Ingress controller version**:
**Kubernetes version** (use `kubectl version`):
**Environment**:
- **Cloud provider or hardware configuration**:
- **OS** (e.g. from /etc/os-release):
- **Kernel** (e.g. `uname -a`):
- **Install tools**:
- **Others**:
**What happened**:
<!-- (please include exact error messages if you can) -->
**What you expected to happen**:
<!-- What do you think went wrong? -->
**How to reproduce it**:
<!---
As minimally and precisely as possible. Keep in mind we do not have access to your cluster or application.
Help up us (if possible) reproducing the issue using minikube or kind.
## Install minikube/kind
- Minikube https://minikube.sigs.k8s.io/docs/start/
- Kind https://kind.sigs.k8s.io/docs/user/quick-start/
## Install the ingress controller
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/mandatory.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/baremetal/service-nodeport.yaml
## Install an application that will act as default backend (is just an echo app)
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/http-svc.yaml
## Create an ingress (please add any additional annotation required)
echo "
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: foo-bar
spec:
rules:
- host: foo.bar
http:
paths:
- backend:
serviceName: http-svc
servicePort: 80
path: /
" | kubectl apply -f -
## make a request
POD_NAME=$(k get pods -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx -o NAME)
kubectl exec -it -n ingress-nginx $POD_NAME -- curl -H 'Host: foo.bar' localhost
--->
**Anything else we need to know**:
<!-- If this is actually about documentation, add `/kind documentation` below -->
/kind bug

30
.github/ISSUE_TEMPLATE/feature_request.md vendored Normal file
View file

@ -0,0 +1,30 @@
---
name: Feature request
about: Suggest an idea for this project or its docs
title: ''
labels: kind/feature
assignees: ''
---
<!--
Welcome to ingress-nginx! For a smooth feature request process, try to
answer the following questions. Don't worry if they're not all applicable; just
try to include what you can :-)
If you need to include code snippets or logs, please put them in fenced code
blocks. If they're super-long, please use the details tag like
<details><summary>super-long log</summary> lots of stuff </details>
-->
<!-- What do you want to happen? -->
<!-- Is there currently another issue associated with this? -->
<!-- Does it require a particular kubernetes version? -->
<!-- If this is actually about documentation, add `/kind documentation` below -->
/kind feature

37
.github/ISSUE_TEMPLATE/support-question.md vendored Normal file
View file

@ -0,0 +1,37 @@
---
name: Question
about: Any questions you might have.
title: ''
labels: triage/support
assignees: ''
---
<!--
Welcome to ingress-nginx!
You probably didn't want to be one this page. It shouldn't really be here anyway.
* If you want a quick response to a question, ask on the Kubernetes Slack instance in #ingress-nginx.
* If this is actually a bug or a feature request, file one of those. If you're
not sure which, just take a guess and we can always re-label.
* If you think this might turn into a bug or feature request, but you're not
sure, try asking in Slack first.
-->
<!--
Still here? Double-check that this hasn't been asked before, then put your question below
with as many details as possible.
If you need to include code snippets or logs, please put them in fenced code
blocks. If they're super-long, please use the details tag like
<details><summary>super-long log</summary> lots of stuff </details>
-->
/triage support

37
.github/PULL_REQUEST_TEMPLATE.md vendored
View file

@ -1,10 +1,33 @@
<!-- Thanks for sending a pull request! Here are some tips for you:
1. If this is your first time, read our contributor guidelines https://git.k8s.io/community/contributors/guide/pull-requests.md#the-pull-request-submit-process and developer guide https://git.k8s.io/community/contributors/devel/development.md#development-guide
2. If you want *faster* PR reviews, read how: https://git.k8s.io/community/contributors/guide/pull-requests.md#best-practices-for-faster-reviews
<!--- Provide a general summary of your changes in the Title above --->
<!--- Please don't @-mention people in PR or commit messages (do so in an additional comment). --->
## What this PR does / why we need it:
<!--- Why is this change required? What problem does it solve? -->
<!--- If it fixes an open issue, please link to the issue here. -->
## Types of changes
<!--- What types of changes does your code introduce? Put an `x` in all the boxes that apply: -->
- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to change)
## Which issue/s this PR fixes
<!--
(optional, in `fixes #<issue number>` format, will close that issue when PR gets merged):
fixes #
-->
**What this PR does / why we need it**:
## How Has This Been Tested?
<!--- Please describe in detail how you tested your changes. -->
<!--- Include details of your testing environment, and the tests you ran to -->
<!--- see how your change affects other areas of the code, etc. -->
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
**Special notes for your reviewer**:
## Checklist:
<!--- Go over all the following points, and put an `x` in all the boxes that apply. -->
<!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->
- [ ] My change requires a change to the documentation.
- [ ] I have updated the documentation accordingly.
- [ ] I've read the [CONTRIBUTION](https://github.com/kubernetes/ingress-nginx/blob/master/CONTRIBUTING.md) guide
- [ ] I have added tests to cover my changes.
- [ ] All new and existing tests passed.

8
.github/actions/mkdocs/Dockerfile vendored Normal file
View file

@ -0,0 +1,8 @@
FROM squidfunk/mkdocs-material:4.6.3
COPY action.sh /action.sh
RUN apk add --no-cache bash \
&& chmod +x /action.sh
ENTRYPOINT ["/action.sh"]

53
.github/actions/mkdocs/action.sh vendored Normal file
View file

@ -0,0 +1,53 @@
#!/bin/bash
# Copyright 2020 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -e
REQUIREMENTS="${GITHUB_WORKSPACE}/requirements.txt"
if [ -f "${REQUIREMENTS}" ]; then
pip install -r "${REQUIREMENTS}"
fi
if [ -n "${GITHUB_TOKEN}" ]; then
remote_repo="https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
elif [ -n "${PERSONAL_TOKEN}" ]; then
remote_repo="https://x-access-token:${PERSONAL_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
fi
git config --global user.name "$GITHUB_ACTOR"
git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com"
mkdocs build --config-file "${GITHUB_WORKSPACE}/mkdocs.yml"
git clone --branch=gh-pages --depth=1 "${remote_repo}" gh-pages
cd gh-pages
# TODO: enable before release of helm chart
# copy current index file index.yaml before any change
#temp_worktree=$(mktemp -d)
#cp --force "index.yaml" "$temp_worktree/index.yaml"
# remove current content in branch gh-pages
git rm -r .
# copy new doc.
cp -r ../site/* .
# restore chart index
# TODO: enable before release of helm chart
#cp "$temp_worktree/index.yaml" .
# commit changes
git add .
git commit -m "Deploy GitHub Pages"
git push --force --quiet "${remote_repo}" gh-pages > /dev/null 2>&1

9
.github/actions/mkdocs/action.yml vendored Normal file
View file

@ -0,0 +1,9 @@
# action.yml
name: 'Deploy MkDocs'
description: 'Deploys MkDocs site'
branding:
icon: 'arrow-up-circle'
color: 'orange'
runs:
using: 'docker'
image: 'Dockerfile'

23
.github/workflows/main.yaml vendored Normal file
View file

@ -0,0 +1,23 @@
name: docs and Helm chart
on:
push:
branches:
- master
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout master
uses: actions/checkout@v1
#- name: Run chart-releaser
# uses: helm/chart-releaser-action@v1.0.0-alpha.2
# env:
# CR_TOKEN: "${{ secrets.PERSONAL_TOKEN }}"
- name: Deploy docs
uses: ./.github/actions/mkdocs
env:
PERSONAL_TOKEN: ${{ secrets.PERSONAL_TOKEN }}

34
.gitignore vendored
View file

@ -25,15 +25,6 @@
Session.vim
.netrwhist
# coverage artifacts
.coverprofile
/gover.coverprofile
e2e-tests
coverage.txt
test/e2e/e2e\.test
# mkdocs
site
@ -41,9 +32,24 @@ site
gh-pages
# Docker-based builds
/test/binaries
/.env
/.gocache/
/bin/
test/binaries
test/e2e-image/wait-for-nginx\.sh
# coverage artifacts
.coverprofile
gover.coverprofile
e2e-tests
coverage.txt
test/e2e/e2e\.test
.env
.gocache/
bin
test/e2e-image/wait-for-nginx.sh
.cache
cover.out
# secret terraform variables
build/images/nginx/aws.tfvars
build/images/nginx/env.tfvars
images/fastcgi-helloserver/rootfs/fastcgi-helloserver

2
.luacheckrc
View file

@ -2,7 +2,7 @@ std = 'ngx_lua'
globals = {
'_TEST'
}
exclude_files = {'./rootfs/etc/nginx/lua/test/**/*.lua'}
exclude_files = {'./rootfs/etc/nginx/lua/test/**/*.lua', './rootfs/etc/nginx/lua/plugins/**/test/**/*.lua'}
files["rootfs/etc/nginx/lua/lua_ingress.lua"] = {
ignore = { "122" },
-- TODO(elvinefendi) figure out why this does not work

29
.travis.yml
View file

@ -1,29 +0,0 @@
dist: trusty
sudo: required
services:
- docker
language: generic
notifications:
email:
on_failure: always
on_success: never
# New secure variables can be added using travis encrypt -r kubernetes/ingress-nginx --add K=V
env:
global:
- GH_REF=github.com/kubernetes/ingress-nginx
- secure: LIS2XpZufWTcJ53jiRsSZy2Gi1EUJ1XmLg7z3f2ZHeMnyG2Jhk3GW4vod1FNru+PY4PWgddLdCdIl+jqOYXndFlbdAWF3/Oy5fEkYLXdYV7tdlHcPWDkqNFrfiyZ4guChN+b2Nk6FqU7o5fsZAIR7VAbgqNRF5XMo9Mhn/vhDCQRcnbXy7uq7JTrYUkqDbQoyYvT6b480GCY5gags1zp/xZfPDNZEe936o8i5IPTyiykRyNOXN/AH6kd3pR5e1xYgcvJ9KpSVPghcwFE7kJ4fOVMRhRG5ML+IyML+xD0jX43EMNoqRKZ/HS42kIMCInFbJEcxVde7DPNBZ7Y3GAqh7HO6qrE70Dn3ha6DID6zCoH2ArW39BxG4zempjn2VxYoMRGREyZszWQb++dwGoHmo5FHt6zvIrYBG0dA0H8ja9VkZkjFwtYTGHU1ooPzUfJK4O4VBayV8LqZibyZQR+GrmyQc0aagUY7J/fe4A2PJyI4DbkeZ7GX1ELj0ciDz4urQSzUc8l/T3aU3X+FuJItjgYtMLPmqcjA5uifDCtutE8Z9L2gSpanqUdvLSOozuxPho/KNl+2YlF7fXqPW3LnRf5mHD+NbOff306pvKlHJOb2Vmth+HBQ1XDzt/Cy5+sfwS3E0Vmh6UTq/NtkUXxwH10BDMF7FMVlQ4zdHQvyZ0=
- secure: rKDoy9IYYYy0fYBs4+9mwuBVq/TcxfFwMfE0ywYWhUUdgzrUYSJAwpoe/96EQ4YmESUefwC2nDNq4G3XzJKYOWf83PaIveb9Z//zmMrCQXjDuDBDLpwV3sXSh7evXiVDohJz4ogBCeMRUCMKYsyKBM9yWfa/iu+yI92dbphpK9peOKW6yBc0uspJlln4swN3GS2WT9LVuPY2Azv9U2UqrXufOPDKG/qEb/Vrn4yZ2lR/50r2k45e9nSvDoByvr10V8ubM5Zc0iP0vBuAUVRdByv6N53Q4gaBGapY6SxhIjIPC/h0rNnuT9EXp7MWaPT5FmBxLt9wnyleT9QhZJnFyaBYqFgcz/DKifYQkryY4M5dLMo/Rt3yATyAy8Y0df1TOoV2dKdqwOOwQ8bXB1wDfyrGxmQj9HY4Ffnphx3wPE1a+Sjuh+S5Epm7XJbPx5pZJqNO2hd4sTbk0Xp3gpPbihny2r/jtNwHl0wpFCfOM68RNrsVRlIwG3UhzbZvblbQ/M/mmWCdgzINjt07I2SGCJxfKG0e98Q49SKUoDoOgQTTRDqTC9IgOEDxyfAkT0Vr6BtlP88Nsgnf6kmboyigBrRAiaDQGTxn3SP6LnQI3CeopaRDYvFZe/rTwPXE9XlKoTn9FTWnAqF3MuWaLslDcDKYEh7OaYJjF01piu6g4Nc=
- secure: qCCk7HIEnOph2q8mQ55MKS2MM0RSpCbwDZx7csF6NHRr5khVRyhg2r8jN0iUW+peoAChRYV91YOnl5v8K49O38IEQpzgADixiLu4VPFcYddwKrtTJF+AGvFGzBKtqDksRuUTqfJ+PdxGnO9iNkS0MFzF1ImSQGp1QfkegC8wSrZF8svAedjNOC9XV+FX0tTyj14eTSy3KUYafIyuhjG+nSjhlQxAI1Tq4EClcTZOzAIYNhkeZ4Gcu1nHPQMTQT5AQgRAhG8i7rNKfghqX8OccKNWUhvFB3eOFFf4dlb02IA2L/b8Fl4NnZpyAWcwF+CBZrzQoFARBE1xIvGfaNa9i6noyrpJ/g+0g7EyKgTsixaQInBmZ7ECVpQkSO+/3leWfwssZs7H4cqy2HeXH6dkE+JUeI0WDjYV7YwdVNoFm8wXszDu+MCQTGXJ4moO4F/jMvY4w+tNo8ISJiNZ/+uQaIlPaijCdwu9FPvAY59lJXORGVHd1Fq2pKkGkNjQVHtu9BH7ufO1fX5a6FtYbclMwm7w9BE5jnJNoP+y8Yq0bVwbGONSUFTyMWCbSCYDsyUPzmaZLkFpZPbnJua5y9c1x0/OYijNizBW0UVQDZauortsTPzwYlZ1J7TywVtpUEoI8CGuUb2QEWh+O/IwrogtiKvFtPrrYakIwV/lr7mO294=
- secure: ZZlcwdr4X2ZeIuA4f5wiT04qNCpSiNQb9d3dITG7MdtxIpiC1mi9rUFAkMDDlNjKumHO82O/a/X4RYKjXny7eixeHl5lgQ++IV9APwvWfsCiREFhiQFspfL+j0d9sZ5I4pfyPC671984We1T4G+ltuMcN3nQdPm3mP4xPT3h0IBQ9iAHonKck0TdLieNZ47vPPB8C8oxbx5NpdW8aSfQJGo3bFGiXNxWWFZ4P7BsMBDrBZaXuh0rAml/0nCJBGohgSqC8h/UObBOHeehEWnF1zzfQPRezHwVkUaMf2+xQtLGhB5rPjFhBKX0C/JZeqDgHEQ0auC2bLbfG5QCYQauy7jCq5kc6XPT7xFxCUd/sS7Wu2gg6KcgFeTE+Rnn4KWFZx2jMP2EPQYP2+LrM/VbfY1HW4QkpIkPVSFBatciuePUnIkEX6+jVM+GEZOhOOEqZ89zwjsGpa2GkFAJrwX/dphXXtn6oS20mLbu1kqocWTbGUJl/fYztTxCdOt/NoH/hiQMxy+TOGFF3Dx85MJiMUOlgk/NbPqUwBn5RbuD71L69vFZZLpU09V4PuablWW8ACQxgp8BMeqLhaLRn/I3r0ntRc8AdQ1xubPlrVWO9DDbhGfj44YPNoLUAC/7QHkRyCbP98Yv2FTXrJFcx9isA2viFx2UxzTsvXcAKHbCSAw=
jobs:
include:
- stage: Publish docs
if: type = api AND branch = master AND repo = kubernetes/ingress-nginx AND env(COMPONENT) = "docs"
script:
- .travis/publish-docs.sh

90
.travis/common.sh
View file

@ -1,90 +0,0 @@
#!/usr/bin/env bash
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
if ! [ -z $DEBUG ]; then
set -x
fi
if [ -z $ARCH ]; then
echo "Environment variable ARCH is not defined. Aborting.";
exit 0;
fi
echo "COMPONENT: $COMPONENT"
echo "PLATFORM: $ARCH"
echo "TRAVIS_REPO_SLUG: $TRAVIS_REPO_SLUG"
echo "TRAVIS_PULL_REQUEST: $TRAVIS_PULL_REQUEST"
echo "TRAVIS_EVENT_TYPE: $TRAVIS_EVENT_TYPE"
echo "TRAVIS_PULL_REQUEST_BRANCH: $TRAVIS_PULL_REQUEST_BRANCH"
set -o errexit
set -o nounset
set -o pipefail
# Check if jq binary is installed
if ! [ -x "$(command -v jq)" ]; then
echo "Installing jq..."
sudo apt-get install -y jq
fi
if [ "$TRAVIS_REPO_SLUG" != "kubernetes/ingress-nginx" ];
then
echo "Only builds from kubernetes/ingress-nginx repository is allowed.";
exit 0;
fi
SKIP_MESSAGE="Publication of docker image to quay.io registry skipped."
if [ "$TRAVIS_EVENT_TYPE" != "api" ];
then
echo "Only builds triggered from travis-ci API is allowed. $SKIP_MESSAGE";
exit 0;
fi
if [ "$TRAVIS_PULL_REQUEST" != "false" ];
then
echo "This is a pull request. $SKIP_MESSAGE";
exit 0;
fi
if [ "$TRAVIS_PULL_REQUEST_BRANCH" != "" ];
then
echo "Only images build from master branch are allowed. $SKIP_MESSAGE";
exit 0;
fi
# variables QUAY_USERNAME and QUAY_PASSWORD are required to push docker images
if [ "$QUAY_USERNAME" == "" ];
then
echo "Environment variable QUAY_USERNAME is missing.";
exit 0;
fi
if [ "$QUAY_PASSWORD" == "" ];
then
echo "Environment variable QUAY_PASSWORD is missing.";
exit 0;
fi
function docker_tag_exists() {
TAG=${2//\"/}
IMAGES=$(curl -s -H "Authorization: Bearer ${QUAY_PASSWORD}" https://quay.io/api/v1/repository/$1-$3/image/ | jq '.images | sort_by(.sort_index) | .[] .tags | select(.[] !=null) | .[0]' | sed s/\"//g)
if echo "$IMAGES" | grep -q -P "(^|\s)$TAG(?=\s|$)" ; then
return 0
fi
return 1
}

45
.travis/publish-docs.sh
View file

@ -1,45 +0,0 @@
#!/usr/bin/env bash
# Copyright 2018 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -o errexit
set -o pipefail
if ! [ -z $DEBUG ]; then
set -x
fi
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
if [ "$COMPONENT" != "docs" ]; then
echo "This task runs only to publish docs"
exit 0
fi
make -C ${DIR}/.. build-docs
git config --global user.email "travis@travis-ci.com"
git config --global user.name "Travis Bot"
git clone --branch=gh-pages --depth=1 https://${GH_REF} ${DIR}/gh-pages
cd ${DIR}/gh-pages
git rm -r .
cp -r ${DIR}/../site/* .
git add .
git commit -m "Deploy GitHub Pages"
git push --force --quiet "https://${GH_TOKEN}@${GH_REF}" gh-pages > /dev/null 2>&1

639
Changelog.md
View file

@ -1,5 +1,640 @@
# Changelog
### 0.30.0
**Image:** `quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.30.0`
- Allow service type ExternalName with different port and targetPort
- Update datadog tracer to v1.1.3
- Update default variables_hash_bucket_size value to 256
- Enable Opentracing for authentication subrequests (auth_request)
_Changes:_
- [X] [#5080](https://github.com/kubernetes/ingress-nginx/pull/5080) Add label selector for plugin
- [X] [#5083](https://github.com/kubernetes/ingress-nginx/pull/5083) Cleanup docker build
- [X] [#5084](https://github.com/kubernetes/ingress-nginx/pull/5084) Cleanup docker build
- [X] [#5085](https://github.com/kubernetes/ingress-nginx/pull/5085) Cleanup build of nginx image
- [X] [#5086](https://github.com/kubernetes/ingress-nginx/pull/5086) Migration e2e installation to helm
- [X] [#5087](https://github.com/kubernetes/ingress-nginx/pull/5087) Fox docker opencontainers version label
- [X] [#5088](https://github.com/kubernetes/ingress-nginx/pull/5088) Remove .cache directory with make clean.
- [X] [#5089](https://github.com/kubernetes/ingress-nginx/pull/5089) Abort any task in case of errors running shell commands
- [X] [#5090](https://github.com/kubernetes/ingress-nginx/pull/5090) Cleanup and standardization of e2e test definitions
- [X] [#5091](https://github.com/kubernetes/ingress-nginx/pull/5091) Add case for when user agent is nil
- [X] [#5092](https://github.com/kubernetes/ingress-nginx/pull/5092) Print information about e2e suite tests
- [X] [#5094](https://github.com/kubernetes/ingress-nginx/pull/5094) Remove comment from e2e_test.go
- [X] [#5095](https://github.com/kubernetes/ingress-nginx/pull/5095) Update datadog tracer to v1.1.3
- [X] [#5097](https://github.com/kubernetes/ingress-nginx/pull/5097) New e2e test: log-format-escape-json and log-format-upstream
- [X] [#5098](https://github.com/kubernetes/ingress-nginx/pull/5098) Fix make dev-env
- [X] [#5100](https://github.com/kubernetes/ingress-nginx/pull/5100) Ensure make dev-env support rolling updates
- [X] [#5101](https://github.com/kubernetes/ingress-nginx/pull/5101) Add keep-alive config check test
- [X] [#5102](https://github.com/kubernetes/ingress-nginx/pull/5102) Migrate e2e libaries
- [X] [#5103](https://github.com/kubernetes/ingress-nginx/pull/5103) Added configmap test for no-tls-redirect-locations
- [X] [#5105](https://github.com/kubernetes/ingress-nginx/pull/5105) Reuse-port check e2e tc (config check only)
- [X] [#5109](https://github.com/kubernetes/ingress-nginx/pull/5109) Added basic limit-rate configmap test.
- [X] [#5111](https://github.com/kubernetes/ingress-nginx/pull/5111) ingress-path-matching: doc typo
- [X] [#5117](https://github.com/kubernetes/ingress-nginx/pull/5117) Hash size e2e check test case
- [X] [#5122](https://github.com/kubernetes/ingress-nginx/pull/5122) refactor ssl handling in preparation of OCSP stapling
- [X] [#5123](https://github.com/kubernetes/ingress-nginx/pull/5123) Ensure helm repository and charts are available
- [X] [#5124](https://github.com/kubernetes/ingress-nginx/pull/5124) make dev-env improvements
- [X] [#5125](https://github.com/kubernetes/ingress-nginx/pull/5125) Added tc for limit-connection annotation
- [X] [#5131](https://github.com/kubernetes/ingress-nginx/pull/5131) Add request handling performance dashboard
- [X] [#5132](https://github.com/kubernetes/ingress-nginx/pull/5132) Lint go code
- [X] [#5134](https://github.com/kubernetes/ingress-nginx/pull/5134) Update list of e2e tests
- [X] [#5136](https://github.com/kubernetes/ingress-nginx/pull/5136) Add upstream keep alive tests
- [X] [#5139](https://github.com/kubernetes/ingress-nginx/pull/5139) Fixes https://github.com/kubernetes/ingress-nginx/issues/5120
- [X] [#5140](https://github.com/kubernetes/ingress-nginx/pull/5140) Added configmap test for ssl-ciphers.
- [X] [#5141](https://github.com/kubernetes/ingress-nginx/pull/5141) Allow service type ExternalName with different port and targetPort
- [X] [#5145](https://github.com/kubernetes/ingress-nginx/pull/5145) Refactor the HSTS related test file and add config check to the HSTS tests
- [X] [#5149](https://github.com/kubernetes/ingress-nginx/pull/5149) Use helm template instead of update to install dev cluster
- [X] [#5150](https://github.com/kubernetes/ingress-nginx/pull/5150) Update default VariablesHashBucketSize value to 256
- [X] [#5151](https://github.com/kubernetes/ingress-nginx/pull/5151) Check there is a difference in the template besides the checksum
- [X] [#5152](https://github.com/kubernetes/ingress-nginx/pull/5152) Clean template
- [X] [#5153](https://github.com/kubernetes/ingress-nginx/pull/5153) Update nginx and e2e images
_Documentation:_
- [X] [#5018](https://github.com/kubernetes/ingress-nginx/pull/5018) Update developer document on dependency updates
- [X] [#5081](https://github.com/kubernetes/ingress-nginx/pull/5081) Fixed incorrect documentation of cli flag --default-backend-service
- [X] [#5093](https://github.com/kubernetes/ingress-nginx/pull/5093) Generate doc with list of e2e tests
- [X] [#5135](https://github.com/kubernetes/ingress-nginx/pull/5135) Correct spelling of the word "Original" in annotations documentation
### 0.29.0
**Image:** `quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.29.0`
_New Features:_
- NGINX 1.17.8
- Add SameSite support for [Cookie Affinity](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#cookie-affinity) https://www.chromium.org/updates/same-site
- Refactor of [mirror](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#mirror) feature to remove additional annotations
_Changes:_
- [X] [#4949](https://github.com/kubernetes/ingress-nginx/pull/4949) Add SameSite support - omit None for old browsers
- [X] [#4973](https://github.com/kubernetes/ingress-nginx/pull/4973) Fix release script
- [X] [#4975](https://github.com/kubernetes/ingress-nginx/pull/4975) Fix docker installation in travis script
- [X] [#4976](https://github.com/kubernetes/ingress-nginx/pull/4976) Fix travis
- [X] [#4977](https://github.com/kubernetes/ingress-nginx/pull/4977) Fix image version
- [X] [#4983](https://github.com/kubernetes/ingress-nginx/pull/4983) Fix enable opentracing per location
- [X] [#4987](https://github.com/kubernetes/ingress-nginx/pull/4987) Dump kind logs after e2e tests
- [X] [#4993](https://github.com/kubernetes/ingress-nginx/pull/4993) Calculation algorithm for server_names_hash_bucket_size should consid…
- [X] [#4995](https://github.com/kubernetes/ingress-nginx/pull/4995) Cleanup main makefile and remove the need of sed
- [X] [#4996](https://github.com/kubernetes/ingress-nginx/pull/4996) Fix status update for clusters where networking.k8s.io is not available
- [X] [#4999](https://github.com/kubernetes/ingress-nginx/pull/4999) Fix limitrange definition
- [X] [#5000](https://github.com/kubernetes/ingress-nginx/pull/5000) Update python syntax in OAuth2 example
- [X] [#5003](https://github.com/kubernetes/ingress-nginx/pull/5003) Fix server aliases
- [X] [#5008](https://github.com/kubernetes/ingress-nginx/pull/5008) Fix docker buildx check in Makefile
- [X] [#5009](https://github.com/kubernetes/ingress-nginx/pull/5009) Move mod-security logic from template to go code
- [X] [#5010](https://github.com/kubernetes/ingress-nginx/pull/5010) Update nginx image
- [X] [#5011](https://github.com/kubernetes/ingress-nginx/pull/5011) Update nginx image, go to 1.13.7 and e2e image
- [X] [#5015](https://github.com/kubernetes/ingress-nginx/pull/5015) Refactor mirror feature
- [X] [#5016](https://github.com/kubernetes/ingress-nginx/pull/5016) Fix dep-ensure task
- [X] [#5023](https://github.com/kubernetes/ingress-nginx/pull/5023) Update metric dependencies and restore default Objectives
- [X] [#5028](https://github.com/kubernetes/ingress-nginx/pull/5028) Add echo image to avoid building and installing dependencies in each …
- [X] [#5031](https://github.com/kubernetes/ingress-nginx/pull/5031) Update kindest/node version to v1.17.2
- [X] [#5032](https://github.com/kubernetes/ingress-nginx/pull/5032) Fix fortune-teller app manifest
- [X] [#5035](https://github.com/kubernetes/ingress-nginx/pull/5035) Update github.com/paultag/sniff dependency
- [X] [#5036](https://github.com/kubernetes/ingress-nginx/pull/5036) Disable DIND in script run-in-docker.sh
- [X] [#5038](https://github.com/kubernetes/ingress-nginx/pull/5038) Update code to use pault.ag/go/sniff package
- [X] [#5042](https://github.com/kubernetes/ingress-nginx/pull/5042) Fix X-Forwarded-Proto based on proxy-protocol server port
- [X] [#5050](https://github.com/kubernetes/ingress-nginx/pull/5050) Add flag to allow custom ingress status update intervals
- [X] [#5052](https://github.com/kubernetes/ingress-nginx/pull/5052) Change the handling of ConfigMap creation
- [X] [#5053](https://github.com/kubernetes/ingress-nginx/pull/5053) Validation of header in authreq should be done only in the key
- [X] [#5055](https://github.com/kubernetes/ingress-nginx/pull/5055) Only set mirror source when a target is configured
- [X] [#5059](https://github.com/kubernetes/ingress-nginx/pull/5059) Remove minikube and only use kind
- [X] [#5060](https://github.com/kubernetes/ingress-nginx/pull/5060) Cleanup e2e tests
- [X] [#5061](https://github.com/kubernetes/ingress-nginx/pull/5061) Fix scripts to run in osx
- [X] [#5062](https://github.com/kubernetes/ingress-nginx/pull/5062) Ensure scripts and dev-env works in osx
- [X] [#5067](https://github.com/kubernetes/ingress-nginx/pull/5067) Make sure set-cookie is retained from external auth endpoint
- [X] [#5069](https://github.com/kubernetes/ingress-nginx/pull/5069) Enable grpc e2e tests
- [X] [#5070](https://github.com/kubernetes/ingress-nginx/pull/5070) Update go to 1.13.8
- [X] [#5071](https://github.com/kubernetes/ingress-nginx/pull/5071) Add gzip-min-length as a Configuration Option
_Documentation:_
- [X] [#4974](https://github.com/kubernetes/ingress-nginx/pull/4974) Add travis script for docs
- [X] [#4991](https://github.com/kubernetes/ingress-nginx/pull/4991) doc: added hint why regular expressions might not be accepted
- [X] [#5018](https://github.com/kubernetes/ingress-nginx/pull/5018) Update developer document on dependency updates
- [X] [#5020](https://github.com/kubernetes/ingress-nginx/pull/5020) docs(deploy): fix helm install command for helm v3
- [X] [#5037](https://github.com/kubernetes/ingress-nginx/pull/5037) Cleanup README.md
- [X] [#5040](https://github.com/kubernetes/ingress-nginx/pull/5040) Update documentation and remove hack fixed by upstream cookie library
- [X] [#5041](https://github.com/kubernetes/ingress-nginx/pull/5041) 36.94% size reduction of image assets using lossless compression from ImgBot
- [X] [#5043](https://github.com/kubernetes/ingress-nginx/pull/5043) Cleanup docs
- [X] [#5068](https://github.com/kubernetes/ingress-nginx/pull/5068) docs: reference buildx as a requirement for docker builds
- [X] [#5073](https://github.com/kubernetes/ingress-nginx/pull/5073) oauth-external-auth: README.md: Link to oauth2-proxy, dashboard-ingress.yaml
### 0.28.0
**Image:** `quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.28.0`
Fix occasional prometheus `http: superfluous response.WriteHeader call...` error [#4943](https://github.com/kubernetes/ingress-nginx/pull/4943)
Remove prometheus socket before the start of metrics collector [#4961](https://github.com/kubernetes/ingress-nginx/pull/4961)
Reduce CPU utilization when the ingress controller is shutting down [#4959](https://github.com/kubernetes/ingress-nginx/pull/4959)
Fixes a flaw (CVE-2019-11251) when auth-type basic annotation is used [#4960](https://github.com/kubernetes/ingress-nginx/pull/4960)
_Changes:_
- [X] [#4912](https://github.com/kubernetes/ingress-nginx/pull/4912) Update README.md
- [X] [#4914](https://github.com/kubernetes/ingress-nginx/pull/4914) Disable docker in docker tasks in terraform release script
- [X] [#4932](https://github.com/kubernetes/ingress-nginx/pull/4932) Cleanup dev-env script
- [X] [#4943](https://github.com/kubernetes/ingress-nginx/pull/4943) Update client_golang dependency to v1.3.0
- [X] [#4956](https://github.com/kubernetes/ingress-nginx/pull/4956) Fix proxy protocol support for X-Forwarded-Port
- [X] [#4959](https://github.com/kubernetes/ingress-nginx/pull/4959) Refactor how to handle sigterm and nginx process goroutine
- [X] [#4960](https://github.com/kubernetes/ingress-nginx/pull/4960) Avoid overlap of configuration definitions
- [X] [#4961](https://github.com/kubernetes/ingress-nginx/pull/4961) Remove prometheus socket before listen
- [X] [#4962](https://github.com/kubernetes/ingress-nginx/pull/4962) Cleanup of e2e docker images
- [X] [#4965](https://github.com/kubernetes/ingress-nginx/pull/4965) Move opentracing configuration for location to go
- [X] [#4966](https://github.com/kubernetes/ingress-nginx/pull/4966) Add verification of docker buildx support
- [X] [#4967](https://github.com/kubernetes/ingress-nginx/pull/4967) Update go dependencies
### 0.27.1
**Image:** `quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.27.1`
Fix regression in Jaeger opentracing module, incorrect UID in webhook AdmissionResponse in Kubernetes > 1.16.0.
_Changes:_
- [X] [#4920](https://github.com/kubernetes/ingress-nginx/pull/4920) Rollback jaeger module version
- [X] [#4922](https://github.com/kubernetes/ingress-nginx/pull/4922) Use docker buildx and remove qemu-static
- [X] [#4927](https://github.com/kubernetes/ingress-nginx/pull/4927) Fix incorrect UID in webhook AdmissionResponse
### 0.27.0
**Image:** `quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.27.0`
_New Features:_
- NGINX 1.17.7
- Migration to alpinelinux.
- Global [Modsecurity Snippet via ConfigMap](https://github.com/kubernetes/ingress-nginx/pull/4087)
- Support Datadog sample rate with global trace sampling from configmap [#4897](https://github.com/kubernetes/ingress-nginx/pull/4897)
- Modsecurity CRS v3.2.0 [#4829](https://github.com/kubernetes/ingress-nginx/pull/4829)
- Modsecurity-nginx v1.0.1 [#4842](https://github.com/kubernetes/ingress-nginx/pull/4842)
- Allow enabling/disabling opentracing for ingresses [#4732](https://github.com/kubernetes/ingress-nginx/pull/4732)
_Breaking Changes:_
- Enable download of GeoLite2 databases [#4896](https://github.com/kubernetes/ingress-nginx/pull/4896)
_From maxmind website:_
```
Due to upcoming data privacy regulations, we are making significant changes to how you access free GeoLite2 databases starting December 30, 2019.
Learn more on our blog https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/
```
Because of this change, it is not clear we can provide the databases directly from the docker image.
To enable the feature, we provide two options:
- Add the flag `--maxmind-license-key` to download the databases when the ingress controller starts.
- or add a volume to mount the files `GeoLite2-City.mmdb` and `GeoLite2-ASN.mmdb` in the directory `/etc/nginx/geoip`.
**If any of these conditions are not met, the geoip2 module will be disabled**
- The feature `lua-resty-waf` was removed.
- Due to the migration to alpinelinux the uid of the user is different. Please make sure to update it `runAsUser: 101` or the ingress controller will not start (CrashLoopBackOff).
_Changes:_
- [X] [#4087](https://github.com/kubernetes/ingress-nginx/pull/4087) Define Modsecurity Snippet via ConfigMap
- [X] [#4603](https://github.com/kubernetes/ingress-nginx/pull/4603) optimize: local cache global variable and reduce string object creation.
- [X] [#4613](https://github.com/kubernetes/ingress-nginx/pull/4613) Terraform release
- [X] [#4619](https://github.com/kubernetes/ingress-nginx/pull/4619) Issue 4244
- [X] [#4620](https://github.com/kubernetes/ingress-nginx/pull/4620) ISSUE-4244 e2e test
- [X] [#4645](https://github.com/kubernetes/ingress-nginx/pull/4645) Bind ingress controller to linux nodes to avoid Windows scheduling on kubernetes cluster includes linux nodes and windows nodes
- [X] [#4650](https://github.com/kubernetes/ingress-nginx/pull/4650) Expose GeoIP2 Organization as variable $geoip2_org
- [X] [#4658](https://github.com/kubernetes/ingress-nginx/pull/4658) Need to quote expansion of `$cfg.LogFormatStream` in `log_stream` access log
- [X] [#4664](https://github.com/kubernetes/ingress-nginx/pull/4664) warn when ConfigMap is missing or not parsable instead of erroring
- [X] [#4669](https://github.com/kubernetes/ingress-nginx/pull/4669) Simplify initialization function of bytes.Buffer
- [X] [#4671](https://github.com/kubernetes/ingress-nginx/pull/4671) Discontinue use of a single DNS query to validate an endpoint name
- [X] [#4673](https://github.com/kubernetes/ingress-nginx/pull/4673) More helpful dns error
- [X] [#4678](https://github.com/kubernetes/ingress-nginx/pull/4678) Increase the kubernetes 1.14 version to the installation prompt
- [X] [#4689](https://github.com/kubernetes/ingress-nginx/pull/4689) Server-only authentication of backends and per-location SSL config
- [X] [#4693](https://github.com/kubernetes/ingress-nginx/pull/4693) Adding some documentation about the use of metrics-per-host and enabl…
- [X] [#4694](https://github.com/kubernetes/ingress-nginx/pull/4694) Enhancement : add remote_addr in TCP access log
- [X] [#4695](https://github.com/kubernetes/ingress-nginx/pull/4695) Removing secure-verify-ca-secret support
- [X] [#4700](https://github.com/kubernetes/ingress-nginx/pull/4700) adds hability to use externalIP when controller service is of type NodePort
- [X] [#4730](https://github.com/kubernetes/ingress-nginx/pull/4730) add configuration for http2_max_concurrent_streams
- [X] [#4732](https://github.com/kubernetes/ingress-nginx/pull/4732) Allow enabling/disabling opentracing for ingresses
- [X] [#4745](https://github.com/kubernetes/ingress-nginx/pull/4745) add cmluciano to owners
- [X] [#4747](https://github.com/kubernetes/ingress-nginx/pull/4747) Docker image: Add source code reference label
- [X] [#4766](https://github.com/kubernetes/ingress-nginx/pull/4766) dev-env.sh: fix for parsing `minikube status` output of newer versions, fix shellcheck lints
- [X] [#4779](https://github.com/kubernetes/ingress-nginx/pull/4779) Remove lua-resty-waf feature
- [X] [#4780](https://github.com/kubernetes/ingress-nginx/pull/4780) Update nginx image to use openresty master
- [X] [#4785](https://github.com/kubernetes/ingress-nginx/pull/4785) Update nginx image and Go to 1.13.4
- [X] [#4791](https://github.com/kubernetes/ingress-nginx/pull/4791) deploy: add protocol to all Container/ServicePorts
- [X] [#4793](https://github.com/kubernetes/ingress-nginx/pull/4793) Fix issue in logic of modsec template
- [X] [#4794](https://github.com/kubernetes/ingress-nginx/pull/4794) Remove extra annotation when Enabling ModSecurity
- [X] [#4797](https://github.com/kubernetes/ingress-nginx/pull/4797) Add a datasource variable $DS_PROMETHEUS
- [X] [#4803](https://github.com/kubernetes/ingress-nginx/pull/4803) Update nginx image to fix regression in jaeger tracing
- [X] [#4805](https://github.com/kubernetes/ingress-nginx/pull/4805) Update nginx and e2e images
- [X] [#4806](https://github.com/kubernetes/ingress-nginx/pull/4806) Add log to parallel command to dump logs in case of errors
- [X] [#4807](https://github.com/kubernetes/ingress-nginx/pull/4807) Allow custom CA certificate when flag --api-server is specified
- [X] [#4813](https://github.com/kubernetes/ingress-nginx/pull/4813) Update default SSL ciphers
- [X] [#4816](https://github.com/kubernetes/ingress-nginx/pull/4816) apply default certificate again in cases of invalid or incomplete cert config
- [X] [#4823](https://github.com/kubernetes/ingress-nginx/pull/4823) Update go dependencies to v1.17.0
- [X] [#4826](https://github.com/kubernetes/ingress-nginx/pull/4826) regression test and fix for duplicate hsts bug
- [X] [#4827](https://github.com/kubernetes/ingress-nginx/pull/4827) Migrate ingress definitions from extensions to networking.k8s.io
- [X] [#4829](https://github.com/kubernetes/ingress-nginx/pull/4829) Update modsecurity crs to v3.2.0
- [X] [#4840](https://github.com/kubernetes/ingress-nginx/pull/4840) Return specific type
- [X] [#4842](https://github.com/kubernetes/ingress-nginx/pull/4842) Update Modsecurity-nginx to latest (v1.0.1)
- [X] [#4843](https://github.com/kubernetes/ingress-nginx/pull/4843) Define minimum limits to run the ingress controller
- [X] [#4848](https://github.com/kubernetes/ingress-nginx/pull/4848) Update nginx image
- [X] [#4859](https://github.com/kubernetes/ingress-nginx/pull/4859) Use a named location for authSignURL
- [X] [#4862](https://github.com/kubernetes/ingress-nginx/pull/4862) Update nginx image
- [X] [#4863](https://github.com/kubernetes/ingress-nginx/pull/4863) Switch to nginx again
- [X] [#4866](https://github.com/kubernetes/ingress-nginx/pull/4866) Improve issue and pull request template
- [X] [#4867](https://github.com/kubernetes/ingress-nginx/pull/4867) Fix sticky session for ingress without host
- [X] [#4870](https://github.com/kubernetes/ingress-nginx/pull/4870) Default backend protocol only supports http
- [X] [#4871](https://github.com/kubernetes/ingress-nginx/pull/4871) Fix ingress status regression introduced in #4490
- [X] [#4875](https://github.com/kubernetes/ingress-nginx/pull/4875) Remove /build endpoint
- [X] [#4880](https://github.com/kubernetes/ingress-nginx/pull/4880) Remove download of geoip databases
- [X] [#4882](https://github.com/kubernetes/ingress-nginx/pull/4882) Use yaml files from a particular tag, not from master
- [X] [#4883](https://github.com/kubernetes/ingress-nginx/pull/4883) Update e2e image
- [X] [#4884](https://github.com/kubernetes/ingress-nginx/pull/4884) Update e2e image
- [X] [#4886](https://github.com/kubernetes/ingress-nginx/pull/4886) Fix flaking e2e tests
- [X] [#4887](https://github.com/kubernetes/ingress-nginx/pull/4887) Master branch uses a master tag image
- [X] [#4891](https://github.com/kubernetes/ingress-nginx/pull/4891) Add help task
- [X] [#4893](https://github.com/kubernetes/ingress-nginx/pull/4893) Use docker to run makefile tasks
- [X] [#4894](https://github.com/kubernetes/ingress-nginx/pull/4894) Remove todo from lua test
- [X] [#4896](https://github.com/kubernetes/ingress-nginx/pull/4896) Enable download of GeoLite2 databases
- [X] [#4897](https://github.com/kubernetes/ingress-nginx/pull/4897) Support Datadog sample rate with global trace sampling from configmap
- [X] [#4907](https://github.com/kubernetes/ingress-nginx/pull/4907) Add script to check go version and fix output directory permissions
_Documentation:_
- [X] [#4623](https://github.com/kubernetes/ingress-nginx/pull/4623) remove duplicated line in docs
- [X] [#4681](https://github.com/kubernetes/ingress-nginx/pull/4681) Fix docs/development.md describing inaccurate issues
- [X] [#4683](https://github.com/kubernetes/ingress-nginx/pull/4683) Fixed upgrading example command
- [X] [#4708](https://github.com/kubernetes/ingress-nginx/pull/4708) add proxy-max-temp-file-size doc
- [X] [#4727](https://github.com/kubernetes/ingress-nginx/pull/4727) update docs, remove output in prometheus deploy command
- [X] [#4744](https://github.com/kubernetes/ingress-nginx/pull/4744) Fix generation of sitemap.xml file
- [X] [#4746](https://github.com/kubernetes/ingress-nginx/pull/4746) Fix broken links in documentation
- [X] [#4748](https://github.com/kubernetes/ingress-nginx/pull/4748) Update documentation for static ip example
- [X] [#4749](https://github.com/kubernetes/ingress-nginx/pull/4749) Update documentation for rate limiting
- [X] [#4765](https://github.com/kubernetes/ingress-nginx/pull/4765) Fix extra word
- [X] [#4777](https://github.com/kubernetes/ingress-nginx/pull/4777) [docs] Add info about x-forwarded-prefix breaking change
- [X] [#4800](https://github.com/kubernetes/ingress-nginx/pull/4800) Update sysctl example
- [X] [#4801](https://github.com/kubernetes/ingress-nginx/pull/4801) Fix markdown list
- [X] [#4849](https://github.com/kubernetes/ingress-nginx/pull/4849) Fixed documentation for FCGI annotation.
- [X] [#4885](https://github.com/kubernetes/ingress-nginx/pull/4885) Correct MetalLB setup instructions.
### 0.26.2
**Image:** `quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.26.2`
_Changes:_
- [X] [#4859](https://github.com/kubernetes/ingress-nginx/pull/4859) Use a named location for authSignURL
### 0.26.1
**Image:** `quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.26.1`
_Changes:_
- [X] [#4617](https://github.com/kubernetes/ingress-nginx/pull/4617) Fix ports collision when hostNetwork=true
- [X] [#4619](https://github.com/kubernetes/ingress-nginx/pull/4619) Fix issue #4244
### 0.26.0
**Image:** `quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.26.0`
_New Features:_
- Add support for NGINX [proxy_ssl_* directives](https://github.com/kubernetes/ingress-nginx/pull/4327)
- Add support for [FastCGI backends](https://github.com/kubernetes/ingress-nginx/pull/4344)
- [Only support SSL dynamic mode](https://github.com/kubernetes/ingress-nginx/pull/4356)
- [Add nginx ssl_early_data option support](https://github.com/kubernetes/ingress-nginx/pull/4412)
- [Add support for multiple alias and remove duplication of SSL certificates](https://github.com/kubernetes/ingress-nginx/pull/4472)
- [Support configuring basic auth credentials as a map of user/password hashes](https://github.com/kubernetes/ingress-nginx/pull/4560)
- Caching support for external authentication annotation with new annotations [auth-cache-key and auth-cache-duration](https://github.com/kubernetes/ingress-nginx/pull/4278)
- Allow Requests to be [Mirrored to different backends](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#mirror) [#4379](https://github.com/kubernetes/ingress-nginx/pull/4379)
- Improve connection draining when ingress controller pod is deleted using a lifecycle hook:
With this new hook, we increased the default `terminationGracePeriodSeconds` from 30 seconds to 300, allowing the draining of connections up to five minutes.
If the active connections end before that, the pod will terminate gracefully at that time.
To efectively take advantage of this feature, the Configmap feature [worker-shutdown-timeout](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#worker-shutdown-timeout) new value is `240s` instead of `10s`.
**IMPORTANT:** this value has a side effect during reloads, consuming more memory until the old NGINX workers are replaced.
```yaml
lifecycle:
preStop:
exec:
command:
- /wait-shutdown
```
- [mimalloc](https://github.com/microsoft/mimalloc) as a drop-in replacement for malloc.
This feature can be enabled using the [LD_PRELOAD](http://man7.org/linux/man-pages/man8/ld.so.8.html) environment variable in the ingress controller deployment
Example:
```yaml
env:
- name: LD_PRELOAD
value: /usr/local/lib/libmimalloc.so
```
Please check the additional [options](https://github.com/microsoft/mimalloc#environment-options) it provides.
_Breaking Changes:_
- The variable [$the_real_ip variable](https://github.com/kubernetes/ingress-nginx/pull/4557) was removed from template and default `log_format`.
- The default value of configmap setting [proxy-add-original-uri-header](https://github.com/kubernetes/ingress-nginx/pull/4604) is now `"false"`.
When the setting `proxy-add-original-uri-header` is `"true"`, the ingress controller adds a new header `X-Original-Uri` with the value of NGINX variable `$request_uri`.
In most of the cases this is not an issue but with request with long URLs it could lead to unexpected errors in the application defined in the Ingress serviceName,
like issue 4593 - [431 Request Header Fields Too Large](https://github.com/kubernetes/ingress-nginx/issues/4593)
_Non-functional improvements:_
- [Removal of internal NGINX unix sockets](https://github.com/kubernetes/ingress-nginx/pull/4531)
- Automation of NGINX image using [terraform scripts](https://github.com/kubernetes/ingress-nginx/pull/4484)
- Removal of Go profiling on port `:10254` to use `localhost:10245`
To profile the ingress controller Go binary, use:
```console
INGRESS_PODS=($(kubectl get pods -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx -o 'jsonpath={..metadata.name}'))
kubectl port-forward -n ingress-nginx pod/${INGRESS_PODS[0]} 10245
```
Using the URL http://localhost:10245/debug/pprof/ to reach the profiler.
_Changes:_
- [X] [#3164](https://github.com/kubernetes/ingress-nginx/pull/3164) Initial support for CRL in Ingress Controller
- [X] [#4086](https://github.com/kubernetes/ingress-nginx/pull/4086) Resolve #4038, move X-Forwarded-Port variable to the location context
- [X] [#4278](https://github.com/kubernetes/ingress-nginx/pull/4278) feat: auth-req caching
- [X] [#4286](https://github.com/kubernetes/ingress-nginx/pull/4286) fix lua lints
- [X] [#4287](https://github.com/kubernetes/ingress-nginx/pull/4287) Add script for luacheck
- [X] [#4288](https://github.com/kubernetes/ingress-nginx/pull/4288) added proxy-http-version annotation to override the HTTP/1.1 default …
- [X] [#4289](https://github.com/kubernetes/ingress-nginx/pull/4289) Apply fixes suggested by staticcheck
- [X] [#4290](https://github.com/kubernetes/ingress-nginx/pull/4290) Make dev-env.sh script work on Linux
- [X] [#4291](https://github.com/kubernetes/ingress-nginx/pull/4291) hack scripts do not need PKG var
- [X] [#4298](https://github.com/kubernetes/ingress-nginx/pull/4298) Fix RBAC issues with networking.k8s.io
- [X] [#4299](https://github.com/kubernetes/ingress-nginx/pull/4299) Fix scripts to be able to run tests in docker
- [X] [#4302](https://github.com/kubernetes/ingress-nginx/pull/4302) Squash rules regarding ingresses
- [X] [#4306](https://github.com/kubernetes/ingress-nginx/pull/4306) Remove unnecessary output
- [X] [#4307](https://github.com/kubernetes/ingress-nginx/pull/4307) Disable access log in stream section for configuration socket
- [X] [#4313](https://github.com/kubernetes/ingress-nginx/pull/4313) avoid warning during lua unit test
- [X] [#4322](https://github.com/kubernetes/ingress-nginx/pull/4322) Update go dependencies
- [X] [#4327](https://github.com/kubernetes/ingress-nginx/pull/4327) Add proxy_ssl_* directives
- [X] [#4333](https://github.com/kubernetes/ingress-nginx/pull/4333) Add [$proxy_alternative_upstream_name]
- [X] [#4334](https://github.com/kubernetes/ingress-nginx/pull/4334) Refactor http client for unix sockets
- [X] [#4341](https://github.com/kubernetes/ingress-nginx/pull/4341) duplicate argument "--disable-catch-all"
- [X] [#4344](https://github.com/kubernetes/ingress-nginx/pull/4344) Add FastCGI backend support (#2982)
- [X] [#4356](https://github.com/kubernetes/ingress-nginx/pull/4356) Only support SSL dynamic mode
- [X] [#4365](https://github.com/kubernetes/ingress-nginx/pull/4365) memoize balancer for a request
- [X] [#4369](https://github.com/kubernetes/ingress-nginx/pull/4369) Fix broken test's filenames
- [X] [#4371](https://github.com/kubernetes/ingress-nginx/pull/4371) Update datadog tracing plugin to v1.0.1
- [X] [#4379](https://github.com/kubernetes/ingress-nginx/pull/4379) Allow Requests to be Mirrored to different backends
- [X] [#4383](https://github.com/kubernetes/ingress-nginx/pull/4383) Add support for psp
- [X] [#4386](https://github.com/kubernetes/ingress-nginx/pull/4386) Update go dependencies
- [X] [#4405](https://github.com/kubernetes/ingress-nginx/pull/4405) Lua shared cfg
- [X] [#4409](https://github.com/kubernetes/ingress-nginx/pull/4409) sort ingress by namespace and name when ingress.CreationTimestamp identical
- [X] [#4410](https://github.com/kubernetes/ingress-nginx/pull/4410) fix dev-env script
- [X] [#4412](https://github.com/kubernetes/ingress-nginx/pull/4412) Add nginx ssl_early_data option support
- [X] [#4415](https://github.com/kubernetes/ingress-nginx/pull/4415) more dev-env script improvements
- [X] [#4416](https://github.com/kubernetes/ingress-nginx/pull/4416) Remove invalid log "Failed to executing diff command: exit status 1"
- [X] [#4418](https://github.com/kubernetes/ingress-nginx/pull/4418) Remove dynamic TLS records
- [X] [#4420](https://github.com/kubernetes/ingress-nginx/pull/4420) Cleanup
- [X] [#4422](https://github.com/kubernetes/ingress-nginx/pull/4422) teach lua about search and ndots settings in resolv.conf
- [X] [#4423](https://github.com/kubernetes/ingress-nginx/pull/4423) Add quote function in template
- [X] [#4426](https://github.com/kubernetes/ingress-nginx/pull/4426) Update klog
- [X] [#4428](https://github.com/kubernetes/ingress-nginx/pull/4428) Add timezone value into $geoip2_time_zone variable
- [X] [#4435](https://github.com/kubernetes/ingress-nginx/pull/4435) Add option to use existing images
- [X] [#4437](https://github.com/kubernetes/ingress-nginx/pull/4437) Refactor version helper
- [X] [#4438](https://github.com/kubernetes/ingress-nginx/pull/4438) Add helper to extract prometheus metrics in e2e tests
- [X] [#4439](https://github.com/kubernetes/ingress-nginx/pull/4439) Move listen logic to go
- [X] [#4440](https://github.com/kubernetes/ingress-nginx/pull/4440) Fixes for CVE-2018-16843, CVE-2018-16844, CVE-2019-9511, CVE-2019-9513, and CVE-2019-9516
- [X] [#4443](https://github.com/kubernetes/ingress-nginx/pull/4443) Lua resolv conf parser
- [X] [#4445](https://github.com/kubernetes/ingress-nginx/pull/4445) use latest openresty with CVE patches
- [X] [#4446](https://github.com/kubernetes/ingress-nginx/pull/4446) lua-shared-dicts improvements, fixes and documentation
- [X] [#4448](https://github.com/kubernetes/ingress-nginx/pull/4448) ewma improvements
- [X] [#4449](https://github.com/kubernetes/ingress-nginx/pull/4449) Fix service type external name using the name
- [X] [#4450](https://github.com/kubernetes/ingress-nginx/pull/4450) Add nginx proxy_max_temp_file_size configuration option
- [X] [#4451](https://github.com/kubernetes/ingress-nginx/pull/4451) post data to Lua only if it changes
- [X] [#4452](https://github.com/kubernetes/ingress-nginx/pull/4452) Fix test description on error
- [X] [#4456](https://github.com/kubernetes/ingress-nginx/pull/4456) Fix file permissions to support volumes
- [X] [#4458](https://github.com/kubernetes/ingress-nginx/pull/4458) implementation proposal for zone aware routing
- [X] [#4459](https://github.com/kubernetes/ingress-nginx/pull/4459) cleanup logging message typos in rewrite.go
- [X] [#4460](https://github.com/kubernetes/ingress-nginx/pull/4460) cleanup: fix typos in framework.go
- [X] [#4463](https://github.com/kubernetes/ingress-nginx/pull/4463) Always set headers with add-headers option
- [X] [#4466](https://github.com/kubernetes/ingress-nginx/pull/4466) Add rate limit units and error status
- [X] [#4471](https://github.com/kubernetes/ingress-nginx/pull/4471) Lint code using staticcheck
- [X] [#4472](https://github.com/kubernetes/ingress-nginx/pull/4472) Add support for multiple alias and remove duplication of SSL certificates
- [X] [#4476](https://github.com/kubernetes/ingress-nginx/pull/4476) Initialize nginx process error channel
- [X] [#4478](https://github.com/kubernetes/ingress-nginx/pull/4478) Re-add Support for Wildcard Hosts with Sticky Sessions
- [X] [#4484](https://github.com/kubernetes/ingress-nginx/pull/4484) Add terraform scripts to build nginx image
- [X] [#4487](https://github.com/kubernetes/ingress-nginx/pull/4487) Refactor health checks and wait until NGINX process ends
- [X] [#4489](https://github.com/kubernetes/ingress-nginx/pull/4489) Fix log format markdown
- [X] [#4490](https://github.com/kubernetes/ingress-nginx/pull/4490) Refactor ingress status IP address
- [X] [#4492](https://github.com/kubernetes/ingress-nginx/pull/4492) fix lua certificate handling tests
- [X] [#4495](https://github.com/kubernetes/ingress-nginx/pull/4495) point users to kubectl ingress-nginx plugin
- [X] [#4500](https://github.com/kubernetes/ingress-nginx/pull/4500) Fix nginx variable service_port (nginx)
- [X] [#4501](https://github.com/kubernetes/ingress-nginx/pull/4501) Move nginx helper
- [X] [#4502](https://github.com/kubernetes/ingress-nginx/pull/4502) Remove hard-coded names from e2e test and use local docker dependencies
- [X] [#4506](https://github.com/kubernetes/ingress-nginx/pull/4506) Fix panic on multiple ingress mess up upstream is primary or not
- [X] [#4509](https://github.com/kubernetes/ingress-nginx/pull/4509) Update openresty and third party modules
- [X] [#4520](https://github.com/kubernetes/ingress-nginx/pull/4520) fix typo
- [X] [#4521](https://github.com/kubernetes/ingress-nginx/pull/4521) backward compatibility for k8s version < 1.14
- [X] [#4522](https://github.com/kubernetes/ingress-nginx/pull/4522) Fix relative links
- [X] [#4524](https://github.com/kubernetes/ingress-nginx/pull/4524) Update go dependencies
- [X] [#4527](https://github.com/kubernetes/ingress-nginx/pull/4527) Switch to official kind images
- [X] [#4528](https://github.com/kubernetes/ingress-nginx/pull/4528) Cleanup of docker images
- [X] [#4530](https://github.com/kubernetes/ingress-nginx/pull/4530) Update nginx image to 0.92
- [X] [#4531](https://github.com/kubernetes/ingress-nginx/pull/4531) Remove nginx unix sockets
- [X] [#4534](https://github.com/kubernetes/ingress-nginx/pull/4534) Show current reloads count, not total
- [X] [#4535](https://github.com/kubernetes/ingress-nginx/pull/4535) Improve the time to run e2e tests
- [X] [#4543](https://github.com/kubernetes/ingress-nginx/pull/4543) Correctly format ipv6 resolver config for lua
- [X] [#4545](https://github.com/kubernetes/ingress-nginx/pull/4545) Rollback luarocks version to 3.1.3
- [X] [#4547](https://github.com/kubernetes/ingress-nginx/pull/4547) Fix terraform build of nginx images
- [X] [#4548](https://github.com/kubernetes/ingress-nginx/pull/4548) regression test for the issue fixed in #4543
- [X] [#4549](https://github.com/kubernetes/ingress-nginx/pull/4549) Cleanup of docker build
- [X] [#4556](https://github.com/kubernetes/ingress-nginx/pull/4556) Allow multiple CA Certificates
- [X] [#4557](https://github.com/kubernetes/ingress-nginx/pull/4557) Remove the_real_ip variable
- [X] [#4560](https://github.com/kubernetes/ingress-nginx/pull/4560) Support configuring basic auth credentials as a map of user/password hashes
- [X] [#4569](https://github.com/kubernetes/ingress-nginx/pull/4569) allow to configure jaeger header names
- [X] [#4570](https://github.com/kubernetes/ingress-nginx/pull/4570) Update nginx image
- [X] [#4571](https://github.com/kubernetes/ingress-nginx/pull/4571) Increase log level for identical CreationTimestamp warning
- [X] [#4572](https://github.com/kubernetes/ingress-nginx/pull/4572) Fix log format after #4557
- [X] [#4575](https://github.com/kubernetes/ingress-nginx/pull/4575) Update go dependencies for kubernetes 1.16.0
- [X] [#4583](https://github.com/kubernetes/ingress-nginx/pull/4583) Disable go modules
- [X] [#4584](https://github.com/kubernetes/ingress-nginx/pull/4584) Remove retries to ExternalName
- [X] [#4586](https://github.com/kubernetes/ingress-nginx/pull/4586) Fix reload when a configmap changes
- [X] [#4587](https://github.com/kubernetes/ingress-nginx/pull/4587) Avoid unnecessary reloads generating lua_shared_dict directives
- [X] [#4591](https://github.com/kubernetes/ingress-nginx/pull/4591) optimize: local cache global variable and avoid single lines over 80
- [X] [#4592](https://github.com/kubernetes/ingress-nginx/pull/4592) refactor force ssl redirect logic
- [X] [#4594](https://github.com/kubernetes/ingress-nginx/pull/4594) cleanup unused certificates
- [X] [#4595](https://github.com/kubernetes/ingress-nginx/pull/4595) Rollback change of ModSecurity setting SecAuditLog
- [X] [#4596](https://github.com/kubernetes/ingress-nginx/pull/4596) sort auth proxy headers from configmap
- [X] [#4597](https://github.com/kubernetes/ingress-nginx/pull/4597) more meaningful assertion for tls hsts test
- [X] [#4598](https://github.com/kubernetes/ingress-nginx/pull/4598) delete redundant config
- [X] [#4600](https://github.com/kubernetes/ingress-nginx/pull/4600) Update nginx image
- [X] [#4601](https://github.com/kubernetes/ingress-nginx/pull/4601) Hsts refactoring
- [X] [#4602](https://github.com/kubernetes/ingress-nginx/pull/4602) fix bug with new and running configuration comparison
- [X] [#4604](https://github.com/kubernetes/ingress-nginx/pull/4604) Change default for proxy-add-original-uri-header
- [X] [#4606](https://github.com/kubernetes/ingress-nginx/pull/4606) Mount temporal directory volume for ingress controller
- [X] [#4611](https://github.com/kubernetes/ingress-nginx/pull/4611) Fix custom default backend switch to default
_Documentation:_
- [X] [#4277](https://github.com/kubernetes/ingress-nginx/pull/4277) doc: fix image link.
- [X] [#4316](https://github.com/kubernetes/ingress-nginx/pull/4316) Update how-it-works.md
- [X] [#4329](https://github.com/kubernetes/ingress-nginx/pull/4329) Update references to oauth2_proxy
- [X] [#4348](https://github.com/kubernetes/ingress-nginx/pull/4348) KEP process
- [X] [#4351](https://github.com/kubernetes/ingress-nginx/pull/4351) KEP: Remove static SSL configuration mode
- [X] [#4389](https://github.com/kubernetes/ingress-nginx/pull/4389) Fix docs build due to an invalid link
- [X] [#4455](https://github.com/kubernetes/ingress-nginx/pull/4455) KEP: availability zone aware routing
- [X] [#4581](https://github.com/kubernetes/ingress-nginx/pull/4581) Fix spelling and remove local reference of 404 docker image
- [X] [#4582](https://github.com/kubernetes/ingress-nginx/pull/4582) Update kubectl-plugin docs
- [X] [#4588](https://github.com/kubernetes/ingress-nginx/pull/4588) tls user guide --default-ssl-certificate clarification
### 0.25.1
**Image:** `quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.25.1`
_Changes:_
- [X] [#4440](https://github.com/kubernetes/ingress-nginx/pull/4440) Fixes for CVE-2018-16843, CVE-2018-16844, CVE-2019-9511, CVE-2019-9513, and CVE-2019-9516
### 0.25.0
**Image:** `quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.25.0`
_New Features:_
- Validating webhook for ingress sanity check [documentation](https://kubernetes.github.io/ingress-nginx/deploy/validating-webhook/)
- Migration from NGINX to [OpenResty](https://openresty.org/en/) 1.15.8
- [ARM image](https://quay.io/repository/kubernetes-ingress-controller/nginx-ingress-controller-arm?tab=logs)
- Improve external authorization concept from opt-in to secure-by-default [3506](https://github.com/kubernetes/ingress-nginx/pull/3506)
- Reduce memory footprint and cpu usage when modsecurity is enabled [4091](https://github.com/kubernetes/ingress-nginx/pull/4091)
- Support new `networking.k8s.io/v1beta1` package (for Kubernetes cluster > v1.14.0) [4127](https://github.com/kubernetes/ingress-nginx/pull/4127)
- New variable `$proxy_alternative_upstream_name` in the log to show a hit in a canary endpoint [#4246](https://github.com/kubernetes/ingress-nginx/pull/4246)
_Non-functional improvements:_
- Migration from travis-ci to [Prow](https://prow.k8s.io/tide-history?repo=kubernetes%2Fingress-nginx&branch=master)
- [Testgrid dashboards](https://testgrid.k8s.io/sig-network-ingress-nginx#Summary) for ingress-nginx
- Update kind to [v0.4.0](https://github.com/kubernetes-sigs/kind/releases/tag/v0.4.0)
- Switch to go modules
- Go v1.12.6
- Docker size image reduced by 20%
_Changes:_
- [X] [#3506](https://github.com/kubernetes/ingress-nginx/pull/3506) Improve the external authorization concept from opt-in to secure-by-default
- [X] [#3802](https://github.com/kubernetes/ingress-nginx/pull/3802) Add a validating webhook for ingress sanity check
- [X] [#3803](https://github.com/kubernetes/ingress-nginx/pull/3803) use nkeys for counting lua table elements
- [X] [#3852](https://github.com/kubernetes/ingress-nginx/pull/3852) Enable arm again
- [X] [#4004](https://github.com/kubernetes/ingress-nginx/pull/4004) Remove valgrind
- [X] [#4005](https://github.com/kubernetes/ingress-nginx/pull/4005) Support proxy_next_upstream_timeout
- [X] [#4008](https://github.com/kubernetes/ingress-nginx/pull/4008) refactor GetFakeSSLCert
- [X] [#4009](https://github.com/kubernetes/ingress-nginx/pull/4009) Update nginx to 1.15.12
- [X] [#4010](https://github.com/kubernetes/ingress-nginx/pull/4010) Update nginx image and Go to 1.12.4
- [X] [#4012](https://github.com/kubernetes/ingress-nginx/pull/4012) Switch to go modules
- [X] [#4022](https://github.com/kubernetes/ingress-nginx/pull/4022) Add e2e test coverage for mult-auth
- [X] [#4042](https://github.com/kubernetes/ingress-nginx/pull/4042) Release custom error pages image v0.4 [skip-ci]
- [X] [#4048](https://github.com/kubernetes/ingress-nginx/pull/4048) Change upstream on error when sticky session balancer is used
- [X] [#4055](https://github.com/kubernetes/ingress-nginx/pull/4055) Rearrange deployment files into kustomizations
- [X] [#4064](https://github.com/kubernetes/ingress-nginx/pull/4064) Update go to 1.12.5, kubectl to 1.14.1 and kind to 0.2.1
- [X] [#4067](https://github.com/kubernetes/ingress-nginx/pull/4067) Trim spaces from annotations that can contain multiple lines
- [X] [#4069](https://github.com/kubernetes/ingress-nginx/pull/4069) fix e2e-test make target
- [X] [#4070](https://github.com/kubernetes/ingress-nginx/pull/4070) Don't try to create e2e runner rbac resources twice
- [X] [#4080](https://github.com/kubernetes/ingress-nginx/pull/4080) Load modsecurity config with OWASP core rules
- [X] [#4088](https://github.com/kubernetes/ingress-nginx/pull/4088) Migrate to Prow
- [X] [#4091](https://github.com/kubernetes/ingress-nginx/pull/4091) reduce memory footprint and cpu usage when modsecurity and owasp rule
- [X] [#4100](https://github.com/kubernetes/ingress-nginx/pull/4100) Remove stop controller endpoint
- [X] [#4101](https://github.com/kubernetes/ingress-nginx/pull/4101) Refactor whitelist from map to standard allow directives
- [X] [#4102](https://github.com/kubernetes/ingress-nginx/pull/4102) Refactor ListIngresses to add filters
- [X] [#4105](https://github.com/kubernetes/ingress-nginx/pull/4105) UPT: Add variable to define custom sampler host and port
- [X] [#4108](https://github.com/kubernetes/ingress-nginx/pull/4108) Add retry to LookupHost used to check the content of ExternalName
- [X] [#4109](https://github.com/kubernetes/ingress-nginx/pull/4109) Use real apiserver
- [X] [#4110](https://github.com/kubernetes/ingress-nginx/pull/4110) Update e2e images
- [X] [#4113](https://github.com/kubernetes/ingress-nginx/pull/4113) Force GOOS to linux
- [X] [#4119](https://github.com/kubernetes/ingress-nginx/pull/4119) Only load module ngx_http_modsecurity_module.so when option enable-mo…
- [X] [#4120](https://github.com/kubernetes/ingress-nginx/pull/4120) log info when endpoints change for a balancer
- [X] [#4122](https://github.com/kubernetes/ingress-nginx/pull/4122) Update Nginx to 1.17.0 and upgrade some other modules
- [X] [#4123](https://github.com/kubernetes/ingress-nginx/pull/4123) Update nginx image to 0.86
- [X] [#4127](https://github.com/kubernetes/ingress-nginx/pull/4127) Migrate to new networking.k8s.io/v1beta1 package
- [X] [#4128](https://github.com/kubernetes/ingress-nginx/pull/4128) feature(collectors): Added services to collectorLabels
- [X] [#4133](https://github.com/kubernetes/ingress-nginx/pull/4133) Run PodSecurityPolicy E2E test in parallel
- [X] [#4135](https://github.com/kubernetes/ingress-nginx/pull/4135) Use apps/v1 api group in e2e tests
- [X] [#4140](https://github.com/kubernetes/ingress-nginx/pull/4140) update modsecurity to latest, libmodsecurity to v3.0.3 and owasp-scrs…
- [X] [#4150](https://github.com/kubernetes/ingress-nginx/pull/4150) Update nginx
- [X] [#4160](https://github.com/kubernetes/ingress-nginx/pull/4160) SSL expiration metrics cannot be tied to dynamic updates
- [X] [#4162](https://github.com/kubernetes/ingress-nginx/pull/4162) Add "text/javascript" to compressible MIME types
- [X] [#4164](https://github.com/kubernetes/ingress-nginx/pull/4164) fix source file mods
- [X] [#4166](https://github.com/kubernetes/ingress-nginx/pull/4166) Session Affinity ChangeOnFailure should be boolean
- [X] [#4169](https://github.com/kubernetes/ingress-nginx/pull/4169) simplify sticky balancer and fix a bug
- [X] [#4180](https://github.com/kubernetes/ingress-nginx/pull/4180) Service type=ExternalName can be defined with ports
- [X] [#4185](https://github.com/kubernetes/ingress-nginx/pull/4185) Fix: fillout missing health check timeout on health check.
- [X] [#4187](https://github.com/kubernetes/ingress-nginx/pull/4187) Add unit test cases for balancer lua module
- [X] [#4191](https://github.com/kubernetes/ingress-nginx/pull/4191) increase lua_shared_dict config data
- [X] [#4204](https://github.com/kubernetes/ingress-nginx/pull/4204) Add e2e test for service type=ExternalName
- [X] [#4212](https://github.com/kubernetes/ingress-nginx/pull/4212) Add e2e tests for grpc
- [X] [#4214](https://github.com/kubernetes/ingress-nginx/pull/4214) Update go dependencies
- [X] [#4219](https://github.com/kubernetes/ingress-nginx/pull/4219) Get AuthTLS annotation unit tests to 100%
- [X] [#4220](https://github.com/kubernetes/ingress-nginx/pull/4220) Migrate to openresty
- [X] [#4221](https://github.com/kubernetes/ingress-nginx/pull/4221) Switch to openresty image
- [X] [#4223](https://github.com/kubernetes/ingress-nginx/pull/4223) Remove travis-ci badge
- [X] [#4224](https://github.com/kubernetes/ingress-nginx/pull/4224) fix monitor test after move to openresty
- [X] [#4225](https://github.com/kubernetes/ingress-nginx/pull/4225) Update image dependencies
- [X] [#4226](https://github.com/kubernetes/ingress-nginx/pull/4226) Update nginx image
- [X] [#4227](https://github.com/kubernetes/ingress-nginx/pull/4227) Fix misspelled and e2e check
- [X] [#4229](https://github.com/kubernetes/ingress-nginx/pull/4229) Do not send empty certificates to nginx
- [X] [#4232](https://github.com/kubernetes/ingress-nginx/pull/4232) override least recently used entries when certificate_data dict is full
- [X] [#4233](https://github.com/kubernetes/ingress-nginx/pull/4233) Update nginx image to 0.90
- [X] [#4235](https://github.com/kubernetes/ingress-nginx/pull/4235) Add new lints
- [X] [#4236](https://github.com/kubernetes/ingress-nginx/pull/4236) Add e2e test suite to detect memory leaks in lua
- [X] [#4237](https://github.com/kubernetes/ingress-nginx/pull/4237) Update go dependencies
- [X] [#4246](https://github.com/kubernetes/ingress-nginx/pull/4246) introduce proxy_alternative_upstream_name Nginx var
- [X] [#4249](https://github.com/kubernetes/ingress-nginx/pull/4249) test to make sure dynamic cert works trailing dot in domains
- [X] [#4250](https://github.com/kubernetes/ingress-nginx/pull/4250) Lint shell scripts
- [X] [#4251](https://github.com/kubernetes/ingress-nginx/pull/4251) Refactor prometheus leader helper
- [X] [#4253](https://github.com/kubernetes/ingress-nginx/pull/4253) Remove kubeclient configuration
- [X] [#4254](https://github.com/kubernetes/ingress-nginx/pull/4254) Update kind to 0.4.0
- [X] [#4257](https://github.com/kubernetes/ingress-nginx/pull/4257) Fix error deleting temporal directory in case of errors
- [X] [#4258](https://github.com/kubernetes/ingress-nginx/pull/4258) Fix go imports
- [X] [#4267](https://github.com/kubernetes/ingress-nginx/pull/4267) More e2e tests
- [X] [#4270](https://github.com/kubernetes/ingress-nginx/pull/4270) GetLbAlgorithm helper func for e2e
- [X] [#4272](https://github.com/kubernetes/ingress-nginx/pull/4272) introduce ngx.var.balancer_ewma_score
- [X] [#4273](https://github.com/kubernetes/ingress-nginx/pull/4273) Check and complete intermediate SSL certificates
- [X] [#4274](https://github.com/kubernetes/ingress-nginx/pull/4274) Support trailing dot
_Documentation:_
- [X] [#3966](https://github.com/kubernetes/ingress-nginx/pull/3966) Documentation example code fix
- [X] [#3978](https://github.com/kubernetes/ingress-nginx/pull/3978) Fix CA certificate example docs
- [X] [#3981](https://github.com/kubernetes/ingress-nginx/pull/3981) Add missing PR in changelog [skip ci]
- [X] [#3982](https://github.com/kubernetes/ingress-nginx/pull/3982) Add kubectl plugin docs
- [X] [#3987](https://github.com/kubernetes/ingress-nginx/pull/3987) Link to kubectl plugin docs in nav
- [X] [#4014](https://github.com/kubernetes/ingress-nginx/pull/4014) Update plugin krew manifest
- [X] [#4034](https://github.com/kubernetes/ingress-nginx/pull/4034) 🔧 fix navigation error in file baremetal.md
- [X] [#4036](https://github.com/kubernetes/ingress-nginx/pull/4036) Docs have incorrect command in baremetal.md
- [X] [#4037](https://github.com/kubernetes/ingress-nginx/pull/4037) [doc] fixing regex in example of rewrite
- [X] [#4040](https://github.com/kubernetes/ingress-nginx/pull/4040) Fix default Content-Type for custom-error-pages example
- [X] [#4068](https://github.com/kubernetes/ingress-nginx/pull/4068) fix typo: deployement->deployment
- [X] [#4082](https://github.com/kubernetes/ingress-nginx/pull/4082) Explain references in custom-headers documentation
- [X] [#4089](https://github.com/kubernetes/ingress-nginx/pull/4089) Docs: configmap: use-gzip
- [X] [#4099](https://github.com/kubernetes/ingress-nginx/pull/4099) Docs - Update capture group `placeholder`
- [X] [#4098](https://github.com/kubernetes/ingress-nginx/pull/4098) Update configmap about adding custom locations
- [X] [#4107](https://github.com/kubernetes/ingress-nginx/pull/4107) Clear up some inconsistent / unclear wording
- [X] [#4132](https://github.com/kubernetes/ingress-nginx/pull/4132) Update README.md for external-auth Test 4
- [X] [#4153](https://github.com/kubernetes/ingress-nginx/pull/4153) Add clarification on how to enable path matching
- [X] [#4159](https://github.com/kubernetes/ingress-nginx/pull/4159) Partially revert usage of kustomize for installation
- [X] [#4217](https://github.com/kubernetes/ingress-nginx/pull/4217) Fix typo in annotations
- [X] [#4228](https://github.com/kubernetes/ingress-nginx/pull/4228) Add notes on timeouts while using long GRPC streams
### 0.24.1
**Image:** `quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.24.1`
@ -19,6 +654,10 @@ _New Features:_
- NGINX 1.15.10
_Breaking changes:_
- `x-forwarded-prefix` annotation changed from a boolean to a string, see [#3786](https://github.com/kubernetes/ingress-nginx/pull/3786)
_Changes:_
- [X] [#3743](https://github.com/kubernetes/ingress-nginx/pull/3743) Remove session-cookie-hash annotation

305
Makefile
View file

@ -12,15 +12,35 @@
# See the License for the specific language governing permissions and
# limitations under the License.
.PHONY: all
all: all-container
# Add the following 'help' target to your Makefile
# And add help text after each target name starting with '\#\#'
ifeq ($(shell which go >/dev/null 2>&1; echo $$?), 1)
$(error Can't find 'go' in PATH, please fix and retry. See http://golang.org/doc/install for installation instructions.)
endif
.DEFAULT_GOAL:=help
.EXPORT_ALL_VARIABLES:
ifndef VERBOSE
.SILENT:
endif
# set default shell
SHELL=/bin/bash -o pipefail -o errexit
# Use the 0.0 tag for testing, it shouldn't clobber any release builds
TAG ?= 0.24.1
REGISTRY ?= quay.io/kubernetes-ingress-controller
DOCKER ?= docker
SED_I ?= sed -i
GOHOSTOS ?= $(shell go env GOHOSTOS)
TAG ?= 0.30.0
# Use docker to run makefile tasks
USE_DOCKER ?= true
# Disable run docker tasks if running in prow.
# only checks the existence of the variable, not the value.
ifdef DIND_TASKS
USE_DOCKER=false
endif
# e2e settings
# Allow limiting the scope of the e2e tests. By default run everything
@ -29,179 +49,175 @@ FOCUS ?= .*
E2E_NODES ?= 10
# slow test only if takes > 50s
SLOW_E2E_THRESHOLD ?= 50
K8S_VERSION ?= v1.14.1
ifeq ($(GOHOSTOS),darwin)
SED_I=sed -i ''
endif
# run e2e test suite with tests that check for memory leaks? (default is false)
E2E_CHECK_LEAKS ?=
REPO_INFO ?= $(shell git config --get remote.origin.url)
GIT_COMMIT ?= git-$(shell git rev-parse --short HEAD)
PKG = k8s.io/ingress-nginx
ARCH ?= $(shell go env GOARCH)
GOARCH = ${ARCH}
DUMB_ARCH = ${ARCH}
GOBUILD_FLAGS := -v
ALL_ARCH = amd64 arm64
QEMUVERSION = v4.0.0
BUSTED_ARGS =-v --pattern=_test
GOOS = linux
ARCH ?= $(shell go env GOARCH)
export ARCH
export DUMB_ARCH
export TAG
export PKG
export GOARCH
export GOOS
export GIT_COMMIT
export GOBUILD_FLAGS
export REPO_INFO
export BUSTED_ARGS
REGISTRY ?= quay.io/kubernetes-ingress-controller
IMGNAME = nginx-ingress-controller
IMAGE = $(REGISTRY)/$(IMGNAME)
MULTI_ARCH_IMG = $(IMAGE)-$(ARCH)
BASE_IMAGE ?= quay.io/kubernetes-ingress-controller/nginx
BASE_TAG ?= 7b6e2dd312f1808e43fb39992ea814035557c7f3
# Set default base image dynamically for each arch
BASEIMAGE?=quay.io/kubernetes-ingress-controller/nginx-$(ARCH):0.86
GOARCH=$(ARCH)
GOBUILD_FLAGS := -v
ifeq ($(ARCH),arm64)
QEMUARCH=aarch64
endif
# use vendor directory instead of go modules https://github.com/golang/go/wiki/Modules
GO111MODULE=off
TEMP_DIR := $(shell mktemp -d)
DOCKERFILE := $(TEMP_DIR)/rootfs/Dockerfile
help: ## Display this help
@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m<target>\033[0m\n"} /^[a-zA-Z_-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
# internal task
.PHONY: sub-container-%
sub-container-%:
$(MAKE) ARCH=$* build container
# internal task
.PHONY: sub-push-%
sub-push-%:
sub-push-%: ## Publish image for a particular arch.
$(MAKE) ARCH=$* push
.PHONY: all-container
all-container: $(addprefix sub-container-,$(ALL_ARCH))
.PHONY: all-push
all-push: $(addprefix sub-push-,$(ALL_ARCH))
.PHONY: container
container: clean-container .container-$(ARCH)
container: clean-container .container-$(ARCH) ## Build image for a particular arch.
# internal task to build image for a particular arch.
.PHONY: .container-$(ARCH)
.container-$(ARCH):
.container-$(ARCH): init-docker-buildx
mkdir -p $(TEMP_DIR)/rootfs
cp bin/$(ARCH)/nginx-ingress-controller $(TEMP_DIR)/rootfs/nginx-ingress-controller
cp bin/$(ARCH)/dbg $(TEMP_DIR)/rootfs/dbg
cp bin/$(ARCH)/wait-shutdown $(TEMP_DIR)/rootfs/wait-shutdown
cp -RP ./* $(TEMP_DIR)
$(SED_I) "s|BASEIMAGE|$(BASEIMAGE)|g" $(DOCKERFILE)
$(SED_I) "s|QEMUARCH|$(QEMUARCH)|g" $(DOCKERFILE)
$(SED_I) "s|DUMB_ARCH|$(DUMB_ARCH)|g" $(DOCKERFILE)
cp -RP rootfs/* $(TEMP_DIR)/rootfs
ifeq ($(ARCH),amd64)
# When building "normally" for amd64, remove the whole line, it has no part in the amd64 image
$(SED_I) "/CROSS_BUILD_/d" $(DOCKERFILE)
else
# When cross-building, only the placeholder "CROSS_BUILD_" should be removed
curl -sSL https://github.com/multiarch/qemu-user-static/releases/download/$(QEMUVERSION)/x86_64_qemu-$(QEMUARCH)-static.tar.gz | tar -xz -C $(TEMP_DIR)/rootfs
$(SED_I) "s/CROSS_BUILD_//g" $(DOCKERFILE)
endif
@$(DOCKER) build --no-cache --pull -t $(MULTI_ARCH_IMG):$(TAG) $(TEMP_DIR)/rootfs
ifeq ($(ARCH), amd64)
# This is for maintaining backward compatibility
@$(DOCKER) tag $(MULTI_ARCH_IMG):$(TAG) $(IMAGE):$(TAG)
endif
echo "Building docker image ($(ARCH))..."
# buildx assumes images are multi-arch
docker buildx build \
--pull \
--load \
--no-cache \
--progress plain \
--platform linux/$(ARCH) \
--build-arg BASE_IMAGE="$(BASE_IMAGE)-$(ARCH):$(BASE_TAG)" \
--build-arg VERSION="$(TAG)" \
-t $(REGISTRY)/nginx-ingress-controller-${ARCH}:$(TAG) $(TEMP_DIR)/rootfs
.PHONY: clean-container
clean-container:
@$(DOCKER) rmi -f $(MULTI_ARCH_IMG):$(TAG) || true
.PHONY: register-qemu
register-qemu:
# Register /usr/bin/qemu-ARCH-static as the handler for binaries in multiple platforms
@$(DOCKER) run --rm --privileged multiarch/qemu-user-static:register --reset
clean-container: ## Removes local image
echo "removing old image $(BASE_IMAGE)-$(ARCH):$(TAG)"
@docker rmi -f $(BASE_IMAGE)-$(ARCH):$(TAG) || true
.PHONY: push
push: .push-$(ARCH)
push: .push-$(ARCH) ## Publish image for a particular arch.
# internal task
.PHONY: .push-$(ARCH)
.push-$(ARCH):
$(DOCKER) push $(MULTI_ARCH_IMG):$(TAG)
ifeq ($(ARCH), amd64)
$(DOCKER) push $(IMAGE):$(TAG)
endif
docker push $(REGISTRY)/nginx-ingress-controller-${ARCH}:$(TAG)
.PHONY: build
build:
build: check-go-version ## Build ingress controller, debug tool and pre-stop hook.
ifeq ($(USE_DOCKER), true)
@build/run-in-docker.sh \
PKG=$(PKG) \
ARCH=$(ARCH) \
GIT_COMMIT=$(GIT_COMMIT) \
REPO_INFO=$(REPO_INFO) \
TAG=$(TAG) \
GOBUILD_FLAGS=$(GOBUILD_FLAGS) \
build/build.sh
else
@build/build.sh
endif
.PHONY: build-plugin
build-plugin:
build-plugin: check-go-version ## Build ingress-nginx krew plugin.
ifeq ($(USE_DOCKER), true)
@build/run-in-docker.sh \
PKG=$(PKG) \
ARCH=$(ARCH) \
GIT_COMMIT=$(GIT_COMMIT) \
REPO_INFO=$(REPO_INFO) \
TAG=$(TAG) \
GOBUILD_FLAGS=$(GOBUILD_FLAGS) \
build/build-plugin.sh
else
@build/build-plugin.sh
endif
.PHONY: clean
clean:
rm -rf bin/ .gocache/
clean: ## Remove .gocache directory.
rm -rf bin/ .gocache/ .cache/
.PHONY: static-check
static-check:
@build/static-check.sh
static-check: ## Run verification script for boilerplate, codegen, gofmt, golint, lualint and chart-lint.
ifeq ($(USE_DOCKER), true)
@build/run-in-docker.sh \
hack/verify-all.sh
else
@hack/verify-all.sh
endif
.PHONY: test
test:
test: check-go-version ## Run go unit tests.
ifeq ($(USE_DOCKER), true)
@build/run-in-docker.sh \
PKG=$(PKG) \
ARCH=$(ARCH) \
GIT_COMMIT=$(GIT_COMMIT) \
REPO_INFO=$(REPO_INFO) \
TAG=$(TAG) \
GOBUILD_FLAGS=$(GOBUILD_FLAGS) \
build/test.sh
else
@build/test.sh
endif
.PHONY: lua-test
lua-test:
lua-test: ## Run lua unit tests.
ifeq ($(USE_DOCKER), true)
@build/run-in-docker.sh \
BUSTED_ARGS=$(BUSTED_ARGS) \
build/test-lua.sh
else
@build/test-lua.sh
endif
.PHONY: e2e-test
e2e-test:
echo "Granting permissions to ingress-nginx e2e service account..."
kubectl create serviceaccount ingress-nginx-e2e || true
kubectl create clusterrolebinding permissive-binding \
--clusterrole=cluster-admin \
--user=admin \
--user=kubelet \
--serviceaccount=default:ingress-nginx-e2e || true
until kubectl get secret | grep -q ^ingress-nginx-e2e-token; do \
echo "waiting for api token"; \
sleep 3; \
done
kubectl run --rm \
--attach \
--restart=Never \
--generator=run-pod/v1 \
--env="E2E_NODES=$(E2E_NODES)" \
--env="FOCUS=$(FOCUS)" \
--env="SLOW_E2E_THRESHOLD=$(SLOW_E2E_THRESHOLD)" \
--overrides='{ "apiVersion": "v1", "spec":{"serviceAccountName": "ingress-nginx-e2e"}}' \
e2e --image=nginx-ingress-controller:e2e
e2e-test: check-go-version ## Run e2e tests (expects access to a working Kubernetes cluster).
@build/run-e2e-suite.sh
.PHONY: e2e-test-image
e2e-test-image: e2e-test-binary
make -C test/e2e-image
e2e-test-image: ## Build image for e2e tests.
@make -C test/e2e-image
.PHONY: e2e-test-binary
e2e-test-binary:
e2e-test-binary: check-go-version ## Build ginkgo binary for e2e tests.
ifeq ($(USE_DOCKER), true)
@build/run-in-docker.sh \
ginkgo build ./test/e2e
else
@ginkgo build ./test/e2e
endif
.PHONY: print-e2e-suite
print-e2e-suite: e2e-test-binary ## Prints information about the suite of e2e tests.
@build/run-in-docker.sh \
hack/print-e2e-suite.sh
.PHONY: cover
cover:
cover: check-go-version ## Run go coverage unit tests.
@build/cover.sh
echo "Uploading coverage results..."
@curl -s https://codecov.io/bash | bash
@ -210,44 +226,63 @@ cover:
vet:
@go vet $(shell go list ${PKG}/internal/... | grep -v vendor)
.PHONY: release
release: all-container all-push
echo "done"
.PHONY: check_dead_links
check_dead_links:
check_dead_links: ## Check if the documentation contains dead links.
@docker run -t \
-v $$PWD:/tmp aledbf/awesome_bot:0.1 \
--allow-dupe \
--allow-redirect $(shell find $$PWD -mindepth 1 -name "*.md" -printf '%P\n' | grep -v vendor | grep -v Changelog.md)
.PHONY: dep-ensure
dep-ensure:
dep-ensure: check-go-version ## Update and vendo go dependencies.
GO111MODULE=on go mod tidy -v
find vendor -name '*_test.go' -delete
GO111MODULE=on go mod vendor
.PHONY: dev-env
dev-env:
dev-env: check-go-version ## Starts a local Kubernetes cluster using kind, building and deploying the ingress controller.
@build/dev-env.sh
.PHONY: dev-env-stop
dev-env-stop: ## Deletes local Kubernetes cluster created by kind.
@kind delete cluster --name ingress-nginx-dev
.PHONY: live-docs
live-docs:
@docker build --pull -t ingress-nginx/mkdocs build/mkdocs
live-docs: ## Build and launch a local copy of the documentation website in http://localhost:3000
@docker buildx build \
--pull \
--load \
--progress plain \
-t ingress-nginx/mkdocs images/mkdocs
@docker run --rm -it -p 3000:3000 -v ${PWD}:/docs ingress-nginx/mkdocs
.PHONY: build-docs
build-docs:
@docker build --pull -t ingress-nginx/mkdocs build/mkdocs
@docker run --rm -v ${PWD}:/docs ingress-nginx/mkdocs build
.PHONY: misspell
misspell:
misspell: check-go-version ## Check for spelling errors.
@go get github.com/client9/misspell/cmd/misspell
misspell \
-locale US \
-error \
cmd/* internal/* deploy/* docs/* design/* test/* README.md
.PHONE: kind-e2e-test
kind-e2e-test:
test/e2e/run.sh
.PHONY: kind-e2e-test
kind-e2e-test: check-go-version ## Run e2e tests using kind.
@test/e2e/run.sh
.PHONY: run-ingress-controller
run-ingress-controller: ## Run the ingress controller locally using a kubectl proxy connection.
@build/run-ingress-controller.sh
.PHONY: check-go-version
check-go-version:
@hack/check-go-version.sh
.PHONY: init-docker-buildx
init-docker-buildx:
ifeq ($(DIND_TASKS),)
ifneq ($(shell docker buildx 2>&1 >/dev/null; echo $?),)
$(error "buildx not available. Docker 19.03 or higher is required with experimental features enabled")
endif
docker run --rm --privileged docker/binfmt:66f9012c56a8316f9244ffd7622d7c21c1f6f28d
docker buildx create --name ingress-nginx --use || true
docker buildx inspect --bootstrap
endif

1
OWNERS
View file

@ -8,3 +8,4 @@ approvers:
reviewers:
- aledbf
- ElvinEfendi
- cmluciano

72
README.md
View file

@ -4,7 +4,6 @@
# NGINX Ingress Controller
[![Build Status](https://travis-ci.org/kubernetes/ingress-nginx.svg?branch=master)](https://travis-ci.org/kubernetes/ingress-nginx)
[![Coverage Status](https://codecov.io/gh/kubernetes/ingress-nginx/branch/master/graph/badge.svg)](https://codecov.io/gh/kubernetes/ingress-nginx)
[![Go Report Card](https://goreportcard.com/badge/github.com/kubernetes/ingress-nginx)](https://goreportcard.com/report/github.com/kubernetes/ingress-nginx)
[![GitHub license](https://img.shields.io/github/license/kubernetes/ingress-nginx.svg)](https://github.com/kubernetes/ingress-nginx/blob/master/LICENSE)
@ -12,55 +11,46 @@
[![GitHub stars](https://img.shields.io/badge/contributions-welcome-orange.svg)](https://github.com/kubernetes/ingress-nginx/blob/master/CONTRIBUTING.md)
[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fkubernetes%2Fingress-nginx.svg?type=shield)](https://app.fossa.io/projects/git%2Bgithub.com%2Fkubernetes%2Fingress-nginx?ref=badge_shield)
## Overview
ingress-nginx is an Ingress controller for Kubernetes using [NGINX](https://www.nginx.org/) as a reverse proxy and load balancer.
Learn more about Ingress on the main [Kubernetes](https://kubernetes.io/docs/concepts/services-networking/ingress/) documentation site.
## Get started
See the [Getting Started](https://kubernetes.github.io/ingress-nginx/deploy/) document.
## Troubleshooting
If you encounter issues, review the [troubleshooting docs](docs/troubleshooting.md), [file an issue](https://github.com/kubernetes/ingress-nginx/issues), or talk to us on the [#ingress-nginx channel](https://kubernetes.slack.com/messages/ingress-nginx) on the Kubernetes Slack server.
## Contributing
Thanks for taking the time to join our community and start contributing!
- This project adheres to the [Kubernetes Community Code of Conduct](https://git.k8s.io/community/code-of-conduct.md). By participating in this project, you agree to abide by its terms.
- See [CONTRIBUTING.md](CONTRIBUTING.md) for information about setting up your environment, the workflow that we expect, and instructions on the developer certificate of origin that we require.
- Check out the [open issues](https://github.com/kubernetes/ingress-nginx).
- Join our Kubernetes Slack channel: [#ingress-nginx](https://kubernetes.slack.com/messages/CANQGM8BA/)
## Changelog
See [the list of releases](https://github.com/kubernetes/ingress-nginx/releases) to find out about feature changes
For detailed changes for each release; please check the [Changelog.md](Changelog.md)
# Get Involved
- **Contributing**: Pull requests are welcome!
- Read [`CONTRIBUTING.md`](CONTRIBUTING.md) and check out [help-wanted](https://github.com/kubernetes/ingress-nginx/labels/help%20wanted) issues
- Submit github issues for any feature enhancements, bugs or documentation problems
- **Support**: Join to [Kubernetes Slack](http://slack.kubernetes.io/) to ask questions to get support from the maintainers and other developers
- Questions/comments can also be posted as [github issues](https://github.com/kubernetes/ingress-nginx/issues)
- **Support**: Join to [Kubernetes Slack](http://slack.kubernetes.io/) in the [#ingress-nginx](https://kubernetes.slack.com/messages/CANQGM8BA/) channel to ask questions to get support from the maintainers and other users
- The [github issues](https://github.com/kubernetes/ingress-nginx/issues) in the repository are **exclusively** for bug reports and feature requests.
- **Discuss**: Tweet using the `#IngressNginx` hashtag
## Description
This repository contains the NGINX controller built around the [Kubernetes Ingress resource](http://kubernetes.io/docs/user-guide/ingress/) that uses [ConfigMap](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#understanding-configmaps-and-pods) to store the NGINX configuration. [Make Ingress-Nginx Work for you, and the Community](https://youtu.be/GDm-7BlmPPg) from KubeCon Europe 2018 is a great video to get you started!!
Learn more about using Ingress on [k8s.io](https://kubernetes.io/docs/concepts/services-networking/ingress/)
### What is an Ingress Controller?
Configuring a webserver or loadbalancer is harder than it should be. Most webserver configuration files are very similar. There are some applications that have weird little quirks that tend to throw a wrench in things, but for the most part you can apply the same logic to them and achieve a desired result.
The Ingress resource embodies this idea, and an Ingress controller is meant to handle all the quirks associated with a specific "class" of Ingress.
An Ingress Controller is a daemon, deployed as a Kubernetes Pod, that watches the apiserver's `/ingresses` endpoint for updates to the [Ingress resource](https://kubernetes.io/docs/concepts/services-networking/ingress/). Its job is to satisfy requests for Ingresses.
## Documentation
To check out [Live Docs](https://kubernetes.github.io/ingress-nginx/)
## Questions
For questions and support please use the [#ingress-nginx](https://kubernetes.slack.com/messages/CANQGM8BA/) channel in the [Kubernetes Slack](http://slack.kubernetes.io/) or post to the [Kubernetes Forum](https://discuss.kubernetes.io). The issue list of this repo is **exclusively** for bug reports and feature requests.
## Issues
Please make sure to read the [Issue Reporting Checklist](https://github.com/kubernetes/ingress-nginx/blob/master/CONTRIBUTING.md#issue-reporting-guidelines) before opening an issue. Issues not conforming to the guidelines may be closed immediately.
## Changelog
Detailed changes for each release are documented in the [Changelog.md](Changelog.md)
## Contribution
Please make sure to read the [Contributing Guide](CONTRIBUTING.md) before making a pull request.
Thank you to all the people who already contributed to NGINX Ingress Controller!
## Code of Conduct
This project adheres to the [Kubernetes Community Code of Conduct](https://git.k8s.io/community/code-of-conduct.md).
By participating in this project you agree to abide by its terms.
Please make sure to read the [Issue Reporting Checklist](https://github.com/kubernetes/ingress-nginx/blob/master/CONTRIBUTING.md#issue-reporting-guidelines) before opening an issue. Issues not conforming to the guidelines **may be closed immediately**.
## License

55
build/build-ingress-controller.sh Executable file
View file

@ -0,0 +1,55 @@
#!/bin/bash
# Copyright 2019 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
if [ -n "$DEBUG" ]; then
set -x
fi
set -o errexit
set -o nounset
set -o pipefail
DIR=$(cd $(dirname "${BASH_SOURCE}") && pwd -P)
AWS_FILE="${DIR}/images/nginx/aws.tfvars"
ENV_FILE="${DIR}/images/nginx/env.tfvars"
if [ ! -f "${AWS_FILE}" ]; then
echo "File $AWS_FILE does not exist. Please create this file with keys access_key an secret_key"
exit 1
fi
if [ ! -f "${ENV_FILE}" ]; then
echo "File $ENV_FILE does not exist. Please create this file with keys docker_username and docker_password"
exit 1
fi
# build local terraform image to build nginx
docker buildx build \
--load \
--platform linux/amd64 \
--tag build-ingress-controller-terraform $DIR/images/ingress-controller
# build nginx and publish docker images to quay.io.
# this can take up to two hours.
docker run --rm -it \
--volume $DIR/images/ingress-controller:/tf \
-w /tf \
-v ${AWS_FILE}:/root/aws.tfvars:ro \
-v ${ENV_FILE}:/root/env.tfvars:ro \
build-ingress-controller-terraform
docker rmi -f build-ingress-controller-terraform

57
build/build-nginx-image.sh Executable file
View file

@ -0,0 +1,57 @@
#!/bin/bash
# Copyright 2019 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
if [ -n "$DEBUG" ]; then
set -x
fi
set -o errexit
set -o nounset
set -o pipefail
DIR=$(cd $(dirname "${BASH_SOURCE}") && pwd -P)
AWS_FILE="${DIR}/images/nginx/aws.tfvars"
ENV_FILE="${DIR}/images/nginx/env.tfvars"
if [ ! -f "${AWS_FILE}" ]; then
echo "File $AWS_FILE does not exist. Please create this file with keys access_key an secret_key"
exit 1
fi
if [ ! -f "${ENV_FILE}" ]; then
echo "File $ENV_FILE does not exist. Please create this file with keys docker_username and docker_password"
exit 1
fi
# build local terraform image to build nginx
export DOCKER_CLI_EXPERIMENTAL=enabled
docker buildx build \
--load \
--no-cache \
--platform linux/amd64 \
--tag build-nginx-terraform $DIR/images/nginx
# build nginx and publish docker images to quay.io.
# this can take up to two hours.
docker run --rm -it \
--volume $DIR/images/nginx:/tf \
-w /tf \
-v ${AWS_FILE}:/root/aws.tfvars:ro \
-v ${ENV_FILE}:/root/env.tfvars:ro \
build-nginx-terraform
docker rmi -f build-nginx-terraform

30
build/build-plugin.sh
View file

@ -14,7 +14,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
if ! [ -z $DEBUG ]; then
if [ -n "$DEBUG" ]; then
set -x
fi
@ -44,6 +44,8 @@ if [ "$missing" = true ]; then
fi
export CGO_ENABLED=0
# use vendor directory instead of go modules https://github.com/golang/go/wiki/Modules
export GO111MODULE=off
release=cmd/plugin/release
@ -52,24 +54,24 @@ function build_for_arch(){
arch=$2
extension=$3
env GOOS=${os} GOARCH=${arch} go build \
${GOBUILD_FLAGS} \
env GOOS="${os}" GOARCH="${arch}" go build \
"${GOBUILD_FLAGS}" \
-ldflags "-s -w \
-X ${PKG}/version.RELEASE=${TAG} \
-X ${PKG}/version.COMMIT=${GIT_COMMIT} \
-X ${PKG}/version.REPO=${REPO_INFO}" \
-o ${release}/kubectl-ingress_nginx${extension} ${PKG}/cmd/plugin
-X ${PKG}/version.RELEASE=${TAG} \
-X ${PKG}/version.COMMIT=${GIT_COMMIT} \
-X ${PKG}/version.REPO=${REPO_INFO}" \
-o "${release}/kubectl-ingress_nginx${extension}" "${PKG}/cmd/plugin"
tar -C ${release} -zcvf ${release}/kubectl-ingress_nginx-${os}-${arch}.tar.gz kubectl-ingress_nginx${extension}
rm ${release}/kubectl-ingress_nginx${extension}
hash=`sha256sum ${release}/kubectl-ingress_nginx-${os}-${arch}.tar.gz | awk '{ print $1 }'`
sed -i "s/%%%shasum_${os}_${arch}%%%/${hash}/g" ${release}/ingress-nginx.yaml
tar -C "${release}" -zcvf "${release}/kubectl-ingress_nginx-${os}-${arch}.tar.gz" "kubectl-ingress_nginx${extension}"
rm "${release}/kubectl-ingress_nginx${extension}"
hash=$(sha256sum "${release}/kubectl-ingress_nginx-${os}-${arch}.tar.gz" | awk '{ print $1 }')
sed -i "s/%%%shasum_${os}_${arch}%%%/${hash}/g" "${release}/ingress-nginx.yaml"
}
rm -rf ${release}
mkdir ${release}
rm -rf "${release}"
mkdir "${release}"
cp cmd/plugin/ingress-nginx.yaml.tmpl ${release}/ingress-nginx.yaml
cp cmd/plugin/ingress-nginx.yaml.tmpl "${release}/ingress-nginx.yaml"
sed -i "s/%%%tag%%%/${TAG}/g" ${release}/ingress-nginx.yaml

36
build/build.sh
View file

@ -14,7 +14,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
if ! [ -z $DEBUG ]; then
if [ -n "$DEBUG" ]; then
set -x
fi
@ -44,19 +44,29 @@ if [ "$missing" = true ]; then
fi
export CGO_ENABLED=0
export GOARCH=${ARCH}
go build \
${GOBUILD_FLAGS} \
-ldflags "-s -w \
-X ${PKG}/version.RELEASE=${TAG} \
-X ${PKG}/version.COMMIT=${GIT_COMMIT} \
-X ${PKG}/version.REPO=${REPO_INFO}" \
-o bin/${ARCH}/nginx-ingress-controller ${PKG}/cmd/nginx
"${GOBUILD_FLAGS}" \
-ldflags "-s -w \
-X ${PKG}/version.RELEASE=${TAG} \
-X ${PKG}/version.COMMIT=${GIT_COMMIT} \
-X ${PKG}/version.REPO=${REPO_INFO}" \
-o "bin/${ARCH}/nginx-ingress-controller" "${PKG}/cmd/nginx"
go build \
${GOBUILD_FLAGS} \
-ldflags "-s -w \
-X ${PKG}/version.RELEASE=${TAG} \
-X ${PKG}/version.COMMIT=${GIT_COMMIT} \
-X ${PKG}/version.REPO=${REPO_INFO}" \
-o bin/${ARCH}/dbg ${PKG}/cmd/dbg
"${GOBUILD_FLAGS}" \
-ldflags "-s -w \
-X ${PKG}/version.RELEASE=${TAG} \
-X ${PKG}/version.COMMIT=${GIT_COMMIT} \
-X ${PKG}/version.REPO=${REPO_INFO}" \
-o "bin/${ARCH}/dbg" "${PKG}/cmd/dbg"
go build \
"${GOBUILD_FLAGS}" \
-ldflags "-s -w \
-X ${PKG}/version.RELEASE=${TAG} \
-X ${PKG}/version.COMMIT=${GIT_COMMIT} \
-X ${PKG}/version.REPO=${REPO_INFO}" \
-o "bin/${ARCH}/wait-shutdown" "${PKG}/cmd/waitshutdown"

27
build/cover.sh
View file

@ -14,7 +14,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
if ! [ -z $DEBUG ]; then
if [ -n "$DEBUG" ]; then
set -x
fi
@ -23,17 +23,22 @@ set -o nounset
set -o pipefail
if [ -z "${PKG}" ]; then
echo "PKG must be set"
exit 1
echo "PKG must be set"
exit 1
fi
export CGO_ENABLED=1
export GODEBUG=netdns=cgo+2
# use vendor directory instead of go modules https://github.com/golang/go/wiki/Modules
export GO111MODULE=off
rm -rf coverage.txt
for d in `go list ${PKG}/... | grep -v vendor | grep -v '/test/e2e' | grep -v images`; do
t=$(date +%s);
go test -coverprofile=cover.out -covermode=atomic $d || exit 1;
echo "Coverage test $d took $(($(date +%s)-$t)) seconds";
if [ -f cover.out ]; then
cat cover.out >> coverage.txt;
rm cover.out;
fi;
for d in $(go list "${PKG}/..." | grep -v vendor | grep -v '/test/e2e' | grep -v images); do
t=$(date +%s);
go test -coverprofile=cover.out -covermode=atomic "$d" || exit 1;
echo "Coverage test $d took $(($(date +%s)-$t)) seconds";
if [ -f cover.out ]; then
cat cover.out >> coverage.txt;
rm cover.out;
fi;
done

122
build/dev-env.sh
View file

@ -14,7 +14,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
if ! [ -z $DEBUG ]; then
if [ -n "$DEBUG" ]; then
set -x
fi
@ -22,46 +22,116 @@ set -o errexit
set -o nounset
set -o pipefail
SKIP_MINIKUBE_START=${SKIP_MINIKUBE_START:-}
NAMESPACE="${NAMESPACE:-ingress-nginx}"
echo "NAMESPACE is set to ${NAMESPACE}"
DIR=$(cd $(dirname "${BASH_SOURCE}") && pwd -P)
kubectl config use-context minikube
export TAG=dev
export TAG=1.0.0-dev
export ARCH=amd64
export REGISTRY=${REGISTRY:-ingress-controller}
DEV_IMAGE=${REGISTRY}/nginx-ingress-controller:${TAG}
if [ -z "${SKIP_MINIKUBE_START}" ]; then
test $(minikube status | grep Running | wc -l) -ge 2 && $(minikube status | grep -q 'Correctly Configured') || minikube start \
--extra-config=kubelet.sync-frequency=1s \
--extra-config=apiserver.authorization-mode=RBAC
if ! command -v kind &> /dev/null; then
echo "kind is not installed"
echo "Use a package manager (i.e 'brew install kind') or visit the official site https://kind.sigs.k8s.io"
exit 1
fi
eval $(minikube docker-env --shell bash)
if ! command -v kubectl &> /dev/null; then
echo "Please install kubectl 1.15 or higher"
exit 1
fi
if ! docker buildx version &> /dev/null; then
echo "Make sure you have Docker 19.03 or higher and experimental features enabled"
exit 1
fi
if ! command -v helm &> /dev/null; then
echo "Please install helm"
exit 1
fi
KUBE_CLIENT_VERSION=$(kubectl version --client --short | awk '{print $3}' | cut -d. -f2) || true
if [[ ${KUBE_CLIENT_VERSION} -lt 14 ]]; then
echo "Please update kubectl to 1.15 or higher"
exit 1
fi
echo "[dev-env] building container"
make build container
docker tag "${REGISTRY}/nginx-ingress-controller-${ARCH}:${TAG}" "${DEV_IMAGE}"
docker save "${DEV_IMAGE}" | (eval $(minikube docker-env --shell bash) && docker load) || true
export K8S_VERSION=${K8S_VERSION:-v1.17.2@sha256:59df31fc61d1da5f46e8a61ef612fa53d3f9140f82419d1ef1a6b9656c6b737c}
for tool in kubectl kustomize; do
echo "[dev-env] installing $tool"
$tool version || brew install $tool
done
export DOCKER_CLI_EXPERIMENTAL=enabled
if ! kubectl get namespace $NAMESPACE; then
kubectl create namespace $NAMESPACE
KIND_CLUSTER_NAME="ingress-nginx-dev"
if ! kind get clusters -q | grep -q ${KIND_CLUSTER_NAME}; then
echo "[dev-env] creating Kubernetes cluster with kind"
cat <<EOF | kind create cluster --name ${KIND_CLUSTER_NAME} --config=-
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
kubeadmConfigPatches:
- |
kind: InitConfiguration
nodeRegistration:
kubeletExtraArgs:
node-labels: "ingress-ready=true"
authorization-mode: "AlwaysAllow"
extraPortMappings:
- containerPort: 80
hostPort: 80
protocol: TCP
- containerPort: 443
hostPort: 443
protocol: TCP
EOF
else
echo "[dev-env] using existing Kubernetes kind cluster"
fi
ROOT=./deploy/minikube
echo "[dev-env] copying docker images to cluster..."
kind load docker-image --name="${KIND_CLUSTER_NAME}" "${DEV_IMAGE}"
pushd $ROOT
kustomize edit set namespace $NAMESPACE
kustomize edit set image quay.io/kubernetes-ingress-controller/nginx-ingress-controller=${DEV_IMAGE}
popd
echo "[dev-env] deploying NGINX Ingress controller..."
kubectl create namespace ingress-nginx &> /dev/null || true
echo "[dev-env] deploying NGINX Ingress controller in namespace $NAMESPACE"
kustomize build $ROOT | kubectl apply -f -
cat << EOF | helm template ingress-nginx ${DIR}/../charts/ingress-nginx --namespace=ingress-nginx --values - | kubectl apply -n ingress-nginx -f -
controller:
image:
repository: ${REGISTRY}/nginx-ingress-controller
tag: ${TAG}
config:
worker-processes: "1"
podLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
deploy-date: "$(date +%s)"
service:
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
# change this when deployment supports hostPort without kubectl patch
kind: DaemonSet
daemonset:
useHostPort: true
terminationGracePeriodSeconds: 0
defaultBackend:
enabled: false
EOF
cat <<EOF
Kubernetes cluster ready and ingress-nginx listening in localhost using ports 80 and 443
To delete the dev cluster execute: 'kind delete cluster --name ingress-nginx-dev'
EOF

1
build/images/ingress-controller/.dockerignore Normal file
View file

@ -0,0 +1 @@
*.tfvars

7
build/images/ingress-controller/.gitignore vendored Normal file
View file

@ -0,0 +1,7 @@
.terraform*
terraform*
*.tfstate
*.tfstate.backup
id_rsa*
aws.tfvars
env.tfvars

19
build/images/ingress-controller/Dockerfile Normal file
View file

@ -0,0 +1,19 @@
FROM k8s.gcr.io/debian-base:v2.0.0
ENV TERRAFORM_VERSION 0.12.19
RUN clean-install \
bash \
curl \
ca-certificates \
unzip \
git \
openssh-client
RUN curl -sSL -o /terraform.zip "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip" \
&& unzip /terraform.zip -d /usr/bin \
&& rm -rf /terraform.zip
COPY entrypoint.sh /
CMD [ "/entrypoint.sh" ]

98
build/images/ingress-controller/build-ingress-controller.sh Normal file
View file

@ -0,0 +1,98 @@
#!/bin/bash
# Copyright 2019 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -o errexit
set -o nounset
set -o pipefail
function source_tfvars() {
eval "$(
awk 'BEGIN {FS=OFS="="}
!/^(#| *$)/ && /^.+=.+$/ {
gsub(/^[ \t]+|[ \t]+$/, "", $1);
gsub(/\./, "_", $1);
gsub(/^[ \t]+|[ \t]+$/, "", $2);
if ($1 && $2) print $0
}' "$@"
)"
}
source_tfvars /tmp/env
export DEBIAN_FRONTEND=noninteractive
apt -q=3 update
apt -q=3 dist-upgrade --yes
add-apt-repository universe --yes
add-apt-repository multiverse --yes
apt -q=3 update
apt -q=3 install \
apt-transport-https \
ca-certificates \
curl \
make \
htop \
software-properties-common --yes
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
add-apt-repository \
"deb [arch=amd64] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) \
stable" --yes
apt -q=3 update
apt -q=3 install docker-ce --yes
echo ${docker_password} | docker login -u ${docker_username} --password-stdin quay.io
curl -sL -o /usr/local/bin/gimme https://raw.githubusercontent.com/travis-ci/gimme/master/gimme
chmod +x /usr/local/bin/gimme
eval "$(gimme 1.14)"
export GOPATH="/tmp/go"
INGRESS_DIRECTORY="${GOPATH}/src/k8s.io"
mkdir -p ${INGRESS_DIRECTORY}
cd ${INGRESS_DIRECTORY}
git clone https://github.com/kubernetes/ingress-nginx
cd ingress-nginx
export DOCKER_CLI_EXPERIMENTAL=enabled
make init-docker-buildx
docker buildx use ingress-nginx --default --global
# disable docker in docker tasks
export DIND_TASKS=0
echo "Building NGINX image..."
ARCH=amd64 make build container push
ARCH=arm make build container push
ARCH=arm64 make build container push
# Requires https://github.com/kubernetes/ingress-nginx/pull/4271
#echo "Creating multi-arch images..."
#make push-manifest

54
build/images/ingress-controller/entrypoint.sh Executable file
View file

@ -0,0 +1,54 @@
#!/bin/bash
# Copyright 2019 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -o errexit
set -o nounset
set -o pipefail
catch() {
if [ "$1" == "0" ]; then
exit 0
fi
echo "Error $1 occurred on $2"
echo "Removing temporal resources..."
terraform destroy -auto-approve \
-var-file /root/aws.tfvars \
-var-file /root/env.tfvars \
-var valid_until="${EC2_VALID_UNTIL}"
}
trap 'catch $? $LINENO' ERR
terraform init
# destroy spot instance after two hours
EC2_VALID_UNTIL=$(date -d "+2 hours" +%Y-%m-%dT%H:%M:%SZ)
terraform plan \
-var-file /root/aws.tfvars \
-var-file /root/env.tfvars \
-var valid_until="${EC2_VALID_UNTIL}"
terraform apply -auto-approve \
-var-file /root/aws.tfvars \
-var-file /root/env.tfvars \
-var valid_until="${EC2_VALID_UNTIL}"
terraform destroy -auto-approve \
-var-file /root/aws.tfvars \
-var-file /root/env.tfvars \
-var valid_until="${EC2_VALID_UNTIL}"

184
build/images/ingress-controller/main.tf Normal file
View file

@ -0,0 +1,184 @@
terraform {
backend "local" {
path = "terraform.tfstate"
}
}
provider "aws" {
access_key = var.access_key
secret_key = var.secret_key
region = var.region
}
resource "aws_vpc" "vpc" {
cidr_block = var.cidr_vpc
enable_dns_support = true
enable_dns_hostnames = true
tags = {
"Project" = var.project_tag
}
}
resource "aws_internet_gateway" "igw" {
vpc_id = aws_vpc.vpc.id
tags = {
"Project" = var.project_tag
}
}
resource "aws_subnet" "subnet_public" {
vpc_id = aws_vpc.vpc.id
cidr_block = var.cidr_subnet
map_public_ip_on_launch = "true"
availability_zone = var.availability_zone
tags = {
"Project" = var.project_tag
}
}
resource "aws_route_table" "rtb_public" {
vpc_id = aws_vpc.vpc.id
route {
cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.igw.id
}
tags = {
"Project" = var.project_tag
}
}
resource "aws_route_table_association" "rta_subnet_public" {
subnet_id = aws_subnet.subnet_public.id
route_table_id = aws_route_table.rtb_public.id
}
resource "aws_security_group" "allow_ssh" {
name = "ssh"
vpc_id = aws_vpc.vpc.id
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
"Project" = var.project_tag
}
}
resource "tls_private_key" "bootstrap_private_key" {
algorithm = "RSA"
rsa_bits = "4096"
}
resource "aws_key_pair" "ssh_key" {
key_name = "ssh-key_${var.project_tag}"
public_key = chomp(tls_private_key.bootstrap_private_key.public_key_openssh)
}
resource "local_file" "public_key_openssh" {
count = 1
depends_on = [tls_private_key.bootstrap_private_key]
content = tls_private_key.bootstrap_private_key.public_key_pem
filename = "id_rsa.pub"
}
resource "local_file" "private_key_openssh" {
count = 1
depends_on = [tls_private_key.bootstrap_private_key]
content = tls_private_key.bootstrap_private_key.private_key_pem
filename = "id_rsa"
}
data "aws_ami" "latest-ubuntu" {
most_recent = true
owners = ["099720109477"]
filter {
name = "name"
values = ["ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*"]
}
filter {
name = "virtualization-type"
values = ["hvm"]
}
filter {
name = "root-device-type"
values = ["ebs"]
}
filter {
name = "block-device-mapping.volume-type"
values = ["gp2"]
}
}
resource "aws_spot_instance_request" "build_worker" {
ami = data.aws_ami.latest-ubuntu.id
instance_type = var.instance_type
subnet_id = aws_subnet.subnet_public.id
vpc_security_group_ids = [aws_security_group.allow_ssh.id]
valid_until = var.valid_until
key_name = aws_key_pair.ssh_key.key_name
spot_price = "2"
spot_type = "one-time"
ebs_optimized = true
root_block_device {
volume_size = 32
volume_type = "gp2"
delete_on_termination = true
}
wait_for_fulfillment = true
instance_initiated_shutdown_behavior = "terminate"
associate_public_ip_address = true
tags = {
"Project" = var.project_tag
}
connection {
host = coalesce(self.public_ip, self.private_ip)
type = "ssh"
user = "ubuntu"
private_key = tls_private_key.bootstrap_private_key.private_key_pem
}
provisioner "file" {
source = "build-ingress-controller.sh"
destination = "/tmp/build-ingress-controller.sh"
}
provisioner "file" {
source = "/root/env.tfvars"
destination = "/tmp/env"
}
provisioner "remote-exec" {
inline = [
"echo Building ingress controller images...",
"chmod +x /tmp/build-ingress-controller.sh",
"sudo /tmp/build-ingress-controller.sh",
]
}
}

52
build/images/ingress-controller/variables.tf Normal file
View file

@ -0,0 +1,52 @@
variable "access_key" {
}
variable "secret_key" {
}
variable "valid_until" {
}
variable "docker_username" {
}
variable "docker_password" {
}
variable "region" {
default = "us-west-2"
}
variable "cidr_vpc" {
description = "CIDR block for the VPC"
default = "10.4.0.0/16"
}
variable "cidr_subnet" {
description = "CIDR block for the subnet"
default = "10.4.0.0/24"
}
variable "availability_zone" {
description = "availability zone to create subnet"
default = "us-west-2b"
}
variable "ssh_key_path" {
description = "Path to the SSH key"
default = "~/.ssh/id_rsa"
}
variable "ssh_public_key_path" {
description = "Path to the public SSH key"
default = "~/.ssh/id_rsa.pub"
}
variable "instance_type" {
description = "EC2 instance"
default = "c5.18xlarge"
}
variable "project_tag" {
default = "kubernetes/ingress-nginx"
}

11
build/images/ingress-controller/versions.tf Normal file
View file

@ -0,0 +1,11 @@
terraform {
required_version = ">= 0.12"
required_providers {
aws = "~> 2.0"
tls = "~> 2.0"
local = "~> 1.3"
null = "~> 2.1"
}
}

1
build/images/nginx/.dockerignore Normal file
View file

@ -0,0 +1 @@
*.tfvars

7
build/images/nginx/.gitignore vendored Normal file
View file

@ -0,0 +1,7 @@
.terraform*
terraform*
*.tfstate
*.tfstate.backup
id_rsa*
aws.tfvars
env.tfvars

19
build/images/nginx/Dockerfile Normal file
View file

@ -0,0 +1,19 @@
FROM k8s.gcr.io/debian-base:v2.0.0
ENV TERRAFORM_VERSION 0.12.19
RUN clean-install \
bash \
curl \
ca-certificates \
unzip \
git \
openssh-client
RUN curl -sSL -o /terraform.zip "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip" \
&& unzip /terraform.zip -d /usr/bin \
&& rm -rf /terraform.zip
COPY entrypoint.sh /
CMD [ "/entrypoint.sh" ]

85
build/images/nginx/build-nginx.sh Normal file
View file

@ -0,0 +1,85 @@
#!/bin/bash
# Copyright 2019 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -o errexit
set -o nounset
set -o pipefail
function source_tfvars() {
eval "$(
awk 'BEGIN {FS=OFS="="}
!/^(#| *$)/ && /^.+=.+$/ {
gsub(/^[ \t]+|[ \t]+$/, "", $1);
gsub(/\./, "_", $1);
gsub(/^[ \t]+|[ \t]+$/, "", $2);
if ($1 && $2) print $0
}' "$@"
)"
}
source_tfvars /tmp/env
export DEBIAN_FRONTEND=noninteractive
export AR_FLAGS=cr
apt -q=3 update
apt -q=3 dist-upgrade --yes
add-apt-repository universe --yes
add-apt-repository multiverse --yes
apt -q=3 update
apt -q=3 install \
apt-transport-https \
ca-certificates \
curl \
make \
htop \
software-properties-common --yes
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
add-apt-repository \
"deb [arch=amd64] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) \
stable" --yes
apt -q=3 update
apt -q=3 install docker-ce --yes
export DOCKER_CLI_EXPERIMENTAL=enabled
echo ${docker_password} | docker login -u ${docker_username} --password-stdin quay.io
curl -sL -o /usr/local/bin/gimme https://raw.githubusercontent.com/travis-ci/gimme/master/gimme
chmod +x /usr/local/bin/gimme
eval "$(gimme 1.14)"
git clone https://github.com/kubernetes/ingress-nginx
cd ingress-nginx/images/nginx
export TAG=$(git rev-parse HEAD)
make init-docker-buildx
docker buildx use ingress-nginx --default --global
echo "Building NGINX images..."
make release

54
build/images/nginx/entrypoint.sh Executable file
View file

@ -0,0 +1,54 @@
#!/bin/bash
# Copyright 2019 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -o errexit
set -o nounset
set -o pipefail
catch() {
if [ "$1" == "0" ]; then
exit 0
fi
echo "Error $1 occurred on $2"
echo "Removing temporal resources..."
terraform destroy -auto-approve \
-var-file /root/aws.tfvars \
-var-file /root/env.tfvars \
-var valid_until="${EC2_VALID_UNTIL}"
}
trap 'catch $? $LINENO' ERR
terraform init
# destroy spot instance after two hours
EC2_VALID_UNTIL=$(date -d "+2 hours" +%Y-%m-%dT%H:%M:%SZ)
terraform plan \
-var-file /root/aws.tfvars \
-var-file /root/env.tfvars \
-var valid_until="${EC2_VALID_UNTIL}"
terraform apply -auto-approve \
-var-file /root/aws.tfvars \
-var-file /root/env.tfvars \
-var valid_until="${EC2_VALID_UNTIL}"
terraform destroy -auto-approve \
-var-file /root/aws.tfvars \
-var-file /root/env.tfvars \
-var valid_until="${EC2_VALID_UNTIL}"

184
build/images/nginx/main.tf Normal file
View file

@ -0,0 +1,184 @@
terraform {
backend "local" {
path = "terraform.tfstate"
}
}
provider "aws" {
access_key = var.access_key
secret_key = var.secret_key
region = var.region
}
resource "aws_vpc" "vpc" {
cidr_block = var.cidr_vpc
enable_dns_support = true
enable_dns_hostnames = true
tags = {
"Project" = var.project_tag
}
}
resource "aws_internet_gateway" "igw" {
vpc_id = aws_vpc.vpc.id
tags = {
"Project" = var.project_tag
}
}
resource "aws_subnet" "subnet_public" {
vpc_id = aws_vpc.vpc.id
cidr_block = var.cidr_subnet
map_public_ip_on_launch = "true"
availability_zone = var.availability_zone
tags = {
"Project" = var.project_tag
}
}
resource "aws_route_table" "rtb_public" {
vpc_id = aws_vpc.vpc.id
route {
cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.igw.id
}
tags = {
"Project" = var.project_tag
}
}
resource "aws_route_table_association" "rta_subnet_public" {
subnet_id = aws_subnet.subnet_public.id
route_table_id = aws_route_table.rtb_public.id
}
resource "aws_security_group" "allow_ssh" {
name = "ssh"
vpc_id = aws_vpc.vpc.id
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
"Project" = var.project_tag
}
}
resource "tls_private_key" "bootstrap_private_key" {
algorithm = "RSA"
rsa_bits = "4096"
}
resource "aws_key_pair" "ssh_key" {
key_name = "ssh-key_${var.project_tag}"
public_key = chomp(tls_private_key.bootstrap_private_key.public_key_openssh)
}
resource "local_file" "public_key_openssh" {
count = 1
depends_on = [tls_private_key.bootstrap_private_key]
content = tls_private_key.bootstrap_private_key.public_key_pem
filename = "id_rsa.pub"
}
resource "local_file" "private_key_openssh" {
count = 1
depends_on = [tls_private_key.bootstrap_private_key]
content = tls_private_key.bootstrap_private_key.private_key_pem
filename = "id_rsa"
}
data "aws_ami" "latest-ubuntu" {
most_recent = true
owners = ["099720109477"]
filter {
name = "name"
values = ["ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-*"]
}
filter {
name = "virtualization-type"
values = ["hvm"]
}
filter {
name = "root-device-type"
values = ["ebs"]
}
filter {
name = "block-device-mapping.volume-type"
values = ["gp2"]
}
}
resource "aws_spot_instance_request" "build_worker" {
ami = data.aws_ami.latest-ubuntu.id
instance_type = var.instance_type
subnet_id = aws_subnet.subnet_public.id
vpc_security_group_ids = [aws_security_group.allow_ssh.id]
valid_until = var.valid_until
key_name = aws_key_pair.ssh_key.key_name
spot_price = "2"
spot_type = "one-time"
ebs_optimized = true
root_block_device {
volume_size = 32
volume_type = "gp2"
delete_on_termination = true
}
wait_for_fulfillment = true
instance_initiated_shutdown_behavior = "terminate"
associate_public_ip_address = true
tags = {
"Project" = var.project_tag
}
connection {
host = coalesce(self.public_ip, self.private_ip)
type = "ssh"
user = "ubuntu"
private_key = tls_private_key.bootstrap_private_key.private_key_pem
}
provisioner "file" {
source = "build-nginx.sh"
destination = "/tmp/build-nginx.sh"
}
provisioner "file" {
source = "/root/env.tfvars"
destination = "/tmp/env"
}
provisioner "remote-exec" {
inline = [
"echo Building nginx images...",
"chmod +x /tmp/build-nginx.sh",
"sudo /tmp/build-nginx.sh",
]
}
}

52
build/images/nginx/variables.tf Normal file
View file

@ -0,0 +1,52 @@
variable "access_key" {
}
variable "secret_key" {
}
variable "valid_until" {
}
variable "docker_username" {
}
variable "docker_password" {
}
variable "region" {
default = "us-west-2"
}
variable "cidr_vpc" {
description = "CIDR block for the VPC"
default = "10.4.0.0/16"
}
variable "cidr_subnet" {
description = "CIDR block for the subnet"
default = "10.4.0.0/24"
}
variable "availability_zone" {
description = "availability zone to create subnet"
default = "us-west-2b"
}
variable "ssh_key_path" {
description = "Path to the SSH key"
default = "~/.ssh/id_rsa"
}
variable "ssh_public_key_path" {
description = "Path to the public SSH key"
default = "~/.ssh/id_rsa.pub"
}
variable "instance_type" {
description = "EC2 instance"
default = "c5.18xlarge"
}
variable "project_tag" {
default = "kubernetes/ingress-nginx"
}

11
build/images/nginx/versions.tf Normal file
View file

@ -0,0 +1,11 @@
terraform {
required_version = ">= 0.12"
required_providers {
aws = "~> 2.0"
tls = "~> 2.0"
local = "~> 1.3"
null = "~> 2.1"
}
}

83
build/run-e2e-suite.sh Executable file
View file

@ -0,0 +1,83 @@
#!/bin/bash
# Copyright 2018 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
if ! [ -z "$DEBUG" ]; then
set -x
fi
set -o errexit
set -o nounset
set -o pipefail
RED='\e[35m'
NC='\e[0m'
BGREEN='\e[32m'
declare -a mandatory
mandatory=(
E2E_NODES
SLOW_E2E_THRESHOLD
)
missing=false
for var in "${mandatory[@]}"; do
if [[ -z "${!var:-}" ]]; then
echo -e "${RED}Environment variable $var must be set${NC}"
missing=true
fi
done
if [ "$missing" = true ]; then
exit 1
fi
function cleanup {
kubectl delete pod e2e 2>/dev/null || true
}
trap cleanup EXIT
E2E_CHECK_LEAKS=${E2E_CHECK_LEAKS:-}
FOCUS=${FOCUS:-.*}
export E2E_CHECK_LEAKS
export FOCUS
echo -e "${BGREEN}Granting permissions to ingress-nginx e2e service account...${NC}"
kubectl create serviceaccount ingress-nginx-e2e || true
kubectl create clusterrolebinding permissive-binding \
--clusterrole=cluster-admin \
--user=admin \
--user=kubelet \
--serviceaccount=default:ingress-nginx-e2e || true
echo -e "${BGREEN}Waiting service account...${NC}"; \
until kubectl get secret | grep -q -e ^ingress-nginx-e2e-token; do \
echo -e "waiting for api token"; \
sleep 3; \
done
echo -e "Starting the e2e test pod"
kubectl run --rm \
--attach \
--restart=Never \
--generator=run-pod/v1 \
--env="E2E_NODES=${E2E_NODES}" \
--env="FOCUS=${FOCUS}" \
--env="E2E_CHECK_LEAKS=${E2E_CHECK_LEAKS}" \
--env="SLOW_E2E_THRESHOLD=${SLOW_E2E_THRESHOLD}" \
--overrides='{ "apiVersion": "v1", "spec":{"serviceAccountName": "ingress-nginx-e2e"}}' \
e2e --image=nginx-ingress-controller:e2e

57
build/run-in-docker.sh
View file

@ -14,39 +14,52 @@
# See the License for the specific language governing permissions and
# limitations under the License.
if ! [ -z $DEBUG ]; then
set -x
if [ -n "$DEBUG" ]; then
set -x
fi
set -o errexit
set -o nounset
set -o pipefail
E2E_IMAGE=quay.io/kubernetes-ingress-controller/e2e:v05262019-c7df84866
# temporal directory for the /etc/ingress-controller directory
INGRESS_VOLUME=$(mktemp -d)
DOCKER_OPTS=${DOCKER_OPTS:-""}
if [[ "$OSTYPE" == darwin* ]]; then
INGRESS_VOLUME=/private$INGRESS_VOLUME
fi
function cleanup {
rm -rf "${INGRESS_VOLUME}"
}
trap cleanup EXIT
E2E_IMAGE=quay.io/kubernetes-ingress-controller/e2e:v03062020-7b6e2dd31
DOCKER_OPTS=${DOCKER_OPTS:-}
KUBE_ROOT=$(cd $(dirname "${BASH_SOURCE}")/.. && pwd -P)
FLAGS=$@
PKG=k8s.io/ingress-nginx
ARCH=$(go env GOARCH)
MINIKUBE_PATH=${HOME}/.minikube
MINIKUBE_VOLUME="-v ${MINIKUBE_PATH}:${MINIKUBE_PATH}"
if [ ! -d ${MINIKUBE_PATH} ]; then
echo "Minikube directory not found! Volume will be excluded from docker build."
MINIKUBE_VOLUME=""
fi
# create output directory as current user to avoid problem with docker.
mkdir -p "${KUBE_ROOT}/bin" "${KUBE_ROOT}/bin/${ARCH}"
docker run \
--tty \
--rm \
${DOCKER_OPTS} \
-v ${HOME}/.kube:/${HOME}/.kube \
-v ${PWD}:/go/src/${PKG} \
-v ${PWD}/.gocache:${HOME}/.cache/go-build \
-v ${PWD}/bin/${ARCH}:/go/bin/linux_${ARCH} \
-v /var/run/docker.sock:/var/run/docker.sock \
${MINIKUBE_VOLUME} \
-w /go/src/${PKG} \
${E2E_IMAGE} ${FLAGS}
docker run \
--tty \
--rm \
${DOCKER_OPTS} \
-e GOCACHE="/go/src/${PKG}/.cache" \
-e GO111MODULE=off \
-e DIND_TASKS=0 \
-v "${HOME}/.kube:${HOME}/.kube" \
-v "${KUBE_ROOT}:/go/src/${PKG}" \
-v "${KUBE_ROOT}/bin/${ARCH}:/go/bin/linux_${ARCH}" \
-v "/var/run/docker.sock:/var/run/docker.sock" \
-v "${INGRESS_VOLUME}:/etc/ingress-controller/" \
-w "/go/src/${PKG}" \
-u $(id -u ${USER}):$(id -g ${USER}) \
${E2E_IMAGE} /bin/bash -c "${FLAGS}"

111
build/run-ingress-controller.sh Executable file
View file

@ -0,0 +1,111 @@
#!/bin/bash
# Copyright 2018 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
if [ -n "$DEBUG" ]; then
set -x
fi
set -o errexit
set -o nounset
set -o pipefail
RED='\e[35m'
NC='\e[0m'
BGREEN='\e[32m'
declare -a mandatory
mandatory=(
IMAGE
ARCH
TAG
)
missing=false
for var in "${mandatory[@]}"; do
if [[ -z "${!var:-}" ]]; then
echo "${RED}Environment variable $var must be set${NC}"
missing=true
fi
done
if [ "$missing" = true ]; then
exit 1
fi
# temporal directory for the fake SSL certificate
SSL_VOLUME=$(mktemp -d)
function cleanup {
echo -e "${BGREEN}Stoping kubectl proxy${NC}"
rm -rf "${SSL_VOLUME}"
kill "$proxy_pid"
}
trap cleanup EXIT
KUBE_ROOT=$(dirname "${BASH_SOURCE}")/..
# the ingress controller needs this two variables. To avoid the
# creation of any object in the cluster we use invalid names.
POD_NAMESPACE="invalid-namespace"
POD_NAME="invalid-namespace"
export TAG
export IMAGE
if [[ "${ARCH}" != "amd64" ]]; then
echo -e "${BGREEN}Register ${RED}/usr/bin/qemu-ARCH-static${BGREEN} as the handler for binaries in multiple platforms${NC}"
make -C "${KUBE_ROOT}" register-qemu
fi
USE_EXISTING_IMAGE=${USE_EXISTING_IMAGE:-false}
if [[ "${USE_EXISTING_IMAGE}" == "true" ]]; then
echo -e "${BGREEN}Downloading ingress controller image${NC}"
docker pull "${IMAGE}-${ARCH}:${TAG}"
else
echo -e "${BGREEN}Building ingress controller image${NC}"
make -C "${KUBE_ROOT}" build "sub-container-${ARCH}"
fi
CONTEXT=$(kubectl config current-context)
echo -e "Running against kubectl cluster ${BGREEN}${CONTEXT}${NC}"
kubectl proxy --accept-hosts=.* --address=0.0.0.0 &
proxy_pid=$!
sleep 1
echo -e "\n${BGREEN}kubectl proxy PID: ${BGREEN}$proxy_pid${NC}"
until curl --output /dev/null -fsSL http://localhost:8001/; do
echo -e "${RED}waiting for kubectl proxy${NC}"
sleep 5
done
# if we run as user we cannot bind to port 80 and 443
docker run \
--rm \
--name local-ingress-controller \
--net=host \
--user="root:root" \
-e POD_NAMESPACE="${POD_NAMESPACE}" \
-e POD_NAME="${POD_NAME}" \
-v "${SSL_VOLUME}:/etc/ingress-controller/ssl/" \
-v "${HOME}/.kube:${HOME}/.kube:ro" \
"${IMAGE}-${ARCH}:${TAG}" /nginx-ingress-controller \
--update-status=false \
--v=2 \
--apiserver-host=http://0.0.0.0:8001 \
--kubeconfig="${HOME}/.kube/config"

8
build/test-lua.sh
View file

@ -15,7 +15,7 @@
# limitations under the License.
if ! [ -z $DEBUG ]; then
if [ -n "$DEBUG" ]; then
set -x
fi
@ -25,10 +25,10 @@ set -o pipefail
resty \
-I ./rootfs/etc/nginx/lua \
-I /usr/local/lib/lua \
-I /usr/lib/lua-platform-path/lua/5.1 \
--shdict "configuration_data 5M" \
--shdict "certificate_data 16M" \
--shdict "certificate_servers 1M" \
--shdict "balancer_ewma 1M" \
--shdict "balancer_ewma_last_touched_at 1M" \
./rootfs/etc/nginx/lua/test/run.lua ${BUSTED_ARGS} ./rootfs/etc/nginx/lua/test/
--shdict "balancer_ewma_locks 512k" \
./rootfs/etc/nginx/lua/test/run.lua ${BUSTED_ARGS} ./rootfs/etc/nginx/lua/test/ ./rootfs/etc/nginx/lua/plugins/**/test

16
build/test.sh
View file

@ -15,7 +15,7 @@
# limitations under the License.
if ! [ -z $DEBUG ]; then
if [ -n "$DEBUG" ]; then
set -x
fi
@ -24,9 +24,15 @@ set -o nounset
set -o pipefail
if [ -z "${PKG}" ]; then
echo "PKG must be set"
exit 1
echo "PKG must be set"
exit 1
fi
go test -v -race -tags "cgo" \
$(go list ${PKG}/... | grep -v vendor | grep -v '/test/e2e' | grep -v images | grep -v "docs/examples")
# enabled to use host dns resolver
export CGO_ENABLED=1
export GODEBUG=netdns=cgo+2
# use vendor directory instead of go modules https://github.com/golang/go/wiki/Modules
export GO111MODULE=off
go test -v \
$(go list "${PKG}/..." | grep -v vendor | grep -v '/test/e2e' | grep -v images | grep -v "docs/examples")

22
charts/ingress-nginx/.helmignore Normal file
View file

@ -0,0 +1,22 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

16
charts/ingress-nginx/Chart.yaml Normal file
View file

@ -0,0 +1,16 @@
apiVersion: v1
name: ingress-nginx
version: 2.0.0
appVersion: 0.30.0
home: https://github.com/kubernetes/ingress-nginx
description: An nginx Ingress controller that uses ConfigMap to store the nginx configuration.
icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png
keywords:
- ingress
- nginx
sources:
- https://github.com/kubernetes/ingress-nginx
maintainers:
- name: ChiefAlexander
engine: gotpl
kubeVersion: ">=1.10.0-0"

5
charts/ingress-nginx/OWNERS Normal file
View file

@ -0,0 +1,5 @@
approvers:
- ChiefAlexander
reviewers:
- ChiefAlexander

332
charts/ingress-nginx/README.md Normal file
View file

@ -0,0 +1,332 @@
|![](https://upload.wikimedia.org/wikipedia/commons/thumb/1/17/Warning.svg/156px-Warning.svg.png) | Work in progress. Please do not use it until we release an official version. |
|---|---|
# ingress-nginx
[ingress-nginx](https://github.com/kubernetes/ingress-nginx) is an Ingress controller that uses ConfigMap to store the nginx configuration.
To use, add the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.
## TL;DR;
```console
$ helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
$ helm install ingress-nginx
```
## Introduction
This chart bootstraps an ingress-nginx deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
## Prerequisites
- Kubernetes 1.6+
## Installing the Chart
To install the chart with the release name `my-release`:
```console
$ helm install --name my-release ingress-nginx
```
The command deploys ingress-nginx on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
> **Tip**: List all releases using `helm list`
## Uninstalling the Chart
To uninstall/delete the `my-release` deployment:
```console
$ helm delete my-release
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
## Configuration
The following table lists the configurable parameters of the ingress-nginx chart and their default values.
Parameter | Description | Default
--- | --- | ---
`controller.image.repository` | controller container image repository | `quay.io/kubernetes-ingress-controller/nginx-ingress-controller`
`controller.image.tag` | controller container image tag | `0.30.0`
`controller.image.pullPolicy` | controller container image pull policy | `IfNotPresent`
`controller.image.runAsUser` | User ID of the controller process. Value depends on the Linux distribution used inside of the container image. | `101`
`controller.containerPort.http` | The port that the controller container listens on for http connections. | `80`
`controller.containerPort.https` | The port that the controller container listens on for https connections. | `443`
`controller.config` | nginx [ConfigMap](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md) entries | none
`controller.configAnnotations` | annotations to be added to controller custom configuration configmap | `{}`
`controller.hostNetwork` | If the nginx deployment / daemonset should run on the host's network namespace. Do not set this when `controller.service.externalIPs` is set and `kube-proxy` is used as there will be a port-conflict for port `80` | false
`controller.defaultBackendService` | default 404 backend service; needed only if `defaultBackend.enabled = false` and version < 0.21.0| `""`
`controller.dnsPolicy` | If using `hostNetwork=true`, change to `ClusterFirstWithHostNet`. See [pod's dns policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) for details | `ClusterFirst`
`controller.dnsConfig` | custom pod dnsConfig. See [pod's dns config](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-config) for details | `{}`
`controller.reportNodeInternalIp` | If using `hostNetwork=true`, setting `reportNodeInternalIp=true`, will pass the flag `report-node-internal-ip-address` to ingress-nginx. This sets the status of all Ingress objects to the internal IP address of all nodes running the NGINX Ingress controller.
`controller.electionID` | election ID to use for the status update | `ingress-controller-leader`
`controller.extraEnvs` | any additional environment variables to set in the pods | `{}`
`controller.extraContainers` | Sidecar containers to add to the controller pod. See [LemonLDAP::NG controller](https://github.com/lemonldap-ng-controller/lemonldap-ng-controller) as example | `{}`
`controller.extraVolumeMounts` | Additional volumeMounts to the controller main container | `{}`
`controller.extraVolumes` | Additional volumes to the controller pod | `{}`
`controller.extraInitContainers` | Containers, which are run before the app containers are started | `[]`
`controller.ingressClass` | name of the ingress class to route through this controller | `nginx`
`controller.maxmindLicenseKey` | Maxmind license key to download GeoLite2 Databases. See [Accessing and using GeoLite2 database](https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/) | `""`
`controller.scope.enabled` | limit the scope of the ingress controller | `false` (watch all namespaces)
`controller.scope.namespace` | namespace to watch for ingress | `""` (use the release namespace)
`controller.extraArgs` | Additional controller container arguments | `{}`
`controller.kind` | install as Deployment, DaemonSet or Both | `Deployment`
`controller.deploymentAnnotations` | annotations to be added to deployment | `{}`
`controller.autoscaling.enabled` | If true, creates Horizontal Pod Autoscaler | false
`controller.autoscaling.minReplicas` | If autoscaling enabled, this field sets minimum replica count | `2`
`controller.autoscaling.maxReplicas` | If autoscaling enabled, this field sets maximum replica count | `11`
`controller.autoscaling.targetCPUUtilizationPercentage` | Target CPU utilization percentage to scale | `"50"`
`controller.autoscaling.targetMemoryUtilizationPercentage` | Target memory utilization percentage to scale | `"50"`
`controller.daemonset.useHostPort` | If `controller.kind` is `DaemonSet`, this will enable `hostPort` for TCP/80 and TCP/443 | false
`controller.daemonset.hostPorts.http` | If `controller.daemonset.useHostPort` is `true` and this is non-empty, it sets the hostPort | `"80"`
`controller.daemonset.hostPorts.https` | If `controller.daemonset.useHostPort` is `true` and this is non-empty, it sets the hostPort | `"443"`
`controller.tolerations` | node taints to tolerate (requires Kubernetes >=1.6) | `[]`
`controller.affinity` | node/pod affinities (requires Kubernetes >=1.6) | `{}`
`controller.terminationGracePeriodSeconds` | how many seconds to wait before terminating a pod | `60`
`controller.minReadySeconds` | how many seconds a pod needs to be ready before killing the next, during update | `0`
`controller.nodeSelector` | node labels for pod assignment | `{}`
`controller.podAnnotations` | annotations to be added to pods | `{}`
`controller.podLabels` | labels to add to the pod container metadata | `{}`
`controller.podSecurityContext` | Security context policies to add to the controller pod | `{}`
`controller.replicaCount` | desired number of controller pods | `1`
`controller.minAvailable` | minimum number of available controller pods for PodDisruptionBudget | `1`
`controller.resources` | controller pod resource requests & limits | `{}`
`controller.priorityClassName` | controller priorityClassName | `nil`
`controller.lifecycle` | controller pod lifecycle hooks | `{}`
`controller.service.annotations` | annotations for controller service | `{}`
`controller.service.labels` | labels for controller service | `{}`
`controller.publishService.enabled` | if true, the controller will set the endpoint records on the ingress objects to reflect those on the service | `false`
`controller.publishService.pathOverride` | override of the default publish-service name | `""`
`controller.service.enabled` | if disabled no service will be created. This is especially useful when `controller.kind` is set to `DaemonSet` and `controller.daemonset.useHostPorts` is `true` | true
`controller.service.clusterIP` | internal controller cluster service IP (set to `"-"` to pass an empty value) | `nil`
`controller.service.omitClusterIP` | (Deprecated) To omit the `clusterIP` from the controller service | `false`
`controller.service.externalIPs` | controller service external IP addresses. Do not set this when `controller.hostNetwork` is set to `true` and `kube-proxy` is used as there will be a port-conflict for port `80` | `[]`
`controller.service.externalTrafficPolicy` | If `controller.service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable [source IP preservation](https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typenodeport) | `"Cluster"`
`controller.service.sessionAffinity` | Enables client IP based session affinity. Must be `ClientIP` or `None` if set. | `""`
`controller.service.healthCheckNodePort` | If `controller.service.type` is `NodePort` or `LoadBalancer` and `controller.service.externalTrafficPolicy` is set to `Local`, set this to [the managed health-check port the kube-proxy will expose](https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typenodeport). If blank, a random port in the `NodePort` range will be assigned | `""`
`controller.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""`
`controller.service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to load balancer (if supported) | `[]`
`controller.service.enableHttp` | if port 80 should be opened for service | `true`
`controller.service.enableHttps` | if port 443 should be opened for service | `true`
`controller.service.targetPorts.http` | Sets the targetPort that maps to the Ingress' port 80 | `80`
`controller.service.targetPorts.https` | Sets the targetPort that maps to the Ingress' port 443 | `443`
`controller.service.ports.http` | Sets service http port | `80`
`controller.service.ports.https` | Sets service https port | `443`
`controller.service.type` | type of controller service to create | `LoadBalancer`
`controller.service.nodePorts.http` | If `controller.service.type` is either `NodePort` or `LoadBalancer` and this is non-empty, it sets the nodePort that maps to the Ingress' port 80 | `""`
`controller.service.nodePorts.https` | If `controller.service.type` is either `NodePort` or `LoadBalancer` and this is non-empty, it sets the nodePort that maps to the Ingress' port 443 | `""`
`controller.service.nodePorts.tcp` | Sets the nodePort for an entry referenced by its key from `tcp` | `{}`
`controller.service.nodePorts.udp` | Sets the nodePort for an entry referenced by its key from `udp` | `{}`
`controller.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 10
`controller.livenessProbe.periodSeconds` | How often to perform the probe | 10
`controller.livenessProbe.timeoutSeconds` | When the probe times out | 5
`controller.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1
`controller.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 3
`controller.livenessProbe.port` | The port number that the liveness probe will listen on. | 10254
`controller.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 10
`controller.readinessProbe.periodSeconds` | How often to perform the probe | 10
`controller.readinessProbe.timeoutSeconds` | When the probe times out | 1
`controller.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1
`controller.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 3
`controller.readinessProbe.port` | The port number that the readiness probe will listen on. | 10254
`controller.metrics.enabled` | if `true`, enable Prometheus metrics | `false`
`controller.metrics.service.annotations` | annotations for Prometheus metrics service | `{}`
`controller.metrics.service.clusterIP` | cluster IP address to assign to service (set to `"-"` to pass an empty value) | `nil`
`controller.metrics.service.omitClusterIP` | (Deprecated) To omit the `clusterIP` from the metrics service | `false`
`controller.metrics.service.externalIPs` | Prometheus metrics service external IP addresses | `[]`
`controller.metrics.service.labels` | labels for metrics service | `{}`
`controller.metrics.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""`
`controller.metrics.service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to load balancer (if supported) | `[]`
`controller.metrics.service.servicePort` | Prometheus metrics service port | `9913`
`controller.metrics.service.type` | type of Prometheus metrics service to create | `ClusterIP`
`controller.metrics.serviceMonitor.enabled` | Set this to `true` to create ServiceMonitor for Prometheus operator | `false`
`controller.metrics.serviceMonitor.additionalLabels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}`
`controller.metrics.serviceMonitor.honorLabels` | honorLabels chooses the metric's labels on collisions with target labels. | `false`
`controller.metrics.serviceMonitor.namespace` | namespace where servicemonitor resource should be created | `the same namespace as nginx ingress`
`controller.metrics.serviceMonitor.namespaceSelector` | [namespaceSelector](https://github.com/coreos/prometheus-operator/blob/v0.34.0/Documentation/api.md#namespaceselector) to configure what namespaces to scrape | `will scrape the helm release namespace only`
`controller.metrics.serviceMonitor.scrapeInterval` | interval between Prometheus scraping | `30s`
`controller.metrics.prometheusRule.enabled` | Set this to `true` to create prometheusRules for Prometheus operator | `false`
`controller.metrics.prometheusRule.additionalLabels` | Additional labels that can be used so prometheusRules will be discovered by Prometheus | `{}`
`controller.metrics.prometheusRule.namespace` | namespace where prometheusRules resource should be created | `the same namespace as nginx ingress`
`controller.metrics.prometheusRule.rules` | [rules](https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/) to be prometheus in YAML format, check values for an example. | `[]`
`controller.admissionWebhooks.enabled` | Create Ingress admission webhooks. Validating webhook will check the ingress syntax. | `false`
`controller.admissionWebhooks.failurePolicy` | Failure policy for admission webhooks | `Fail`
`controller.admissionWebhooks.port` | Admission webhook port | `8080`
`controller.admissionWebhooks.service.annotations` | Annotations for admission webhook service | `{}`
`controller.admissionWebhooks.service.omitClusterIP` | (Deprecated) To omit the `clusterIP` from the admission webhook service | `false`
`controller.admissionWebhooks.service.clusterIP` | cluster IP address to assign to admission webhook service (set to `"-"` to pass an empty value) | `nil`
`controller.admissionWebhooks.service.externalIPs` | Admission webhook service external IP addresses | `[]`
`controller.admissionWebhooks.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""`
`controller.admissionWebhooks.service.loadBalancerSourceRanges` | List of IP CIDRs allowed access to load balancer (if supported) | `[]`
`controller.admissionWebhooks.service.servicePort` | Admission webhook service port | `443`
`controller.admissionWebhooks.service.type` | Type of admission webhook service to create | `ClusterIP`
`controller.admissionWebhooks.patch.enabled` | If true, will use a pre and post install hooks to generate a CA and certificate to use for the prometheus operator tls proxy, and patch the created webhooks with the CA. | `true`
`controller.admissionWebhooks.patch.image.repository` | Repository to use for the webhook integration jobs | `jettech/kube-webhook-certgen`
`controller.admissionWebhooks.patch.image.tag` | Tag to use for the webhook integration jobs | `v1.0.0`
`controller.admissionWebhooks.patch.image.pullPolicy` | Image pull policy for the webhook integration jobs | `IfNotPresent`
`controller.admissionWebhooks.patch.priorityClassName` | Priority class for the webhook integration jobs | `""`
`controller.admissionWebhooks.patch.podAnnotations` | Annotations for the webhook job pods | `{}`
`controller.admissionWebhooks.patch.nodeSelector` | Node selector for running admission hook patch jobs | `{}`
`controller.customTemplate.configMapName` | configMap containing a custom nginx template | `""`
`controller.customTemplate.configMapKey` | configMap key containing the nginx template | `""`
`controller.addHeaders` | configMap key:value pairs containing [custom headers](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers) added before sending response to the client | `{}`
`controller.proxySetHeaders` | configMap key:value pairs containing [custom headers](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#proxy-set-headers) added before sending request to the backends| `{}`
`controller.headers` | DEPRECATED, Use `controller.proxySetHeaders` instead. | `{}`
`controller.updateStrategy` | allows setting of RollingUpdate strategy | `{}`
`controller.configMapNamespace` | The nginx-configmap namespace name | `""`
`controller.tcp.configMapNamespace` | The tcp-services-configmap namespace name | `""`
`controller.tcp.annotations` | annotations to be added to tcp configmap | `{}`
`controller.udp.configMapNamespace` | The udp-services-configmap namespace name | `""`
`controller.udp.annotations` | annotations to be added to udp configmap | `{}`
`defaultBackend.enabled` | Use default backend component | `true`
`defaultBackend.image.repository` | default backend container image repository | `k8s.gcr.io/defaultbackend-amd64`
`defaultBackend.image.tag` | default backend container image tag | `1.5`
`defaultBackend.image.pullPolicy` | default backend container image pull policy | `IfNotPresent`
`defaultBackend.image.runAsUser` | User ID of the controller process. Value depends on the Linux distribution used inside of the container image. By default uses nobody user. | `65534`
`defaultBackend.extraArgs` | Additional default backend container arguments | `{}`
`defaultBackend.extraEnvs` | any additional environment variables to set in the defaultBackend pods | `[]`
`defaultBackend.port` | Http port number | `8080`
`defaultBackend.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 30
`defaultBackend.livenessProbe.periodSeconds` | How often to perform the probe | 10
`defaultBackend.livenessProbe.timeoutSeconds` | When the probe times out | 5
`defaultBackend.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1
`defaultBackend.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 3
`defaultBackend.readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 0
`defaultBackend.readinessProbe.periodSeconds` | How often to perform the probe | 5
`defaultBackend.readinessProbe.timeoutSeconds` | When the probe times out | 5
`defaultBackend.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | 1
`defaultBackend.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6
`defaultBackend.tolerations` | node taints to tolerate (requires Kubernetes >=1.6) | `[]`
`defaultBackend.affinity` | node/pod affinities (requires Kubernetes >=1.6) | `{}`
`defaultBackend.nodeSelector` | node labels for pod assignment | `{}`
`defaultBackend.podAnnotations` | annotations to be added to pods | `{}`
`defaultBackend.podLabels` | labels to add to the pod container metadata | `{}`
`defaultBackend.replicaCount` | desired number of default backend pods | `1`
`defaultBackend.minAvailable` | minimum number of available default backend pods for PodDisruptionBudget | `1`
`defaultBackend.resources` | default backend pod resource requests & limits | `{}`
`defaultBackend.priorityClassName` | default backend priorityClassName | `nil`
`defaultBackend.podSecurityContext` | Security context policies to add to the default backend | `{}`
`defaultBackend.service.annotations` | annotations for default backend service | `{}`
`defaultBackend.service.clusterIP` | internal default backend cluster service IP (set to `"-"` to pass an empty value) | `nil`
`defaultBackend.service.omitClusterIP` | (Deprecated) To omit the `clusterIP` from the default backend service | `false`
`defaultBackend.service.externalIPs` | default backend service external IP addresses | `[]`
`defaultBackend.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""`
`defaultBackend.service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to load balancer (if supported) | `[]`
`defaultBackend.service.type` | type of default backend service to create | `ClusterIP`
`defaultBackend.serviceAccount.create` | if `true`, create a backend service account. Only useful if you need a pod security policy to run the backend. | `true`
`defaultBackend.serviceAccount.name` | The name of the backend service account to use. If not set and `create` is `true`, a name is generated using the fullname template. Only useful if you need a pod security policy to run the backend. | ``
`imagePullSecrets` | name of Secret resource containing private registry credentials | `nil`
`rbac.create` | if `true`, create & use RBAC resources | `true`
`rbac.scope` | if `true`, do not create & use clusterrole and -binding. Set to `true` in combination with `controller.scope.enabled=true` to disable load-balancer status updates and scope the ingress entirely. | `false`
`podSecurityPolicy.enabled` | if `true`, create & use Pod Security Policy resources | `false`
`serviceAccount.create` | if `true`, create a service account for the controller | `true`
`serviceAccount.name` | The name of the controller service account to use. If not set and `create` is `true`, a name is generated using the fullname template. | ``
`revisionHistoryLimit` | The number of old history to retain to allow rollback. | `10`
`tcp` | TCP service key:value pairs. The value is evaluated as a template. | `{}`
`udp` | UDP service key:value pairs The value is evaluated as a template. | `{}`
These parameters can be passed via Helm's `--set` option
```console
$ helm install ingress-nginx --name my-release \
--set controller.metrics.enabled=true
```
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
```console
$ helm install ingress-nginx --name my-release -f values.yaml
```
A useful trick to debug issues with ingress is to increase the logLevel
as described [here](https://github.com/kubernetes/ingress-nginx/blob/master/docs/troubleshooting.md#debug)
```console
$ helm install ingress-nginx --set controller.extraArgs.v=2
```
> **Tip**: You can use the default [values.yaml](values.yaml)
## PodDisruptionBudget
Note that the PodDisruptionBudget resource will only be defined if the replicaCount is greater than one,
else it would make it impossible to evacuate a node. See [gh issue #7127](https://github.com/helm/charts/issues/7127) for more info.
## Prometheus Metrics
The Nginx ingress controller can export Prometheus metrics.
```console
$ helm install ingress-nginx --name my-release \
--set controller.metrics.enabled=true
```
You can add Prometheus annotations to the metrics service using `controller.metrics.service.annotations`. Alternatively, if you use the Prometheus Operator, you can enable ServiceMonitor creation using `controller.metrics.serviceMonitor.enabled`.
## ingress-nginx nginx\_status page/stats server
Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in nginx ingress controller:
* in [0.16.1](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0161), the vts (virtual host traffic status) dashboard was removed
* in [0.23.0](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0230), the status page at port 18080 is now a unix socket webserver only available at localhost.
You can use `curl --unix-socket /tmp/nginx-status-server.sock http://localhost/nginx_status` inside the controller container to access it locally, or use the snippet from [nginx-ingress changelog](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0230) to re-enable the http server
## ExternalDNS Service configuration
Add an [ExternalDNS](https://github.com/kubernetes-incubator/external-dns) annotation to the LoadBalancer service:
```yaml
controller:
service:
annotations:
external-dns.alpha.kubernetes.io/hostname: kubernetes-example.com.
```
## AWS L7 ELB with SSL Termination
Annotate the controller as shown in the [nginx-ingress l7 patch](https://github.com/kubernetes/ingress-nginx/blob/master/deploy/aws/l7/service-l7.yaml):
```yaml
controller:
service:
targetPorts:
http: http
https: http
annotations:
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:XX-XXXX-X:XXXXXXXXX:certificate/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
```
## AWS route53-mapper
To configure the LoadBalancer service with the [route53-mapper addon](https://github.com/kubernetes/kops/tree/master/addons/route53-mapper), add the `domainName` annotation and `dns` label:
```yaml
controller:
service:
labels:
dns: "route53"
annotations:
domainName: "kubernetes-example.com"
```
## Ingress Admission Webhooks
With nginx-ingress-controller version 0.25+, the nginx ingress controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster.
With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix [this issue](https://github.com/kubernetes/ingress-nginx/pull/4521)
## Helm error when upgrading: spec.clusterIP: Invalid value: ""
If you are upgrading this chart from a version between 0.31.0 and 1.2.2 then you may get an error like this:
```
Error: UPGRADE FAILED: Service "?????-controller" is invalid: spec.clusterIP: Invalid value: "": field is immutable
```
Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13646) but to resolve this you can set `xxxx.service.omitClusterIP` to `true` where `xxxx` is the service referenced in the error.
As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered.

4
charts/ingress-nginx/ci/daemonset-customconfig-values.yaml Normal file
View file

@ -0,0 +1,4 @@
controller:
kind: DaemonSet
config:
use-proxy-protocol: "true"

15
charts/ingress-nginx/ci/daemonset-customnodeport-values.yaml Normal file
View file

@ -0,0 +1,15 @@
controller:
kind: DaemonSet
service:
type: NodePort
nodePorts:
tcp:
9000: 30090
udp:
9001: 30091
tcp:
9000: "default/test:8080"
udp:
9001: "default/test:8080"

6
charts/ingress-nginx/ci/daemonset-headers-values.yaml Normal file
View file

@ -0,0 +1,6 @@
controller:
kind: DaemonSet
addHeaders:
X-Frame-Options: deny
proxySetHeaders:
X-Forwarded-Proto: https

4
charts/ingress-nginx/ci/daemonset-nodeport-values.yaml Normal file
View file

@ -0,0 +1,4 @@
controller:
kind: DaemonSet
service:
type: NodePort

14
charts/ingress-nginx/ci/daemonset-tcp-udp-configMapNamespace-values.yaml Normal file
View file

@ -0,0 +1,14 @@
controller:
kind: DaemonSet
service:
type: ClusterIP
tcp:
configMapNamespace: default
udp:
configMapNamespace: default
tcp:
9000: "default/test:8080"
udp:
9001: "default/test:8080"

10
charts/ingress-nginx/ci/daemonset-tcp-udp-values.yaml Normal file
View file

@ -0,0 +1,10 @@
controller:
kind: DaemonSet
service:
type: ClusterIP
tcp:
9000: "default/test:8080"
udp:
9001: "default/test:8080"

6
charts/ingress-nginx/ci/daemonset-tcp-values.yaml Normal file
View file

@ -0,0 +1,6 @@
controller:
kind: DaemonSet
tcp:
9000: "default/test:8080"
9001: "default/test:8080"

2
charts/ingress-nginx/ci/deamonset-default-values.yaml Normal file
View file

@ -0,0 +1,2 @@
controller:
kind: DaemonSet

4
charts/ingress-nginx/ci/deamonset-metrics-values.yaml Normal file
View file

@ -0,0 +1,4 @@
controller:
kind: DaemonSet
metrics:
enabled: true

5
charts/ingress-nginx/ci/deamonset-psp-values.yaml Normal file
View file

@ -0,0 +1,5 @@
controller:
kind: DaemonSet
podSecurityPolicy:
enabled: true

7
charts/ingress-nginx/ci/deamonset-webhook-and-psp-values.yaml Normal file
View file

@ -0,0 +1,7 @@
controller:
kind: DaemonSet
admissionWebhooks:
enabled: true
podSecurityPolicy:
enabled: true

4
charts/ingress-nginx/ci/deamonset-webhook-values.yaml Normal file
View file

@ -0,0 +1,4 @@
controller:
kind: DaemonSet
admissionWebhooks:
enabled: true

3
charts/ingress-nginx/ci/deployment-autoscaling-values.yaml Normal file
View file

@ -0,0 +1,3 @@
controller:
autoscaling:
enabled: true

3
charts/ingress-nginx/ci/deployment-customconfig-values.yaml Normal file
View file

@ -0,0 +1,3 @@
controller:
config:
use-proxy-protocol: "true"

14
charts/ingress-nginx/ci/deployment-customnodeport-values.yaml Normal file
View file

@ -0,0 +1,14 @@
controller:
service:
type: NodePort
nodePorts:
tcp:
9000: 30090
udp:
9001: 30091
tcp:
9000: "default/test:8080"
udp:
9001: "default/test:8080"

1
charts/ingress-nginx/ci/deployment-default-values.yaml Normal file
View file

@ -0,0 +1 @@
# Left blank to test default values

5
charts/ingress-nginx/ci/deployment-headers-values.yaml Normal file
View file

@ -0,0 +1,5 @@
controller:
addHeaders:
X-Frame-Options: deny
proxySetHeaders:
X-Forwarded-Proto: https

3
charts/ingress-nginx/ci/deployment-metrics-values.yaml Normal file
View file

@ -0,0 +1,3 @@
controller:
metrics:
enabled: true

3
charts/ingress-nginx/ci/deployment-nodeport-values.yaml Normal file
View file

@ -0,0 +1,3 @@
controller:
service:
type: NodePort

2
charts/ingress-nginx/ci/deployment-psp-values.yaml Normal file
View file

@ -0,0 +1,2 @@
podSecurityPolicy:
enabled: true

13
charts/ingress-nginx/ci/deployment-tcp-udp-configMapNamespace-values.yaml Normal file
View file

@ -0,0 +1,13 @@
controller:
service:
type: ClusterIP
tcp:
configMapNamespace: default
udp:
configMapNamespace: default
tcp:
9000: "default/test:8080"
udp:
9001: "default/test:8080"

9
charts/ingress-nginx/ci/deployment-tcp-udp-values.yaml Normal file
View file

@ -0,0 +1,9 @@
controller:
service:
type: ClusterIP
tcp:
9000: "default/test:8080"
udp:
9001: "default/test:8080"

3
charts/ingress-nginx/ci/deployment-tcp-values.yaml Normal file
View file

@ -0,0 +1,3 @@
tcp:
9000: "default/test:8080"
9001: "default/test:8080"

6
charts/ingress-nginx/ci/deployment-webhook-and-psp-values.yaml Normal file
View file

@ -0,0 +1,6 @@
controller:
admissionWebhooks:
enabled: true
podSecurityPolicy:
enabled: true

3
charts/ingress-nginx/ci/deployment-webhook-values.yaml Normal file
View file

@ -0,0 +1,3 @@
controller:
admissionWebhooks:
enabled: true

71
charts/ingress-nginx/templates/NOTES.txt Normal file
View file

@ -0,0 +1,71 @@
The ingress-nginx controller has been installed.
{{- if contains "NodePort" .Values.controller.service.type }}
Get the application URL by running these commands:
{{- if (not (empty .Values.controller.service.nodePorts.http)) }}
export HTTP_NODE_PORT={{ .Values.controller.service.nodePorts.http }}
{{- else }}
export HTTP_NODE_PORT=$(kubectl --namespace {{ .Release.Namespace }} get services -o jsonpath="{.spec.ports[0].nodePort}" {{ include "ingress-nginx.controller.fullname" . }})
{{- end }}
{{- if (not (empty .Values.controller.service.nodePorts.https)) }}
export HTTPS_NODE_PORT={{ .Values.controller.service.nodePorts.https }}
{{- else }}
export HTTPS_NODE_PORT=$(kubectl --namespace {{ .Release.Namespace }} get services -o jsonpath="{.spec.ports[1].nodePort}" {{ include "ingress-nginx.controller.fullname" . }})
{{- end }}
export NODE_IP=$(kubectl --namespace {{ .Release.Namespace }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}")
echo "Visit http://$NODE_IP:$HTTP_NODE_PORT to access your application via HTTP."
echo "Visit https://$NODE_IP:$HTTPS_NODE_PORT to access your application via HTTPS."
{{- else if contains "LoadBalancer" .Values.controller.service.type }}
It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status by running 'kubectl --namespace {{ .Release.Namespace }} get services -o wide -w {{ include "ingress-nginx.controller.fullname" . }}'
{{- else if contains "ClusterIP" .Values.controller.service.type }}
Get the application URL by running these commands:
export POD_NAME=$(kubectl --namespace {{ .Release.Namespace }} get pods -o jsonpath="{.items[0].metadata.name}" -l "app={{ template "ingress-nginx.name" . }},component={{ .Values.controller.name }},release={{ .Release.Name }}")
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80
echo "Visit http://127.0.0.1:8080 to access your application."
{{- end }}
An example Ingress that makes use of the controller:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: {{ .Values.controller.ingressClass }}
name: example
namespace: foo
spec:
rules:
- host: www.example.com
http:
paths:
- backend:
serviceName: exampleService
servicePort: 80
path: /
# This section is only required if TLS is to be enabled for the Ingress
tls:
- hosts:
- www.example.com
secretName: example-tls
If TLS is enabled for the Ingress, a Secret containing the certificate and key must also be provided:
apiVersion: v1
kind: Secret
metadata:
name: example-tls
namespace: foo
data:
tls.crt: <base64 encoded cert>
tls.key: <base64 encoded key>
type: kubernetes.io/tls
{{- if .Values.controller.headers }}
#################################################################################
###### WARNING: `controller.headers` has been deprecated! #####
###### It has been renamed to `controller.proxySetHeaders`. #####
#################################################################################
{{- end }}

148
charts/ingress-nginx/templates/_helpers.tpl Normal file
View file

@ -0,0 +1,148 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "ingress-nginx.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "ingress-nginx.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "ingress-nginx.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified controller name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "ingress-nginx.controller.fullname" -}}
{{- printf "%s-%s" (include "ingress-nginx.fullname" .) "controller" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Construct the path for the publish-service.
By convention this will simply use the <namespace>/<controller-name> to match the name of the
service generated.
Users can provide an override for an explicit service they want bound via `.Values.controller.publishService.pathOverride`
*/}}
{{- define "ingress-nginx.controller.publishServicePath" -}}
{{- $defServiceName := printf "%s/%s" .Release.Namespace (include "ingress-nginx.controller.fullname" .) -}}
{{- $servicePath := default $defServiceName .Values.controller.publishService.pathOverride }}
{{- print $servicePath | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified default backend name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "ingress-nginx.defaultBackend.fullname" -}}
{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "ingress-nginx.labels" -}}
helm.sh/chart: {{ include "ingress-nginx.chart" . }}
{{ include "ingress-nginx.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Selector labels
*/}}
{{- define "ingress-nginx.selectorLabels" -}}
app.kubernetes.io/name: {{ include "ingress-nginx.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
{{/*
Create the name of the controller service account to use
*/}}
{{- define "ingress-nginx.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "ingress-nginx.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled
*/}}
{{- define "ingress-nginx.defaultBackend.serviceAccountName" -}}
{{- if .Values.defaultBackend.serviceAccount.create -}}
{{ default (printf "%s-backend" (include "ingress-nginx.fullname" .)) .Values.defaultBackend.serviceAccount.name }}
{{- else -}}
{{ default "default-backend" .Values.defaultBackend.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for deployment.
*/}}
{{- define "deployment.apiVersion" -}}
{{- if semverCompare ">=1.9-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "apps/v1" -}}
{{- else -}}
{{- print "extensions/v1beta1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for daemonset.
*/}}
{{- define "daemonset.apiVersion" -}}
{{- if semverCompare ">=1.9-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "apps/v1" -}}
{{- else -}}
{{- print "v1/beta2" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiGroup for PodSecurityPolicy.
*/}}
{{- define "podSecurityPolicy.apiGroup" -}}
{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "policy" -}}
{{- else -}}
{{- print "extensions" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for podSecurityPolicy.
*/}}
{{- define "podSecurityPolicy.apiVersion" -}}
{{- if semverCompare ">=1.10-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "policy/v1beta1" -}}
{{- else -}}
{{- print "extensions/v1beta1" -}}
{{- end -}}
{{- end -}}

27
charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml Normal file
View file

@ -0,0 +1,27 @@
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: admission-webhook
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
verbs:
- get
- update
{{- if .Values.podSecurityPolicy.enabled }}
- apiGroups: ['extensions']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ include "ingress-nginx.fullname" . }}-admission
{{- end }}
{{- end }}

20
charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml Normal file
View file

@ -0,0 +1,20 @@
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: admission-webhook
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "ingress-nginx.fullname" . }}-admission
subjects:
- kind: ServiceAccount
name: {{ include "ingress-nginx.fullname" . }}-admission
namespace: {{ .Release.Namespace }}
{{- end }}

47
charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml Normal file
View file

@ -0,0 +1,47 @@
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission-create
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: admission-webhook
spec:
{{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
# Alpha feature since k8s 1.12
ttlSecondsAfterFinished: 0
{{- end }}
template:
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission-create
{{- if .Values.controller.admissionWebhooks.patch.podAnnotations }}
annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations | nindent 8 }}
{{- end }}
labels:
{{- include "ingress-nginx.labels" . | nindent 8 }}
app.kubernetes.io/component: admission-webhook
spec:
{{- if .Values.controller.admissionWebhooks.patch.priorityClassName }}
priorityClassName: {{ .Values.controller.admissionWebhooks.patch.priorityClassName }}
{{- end }}
containers:
- name: create
image: {{ .Values.controller.admissionWebhooks.patch.image.repository }}:{{ .Values.controller.admissionWebhooks.patch.image.tag }}
imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
args:
- create
- --host={{ include "ingress-nginx.controller.fullname" . }}-admission,{{ include "ingress-nginx.controller.fullname" . }}-admission.{{ .Release.Namespace }}.svc
- --namespace={{ .Release.Namespace }}
- --secret-name={{ include "ingress-nginx.fullname" . }}-admission
restartPolicy: OnFailure
serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission
{{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
{{- end }}
securityContext:
runAsNonRoot: true
runAsUser: 2000
{{- end }}

49
charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml Normal file
View file

@ -0,0 +1,49 @@
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission-patch
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: admission-webhook
spec:
{{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
# Alpha feature since k8s 1.12
ttlSecondsAfterFinished: 0
{{- end }}
template:
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission-patch
{{- if .Values.controller.admissionWebhooks.patch.podAnnotations }}
annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations | nindent 8 }}
{{- end }}
labels:
{{- include "ingress-nginx.labels" . | nindent 8 }}
app.kubernetes.io/component: admission-webhook
spec:
{{- if .Values.controller.admissionWebhooks.patch.priorityClassName }}
priorityClassName: {{ .Values.controller.admissionWebhooks.patch.priorityClassName }}
{{- end }}
containers:
- name: patch
image: {{ .Values.controller.admissionWebhooks.patch.image.repository }}:{{ .Values.controller.admissionWebhooks.patch.image.tag }}
imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.pullPolicy }}
args:
- patch
- --webhook-name={{ include "ingress-nginx.fullname" . }}-admission
- --namespace={{ .Release.Namespace }}
- --patch-mutating=false
- --secret-name={{ include "ingress-nginx.fullname" . }}-admission
- --patch-failure-policy={{ .Values.controller.admissionWebhooks.failurePolicy }}
restartPolicy: OnFailure
serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission
{{- if .Values.controller.admissionWebhooks.patch.nodeSelector }}
nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }}
{{- end }}
securityContext:
runAsNonRoot: true
runAsUser: 2000
{{- end }}

36
charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml Normal file
View file

@ -0,0 +1,36 @@
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.podSecurityPolicy.enabled -}}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: admission-webhook
spec:
allowPrivilegeEscalation: false
fsGroup:
ranges:
- max: 65535
min: 1
rule: MustRunAs
requiredDropCapabilities:
- ALL
runAsUser:
rule: MustRunAsNonRoot
seLinux:
rule: RunAsAny
supplementalGroups:
ranges:
- max: 65535
min: 1
rule: MustRunAs
volumes:
- configMap
- emptyDir
- projected
- secret
- downwardAPI
{{- end }}

20
charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml Normal file
View file

@ -0,0 +1,20 @@
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: admission-webhook
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- create
{{- end }}

20
charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml Normal file
View file

@ -0,0 +1,20 @@
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: admission-webhook
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "ingress-nginx.fullname" . }}-admission
subjects:
- kind: ServiceAccount
name: {{ include "ingress-nginx.fullname" . }}-admission
namespace: {{ .Release.Namespace }}
{{- end }}

12
charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml Normal file
View file

@ -0,0 +1,12 @@
{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "ingress-nginx.fullname" . }}-admission
annotations:
"helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: admission-webhook
{{- end }}

28
charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml Normal file
View file

@ -0,0 +1,28 @@
{{- if .Values.controller.admissionWebhooks.enabled -}}
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: admission-webhook
name: {{ include "ingress-nginx.fullname" . }}-admission
webhooks:
- name: validate.nginx.ingress.kubernetes.io
rules:
- apiGroups:
- extensions
- networking.k8s.io
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- ingresses
failurePolicy: Fail
clientConfig:
service:
namespace: {{ .Release.Namespace }}
name: {{ include "ingress-nginx.controller.fullname" . }}-admission
path: /extensions/v1beta1/ingresses
{{- end }}

25
deploy/cluster-wide/cluster-role.yaml → charts/ingress-nginx/templates/clusterrole.yaml
View file

@ -1,7 +1,10 @@
apiVersion: rbac.authorization.k8s.io/v1beta1
{{- if and .Values.rbac.create (not .Values.rbac.scope) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: nginx-ingress-clusterrole
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
name: {{ include "ingress-nginx.fullname" . }}
rules:
- apiGroups:
- ""
@ -14,6 +17,16 @@ rules:
verbs:
- list
- watch
{{- if and .Values.controller.scope.enabled .Values.controller.scope.namespace }}
- apiGroups:
- ""
resources:
- namespaces
resourceNames:
- "{{ .Values.controller.scope.namespace }}"
verbs:
- get
{{- end }}
- apiGroups:
- ""
resources:
@ -27,9 +40,11 @@ rules:
verbs:
- get
- list
- update
- watch
- apiGroups:
- "extensions"
- extensions
- "networking.k8s.io" # k8s 1.14+
resources:
- ingresses
verbs:
@ -44,8 +59,10 @@ rules:
- create
- patch
- apiGroups:
- "extensions"
- extensions
- "networking.k8s.io" # k8s 1.14+
resources:
- ingresses/status
verbs:
- update
{{- end }}

16
charts/ingress-nginx/templates/clusterrolebinding.yaml Normal file
View file

@ -0,0 +1,16 @@
{{- if and .Values.rbac.create (not .Values.rbac.scope) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
name: {{ include "ingress-nginx.fullname" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "ingress-nginx.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "ingress-nginx.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}

10
charts/ingress-nginx/templates/controller-configmap-addheaders.yaml Normal file
View file

@ -0,0 +1,10 @@
{{- if .Values.controller.addHeaders -}}
apiVersion: v1
kind: ConfigMap
metadata:
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: controller
name: {{ include "ingress-nginx.fullname" . }}-custom-add-headers
data: {{ toYaml .Values.controller.addHeaders | nindent 2 }}
{{- end }}

15
charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml Normal file
View file

@ -0,0 +1,15 @@
{{- if or .Values.controller.proxySetHeaders .Values.controller.headers -}}
apiVersion: v1
kind: ConfigMap
metadata:
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: controller
name: {{ include "ingress-nginx.fullname" . }}-custom-proxy-headers
data:
{{- if .Values.controller.proxySetHeaders }}
{{ toYaml .Values.controller.proxySetHeaders | indent 2 }}
{{ else if and .Values.controller.headers (not .Values.controller.proxySetHeaders) }}
{{ toYaml .Values.controller.headers | indent 2 }}
{{- end }}
{{- end }}

13
charts/ingress-nginx/templates/controller-configmap-tcp.yaml Normal file
View file

@ -0,0 +1,13 @@
{{- if .Values.tcp -}}
apiVersion: v1
kind: ConfigMap
metadata:
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- if .Values.controller.tcp.annotations }}
annotations: {{ toYaml .Values.controller.tcp.annotations | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.fullname" . }}-tcp
data: {{ tpl (toYaml .Values.tcp) . | nindent 2 }}
{{- end }}

13
charts/ingress-nginx/templates/controller-configmap-udp.yaml Normal file
View file

@ -0,0 +1,13 @@
{{- if .Values.udp -}}
apiVersion: v1
kind: ConfigMap
metadata:
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- if .Values.controller.udp.annotations }}
annotations: {{ toYaml .Values.controller.udp.annotations | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.fullname" . }}-udp
data: {{ tpl (toYaml .Values.udp) . | nindent 2 }}
{{- end }}

22
charts/ingress-nginx/templates/controller-configmap.yaml Normal file
View file

@ -0,0 +1,22 @@
{{- if or .Values.controller.config (or (or .Values.controller.proxySetHeaders .Values.controller.headers) .Values.controller.addHeaders) -}}
apiVersion: v1
kind: ConfigMap
metadata:
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- if .Values.controller.configAnnotations }}
annotations: {{ toYaml .Values.controller.configAnnotations | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}
data:
{{- if .Values.controller.addHeaders }}
add-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers
{{- end }}
{{- if or .Values.controller.proxySetHeaders .Values.controller.headers }}
proxy-set-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-proxy-headers
{{- end }}
{{- if .Values.controller.config }}
{{ toYaml .Values.controller.config | nindent 2 }}
{{- end }}
{{- end }}

241
charts/ingress-nginx/templates/controller-daemonset.yaml Normal file
View file

@ -0,0 +1,241 @@
{{- if or (eq .Values.controller.kind "DaemonSet") (eq .Values.controller.kind "Both") -}}
apiVersion: {{ template "daemonset.apiVersion" . }}
kind: DaemonSet
metadata:
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: controller
name: {{ include "ingress-nginx.controller.fullname" . }}
{{- if .Values.controller.daemonsetAnnotations }}
annotations: {{ toYaml .Values.controller.daemonsetAnnotations | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: controller
revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
{{- if .Values.controller.updateStrategy }}
updateStrategy: {{ toYaml .Values.controller.updateStrategy | nindent 4 }}
{{- end }}
minReadySeconds: {{ .Values.controller.minReadySeconds }}
template:
metadata:
{{- if .Values.controller.podAnnotations }}
annotations: {{ toYaml .Values.controller.podAnnotations | nindent 8 }}
{{- end }}
labels:
{{- include "ingress-nginx.selectorLabels" . | nindent 8 }}
app.kubernetes.io/component: controller
{{- if .Values.controller.podLabels }}
{{- toYaml .Values.controller.podLabels | nindent 8 }}
{{- end }}
spec:
{{- if .Values.controller.dnsConfig }}
dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }}
{{- end }}
dnsPolicy: {{ .Values.controller.dnsPolicy }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
{{- end }}
{{- if .Values.controller.priorityClassName }}
priorityClassName: {{ .Values.controller.priorityClassName }}
{{- end }}
{{- if .Values.controller.podSecurityContext }}
securityContext: {{ toYaml .Values.controller.podSecurityContext | nindent 8 }}
{{- end }}
containers:
- name: controller
image: {{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }}
imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
{{- if .Values.controller.lifecycle }}
lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }}
{{- end }}
args:
- /nginx-ingress-controller
{{- if .Values.defaultBackend.enabled }}
- --default-backend-service={{ .Release.Namespace }}/{{ include "ingress-nginx.defaultBackend.fullname" . }}
{{- else }}
{{- if (semverCompare "<0.21.0" .Values.controller.image.tag) }}
- --default-backend-service={{ required ".Values.controller.defaultBackendService is required if .Values.defaultBackend.enabled=false and .Values.controller.image.tag < 0.21.0" .Values.controller.defaultBackendService }}
{{- else if .Values.controller.defaultBackendService }}
- --default-backend-service={{ .Values.controller.defaultBackendService }}
{{- end }}
{{- end }}
{{- if and (semverCompare ">=0.9.0-beta.1" .Values.controller.image.tag) .Values.controller.publishService.enabled }}
- --publish-service={{ template "ingress-nginx.controller.publishServicePath" . }}
{{- end }}
{{- if (semverCompare ">=0.9.0-beta.1" .Values.controller.image.tag) }}
- --election-id={{ .Values.controller.electionID }}
{{- end }}
{{- if (semverCompare ">=0.9.0-beta.1" .Values.controller.image.tag) }}
- --ingress-class={{ .Values.controller.ingressClass }}
{{- end }}
{{- if (semverCompare ">=0.9.0-beta.1" .Values.controller.image.tag) }}
- --configmap={{ .Release.Namespace }}/{{ include "ingress-nginx.controller.fullname" . }}
{{- else }}
- --nginx-configmap={{ .Release.Namespace }}/{{ include "ingress-nginx.controller.fullname" . }}
{{- end }}
{{- if .Values.tcp }}
- --tcp-services-configmap={{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-tcp
{{- end }}
{{- if .Values.udp }}
- --udp-services-configmap={{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-udp
{{- end }}
{{- if .Values.controller.scope.enabled }}
- --watch-namespace={{ default .Release.Namespace .Values.controller.scope.namespace }}
{{- end }}
{{- if and .Values.controller.reportNodeInternalIp .Values.controller.hostNetwork }}
- --report-node-internal-ip-address={{ .Values.controller.reportNodeInternalIp }}
{{- end }}
{{- if .Values.controller.admissionWebhooks.enabled }}
- --validating-webhook=:{{ .Values.controller.admissionWebhooks.port }}
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
{{- end }}
{{- if .Values.controller.maxmindLicenseKey }}
- --maxmind-license-key={{ .Values.controller.maxmindLicenseKey }}
{{- end }}
{{- range $key, $value := .Values.controller.extraArgs }}
{{- if $value }}
- --{{ $key }}={{ $value }}
{{- else }}
- --{{ $key }}
{{- end }}
{{- end }}
{{- if (semverCompare ">=0.16.0" .Values.controller.image.tag) }}
securityContext:
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
runAsUser: {{ .Values.controller.image.runAsUser }}
allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }}
{{- end }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- if .Values.controller.extraEnvs }}
{{- toYaml .Values.controller.extraEnvs | nindent 12 }}
{{- end }}
livenessProbe:
httpGet:
path: /healthz
port: {{ .Values.controller.livenessProbe.port }}
scheme: HTTP
initialDelaySeconds: {{ .Values.controller.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.controller.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.controller.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.controller.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.controller.livenessProbe.failureThreshold }}
readinessProbe:
httpGet:
path: /healthz
port: {{ .Values.controller.readinessProbe.port }}
scheme: HTTP
initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.controller.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }}
ports:
{{- range $key, $value := .Values.controller.containerPort }}
- name: {{ $key }}
containerPort: {{ $value }}
protocol: TCP
{{- if $.Values.controller.daemonset.useHostPort }}
hostPort: {{ index $.Values.controller.daemonset.hostPorts $key | default $value }}
{{- end }}
{{- end }}
{{- if .Values.controller.metrics.enabled }}
- name: metrics
containerPort: {{ .Values.controller.metrics.port }}
protocol: TCP
{{- end }}
{{- if .Values.controller.admissionWebhooks.enabled }}
- name: webhook
containerPort: {{ .Values.controller.admissionWebhooks.port }}
protocol: TCP
{{- end }}
{{- range $key, $value := .Values.tcp }}
- name: {{ $key }}-tcp
containerPort: {{ $key }}
protocol: TCP
{{- if $.Values.controller.daemonset.useHostPort }}
hostPort: {{ $key }}
{{- end }}
{{- end }}
{{- range $key, $value := .Values.udp }}
- name: {{ $key }}-udp
containerPort: {{ $key }}
protocol: UDP
{{- if $.Values.controller.daemonset.useHostPort }}
hostPort: {{ $key }}
{{- end }}
{{- end }}
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled) }}
volumeMounts:
{{- if .Values.controller.customTemplate.configMapName }}
- mountPath: /etc/nginx/template
name: nginx-template-volume
readOnly: true
{{- end }}
{{- if .Values.controller.admissionWebhooks.enabled }}
- name: webhook-cert
mountPath: /usr/local/certificates/
readOnly: true
{{- end }}
{{- if .Values.controller.extraVolumeMounts }}
{{- toYaml .Values.controller.extraVolumeMounts | nindent 12 }}
{{- end }}
{{- end }}
{{- if .Values.controller.resources }}
resources: {{ toYaml .Values.controller.resources | nindent 12 }}
{{- end }}
{{- if .Values.controller.extraContainers }}
{{ toYaml .Values.controller.extraContainers | nindent 8 }}
{{- end }}
{{- if .Values.controller.extraInitContainers }}
initContainers: {{ toYaml .Values.controller.extraInitContainers | nindent 8 }}
{{- end }}
{{- if .Values.controller.hostNetwork }}
hostNetwork: {{ .Values.controller.hostNetwork }}
{{- end }}
{{- if .Values.controller.nodeSelector }}
nodeSelector: {{ toYaml .Values.controller.nodeSelector | nindent 8 }}
{{- end }}
{{- if .Values.controller.tolerations }}
tolerations: {{ toYaml .Values.controller.tolerations | nindent 8 }}
{{- end }}
{{- if .Values.controller.affinity }}
affinity: {{ toYaml .Values.controller.affinity | nindent 8 }}
{{- end }}
serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }}
terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes) }}
volumes:
{{- if .Values.controller.customTemplate.configMapName }}
- name: nginx-template-volume
configMap:
name: {{ .Values.controller.customTemplate.configMapName }}
items:
- key: {{ .Values.controller.customTemplate.configMapKey }}
path: nginx.tmpl
{{- end }}
{{- if .Values.controller.admissionWebhooks.enabled }}
- name: webhook-cert
secret:
secretName: {{ include "ingress-nginx.fullname" . }}-admission
{{- end }}
{{- if .Values.controller.extraVolumes }}
{{ toYaml .Values.controller.extraVolumes | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}

235
charts/ingress-nginx/templates/controller-deployment.yaml Normal file
View file

@ -0,0 +1,235 @@
{{- if or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both") -}}
apiVersion: {{ template "deployment.apiVersion" . }}
kind: Deployment
metadata:
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: controller
name: {{ include "ingress-nginx.controller.fullname" . }}
{{- if .Values.controller.deploymentAnnotations }}
annotations: {{ toYaml .Values.controller.deploymentAnnotations | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: controller
{{- if not .Values.controller.autoscaling.enabled }}
replicas: {{ .Values.controller.replicaCount }}
{{- end }}
revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
{{- if .Values.controller.updateStrategy }}
strategy: {{ toYaml .Values.controller.updateStrategy | nindent 4 }}
{{- end }}
minReadySeconds: {{ .Values.controller.minReadySeconds }}
template:
metadata:
{{- if .Values.controller.podAnnotations }}
annotations: {{ toYaml .Values.controller.podAnnotations | nindent 8 }}
{{- end }}
labels:
{{- include "ingress-nginx.selectorLabels" . | nindent 8 }}
app.kubernetes.io/component: controller
{{- if .Values.controller.podLabels }}
{{- toYaml .Values.controller.podLabels | nindent 8 }}
{{- end }}
spec:
{{- if .Values.controller.dnsConfig }}
dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }}
{{- end }}
dnsPolicy: {{ .Values.controller.dnsPolicy }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
{{- end }}
{{- if .Values.controller.priorityClassName }}
priorityClassName: {{ .Values.controller.priorityClassName }}
{{- end }}
{{- if .Values.controller.podSecurityContext }}
securityContext: {{ toYaml .Values.controller.podSecurityContext | nindent 8 }}
{{- end }}
containers:
- name: controller
image: {{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }}
imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
{{- if .Values.controller.lifecycle }}
lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }}
{{- end }}
args:
- /nginx-ingress-controller
{{- if .Values.defaultBackend.enabled }}
- --default-backend-service={{ .Release.Namespace }}/{{ include "ingress-nginx.defaultBackend.fullname" . }}
{{- else }}
{{- if (semverCompare "<0.21.0" .Values.controller.image.tag) }}
- --default-backend-service={{ required ".Values.controller.defaultBackendService is required if .Values.defaultBackend.enabled=false and .Values.controller.image.tag < 0.21.0" .Values.controller.defaultBackendService }}
{{- else if .Values.controller.defaultBackendService }}
- --default-backend-service={{ .Values.controller.defaultBackendService }}
{{- end }}
{{- end }}
{{- if and (semverCompare ">=0.9.0-beta.1" .Values.controller.image.tag) .Values.controller.publishService.enabled }}
- --publish-service={{ template "ingress-nginx.controller.publishServicePath" . }}
{{- end }}
{{- if (semverCompare ">=0.9.0-beta.1" .Values.controller.image.tag) }}
- --election-id={{ .Values.controller.electionID }}
{{- end }}
{{- if (semverCompare ">=0.9.0-beta.1" .Values.controller.image.tag) }}
- --ingress-class={{ .Values.controller.ingressClass }}
{{- end }}
{{- if (semverCompare ">=0.9.0-beta.1" .Values.controller.image.tag) }}
- --configmap={{ default .Release.Namespace .Values.controller.configMapNamespace }}/{{ include "ingress-nginx.controller.fullname" . }}
{{- else }}
- --nginx-configmap={{ default .Release.Namespace .Values.controller.configMapNamespace }}/{{ include "ingress-nginx.controller.fullname" . }}
{{- end }}
{{- if .Values.tcp }}
- --tcp-services-configmap={{ default .Release.Namespace .Values.controller.tcp.configMapNamespace }}/{{ include "ingress-nginx.fullname" . }}-tcp
{{- end }}
{{- if .Values.udp }}
- --udp-services-configmap={{ default .Release.Namespace .Values.controller.udp.configMapNamespace }}/{{ include "ingress-nginx.fullname" . }}-udp
{{- end }}
{{- if .Values.controller.scope.enabled }}
- --watch-namespace={{ default .Release.Namespace .Values.controller.scope.namespace }}
{{- end }}
{{- if and .Values.controller.reportNodeInternalIp .Values.controller.hostNetwork }}
- --report-node-internal-ip-address={{ .Values.controller.reportNodeInternalIp }}
{{- end }}
{{- if .Values.controller.admissionWebhooks.enabled }}
- --validating-webhook=:{{ .Values.controller.admissionWebhooks.port }}
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
{{- end }}
{{- if .Values.controller.maxmindLicenseKey }}
- --maxmind-license-key={{ .Values.controller.maxmindLicenseKey }}
{{- end }}
{{- range $key, $value := .Values.controller.extraArgs }}
{{- if $value }}
- --{{ $key }}={{ $value }}
{{- else }}
- --{{ $key }}
{{- end }}
{{- end }}
{{- if (semverCompare ">=0.16.0" .Values.controller.image.tag) }}
securityContext:
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
runAsUser: {{ .Values.controller.image.runAsUser }}
allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }}
{{- end }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- if .Values.controller.extraEnvs }}
{{- toYaml .Values.controller.extraEnvs | nindent 12 }}
{{- end }}
livenessProbe:
httpGet:
path: /healthz
port: {{ .Values.controller.livenessProbe.port }}
scheme: HTTP
initialDelaySeconds: {{ .Values.controller.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.controller.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.controller.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.controller.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.controller.livenessProbe.failureThreshold }}
readinessProbe:
httpGet:
path: /healthz
port: {{ .Values.controller.readinessProbe.port }}
scheme: HTTP
initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.controller.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }}
ports:
{{- range $key, $value := .Values.controller.containerPort }}
- name: {{ $key }}
containerPort: {{ $value }}
protocol: TCP
{{- end }}
{{- if .Values.controller.metrics.enabled }}
- name: metrics
containerPort: {{ .Values.controller.metrics.port }}
protocol: TCP
{{- end }}
{{- if .Values.controller.admissionWebhooks.enabled }}
- name: webhook
containerPort: {{ .Values.controller.admissionWebhooks.port }}
protocol: TCP
{{- end }}
{{- range $key, $value := .Values.tcp }}
- name: {{ $key }}-tcp
containerPort: {{ $key }}
protocol: TCP
{{- end }}
{{- range $key, $value := .Values.udp }}
- name: {{ $key }}-udp
containerPort: {{ $key }}
protocol: UDP
{{- end }}
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled) }}
volumeMounts:
{{- if .Values.controller.customTemplate.configMapName }}
- mountPath: /etc/nginx/template
name: nginx-template-volume
readOnly: true
{{- end }}
{{- if .Values.controller.admissionWebhooks.enabled }}
- name: webhook-cert
mountPath: /usr/local/certificates/
readOnly: true
{{- end }}
{{- if .Values.controller.extraVolumeMounts }}
{{- toYaml .Values.controller.extraVolumeMounts | nindent 12 }}
{{- end }}
{{- end }}
{{- if .Values.controller.resources }}
resources: {{ toYaml .Values.controller.resources | nindent 12 }}
{{- end }}
{{- if .Values.controller.extraContainers }}
{{ toYaml .Values.controller.extraContainers | nindent 8 }}
{{- end }}
{{- if .Values.controller.extraInitContainers }}
initContainers: {{ toYaml .Values.controller.extraInitContainers | nindent 8 }}
{{- end }}
{{- if .Values.controller.hostNetwork }}
hostNetwork: {{ .Values.controller.hostNetwork }}
{{- end }}
{{- if .Values.controller.nodeSelector }}
nodeSelector: {{ toYaml .Values.controller.nodeSelector | nindent 8 }}
{{- end }}
{{- if .Values.controller.tolerations }}
tolerations: {{ toYaml .Values.controller.tolerations | nindent 8 }}
{{- end }}
{{- if .Values.controller.affinity }}
affinity: {{ toYaml .Values.controller.affinity | nindent 8 }}
{{- end }}
serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }}
terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
{{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes) }}
volumes:
{{- if .Values.controller.customTemplate.configMapName }}
- name: nginx-template-volume
configMap:
name: {{ .Values.controller.customTemplate.configMapName }}
items:
- key: {{ .Values.controller.customTemplate.configMapKey }}
path: nginx.tmpl
{{- end }}
{{- if .Values.controller.admissionWebhooks.enabled }}
- name: webhook-cert
secret:
secretName: {{ include "ingress-nginx.fullname" . }}-admission
{{- end }}
{{- if .Values.controller.extraVolumes }}
{{ toYaml .Values.controller.extraVolumes | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}

29
charts/ingress-nginx/templates/controller-hpa.yaml Normal file
View file

@ -0,0 +1,29 @@
{{- if and .Values.controller.autoscaling.enabled (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) -}}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: controller
name: {{ include "ingress-nginx.controller.fullname" . }}
spec:
scaleTargetRef:
apiVersion: {{ template "deployment.apiVersion" . }}
kind: Deployment
name: {{ include "ingress-nginx.controller.fullname" . }}
minReplicas: {{ .Values.controller.autoscaling.minReplicas }}
maxReplicas: {{ .Values.controller.autoscaling.maxReplicas }}
metrics:
{{- with .Values.controller.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ . }}
{{- end }}
{{- with .Values.controller.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
targetAverageUtilization: {{ . }}
{{- end }}
{{- end }}

15
charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml Normal file
View file

@ -0,0 +1,15 @@
{{- if or (and .Values.controller.autoscaling.enabled (gt (.Values.controller.autoscaling.minReplicas | int) 1)) (gt (.Values.controller.replicaCount | int) 1) -}}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: controller
name: {{ include "ingress-nginx.controller.fullname" . }}
spec:
selector:
matchLabels:
{{- include "ingress-nginx.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: controller
minAvailable: {{ .Values.controller.minAvailable }}
{{- end }}

21
charts/ingress-nginx/templates/controller-prometheusrules.yaml Normal file
View file

@ -0,0 +1,21 @@
{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.prometheusRule.enabled -}}
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: {{ include "ingress-nginx.controller.fullname" . }}
{{- if .Values.controller.metrics.prometheusRule.namespace }}
namespace: {{ .Values.controller.metrics.prometheusRule.namespace }}
{{- end }}
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- if .Values.controller.metrics.prometheusRule.additionalLabels }}
{{- toYaml .Values.controller.metrics.prometheusRule.additionalLabels | nindent 4 }}
{{- end }}
spec:
{{- if .Values.controller.metrics.prometheusRule.rules }}
groups:
- name: {{ template "ingress-nginx.name" . }}
rules: {{- toYaml .Values.controller.metrics.prometheusRule.rules | nindent 4 }}
{{- end }}
{{- end }}

80
charts/ingress-nginx/templates/controller-psp.yaml Normal file
View file

@ -0,0 +1,80 @@
{{- if .Values.podSecurityPolicy.enabled -}}
apiVersion: {{ template "podSecurityPolicy.apiVersion" . }}
kind: PodSecurityPolicy
metadata:
name: {{ include "ingress-nginx.fullname" . }}
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: controller
spec:
allowedCapabilities:
- NET_BIND_SERVICE
privileged: false
allowPrivilegeEscalation: true
# Allow core volume types.
volumes:
- 'configMap'
#- 'emptyDir'
#- 'projected'
- 'secret'
#- 'downwardAPI'
{{- if .Values.controller.hostNetwork }}
hostNetwork: {{ .Values.controller.hostNetwork }}
{{- end }}
{{- if or .Values.controller.hostNetwork .Values.controller.daemonset.useHostPort }}
hostPorts:
{{- if .Values.controller.hostNetwork }}
{{- range $key, $value := .Values.controller.containerPort }}
# {{ $key }}
- min: {{ $value }}
max: {{ $value }}
{{- end }}
{{- else if .Values.controller.daemonset.useHostPort }}
{{- range $key, $value := .Values.controller.daemonset.hostPorts }}
# {{ $key }}
- min: {{ $value }}
max: {{ $value }}
{{- end }}
{{- end }}
{{- if .Values.controller.metrics.enabled }}
# metrics
- min: {{ .Values.controller.metrics.port }}
max: {{ .Values.controller.metrics.port }}
{{- end }}
{{- if .Values.controller.admissionWebhooks.enabled }}
# admission webhooks
- min: {{ .Values.controller.admissionWebhooks.port }}
max: {{ .Values.controller.admissionWebhooks.port }}
{{- end }}
{{- range $key, $value := .Values.tcp }}
# {{ $key }}-tcp
- min: {{ $key }}
max: {{ $key }}
{{- end }}
{{- range $key, $value := .Values.udp }}
# {{ $key }}-udp
- min: {{ $key }}
max: {{ $key }}
{{- end }}
{{- end }}
hostIPC: false
hostPID: false
runAsUser:
# Require the container to run without root privileges.
rule: 'MustRunAsNonRoot'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false
seLinux:
rule: 'RunAsAny'
{{- end }}

88
charts/ingress-nginx/templates/controller-role.yaml Normal file
View file

@ -0,0 +1,88 @@
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
{{- include "ingress-nginx.labels" . | nindent 4 }}
app.kubernetes.io/component: controller
name: {{ include "ingress-nginx.fullname" . }}
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
- pods
- secrets
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- update
- watch
- apiGroups:
- extensions
- "networking.k8s.io" # k8s 1.14+
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- "networking.k8s.io" # k8s 1.14+
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- ""
resources:
- configmaps
resourceNames:
- {{ .Values.controller.electionID }}-{{ .Values.controller.ingressClass }}
verbs:
- get
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- apiGroups:
- ""
resources:
- endpoints
verbs:
- create
- get
- update
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
{{- if .Values.podSecurityPolicy.enabled }}
- apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}]
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames: [{{ include "ingress-nginx.fullname" . }}]
{{- end }}
{{- end }}

Some files were not shown because too many files have changed in this diff Show more