DevFW-CICD/ingress-nginx-helm
16
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'main' into at-auth

Browse source
This commit is contained in:
pando85 2025-01-24 16:45:51 +01:00 committed by GitHub
commit 2fb45693c3
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
100 changed files with 448 additions and 392 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
.github/workflows/ci.yaml vendored
View file

@ -159,7 +159,7 @@ jobs:
check-latest: true
- name: Set up QEMU
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
- name: Set up Docker Buildx
id: buildx
@ -202,7 +202,7 @@ jobs:
| gzip > docker.tar.gz
- name: cache
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: docker.tar.gz
path: docker.tar.gz

2
.github/workflows/golangci-lint.yml vendored
View file

@ -28,7 +28,7 @@ jobs:
check-latest: true
- name: golangci-lint
uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
uses: golangci/golangci-lint-action@ec5d18412c0aeab7936cb16880d708ba2a64e1ae # v6.2.0
with:
version: v1.62
only-new-issues: true

2
.github/workflows/images.yaml vendored
View file

@ -174,7 +174,7 @@ jobs:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up QEMU
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0

4
.github/workflows/scorecards.yml vendored
View file

@ -51,7 +51,7 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: SARIF file
path: results.sarif
@ -59,6 +59,6 @@ jobs:
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
with:
sarif_file: results.sarif

2
.github/workflows/vulnerability-scans.yaml vendored
View file

@ -75,7 +75,7 @@ jobs:
# This step checks out a copy of your repository.
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
with:
token: ${{ github.token }}
# Path to SARIF file relative to the root of the repository

2
.github/workflows/zz-tmpl-k8s-e2e.yaml vendored
View file

@ -49,7 +49,7 @@ jobs:
make kind-e2e-test
- name: Upload e2e junit-reports ${{ inputs.variation }}
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
if: success() || failure()
with:
name: e2e-test-reports-${{ inputs.k8s-version }}${{ inputs.variation }}

2
GOLANG_VERSION
View file

@ -1 +1 @@
1.23.4
1.23.5

2
NGINX_BASE
View file

@ -1 +1 @@
registry.k8s.io/ingress-nginx/nginx:v1.1.0@sha256:43e04f78d7544010e2e86918faae1d15091995b7ef6e522f53cf3035ad814567
registry.k8s.io/ingress-nginx/nginx:v2.0.0@sha256:3e7bda4cf5111d283ed1e4ff5cc9a2b5cdc5ebe62d50ba67473d3e25b1389133

2
build/dev-env.sh
View file

@ -64,7 +64,7 @@ echo "[dev-env] building image"
make build image
docker tag "${REGISTRY}/controller:${TAG}" "${DEV_IMAGE}"
export K8S_VERSION=${K8S_VERSION:-v1.29.2@sha256:51a1434a5397193442f0be2a297b488b6c919ce8a3931be0ce822606ea5ca245}
export K8S_VERSION=${K8S_VERSION:-v1.31.4@sha256:2cb39f7295fe7eafee0842b1052a599a4fb0f8bcf3f83d96c7f4864c357c6c30}
KIND_CLUSTER_NAME="ingress-nginx-dev"

7
build/run-in-docker.sh
View file

@ -26,14 +26,11 @@ set -o nounset
set -o pipefail
# temporal directory for the /etc/ingress-controller directory
if [[ "$OSTYPE" == darwin* ]] && [[ "$RUNTIME" == podman ]]; then
if [[ "$OSTYPE" == darwin* ]]; then
mkdir -p "tmp"
INGRESS_VOLUME=$(pwd)/$(mktemp -d tmp/XXXXXX)
else
INGRESS_VOLUME=$(mktemp -d)
if [[ "$OSTYPE" == darwin* ]]; then
INGRESS_VOLUME=/private$INGRESS_VOLUME
fi
fi
# make sure directory for SSL cert storage exists under ingress volume
@ -44,7 +41,7 @@ function cleanup {
}
trap cleanup EXIT
E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20241224-68ed4e7b@sha256:871642296ebc0dd386f9a43b0cf2606028d757d6c4a2737d41180f02f8172823}
E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20250112-a188f4eb@sha256:043038b1e30e5a0b64f3f919f096c5c9488ac3f617ac094b07fb9db8215f9441}
if [[ "$RUNTIME" == podman ]]; then
# Podman does not support both tag and digest

8
charts/ingress-nginx/README.md
View file

@ -270,10 +270,10 @@ metadata:
| controller.admissionWebhooks.namespaceSelector | object | `{}` | |
| controller.admissionWebhooks.objectSelector | object | `{}` | |
| controller.admissionWebhooks.patch.enabled | bool | `true` | |
| controller.admissionWebhooks.patch.image.digest | string | `"sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4"` | |
| controller.admissionWebhooks.patch.image.digest | string | `"sha256:0de05718b59dc33b57ddfb4d8ad5f637cefd13eafdec0e1579d782b3483c27c3"` | |
| controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | |
| controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | |
| controller.admissionWebhooks.patch.image.tag | string | `"v1.5.0"` | |
| controller.admissionWebhooks.patch.image.tag | string | `"v1.5.1"` | |
| controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources |
| controller.admissionWebhooks.patch.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not |
| controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | |
@ -447,6 +447,7 @@ metadata:
| controller.service.enableHttps | bool | `true` | Enable the HTTPS listener on both controller services or not. |
| controller.service.enabled | bool | `true` | Enable controller services or not. This does not influence the creation of either the admission webhook or the metrics service. |
| controller.service.external.enabled | bool | `true` | Enable the external controller service or not. Useful for internal-only deployments. |
| controller.service.external.labels | object | `{}` | Labels to be added to the external controller service. |
| controller.service.externalIPs | list | `[]` | List of node IP addresses at which the external controller service is available. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips |
| controller.service.externalTrafficPolicy | string | `""` | External traffic policy of the external controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip |
| controller.service.internal.annotations | object | `{}` | Annotations to be added to the internal controller service. Mandatory for the internal controller service to be created. Varies with the cloud service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer |
@ -458,6 +459,7 @@ metadata:
| controller.service.internal.externalTrafficPolicy | string | `""` | External traffic policy of the internal controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip |
| controller.service.internal.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the internal controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
| controller.service.internal.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack capabilities of the internal controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. Fields `ipFamilies` and `clusterIP` depend on the value of this field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
| controller.service.internal.labels | object | `{}` | Labels to be added to the internal controller service. |
| controller.service.internal.loadBalancerClass | string | `""` | Load balancer class of the internal controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class |
| controller.service.internal.loadBalancerIP | string | `""` | Deprecated: Pre-defined IP address of the internal controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer |
| controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access to the internal controller service. Values must be CIDRs. Allows any source address by default. |
@ -468,6 +470,7 @@ metadata:
| controller.service.internal.ports | object | `{}` | |
| controller.service.internal.sessionAffinity | string | `""` | Session affinity of the internal controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity |
| controller.service.internal.targetPorts | object | `{}` | |
| controller.service.internal.trafficDistribution | string | `""` | Traffic distribution policy of the internal controller service. Set to "PreferClose" to route traffic to endpoints that are topologically closer to the client. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution |
| controller.service.internal.type | string | `""` | Type of the internal controller service. Defaults to the value of `controller.service.type`. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
| controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the external controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
| controller.service.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack capabilities of the external controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. Fields `ipFamilies` and `clusterIP` depend on the value of this field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services |
@ -484,6 +487,7 @@ metadata:
| controller.service.sessionAffinity | string | `""` | Session affinity of the external controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity |
| controller.service.targetPorts.http | string | `"http"` | Port of the ingress controller the external HTTP listener is mapped to. |
| controller.service.targetPorts.https | string | `"https"` | Port of the ingress controller the external HTTPS listener is mapped to. |
| controller.service.trafficDistribution | string | `""` | Traffic distribution policy of the external controller service. Set to "PreferClose" to route traffic to endpoints that are topologically closer to the client. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution |
| controller.service.type | string | `"LoadBalancer"` | Type of the external controller service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
| controller.shareProcessNamespace | bool | `false` | |
| controller.sysctls | object | `{}` | sysctls for controller pods # Ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ |

2
charts/ingress-nginx/ci/controller-service-internal-values.yaml
View file

@ -9,5 +9,7 @@ controller:
internal:
enabled: true
labels:
external-dns.alpha.kubernetes.io/hostname: internal.example.com
annotations:
service.beta.kubernetes.io/aws-load-balancer-internal: "true"

4
charts/ingress-nginx/ci/controller-service-values.yaml
View file

@ -7,6 +7,10 @@ controller:
service:
type: NodePort
external:
labels:
external-dns.alpha.kubernetes.io/hostname: external.example.com
nodePorts:
tcp:
9000: 30090

8
charts/ingress-nginx/templates/controller-service-internal.yaml
View file

@ -12,6 +12,9 @@ metadata:
{{- if .Values.controller.service.labels }}
{{- toYaml .Values.controller.service.labels | nindent 4 }}
{{- end }}
{{- if .Values.controller.service.internal.labels }}
{{- toYaml .Values.controller.service.internal.labels | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}-internal
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
@ -46,6 +49,11 @@ spec:
{{- if .Values.controller.service.internal.healthCheckNodePort }}
healthCheckNodePort: {{ .Values.controller.service.internal.healthCheckNodePort }}
{{- end }}
{{- if semverCompare ">=1.31.0-0" .Capabilities.KubeVersion.Version -}}
{{- if .Values.controller.service.internal.trafficDistribution }}
trafficDistribution: {{ .Values.controller.service.internal.trafficDistribution }}
{{- end }}
{{- end }}
{{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version -}}
{{- if .Values.controller.service.internal.ipFamilyPolicy }}
ipFamilyPolicy: {{ .Values.controller.service.internal.ipFamilyPolicy }}

8
charts/ingress-nginx/templates/controller-service.yaml
View file

@ -12,6 +12,9 @@ metadata:
{{- if .Values.controller.service.labels }}
{{- toYaml .Values.controller.service.labels | nindent 4 }}
{{- end }}
{{- if .Values.controller.service.external.labels }}
{{- toYaml .Values.controller.service.external.labels | nindent 4 }}
{{- end }}
name: {{ include "ingress-nginx.controller.fullname" . }}
namespace: {{ include "ingress-nginx.namespace" . }}
spec:
@ -46,6 +49,11 @@ spec:
{{- if .Values.controller.service.healthCheckNodePort }}
healthCheckNodePort: {{ .Values.controller.service.healthCheckNodePort }}
{{- end }}
{{- if semverCompare ">=1.31.0-0" .Capabilities.KubeVersion.Version -}}
{{- if .Values.controller.service.trafficDistribution }}
trafficDistribution: {{ .Values.controller.service.trafficDistribution }}
{{- end }}
{{- end }}
{{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version -}}
{{- if .Values.controller.service.ipFamilyPolicy }}
ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy }}

26
charts/ingress-nginx/tests/controller-service-internal_test.yaml
View file

@ -47,3 +47,29 @@ tests:
value:
- 10.0.0.1
- fd00::1
- it: should create a Service with `trafficDistribution` if `controller.service.internal.trafficDistribution` is set
capabilities:
majorVersion: 1
minorVersion: 31
set:
controller.service.internal.enabled: true
controller.service.internal.annotations:
test.annotation: "true"
controller.service.internal.trafficDistribution: PreferClose
asserts:
- equal:
path: spec.trafficDistribution
value: PreferClose
- it: should create a Service with labels if `controller.service.internal.labels` is set
set:
controller.service.internal.enabled: true
controller.service.internal.annotations:
test.annotation: "true"
controller.service.internal.labels:
external-dns.alpha.kubernetes.io/hostname: internal.example.com
asserts:
- equal:
path: metadata.labels["external-dns.alpha.kubernetes.io/hostname"]
value: internal.example.com

22
charts/ingress-nginx/tests/controller-service_test.yaml
View file

@ -50,3 +50,25 @@ tests:
value:
- 10.0.0.1
- fd00::1
- it: should create a Service with `trafficDistribution` if `controller.service.trafficDistribution` is set
capabilities:
majorVersion: 1
minorVersion: 31
set:
controller.service.external.enabled: true
controller.service.trafficDistribution: PreferClose
asserts:
- equal:
path: spec.trafficDistribution
value: PreferClose
- it: should create a Service with labels if `controller.service.external.labels` is set
set:
controller.service.external.enabled: true
controller.service.external.labels:
external-dns.alpha.kubernetes.io/hostname: external.example.com
asserts:
- equal:
path: metadata.labels["external-dns.alpha.kubernetes.io/hostname"]
value: external.example.com

16
charts/ingress-nginx/values.yaml
View file

@ -486,6 +486,8 @@ controller:
external:
# -- Enable the external controller service or not. Useful for internal-only deployments.
enabled: true
# -- Labels to be added to the external controller service.
labels: {}
# -- Annotations to be added to the external controller service. See `controller.service.internal.annotations` for annotations to be added to the internal controller service.
annotations: {}
# -- Labels to be added to both controller services.
@ -527,6 +529,10 @@ controller:
# Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
# healthCheckNodePort: 0
# -- Traffic distribution policy of the external controller service. Set to "PreferClose" to route traffic to endpoints that are topologically closer to the client.
# Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution
trafficDistribution: ""
# -- Represents the dual-stack capabilities of the external controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack.
# Fields `ipFamilies` and `clusterIP` depend on the value of this field.
# Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
@ -570,6 +576,8 @@ controller:
internal:
# -- Enable the internal controller service or not. Remember to configure `controller.service.internal.annotations` when enabling this.
enabled: false
# -- Labels to be added to the internal controller service.
labels: {}
# -- Annotations to be added to the internal controller service. Mandatory for the internal controller service to be created. Varies with the cloud service.
# Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
annotations: {}
@ -611,6 +619,10 @@ controller:
# Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
# healthCheckNodePort: 0
# -- Traffic distribution policy of the internal controller service. Set to "PreferClose" to route traffic to endpoints that are topologically closer to the client.
# Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution
trafficDistribution: ""
# -- Represents the dual-stack capabilities of the internal controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack.
# Fields `ipFamilies` and `clusterIP` depend on the value of this field.
# Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
@ -804,8 +816,8 @@ controller:
## for backwards compatibility consider setting the full image url via the repository value below
## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
## repository:
tag: v1.5.0
digest: sha256:aaafd456bda110628b2d4ca6296f38731a3aaf0bf7581efae824a41c770a8fc4
tag: v1.5.1
digest: sha256:0de05718b59dc33b57ddfb4d8ad5f637cefd13eafdec0e1579d782b3483c27c3
pullPolicy: IfNotPresent
# -- Provide a priority class name to the webhook patching job
##

2
cloudbuild.yaml
View file

@ -2,7 +2,7 @@ options:
# Ignore Prow provided substitutions.
substitution_option: ALLOW_LOOSE
steps:
- name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20241217-ff46a068cd
- name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20250116-2a05ea7e3d
env:
- REGISTRY=gcr.io/k8s-staging-ingress-nginx
- REPO_INFO=https://github.com/kubernetes/ingress-nginx

16
docs/deploy/baremetal.md
View file

@ -118,6 +118,8 @@ requests.
![NodePort request flow](../images/baremetal/nodeport.jpg)
You can **customize the exposed node port numbers** by setting the `controller.service.nodePorts.*` Helm values, but they still have to be in the 30000-32767 range.
!!! example
Given the NodePort `30100` allocated to the `ingress-nginx` Service
@ -152,7 +154,7 @@ requests.
This approach has a few other limitations one ought to be aware of:
* **Source IP address**
### Source IP address
Services of type NodePort perform [source address translation][nodeport-nat] by default. This means the source IP of a
HTTP request is always **the IP address of the Kubernetes node that received the request** from the perspective of
@ -191,7 +193,9 @@ field of the `ingress-nginx` Service spec to `Local` ([example][preserve-ip]).
Requests sent to `host-2` and `host-3` would be forwarded to NGINX and original client's IP would be preserved,
while requests to `host-1` would get dropped because there is no NGINX replica running on that node.
* **Ingress status**
Other ways to preserve the source IP in a NodePort setup are described here: [Source IP address](https://kubernetes.github.io/ingress-nginx/user-guide/miscellaneous/#source-ip-address).
### Ingress status
Because NodePort Services do not get a LoadBalancerIP assigned by definition, the Ingress-Nginx Controller **does not
update the status of Ingress objects it manages**.
@ -241,7 +245,7 @@ Service.
test-ingress myapp.example.com 203.0.113.1,203.0.113.2,203.0.113.3 80
```
* **Redirects**
### Redirects
As NGINX is **not aware of the port translation operated by the NodePort Service**, backend applications are responsible
for generating redirect URLs that take into account the URL used by external clients, including the NodePort.
@ -262,7 +266,7 @@ for generating redirect URLs that take into account the URL used by external cli
[nodeport-def]: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
[nodeport-nat]: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-type-nodeport
[pod-assign]: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
[preserve-ip]: https://github.com/kubernetes/ingress-nginx/blob/nginx-0.19.0/deploy/provider/aws/service-nlb.yaml#L12-L14
[preserve-ip]: https://github.com/kubernetes/ingress-nginx/blob/ingress-nginx-3.15.2/deploy/static/provider/aws/deploy.yaml#L290
## Via the host network
@ -326,13 +330,13 @@ configuration of the corresponding manifest at the user's discretion.
Like with NodePorts, this approach has a few quirks it is important to be aware of.
* **DNS resolution**
### DNS resolution
Pods configured with `hostNetwork: true` do not use the internal DNS resolver (i.e. *kube-dns* or *CoreDNS*), unless
their `dnsPolicy` spec field is set to [`ClusterFirstWithHostNet`][dnspolicy]. Consider using this setting if NGINX is
expected to resolve internal names for any reason.
* **Ingress status**
### Ingress status
Because there is no Service exposing the Ingress-Nginx Controller in a configuration using the host network, the default
`--publish-service` flag used in standard cloud setups **does not apply** and the status of all Ingress objects remains

4
docs/examples/canary/README.md
View file

@ -31,7 +31,7 @@ spec:
spec:
containers:
- name: production
image: registry.k8s.io/ingress-nginx/e2e-test-echo:v1.1.0@sha256:0713ba47b3e4359b38ad53cd785c34b158e168a91636520a4a5e54cd500d8356
image: registry.k8s.io/ingress-nginx/e2e-test-echo:v1.1.1@sha256:a1e0152e2eeab26e3f6fd3986f3d82b17bc7711717cae5392dcd18dd447ba6ef
ports:
- containerPort: 80
env:
@ -97,7 +97,7 @@ spec:
spec:
containers:
- name: canary
image: registry.k8s.io/ingress-nginx/e2e-test-echo:v1.1.0@sha256:0713ba47b3e4359b38ad53cd785c34b158e168a91636520a4a5e54cd500d8356
image: registry.k8s.io/ingress-nginx/e2e-test-echo:v1.1.1@sha256:a1e0152e2eeab26e3f6fd3986f3d82b17bc7711717cae5392dcd18dd447ba6ef
ports:
- containerPort: 80
env:

2
docs/examples/customization/custom-errors/custom-default-backend.helm.values.yaml
View file

@ -6,7 +6,7 @@ defaultBackend:
image:
registry: registry.k8s.io
image: ingress-nginx/custom-error-pages
tag: v1.1.0@sha256:a2342e403fc3c19f81f5625e1b93daa0f8fb3dfaa1df4905f85e32d2d98a5e96
tag: v1.1.1@sha256:8c10776191ae44b5c387b8c7696d8bc17ceec90d7184a3a38b89ac8434b6c56b
extraVolumes:
- name: custom-error-pages
configMap:

2
docs/examples/customization/custom-errors/custom-default-backend.yaml
View file

@ -36,7 +36,7 @@ spec:
spec:
containers:
- name: nginx-error-server
image: registry.k8s.io/ingress-nginx/custom-error-pages:v1.1.0@sha256:a2342e403fc3c19f81f5625e1b93daa0f8fb3dfaa1df4905f85e32d2d98a5e96
image: registry.k8s.io/ingress-nginx/custom-error-pages:v1.1.1@sha256:8c10776191ae44b5c387b8c7696d8bc17ceec90d7184a3a38b89ac8434b6c56b
ports:
- containerPort: 8080
# Setting the environment variable DEBUG we can see the headers sent

2
docs/examples/customization/external-auth-headers/echo-service.yaml
View file

@ -18,7 +18,7 @@ spec:
terminationGracePeriodSeconds: 60
containers:
- name: echo-service
image: registry.k8s.io/ingress-nginx/e2e-test-echo:v1.1.0@sha256:0713ba47b3e4359b38ad53cd785c34b158e168a91636520a4a5e54cd500d8356
image: registry.k8s.io/ingress-nginx/e2e-test-echo:v1.1.1@sha256:a1e0152e2eeab26e3f6fd3986f3d82b17bc7711717cae5392dcd18dd447ba6ef
ports:
- containerPort: 8080
resources:

4
docs/user-guide/miscellaneous.md
View file

@ -4,9 +4,11 @@
By default NGINX uses the content of the header `X-Forwarded-For` as the source of truth to get information about the client IP address. This works without issues in L7 **if we configure the setting `proxy-real-ip-cidr`** with the correct information of the IP/network address of trusted external load balancer.
This setting can be enabled/disabled by setting [`use-forwarded-headers`](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-forwarded-headers).
If the ingress controller is running in AWS we need to use the VPC IPv4 CIDR.
Another option is to enable proxy protocol using `use-proxy-protocol: "true"`.
Another option is to enable the **PROXY protocol** using [`use-proxy-protocol: "true"`](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-proxy-protocol).
In this mode NGINX does not use the content of the header to get the source IP address of the connection.

13
docs/user-guide/nginx-configuration/annotations.md
View file

@ -550,10 +550,15 @@ By default the controller redirects all requests to an existing service that pro
These annotations define limits on connections and transmission rates. These can be used to mitigate [DDoS Attacks](https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus).
* `nginx.ingress.kubernetes.io/limit-connections`: number of concurrent connections allowed from a single IP address. A 503 error is returned when exceeding this limit.
* `nginx.ingress.kubernetes.io/limit-rps`: number of requests accepted from a given IP each second. The burst limit is set to this limit multiplied by the burst multiplier, the default multiplier is 5. When clients exceed this limit, [limit-req-status-code](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#limit-req-status-code) ***default:*** 503 is returned.
* `nginx.ingress.kubernetes.io/limit-rpm`: number of requests accepted from a given IP each minute. The burst limit is set to this limit multiplied by the burst multiplier, the default multiplier is 5. When clients exceed this limit, [limit-req-status-code](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#limit-req-status-code) ***default:*** 503 is returned.
* `nginx.ingress.kubernetes.io/limit-burst-multiplier`: multiplier of the limit rate for burst size. The default burst multiplier is 5, this annotation override the default multiplier. When clients exceed this limit, [limit-req-status-code](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#limit-req-status-code) ***default:*** 503 is returned.
!!! attention
Rate limits are applied per Ingress NGINX controller replica.
If you're running multiple replicas or using a horizontal pod autoscaler (HPA), the effective rate limit will be multiplied by the number of replicas.
When using HPA, the exact rate limit becomes dynamic as the number of replicas may change based on load.
* `nginx.ingress.kubernetes.io/limit-connections`: number of concurrent connections allowed from a single IP address per controller replica. A 503 error is returned when exceeding this limit.
* `nginx.ingress.kubernetes.io/limit-rps`: number of requests accepted from a given IP each second per controller replica. The burst limit is set to this limit multiplied by the burst multiplier, the default multiplier is 5. When clients exceed this limit, [limit-req-status-code](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#limit-req-status-code) ***default:*** 503 is returned.
* `nginx.ingress.kubernetes.io/limit-rpm`: number of requests accepted from a given IP each minute per controller replica. The burst limit is set to this limit multiplied by the burst multiplier, the default multiplier is 5. When clients exceed this limit, [limit-req-status-code](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#limit-req-status-code) ***default:*** 503 is returned.
* `nginx.ingress.kubernetes.io/limit-burst-multiplier`: multiplier of the limit rate for burst size. The default burst multiplier is 5, this annotation override the default multiplier. When clients exceed this limit, [limit-req-status-code](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#limit-req-status-code) ***default:*** 503 is returned.
* `nginx.ingress.kubernetes.io/limit-rate-after`: initial number of kilobytes after which the further transmission of a response to a given connection will be rate limited. This feature must be used with [proxy-buffering](#proxy-buffering) enabled.
* `nginx.ingress.kubernetes.io/limit-rate`: number of kilobytes per second allowed to send to a given connection. The zero value disables rate limiting. This feature must be used with [proxy-buffering](#proxy-buffering) enabled.
* `nginx.ingress.kubernetes.io/limit-whitelist`: client IP source ranges to be excluded from rate-limiting. The value is a comma separated list of CIDRs.

36
go.mod
View file

@ -1,6 +1,6 @@
module k8s.io/ingress-nginx
go 1.23.4
go 1.23.5
require (
dario.cat/mergo v1.0.1
@ -13,35 +13,35 @@ require (
github.com/mitchellh/hashstructure/v2 v2.0.2
github.com/mitchellh/mapstructure v1.5.0
github.com/moul/pb v0.0.0-20220425114252-bca18df4138c
github.com/ncabatoff/process-exporter v0.8.4
github.com/ncabatoff/process-exporter v0.8.5
github.com/onsi/ginkgo/v2 v2.22.2
github.com/opencontainers/runc v1.2.3
github.com/opencontainers/runc v1.2.4
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2
github.com/prometheus/client_golang v1.20.5
github.com/prometheus/client_model v0.6.1
github.com/prometheus/common v0.61.0
github.com/prometheus/common v0.62.0
github.com/spf13/cobra v1.8.1
github.com/spf13/pflag v1.0.5
github.com/stretchr/testify v1.10.0
github.com/yudai/gojsondiff v1.0.0
github.com/zakjan/cert-chain-resolver v0.0.0-20221221105603-fcedb00c5b30
golang.org/x/crypto v0.31.0
golang.org/x/crypto v0.32.0
golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56
google.golang.org/grpc v1.69.2
google.golang.org/grpc v1.69.4
google.golang.org/grpc/examples v0.0.0-20240223204917-5ccf176a08ab
gopkg.in/go-playground/pool.v3 v3.1.1
gopkg.in/mcuadros/go-syslog.v2 v2.3.0
k8s.io/api v0.32.0
k8s.io/apiextensions-apiserver v0.32.0
k8s.io/apimachinery v0.32.0
k8s.io/apiserver v0.32.0
k8s.io/cli-runtime v0.32.0
k8s.io/client-go v0.32.0
k8s.io/code-generator v0.32.0
k8s.io/component-base v0.32.0
k8s.io/api v0.32.1
k8s.io/apiextensions-apiserver v0.32.1
k8s.io/apimachinery v0.32.1
k8s.io/apiserver v0.32.1
k8s.io/cli-runtime v0.32.1
k8s.io/client-go v0.32.1
k8s.io/code-generator v0.32.1
k8s.io/component-base v0.32.1
k8s.io/klog/v2 v2.130.1
pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732
sigs.k8s.io/controller-runtime v0.19.3
sigs.k8s.io/controller-runtime v0.20.0
sigs.k8s.io/mdtoc v1.4.0
)
@ -81,7 +81,7 @@ require (
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang/protobuf v1.5.4 // indirect
github.com/gomarkdown/markdown v0.0.0-20240328165702-4d01890c35c0 // indirect
github.com/google/btree v1.1.2 // indirect
github.com/google/btree v1.1.3 // indirect
github.com/google/gnostic-models v0.6.8 // indirect
github.com/google/go-cmp v0.6.0 // indirect
github.com/google/gofuzz v1.2.0 // indirect
@ -117,8 +117,8 @@ require (
golang.org/x/net v0.33.0 // indirect
golang.org/x/oauth2 v0.24.0 // indirect
golang.org/x/sync v0.10.0 // indirect
golang.org/x/sys v0.28.0 // indirect
golang.org/x/term v0.27.0 // indirect
golang.org/x/sys v0.29.0 // indirect
golang.org/x/term v0.28.0 // indirect
golang.org/x/text v0.21.0 // indirect
golang.org/x/time v0.7.0 // indirect
golang.org/x/tools v0.28.0 // indirect

68
go.sum
View file

@ -77,8 +77,8 @@ github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek
github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
github.com/gomarkdown/markdown v0.0.0-20240328165702-4d01890c35c0 h1:4gjrh/PN2MuWCCElk8/I4OCKRKWCCo2zEct3VKCbibU=
github.com/gomarkdown/markdown v0.0.0-20240328165702-4d01890c35c0/go.mod h1:JDGcbDT52eL4fju3sZ4TeHGsQwhG9nbDV21aMyhwPoA=
github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@ -154,8 +154,8 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
github.com/ncabatoff/go-seq v0.0.0-20180805175032-b08ef85ed833 h1:t4WWQ9I797y7QUgeEjeXnVb+oYuEDQc6gLvrZJTYo94=
github.com/ncabatoff/go-seq v0.0.0-20180805175032-b08ef85ed833/go.mod h1:0CznHmXSjMEqs5Tezj/w2emQoM41wzYM9KpDKUHPYag=
github.com/ncabatoff/process-exporter v0.8.4 h1:qj0pWbP6AytVQ1fMYabRd5LnuV6NPh0O6WCfenPJT54=
github.com/ncabatoff/process-exporter v0.8.4/go.mod h1:MxEOWl740VK/hlWycJkq91VrA2mI+U9Bvc1wuyAaxA4=
github.com/ncabatoff/process-exporter v0.8.5 h1:Hk1sflgRWn0Xrh/OsupQLVVCTW01kv0YYrGxu7NvkmM=
github.com/ncabatoff/process-exporter v0.8.5/go.mod h1:IZndG/m2Y++D90y99NhDJfg0SOkpbx/Fl6MlnBr4SC0=
github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
@ -169,8 +169,8 @@ github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7J
github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
github.com/onsi/gomega v1.36.2 h1:koNYke6TVk6ZmnyHrCXba/T/MoLBXFjeC1PtvYgw0A8=
github.com/onsi/gomega v1.36.2/go.mod h1:DdwyADRjrc825LhMEkD76cHR5+pUnjhUN8GlHlRPHzY=
github.com/opencontainers/runc v1.2.3 h1:fxE7amCzfZflJO2lHXf4y/y8M1BoAqp+FVmG19oYB80=
github.com/opencontainers/runc v1.2.3/go.mod h1:nSxcWUydXrsBZVYNSkTjoQ/N6rcyTtn+1SD5D4+kRIM=
github.com/opencontainers/runc v1.2.4 h1:yWFgLkghp71D76Fa0l349yAl5g4Gse7DPYNlvkQ9Eiw=
github.com/opencontainers/runc v1.2.4/go.mod h1:nSxcWUydXrsBZVYNSkTjoQ/N6rcyTtn+1SD5D4+kRIM=
github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE7dzrbT927iTk=
github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI=
@ -184,8 +184,8 @@ github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+
github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE=
github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
github.com/prometheus/common v0.61.0 h1:3gv/GThfX0cV2lpO7gkTUwZru38mxevy90Bj8YFSRQQ=
github.com/prometheus/common v0.61.0/go.mod h1:zr29OCN/2BsJRaFwG8QOBr41D6kkchKbpeNH7pAjb/s=
github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
@ -243,8 +243,8 @@ go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
@ -281,10 +281,10 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.28.0 h1:/Ts8HFuMR2E6IP/jlo7QVLZHggjKQbhu/7H0LJFr3Gg=
golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
@ -306,8 +306,8 @@ gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw
gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
google.golang.org/genproto/googleapis/rpc v0.0.0-20241015192408-796eee8c2d53 h1:X58yt85/IXCx0Y3ZwN6sEIKZzQtDEYaBWrDvErdXrRE=
google.golang.org/genproto/googleapis/rpc v0.0.0-20241015192408-796eee8c2d53/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI=
google.golang.org/grpc v1.69.2 h1:U3S9QEtbXC0bYNvRtcoklF3xGtLViumSYxWykJS+7AU=
google.golang.org/grpc v1.69.2/go.mod h1:vyjdE6jLBI76dgpDojsFGNaHlxdjXN9ghpnd2o7JGZ4=
google.golang.org/grpc v1.69.4 h1:MF5TftSMkd8GLw/m0KM6V8CMOCY6NZ1NQDPGFgbTt4A=
google.golang.org/grpc v1.69.4/go.mod h1:vyjdE6jLBI76dgpDojsFGNaHlxdjXN9ghpnd2o7JGZ4=
google.golang.org/grpc/examples v0.0.0-20240223204917-5ccf176a08ab h1:tg8hvIl5RmFBuXlcJMuL0h4Psh1gx5Q5xEMwzBZIzWA=
google.golang.org/grpc/examples v0.0.0-20240223204917-5ccf176a08ab/go.mod h1:liVNnGuZDITxuksuZ+BBvdy7FcJfeNk+efF9qgqNUmc=
google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
@ -342,22 +342,22 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
k8s.io/api v0.32.0 h1:OL9JpbvAU5ny9ga2fb24X8H6xQlVp+aJMFlgtQjR9CE=
k8s.io/api v0.32.0/go.mod h1:4LEwHZEf6Q/cG96F3dqR965sYOfmPM7rq81BLgsE0p0=
k8s.io/apiextensions-apiserver v0.32.0 h1:S0Xlqt51qzzqjKPxfgX1xh4HBZE+p8KKBq+k2SWNOE0=
k8s.io/apiextensions-apiserver v0.32.0/go.mod h1:86hblMvN5yxMvZrZFX2OhIHAuFIMJIZ19bTvzkP+Fmw=
k8s.io/apimachinery v0.32.0 h1:cFSE7N3rmEEtv4ei5X6DaJPHHX0C+upp+v5lVPiEwpg=
k8s.io/apimachinery v0.32.0/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
k8s.io/apiserver v0.32.0 h1:VJ89ZvQZ8p1sLeiWdRJpRD6oLozNZD2+qVSLi+ft5Qs=
k8s.io/apiserver v0.32.0/go.mod h1:HFh+dM1/BE/Hm4bS4nTXHVfN6Z6tFIZPi649n83b4Ag=
k8s.io/cli-runtime v0.32.0 h1:dP+OZqs7zHPpGQMCGAhectbHU2SNCuZtIimRKTv2T1c=
k8s.io/cli-runtime v0.32.0/go.mod h1:Mai8ht2+esoDRK5hr861KRy6z0zHsSTYttNVJXgP3YQ=
k8s.io/client-go v0.32.0 h1:DimtMcnN/JIKZcrSrstiwvvZvLjG0aSxy8PxN8IChp8=
k8s.io/client-go v0.32.0/go.mod h1:boDWvdM1Drk4NJj/VddSLnx59X3OPgwrOo0vGbtq9+8=
k8s.io/code-generator v0.32.0 h1:s0lNN8VSWny8LBz5t5iy7MCdgwdOhdg7vAGVxvS+VWU=
k8s.io/code-generator v0.32.0/go.mod h1:b7Q7KMZkvsYFy72A79QYjiv4aTz3GvW0f1T3UfhFq4s=
k8s.io/component-base v0.32.0 h1:d6cWHZkCiiep41ObYQS6IcgzOUQUNpywm39KVYaUqzU=
k8s.io/component-base v0.32.0/go.mod h1:JLG2W5TUxUu5uDyKiH2R/7NnxJo1HlPoRIIbVLkK5eM=
k8s.io/api v0.32.1 h1:f562zw9cy+GvXzXf0CKlVQ7yHJVYzLfL6JAS4kOAaOc=
k8s.io/api v0.32.1/go.mod h1:/Yi/BqkuueW1BgpoePYBRdDYfjPF5sgTr5+YqDZra5k=
k8s.io/apiextensions-apiserver v0.32.1 h1:hjkALhRUeCariC8DiVmb5jj0VjIc1N0DREP32+6UXZw=
k8s.io/apiextensions-apiserver v0.32.1/go.mod h1:sxWIGuGiYov7Io1fAS2X06NjMIk5CbRHc2StSmbaQto=
k8s.io/apimachinery v0.32.1 h1:683ENpaCBjma4CYqsmZyhEzrGz6cjn1MY/X2jB2hkZs=
k8s.io/apimachinery v0.32.1/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
k8s.io/apiserver v0.32.1 h1:oo0OozRos66WFq87Zc5tclUX2r0mymoVHRq8JmR7Aak=
k8s.io/apiserver v0.32.1/go.mod h1:UcB9tWjBY7aryeI5zAgzVJB/6k7E97bkr1RgqDz0jPw=
k8s.io/cli-runtime v0.32.1 h1:19nwZPlYGJPUDbhAxDIS2/oydCikvKMHsxroKNGA2mM=
k8s.io/cli-runtime v0.32.1/go.mod h1:NJPbeadVFnV2E7B7vF+FvU09mpwYlZCu8PqjzfuOnkY=
k8s.io/client-go v0.32.1 h1:otM0AxdhdBIaQh7l1Q0jQpmo7WOFIk5FFa4bg6YMdUU=
k8s.io/client-go v0.32.1/go.mod h1:aTTKZY7MdxUaJ/KiUs8D+GssR9zJZi77ZqtzcGXIiDg=
k8s.io/code-generator v0.32.1 h1:4lw1kFNDuFYXquTkB7Sl5EwPMUP2yyW9hh6BnFfRZFY=
k8s.io/code-generator v0.32.1/go.mod h1:zaILfm00CVyP/6/pJMJ3zxRepXkxyDfUV5SNG4CjZI4=
k8s.io/component-base v0.32.1 h1:/5IfJ0dHIKBWysGV0yKTFfacZ5yNV1sulPh3ilJjRZk=
k8s.io/component-base v0.32.1/go.mod h1:j1iMMHi/sqAHeG5z+O9BFNCF698a1u0186zkjMZQ28w=
k8s.io/gengo/v2 v2.0.0-20240911193312-2b36238f13e9 h1:si3PfKm8dDYxgfbeA6orqrtLkvvIeH8UqffFJDl0bz4=
k8s.io/gengo/v2 v2.0.0-20240911193312-2b36238f13e9/go.mod h1:EJykeLsmFC60UQbYJezXkEsG2FLrt0GPNkU5iK5GWxU=
k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
@ -368,8 +368,8 @@ k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6J
k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732 h1:SAElp8THCfmBdM+4lmWX5gebiSSkEr7PAYDVF91qpfg=
pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732/go.mod h1:lpvCfhqEHNJSSpG5R5A2EgsVzG8RTt4RfPoQuRAcDmg=
sigs.k8s.io/controller-runtime v0.19.3 h1:XO2GvC9OPftRst6xWCpTgBZO04S2cbp0Qqkj8bX1sPw=
sigs.k8s.io/controller-runtime v0.19.3/go.mod h1:j4j87DqtsThvwTv5/Tc5NFRyyF/RF0ip4+62tbTSIUM=
sigs.k8s.io/controller-runtime v0.20.0 h1:jjkMo29xEXH+02Md9qaVXfEIaMESSpy3TBWPrsfQkQs=
sigs.k8s.io/controller-runtime v0.20.0/go.mod h1:BrP3w158MwvB3ZbNpaAcIKkHQ7YGpYnzpoSTZ8E14WU=
sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8=
sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo=
sigs.k8s.io/kustomize/api v0.18.0 h1:hTzp67k+3NEVInwz5BHyzc9rGxIauoXferXyjv5lWPo=

7
go.work
View file

@ -1,7 +0,0 @@
go 1.23.4
use (
.
./images/kube-webhook-certgen/rootfs
./magefiles
)

145
go.work.sum
View file

@ -1,145 +0,0 @@
cel.dev/expr v0.18.0/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw=
cloud.google.com/go/compute v1.23.3/go.mod h1:VCgBUoMnIVIR0CscqQiPJLAG25E3ZRZMzcFZeQ+h8CI=
cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
cloud.google.com/go/compute/metadata v0.5.2/go.mod h1:C66sj2AluDcIqakBq/M8lw8/ybHgOZqin2obFxa/E5k=
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.24.2/go.mod h1:itPGVDKf9cC/ov4MdvJ2QZ0khw4bfoo9jzwTJlaxy2k=
github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
github.com/alecthomas/kingpin/v2 v2.4.0/go.mod h1:0gyi0zQnjuFk8xrkNKamJoyUo382HRL7ATRpFZCw6tE=
github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137/go.mod h1:OMCwj8VM1Kc9e19TLln2VL61YJF0x1XFtfdL4JdbSyE=
github.com/andybalholm/brotli v1.1.0/go.mod h1:sms7XGricyQI9K10gOSf56VKKWS4oLer58Q+mhRPtnY=
github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g=
github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
github.com/bytedance/sonic v1.9.1/go.mod h1:i736AoUSYt75HyZLoJW9ERYxcy6eaN6h4BZXU064P/U=
github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw=
github.com/checkpoint-restore/go-criu/v6 v6.3.0/go.mod h1:rrRTN/uSwY2X+BPRl/gkulo9gsKOSAeVp9/K2tv7xZI=
github.com/chenzhuoyu/base64x v0.0.0-20221115062448-fe3a3abad311/go.mod h1:b583jCggY9gE99b6G5LEC39OIiVsWj+R97kbl5odCEk=
github.com/chzyer/logex v1.2.1/go.mod h1:JLbx6lG2kDbNRFnfkgvh4eRJRPX1QCoOIWomwysCBrQ=
github.com/chzyer/readline v1.5.1/go.mod h1:Eh+b79XXUwfKfcPLepksvw2tcLE/Ct21YObkaSkeBlk=
github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8=
github.com/cilium/ebpf v0.16.0/go.mod h1:L7u2Blt2jMM/vLAVgjxluxtBKlz3/GWjB0dMOEngfwE=
github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8=
github.com/containerd/console v1.0.4/go.mod h1:YynlIjWYF8myEu6sdkwKIvGQq+cOckRm6So2avqoYAk=
github.com/coreos/go-oidc v2.2.1+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec=
github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5/go.mod h1:qssHWj60/X5sZFNxpG4HBPDHVqxNm4DfnCKgrbZOT+s=
github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
github.com/envoyproxy/go-control-plane v0.13.1/go.mod h1:X45hY0mufo6Fd0KW3rqsGvQMw58jvjymeCzBU3mWyHw=
github.com/envoyproxy/protoc-gen-validate v1.1.0/go.mod h1:sXRDRVmzEbkM7CVcM06s9shE/m23dg3wzjl0UWqJ2q4=
github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
github.com/gabriel-vasile/mimetype v1.4.2/go.mod h1:zApsH/mKG4w07erKIaJPFiX0Tsq9BFQgN3qGY5GnNgA=
github.com/getsentry/sentry-go v0.21.0/go.mod h1:lc76E2QywIyW8WuBnwl8Lc4bkmQH4+w1gwTf25trprY=
github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI=
github.com/gin-gonic/gin v1.9.1/go.mod h1:hPrL7YrpYKXt5YId3A/Tnip5kqbEAP+KLuI3SUcPTeU=
github.com/go-kit/log v0.2.1/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0=
github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs=
github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
github.com/go-playground/validator/v10 v10.14.0/go.mod h1:9iXMNT7sEkjXb0I+enO7QXmzG6QCsPWY4zveKFVRSyU=
github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
github.com/golang/glog v1.2.2/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
github.com/google/cel-go v0.22.0/go.mod h1:BuznPXXfQDpXKWQ9sPW3TzlAJN5zzFe+i9tIs0yC4s8=
github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
github.com/grpc-ecosystem/go-grpc-middleware v1.3.0/go.mod h1:z0ButlSOZa5vEBq9m2m2hlwIgKw+rp3sdCBRoJY+30Y=
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k=
github.com/ianlancetaylor/demangle v0.0.0-20240312041847-bd984b5ce465/go.mod h1:gx7rwoVhcfuVKG5uya9Hs3Sxj7EIvldVofAWIUtGouw=
github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
github.com/jonboulle/clockwork v0.4.0/go.mod h1:xgRqUGwRcjKCO1vbZUEtSLrqKoPSsUpK7fnezOII0kc=
github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
github.com/klauspost/cpuid/v2 v2.2.4/go.mod h1:RVVoqg1df56z8g3pUjL/3lE5UfnlrJX8tyFgg4nqhuY=
github.com/klauspost/pgzip v1.2.6/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
github.com/labstack/echo/v4 v4.10.2/go.mod h1:OEyqf2//K1DFdE57vw2DRgWY0M7s65IVQO2FzvI4J5k=
github.com/labstack/gommon v0.4.0/go.mod h1:uW6kP17uPlLJsD3ijUYn3/M5bAxtlZhMI6m3MFxTMTM=
github.com/leodido/go-urn v1.2.4/go.mod h1:7ZrI8mTSeBSHl/UaRyKQW1qZeMgak41ANeCNaVckg+4=
github.com/maxbrunsfeld/counterfeiter/v6 v6.8.1/go.mod h1:eyp4DdUJAKkr9tvxR3jWhw2mDK7CWABMG5r9uyaKC7I=
github.com/mholt/archiver/v3 v3.5.1/go.mod h1:e3dqJ7H78uzsRSEACH1joayhuSyhnonssnDhppzS1L4=
github.com/moby/spdystream v0.5.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI=
github.com/moby/sys/user v0.3.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs=
github.com/mrunalp/fileutils v0.5.1/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
github.com/ncabatoff/fakescraper v0.0.0-20201102132415-4b37ba603d65/go.mod h1:Tx6UMSMyIsjLG/VU/F6xA1+0XI+/f9o1dGJnf1l+bPg=
github.com/nwaples/rardecode v1.1.3/go.mod h1:5DzqNKiOdpKKBH87u8VlvAnPZMXcGRhxWkRpHbbfGS0=
github.com/onsi/ginkgo/v2 v2.21.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
github.com/onsi/ginkgo/v2 v2.22.1/go.mod h1:S6aTpoRsSq2cZOd+pssHAlKW/Q/jZt6cPrPlnj4a1xM=
github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
github.com/pelletier/go-toml/v2 v2.0.8/go.mod h1:vuYfssBdrU2XDZ9bYydBu6t+6a6PYNcZljzZR9VXg+4=
github.com/pierrec/lz4/v4 v4.1.21/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
github.com/pquerna/cachecontrol v0.1.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQnrHV5K9mBcUI=
github.com/prometheus/exporter-toolkit v0.11.0/go.mod h1:BVnENhnNecpwoTLiABx7mrPB/OLRIgN74qlQbV+FK1Q=
github.com/seccomp/libseccomp-golang v0.10.0/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0=
github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo=
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75/go.mod h1:KO6IkyS8Y3j8OdNO85qEYBsRPuteD+YciPomcXdrMnk=
github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
github.com/ugorji/go/codec v1.2.11/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
github.com/ulikunitz/xz v0.5.12/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
github.com/urfave/cli v1.22.14/go.mod h1:X0eDS6pD6Exaclxm99NJ3FiCDRED7vIHpx2mDOHLvkA=
github.com/uwu-tools/magex v0.10.0/go.mod h1:TrSEhrL1xHfJVy6n05AUwFdcQndgwrbgL5ybPNKWmVY=
github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
github.com/valyala/fasttemplate v1.2.2/go.mod h1:KHLXt3tVN2HBp8eijSv/kGJopbvo7S+qRAEEKiv+SiQ=
github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE=
github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU=
github.com/xhit/go-str2duration/v2 v2.1.0/go.mod h1:ohY8p+0f07DiV6Em5LKB0s2YpLtXVyJfNt1+BlmyAsU=
github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8/go.mod h1:HUYIGzjTL3rfEspMxjDjgmT5uz5wzYJKVo23qUhYTos=
github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
go.etcd.io/bbolt v1.3.11/go.mod h1:dksAq7YMXoljX0xu6VF5DMZGbhYYoLUalEiSySYAS4I=
go.etcd.io/etcd/api/v3 v3.5.16/go.mod h1:1P4SlIP/VwkDmGo3OlOD7faPeP8KDIFhqvciH5EfN28=
go.etcd.io/etcd/client/pkg/v3 v3.5.16/go.mod h1:V8acl8pcEK0Y2g19YlOV9m9ssUe6MgiDSobSoaBAM0E=
go.etcd.io/etcd/client/v2 v2.305.16/go.mod h1:h9YxWCzcdvZENbfzBTFCnoNumr2ax3F19sKMqHFmXHE=
go.etcd.io/etcd/client/v3 v3.5.16/go.mod h1:X+rExSGkyqxvu276cr2OwPLBaeqFu1cIl4vmRjAD/50=
go.etcd.io/etcd/pkg/v3 v3.5.16/go.mod h1:+lutCZHG5MBBFI/U4eYT5yL7sJfnexsoM20Y0t2uNuY=
go.etcd.io/etcd/raft/v3 v3.5.16/go.mod h1:P4UP14AxofMJ/54boWilabqqWoW9eLodl6I5GdGzazI=
go.etcd.io/etcd/server/v3 v3.5.16/go.mod h1:ynhyZZpdDp1Gq49jkUg5mfkDWZwXnn3eIqCqtJnrD/s=
go.opentelemetry.io/contrib/detectors/gcp v1.31.0/go.mod h1:tzQL6E1l+iV44YFTkcAeNQqzXUiekSYP9jjJjXwEd00=
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0/go.mod h1:azvtTADFQJA8mX80jIH/akaE7h+dbm/sVuaHqN13w74=
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg=
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI=
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0/go.mod h1:MOiCmryaYtc+V0Ei+Tx9o5S1ZjA7kzLucuVuyzBZloQ=
go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8=
golang.org/x/arch v0.3.0/go.mod h1:5om86z9Hs0C8fWVUuoMHwpExlXzs5Tkyp9hOrfG7pp8=
golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs=
golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/telemetry v0.0.0-20240521205824-bda55230c457/go.mod h1:pRgIJT+bRLFKnoM1ldnzKoxTIn14Yxz928LQRYYgIN0=
golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0=
google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80/go.mod h1:cc8bqMqtv9gMOr0zHg2Vzff5ULhhL2IXP4sbcn32Dro=
google.golang.org/genproto/googleapis/api v0.0.0-20241015192408-796eee8c2d53/go.mod h1:riSXTwQ4+nqmPGtobMFyW5FqVAmIs0St6VPp4Ug7CE4=
google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
k8s.io/kms v0.32.0/go.mod h1:Bk2evz/Yvk0oVrvm4MvZbgq8BD34Ksxs2SRHn4/UiOM=
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=

2
images/cfssl/TAG
View file

@ -1 +1 @@
v1.1.0
v1.1.1

2
images/cfssl/cloudbuild.yaml
View file

@ -2,7 +2,7 @@ options:
# Ignore Prow provided substitutions.
substitution_option: ALLOW_LOOSE
steps:
- name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20241217-ff46a068cd
- name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20250116-2a05ea7e3d
env:
- REGISTRY=gcr.io/k8s-staging-ingress-nginx
entrypoint: bash

2
images/custom-error-pages/TAG
View file

@ -1 +1 @@
v1.1.0
v1.1.1

2
images/custom-error-pages/cloudbuild.yaml
View file

@ -2,7 +2,7 @@ options:
# Ignore Prow provided substitutions.
substitution_option: ALLOW_LOOSE
steps:
- name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20241217-ff46a068cd
- name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20250116-2a05ea7e3d
env:
- REGISTRY=gcr.io/k8s-staging-ingress-nginx
entrypoint: bash

2
images/custom-error-pages/rootfs/go.mod
View file

@ -1,6 +1,6 @@
module k8s.io/ingress-nginx/custom-error-pages
go 1.23.4
go 1.23.5
require github.com/prometheus/client_golang v1.20.5

2
images/e2e-test-echo/TAG
View file

@ -1 +1 @@
v1.1.0
v1.1.1

2
images/e2e-test-echo/cloudbuild.yaml
View file

@ -2,7 +2,7 @@ options:
# Ignore Prow provided substitutions.
substitution_option: ALLOW_LOOSE
steps:
- name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20241217-ff46a068cd
- name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20250116-2a05ea7e3d
env:
- REGISTRY=gcr.io/k8s-staging-ingress-nginx
entrypoint: bash

2
images/ext-auth-example-authsvc/TAG
View file

@ -1 +1 @@
v1.1.0
v1.1.1

4
images/ext-auth-example-authsvc/rootfs/go.mod
View file

@ -1,7 +1,7 @@
module example.com/authsvc
go 1.23.4
go 1.23.5
require k8s.io/apimachinery v0.32.0
require k8s.io/apimachinery v0.32.1
require github.com/google/uuid v1.6.0 // indirect

4
images/ext-auth-example-authsvc/rootfs/go.sum
View file

@ -1,4 +1,4 @@
github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
k8s.io/apimachinery v0.32.0 h1:cFSE7N3rmEEtv4ei5X6DaJPHHX0C+upp+v5lVPiEwpg=
k8s.io/apimachinery v0.32.0/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
k8s.io/apimachinery v0.32.1 h1:683ENpaCBjma4CYqsmZyhEzrGz6cjn1MY/X2jB2hkZs=
k8s.io/apimachinery v0.32.1/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=

2
images/fastcgi-helloserver/TAG
View file

@ -1 +1 @@
v1.1.0
v1.1.1

2
images/fastcgi-helloserver/cloudbuild.yaml
View file

@ -2,7 +2,7 @@ options:
# Ignore Prow provided substitutions.
substitution_option: ALLOW_LOOSE
steps:
- name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20241217-ff46a068cd
- name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20250116-2a05ea7e3d
env:
- REGISTRY=gcr.io/k8s-staging-ingress-nginx
entrypoint: bash

2
images/go-grpc-greeter-server/TAG
View file

@ -1 +1 @@
v1.1.0
v1.1.1

2
images/httpbun/TAG
View file

@ -1 +1 @@
v1.1.0
v1.1.1

2
images/httpbun/cloudbuild.yaml
View file

@ -2,7 +2,7 @@ options:
# Ignore Prow provided substitutions.
substitution_option: ALLOW_LOOSE
steps:
- name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20241217-ff46a068cd
- name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20250116-2a05ea7e3d
env:
- REGISTRY=gcr.io/k8s-staging-ingress-nginx
entrypoint: bash

2
images/kube-webhook-certgen/TAG
View file

@ -1 +1 @@
v1.5.0
v1.5.1

2
images/kube-webhook-certgen/cloudbuild.yaml
View file

@ -2,7 +2,7 @@ options:
# Ignore Prow provided substitutions.
substitution_option: ALLOW_LOOSE
steps:
- name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20241217-ff46a068cd
- name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20250116-2a05ea7e3d
env:
- REGISTRY=gcr.io/k8s-staging-ingress-nginx
entrypoint: bash

10
images/kube-webhook-certgen/rootfs/go.mod
View file

@ -1,15 +1,15 @@
module github.com/jet/kube-webhook-certgen
go 1.23.4
go 1.23.5
require (
github.com/onrik/logrus v0.11.0
github.com/sirupsen/logrus v1.9.3
github.com/spf13/cobra v1.8.1
k8s.io/api v0.32.0
k8s.io/apimachinery v0.32.0
k8s.io/client-go v0.32.0
k8s.io/kube-aggregator v0.32.0
k8s.io/api v0.32.1
k8s.io/apimachinery v0.32.1
k8s.io/client-go v0.32.1
k8s.io/kube-aggregator v0.32.1
)
require (

16
images/kube-webhook-certgen/rootfs/go.sum
View file

@ -141,16 +141,16 @@ gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
k8s.io/api v0.32.0 h1:OL9JpbvAU5ny9ga2fb24X8H6xQlVp+aJMFlgtQjR9CE=
k8s.io/api v0.32.0/go.mod h1:4LEwHZEf6Q/cG96F3dqR965sYOfmPM7rq81BLgsE0p0=
k8s.io/apimachinery v0.32.0 h1:cFSE7N3rmEEtv4ei5X6DaJPHHX0C+upp+v5lVPiEwpg=
k8s.io/apimachinery v0.32.0/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
k8s.io/client-go v0.32.0 h1:DimtMcnN/JIKZcrSrstiwvvZvLjG0aSxy8PxN8IChp8=
k8s.io/client-go v0.32.0/go.mod h1:boDWvdM1Drk4NJj/VddSLnx59X3OPgwrOo0vGbtq9+8=
k8s.io/api v0.32.1 h1:f562zw9cy+GvXzXf0CKlVQ7yHJVYzLfL6JAS4kOAaOc=
k8s.io/api v0.32.1/go.mod h1:/Yi/BqkuueW1BgpoePYBRdDYfjPF5sgTr5+YqDZra5k=
k8s.io/apimachinery v0.32.1 h1:683ENpaCBjma4CYqsmZyhEzrGz6cjn1MY/X2jB2hkZs=
k8s.io/apimachinery v0.32.1/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
k8s.io/client-go v0.32.1 h1:otM0AxdhdBIaQh7l1Q0jQpmo7WOFIk5FFa4bg6YMdUU=
k8s.io/client-go v0.32.1/go.mod h1:aTTKZY7MdxUaJ/KiUs8D+GssR9zJZi77ZqtzcGXIiDg=
k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
k8s.io/kube-aggregator v0.32.0 h1:5ZyMW3QwAbmkasQrROcpa5we3et938DQuyUYHeXSPao=
k8s.io/kube-aggregator v0.32.0/go.mod h1:6OKivf6Ypx44qu2v1ZUMrxH8kRp/8LKFKeJU72J18lU=
k8s.io/kube-aggregator v0.32.1 h1:cztPyIHbo6tgrhYHDqmdmvxUufJKuxgAC/vog7yeWek=
k8s.io/kube-aggregator v0.32.1/go.mod h1:sXjL5T8FO/rlBzTbBhahw9V5Nnr1UtzZHKTj9WxQCOU=
k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f h1:GA7//TjRY9yWGy1poLzYYJJ4JRdzg3+O6e8I+e+8T5Y=
k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f/go.mod h1:R/HEjbvWI0qdfb8viZUeVZm0X6IZnxAydC7YU42CMw4=
k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro=

2
images/nginx/TAG
View file

@ -1 +1 @@
v1.1.0
v2.0.0

2
images/nginx/cloudbuild.yaml
View file

@ -4,7 +4,7 @@ options:
# Ignore Prow provided substitutions.
substitution_option: ALLOW_LOOSE
steps:
- name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20241217-ff46a068cd
- name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20250116-2a05ea7e3d
env:
- REGISTRY=gcr.io/k8s-staging-ingress-nginx
entrypoint: bash

85
images/nginx/rootfs/build.sh
View file

@ -18,91 +18,91 @@ set -o errexit
set -o nounset
set -o pipefail
export NGINX_VERSION=1.25.5
export NGINX_VERSION=1.27.1
# Check for recent changes: https://github.com/vision5/ngx_devel_kit/compare/v0.3.3...master
export NDK_VERSION=v0.3.3
# Check for recent changes: https://github.com/openresty/set-misc-nginx-module/compare/v0.33...master
export SETMISC_VERSION=796f5a3e518748eb29a93bd450324e0ad45b704e
export SETMISC_VERSION=v0.33
# Check for recent changes: https://github.com/openresty/headers-more-nginx-module/compare/v0.37...master
export MORE_HEADERS_VERSION=v0.37
# Check for recent changes: https://github.com/atomx/nginx-http-auth-digest/compare/v1.0.0...atomx:master
# Check for recent changes: https://github.com/atomx/nginx-http-auth-digest/compare/v1.0.0...master
export NGINX_DIGEST_AUTH=v1.0.0
# Check for recent changes: https://github.com/SpiderLabs/ModSecurity-nginx/compare/v1.0.3...master
export MODSECURITY_VERSION=v1.0.3
# Check for recent changes: https://github.com/SpiderLabs/ModSecurity/compare/v3.0.8...v3/master
export MODSECURITY_LIB_VERSION=v3.0.12
# Check for recent changes: https://github.com/SpiderLabs/ModSecurity/compare/v3.0.13...v3/master
export MODSECURITY_LIB_VERSION=v3.0.13
# Check for recent changes: https://github.com/coreruleset/coreruleset/compare/v3.3.5...v4.0/main
export OWASP_MODSECURITY_CRS_VERSION=v4.4.0
# Check for recent changes: https://github.com/coreruleset/coreruleset/compare/v4.10.0...main
export OWASP_MODSECURITY_CRS_VERSION=v4.10.0
# Check for recent changes: https://github.com/openresty/lua-nginx-module/compare/v0.10.26``...master
export LUA_NGX_VERSION=v0.10.26
# Check for recent changes: https://github.com/openresty/lua-nginx-module/compare/v0.10.27...master
export LUA_NGX_VERSION=v0.10.27
# Check for recent changes: https://github.com/openresty/stream-lua-nginx-module/compare/bea8a0c0de94cede71554f53818ac0267d675d63...master
export LUA_STREAM_NGX_VERSION=bea8a0c0de94cede71554f53818ac0267d675d63
# Check for recent changes: https://github.com/openresty/stream-lua-nginx-module/compare/v0.0.15...master
export LUA_STREAM_NGX_VERSION=v0.0.15
# Check for recent changes: https://github.com/openresty/lua-upstream-nginx-module/compare/8aa93ead98ba2060d4efd594ae33a35d153589bf...master
export LUA_UPSTREAM_VERSION=542be0893543a4e42d89f6dd85372972f5ff2a36
# Check for recent changes: https://github.com/openresty/lua-upstream-nginx-module/compare/v0.07...master
export LUA_UPSTREAM_VERSION=v0.07
# Check for recent changes: https://github.com/openresty/lua-cjson/compare/2.1.0.13...openresty:master
export LUA_CJSON_VERSION=2.1.0.13
# Check for recent changes: https://github.com/openresty/lua-cjson/compare/2.1.0.14...master
export LUA_CJSON_VERSION=2.1.0.14
# Check for recent changes: https://github.com/leev/ngx_http_geoip2_module/compare/a607a41a8115fecfc05b5c283c81532a3d605425...master
export GEOIP2_VERSION=a607a41a8115fecfc05b5c283c81532a3d605425
# Check for recent changes: https://github.com/leev/ngx_http_geoip2_module/compare/445df24ef3781e488cee3dfe8a1e111997fc1dfe...master
export GEOIP2_VERSION=445df24ef3781e488cee3dfe8a1e111997fc1dfe
# Check for recent changes: https://github.com/openresty/luajit2/compare/v2.1-20240314...v2.1-agentzh
export LUAJIT_VERSION=v2.1-20240314
# Check for recent changes: https://github.com/openresty/luajit2/compare/v2.1-20240815...v2.1-agentzh
export LUAJIT_VERSION=v2.1-20240815
# Check for recent changes: https://github.com/openresty/lua-resty-balancer/compare/1cd4363c0a239afe4765ec607dcfbbb4e5900eea...master
export LUA_RESTY_BALANCER=1cd4363c0a239afe4765ec607dcfbbb4e5900eea
# Check for recent changes: https://github.com/openresty/lua-resty-balancer/compare/v0.05...master
export LUA_RESTY_BALANCER=v0.05
# Check for recent changes: https://github.com/openresty/lua-resty-lrucache/compare/99e7578465b40f36f596d099b82eab404f2b42ed...master
export LUA_RESTY_CACHE=99e7578465b40f36f596d099b82eab404f2b42ed
# Check for recent changes: https://github.com/openresty/lua-resty-lrucache/compare/v0.15...master
export LUA_RESTY_CACHE=v0.15
# Check for recent changes: https://github.com/openresty/lua-resty-core/compare/v0.1.27...master
export LUA_RESTY_CORE=v0.1.28
# Check for recent changes: https://github.com/openresty/lua-resty-core/compare/v0.1.30...master
export LUA_RESTY_CORE=v0.1.30
# Check for recent changes: https://github.com/cloudflare/lua-resty-cookie/compare/f418d77082eaef48331302e84330488fdc810ef4...master
export LUA_RESTY_COOKIE_VERSION=f418d77082eaef48331302e84330488fdc810ef4
# Check for recent changes: https://github.com/openresty/lua-resty-dns/compare/8bb53516e2933e61c317db740a9b7c2048847c2f...master
export LUA_RESTY_DNS=8bb53516e2933e61c317db740a9b7c2048847c2f
# Check for recent changes: https://github.com/openresty/lua-resty-dns/compare/v0.23...master
export LUA_RESTY_DNS=v0.23
# Check for recent changes: https://github.com/ledgetech/lua-resty-http/compare/v0.17.1...master
export LUA_RESTY_HTTP=v0.17.1
# Check for recent changes: https://github.com/ledgetech/lua-resty-http/compare/v0.17.2...master
export LUA_RESTY_HTTP=v0.17.2
# Check for recent changes: https://github.com/openresty/lua-resty-lock/compare/v0.09...master
export LUA_RESTY_LOCK=405d0bf4cbfa74d742c6ed3158d442221e6212a9
export LUA_RESTY_LOCK=v0.09
# Check for recent changes: https://github.com/openresty/lua-resty-upload/compare/v0.11...master
export LUA_RESTY_UPLOAD_VERSION=979372cce011f3176af3c9aff53fd0e992c4bfd3
export LUA_RESTY_UPLOAD_VERSION=v0.11
# Check for recent changes: https://github.com/openresty/lua-resty-string/compare/v0.15...master
export LUA_RESTY_STRING_VERSION=6f1bc21d86daef804df3cc34d6427ef68da26844
# Check for recent changes: https://github.com/openresty/lua-resty-string/compare/v0.16...master
export LUA_RESTY_STRING_VERSION=v0.16
# Check for recent changes: https://github.com/openresty/lua-resty-memcached/compare/v0.17...master
export LUA_RESTY_MEMCACHED_VERSION=2f02b68bf65fa2332cce070674a93a69a6c7239b
export LUA_RESTY_MEMCACHED_VERSION=v0.17
# Check for recent changes: https://github.com/openresty/lua-resty-redis/compare/v0.30...master
export LUA_RESTY_REDIS_VERSION=8641b9f1b6f75cca50c90cf8ca5c502ad8950aa8
# Check for recent changes: https://github.com/openresty/lua-resty-redis/compare/v0.31...master
export LUA_RESTY_REDIS_VERSION=v0.31
# Check for recent changes: https://github.com/api7/lua-resty-ipmatcher/compare/v0.6.1...master
# Check for recent changes: https://github.com/api7/lua-resty-ipmatcher/compare/3e93c53eb8c9884efe939ef070486a0e507cc5be...master
export LUA_RESTY_IPMATCHER_VERSION=3e93c53eb8c9884efe939ef070486a0e507cc5be
# Check for recent changes: https://github.com/microsoft/mimalloc/compare/v2.1.7...master
export MIMALOC_VERSION=v2.1.7
# Check for recent changes: https://github.com/microsoft/mimalloc/compare/v2.1.9...master
export MIMALOC_VERSION=v2.1.9
# Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp/compare/v1.18.0...main
export OPENTELEMETRY_CPP_VERSION="v1.18.0"
export OPENTELEMETRY_CPP_VERSION=v1.18.0
# Check for recent changes: https://github.com/open-telemetry/opentelemetry-proto/compare/v1.5.0...main
export OPENTELEMETRY_PROTO_VERSION="v1.5.0"
export OPENTELEMETRY_PROTO_VERSION=v1.5.0
export BUILD_PATH=/tmp/build
@ -318,8 +318,7 @@ git config --global --add core.compression -1
cd "$BUILD_PATH"
git clone --depth=100 https://github.com/google/ngx_brotli.git
cd ngx_brotli
# https://github.com/google/ngx_brotli/issues/156
git reset --hard 63ca02abdcf79c9e788d2eedcc388d2335902e52
git reset --hard a71f9312c2deb28875acc7bacfdd5695a111aa53
git submodule init
git submodule update

0
images/nginx/rootfs/patches/01_nginx-1.25.3-win32_max_err_str.patch → images/nginx/rootfs/patches/01_nginx-1.27.1-win32_max_err_str.patch
View file

0
images/nginx/rootfs/patches/02_nginx-1.25.3-stream_balancer_export.patch → images/nginx/rootfs/patches/02_nginx-1.27.1-stream_balancer_export.patch
View file

0
images/nginx/rootfs/patches/03_nginx-1.25.3-stream_proxy_get_next_upstream_tries.patch → images/nginx/rootfs/patches/03_nginx-1.27.1-stream_proxy_get_next_upstream_tries.patch
View file

12
images/nginx/rootfs/patches/04_nginx-1.25.3-stream_proxy_timeout_fields.patch → images/nginx/rootfs/patches/04_nginx-1.27.1-stream_proxy_timeout_fields.patch
View file

@ -1,6 +1,6 @@
diff -u -r -p -Naur nginx-1.25.3/src/stream/ngx_stream.h nginx-1.25.3-patched/src/stream/ngx_stream.h
--- nginx-1.25.3/src/stream/ngx_stream.h 2021-11-04 21:27:55.288708527 +0800
+++ nginx-1.25.3-patched/src/stream/ngx_stream.h 2021-11-04 21:28:50.768035209 +0800
diff -u -r -p -Naur nginx-1.27.1/src/stream/ngx_stream.h nginx-1.27.1-patched/src/stream/ngx_stream.h
--- nginx-1.27.1/src/stream/ngx_stream.h 2021-11-04 21:27:55.288708527 +0800
+++ nginx-1.27.1-patched/src/stream/ngx_stream.h 2021-11-04 21:28:50.768035209 +0800
@@ -254,6 +254,15 @@ typedef struct {
} ngx_stream_module_t;
@ -25,9 +25,9 @@ diff -u -r -p -Naur nginx-1.25.3/src/stream/ngx_stream.h nginx-1.25.3-patched/sr
typedef ngx_int_t (*ngx_stream_filter_pt)(ngx_stream_session_t *s,
diff -u -r -p -Naur nginx-1.25.3/src/stream/ngx_stream_proxy_module.c nginx-1.25.3-patched/src/stream/ngx_stream_proxy_module.c
--- nginx-1.25.3/src/stream/ngx_stream_proxy_module.c 2021-11-04 21:27:55.289708533 +0800
+++ nginx-1.25.3-patched/src/stream/ngx_stream_proxy_module.c 2021-11-04 21:37:03.578936990 +0800
diff -u -r -p -Naur nginx-1.27.1/src/stream/ngx_stream_proxy_module.c nginx-1.27.1-patched/src/stream/ngx_stream_proxy_module.c
--- nginx-1.27.1/src/stream/ngx_stream_proxy_module.c 2021-11-04 21:27:55.289708533 +0800
+++ nginx-1.27.1-patched/src/stream/ngx_stream_proxy_module.c 2021-11-04 21:37:03.578936990 +0800
@@ -400,6 +400,7 @@ ngx_stream_proxy_handler(ngx_stream_sess
ngx_stream_proxy_srv_conf_t *pscf;
ngx_stream_upstream_srv_conf_t *uscf, **uscfp;

0
images/nginx/rootfs/patches/05_nginx-1.25.3-stream_ssl_preread_no_skip.patch → images/nginx/rootfs/patches/05_nginx-1.27.1-stream_ssl_preread_no_skip.patch
View file

0
images/nginx/rootfs/patches/06_nginx-1.25.3-resolver_conf_parsing.patch → images/nginx/rootfs/patches/06_nginx-1.27.1-resolver_conf_parsing.patch
View file

0
images/nginx/rootfs/patches/07_nginx-1.25.3-daemon_destroy_pool.patch → images/nginx/rootfs/patches/07_nginx-1.27.1-daemon_destroy_pool.patch
View file

24
images/nginx/rootfs/patches/08_nginx-1.25.3-init_cycle_pool_release.patch → images/nginx/rootfs/patches/08_nginx-1.27.1-init_cycle_pool_release.patch
View file

@ -1,6 +1,6 @@
diff -rup nginx-1.25.3/src/core/nginx.c nginx-1.25.3-patched/src/core/nginx.c
--- nginx-1.25.3/src/core/nginx.c 2017-12-17 00:00:38.136470108 -0800
+++ nginx-1.25.3-patched/src/core/nginx.c 2017-12-16 23:59:51.680958322 -0800
diff -rup nginx-1.27.1/src/core/nginx.c nginx-1.27.1-patched/src/core/nginx.c
--- nginx-1.27.1/src/core/nginx.c 2017-12-17 00:00:38.136470108 -0800
+++ nginx-1.27.1-patched/src/core/nginx.c 2017-12-16 23:59:51.680958322 -0800
@@ -186,6 +186,7 @@ static u_char *ngx_prefix;
static u_char *ngx_conf_file;
static u_char *ngx_conf_params;
@ -18,9 +18,9 @@ diff -rup nginx-1.25.3/src/core/nginx.c nginx-1.25.3-patched/src/core/nginx.c
if (ngx_save_argv(&init_cycle, argc, argv) != NGX_OK) {
return 1;
}
diff -rup nginx-1.25.3/src/core/ngx_core.h nginx-1.25.3-patched/src/core/ngx_core.h
--- nginx-1.25.3/src/core/ngx_core.h 2017-10-10 08:22:51.000000000 -0700
+++ nginx-1.25.3-patched/src/core/ngx_core.h 2017-12-16 23:59:51.679958370 -0800
diff -rup nginx-1.27.1/src/core/ngx_core.h nginx-1.27.1-patched/src/core/ngx_core.h
--- nginx-1.27.1/src/core/ngx_core.h 2017-10-10 08:22:51.000000000 -0700
+++ nginx-1.27.1-patched/src/core/ngx_core.h 2017-12-16 23:59:51.679958370 -0800
@@ -108,4 +108,6 @@ void ngx_cpuinfo(void);
#define NGX_DISABLE_SYMLINKS_NOTOWNER 2
#endif
@ -28,9 +28,9 @@ diff -rup nginx-1.25.3/src/core/ngx_core.h nginx-1.25.3-patched/src/core/ngx_cor
+extern ngx_pool_t *saved_init_cycle_pool;
+
#endif /* _NGX_CORE_H_INCLUDED_ */
diff -rup nginx-1.25.3/src/core/ngx_cycle.c nginx-1.25.3-patched/src/core/ngx_cycle.c
--- nginx-1.25.3/src/core/ngx_cycle.c 2017-10-10 08:22:51.000000000 -0700
+++ nginx-1.25.3-patched/src/core/ngx_cycle.c 2017-12-16 23:59:51.678958419 -0800
diff -rup nginx-1.27.1/src/core/ngx_cycle.c nginx-1.27.1-patched/src/core/ngx_cycle.c
--- nginx-1.27.1/src/core/ngx_cycle.c 2017-10-10 08:22:51.000000000 -0700
+++ nginx-1.27.1-patched/src/core/ngx_cycle.c 2017-12-16 23:59:51.678958419 -0800
@@ -748,6 +748,10 @@ old_shm_zone_done:
if (ngx_process == NGX_PROCESS_MASTER || ngx_is_init_cycle(old_cycle)) {
@ -42,9 +42,9 @@ diff -rup nginx-1.25.3/src/core/ngx_cycle.c nginx-1.25.3-patched/src/core/ngx_cy
ngx_destroy_pool(old_cycle->pool);
cycle->old_cycle = NULL;
diff -rup nginx-1.25.3/src/os/unix/ngx_process_cycle.c nginx-1.25.3-patched/src/os/unix/ngx_process_cycle.c
--- nginx-1.25.3/src/os/unix/ngx_process_cycle.c 2017-12-17 00:00:38.142469762 -0800
+++ nginx-1.25.3-patched/src/os/unix/ngx_process_cycle.c 2017-12-16 23:59:51.691957791 -0800
diff -rup nginx-1.27.1/src/os/unix/ngx_process_cycle.c nginx-1.27.1-patched/src/os/unix/ngx_process_cycle.c
--- nginx-1.27.1/src/os/unix/ngx_process_cycle.c 2017-12-17 00:00:38.142469762 -0800
+++ nginx-1.27.1-patched/src/os/unix/ngx_process_cycle.c 2017-12-16 23:59:51.691957791 -0800
@@ -687,6 +692,11 @@ ngx_master_process_exit(ngx_cycle_t *cyc
ngx_exit_cycle.files_n = ngx_cycle->files_n;
ngx_cycle = &ngx_exit_cycle;

0
images/nginx/rootfs/patches/09_nginx-1.25.3-balancer_status_code.patch → images/nginx/rootfs/patches/09_nginx-1.27.1-balancer_status_code.patch
View file

0
images/nginx/rootfs/patches/10_nginx-1.25.3-delayed_posted_events.patch → images/nginx/rootfs/patches/10_nginx-1.27.1-delayed_posted_events.patch
View file

0
images/nginx/rootfs/patches/11_nginx-1.25.3-privileged_agent_process.patch → images/nginx/rootfs/patches/11_nginx-1.27.1-privileged_agent_process.patch
View file

0
images/nginx/rootfs/patches/12_nginx-1.25.3-privileged_agent_process_connections.patch → images/nginx/rootfs/patches/12_nginx-1.27.1-privileged_agent_process_connections.patch
View file

0
images/nginx/rootfs/patches/13_nginx-1.25.3-privileged_agent_process_thread_pool.patch → images/nginx/rootfs/patches/13_nginx-1.27.1-privileged_agent_process_thread_pool.patch
View file

0
images/nginx/rootfs/patches/14_nginx-1.25.3-single_process_graceful_exit.patch → images/nginx/rootfs/patches/14_nginx-1.27.1-single_process_graceful_exit.patch
View file

0
images/nginx/rootfs/patches/15_nginx-1.25.3-intercept_error_log.patch → images/nginx/rootfs/patches/15_nginx-1.27.1-intercept_error_log.patch
View file

0
images/nginx/rootfs/patches/16_nginx-1.25.3-upstream_pipelining.patch → images/nginx/rootfs/patches/16_nginx-1.27.1-upstream_pipelining.patch
View file

6
images/nginx/rootfs/patches/17_nginx-1.25.3-no_error_pages.patch → images/nginx/rootfs/patches/17_nginx-1.27.1-no_error_pages.patch
View file

@ -1,6 +1,6 @@
diff -upr nginx-1.25.3/src/http/ngx_http_core_module.c nginx-1.25.3-patched/src/http/ngx_http_core_module.c
--- nginx-1.25.3/src/http/ngx_http_core_module.c 2017-08-31 18:14:41.000000000 -0700
+++ nginx-1.25.3-patched/src/http/ngx_http_core_module.c 2017-08-31 18:21:31.638098196 -0700
diff -upr nginx-1.27.1/src/http/ngx_http_core_module.c nginx-1.27.1-patched/src/http/ngx_http_core_module.c
--- nginx-1.27.1/src/http/ngx_http_core_module.c 2017-08-31 18:14:41.000000000 -0700
+++ nginx-1.27.1-patched/src/http/ngx_http_core_module.c 2017-08-31 18:21:31.638098196 -0700
@@ -64,6 +64,8 @@ static char *ngx_http_core_directio(ngx_conf_t *cf, ngx_command_t *cmd,
void *conf);
static char *ngx_http_core_error_page(ngx_conf_t *cf, ngx_command_t *cmd,

36
images/nginx/rootfs/patches/18_nginx-1.25.3-no_Werror.patch
View file

@ -1,36 +0,0 @@
diff -urp nginx-1.25.3/auto/cc/clang nginx-1.25.3-patched/auto/cc/clang
--- nginx-1.25.3/auto/cc/clang 2014-03-04 03:39:24.000000000 -0800
+++ nginx-1.25.3-patched/auto/cc/clang 2014-03-13 20:54:26.241413360 -0700
@@ -89,7 +89,7 @@ CFLAGS="$CFLAGS -Wconditional-uninitiali
CFLAGS="$CFLAGS -Wno-unused-parameter"
# stop on warning
-CFLAGS="$CFLAGS -Werror"
+#CFLAGS="$CFLAGS -Werror"
# debug
CFLAGS="$CFLAGS -g"
diff -urp nginx-1.25.3/auto/cc/gcc nginx-1.25.3-patched/auto/cc/gcc
--- nginx-1.25.3/auto/cc/gcc 2014-03-04 03:39:24.000000000 -0800
+++ nginx-1.25.3-patched/auto/cc/gcc 2014-03-13 20:54:13.301355329 -0700
@@ -168,7 +168,7 @@ esac
# stop on warning
-CFLAGS="$CFLAGS -Werror"
+#CFLAGS="$CFLAGS -Werror"
# debug
CFLAGS="$CFLAGS -g"
diff -urp nginx-1.25.3/auto/cc/icc nginx-1.25.3-patched/auto/cc/icc
--- nginx-1.25.3/auto/cc/icc 2014-03-04 03:39:24.000000000 -0800
+++ nginx-1.25.3-patched/auto/cc/icc 2014-03-13 20:54:13.301355329 -0700
@@ -115,7 +115,7 @@ case "$NGX_ICC_VER" in
esac
# stop on warning
-CFLAGS="$CFLAGS -Werror"
+#CFLAGS="$CFLAGS -Werror"
# debug
CFLAGS="$CFLAGS -g"

36
images/nginx/rootfs/patches/18_nginx-1.27.1-no_Werror.patch Normal file
View file

@ -0,0 +1,36 @@
diff -urp nginx-1.27.1/auto/cc/clang nginx-1.27.1-patched/auto/cc/clang
--- nginx-1.27.1/auto/cc/clang 2014-03-04 03:39:24.000000000 -0800
+++ nginx-1.27.1-patched/auto/cc/clang 2014-03-13 20:54:26.241413360 -0700
@@ -89,7 +89,7 @@ CFLAGS="$CFLAGS -Wconditional-uninitiali
CFLAGS="$CFLAGS -Wno-unused-parameter"
# stop on warning
-CFLAGS="$CFLAGS -Werror"
+#CFLAGS="$CFLAGS -Werror"
# debug
CFLAGS="$CFLAGS -g"
diff -urp nginx-1.27.1/auto/cc/gcc nginx-1.27.1-patched/auto/cc/gcc
--- nginx-1.27.1/auto/cc/gcc 2014-03-04 03:39:24.000000000 -0800
+++ nginx-1.27.1-patched/auto/cc/gcc 2014-03-13 20:54:13.301355329 -0700
@@ -168,7 +168,7 @@ esac
# stop on warning
-CFLAGS="$CFLAGS -Werror"
+#CFLAGS="$CFLAGS -Werror"
# debug
CFLAGS="$CFLAGS -g"
diff -urp nginx-1.27.1/auto/cc/icc nginx-1.27.1-patched/auto/cc/icc
--- nginx-1.27.1/auto/cc/icc 2014-03-04 03:39:24.000000000 -0800
+++ nginx-1.27.1-patched/auto/cc/icc 2014-03-13 20:54:13.301355329 -0700
@@ -115,7 +115,7 @@ case "$NGX_ICC_VER" in
esac
# stop on warning
-CFLAGS="$CFLAGS -Werror"
+#CFLAGS="$CFLAGS -Werror"
# debug
CFLAGS="$CFLAGS -g"

0
images/nginx/rootfs/patches/19_nginx-1.25.3-log_escape_non_ascii.patch → images/nginx/rootfs/patches/19_nginx-1.27.1-log_escape_non_ascii.patch
View file

4
images/nginx/rootfs/patches/20_nginx-1.25.3-proxy_host_port_vars.patch → images/nginx/rootfs/patches/20_nginx-1.27.1-proxy_host_port_vars.patch
View file

@ -1,5 +1,5 @@
--- nginx-1.25.3/src/http/modules/ngx_http_proxy_module.c 2017-07-16 14:02:51.000000000 +0800
+++ nginx-1.25.3-patched/src/http/modules/ngx_http_proxy_module.c 2017-07-16 14:02:51.000000000 +0800
--- nginx-1.27.1/src/http/modules/ngx_http_proxy_module.c 2017-07-16 14:02:51.000000000 +0800
+++ nginx-1.27.1-patched/src/http/modules/ngx_http_proxy_module.c 2017-07-16 14:02:51.000000000 +0800
@@ -793,13 +793,13 @@ static ngx_keyval_t ngx_http_proxy_cach
static ngx_http_variable_t ngx_http_proxy_vars[] = {

0
images/nginx/rootfs/patches/21_nginx-1.25.3-cache_manager_exit.patch → images/nginx/rootfs/patches/21_nginx-1.27.1-cache_manager_exit.patch
View file

4
images/nginx/rootfs/patches/22_nginx-1.25.3-larger_max_error_str.patch → images/nginx/rootfs/patches/22_nginx-1.27.1-larger_max_error_str.patch
View file

@ -1,5 +1,5 @@
--- nginx-1.25.3/src/core/ngx_log.h 2013-10-08 05:07:14.000000000 -0700
+++ nginx-1.25.3-patched/src/core/ngx_log.h 2013-12-05 20:35:35.996236720 -0800
--- nginx-1.27.1/src/core/ngx_log.h 2013-10-08 05:07:14.000000000 -0700
+++ nginx-1.27.1-patched/src/core/ngx_log.h 2013-12-05 20:35:35.996236720 -0800
@@ -64,7 +64,9 @@ struct ngx_log_s {
};

0
images/nginx/rootfs/patches/23_nginx-1.25.3-pcre_conf_opt.patch → images/nginx/rootfs/patches/23_nginx-1.27.1-pcre_conf_opt.patch
View file

4
images/nginx/rootfs/patches/24_nginx-1.25.3-always_enable_cc_feature_tests.patch → images/nginx/rootfs/patches/24_nginx-1.27.1-always_enable_cc_feature_tests.patch
View file

@ -1,5 +1,5 @@
--- nginx-1.25.3/auto/cc/conf 2015-10-30 22:47:50.000000000 +0800
+++ nginx-1.25.3-patched/auto/cc/conf 2015-11-02 12:23:05.385156987 +0800
--- nginx-1.27.1/auto/cc/conf 2015-10-30 22:47:50.000000000 +0800
+++ nginx-1.27.1-patched/auto/cc/conf 2015-11-02 12:23:05.385156987 +0800
@@ -144,7 +144,7 @@ fi
CFLAGS="$CFLAGS $NGX_CC_OPT"
NGX_TEST_LD_OPT="$NGX_LD_OPT"

0
images/nginx/rootfs/patches/25_nginx-1.25.3-ssl_cert_cb_yield.patch → images/nginx/rootfs/patches/25_nginx-1.27.1-ssl_cert_cb_yield.patch
View file

0
images/nginx/rootfs/patches/26_nginx-1.25.3-ssl_sess_cb_yield.patch → images/nginx/rootfs/patches/26_nginx-1.27.1-ssl_sess_cb_yield.patch
View file

0
images/nginx/rootfs/patches/27_nginx-1.25.3-ssl_client_hello_cb_yield.patch → images/nginx/rootfs/patches/27_nginx-1.27.1-ssl_client_hello_cb_yield.patch
View file

0
images/nginx/rootfs/patches/28_nginx-1.25.3-upstream_timeout_fields.patch → images/nginx/rootfs/patches/28_nginx-1.27.1-upstream_timeout_fields.patch
View file

0
images/nginx/rootfs/patches/29_nginx-1.25.3-safe_resolver_ipv6_option.patch → images/nginx/rootfs/patches/29_nginx-1.27.1-safe_resolver_ipv6_option.patch
View file

0
images/nginx/rootfs/patches/30_nginx-1.25.3-socket_cloexec.patch → images/nginx/rootfs/patches/30_nginx-1.27.1-socket_cloexec.patch
View file

0
images/nginx/rootfs/patches/31_nginx-1.25.3-reuseport_close_unused_fds.patch → images/nginx/rootfs/patches/31_nginx-1.27.1-reuseport_close_unused_fds.patch
View file

77
images/nginx/rootfs/patches/32_nginx-1.27.1-proc_exit_handler.patch Normal file
View file

@ -0,0 +1,77 @@
diff --git a/src/core/ngx_cycle.c b/src/core/ngx_cycle.c
index c4e3c50..fa1408b 100644
--- a/src/core/ngx_cycle.c
+++ b/src/core/ngx_cycle.c
@@ -264,6 +264,9 @@ ngx_init_cycle(ngx_cycle_t *old_cycle)
}
+#if !(NGX_WIN32)
+ ngx_proc_exit_top_handler = ngx_proc_exit_def_handler;
+#endif
conf.ctx = cycle->conf_ctx;
conf.cycle = cycle;
conf.pool = pool;
diff --git a/src/os/unix/ngx_process.c b/src/os/unix/ngx_process.c
index 12a8c68..874c9bf 100644
--- a/src/os/unix/ngx_process.c
+++ b/src/os/unix/ngx_process.c
@@ -34,6 +34,7 @@ ngx_int_t ngx_process_slot;
ngx_socket_t ngx_channel;
ngx_int_t ngx_last_process;
ngx_process_t ngx_processes[NGX_MAX_PROCESSES];
+ngx_proc_exit_pt ngx_proc_exit_top_handler;
ngx_signal_t signals[] = {
@@ -83,6 +84,13 @@ ngx_signal_t signals[] = {
};
+void
+ngx_proc_exit_def_handler(ngx_pid_t pid)
+{
+ /* do nothing */
+}
+
+
ngx_pid_t
ngx_spawn_process(ngx_cycle_t *cycle, ngx_spawn_proc_pt proc, void *data,
char *name, ngx_int_t respawn)
@@ -564,6 +572,7 @@ ngx_process_get_status(void)
}
ngx_unlock_mutexes(pid);
+ ngx_proc_exit_top_handler(pid);
}
}
diff --git a/src/os/unix/ngx_process.h b/src/os/unix/ngx_process.h
index 3986639..0b55d98 100644
--- a/src/os/unix/ngx_process.h
+++ b/src/os/unix/ngx_process.h
@@ -18,6 +18,8 @@ typedef pid_t ngx_pid_t;
#define NGX_INVALID_PID -1
typedef void (*ngx_spawn_proc_pt) (ngx_cycle_t *cycle, void *data);
+#define NGX_HAVE_PROC_EXIT 1
+typedef void (*ngx_proc_exit_pt)(ngx_pid_t pid);
typedef struct {
ngx_pid_t pid;
@@ -66,6 +68,7 @@ ngx_pid_t ngx_spawn_process(ngx_cycle_t *cycle,
ngx_pid_t ngx_execute(ngx_cycle_t *cycle, ngx_exec_ctx_t *ctx);
ngx_int_t ngx_init_signals(ngx_log_t *log);
void ngx_debug_point(void);
+void ngx_proc_exit_def_handler(ngx_pid_t pid);
#if (NGX_HAVE_SCHED_YIELD)
@@ -85,6 +88,7 @@ extern ngx_socket_t ngx_channel;
extern ngx_int_t ngx_process_slot;
extern ngx_int_t ngx_last_process;
extern ngx_process_t ngx_processes[NGX_MAX_PROCESSES];
+extern ngx_proc_exit_pt ngx_proc_exit_top_handler;
#endif /* _NGX_PROCESS_H_INCLUDED_ */

2
images/test-runner/TAG
View file

@ -1 +1 @@
v1.2.0
v2.0.0

2
images/test-runner/cloudbuild.yaml
View file

@ -2,7 +2,7 @@ options:
# Ignore Prow provided substitutions.
substitution_option: ALLOW_LOOSE
steps:
- name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20241217-ff46a068cd
- name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20250116-2a05ea7e3d
env:
- REGISTRY=gcr.io/k8s-staging-ingress-nginx
entrypoint: bash

13
internal/ingress/annotations/customheaders/main.go
View file

@ -18,6 +18,7 @@ package customheaders
import (
"fmt"
"reflect"
"regexp"
"k8s.io/klog/v2"
@ -35,6 +36,18 @@ type Config struct {
Headers map[string]string `json:"headers,omitempty"`
}
// Equal tests for equality between two Config types
func (c1 *Config) Equal(c2 *Config) bool {
if c1 == c2 {
return true
}
if c1 == nil || c2 == nil {
return false
}
return reflect.DeepEqual(c1.Headers, c2.Headers)
}
var (
headerRegexp = regexp.MustCompile(`^[a-zA-Z\d\-_]+$`)
valueRegexp = regexp.MustCompile(`^[a-zA-Z\d_ :;.,\\/"'?!(){}\[\]@<>=\-+*#$&\x60|~^%]+$`)

6
internal/ingress/annotations/parser/validators.go
View file

@ -79,6 +79,8 @@ var (
// URLWithNginxVariableRegex defines a url that can contain nginx variables.
// It is a risky operation
URLWithNginxVariableRegex = regexp.MustCompile("^[" + extendedAlphaNumeric + urlEnabledChars + "$]*$")
// MaliciousRegex defines chars that are known to inject RCE
MaliciousRegex = regexp.MustCompile(`\r|\n`)
)
// ValidateArrayOfServerName validates if all fields on a Server name annotation are
@ -113,6 +115,10 @@ func ValidateRegex(regex *regexp.Regexp, removeSpace bool) AnnotationValidator {
if !regex.MatchString(s) {
return fmt.Errorf("value %s is invalid", s)
}
if MaliciousRegex.MatchString(s) {
return fmt.Errorf("value %s contains malicious string", s)
}
return nil
}
}

5
internal/ingress/annotations/parser/validators_test.go
View file

@ -65,6 +65,11 @@ func TestValidateArrayOfServerName(t *testing.T) {
value: "something.com,lolo;xpto.com,nothing.com",
wantErr: true,
},
{
name: "should deny names with malicous chars",
value: "http://something.com/#;\nournewinjection",
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {

2
magefiles/go.mod
View file

@ -1,6 +1,6 @@
module k8s.io/ingress-nginx/magefiles
go 1.23.4
go 1.23.5
require (
github.com/blang/semver/v4 v4.0.0

4
pkg/apis/ingress/types_equals.go
View file

@ -467,6 +467,10 @@ func (l1 *Location) Equal(l2 *Location) bool {
return false
}
if !l1.CustomHeaders.Equal(&l2.CustomHeaders) {
return false
}
return true
}

2
test/e2e-image/Makefile
View file

@ -1,6 +1,6 @@
DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
E2E_BASE_IMAGE ?= "registry.k8s.io/ingress-nginx/e2e-test-runner:v20241224-68ed4e7b@sha256:871642296ebc0dd386f9a43b0cf2606028d757d6c4a2737d41180f02f8172823"
E2E_BASE_IMAGE ?= "registry.k8s.io/ingress-nginx/e2e-test-runner:v20250112-a188f4eb@sha256:043038b1e30e5a0b64f3f919f096c5c9488ac3f617ac094b07fb9db8215f9441"
image:
echo "..entered Makefile in /test/e2e-image"

2
test/e2e/HTTPBUN_IMAGE
View file

@ -1 +1 @@
registry.k8s.io/ingress-nginx/httpbun:v1.1.0@sha256:bd870e71e30d478fafd00c515fba454f326960fe343a84ace577723a07a2cd6c
registry.k8s.io/ingress-nginx/httpbun:v1.1.1@sha256:4569515d9b74470c915566a010792e7202b6769443fb1f3bb1b1e87376028634

2
test/e2e/framework/deployment.go
View file

@ -47,7 +47,7 @@ const NIPService = "external-nip"
var HTTPBunImage = os.Getenv("HTTPBUN_IMAGE")
// EchoImage is the default image to be used by the echo service
const EchoImage = "registry.k8s.io/ingress-nginx/e2e-test-echo:v1.1.0@sha256:0713ba47b3e4359b38ad53cd785c34b158e168a91636520a4a5e54cd500d8356" //#nosec G101
const EchoImage = "registry.k8s.io/ingress-nginx/e2e-test-echo:v1.1.1@sha256:a1e0152e2eeab26e3f6fd3986f3d82b17bc7711717cae5392dcd18dd447ba6ef" //#nosec G101
// TODO: change all Deployment functions to use these options
// in order to reduce complexity and have a unified API across the

2
test/e2e/framework/fastcgi_helloserver.go
View file

@ -59,7 +59,7 @@ func (f *Framework) NewNewFastCGIHelloServerDeploymentWithReplicas(replicas int3
Containers: []corev1.Container{
{
Name: "fastcgi-helloserver",
Image: "registry.k8s.io/ingress-nginx/fastcgi-helloserver:v1.1.0@sha256:939cb351010a618383921b49056ccb6227b5a486ec52773464edbec03bc04812",
Image: "registry.k8s.io/ingress-nginx/fastcgi-helloserver:v1.1.1@sha256:6af4d8c7745c6727aab759db616a58fd68d784d07ce7a32d1ad149c331fd9a6f",
Env: []corev1.EnvVar{},
Ports: []corev1.ContainerPort{
{

2
test/e2e/run-chart-test.sh
View file

@ -114,5 +114,5 @@ docker run \
--workdir /workdir \
--entrypoint ct \
--rm \
registry.k8s.io/ingress-nginx/e2e-test-runner:v20241224-68ed4e7b@sha256:871642296ebc0dd386f9a43b0cf2606028d757d6c4a2737d41180f02f8172823 \
registry.k8s.io/ingress-nginx/e2e-test-runner:v20250112-a188f4eb@sha256:043038b1e30e5a0b64f3f919f096c5c9488ac3f617ac094b07fb9db8215f9441 \
install --charts charts/ingress-nginx

2
test/e2e/settings/ocsp/ocsp.go
View file

@ -297,7 +297,7 @@ func ocspserveDeployment(namespace string) (*appsv1.Deployment, *corev1.Service)
Containers: []corev1.Container{
{
Name: name,
Image: "registry.k8s.io/ingress-nginx/cfssl:v1.1.0@sha256:31a195d7c3dc801575ca46919ff2b3f01afce54a744ab22ee83469f92a6e0965",
Image: "registry.k8s.io/ingress-nginx/cfssl:v1.1.1@sha256:bcd576c6d0a01d4710969195e804c02da62b71b5c35c6816df9b7584d5445437",
Command: []string{
"/bin/bash",
"-c",

7
test/manifests/configuration-a.json
View file

@ -302,7 +302,12 @@
"validationDepth": 0
},
"use-port-in-redirects": false,
"configuration-snippet": ""
"configuration-snippet": "",
"customHeaders": {
"headers": {
"Server": "HAL9000"
}
}
}]
}, {
"hostname": "dev.mycompany.com",

7
test/manifests/configuration-b.json
View file

@ -302,7 +302,12 @@
"validationDepth": 0
},
"use-port-in-redirects": false,
"configuration-snippet": ""
"configuration-snippet": "",
"customHeaders": {
"headers": {
"Server": "HAL9000"
}
}
}]
}, {
"hostname": "dev.mycompany.com",