wqChart: Improve #10673.

charts/ingress-nginx/templates/default-backend-extra-configmaps.yaml

@@ -0,0 +1,23 @@
+{{- if .Values.defaultBackend.enabled }}
+{{- range .Values.defaultBackend.extraConfigMaps }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    {{- include "ingress-nginx.labels" $ | nindent 4 }}
+    app.kubernetes.io/component: default-backend
+    {{- with $.Values.defaultBackend.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  name: {{ .name }}
+  namespace: {{ include "ingress-nginx.namespace" $ }}
+data:
+  {{- with .data }}
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+{{- end }}
+{{- end }}

charts/ingress-nginx/tests/controller-service_test.yaml

@@ -0,0 +1,32 @@
+suite: Controller > Service
+templates:
+  - controller-service.yaml
+
+tests:
+  - it: should not create a Service if `controller.service.external.enabled` is false
+    set:
+      controller.service.external.enabled: false
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should create a Service if `controller.service.external.enabled` is true
+    set:
+      controller.service.external.enabled: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: Service
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-ingress-nginx-controller
+
+  - it: should create a Service of type "NodePort" if `controller.service.external.enabled` is true and `controller.service.type` is "NodePort"
+    set:
+      controller.service.external.enabled: true
+      controller.service.type: NodePort
+    asserts:
+      - equal:
+          path: spec.type
+          value: NodePort

charts/ingress-nginx/tests/default-backend-extra-configmaps_test.yaml

@@ -0,0 +1,50 @@
+suite: Default Backend > Extra ConfigMaps
+templates:
+  - default-backend-extra-configmaps.yaml
+
+tests:
+  - it: should not create a ConfigMap if `defaultBackend.extraConfigMaps` is empty
+    set:
+      defaultBackend.enabled: true
+      defaultBackend.extraConfigMaps: []
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should create one ConfigMap if `defaultBackend.extraConfigMaps` has one element
+    set:
+      defaultBackend.enabled: true
+      defaultBackend.extraConfigMaps:
+        - name: my-configmap-1
+          data:
+            key1: value1
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: ConfigMap
+      - equal:
+          path: metadata.name
+          value: my-configmap-1
+      - equal:
+          path: data.key1
+          value: value1
+
+  - it: should create two ConfigMaps if `defaultBackend.extraConfigMaps` has two elements
+    set:
+      defaultBackend.enabled: true
+      defaultBackend.extraConfigMaps:
+        - name: my-configmap-1
+          data:
+            key1: value1
+        - name: my-configmap-2
+          data:
+            key2: value2
+    asserts:
+      - hasDocuments:
+          count: 2
+      - isKind:
+          of: ConfigMap
+      - matchRegex:
+          path: metadata.name
+          pattern: my-configmap-(1|2)

charts/ingress-nginx/values.yaml

@@ -27,13 +27,17 @@ controller:
     ## for backwards compatibility consider setting the full image url via the repository value below
     ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
     ## repository:
-    tag: "v1.8.2"
+    tag: "v1.9.4"
-    digest: sha256:74834d3d25b336b62cabeb8bf7f1d788706e2cf1cfd64022de4137ade8881ff2
+    digest: sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3
-    digestChroot: sha256:1317a563219f755a6094d990057c78e5c4dcea5e31f4ce1db8641e732a7d6133
+    digestChroot: sha256:5976b1067cfbca8a21d0ba53d71f83543a73316a61ea7f7e436d6cf84ddf9b26
     pullPolicy: IfNotPresent
+    runAsNonRoot: true
     # www-data -> uid 101
     runAsUser: 101
-    allowPrivilegeEscalation: true
+    allowPrivilegeEscalation: false
+    seccompProfile:
+      type: RuntimeDefault
+    readOnlyRootFilesystem: false
   # -- Use an existing PSP instead of creating one
   existingPsp: ""
   # -- Configures the controller container name
@@ -127,12 +131,15 @@ controller:
   podLabels: {}
   #  key: value
 
-  # -- Security Context policies for controller pods
+  # -- Security context for controller pods
   podSecurityContext: {}
-  # -- See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls
+  # -- sysctls for controller pods
+  ## Ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
   sysctls: {}
   # sysctls:
   #   "net.core.somaxconn": "8192"
+  # -- Security context for controller containers
+  containerSecurityContext: {}
 
   # -- Allows customization of the source of the IP address or FQDN to report
   # in the ingress status field. By default, it reads the information provided
@@ -437,103 +444,198 @@ controller:
   customTemplate:
     configMapName: ""
     configMapKey: ""
+
   service:
+    # -- Enable controller services or not. This does not influence the creation of either the admission webhook or the metrics service.
     enabled: true
-    # -- If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were
+
-    # using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
+    external:
-    # It allows choosing the protocol for each backend specified in the Kubernetes service.
+      # -- Enable the external controller service or not. Useful for internal-only deployments.
-    # See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244
+      enabled: true
-    # Will be ignored for Kubernetes versions older than 1.20
+
-    ##
+    # -- Annotations to be added to the external controller service. See `controller.service.internal.annotations` for annotations to be added to the internal controller service.
-    appProtocol: true
-    # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine.
     annotations: {}
+    # -- Labels to be added to both controller services.
     labels: {}
-    # clusterIP: ""
 
-    # -- List of IP addresses at which the controller services are available
+    # -- Type of the external controller service.
-    ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
+    # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
-    ##
+    type: LoadBalancer
+
+    # -- Pre-defined cluster internal IP address of the external controller service. Take care of collisions with existing services.
+    # This value is immutable. Set once, it can not be changed without deleting and re-creating the service.
+    # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
+    clusterIP: ""
+
+    # -- List of node IP addresses at which the external controller service is available.
+    # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
     externalIPs: []
-    # -- Set to false to disable loadbalancer node port allocation
+
-    # See https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
+    # -- Deprecated: Pre-defined IP address of the external controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP.
-    # allocateLoadBalancerNodePorts: true
+    # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
-    # -- Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
     loadBalancerIP: ""
+    # -- Restrict access to the external controller service. Values must be CIDRs. Allows any source address by default.
     loadBalancerSourceRanges: []
-    # -- Used by cloud providers to select a load balancer implementation other than the cloud provider default. https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
+    # -- Load balancer class of the external controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default.
+    # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
     loadBalancerClass: ""
-    enableHttp: true
-    enableHttps: true
-    ## Set external traffic policy to: "Local" to preserve source IP on providers supporting it.
-    ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer
-    # externalTrafficPolicy: ""
 
-    ## Must be either "None" or "ClientIP" if set. Kubernetes will default to "None".
+    # -- Enable node port allocation for the external controller service or not. Applies to type `LoadBalancer` only.
-    ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
+    # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
-    # sessionAffinity: ""
+    # allocateLoadBalancerNodePorts: true
 
-    ## Specifies the health check node port (numeric port number) for the service. If healthCheckNodePort isn’t specified,
+    # -- External traffic policy of the external controller service. Set to "Local" to preserve source IP on providers supporting it.
-    ## the service controller allocates a port from your cluster’s NodePort range.
+    # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
-    ## Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+    externalTrafficPolicy: ""
+
+    # -- Session affinity of the external controller service. Must be either "None" or "ClientIP" if set. Defaults to "None".
+    # Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity
+    sessionAffinity: ""
+
+    # -- Specifies the health check node port (numeric port number) for the external controller service.
+    # If not specified, the service controller allocates a port from your cluster's node port range.
+    # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
     # healthCheckNodePort: 0
 
-    # -- Represents the dual-stack-ness requested or required by this Service. Possible values are
+    # -- Represents the dual-stack capabilities of the external controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack.
-    # SingleStack, PreferDualStack or RequireDualStack.
+    # Fields `ipFamilies` and `clusterIP` depend on the value of this field.
-    # The ipFamilies and clusterIPs fields depend on the value of this field.
+    # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
-    ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/
+    ipFamilyPolicy: SingleStack
-    ipFamilyPolicy: "SingleStack"
+    # -- List of IP families (e.g. IPv4, IPv6) assigned to the external controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field.
-    # -- List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically
+    # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
-    # based on cluster configuration and the ipFamilyPolicy field.
-    ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/
     ipFamilies:
       - IPv4
+
+    # -- Enable the HTTP listener on both controller services or not.
+    enableHttp: true
+    # -- Enable the HTTPS listener on both controller services or not.
+    enableHttps: true
+
     ports:
+      # -- Port the external HTTP listener is published with.
       http: 80
+      # -- Port the external HTTPS listener is published with.
       https: 443
+
     targetPorts:
+      # -- Port of the ingress controller the external HTTP listener is mapped to.
       http: http
+      # -- Port of the ingress controller the external HTTPS listener is mapped to.
       https: https
-    type: LoadBalancer
+
-    ## type: NodePort
+    # -- Declare the app protocol of the external HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol.
-    ## nodePorts:
+    # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol
-    ##   http: 32080
+    appProtocol: true
-    ##   https: 32443
+
-    ##   tcp:
-    ##     8080: 32808
     nodePorts:
+      # -- Node port allocated for the external HTTP listener. If left empty, the service controller allocates one from the configured node port range.
       http: ""
+      # -- Node port allocated for the external HTTPS listener. If left empty, the service controller allocates one from the configured node port range.
       https: ""
+      # -- Node port mapping for external TCP listeners. If left empty, the service controller allocates them from the configured node port range.
+      # Example:
+      # tcp:
+      #   8080: 30080
       tcp: {}
+      # -- Node port mapping for external UDP listeners. If left empty, the service controller allocates them from the configured node port range.
+      # Example:
+      # udp:
+      #   53: 30053
       udp: {}
-    external:
+
-      enabled: true
     internal:
-      # -- Enables an additional internal load balancer (besides the external one).
+      # -- Enable the internal controller service or not. Remember to configure `controller.service.internal.annotations` when enabling this.
       enabled: false
-      # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine.
+
+      # -- Annotations to be added to the internal controller service. Mandatory for the internal controller service to be created. Varies with the cloud service.
+      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
       annotations: {}
-      # -- Set to false to disable loadbalancer node port allocation
+
-      # See https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
+      # -- Type of the internal controller service.
-      # allocateLoadBalancerNodePorts: true
+      # Defaults to the value of `controller.service.type`.
-      # -- Used by cloud providers to connect the resulting internal LoadBalancer to a pre-existing static IP. Make sure to add to the service the needed annotation to specify the subnet which the static IP belongs to. For instance, `networking.gke.io/internal-load-balancer-subnet` for GCP and `service.beta.kubernetes.io/aws-load-balancer-subnets` for AWS.
+      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
+      type: ""
+
+      # -- Pre-defined cluster internal IP address of the internal controller service. Take care of collisions with existing services.
+      # This value is immutable. Set once, it can not be changed without deleting and re-creating the service.
+      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
+      clusterIP: ""
+
+      # -- List of node IP addresses at which the internal controller service is available.
+      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
+      externalIPs: []
+
+      # -- Deprecated: Pre-defined IP address of the internal controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP.
+      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
       loadBalancerIP: ""
-      # -- Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0.
+      # -- Restrict access to the internal controller service. Values must be CIDRs. Allows any source address by default.
       loadBalancerSourceRanges: []
-      ## Set external traffic policy to: "Local" to preserve source IP on
+      # -- Load balancer class of the internal controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default.
-      ## providers supporting it
+      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
-      ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer
+      loadBalancerClass: ""
-      # externalTrafficPolicy: ""
+
+      # -- Enable node port allocation for the internal controller service or not. Applies to type `LoadBalancer` only.
+      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
+      # allocateLoadBalancerNodePorts: true
+
+      # -- External traffic policy of the internal controller service. Set to "Local" to preserve source IP on providers supporting it.
+      # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+      externalTrafficPolicy: ""
+
+      # -- Session affinity of the internal controller service. Must be either "None" or "ClientIP" if set. Defaults to "None".
+      # Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity
+      sessionAffinity: ""
+
+      # -- Specifies the health check node port (numeric port number) for the internal controller service.
+      # If not specified, the service controller allocates a port from your cluster's node port range.
+      # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+      # healthCheckNodePort: 0
+
+      # -- Represents the dual-stack capabilities of the internal controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack.
+      # Fields `ipFamilies` and `clusterIP` depend on the value of this field.
+      # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+      ipFamilyPolicy: SingleStack
+      # -- List of IP families (e.g. IPv4, IPv6) assigned to the internal controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field.
+      # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+      ipFamilies:
+        - IPv4
 
-      # -- Custom port mapping for internal service
       ports: {}
-      #  http: 80
+        # -- Port the internal HTTP listener is published with.
-      #  https: 443
+        # Defaults to the value of `controller.service.ports.http`.
+        # http: 80
+        # -- Port the internal HTTPS listener is published with.
+        # Defaults to the value of `controller.service.ports.https`.
+        # https: 443
 
-      # -- Custom target port mapping for internal service
       targetPorts: {}
-      #  http: http
+        # -- Port of the ingress controller the internal HTTP listener is mapped to.
-      #  https: https
+        # Defaults to the value of `controller.service.targetPorts.http`.
+        # http: http
+        # -- Port of the ingress controller the internal HTTPS listener is mapped to.
+        # Defaults to the value of `controller.service.targetPorts.https`.
+        # https: https
+
+      # -- Declare the app protocol of the internal HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol.
+      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol
+      appProtocol: true
+
+      nodePorts:
+        # -- Node port allocated for the internal HTTP listener. If left empty, the service controller allocates one from the configured node port range.
+        http: ""
+        # -- Node port allocated for the internal HTTPS listener. If left empty, the service controller allocates one from the configured node port range.
+        https: ""
+        # -- Node port mapping for internal TCP listeners. If left empty, the service controller allocates them from the configured node port range.
+        # Example:
+        # tcp:
+        #   8080: 30080
+        tcp: {}
+        # -- Node port mapping for internal UDP listeners. If left empty, the service controller allocates them from the configured node port range.
+        # Example:
+        # udp:
+        #   53: 30053
+        udp: {}
+
   # shareProcessNamespace enables process namespace sharing within the pod.
   # This can be used for example to signal log rotation using `kill -USR1` from a sidecar.
   shareProcessNamespace: false
@@ -580,9 +682,26 @@ controller:
   # -- Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module
   extraModules: []
   # - name: mytestmodule
-  #   image: registry.k8s.io/ingress-nginx/mytestmodule
+  #   image:
+  #     registry: registry.k8s.io
+  #     image: ingress-nginx/mytestmodule
+  #     ## for backwards compatibility consider setting the full image url via the repository value below
+  #     ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
+  #     ## repository:
+  #     tag: "v1.0.0"
+  #     digest: ""
+  #     distroless: false
   #   containerSecurityContext:
+  #     runAsNonRoot: true
+  #     runAsUser: <user-id>
   #     allowPrivilegeEscalation: false
+  #     seccompProfile:
+  #       type: RuntimeDefault
+  #     capabilities:
+  #       drop:
+  #       - ALL
+  #     readOnlyRootFilesystem: true
+  #   resources: {}
   #
   # The image must contain a `/usr/local/bin/init_module.sh` executable, which
   # will be executed as initContainers, to move its config files within the
@@ -590,9 +709,28 @@ controller:
 
   opentelemetry:
     enabled: false
-    image: registry.k8s.io/ingress-nginx/opentelemetry:v20230721-3e2062ee5@sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472
+    name: opentelemetry
+    image:
+      registry: registry.k8s.io
+      image: ingress-nginx/opentelemetry
+      ## for backwards compatibility consider setting the full image url via the repository value below
+      ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
+      ## repository:
+      tag: "v20230721-3e2062ee5"
+      digest: sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472
+      distroless: true
     containerSecurityContext:
+      runAsNonRoot: true
+      # -- The image's default user, inherited from its base image `cgr.dev/chainguard/static`.
+      runAsUser: 65532
       allowPrivilegeEscalation: false
+      seccompProfile:
+        type: RuntimeDefault
+      capabilities:
+        drop:
+        - ALL
+      readOnlyRootFilesystem: true
+    resources: {}
   admissionWebhooks:
     name: admission
     annotations: {}
@@ -632,8 +770,17 @@ controller:
       type: ClusterIP
     createSecretJob:
       name: create
+      # -- Security context for secret creation containers
       securityContext:
+        runAsNonRoot: true
+        runAsUser: 65532
         allowPrivilegeEscalation: false
+        seccompProfile:
+          type: RuntimeDefault
+        capabilities:
+          drop:
+          - ALL
+        readOnlyRootFilesystem: true
       resources: {}
       # limits:
       #   cpu: 10m
@@ -643,8 +790,17 @@ controller:
       #   memory: 20Mi
     patchWebhookJob:
       name: patch
+      # -- Security context for webhook patch containers
       securityContext:
+        runAsNonRoot: true
+        runAsUser: 65532
         allowPrivilegeEscalation: false
+        seccompProfile:
+          type: RuntimeDefault
+        capabilities:
+          drop:
+          - ALL
+        readOnlyRootFilesystem: true
       resources: {}
     patch:
       enabled: true
@@ -661,15 +817,17 @@ controller:
       ##
       priorityClassName: ""
       podAnnotations: {}
+      # NetworkPolicy for webhook patch
+      networkPolicy:
+        # -- Enable 'networkPolicy' or not
+        enabled: false
       nodeSelector:
         kubernetes.io/os: linux
       tolerations: []
       # -- Labels to be added to patch job resources
       labels: {}
-      securityContext:
+      # -- Security context for secret creation & webhook patch pods
-        runAsNonRoot: true
+      securityContext: {}
-        runAsUser: 2000
-        fsGroup: 2000
     # Use certmanager to generate webhook certs
     certManager:
       enabled: false
@@ -795,11 +953,13 @@ defaultBackend:
     ## repository:
     tag: "1.5"
     pullPolicy: IfNotPresent
+    runAsNonRoot: true
     # nobody user -> uid 65534
     runAsUser: 65534
-    runAsNonRoot: true
-    readOnlyRootFilesystem: true
     allowPrivilegeEscalation: false
+    seccompProfile:
+      type: RuntimeDefault
+    readOnlyRootFilesystem: true
   # -- Use an existing PSP instead of creating one
   existingPsp: ""
   extraArgs: {}
@@ -845,15 +1005,9 @@ defaultBackend:
   #    effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
 
   affinity: {}
-  # -- Security Context policies for controller pods
+  # -- Security context for default backend pods
-  # See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for
-  # notes on enabling and using sysctls
-  ##
   podSecurityContext: {}
-  # -- Security Context policies for controller main container.
+  # -- Security context for default backend containers
-  # See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for
-  # notes on enabling and using sysctls
-  ##
   containerSecurityContext: {}
   # -- Labels to add to the pod container metadata
   podLabels: {}
@@ -887,6 +1041,21 @@ defaultBackend:
   #  - name: copy-portal-skins
   #    emptyDir: {}
 
+  extraConfigMaps: []
+  ## Additional configmaps to the default backend pod.
+  #  - name: my-extra-configmap-1
+  #    labels:
+  #      type: config-1
+  #    data:
+  #      extra_file_1.html: |
+  #        <!-- Extra HTML content for ConfigMap 1 -->
+  #  - name: my-extra-configmap-2
+  #    labels:
+  #      type: config-2
+  #    data:
+  #      extra_file_2.html: |
+  #        <!-- Extra HTML content for ConfigMap 2 -->
+
   autoscaling:
     annotations: {}
     enabled: false
@@ -894,12 +1063,10 @@ defaultBackend:
     maxReplicas: 2
     targetCPUUtilizationPercentage: 50
     targetMemoryUtilizationPercentage: 50
-
   # NetworkPolicy for default backend component.
   networkPolicy:
     # -- Enable 'networkPolicy' or not
     enabled: false
-
   service:
     annotations: {}
     # clusterIP: ""

go.work.sum

@@ -135,6 +135,7 @@ github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWH
 github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U=
+github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e h1:Wf6HqHfScWJN9/ZjdUKyjop4mf3Qdd+1TvvltAvM3m8=
 github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/emicklei/go-restful v2.9.5+incompatible h1:spTtZBk5DYEvbxMVutUuTyh1Ao2r4iyvLdACqsl/Ljk=
 github.com/emicklei/go-restful/v3 v3.8.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=